Rethink of European Surveillance, Data Retention Laws Said Unlikely To Offer More Privacy Safeguards
Growing pressure from privacy advocates and others for changes to European surveillance laws probably won't accomplish much, attorneys said in interviews. Despite last year's European Court of Justice ruling invalid the EU data retention directive, which required ISPs to store telecom and Internet traffic data (see report in the April 9, 2014, issue), governments continue to propose and enact far-reaching surveillance measures, they said. Whether these new laws mean real change in privacy protections remains to be seen, said Hogan Lovells (London) technology attorney Mark Taylor.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Governments are starting to look afresh at what their legal regimes for interception and surveillance should be, Taylor said. One example is a bill moving through the French Parliament (the Bill on Intelligence), which Amnesty International, the French League for Human Rights, Privacy International and Reporters Without Borders said Wednesday would let intelligence agencies "hack into computers and devices and spy on the communications of anyone who makes contact with a person under suspicion, even incidentally." The law would allow such surveillance to be carried out under authorization of the prime minister's office, without a court order, they said.
March 11, a Dutch court struck down the country's telecom data retention act for failing to provide adequate privacy safeguards, among other reasons, wrote Baker & McKenzie (Amsterdam) information technology attorney Wouter Seinen in the firm's client newsletter. The Dutch Security and Justice Ministry is considering an appeal, despite the recent announcement by EU Home Affairs Commissioner Dimitris Avramopoulos that the European Commission doesn't plan to float new legislation on data retention, he wrote.
The surveillance debate is also alive in the U.K. A May 12 Parliament Intelligence and Security Committee report said the security and intelligence agencies don't seek to circumvent the law, but "the legal framework is unnecessarily complicated and -- crucially -- lacks transparency." Its key recommendation was that all current legislation on the intrusive capabilities of the agencies be replaced by a single new act. The report "fires the starting gun" on an overhaul of Britain's surveillance regime, not that anything is likely to happen immediately, said Taylor. The U.K. last summer passed emergency legislation, the Data Retention and Investigatory Powers Act, to address the problems caused by the invalidity of the data retention directive, but it's an interim solution, with a longer term fix due in 2016, he said.
The debate over whether to reintroduce data retention is "intensifying in Germany," wrote Sebastian Lisken of German privacy organization Digitalcourage in a Wednesday European Digital Rights article. It's being driven by the Social Democrats, the smaller political party in the country's coalition government, he said. Since the EC gave up on plans to introduce a new data retention directive after the ECJ ruling, it has become clear that the idea is to leave it to individual EU members "to muddle their own ways through this question," he wrote.
Surveillance activities are being contested. Among other examples, Privacy International and seven ISPs in 2014 challenged U.K. Government Communications Headquarters' hacking and exploitation of networks to gain access to personal information. PI also sued to stop GCHQ from using hacking tools. French citizens' advocacy group La Quadrature du Net and ISPs have attacked the Military Planning Act, which increases the number of police and intelligence services with access to connection data and widens the scope of the data to "information and documents" as well as to metadata held by ISPs and hosting service providers, La Quadrature said.
Officials are likely to say they're making changes but then to do as little as possible, said Taylor. Some bits of legislation will be different but it's not clear whether anything will fundamentally change, he said.
There's no general answer that applies across Europe, Seinen emailed. Some EU members, such as Germany, are very conscious of digital privacy rights, while others much favor electronic surveillance and interception, he said. "The current (far reaching) surveillance laws are not likely to be changed or withdrawn." It's likely that the Netherlands will try to enact a new data retention act "that tinkers around the edges," he said. A growing number of senators are showing more interest in personal data protection, so coming up with a new measure could be too big a challenge, he said. The law that was struck down concerned only traffic data storage, he said; the powers to demand access to such data and all other available data remain unaffected.