What would the end of the current European Data Retention Directive (DRD) mean for business?
Plenty, if the European Court of Justice (ECJ) decides to opt for the strong opinion given it last week by its advocate general, Pedro Cruz Villalón, in a landmark case taken by privacy advocates Digital Rights Ireland.
In a ruling almost certainly influenced by the ongoing revelations from US whistleblower Edward Snowden about secret surveillance by the US National Security Agency (NSA) and GCHQ in Britain, Mr Cruz Villalón advised that the controversial 2006 directive was unlawful and incompatible with the Charter of Fundamental Rights, and recommended it be overturned.
Data retention, he wrote, is “a permanent threat throughout the data retention period to the right of citizens of the union to confidentiality in their private lives”. Retained data is so comprehensive that it could easily reveal private identities, which are supposed to remain anonymised. And data entrusted to third parties is at too much risk of fraudulent or malicious use.
In particular, he highlighted concerns about the burden, often without reimbursement, placed on internet service providers (ISPs) to store data and comply with access requests, and the practice of outsourcing data retention to third parties who may place data into “the cloud”, outside the European Union, where they are no longer subject to EU protections.
The directive does not provide adequate justification, protection or oversight for these practices, he wrote.
Those observations will be of concern to the many multinationals that offer cloud storage and in some cases provide contracts to store and manage retained data, business services that comprise a multimillion-euro income stream.
But those points provide a vindication to Irish ISPs who for a decade raised just such concerns with Irish governments and the EU.
"It was nice, after all this time, to have the AG reflect some of the issues that we at the ISPAI [Internet Service Providers' Association of Ireland] have raised over the years," said ISPAI chief executive officer Paul Durrant.
“It does really vindicate what we were saying. Customers have to have confidence in us and know their data logs aren’t being viewed.”
The ISPAI protested that the ISP industry should not have to carry the cost of the data retention scheme in Ireland, which is based on the directive. This, said Durrant, is like expecting the Irish automotive industry to provide and maintain the Garda vehicle fleet for free.
Transparency
Over the years, the organisation also raised concerns about the transparency of the Irish retention law, the lack of clarity on the types of data to be retained, and for which specific types of crime. It criticised what it saw as poor oversight for the retention scheme, which required only an annual sign-off report from a single State-appointed judge.
While the ISPAI would like to see data retention dropped entirely, Mr Cruz Villalón has proposed it be retained but with the legislation substantially rewritten. If the ECJ goes with that option in its final decision “we’d be very glad to see this [law] tightening,” Mr Durrant said. In his advice, Mr Cruz Villalón also noted the broad but potentially revealing nature of metadata, the descriptive information about digital content that is a large piece of the “big data” picture, often stored and managed in the cloud.
Metadata
This metadata, he wrote, should be considered "special data" with clear, additional protections.
“The data in question [is] not personal data in the traditional sense of the term . . . but ‘special’ personal data, the use of which may make it possible to create a both faithful and exhaustive map of a large portion of a person’s conduct, strictly forming part of his private life, or even a complete and accurate picture of his private identity”.
As big data and cloud computing are two of the biggest developments in business information technology at the moment, any move to legislate for greater protections and safeguards around data and metadata in Europe would have an impact on businesses of all sizes, and the large IT providers offering data services.
Such a move would also create a potential US v EU business conundrum. IT companies would have to provide separate services for European companies, to meet European data retention and data protection requirements, if the same protection is not mandated by non-EU governments. Or European businesses might opt for services from European companies.
However, in a first ruling of its kind, a US federal court judge ruled last Tuesday that the NSA likely violated the US constitution’s fourth amendment by gathering and retaining call data – its metadata – for US phone users.
His ruling echoed many of the points from Mr Cruz Villalón. The case was brought in response to information on NSA surveillance provided by Snowden.
With several more such US cases in the pipeline, the legal response to this year's document leaks is only beginning. US observers expect the issue to eventually land with the Supreme Court.
The upshot may be that, after years of EU-US wrangling over principles for sharing and managing data, Europe and the US may find it is their courts that finally provide data protection harmonisation across these two huge business markets.
Data justice: Digital Rights Ireland case to proceed after European court decision
In 2006 Irish privacy advocates Digital Rights Ireland (digitalrights.ie) launched a case against the State that questioned the legality of Irish data-retention legislation requiring that phone companies and internet service providers gather data about customer locations, calls, texts and emails, and store that information for up to two years. Brought by McGarr Solicitors, the case challenges the constitutionality and the implementation of Ireland's legislation, both the Criminal Justice (Terrorist Offences) Act 2005 and the State's 2006 implementation of the EU data-retention directive (2006/24/EC).
In 2012 the High Court referred the case to the European Court of Justice (ECJ), asking for an opinion on the validity of the EU directive.
In July 2013 the case was heard by the ECJ, coupled with a related Austrian case. Last Thursday, following normal ECJ procedure, the ECJ’s advocate general presented his advisory legal opinion on the case, which recommended the directive be overturned.
The ECJ will give its decision in the new year. In the past it has followed the advice of the advocate general in 80 per cent of cases. Once the verdict is given, Digital Rights Ireland’s case against the State’s legislation will proceed.