This letter is to provide you with our views on the minimum criteria for the impact assessment and subsequent legislative proposal.



Similar documents
CCBE RECOMMENDATIONS FOR THE IMPLEMENTATION OF THE DATA RETENTION DIRECTIVE

COMMISSION OF THE EUROPEAN COMMUNITIES. Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

European Union Law and Online Gambling by Marcos Charif

Having regard to the Charter of Fundamental Rights of the European Union, and in particular Articles 7 and 8 thereof,

Under European law teleradiology is both a health service and an information society service.

4-column document Net neutrality provisions (including recitals)

The reform of the EU Data Protection framework - Building trust in a digital and global world. 9/10 October 2012

Filtering for Copyright Enforcement in Europe after the Sabam cases

EUROPEAN DATA PROTECTION SUPERVISOR

EDRi s. January European Digital Rights Rue Belliard 20, 1040 Brussels tel. +32 (0)

DRAFT DATA RETENTION AND INVESTIGATORY POWERS BILL

Opinion Statement of the CFE. on the proposed Directive. on the fight against fraud to the EU s financial interests. by means of criminal law

THE DATA RETENTION DIRECTIVE NEVER EXISTED

ARTICLE 29 Data Protection Working Party

Response of the Northern Ireland Human Rights Commission on the Health and Social Care (Control of Data Processing) NIA Bill 52/11-16

29 October 2015 Conference of the Independent Data Protection Authorities of the Federation and the Federal States

EXPLANATORY MEMORANDUM TO THE DATA RETENTION (EC DIRECTIVE) REGULATIONS No. 2199

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS

THOMSON REUTERS HUMAN RIGHTS LAW CONFERENCE Privacy, data retention and state surveillance: Digital Rights Ireland.

PROTECTING HUMAN RIGHTS IN THE UK THE CONSERVATIVES PROPOSALS FOR CHANGING BRITAIN S HUMAN RIGHTS LAWS

ARTICLE 29 DATA PROTECTION WORKING PARTY

AMENDMENTS TO THE DRAFT DATA PROTECTION REGULATION PROPOSED BY BITS OF FREEDOM

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS

THE TRADE SECRETS DIRECTIVE THE NEW COUNCIL PROPOSAL 1 WOUTER PORS. Bird & Bird The Hague. 1. Introduction and general issues

Europeanisation of Family Law

5439/15 PT/ek 1 DG E

Guidelines on data protection in EU financial services regulation

THE TRANSFER OF PERSONAL DATA ABROAD

(Legislative acts) DIRECTIVES

The Commission proposal is in the left column, our suggestions in the right column. Recital 46. deleted

Technical Questions on Data Retention

Opinion of the European Data Protection Supervisor

Strategic Priorities for the Cooperation against Cybercrime in the Eastern Partnership Region

on the Proposal for a Regulation of the European Parliament and of the Council laying

EUROPEAN DATA PROTECTION SUPERVISOR

Minister Shatter presents Presidency priorities in the JHA area to European Parliament

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 February /05 LIMITE COPEN 35 TELECOM 10

Comments and proposals on the Chapter II of the General Data Protection Regulation

Section 1: Development of the EU s competence in the field of police and judicial cooperation in criminal matters

ETNO Expert Contribution on Data retention in e- communications - Council s Draft Framework Decision, Commission s Proposal for a Directive

Privacy, data retention and terrorism

23/1/15 Version 1.0 (final)

Data Retention Law in EU - A Review

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL. Rebuilding Trust in EU-US Data Flows

Act CLXV of on Complaints and Public Interest Disclosures. 1. Complaint and public interest disclosure

Table of contents. Frame of the cards: identical structure for each country

European Commission Per

DATRET/EXPGRP (2009) 6 FINAL Document 6

Data Protection A Guide for Users

Consultation on the future of European Insolvency Law

Net Neutrality Analysis and background of trialogue compromise CHAPTER 1 HISTORY

ARTICLE 29 Data Protection Working Party

Council of the European Union Brussels, 12 September 2014 (OR. en)

Patents in Europe 2013/2014

Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

COUNCIL OF EUROPE COMMITTEE OF MINISTERS

Proposal for a COUNCIL REGULATION (EU) implementing enhanced cooperation in the area of the law applicable to divorce and legal separation

Cyber Crime and Data Retention

Section 151 Officer Monitoring Officer

10788/15 AD/FC/vm DGE 2

Statistics on Requests for data under the Data Retention Directive

Honourable members of the National Parliaments of the EU member states and candidate countries,

Civil Rights, Security and Consumer Protection in the EU

DER HESSISCHE DATENSCHUTZBEAUFTRAGTE

Setting the legal context for telemedicine in the EU

Opinion 03/2013 on purpose limitation

Factsheet on the Right to be

REPORT ON THE EXECUTION ON THE EAW ISSUED BY MEMBER STATE Z AGAINST PAUL

"Transmission of any material in violation of any Country, Federal, State or Local regulation is prohibited."

LEAKED ACTA DIGITAL ENFORCEMENT CHAPTER

ROMANIA Constitutional Court. DECISION no from 8 October 2009

Position Paper: Berlin, 31 March Legislative intentions to increase IT Security

The Århus Convention by Jens Hamer, ERA

Legal Aspects of the MonIKA-Project - Privacy meets Cybersecurity

Formal response to the Consultation Paper: Monitoring and Regulation of Migration

I. Background information

EDRi's Position Paper on Council text regarding net neutrality

Inquiry into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014

European Direct Tax Policy: Harmonisation versus Coordination. Dr Tom O Shea Queen Mary, University of London t.o shea@qmul.ac.uk

C 128/28 Official Journal of the European Union

PO BoxA147 Sydney South NSW November 2014

CCBE comments on the proposal for a Directive of the European Parliament and of the Council on singlemember private limited liability companies

Dealing with data breaches in Europe and beyond

6482/15 GB/ek 1 DG E2B

Federal Act on Data Protection (FADP) Aim, Scope and Definitions

Message 791 Communication from the Commission - SG(2012) D/50777 Directive 98/34/EC Notification: 2011/0188/D

PUBLIC PROCUREMENT CONTRACTS

Department of Communications. Enhancing Online Safety for Children Discussion Paper. Submission by the Australian Federal Police

Behavioral Targeting Legal Developments in Europe and the Netherlands

DRAFT BILL PROPOSITION

Telefónica response to the consultation on the implementation of the Intellectual Property Rights Enforcement Directive

COMMUNICATION FROM THE COMMISSION TO THE COUNCIL, THE EUROPEAN PARLIAMENT AND THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE

Quantitative restrictions on imports and all measures having equivalent effect shall be prohibited between Member States.

***I DRAFT REPORT. EN United in diversity EN 2012/0011(COD)

ICC Guidelines on Whistleblowing

7 August I. Introduction

Online Security, Traffic Data and IP Addresses. Review of the Regulatory Framework for Electronic Communications

EUROPEAN PARLIAMENT Committee on Industry, Research and Energy. of the Committee on Industry, Research and Energy

Liberty, Privacy International, Open Rights Group, Big Brother Watch, Article 19 and English PEN briefing on the fast-track Data Retention and

Transcription:

Dear Commissioner Malmström, As you know, we have been closely involved in consultations with the European Commission with regard to the impact assessment on, and probable review of, the Data Retention Directive. We remain committed to the impact assessment for the new legislative proposal being as credible and complete as possible. Since the impact assessment supporting the original Directive was exceptionally poor and this Commission has sworn a legally binding oath to respect fundamental rights, 1 it is very important that the impact assessment address all concerns regarding the compatibility of the Directive with the Charter of Fundamental Rights and the European Convention on Human Rights, in particular in the light of relevant recent case law. 2 We remain convinced that a comprehensive impact assessment will definitively show that data retention is not necessary for either market harmonisation nor the fight against serious crime and is consequently illegal. This position is in line with that of the Council of Europe Commissioner for Human Rights, Thomas Hammarberg, who recently stated 3 that any surveillance measures must respect the prohibition (in the Cybercrime Convention) on 'general or indiscriminate surveillance and collection of large amounts of traffic [and communications] data'. Compulsory suspicionless retention of such data, currently required under EU law, violates this principle and also, in our view, the ECHR and the EU Charter of Fundamental Rights, as well as several national constitutions. This letter is to provide you with our views on the minimum criteria for the impact assessment and subsequent legislative proposal. A. Fundamental Rights Checklist We believe that the Commission has already given itself a valuable tool for ensuring that adequate attention is given to fundamental rights in all of its proposals, namely Communication COM(2010)573 and its fundamental rights checklist. Full respect for the checklist, and articles 5 and 6 in particular, should result in an impact assessment and legislative proposal which respect the EU's legal obligations on fundamental rights. Point 5 of that list asks Would any limitation of fundamental rights be formulated in a clear and predictable manner? This would require the following questions to be asked: In the absence of a definition of serious crime, is it possible (and if so, why) to have a clear and predictable implementation of the Directive across the EU, particularly for crossborder communications? 1 European Commission swears oath to respect the EU Treaties, IP/10/487, 3 May 2010, http://europa.eu/rapid/pressreleasesaction.do?reference=ip/10/487 2 Such as S. and Marper v. the United Kingdom (application nos. 30562/04 and 30566/04) and ECJ 9 November 2010, C-92/09 and C-93/09, Volker und Markus Schecke. 3 Footnote to be added before sending

Does the huge time range from 6 months to 24 months offer clarity and predictability, particularly for citizens involved in cross-border communications? What elements of the review process have identified systemic breaches of fundamental rights that need to be addressed in order to ensure that citizens can have reasonable legal certainty regarding how their data is being processed? 4 Point 6 of that checklist list asks: Would any limitation of fundamental rights: be necessary to achieve an objective of general interest or to protect the rights and freedoms of others (which)? be proportionate to the desired aim? preserve the essence of the fundamental rights concerned? A.1: Necessity and Proportionality: This point can only be answered if a full assessment of alternatives in every aspect of the Directive is undertaken. This would include an assessment of each category and size of service providers addressed, of each individual type of data and of the retention period for each type of data in order to assess its usefulness in the achievement of the objectives of the existing or revised legislation. Furthermore, it will be crucial for the credibility of the impact assessment not to repeat the fault in the evaluation report (COM(2011) 225 final) where the necessity and proportionality of data retention and the necessity of having a Directive on data retention are treated as if they are the same thing. Both elements need to be assessed in isolation in order to assess if data retention is necessary to achieve an objective of general interest and proportionate to the desired aim and if a Directive is necessary for this purpose. A second flaw in the evaluation report that must be avoided, is that it refers to retained data in general and not to necessity of having the additional data that would not otherwise have been available in the absence of the Directive through the storage of traffic and location data regulated by the E-Privacy Directive (2002/58/EC). The third element that must be adequately addressed is assessing the range of other options available: the banning of blanket data retention regimes in Europe The anecdotes provided in the original impact assessment are far from being compelling evidence of the necessity of data retention. Their weight is further diminished by the fact that, in several of the anecdotes, data was used that would have certainly been available in any case. 5 If data retention is, indeed, pointless and even counterproductive and, as the evaluation report suggests, is undermining the single market, the Commission has a duty to act in order to remove this impediment. 4 Such as the implementation report's reference to domestic operators providing access to data on foreign communications as an alternative to following the proper mutual legal assistance procedures. Evaluation report on the Data Retention Directive (Directive 2006/24/EC, COM(2011) 225 final, p.22/23. 5 In one of the examples provided, a proper analysis of the incident in question would show that long-term retention would not have been necessary in the absence of profound failures in the efficiency of international police cooperation which, instead of being addressed and resolved, are propagated by the existing data retention regime.

replacement of the Directive with a less restrictive alternative such as targeted collection of data and expedited data preservation In its preparation of the evaluation report, the Commission did not seek to obtain information from Member States that have not implemented the Directive, in order to compare the efficacy of alternative approaches. 6 It also did not look at the experience of countries which have implemented the approach preferred by the Council of Europe Cybercrime Convention, namely expedited data preservation. This approach is quite clearly a measure which affects less adversely the fundamental rights of natural persons than massive long-term storage of communications data on all citizens and which still contributes effectively to the objectives of the European Union rules in question. 7 This alternative should be thoroughly assessed in order to show credibly whether any amount of untargeted data retention is strictly necessary and proportionate and that a Directive is needed. removing the minimum retention period and re-assessing the maximum retention period The European Union may, taking into account the strict criteria set out in the Charter, the Convention and relevant case-law, establish legislation which places restrictions on the fundamental rights of citizens. In the case of data retention (the post-lisbon Treaty legal framework will inevitably lead to this issue coming up repeatedly), the democratically elected parliaments as well as Constitutional Courts of several sovereign Member States quite clearly did not and do not feel that the fundamental rights restrictions are, as required by the European Convention on Human Rights, necessary in a democratic society, and, as a result, did not implement the Directive. The Commission is taking infringement proceedings against these countries, offering no margin of appreciation, no respect for subsidiarity and, in essence, forcing those countries (according to the assessment of those democratically elected governments) to breach the Convention. It is simply unacceptable that Member States have a margin of appreciation when they restrict fundamental rights but no margin of appreciation when they seek to protect them. One option to avoid this anomaly is to establish maximum retention periods but not minimum periods. If, as the Commission says, cross-border requests for data represent fewer than 1% of uses of retained data (and bearing in mind that a proportion of these would be available under expedited preservation), this would: not present particular problems for law enforcement; provide a margin of appreciation for Member States which believe that data retention is not necessary and; measurably and significantly damage the single market, particularly if cost reimbursement for providers under a blanket retention obligation were made compulsory. In order to assess the impact of the various options presented on the prosecution of serious crime in a scientifically valid way, the impact assessment would need to address the following points: In how many cases does the detection, investigation or prosecution of serious crime in the absence of blanket retention legislation lack communications data that would be available under a blanket retention scheme (quantify as a percentage of all serious crime being investigated or prosecuted)? To the prosecution of how many serious crimes does such extra communications data ultimately make a positive difference (quantify as a percentage of all serious crime being prosecuted)? 6 COM HOME A3/JV/cn D (2010) 11574, 27 July 2010, https://www.bof.nl/live/wp-content/uploads/letter-to-mssupp-info-on-drd.pdf 7 ECJ 9 November 2010, C-92/09 and C-93/09, Volker und Markus Schecke, 86.

Is any such benefit offset by counter-productive side effects of blanket data retention (e.g. furthering the use of circumvention techniques and other communication channels? All in all, does the presence or absence of blanket telecommunications data retention legislation in practice have a demonstrable, statistically significant impact on the prevalence or the investigation of serious crime in a given Member State? If so, by how many percent does it increase or decrease the prevalence, the clearance or the prosecution of serious crime? Has the introduction or the absence of blanket telecommunications data retention legislation in the past made a significant difference to the number of condemnations, acquittals or the closure or discontinuation of serious crime cases in a given state? If so, by how many percent did the number of condemnations, acquittals or the closure or discontinuation of serious crime cases increase or decrease as a result of blanket telecommunications data retention legislation or its absence? A.2: Preserving the essence of the right Article 52 of the Charter of Fundamental Rights of the European Union states that limitations of fundamental rights must not restrict or reduce the right in such a way or to such extent that the very essence of the right is impaired. The European Court of Human Rights has ruled similarly on numerous occasions. 8 In its Evaluation Report, The European Commission identified points which are peripheral to the achievement of the goals of the Directive, but which undermine the essence of the fundamental rights impacted by the Directive. Experience of the impact on fundamental rights It will be impossible for the European Commission to fully respect its own fundamental rights checklist without a comprehensive analysis of the extent to which the rights in question have been undermined by the existing Directive. Without learning from this experience, it will be impossible to ensure maximum respect for the Charter. In particular, attention should be given to experience with regard to: Data losses and abuse. 9 Mistakes in data retrieval. 10 Damage to the right to communication caused by citizens and businesses feeling unable to confidentially communicate with health professionals, lawyers, journalists, 11 etc. 12 Definition of serious crime As some Member States do not have a definition of serious crime, we already see that the scope is 8 ECtHR 11 July 2002, nr. 28957/95, Goodwin v The United Kingdom, 99: '... the limitations (thereby) introduced must not restrict or reduce the right in such a way or to such an extent that the very essence of the right is impaired'. The ruling also refers to the ECtHR Rees and F. v. Switzerland judgements. 9 Examples of data losses and data abuse across Europe can be found in: Arbeitskreis Vorratsdatenspeicherung, 'There is no such thing as secure data', http://wiki.vorratsdatenspeicherung.de/images/heft_- _es_gibt_keine_sicheren_daten_en.pdf 10 'ISP Wrongfully Sent 300 First Strike Letters To Innocents', 17 June 2011, http://torrentfreak.com/isp-wrongfullysent-300-first-strike-letters-to-innocents-110617/ 11 European Journalists Warn EU Home Affairs Chief that European Data Law Threatens Freedom, 01 October 2010, http://europe.ifj.org/fr/articles/european-journalists-warn-eu-home-affairs-chief-that-european-data-law-threatensfreedom 12 FORSA, Opinions of citizens on data retention, 2 June 2008, p. 3, http://www.eco.de/dokumente/20080602_forsa_vds_umfrage.pdf

far broader than intended by the legislator. Therefore, in addition to the fact that the outcome of legislation has proven to be problematic in the area of foreseeability, many uses of data retained under the Directive fail to respect the essence of the fundamental rights in question. The farreaching consequences of not strictly defining 'serious crime' in the Directive have been illustrated clearly in Poland, where authorities accessed communications data more than 1 million times in 2009, using the retained data far beyond the prosecution of 'serious crimes' even in civil proceedings. 13 Alarmingly, the Commission recently seemed to argue that the telecommunication data retained under the safeguard that it is retained only for the investigation and prosecution of serious crime can also be used without problems in order to investigate intellectual property-related offences, that might not even be crimes, let alone serious crimes. 14 Analysis of each data set When legislation mandates indiscriminate storage of personal data that is not strictly necessary, the legislation harms the essence of the fundamental right to privacy. It is illogical to assume that retention of all communications data would be necessary, or even useful, for the same periods of time and that each type of data is of equal value. Therefore, the Commission should make a credible effort to demonstrate the alleged necessity of each data set that is in the current Directive or in the new legislative proposal. Furthermore, in the absence of the necessary practical data being made available by the Member States, the Commission must explain to the Council that lack of data proving necessity means that it is legally obliged to remove that data set from the Directive. Access and security restrictions For the same reasons as above, the Commission needs to assess if and exactly what minimum access restrictions and data security safeguards could be set by the Directive in order to better safeguard fundamental rights. It would be far easier to establish a baseline in the revised Directive than seek to impose minimum safeguards on Member States after transposing legislation has been adopted. Centralised storage and direct access The European Commission should analyse whether it considers that circumstances exist where the advantages of centralised data storage outweigh the security and privacy risks that such an approach inevitably incurs. If such circumstances do not exist, this approach should be explicitly excluded by the Directive. Similarly, are there circumstances in which direct access to this data would not automatically be a breach of Article 8 of the European Convention on Human Rights? Again, if no such circumstances exist, this option should be specifically excluded by the Directive. B: Article 15.1 of Directive 2002/58 We were disturbed to see in the evaluation report an interpretation of the legal significance of Article 15.1 of the E-Privacy Directive that not alone contradicts legal reality, but also contradicts the European Commission's own declaration on this text. At the time of adoption of the legislation, the European Commission pointed out the legal fact that the Directive could neither authorise not prohibit any activity in the then third pillar. 15 We urge the European Commission to avoid making 13 'POLAND: Data retention and population surveillance', November 2010, Statewatch RefNo# 30113, http://database.statewatch.org/article.asp?aid=30113 14 ECJ Hearing on Bonnier Audio c.s. case (only in Swedish), C-461/10, http://www.edri.org/files/c461-10-rapport.pdf 15 COM/2002/0338 def, 17 june 2002, p. 3, under Amendment 47 - Recital 11 ; Amendment 46 - Article 15, paragraph 1, http://eur-lex.europa.eu/lexuriserv/lexuriserv.do?uri=celex:52002pc0338:en:html.

the same mistake in the impact assessment. C: Impact on the single market In its evaluation report, the European Commission listed a range of ways in which the Data Retention Directive undermined the single market and failed to provide any compelling evidence that the Directive has had any corresponding positive impact. This raises serious questions as to the legality and value of the Directive if the objective of general interest to be achieved is harmonisation. If the Commission is intending to keep the same legal basis, it should specifically indicate how the objective of harmonisation has been achieved, or may be achieved, through this instrument. Furthermore, it should indicate exactly why it believes that the range of damaging effects that it has identified in the existing Directive will be resolved by the proposed changes to the legislation. Cost reimbursement It is clear that a harmonised cost reimbursement scheme would be of more positive impact for the internal market than the current and somewhat chaotic situation described by in the Commission's impact assessment. The impact assessment must therefore specifically address the viability of this approach. By costs, we mean capital costs, access costs and personnel costs. Furthermore, it appears to be unquestionable that state authorities will be more restrained in their requests for retained data when this has to be justified in their budget. We trust that this constructive input will assist you in the preparation of the impact assessment and revised Directive and remain at your disposal as a constructive partner in this process. Yours...

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information