Thursday, 27 November 2008

Someone in Brussels should listen to Ireland

EUOBSERVER / COMMENT – The European media has been awash with stories of government excess in electronic surveillance and retention (as well as loss) of personal data. But the European Commission, aided by the European Court of Justice (ECJ) has set its sights on not only assisting such excesses, but mandating them. Not so fast, or at least, not so easily, says Ireland.

On 14 October, the ECJ advocate general upheld the competence of EU member states to enact Directive 2006/24 (on retention of data generated or processed in connection with the provision of publicly available electronic communications), based solely on Article 95 of the EU treaty on single-market competence. The opinion rejected Ireland’s claim that the legislation should be enacted under the EU’s “third pillar” competence on judicial and police co-operation.

The purpose of Directive 2006/24 is “to harmonise … the retention of certain data … in order to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each member state in its national law.”

To the untrained eye, it would be hard to imagine a more straightforward attempt to legislate the collection of data for police co-operation among member states, an activity that falls squarely within third pillar competence.

The “third pillar” of the EU sets out those areas where member states have so far been reluctant to hand over full sovereignty to the EU, as they have done on the single market. Third pillar measures require unanimity, while single market moves work via qualified majority. Third pillar actions retain “intergovernmental” status, comparable to a standard agreement under international law between fully sovereign states.

To reach his conclusion, the advocate general, Yves Bot, acknowledges Directive 2006/24′s crime-fighting purpose, but says the different costs of data retention by internet service providers (ISPs) might harm the internal market in electronic communications. His opinion fails to mention the importance with which member states have viewed data protection over the past five decades.

Personal data protection is an important offshoot of the fundamental right of privacy as set out in the European Convention on Human Rights, the International Covenant on Civil and Political Rights, and the EU Charter of Fundamental Rights. It has deep roots in the post-World War II constitutions of EU states.

As a human right, by definition, it protects individuals from the state. The concept of “privacy” – as an instinct that drives us to walk off into a corner to talk on our mobile phone or close the curtains when we are having sex – has diluted its primary function and made most of us associate it with our neighbors rather than the state. This needs to be corrected before the right is lost altogether.

The Nazi census of 1933

Personal data protection law first arose in Germany, based on a belief that the facility with which pre-war abuses of human rights were carried out was at least partly attributable to the excessive accumulation of personal data by the Nazi regime, made possible by a purpose-built census designed for the regime by IBM in 1933.

In the 1990s, the rapid growth of the internet, advanced telecommunications and new genetic and biometric technologies accentuated the need to protect the fundamental right of privacy in general.

A 1995 European Community directive (95/46) harmonised the protection and free movement of personal data between member states. It includes the proviso that personal data should not be sent to any non-member state unless it is established that the recipient country provides a similar level of legal protection.

In 1997 the European Community added another directive (97/77) on data protection in the telecommunications sector, followed by a European Community regulation in 2001 (2001/45) on the protection of data processed by EU institutions. The regulation also established the European Data Protection Supervisor. Like the two directives, it applies not only to data movement within the EU but to personal data sent to non-member states.

The 9/11 moment

The unfolding of “globalisation” with its new communications technologies and facilitation of transnational crime along with reactions to the events of 11 September, 2001, introduced serious threats to many individual rights. The “war on terror” and overriding claims of “national security,” combined with heightened interest in preventing crimes ranging from trafficking to intellectual property offences, exacerbated the tension between state (and economic) interests and individual privacy.

In November 2001 the US enacted legislation requiring all air carriers to provide US customs authorities with access to extensive electronic data on all passengers entering or leaving the US (passenger name records, or PNR).

“The EU” in July 2007 agreed to transfer the data – no one seemed bothered by the fact that “the EU” has no legal personality and cannot therefore enter into such an agreement, while the US has no solid data protection laws. A week later the US Department of Homeland Security requested that all negotiation documents related to the PNR deal be kept secret for 10 years.

Feeling perhaps that it had given something for nothing, in late 2007 the EU proposed its own PNR requirement laws modelled on the US. Pre-empting claims that this violated fundamental rights, the proposal states that “terrorism constitutes one of the greatest threats to …fundamental rights.” Finding existing legislation “sufficient only for identifying known terrorists and criminals,” the EU “now needs intelligence for making associations between known and unknown people.”

Also responding to 11 September, a 2002 European Community directive (2002/58) limited protection of personal data afforded in the original 1995 law by enabling member states to restrict rights to safeguard national security, “defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system.” The expansion of state powers from doing what is necessary to pursue terrorists to “criminal offences” and “unauthorised use of electronic communication systems” is noteworthy.

The 2006 directive – the subject of the attorney generals’ decision at the beginning of our story – amended the 2002 law by actually mandating data retention, with the European Commission now trying to slip the new bill through the single market line despite Irish objections.

Precipitous decline

The decline in privacy in Europe has been precipitous – out of the 27 EU states only Germany found the introduction of “body scanners,” which expose people’s naked bodies to border officials – to be an affront to human dignity. The introduction of the scanners was eventually scrapped. But the 375-168 victory in the lower house of the German parliament on 12 November, favouring new laws to enable spying on computers and tapping conversations indicates that even in the home of personal data protection, all is not well.

This decline is particularly marked in the UK where universal databases containing information ranging from DNA and biometrics to medical detail have recently been proposed.

The recent US judicial recognition of US border officials’ power to copy the hard disks of air passengers received little or no official comment in Europe, where companies fearing exposure of trade secrets now advise employees travelling to the US to go with empty computers. This will be of scant effect if last week’s opinion by the advocate general is upheld by the ECJ and national measures like the UK database plans become law.

Mr Yves Bot’s approval of legislation forcing member states to require ISPs to collect and retain customers’ personal data will, if followed by the ECJ, provide yet another reversal of privacy rights built up over the past 50 years. If approved under single market competence, it will also be a strike against the democratic representation of all EU citizens.

Ironically, the Charter of Fundamental Rights with its Article 8 protection of personal data is inoperative until the Lisbon treaty comes into effect. Rejecting Ireland’s challenge to what seems an obviously flawed legislative competence might not be the best way to gain support for a treaty that would place even more power in Brussels.

Disturbing picture

While the question posed in the ECJ single market/third pillar verdict appears to be a narrow one, the underlying question is whether Europe still supports fundamental rights of data protection.

In an era where EU member states, most notably the UK, violate privacy rights to a degree inconceivable even two decades ago, Europeans would be justified in expecting that their unelected officials in Brussels would at least make a show of protecting their rights. The forces, internal and external, in favour of reducing personal data protection are formidable.

“National security” and the “War on Terror” have taken the entire western legal order into dangerous territory in terms of reversing advances human rights law has made since its inception after World War II. Even in the United Kingdom, no reduction in criminal activity has been noted. Initially designed to weed out “terrorists,” this movement now feels justified to undertake full-scale surveillance over all individuals.

It is not just the chilling effect of ubiquitous state surveillance that is at issue in these developments. Corporate economic interests, including but not limited to intellectual property holders, have “caught the coat tails” of this onslaught on privacy.

Once the state has full access to our personal data, communicated or stored in our hard disks or held by internet service providers, no one is safe and there is no reason to believe that good faith will prevail.

By Virginia Keyder
Virginia Keyder teaches EU law at the Bogazici University and the Sabanci University in Istanbul, Turkey

This article first appeared on EU Observer