 |
| Via Wikimedia |
On 8 April 2014 the Court of Justice handed down its
judgment in the cases of Digital Rights Ireland against the Irish authorities
and of the Austrian Constitutional Court against the Government of Carinthia
and Mr Seitling, Mr Tschohl and other complainants, Cases C-293/12 and C-594/12, declaring the invalidity of the Directive on the retention of
telecommunications and electronic communications data of 2006, hereinafter the
“Directive”, with effect from the date on which the Directive entered into
force.
What were the requirements of the Directive? What type of
data was retained?
With the goal of combating terrorism and other serious
offences, the Directive required telecommunications companies and internet operators to register and
retain the following data from all types of telephone calls (fixed and mobile
as well as unanswered calls) and e-mails during a period of between 6 and 24
months, depending on the applicable legislation in each state:
- In the case of fixed telephones, the data of the calling telephone number and destination number, the names and addresses of the persons calling and those to which the telephone numbers were registered at the time of connection, as well as the telephone service used and from where they were calling, but not the content of the conversation, which required judicial authorisation.
- In the case of mobile telephones, the identifier of the device was also required.
- In the case of internet, the dynamic and static IP addresses assigned by the internet access provider, the name and address of the user and data necessary to identify the date, time and duration of a communication.
- In the case of a pre-paid card, data regarding the date and time of the activation of the service also needed to be retained.
Reasons for the invalidity of the Directive
The Court of Justice indicates that the requirements on
telecommunications operators imposed by the Directive entails a wide-ranging
and particularly serious interference of the fundamental right of individuals
to privacy and the protection of their personal data, given that there are no
substantive and procedural limits in the Directive regulating and restricting
those interferences to what is strictly necessary, thus exceeding the limits of
the principle of proportionality.
In fact, the judgment states that “the Directive covers, in
a generalised manner, all persons and all means of electronic communication as
well as all traffic data without any differentiation, limitation or exception
being made in the light of the objective of fighting against terrorism and
serious crime.”
Consequently, the judgment holds that the said data taken as
a whole, what we call Big Data, may provide very precise information concerning
the private lives of the persons whose data has been retained, such as the
habits of everyday life, permanent or temporary places of residence, the
activities carried out in their daily life, when going out or on holiday, the
relationships, friends, of those persons and the social environments frequented
by them, in short all their life, thoughts, beliefs, feelings, location, and
that of their children, current accounts, without prior information provided or
consent sought to process that data, basic principles of the fundamental right
to the protection of personal data.
In its judgment the Court of Justice examines whether or not
such interference in fundamental rights is justified, and although it
recognises that the Directive:
(i) does not allow for the content of electronic
communications to be revealed,
(ii) requires internet service providers to respect certain
data protection and security principles and
(iii) requires that the retention of data for the purpose of
possible access to them by the competent national authorities must genuinely
meet objectives of general interest in the fight against serious crime in order
to ensure public security
the Court
declares that the Directive does not provide for sufficient safeguards to
ensure effective protection of the data retained against the risk of abuse and
against any unlawful access and use of that data.
As a
result, there is no formal requirement to apply reinforced security measures to
protect the said information or to review or audit the measures taken to verify
whether they have been fulfilled and prevent the data from falling into the
hands of persons or entities that may make unauthorised use thereof, from the
creation of personality or behavioural profiles, to a criminal use thereof,
blackmail, house burglaries or theft of money, kidnapping of individuals or
their family, etc.
As everyone
knows, the application of security measures requires investment, and the Court
indicates that the Directive allows service providers to take into account
economic considerations when determining the level of security which they apply
(in particular as regards the costs of implementing security measures) and does
not ensure the irreversible destruction of the data at the end of the data
retention period.
In fact, the security of individuals is also affected
because, according to the Court of Justice, the directive does not require the
data in question to be retained within the European Union. As a result, the
Directive does not guarantee that the data will be processed with the same
levels of security and the same protection criteria as those existing in the
EU, an essential principle, duly established and consolidated in the European
legislation governing the processing of personal data in the EU, nor does it
require authorisations from the competent authority or checks of the levels of
security applied to the data in third countries.
Conclusion
Technological development has resulted in the possibility of
everything about us being known, and each and everyone of us being vulnerable
to attack from the standpoint of cybersecurity, the only limits to an attack
being how long a hacker takes to get hold of the data and what are the measures
put in place by companies and governments to slow down the attack, detect it
and put a stop to it. The current location of the war and the power of
information is space and I am not referring to airspace but to cyberspace, even
though this may sound like something from Star Wars.
The abuse of our data by some governments, from the
espionage of the NSA to that of other countries such as the Ukraine, leads us
to once again consider the need to defend our security, without which there is
no freedom or democracy, and hence to protect our data, congratulating the
Court of Justice on its decision.
The recent invalidation of the Directive on the retention of data by the Court of Justice has significant implications, especially when considering dissertation topics in higher education. This ruling sparks critical discussions around data privacy and its impact on higher education institutions.When delving into dissertation topics in higher education, it's essential to stay updated on legal and regulatory changes like this. One intriguing avenue to explore could be the role of data retention and privacy within educational institutions.
ReplyDelete"Exploring the Court of Justice's verdict on the Directive and its implications for data privacy and protection. A comprehensive analysis shedding light on the challenges posed by the retention of telecommunications data. Do you need a PAM in KSA. I am happy I'd be assisting you as a professionally.
ReplyDeleteThe recent decision by the Court of Justice declaring the data retention directive invalid highlights the growing focus on privacy and data protection. As businesses navigate these changes, partnering with شركات امن المعلومات في السعودية becomes crucial. For reliable cybersecurity solutions, visit Security Pact, a leader in protecting your digital assets and ensuring compliance with evolving regulations.
ReplyDelete