Ten things to read about today’s data retention decision

I am a fair-weather blogger, and so I cannot remember the last time I had so many visits or retweets in a day.  Piggybacking on the unexpected traffic boost, here are ten things worth reading (from various sources) about the reason for that traffic – the finding by the Court of Justice of the EU that the Data Retention Directive is, on human rights grounds, invalid.  (My own post, Data retention parrot, is here).

I had plenty to choose from in putting this list together – fortunate that the decision was published when many of us legal academics are not teaching?

  1. The decision of the Court.  The early pages are taken up with reproducing the provisions of the legislation, so if you are familiar with the Directive, those pages are most skippable.
  2. Fiona de Londras, professor at Durham Law School, writing at Human Rights in Ireland. Special mention: discussion on whether “a more tailored, narrower approach” might survive scrutiny if the Directive is to be replaced (see also her lessons for the US, posted at The Conversation).
  3. “Cybermatron”, an expert in this field, writing on her blog. Special mention: highlighting weaknesses in the decision, including where the Court may have underappreciated the significance of the legislation and of this challenge.
  4. Steve Peers, professor at the University of Essex Law School, writing on his blog EU Law Analysis. Special mention: analysis of the current status of the (invalid) Directive, and options for states and the EU from this point on.
  5. Paul Bernal, lecturer at the UEA Law School, writing on his blog. Special mention: how the decision sits within the wider debate on and advocacy for privacy.
  6. Karlin Lillington, journalist, writing in the Irish Times. Special mention: the consequences for Ireland and the EU, by someone who has been instrumental in highlighting data retention practices for over a decade.
  7. Luke Scanlon, solicitor, Pinsent Masons, writing on Out-law. Special mention: impact on other legislation, including data protection present and future.
  8. Glyn Moody, author and journalist, writing for ComputerWorld UK. Special mention: explanation, point by point, of how the court’s decision relates to specific data retention practices.
  9. Gabriele Steinhauser, journalist, writing in the Wall Street Journal. Special mention: how the decision is being reported to an international audience, including the political dimension.
  10. Press release and FAQ on the decision from the European Commission (the ‘losing’ side, not that you would know that from the statement). Special mention: reading it with a straight face.

Apologies to those omitted – additional links welcome, through the comments sections below.

The data retention parrot

One of the most-read posts on this site is a 2009 set of ten questions about data retention legislation in Ireland. It was written with a mixture of anger and detail. Today’s post contains neither. Instead, it’s relieved – but hurried.

This morning, the Court of Justice of the European Union (CJEU) ruled in a set of cases regarding the validity, from a human rights point of view, of the Data Retention Directive (which provides for the retention by service providers of phone and Internet communications data across the EU for set periods, for the purpose of subsequent access by public authorities). Here’s the decision as posted on Scribd; official link to follow. Cases C-293/12 and C-594/12.

The Advocate General had already given his Opinion in late 2013, which was in some respects very critical of the Directive, but his recommendations were also a bit limited.  Of the cases that the CJEU heard, the one I know best (unsurprisingly) is the challenge made in Ireland by Digital Rights Ireland (High Court decision of 2010). This, and other cases starting in Austria, were sent to the EU court for a ruling on points of EU law.

Here are my first-look highlights from today’s decision.

1. The Directive raises serious issues of compatibility with the fundamental rights protected under EU law (privacy and data protection) – and it is not proportionate, and therefore invalid. This was clearly flagged by the Advocate General and will be the big headline today, rightly.  I’m just going to add some more observations, but the big result shouldn’t be ignored!

2. On the other hand, the proposal of the Advocate General (that the effect of declaring it invalid be suspended to allow better legislation to be introduced; paras 154-158 of his Opinion) has been entirely ignored in the decision, and only alluded to in a footnote in the accompanying press release. If I’m reading it right, this idea has simply disappeared.  The Directive is dead and, legally speaking, should never have existed.

3. There are important warning signs to the European bodies for the (inevitable) attempt to draft a replacement. Because of the nature of the rights and the infringements, discretion of the legislative bodies “is reduced, with the result that review of that discretion should be strict” (paras 47-8). Shroud-waving should also be avoided; “the fight against serious crime, in particular against organised crime and terrorism, is indeed of the utmost importance in order to ensure public security and its effectiveness may depend to a great extent on the use of modern investigation techniques. However, such an objective of general interest, however fundamental it may be, does not, in itself, justify” a retention measure such as this one (para 51). There are a range of specific criticisms outlined from para 58 onwards that would surely be relevant, e.g. application to the whole population, temporal or geographic restrictions, lack of a definition of serious crime, inadequate limits on access/use, a retention period plucked out of the air. Export outside the EU (topical!) is also highlighted at para 68.

4. Although it wasn’t necessary to rely on it to reach today’s result (see paras 69-70) , the CJEU makes some very important comments about the relationship between surveillance and speech:

In such circumstances, even though, as is apparent from Article 1(2) and Article 5(2) of Directive 2006/24, the directive does not permit the retention of the content of the communication or of information consulted using an electronic communications network, it is not inconceivable that the retention of the data in question might have an effect on the use, by subscribers or registered users, of the means of communication covered by that directive and, consequently, on their exercise of the freedom of expression guaranteed by Article 11 of the Charter. (para 28)

(Bonus points for channelling Vizzini)

5. The Court makes significant use of the ECtHR’s decision in S & Marper v UK (about DNA databases) – three separate references, all ‘by analogy’ regarding article 8 ECHR. The significance of S was clear at the time and today’s opinion demonstrates how it valuable it is in terms of analysing questions of law and technology – especially chilling and cumulative effects.  It’s also further evidence of the way that the CJEU builds on ECtHR rulings.

6. The Court endorses the Advocate General’s point about perception. It’s not a point unknown to those in the field (especially through the jurisprudence of the German courts and others), but it’s still not fully grasped in the UK and Ireland; data retention of this nature is “likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance” (para 37). (Which, for the record, is a bad thing).

Those are some first thoughts, and are really an extension of even earlier thoughts posted on Twitter. More later if I can!

The shock of the who?

Just a note to plug this year’s Policy Forum at the Society for Computers and Law.  Prof. Chris Reed is the chair, and the title is “The Shock of the New or How we are losing (and gaining) control over data”.  Further information here.  The event encompasses a free lecture by Dr. Ian Brown (more information here).  The event takes place in London on 12-13 September 2013.

I’m speaking on an a panel with a promising description:

Smartphones, tablets and glasses: taking the Internet with you
Portable, personal devices are rapidly becoming the default way to access, generate and process information. Because they travel with their user, their interactions with other devices (fixed and mobile) generates rich metadata which links to the user. Because they are in some sense “owned” by the user, they potentially upset the current legal settlement for rights in and control over information. “Bring your own device” is making significant inroads in large organisations.

  • Chair: Judith Rauhofer, Lecturer in IT Law, University of Edinburgh
  • Portable devices and the internet of things, George Roussos, Department of Computer Science, Birkbeck
  • Human rights and the omnipresent network, Dr Daithí Mac Sithigh, Lecturer in Digital Media Law, University of Edinburgh.
  • Pick a law, any law: property v IP v contract, Olivier Haas, Of Counsel, Herbert Smith Freehills

FISA, NSA and PRISM: behind the headlines

My Edinburgh colleague Judith Rauhofer (who has a particular research and teaching interest in privacy, data protection, and information), along with Caspar Bowden (who many readers will know through his writing and advocacy on privacy), has just launched a very timely paper on data protection in ‘the cloud’, with a particular emphasis on data stored in the US and subject to US law on access to data. Judith and Caspar have been making this argument well before the current PRISM/NSA reporting, and the paper makes it clear how there are already a number of important legal issues that require attention. The paper engages with recent scholarship on cloud computing itself (e.g. the Queen Mary projects) and the proposed new Regulation on data protection. It also contains a very detailed analysis of FISA. But the key argument, and the one that deserves the most attention from those who have reacted with alarm to recent news reports, is that about the obligations of European institutions to protect fundamental rights; both the Charter and Convention are discussed.

The paper is now available on SSRN:

Protecting Their Own: Fundamental Rights Implications for EU Data Sovereignty in the Cloud

Preview: media & communications at SLS 2013

The 2013 conference of the Society of Legal Scholars takes place here in Edinburgh this September. I continue as convenor of the Media & Communications section, and we have a particularly exciting (and packed) programme this year. An EU session, a set of responses to Leveson, and two general sessions (one with a social media flavour and one with a human rights theme).

Registration is now open; ‘early bird’ discount until the end of July.

Tuesday 3rd September

A1: 14.00-15.30 (Special session on conference theme)

Ewa Komorek (Trinity College Dublin):
The problem which will not go away. Recent developments in the EU approach to media pluralism issue

Dimitrios Doukas (Belfast):
The Sky is not the (Only) Limit – Sports Broadcasting without Frontiers and the European Court of Justice

A2: 16.00-17.30

Alan Durant (Middlesex):
The DPP’s Interim guidelines (December 2012) on prosecuting communications via social media

Damien McCallig (Galway):
Intrusion into private grief: regulating the reporting and presentation of deceased persons in the modern media

Paul Bernal (East Anglia):
Defamation on Twitter: a defence of ‘responsible tweeting’

Wednesday 4th September

A3: 9-10.30

Yik Chan Chin (Hong Kong Baptist) & Yanbin Lu (Nottingham):
Defenses of Freedom of Expression in Chinese Right to Reputation Lawsuits

Päivi Tiilikka (Helsinki):
Margin of appreciation and balancing-criteria in the practise of the ECtHR when balancing the freedom of expression and right to private life – is there any consistency?

Jason Bosland (Melbourne)
Defamation, Statutory Reform and the Protection of Opinion in Australia and the United Kingdom

A4: 14.00-15.30 (Leveson Inquiry session, chaired by Tom Gibbons, Manchester)

Paul Wragg (Leeds):
Freedom of the Press after Leveson

Judith Townend (City):
An uncertain climate: Defamation, privacy and the resolution of disputes outside the courtroom

Karen Mc Cullagh (East Anglia):
Regulation of Investigative Journalism post Leveson