R(87) 15 : A Slow death?

  1. R(87) 15 : A Slow death? Joseph A. Cannataci, Mireille M. Caruana, Jeanne Pia Mifsud Bonnici Law & IT Research Unit Centre for Communication Technology University of Malta

  2. Objectives of Presentation • Meeting the DP Champion - R(87)15 • Painful birth of R(87)15 – ‘purpose specification’ victory • In the ascendant – the adoption of R(87)15 at Schengen • From Recommendation to Treaty? • First skirmish – the 1994 review • Meeting the Internet • Living on – in spite of defeat in Cybercrime Convention negotiations; the 1998 and 2002 review • Meeting the executioner? – Directive 2006/24/EC (The Data Retention Directive) • 9/11, Madrid, London – a ‘valid’ excuse to ignore purpose • Passenger Data – first to go….is there light at the end of the tunnel? • The resistance – Article 29 opinions, EDPS opinion, civil society • The political realities • Is R(87) 15 dead? Or dormant?

  3. The painful birth of R(87)15 • R(87) 15 was born within the Committee of Experts on Data Protection (CJ-PD) during 1984-1986 • CJ-PD characterised by strong leadership of Spiros Simitis – later involved in including data protection in EU Charter of Rights, and succeeded by Peter Hustinx - today EU DP Commissioner. • Many of the data protection experts at CJ-PD in Strasbourg accompanied by police & security representatives • The battle: police & security reps asking for “general purpose” collection vs. CJ-PD (Convention 108) position of “purpose specification”

  4. Purpose Specification - The victory of R(87)15 • Ambiguity created by Convention 108 by allowing an exclusion from provisions for security purposes • R(87)15 resolved this ambiguity by unambiguously subjecting police data to same data protection regime as other data • R(87)15 scored victory by entrenching the notion of purpose for collection and processing of data, even for police use

  5. In the ascendant: the early years 1987-1993 • Never popular with the police • Greeted as model for democracy and cited often especially in the 1989-1992 period in Central & Eastern Europe • Classic post 1989 use in Stasi files in Germany - the purpose challenged • Riding the wave: in the post-1989 surge forward for democracy, adopted as data protection standard for Schengen Treaty

  6. From Recommendation to Treaty? • No stopping R(87)15 in the early years • Recommendation 1181 (1992) on police co-operation and protection of personal data in the police sector: the member states of the Council of Europe had agreed to move towards a convention enshrining the principles of R(87)15 • What happened then? • Why don’t we have a new convention today? • Why, instead, do we have a data retention directive?

  7. The first skirmish: 1993 • Would anyone dilute R(87)15? • CJ-PD requested (by Committee of Ministers) to review it • 1994 Cannataci report ensued • Qualitative analysis of responses of some MS • Response overview reinforced the impression that R (87) 15 continued to provide a sound basis for data protection in the police sector • R (87) 15 sufficiently elastic to permit the various interpretations that some member States wished to see specifically mentioned • “Several experts concurred that the provisions of R (87) 15 constitute an inalterable necessary minimum” • No overwhelming arguments advanced as to why current formulation of Principle 5 (Communication of Data) fails in providing the most balanced formula capable of providing equitable provision for current requirements • Status of R(87)15 preserved

  8. Meeting the Internet • R(87)15 was a pre-Internet animal • Interpol & Europol were not in synch in their data protection standards • The Police and security forces slowly started gaining experience with Internet & cybercrime • Immigration issues with Schengen were pushing uses of hi-tech ID systems (from mag-stripe to biometric)

  9. Cybercrime vs. Privacy 1996-2001 • The first signs of a losing battle • Concern with cybercrime increased in inverse proportion with concern with privacy • The crime lawyers were in the ascendant: the attempts by CJ-PD to insert breach of privacy as a substantive offence in the Cybercrime convention failed; • The role of the US is inestimable: in order to get the US on board a Council of Europe convention, the PC-CY was prepared to downplay Privacy as an issue

  10. The role of the US • US approach to data protection less strict than European approach • In Cybercrime, US were interested in • agreeing minimum substantive offence • Creating 24/7 collaboration for detection & investigation • Creating mechanism for preservation of evidence & subsequent prosecution • Privacy was just not an issue (but when is it to security forces?)

  11. Living On…The second report: 1998 • The 1998 Patijn Report …viewed against Directive 1995/46EC & negotiations on Cybercrime Convention • R (87)15 still gives adequate protection + included in Schengen Agreement & Europol Treaty – don’t change but… • More detailed recommendations • Police powers, to be adequate, necessarily interfere with the respect for private life and should therefore be restricted to the extent that is necessary • Proposes that the Committee of Ministers recommend that national legislators explicitly deal with certain questions of data protection rules for criminal data • Result - Integrity of R(87)15 was preserved

  12. Third Evaluation Report - 2002 • CJ-PD examined R (87) 15 and agreed that • No revision and no new recommendation • Principles are still relevant especially as a basis for the elaboration of regulations on use of personal data by the police and as a point of reference for activities in this field. • CJ-PD giving up?

  13. Changing times – 9/11 • R(87) 15 was created when Europe had largely settled the terrorist issues which had plagued Germany & Italy in the 70s • 2001 brought with it 9/11 – a disaster which heralded much trouble for data protection • First victim: Airline passenger lists and the dispute between EU and the US ….is May 2006 ECJ decision a ‘small’ victory?

  14. Waking up to the Internet • Post-9/11 Police & Security forces became more aware of terrorist & crime uses of the Internet • To Police & Security Forces, the Internet is simply another communications system • “to tap” • And especially to provide “traffic data” • Police (esp. in Germany) had been using traffic data to locate terrorists since the seventies. The lessons of the Clemens Wagner case from Baader-Meinhof era were well-learnt

  15. We want the traffic data! • So the debate commenced • The Internet is rich in traffic data=let’s get at it • Art. 29 (and many others) pointed out (even as early as 1999) many fallacies in Police & Security force arguments: • There are many ways of getting around monitoring of traffic and content data • Monitoring all data is grossly disproportionate measure and puts civil society at risk

  16. Data Retention – ignoring purpose specification • Discussions on regulation on retention of traffic data for law enforcement purposes go back to G8 meeting in Moscow 1999 • 9/11 – speeded up discussions and gave a ‘justification’ for retention of traffic data for longer periods • By 2000 – retention of traffic data allowed for billing and interconnection payments

  17. The Article 29 Mantra • Retention of traffic data for purposes of law enforcement should be allowed only under strict conditions: • Kept only for a limited period • Kept only where necessary, appropriate and proportionate in a democratic society

  18. From Draft Framework Decision to Data Retention Directive • Resistance of Article 29 group, EDPS and civil society unaltered • Traffic data retention interferes with the fundamental right to confidential communications (Art. 8 ECHR) • Any restriction on this fundamental right must be based on a pressing need, should only be allowed in exceptional cases and be the subject of adequate safeguards

  19. Article 29’s 2005 Opinion • Is it legally and factually justified to require a compulsory and general data retention requirement? • Are the proposed data retention periods in the draft Directive convincing?

  20. Article 29’s List of desirables: A return to basic DP principles • Re-Introduce Purpose specification: The purposes of data retention should be stated clearly in the Directive • Indicate Authorised Recipients of the Data Retained – access clearly defined • Limit Data Mining • Process only according to purpose • Introduce accountability - judicial/independent scrutiny • Indicate precisely who is to retain data • No obligation for identification • Require separation of data retained for billing from data retained under Directive • Security – make sure data is retained in a secure manner • Identification of which data to be retained – should satisfy a strict necessity test • The evidence supporting these measures should be evaluated periodically

  21. Were the desiderata addressed in Directive 2006/24? • Purpose specification – No. Directive 2006/24 does not clearly define and delineate the specific purposes for which data should be retained. • Access limitation – Directive 2006/24 provides that data is to be provided only to the competent national authorities BUT it does NOT provide that the competent national authorities should be specifically designated law enforcement authorities or that a list of such designated authorities should be made public

  22. Were the desiderata addressed in Directive 2006/24? (2) • No data mining – The limitation in Art 4 to “specific cases” seems to prohibit data mining activities. However the Directive does not specify that data can only be provided if this is needed in relation to a specific criminal offence. • Further processing – No provision ruling out or limiting stringently further processing for other related proceedings.

  23. Were the desiderata addressed in Directive 2006/24? (3) • Access Logs – Directive 2006/24 does not provide that any retrieval of the data should be recorded and the records made available to the supervisory authority • Judicial / independent scrutiny of authorized access – Not mandated by the Directive • Retention Purposes of Providers – solely for public order purposes, not for other purposes, especially their own. Not specifically mandated by the Directive.

  24. Were the desiderata addressed in Directive 2006/24? (4) • System Separation – In particular, the systems for storage of data for public order purposes should be logically separated from the systems used for business purposes and protected by more stringent security measures. No specific provision in the Directive. • Security Measures – General requirements on minimum standards concerning the technical and organisational security measures to be taken by providers were included - Article 7 of the Directive

  25. Were the desiderata addressed in Directive 2006/24? • Short Answer – NO. • Basically ignored all the data protection concerns • Ignored Article 29, EDPS, civil society & forged ahead

  26. Directive 2006/24/EC: The Data Retention Directive • Providers of publicly available communication services being forced unprecedentedly to store billions of data relating to the communications of any and all citizens for investigational purposes • From the perspective of data protection there is a need of full harmonization of the main elements included in the proposal

  27. The Criticism • “Harsh criticism” • Measures are disproportionate • The notion of purpose is not respected • Not enough safeguards are established • The cost-efficiency of data retention nowhere demonstrated – how many terrorists & criminals have been apprehended because of Internet traffic data?

  28. Article 29 WP Opinion 3/2006 of 25 March 2006 (post Directive) • The Directive • Lacks some adequate and specific safeguards • Leaves room for diverging interpretation and implementation by the Member States • The WP considers it crucial that • The provisions of the Directive are interpreted and implemented in a harmonised way • The Directive is accompanied in each Member State by measures curtailing the impact on privacy

  29. The verdict • What the Data Retention Directive achieves is the death of “purpose” • The respect for the principle of purpose for gathering data, in this case “traffic data”, now takes second place to the notional usefulness of such data in the fight against terrorism & crime • The danger inherent in having whole masses of data preserved, for years AND subject to the monitoring by police & security forces for “their” purposes

  30. Is R(87) 15 dead? • Who has really funded an in-depth implementation review of R(87) 15? • Can we trust the Police & security forces to be telling us the truth anyway? • Data retention directive lowers the standards by • giving legitimacy to the opponents of “purpose” • Creates new dangers in large databases of traffic data which previously did not exist

  31. Is it dormant? • Is there hope in the May 2006 ECJ decision on illegality of transfer of Airline Passenger Data? …is this the beginning of the return of ‘purpose specification’? • Will the EU stop paying only lip-service to data protection?
