User Name:     Password:        Join Us
  • 1
  • 2
  • 3
  • 4
  • 5
▪ China’s Market Regulator Reined in Internet Commercial Ads
▪ Stricter than the GDPR, China’s Privacy Law Provides Prohibitive and Control Oblig
▪ China kicked off the 1st national security review on DiDi
▪ Non-prosecution for compliance under ISO 37301 - Dentons lawyers take the world’s
▪ China’s Data Security Law is anything but frightening
▪ Alibaba fined USD 2.68 billion for abusing dominant market position in China
▪ China’s new “Blocking Statute” and the concerns it raised
▪ Survey result: how is bribery risk managed in China?
▪ China’s Administrative Punishment Law Awards Meaningful Credits for Compliance Eff
▪ Salon | How Would the Sanction on Pompeo and Blocking Measures Impact Foreign Comp
▪ Fees to speakers: academic exchange or commercial bribery
▪ China’s Personal Information Protection Law (2)
▪ China’s Personal Information Protection Law (1)
▪ Reading Into China’s Export Control Law
▪ English Translation of Export Control Law of China
▪ China Issued Its List of Unreliable Entities
▪ Demystify Corporate Social Credit System in China
▪ China is deploying “Operation Skynet” to further “Fox Hunt”
▪ China is to award whistleblowers heavily – foreign companies are more vulnerable t
▪ 130 Chinese headhunters arrested, involving breach of 200 million personal info
▪ Corporate Compliance Programs Evaluation Issued by US DOJ (Chinese Translation)
▪ The prospect is promising to commercialize Level-3 autonomous driving in China
▪ Intelligent and digital infrastructures are scheduled to accompany automatic vehic
▪ Will China illegalize VIEs?
▪ You cannot miss the gold rush under China's new Foreign Investment Law
▪ Classified Protection Under China's Cyber Security Law
▪ China is to fast-track law-making in autonomous driving
▪ What compliance obligations to meet to transfer data from within China?
▪ Chinese government uses digital forensics technology to dig bribery evidence
▪ A Chinese medical device distributor fined CNY 50,000 for bribing with Moutai
▪ How would Chinese E-commerce Law affect you (1)?
▪ Conflict between the culture and the Party’s rules: $70 gift money got a director
▪ "Excessive Pricing" from perspective of Competition Law
▪ Does China prohibit cross-border transfer of scientific data?
▪ Hypermarket Caesar jailed for ten years for giving “reward for go-between”
▪ How is environmental protection tax collected in China?
▪ China Redefined Bribery Anticompetitive in Nature
▪ China is to amend its Constitution
▪ Chinese government vowed to crack down on bribe givers more harshly
▪ China has its own Dodd-Frank; the award for whistleblower could be US$ 80K
▪ Chinese government may LIUZHI a suspect of wrongdoing
▪ Cooking clinical trial data is rampant and now criminally punishable in China
▪ 5th Viadrina Compliance Congress
▪ Does a compliance bird eat nothing?
▪ How Are Drugs Being Sold in China Despite the Anti-Corruption Crusading
▪ Chinese whistle-blower lauded while French boss fled out of China
▪ Life Sentence for Deputy Chief Justice of China
▪ Why Is Chinese Anti-bribery Law a Very Important Compliance Obligation?
▪ The Report on Corporate Compliance Management in China (2016)
▪ Use of "predictive coding" in eDiscovery document review…best friend or job replac
 
Home > Personal Information
European Court of Justice Abrogates Data Retention and Allows Data Detention
By Wolfgang Zankl | 2014/4/24 16:24:09

Due to the fact that providers usually supply only technical infrastructures, they can - according to the European E-Commerce Directive - basically not be held liable. For example, a host provider is exempt from any liability as long as he has no knowledge of violations; access providers are completely released of any liability whatsoever, even if they have positive knowledge of infringements.

 

In rather the opposite way the ECJ judgment of March 27, 2014, states that holders of copyrights (in this specific case: Constantin Film) can apply for a court order to force access  providers (here the Austrian provider UPC) to block their customers' access to  websites containing infringements of such copyrights. This is remarkable because so far holders of rights had to prosecute the operator of violating websites or - under certain circumstances - host providers or customers of such sites rather than access providers who, as mentioned before, only supply a technical environment. This approach of the ECJ is not only new but also questionable, for several reasons: the first and most significant argument against website blocking obviously is that it means an infringement of fundamental rights, namely the customer´s right of freedom of information according to Article 10 of the European Convention on Human Rights[1] (ECHR).

 

A counter-argument could be para 2 of Art 10 which allows restrictions of the right of freedom of information as long as such restrictions are necessary to protect rights of other individuals. This is what the ECJ seems to have in mind when it emphasizes that  not blocking a website could be a violation of copyrights and related rights, which are intellectual property and are therefore protected under Article 17(2) of the Charter of Fundamental Rights of the European Union (CFREU). According to the ECJ the blocking measures adopted by access providers  must therefore be “strictly targeted, in the sense that they must serve to bring an end to a third party’s infringement of copyright or of a related right but without thereby affecting internet users who are using the provider’s services in order to lawfully access information”.  

 

This restriction does not really solve the problem though because it remains unclear how providers should exactly handle this complicated and sensible balance. And moreover, and returning to fundamental rights arguments, the ECJ does not deal with the fact that website blockings can easily be bypassed, even by users with average internet knowledge[2]. Considering this, it can hardly be said that such blockings violating the right of freedom of information according to the mentioned Art 10 para 1 are, in terms of Art 10 para 2, “necessary” to protect  the rights of other individuals.  And finally it should not be neglected that an obligation to block websites means legal uncertainty, because it raises the question whether providers  can now be obliged to block all kinds of pages (for example Youtube) which contain copyrights infringements. It has been argued that in its enquiries to the ECJ the Austrian Supreme court referred only to internet pages which make content accessible "exclusively or predominantly" without permission of the copyright holder (and that therefore Youtube would not be affected of the ECJ’s judgment). The problem is that the ECJ’s judgment was not restricted to such sites, for which reason sites like Youtube could also be affected by blocking requests of copyright holders. But even if the ECJ judgment - contrary to its wording - would be confined to "exclusively or predominantly" infringing sites, there would remain the problem what “predominantly” exactly means, and there would also remain the even more complicated question how and by whom it should be decided whether the illegal content predominates the legal content.        

 
The second judgment of April, 8th 2014, which canceled the very controversial European Directive on Data Retention (which had been imposed 2006 in the aftermath of terror attacks in Madrid and London in 2005) is, compared to the first judgment of March 27, much more precise and plausible in its argumentation concerning fundamental rights.  


Again, the cause of the complaint came (among others[3]) from Austria (the Austrian Constitutional Court) and again the case was about providers and their customers’ fundamental rights. The Directive introduced an obligation of internet and telecommunication providers to store customers’ traffic and location data (who is calling, e-mailing or texting whom, when and where). Upon request providers have then to submit the collected data to the responsible law enforcement authorities.      

 

The content of such data is exempt from storage and release to the authorities according to the Directive. But still, in many cases it is easily possible to trace content information by simply taking a closer look at traffic data. If a person is, for example, frequently calling a certain lawyer, it is quite obvious that this person is a client. If a person keeps sending and receiving e-mails to and from a doctor specialized in HIV diseases it is very likely that such person suffers from HIV and so on. By analyzing location data it is easy to keep track of activities carried out, of social relationships or environments of an individual and so on.

 

The ECJ regards this as a violation of the fundamental right of respect for private life[4], as a violation of the protection of personal data[5] and as a violation of the right of respect for freedom of expression[6]. The Court came to the conclusion that, by adopting the Data Retention Directive, EU legislation has exceeded the limits imposed by compliance with the principle of proportionality.

 

Furthermore the ECJ emphasizes that there is no precise definition of “serious crimes” which should be prevented by data storage according to the Directive; and the ECJ also underlines that a duty to save the customer´s data up to two years is way too long, and that it is not determined where data should be stored regionally. The ECJ finally points out that the Directive lacks requirements to ensure effective protection of the data retained against the risk of abuse and against any unlawful access and use of that data.

 

This view is to be utterly welcomed, because it corresponds to an overwhelming number of critical reviews. The e-center and many other institutions, scholars and courts throughout Europe have provided rich evidence that the complete and comprehensive surveillance of all European citizens irrespective of a given suspicion of having committed or being about to commit a crime means an absolutely unacceptable interference with fundamental rights. It remains to be seen, how the decision of the ECJ will affect the transformations of the Directive in the Member States. But it is clear that sooner or later these national laws based upon the Directive will either have to be adapted to the decision of the ECJ or be completely abolished.

 

For reasons already mentioned before, the latter would definitely be the better option: para 1 of Art 8 ECHR states that “everyone has the right to respect for his private and family life, his home and his correspondence”. According to para 2 “there shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others”.

 

The emphasis of the exemption to the right of privacy according to the mentioned Art 8 lies, again, on the word necessary. The interference with the right of privacy has to be necessary in order to be justified.

 

That this is not the case with Data Retention can easily be proved by European statistics which have brought clear evidence that Data Retention has no influence whatsoever on crime detection rates.[7] From this point of view it can hardly be said that Data Retention is “necessary”. And it can of course also be easily avoided by simply using prepaid anonymous devices or by surfing not from an identifiable office computer or at home but, for example, from an internet café. No trace will be left and so no data retention is possible. It can be expected that criminals will be skilled enough to realize and consider such obvious measures. So what we get in the end is not surveillance of those who should be observed but of those who should not. This can obviously not be “necessary”!

 

The same can be assumed for surveillance irrespective of any suspect – a principle Data Retention is presently based upon. So if,  for whatever reasons, Member States should decide to hold on to data retention (which they should, according to the arguments mentioned before, not do) they should, aside from considering the ECJ judgment, at least refrain from saving data on a general basis independent of any specific suspicion. The much more adequate way in terms of fundamental rights would be a quick freeze procedure storing only data of individuals being at least suspected of committing or having committed a crime. 



[1] ”Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers. This Article shall not prevent States from requiring the licensing of broadcasting, television or cinema enterprises.”

See also Article 11 of the Charter of Fundamental Rights of the European Union: “Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers.”

[2] There are many ways to bypass an internet censorship. One way for example is changing the DNS (Domain Name Server) in the network configuration, another way is using a proxy server such as “hide my ass”.

[3] Irish High Court.

[4] Article 8 of the ECHR: “Everyone has the right to respect for his private and family life, his home and his correspondence”. Article 7 CFREU: “Everyone has the right to respect for his or her private and family life, home and communications”.

[5] Article 7 CFREU: “Everyone has the right to the protection of personal data concerning him or her”.

[6] Article 11 CFREU: “Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers”.

[7]The statistics show the detection rate of various crimes, for example, bank robberies, computer crime, etc.

The Max-Planck Institute determined that the accessibility to data storage, did not change the crime detection rates (for example computer crime statistics 2007: 50%; 2008: 40%; 2009: 42%). The Institute came to the same result in connection with child pornography crimes. July 2011; direct link: https://www.bmj.de/SharedDocs/Downloads/DE/pdfs/20120127_MPI_Gutachten_VDS_Langfassung.pdf?__blob=publicationFile.


Tweet Like Email LinkedIn
There are no comments for this journal entry. To create a new comment, use the form below.
    Enter your information below to add a new comment.
Author:   
Email:    (optional)
URL:    (optional)
Content:  
    
  Comment Moderation Enabled
Your comment will not appear until it has been cleared by a website editor.
The Compliance Reviews COPYRIGHT © 2013-19 All Rights Reserved. Supported by International Risk and Compliance Association and International Risk and Compliance Institute Limited. 沪ICP备10034943号-8
沪ICP备19033746号-4
沪公网安备31010502002477号