Tag Archives: privacy

The data retention parrot

One of the most-read posts on this site is a 2009 set of ten questions about data retention legislation in Ireland. It was written with a mixture of anger and detail. Today’s post contains neither. Instead, it’s relieved – but hurried.

This morning, the Court of Justice of the European Union (CJEU) ruled in a set of cases regarding the validity, from a human rights point of view, of the Data Retention Directive (which provides for the retention by service providers of phone and Internet communications data across the EU for set periods, for the purpose of subsequent access by public authorities). Here’s the decision as posted on Scribd; official link to follow. Cases C-293/12 and C-594/12.

The Advocate General had already given his Opinion in late 2013, which was in some respects very critical of the Directive, but his recommendations were also a bit limited.  Of the cases that the CJEU heard, the one I know best (unsurprisingly) is the challenge made in Ireland by Digital Rights Ireland (High Court decision of 2010). This, and other cases starting in Austria, were sent to the EU court for a ruling on points of EU law.

Here are my first-look highlights from today’s decision.

1. The Directive raises serious issues of compatibility with the fundamental rights protected under EU law (privacy and data protection) – and it is not proportionate, and therefore invalid. This was clearly flagged by the Advocate General and will be the big headline today, rightly.  I’m just going to add some more observations, but the big result shouldn’t be ignored!

2. On the other hand, the proposal of the Advocate General (that the effect of declaring it invalid be suspended to allow better legislation to be introduced; paras 154-158 of his Opinion) has been entirely ignored in the decision, and only alluded to in a footnote in the accompanying press release. If I’m reading it right, this idea has simply disappeared.  The Directive is dead and, legally speaking, should never have existed.

3. There are important warning signs to the European bodies for the (inevitable) attempt to draft a replacement. Because of the nature of the rights and the infringements, discretion of the legislative bodies “is reduced, with the result that review of that discretion should be strict” (paras 47-8). Shroud-waving should also be avoided; “the fight against serious crime, in particular against organised crime and terrorism, is indeed of the utmost importance in order to ensure public security and its effectiveness may depend to a great extent on the use of modern investigation techniques. However, such an objective of general interest, however fundamental it may be, does not, in itself, justify” a retention measure such as this one (para 51). There are a range of specific criticisms outlined from para 58 onwards that would surely be relevant, e.g. application to the whole population, temporal or geographic restrictions, lack of a definition of serious crime, inadequate limits on access/use, a retention period plucked out of the air. Export outside the EU (topical!) is also highlighted at para 68.

4. Although it wasn’t necessary to rely on it to reach today’s result (see paras 69-70) , the CJEU makes some very important comments about the relationship between surveillance and speech:

In such circumstances, even though, as is apparent from Article 1(2) and Article 5(2) of Directive 2006/24, the directive does not permit the retention of the content of the communication or of information consulted using an electronic communications network, it is not inconceivable that the retention of the data in question might have an effect on the use, by subscribers or registered users, of the means of communication covered by that directive and, consequently, on their exercise of the freedom of expression guaranteed by Article 11 of the Charter. (para 28)

(Bonus points for channelling Vizzini)

5. The Court makes significant use of the ECtHR’s decision in S & Marper v UK (about DNA databases) – three separate references, all ‘by analogy’ regarding article 8 ECHR. The significance of S was clear at the time and today’s opinion demonstrates how it valuable it is in terms of analysing questions of law and technology – especially chilling and cumulative effects.  It’s also further evidence of the way that the CJEU builds on ECtHR rulings.

6. The Court endorses the Advocate General’s point about perception. It’s not a point unknown to those in the field (especially through the jurisprudence of the German courts and others), but it’s still not fully grasped in the UK and Ireland; data retention of this nature is “likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance” (para 37). (Which, for the record, is a bad thing).

Those are some first thoughts, and are really an extension of even earlier thoughts posted on Twitter. More later if I can!

When Irish eyes are watching

Last year, I was invited to give a ‘response’ to two very interesting papers at a seminar of the British Association for Comparative Law. The papers, by Paula Giliker and Elspeth Christie Reid, were on the evolution of breach of confidence and privacy, primarily in relation to England and Scotland. (Eric Clive wrote up his notes from the day here).

The papers, including a developed version of my comparative comments, are now being published in Juridical Review. A slightly earlier version of my contribution is available on SSRN through the University of Edinburgh School of Law Working Paper Series (here’s the series, and while there why not also download my colleague Judith’s latest paper on big data and small government…).

My article is a short one, and the main thing I hope it does is remind some UK-based readers of the interesting things that have happened in Ireland in relation to the privacy cause of action. I do spent a good deal of space talking about Sullivan v Boylan [2013] IEHC 104, which is a particularly useful contribution to the English and Scottish debates on how to handle the evolving questions of privacy and confidence. I also talk a bit about New Zealand.

Beyond breach of confidence: an Irish eye on English and Scottish privacy law

This article is based on comparative comments (with special attention paid to Irish law) presented at a seminar on breach of confidence and privacy. It is first argued that a continuing uncertainty regarding the role of statute in relation to privacy is common to the development of doctrines in both England and Scotland, with similar anxieties present in other jurisdictions. In the absence of statutory clarity, the questions arising out of debate on the nature of the cause of action, and the consequences of variation in definitions of “privacy”, are considered – with special attention to developments in Ireland and New Zealand. The relationship between the evolution of breach of confidence and the human rights framework is also noted. Finally, the prospects for law reform and/or convergence across jurisdictions in the United Kingdom are assessed.

(Sorry if you expected this post would be about this; words fail me on that subject, I’m afraid).

FISA, NSA and PRISM: behind the headlines

My Edinburgh colleague Judith Rauhofer (who has a particular research and teaching interest in privacy, data protection, and information), along with Caspar Bowden (who many readers will know through his writing and advocacy on privacy), has just launched a very timely paper on data protection in ‘the cloud’, with a particular emphasis on data stored in the US and subject to US law on access to data. Judith and Caspar have been making this argument well before the current PRISM/NSA reporting, and the paper makes it clear how there are already a number of important legal issues that require attention. The paper engages with recent scholarship on cloud computing itself (e.g. the Queen Mary projects) and the proposed new Regulation on data protection. It also contains a very detailed analysis of FISA. But the key argument, and the one that deserves the most attention from those who have reacted with alarm to recent news reports, is that about the obligations of European institutions to protect fundamental rights; both the Charter and Convention are discussed.

The paper is now available on SSRN:

Protecting Their Own: Fundamental Rights Implications for EU Data Sovereignty in the Cloud

Recommended reading, 14-20 February 2013

News, blog posts, etc

Lisa Campbell, ‘Is Netflix just a novelty?‘ (Broadcast 14 February 2013). Given my interest in VOD (primarily how it is regulated but to get there requires understanding the market), the last few weeks have provided much to think about.  I can’t decide whether to be impressed at the Netflix coup of launching House of Cards as an all-at-once release or cynical about how its press releases were parroted by some in the press.  I think both.  Anyway, the coverage in Broadcast does look at it from a number of different angles. (Thought I will return to although I’ve probably said it before: if the standard for being covered by EU audiovisual media law includes being ‘TV-like’ subject to interpretation in a ‘dynamic’ way, does this sort of move make a difference?)

Jeremy Phillips, ‘Save our hyperlinks! Paws for reflection as Profs Opine‘ (IPKat 15 February 2013).  Commentary on the intervention of academic group the European Copyright Society (does it have a website? cannot find) in a very important case on hyperlinks, Svensson.  The case is before the Court of Justice of the EU shortly and takes up a question much loved by IT textbooks more or less since they started to exist: is a link one of the acts restricted under copyright law?  If so, then the consent of the author of the target page may be necessary – but the consequences are significant.

Claire Porter, ‘Google ‘flaw’ puts users’ details on display‘ (News.com.au 16 February 2013). Another tricky story about apps and privacy; this one is about the Google Play store.  Worth noting that there is a bit of discussion about the way the story has been reported (and amended) – see e.g. here.  Original link via Slashdot.

David Streitfield, ‘Tech Industry Sets Its Sights on Gambling‘ (New York Times 18 February 2013). Discusses the implications of any change in the law on online gambling in the US for social networks and for the casual gaming sector.  Also mentions the interesting issue of gambling and Diablo.

William Turvill, ‘News agencies’ fear over impact of copyright law proposals‘ (Press Gazette 20 February 2013). It looks like the lobbying against the proposed implementation of the Hargreaves Review is well underway now.  I think there is a fair point to be made about the constitutional problems (the typical, pernicious turn to secondary legislation in place of proper parliamentary scrutiny), although the substantive arguments tend to the alarmist.  For example, I can see why the photographer groups who were critical of orphan works proposals in the past are sceptical about extended collective licensing.  Less obvious to me is why that opposition extends to the long-overdue proposals on parody.  Perhaps there’s just general opposition.  We’ll see.  Given that some of these recommendations are still overdue from Gowers 2006, it would be a shame to get stuck at this stage..

Academic publications

Speaking of parody: Kris Erickson, ‘Evaluating the Impact of Parody on the Exploitation of Copyright Works: An Empirical Study of Music Video Content on YouTube‘ (Bournemouth University for IPO, 2013).  Fascinating attempt to measure the consequences of protecting (or not protecting) parody.  Via Rebecca Tushnet.

And more on copyright: Lee Edwards, Bethany Klein, David Lee, Giles Moss, and Fiona Philip, ‘Framing the consumer: Copyright regulation and the public’ (2013) 19 Convergence 9-24 (£). Multi-disciplinary perspective on attitudes to copyright, with a particular interest in downloading (other articles in the same issue also explore the theme of attitudes and IP)



Recommended reading, 7-13 February 2013

News, blog posts, etc

European Commission, ‘EU Cybersecurity plan to protect open internet and online freedom and opportunity‘ (press release, 7 February 2013).  Marking the release of a new strategy and proposed Directive (download both of them here) on this topic.  The interesting bit about this is how it’s framed – legally speaking it’s an internal market measure (not crime!); strategically, it follows up on the many comments about ‘trust’ in the Digital Agenda documents of the last couple of years.  While most of the operative provisions of the Directive are about national authorities for infrastructure and cooperation between them, there is an interesting (proposed) obligation for member states to regulate ‘market operators’ in terms of security and also notification of breaches.  (Incidentally, is this category of ‘market operator’ a new one?  It has two sub-categories – information society services ‘which enable the provision of other’ ISSes (examples in an Annex are cloud computing platforms, app stores, search engines, social networks), and operators of certain types of critical infrastructure.  Art 14 doesn’t apply, in essence, to telephone/mobile/broadband providers, because the electronic communications directives already occupy the field.  (It also doesn’t apply to certain players in the much-maligned electronic signatures field – although I read that exclusion as being broader than those entities contemplated in the 1999 Directive).  (The ‘open internet’ etc language of the strategy and press release is slightly overstated, I think).

John Brodkin, ‘Wi-Fi “as free as air”—the totally false story that refuses to die‘ (Ars Technica 8 February 2013). This is most curious. The (interesting and potentially significant) work of the FCC on what to do with UHF ‘white spaces’ – spectrum formerly used or left as a buffer for TV broadcasting but becoming available for other uses – has been of interest in IT law for some years now.  Then seemingly from nowhere, a normal development in the regulatory process became the basis for an article about free wifi.  This is not to say that white spaces and Internet access are unconnected; clearly, it’s one of the reasons that people beyond spectrum gurus talk about it.  (I wrote about it in passing in this 2009 article, in section 5.5).  But the licensing process does not deliver a free service by any means (even if, as is being discussed, the regulatory model would not include a license fee for spectrum use).  Nor has anything particularly interesting happened in recent weeks – as Brodkin’s deconstruction points out, the interesting stuff either happened a few years ago (when the opening up started) or will happen in the future (if new services are launched).

Simon Fodden, ‘Edwin Mellen Press’s Curious Case‘ (Slaw 10 February 2013).  A comment, with plenty of links, on the developing (and worrying) story about the huge defamation claim (the applicant seeks the equivalent of over £2m!) against a librarian (who wrote some quite critical things about a publisher, informed by his knowledge of the field) and his university employer.  I would certainly not have anything to do with this publisher as a result of its actions in this case (whatever about the underlying allegations themselves!).

Alexander Hanff, ‘The murky world of privacy advocacy‘ (10 February 2013). A new blog and a rollicking start, with a detailed analysis of corporate funding for tech-related NGOs. It’s about time. Given the field I’m working in, I’ve seen quite a few of these organisations (and indeed, their close cousins, the consultant reinventing themselves as an NGO/think-tank with no membership, no membership and often nothing to add). I think the post by Hanff demonstrates a very honest attempt to understand the weaknesses of the lobbying system and reminds us all to think about the motives as well as the contents of interventions.

Virtual currency and virtual property revisited‘ (Technollama 11 February 2013). An overview of recent developments on virtual £££ and IP and other things, prompted by a piece in Forbes which mostly about virtual property). See also this nice PBS video on Bitcoin, etc.

Academic articles

Nina Mendelson, ‘Should Mass Comments Count?’ (2012) 2 Michigan Journal of Environmental & Administrative Law 173 (SSRN). This is a response to the author’s earlier work (and a debate about it), but reading the article covers much of what before quite neatly.  The issue is a controversial one – how, when public consultation happens, to deal with different forms of participation (particularly one-click or template methods).

Michael O’Flaherty, ‘Freedom of Expression: Article 19 of the International Covenant on Civil and Political Rights and the Human Rights Committee’s General Comment No 34′ (2012) 12 Human Rights Law Review 627-654 (£, link).  The author of this article was the rapporteur work on this General Comment and discusses the comment as well as some of the cases and stories it relied upon.  Watch out for the interesting discussion of article 19 and emerging technology, too.

E Tarantino, ‘A simple model of vertical search engines foreclosure’ (2013) 37 Telecommunications Policy 1 (£, link).  The new volume of this journal (mix of law, business, economics, etc) starts off with one of the topics of the year, competition law and search engines.