rC3 2021 Chaos-West TV preroll music
Herald: Good, good afternoon, everyone.
This upcoming talk is "Stop general data
retention in the European Union and the
current plans for mass surveillance".
And it is not in German as the Fahrplan
suggests. It's all done in English, but…
Dieser Vortrag wird also
simultan übersetzt ins Deutsch.
So that's the extent of my German.
I will carry on introducing the speakers.
Also not included in the
line up in the Fahrplan is
Friedemann Ebelt, a freelance campaigner
in Germany against data retention.
Another German is joining us,
that is Patrick Breyer
who is a member of the European
Parliament for the German Pirates.
And we stay in Brussels for a little bit
with Chloé Berthélémy, who is a policy
adviser of European Digital Rights.
And we are also staying a little bit
in European Digital Rights, because
We also have the chairman of
the Danish NGO IT-Pol, Jesper Lund
That group's also an EDRi member.
And last, but definitely not least,
We have TJ McIntyre, who is a lecturer at
University College Dublin, but is also
part of Digital Rights Ireland. And is one
of the brains, together with Austrian NGOs
and activists, behind the original
DRI Ireland case in front of the
Court of Justice of the European Union,
which struck down data retention.
That was already in 2016.
Time flies when you're getting old.
I'm going to hand it over to Friedemann,
who is moderating this panel.
Friedemann Ebelt: Thank you, Walter,
for introducing this talk.
And welcome everybody to this talk on mass
surveillance of our communication data in
the European Union. And also thanks you
for your interest in this very important
issue. I had the joy to organize this talk
and I will help to navigate a little
through this session. And the key
questions of this talk are going to be:
What is data retention?
And what are the problems?
Also, what is the legal situation
in the European Union?
And what are member state
governments actually doing?
What is the Commission of
the European Union doing?
And what's going on
in the European Parliament?
Also important questions are…
What's the situation in Germany?
What's the situation in France,
Ireland, Denmark and Belgium?
And what can we expect from
the new year, from 2022 and the future?
And of course, for many of you,
one of the most important questions:
What can citizens do about mass
surveillance of communication data?
You will find more information
on the speakers, and you will find also
the audio and video to download on
media.ccc.de
You can just search for data retention.
And of course, if you like,
you can recommend the talk to others.
In general to follow the discussion on data
retention during the year 2022 and beyond
you can use the hashtag
#DataRetention
or the equivalent in your language.
In German, this would be
#Vorratsdatenspeicherung
Patrick Breyer,
as the member of the European Parliament,
will start this talk with the question:
What is data retention,
and what are the problems?
Patrick Breyer:
Thank you very much Friedemann.
And thanks everybody
for joining us for this talk.
Data retention has been called the
most privacy-invasive scheme ever
adopted by the European Union. But what
does the term mean exactly? Now, data
retention means that a record is kept by
your providers on all phone calls you made
and received, on all electronic messages
you sent or received, as well as on the
IP address that was assigned
to each of your internet connections.
So this means that the record does
not contain the content of your calls
and messages, but details on who you
were communicating with, at what time,
and, in the case of mobile devices,
where you were located.
This record can be accessed by public
authorities to investigate suspects
of serious crime. But it will be created
even if you are not suspected or in
any way remotely connected to any crime.
So what is the problem with
creating this sea of personal data?
For the first time with data retention,
sensitive information is amassed
on the everyday social contacts,
including business contacts,
on the movements and on the private lives
of millions of citizens that are not even
remotely connected to any wrongdoing.
The German Constitutional Court said
that data retention has a broader range
than anything in the legal system to date.
And the idea of collecting information
just in case you might need it
in the future, that idea opens the
floodgates to recording our entire lives.
Including collecting our travels, using
ANPR data, facial recognition data…
You name it. This idea of retaining "just
in case" is what is dangerous about this
data retention. And that's why we are
fighting this precedent so hard.
It normalizes mass surveillance.
Besides, a blanket telecommunications
data retention has proven
to be harmful to many sectors
of society. It disrupts confidential
communications in areas that legitimately
require non-traceability. For example,
contacts with psychotherapists, with
physicians, lawyers, workers councils,
marriage counselors, drug abuse
counselors, help lines, et cetera. It thus
endangers the physical and mental health
of people in need of support, as well as
of people around them. For example, a
German crisis line reported they once
talked a student out of a killing spree
that he was contemplating at his own
school. And you know, if you start
recording information on these contacts
and people risk being prosecuted, they
might no longer call and it might not be
possible to dissuade them from these
kind of crimes. Furthermore, the inability
of journalists to electronically receive
information through untraceable channels
compromises the freedom of the press,
damages preconditions of our open and
democratic society. Blanket data retention
creates risks of data abuse and loss of
confidential information relating to our
contacts, movements, and interests. And
communications data are particularly
susceptible to producing unjustified
suspicions and subjecting innocent
citizens to criminal investigations
because they relate to a connection point,
not a specific person. And let me briefly
explain why data retention is the problem
and not the solution for law enforcement.
It is, as I explained, a weapon of mass
surveillance directed against the entire
population. But on the other hand, the
results are not even statistically
significant. So neither the number of
crimes, nor the crime clearance rate
depends on whether you have data retention
legislation in place in a country or not.
So I've commissioned the European
Parliament's research service to look at
the statistics throughout the EU, and they
didn't find one country where the
crime rate or the number of crimes
depended on is a data retention law in
effect or not. But you'd expect it, you
know, considering the breadth and mass
of information that's being recorded.
Obviously, there are typically other ways
of clearing crimes than historical
records. And also, blanket retention may
have counterproductive effects, pushing
criminals to other terms and making
investigations even more difficult in some
cases. And specifically, I want to say, in
relation to child pornography online,
which is really the favorite, most popular
argument that proponents use currently.
Let me underline that in Germany, without
mandatory data retention in force, 91% of
all investigations of child pornography
are cleared. And the crime clearance rate
actually dropped when IP data retention
came into force in Germany, about 10 years
ago. Besides, anonymous communications
protects children by allowing for
anonymous counseling that they are in need
of, by allowing for anonymous self-help
groups, by allowing them to anonymously
file criminal charges. So don't be
mistaken about the killer argument of
child pornography. It's an excuse, not a
valid justification.
Ebelt: Patrick, since you explained what
blanket or general data retention is all
about, it seems pretty clear that it's a
huge problem in democracies. And it's a
huge problem for the freedom of our
communications. But how about the legal
situation? And this is something TJ
McIntyre, chairman of Digital Rights
Ireland, will explain us right now. TJ…
TJ McIntyre: Thanks Friedemann. So the
situation here, if we go back to the early
part of the 2000's, is that even in the
run up to 9/11, governments were using
this kind of data retention essentially in
secret. And they were getting telecom
companies to retain this information
without usually any real legal basis. And,
after that was exposed, the early part of
the 2000's saw some national laws being
rushed in, in a hurry, to try to legalize
this practice. But it also saw a lot of
challenges brought by civil rights groups
to these practices. And there were
successful challenges in many individual
countries on different grounds, in
Germany, Romania, Bulgaria and so on. But
what was most interesting from my
perspective was when the battle shifted to
the European level, because there was a
move to introduce a European law, which
would require data retention across all of
Europe, which was eventually adopted as
the so-called Data Retention Directive.
And we in Digital Rights Ireland, along
with colleagues from many other civil
rights groups, brought action seeking to
challenge this. And eventually we were
successful in doing so before the European
Court of Justice in 2014, which
invalidated the directive on the basis
that it was essentially disproportionate
and a gross invasion of privacy, one that
creates real risks of abuse. If we had a
piece of legislation which involves
creating these huge dossiers of data on
everybody indiscriminately. So that was
2014, and since then we've seen massive
national pushback against this finding,
that this kind of indiscriminate data
retention is disproportionate and
therefore contrary to European law. And
we've seen multiple cases since then where
national governments have tried to
persuade the European Court of Justice to
change its tack. There was a judgment in
2016 in a case brought by litigants from
the United Kingdom and from Sweden, the
Tele2 and Davis and Watson case. There was
a judgment in 2018 in a case arising from
Spain. There was a judgment in 2020 in a
case coming from France and the United
Kingdom, the Quadrature du Net and the
Privacy International joint cases. And
again and again and again, what national
governments have tried to do is to
persuade the European Court of Justice
that it was wrong in 2014. That this
finding that mass indiscriminate
surveillance is unacceptable in a
democratic society should be rolled back.
Now, to my mind, what's very interesting
is what's happening at the moment. Because
there is yet another of these cases, in
fact, three parallel cases before the
European Court of Justice at the moment,
where national governments have
essentially again tried to square up to
the European Court of Justice. Where
collectively – this is really quite
remarkable, I don't think we've ever seen
such a coordinated set of national
disobedience to court rulings before –
where collectively, national governments
across the EU have tried to say to the
European Court of Justice, "we need this
kind of mass surveillance," – though,
without producing any evidence to show
that it's in fact necessary, as Patrick
points out – "We need this kind of mass
surveillance. We think you are wrong. We
want you to change your mind on this." So,
this to me is rather worrying because it
shows, I think, a degree of lawlessness
here. National governments are unwilling
to accept the findings of the highest
court in Europe on this point. In some
countries – in Ireland, for example – the
law and the theory hasn't been changed at
all. Despite the multiple judgments in
this area, Irish law remains as it was in
2011, so predating all these cases. And
the Irish government has essentially
indicated that it plans to keep that law
in place until it is forced by the
judgment of the national courts to do away
with it. So we have, I think, a very
difficult situation here. In one sense, of
course, we've been very lucky. We've
achieved a number of very important
judgments from the European Court of
Justice. We have a court there whose
members understand the importance of this
issue. But against that, you have a real
problem here with national pushback and a
desire to eventually force down the
court. And perhaps wait until the
composition of the courts changes in
future and get more favorable precedents.
So I think, from that perspective, it's
very important that at a national level,
we push to increase the political pressure
against these laws. And, as far as we can
at European level, we try to push the
Commission to act, to take steps against
member states that have refused to
implement judgments of the European Court
of Justice, and to ensure
compliance with European law.
Ebelt: Thank you, TJ. Now, following the
legal situation, let us have a look at the
implementation of law. And here, one of
the or maybe the most important players
in the European Union is the Commission of
the European Union. And this question goes
to Jesper Lund, chairman of the IT-
Political Association of Denmark.
Jesper, what is going on at the Commission?
Jesper Lund: Thank you, Friedemann.
So, essentially, every since the Data
Retention Directive was annulled in 2014,
there has been an ongoing discussion: is
there going to be a new data retention
instrument at the EU level? And so,
besides waiting for the Commission, this
discussion has also been going on in
various working groups of council
where member states meet in secret.
Fortunately, some of that documents are
leaked or obtained through Freedom of
Information Access requests. So we sort of
know from this process that that, as TJ
mentioned, member states are in complete
denial. They refuse to accept that general
indiscriminate data retention is illegal,
and try to move on from that starting
point. So most recently, I think, the
Commission has sort of taken a hold...
wait and see attitude, wait for the next
judgment. But after the La Quadrature
judgement in October last year,
the Commission has come forward with a
non-paper in June which generated a lot of
attention. So it's mostly a paper that
that asks questions to member states, but
sort of reading between the lines of the
paper, we can also see what plans the
Commission might have for a not
necessarily a new data retention law; that
is one of the options for member states.
It could also be guidance for member
states. But sort of going through the
paper, it follows roughly the judgment in
the La Quadrature case. One novel aspect
of that is that the court reaffirmed that
we cannot have mass surveillance, general
and indiscriminate data retention, for the
purpose of combating even serious crime.
But it is possible unfortunately the court
said, it is possible, in certain cases,
to have general and indiscriminate data
retention for national security, if there
is a serious threat to national security
that is as genuine and present and
foreseeable. It's pretty clear from my
reading of the judgment that this must be
an extraordinary situation where
surveilling everybody for a short time can
help prevent a very serious threat to
national security. But the commission is
using that, and member states are also
doing that. We'll get to that later. Using
that as sort of a starting point to have
general and indiscriminate data retention.
So the commission asks – even though
national security is the sole
competence of the member states,
and the commission is very
unsure of any legal basis here –
whether there should be an EU instrument
on data retention for national security.
One thing to note here is that
this might be even worse
than the Data Retention Directive
because the commission indicates that this
should not just cover telecommunications
services, as the Data Retention Directive
did, but also so-called over-the-top
providers (OTT's.) Which would be services
like Signal, WhatsApp, Facebook Messenger,
and so forth. And this could potentially
be an EU legislative initiative, whereas
perhaps data retention for traditional
telecommunications services could remain
with member states. The Commission is also
suggesting that there could be a mixed
approach of national legislation and and
EU legislation. The Commission is also
asking member states about targeted data
retention. This is what the court has said
since, essentially since the first judgement
that general and indiscriminate data
retention is not allowed, but targeted
data retention could be allowed or is
allowed by EU law. And unfortunately, what
the Commission does in this area is so,
take every hint in the La Quadrature
judgement, and sort of amplify to make
targeted data retention cover as much as
possible. It's pretty clear from the
judgment that targeted data retention has
to be the exception, not the rule. It
cannot cover half of the population. But
this part is sort of forgotten by the
Commission in the non-paper. So they
mentioned a long list of areas: critical
infrastructure, transport hubs, and then
areas with above average crime rates. This
is not exactly what the court said; said
specific areas of high incidence of crimes
or above average could very easily include
a large part of a member state. And then
on the person-based targeted data
retention, it sort of mentions almost
everybody who could be of interest to the
police: known organized groups,
individuals convicted of serious crime,
individuals who have been subject to a
lawful interception order, individuals on
watchlists, and so forth. You know the
tendency of the police and secret services
to put people on watchlists in secret,
that this can presumably be very long.
In connection with this – it actually gets
even worse – because in connection with
targeted data retention, the Commission
mentions the idea of having subscriber
information collected on everybody and
verified subscriber information, including
mandatory and EU-wide mandatory obligation
to have registration of anonymous SIM
cards, pay as you go SIM cards. And this
is sort of justified by the targeted data
retention. We need to make sure that
the right persons can be targeted.
The non-paper also mentions quick-freeze
or expedited retention. This is interesting
because quick-freeze data preservation
is what civil society has called for as
the alternative to data retention,
basically ever since the mid-2000s.
And finally, it goes into the generalized
retention of IP addresses, which the Court
of Justice unfortunately allowed on a
general and indiscriminate basis in the
La Quadrature judgement, but limited to
serious crime. Just looking at the
questions, Commission is asking member
states whether sufficient, whether all
relevant cybercrimes are covered by their
notion of serious crime. Let me briefly,
in conclusion, mention some of the member
states' reaction to this. Statewatch did a
Freedom of Information Access request with
the Commission to get a response from
member states. Most of them refused, but
some Denmark, Finland, Germany,
Hungary, Luxembourg, the Netherlands,
and Sweden provided their responses.
In general, they want an EU instrument, but
they're not interested in having that
cover national security. They're also not
too keen on targeted data retention, and
they don't really like the idea of quick-
freeze. So it's not entirely clear what
this EU instrument should cover. Except
while they want, you know, indiscriminate
data retention for everything, but they
can't have that. And that is their chosen
state of denial, which has been going on
since the first judgment in 2014.
Let me let me stop here as the
summary of the present EU initiative,
and we'll continue later.
Ebelt: Thank you, Jesper.
So the Commission is communicating
and negotiating a lot with member state
governments, and the aim seems to be to
find new ways for more mass surveillance.
So of course the question is,
how do national governments
in the European Union treat fundamental
rights and respond to the legal situation?
So what is going on in EU member states?
And maybe let us start with France,
where Chloé from EDRi
can tell us about the situation.
Chloé Berthélémy: Sure, thanks.
I'd like to introduce
a little bit maybe the work
of our EDRi member in France?
So EDRi is a network of members,
and one of them is La Quadrature du Net.
And they were among the main
sounds of fixing microphone
Hmm, would this one work?
Yes, OK. Sorry about that.
Yes, so I wanted to talk about like the
work of like La Quadrature du Net,
our EDRi member in France.
Sorry for all the technical details.
They were one of the main plaintiffs
that led to the landmark ruling,
La Quadrature du Net, that was
mentioned already a couple of times now.
And they brought this case, like the
procedure started already in 2015.
They went in front of the
Council of State in France
after the first ruling by the Court
of Justice of the European Union in
in Digital Rights Ireland and wanted to
have the legal framework in France removed
or annulled by the Council of State. And
obviously, that wasn't to the taste of the
highest administrative court in France,
and they decided to refer yet another
question to the Court of Justice. That led
to the famous ruling in 2020 in October,
saying that the National Legal Framework
in France is actually contrary to EU law
and to the Charter of Fundamental Rights.
But unfortunately, what the kind of, the
aftermath of this ruling in October 2020
shows us is that France is, possibly, one
of the most aggressive, offensive
member states in the EU who is willing to
really pay the price and the high price to
keep its mass retention regime in place.
The reason why I'm saying this is because
the government made a huge advocacy
campaign towards the Council of State,
so the highest administrative court again
charged to actually give its decision
after the CJEU ruling. They submitted
weeks before the decision was released by
the Council of State, a statement of case.
And in this statement of case, they
argued that the Court of Justice
of the European Union would
have actually had abused its powers,
and actually wanted to advise
the Council of State to ignore
everything that the court has said,
and mentioned that this is
way beyond its jurisdiction to
actually limit member states in the EU
with anything related to
the fight against terrorism
or everything related to national security
and therefore the ruling
should be completely ignored.
The Council of State more or less
followed this government approach.
Obviously, not as radical position
as the French government said.
Because I think it was
reported even … the press, that
at one point the French government
was really willing to even negotiate
a reopening of the EU treaties
and notably the charter.
They would go as far as
going against the primary
law of the European Union
to change it in order to accommodate
France needs in terms of national security.
Which was pretty strong and quite telling
in terms of like the contradiction
that there is with France's typical kind
of reputation as a pro-European Union
integration leader. As like, a
reputation it has to just drive
EU integration forward and
be pro-European in general.
So they're really willing
to jeopardize their position
as a strategic position in those fields
to keep mass surveillance in place.
And so to all appearance, even
if the Council of States said that
the decrees in place since 2015 should
be revised, they largely actually give the
legislature all the keys and solutions,
corrective solutions, to just maintain the
surveillance regime in place. So how it
did that? I'm not going to go through the
entire judgment, because it's rich and
there is a lot of conclusions that we
could like analyze, and it's super
interesting. But maybe one that is quite
telling I would mention. And that shows
like how France is willing to do anything
to keep its data retention in place, and
the matter that is indiscriminate in
general, is the reinterpretation of the
notion of national security. And in this
notion of national security, it goes far
beyond terrorism and thus was also like
showcased during the hearing made by the
Council of State just before it released
its decision. There was the general, the
director general of the intelligence
services, talking at the hearing and
mentioning 'actually terrorism, we have
all the legal tools at hand. It's not so
much that you are limited in competence.
What afraid us is more like the, if we
apply the CJEU ruling now, we will have
less power to actually surveil and spy on
people who are at the kind of the
forefront of social movements, or who are
organizing like demonstrations, who are
engaged in social justice fights, and so
on. And so in this context of, in this
notion of national security, the Council
of State is putting any threat to the
economic interests of the French nation.
So they are thinking about economic
espionage, but they're also thinking about
mild, like drug trafficking, even like the
smallest networks in your city suburbs?
Like that could also fall as a threat to
national security and justify the
indiscriminate and general data retention.
And then lastly, the organization of non-
registered protests as a permanent threat
to public peace, they call it "public
peace". And so that would justify
a general kind of threat to national,
that would like demonstrate a threat to
national security permanently and allow
France to keep its indiscriminate and
general data retention regime for good.
Completely contrary to what the Court of
Justice said, obviously. And even going
beyond what France has in place until now,
which was like the state of emergency. I
think this is something that many of you
probably heard in 2015, during the
terrorist attacks. France reacted
strongly, implemented a lot of measures
that were anti-democratic, very like going
against rights and freedoms. That was
supposed to be temporary. Unfortunately,
following the ruling by the Court of
Justice – and this is also a natural trend
and flow – they decided to bring all those
measures that were exceptionally allowed,
in exceptional times. And now they
proposed recently in April – just a
few weeks after, a month after actually
the decision of the Council – a reform that
brings everything, all of these measures
into ordinary law. So obviously what the
Council of State has said: indiscriminate
general retention obviously always OK,
because there's constantly threats to
national security. But there is obviously
other measures linked to house arrest, use
of drones, cooperation with private actors
to enable government hacking into end
devices of users, etc. etc. And so all
of this is packaged into one nice little
law. And the latest development that I can
share with you in France is that the …
the socialists in the parliament blocked
submission of this bill to the council,
the Constitutional Council of France, the
only kind of institution that is left,
that kind of like control a little bit
what the government has to say,
and put forward as legislation.
And unfortunately, the part related,
like the provision related
to data retention in this bill
weren't submitted to
the Constitutional Council,
so they never had any say in this.
And so now the project is adopted.
Which is like, this is…
Voilà. Rubber stamped. What the
Council of State has decided for France.
And this will be very difficult
in the future to attack again.
Ebelt: Thank you, Chloé.
I must admit that it is extremely
interesting to hear about the situation
in France, but it's also extremely shocking
to hear about the strong tensions in the
relations between governments and courts,
and governments and rule of law.
And now, to everybody
who's watching this talk live,
you can send in your
questions to the speakers
by using the hashtag #rc3cwtv,
because we are having a Q&A
after, right after the talk.
And maybe we will come
back to this point in the Q&A.
And the hashtag is for
Mastodon and Twitter.
Since recently,
there's a new government in Berlin.
And also, Germany is next to
or together with France
a big and important player in EU politics.
So also, there's a new situation
in Germany with data retention.
And of course,
this question goes to Patrick Breyer
as a German member
of the European Parliament.
Patrick, what can you tell us
about the situation in Germany?
Breyer: Well, legally speaking,
indiscriminate data retention legislation
is in force, but it's not being applied
due to a pending court cases that have
said that it violates the EU case law
and charter of fundamental rights.
The European Court of Justice will rule,
will decide next year on the compatibility
of the German regime with the European
fundamental rights. And in the meantime,
the new government has agreed that data
should be retained on an ad hoc basis
and by judicial order only. Now, on
the one hand side, this excludes sort of
indiscriminate and general regime. But on
the other hand, after what you've
heard from previous speakers, you will
know that it does not exclude, for
example, a geographically targeted
retention that could cover vast parts of
the country, above average crime rates
and the like. Nor does it really exclude the
retention of data referring to a present
or foreseeable national security threat,
which could also be said to be on an ad
hoc basis. So we'll have to watch
very closely what the government will do.
The Liberals and the new Justice Minister
are advocating for quick-freeze. But
there is a risk, for example, that in the
pending procedure, the courts will not
invalidate indiscriminate IP data
retention. You know, saying that the
European Court of Justice said all IP data
retention is OK. And there is a risk that
the coalition cannot agree, cannot find a
majority to agree on abolishing it
politically. So we'll have to see and
watch very closely how the new government
will behave also at a European level.
Ebelt: Thank you, Patrick. You said there
is a pending procedure on data retention
in Germany, and I know there's also a
pending court case, if I'm not mistaken,
on the national data
retention regime in Ireland.
And TJ, what can you tell us
about the situation in Ireland?
McIntyre: So there are, in fact, three
cases before the Court of Justice at this
moment: one from Germany, one from
Ireland, and a parallel one from France.
And what to me is very interesting about
those cases is not so much the questions
that are asked, but how the court has been
dealing with the case. So the questions
that are asked are basically the same
questions over again. Can we have
indiscriminate mass retention of data
where we need it for dealing with serious
crimes? That is essentially the question
that the Irish court has asked. Again,
it's basically putting it up to the
European Court of Justice to change its
mind. And then the questions from
Germany are very similar, because we're
dealing with the law, which is again
indiscriminate, albeit that the German
retention period has now been reduced to
approximately 10 weeks, I think, Patrick.
And the question from France is a slightly
more technical question and parralel area
of law. But again, the national
governments were taking the opportunity
here to push the agenda of looking to
rewind the time machine to 2014, prior to
the Digital Rights Ireland judgment, and
go back to a situation where mass
indiscriminate retention was allowed.
What the court did, to my mind
which was very interesting,
in dealing with these cases, was
it initially said, right, we're going to
ask the national courts, do they really
want us to hear these cases?
After the La Quadrature du Net
judgement the Supreme Court of Justice
reached out to the Irish Supreme
Court, for example, and said to it
essentially, "Listen, we've already
answered your question. Do you
really want to go ahead with this case?"
And in fact, the advocate general
suggested something even more
dramatic, if you like, as a response.
Where he said that the
response of the courts should be
to dispose of the case using Article 99 of
the Rules of Procedure of the court.
Now that might not sound very interesting,
but Article 99 basically means you can take
an incoming request from a national court
and say, "We've dealt with this already. We
We don't need to hear this case, and we
can dispose of it without a hearing." So
the advocate general and I think the court
itself is intent here on sending a signal
that we've decided, we've made up our
minds regarding these cases, we're not
interested in hearing more and more
national cases coming back to us for
national governments. We'd really like you
to change your mind now. The Court of
Justice, to my mind, is about to send a
signal here where it says, look, the law
on this point is settled. Please go and
try and implement that law in good faith,
as opposed to coming back to us with ever
more ingenious ways of arguing in favor of
mass data retention. The real question, of
course, is whether that's going to happen,
whether national courts are going –
national governments, I should say – are
prepared to respect the rule of law. Or
whether, as Chloé pointed out, they're
going to be prepared to continue to
manufacture a crisis, to manufacture a
collision between national law and
European law for the sake of promoting
this surveillance agenda. And
unfortunately, I suspect the national
governments are more likely to do the
latter than the former. I think it is very
likely that we'll continue to see pushback
from them.
Ebelt: Thank you. Next question goes to
Jesper. And it would be, how is the signal
– that's how you, TJ, framed what's going
on – how is the signal from the European
Court of Justice received in Denmark?
Lund: Well, thank you very much.
cough
Sorry. Well, the current Danish data
retention law, which is about to be
updated, is essentially the old data
retention directive, so general and
indiscriminate data retention of
telecommunications services,
kept for one year.
There's a court challenge to that
which is still ongoing. The Association
Against Illegal and Mass Surveillance
actually lost the case in the first
instance because the government, the
Ministry of Justice, argued that the
Danish law should not be annulled. Rather,
it should not be applied to the extent
that it is against EU law. So to some
extent, this is the same situation as in
Germany, although the Danish
telecommunications providers are retaining
the data voluntarily as though the law is
still in effect. So to some extent, that
is a sweet spot for the government.
Officially they do not have to apply the
data retention law, but telecommunications
providers are respecting it anyhow.
Nonetheless, the Danish government has
taken upon itself the task of adjusting
Danish law, claiming that after these
adjustments, it will be compatible with
the case law of the Court of Justice. So
that sounds very interesting.
Unfortunately it's a total exercise in
circumventing the court, because, in the
end, we will have almost exactly the same
data retention as we have today. It'll
just be relabeled in a way that the
government claims it complies with the
Court of Justice. And sort of the main
vehicle for doing that is the same one
used in France, namely data retention for
national security. So Denmark is going to
claim similar to what France is doing,
that there is a quasi-permanent threat to
national security, which justifies the
general and indiscriminate retention of
all communications data. Some of the
safeguards in the La Quadrature
judgements, such as review by an
independent court of these renewable
decisions for general and indiscriminate
data retention, are ignored completely.
The Ministry of Justice says, well you can
sue us if you disagree with our decisions,
and by the way, the your civil court case
will not get access to all the evidence
that the Ministry of Justice used
to justify the general and
indiscriminate data retention due to our
threat to national security. So it's an
almost impossible situation. However, it
gets even worse, because you if you have
data retention for national security, you
would sort of by the principle of purpose
limitation, you would assume that it is
limited to that purpose only. The Danish
government disagrees with that, because
the retained data, similar to France, can
also be used for serious crime. So that
is, in effect, maintaining the current
data retention regime, except relabeling
it as data retention for national
security, but mainly used for the purpose
of combating serious crime, as it is done
currently. There's a small catch here. The
Danish government recognizes that there is
significant legal uncertainty with this
interpretation that it can't be used or
accessed in cases of serious crime. So
it's actually very possible that
Denmark will one day send a data
retention case to Luxembourg. So let's see
how that goes, when the Court of Justice
believes that every possible question
about data retention has been answered.
But this is not the end of the story in
Denmark. So the Minister of Justice is
aware that one day it may not be possible
to maintain general indiscriminate data
retention, because it has to be for a time
limited period, so that cannot be evaded
forever. There's also the possibility that
the Danish government might lose a court
case. So as an insurance policy to cover
this situation, there is a provision on
targeted data retention. This would only
kick in if the general and indiscriminate
data retention for national security
cannot continue. And it is not really
targeted, because the, just like the
European Commission obviously tries to do
with the non-paper that I
described earlier, so the Danish
government is taking the possibilities for
targeted data retention, adding them
together to the extreme. So the
general criterion for above average crime
rates is defined in a way that makes no
adjustment for a population density. So
any city or city-like area in Denmark will
have an above average number of crime
cases, and that will be included in the
geographical targeted data retention.
So 5%…sorry. 75% of the Danish population
lives in 5% of the Danish territory, the
cities. They will be surveilled just like
before. On top of that, you have
infrastructure sites: every train station
or almost every train station and the
mobile towers are selected, so that these
areas are covered in full even though it
means surveilling people outside these
areas. So in the end, with the targeted
data retention, something like 80 to 90 %
of the Danish population will be covered.
On top of that, there are person-based
criteria, where every person convicted of
serious crime, every person that's
been subject to lawful interception,
criteria mentioned in the non-paper from
the commission. And even with all of that
– generalized indiscriminate data
retention continuing, an insurance policy
with targeted data retention that covers
80 to 90 % of the Danish population – the
Danish politicians, those that are in
favor of data retention, which is a vast
majority, complain that they have to
restrict the law because of the Court of
Justice in Luxembourg. And they are
saying, these are, they're really using
rhetoric that's that we would expect from
from Hungary and Poland. Judges lack the
democratic legitimacy, why should they
interfere with Danish politics, and so
forth. That is a really terrible situation
for the rule of law in Denmark and
Europe in general. So this is sort of...
on a couple of minor tweaks also, there
will be mandatory SIM card registration in
Denmark as one of the last EU member
states to introduce that,
unfortunately. There are a couple of
others that also don't have it yet.
And the threshold for serious crime will be
lowered as well. So in effect, even though
if this is presented as adjusting to the
case law of the Court of Justice, we will
have in practice more data retention and
police would have easier access to the
data. I really hope that this does not
become a blueprint for how other member
states in Europe adapt to the
case law from the Court of Justice.
But it is unfortunately following the
non-paper from the Commission,
perhaps putting it to the extreme
more than the Commission intended.
But certainly not
the response that we hoped for.
So the fight in Denmark will continue,
I can assure you of that.
And let me stop here and
pass the word back to Friedemann.
Ebelt: Thank you, Jesper. Yes…
I think the fight needs to continue.
And you said that a lot of data
retention politics has to do with
circumventing the court and
ignoring decisions and the rule of law.
And on an EU level, a lot of this politics
takes place, of course, in process at the
European Parliament, at the Commission.
So…
And after hearing this, I… Yeah. I hope…
Chloé, maybe you have some good news
for us? What is the situation in Belgium?
Berthélémy: I'm afraid not so
good news either from Belgium.
Let me try to a draw a little bit
the situation from what happened
since, again, the landmark ruling
in October 2020. So it's funny. The
Constitutional Court in Belgium released
its decision following that, that ruling
on the 21st of April. So that means one
day after the French Council of State gave
its decision. And I listened to the
President of the Court of Justice, who was
invited once at a French National
Assembly, in front of the committee
specialized in legal affairs and European
affairs. And he were saying, "Oh, don't
you imagine that those two jurists, the
two courts obviously talk to each other,
and this is why they released their
judgment so close to one another." And
those are two very neighboring countries,
friend countries. So you can imagine that
they discussed and they exchanged
on their point of view on the CJEU ruling.
I was like, well, probably if this is the
case, they… probably like the conclusion
of their talks was "we agree to disagree."
Because the Constitutional Court of
Belgium choose a completely divergent way
compared to the French Council of States –
which I remind you completely to go
completely rogue and ignore the court's
main conclusions – the Constitutional Court
decided to basically implement what the
CJEU said. And decided, gave the Belgian
government the task to find the solution
for itself. So completely something else,
than the French Council of State has done.
Which, in its case, was really like
giving the French government the concrete
corrective measures to maintain its regime
in place. In Belgium, it was: Your legal
system is false and should is annulled.
Now you have to work on the solutions
yourself. And so this is what the
government has been doing. They have done
it for a month only. So a month later they
came up with a bill, with a proposal
for a new law. And that was proposed by
the Council of Ministers. Mainly what the
bill contained is a system, is a regime for
targeted retention. So they they are not
even like going for the national security
mass retention thing.They try out the
targeted retention approach, and they
mainly focus on the criteria of
geographical areas. They also include
individual-based criteria, but mainly they
focus on how can we maintain data
retention as much as possible based on
this geographical measures and
measurements. And this is basically what
Jesper explained for Denmark. This isn't
very far from actually including the
entire country on there, just "targeted"
data retention. The way to do that is,
they the select first like geographical
areas that they call "by nature sensitive"
for national security or for any kind of
public security. And that includes
airports, train stations, metro stations,
so you can already imagine that Brussels
is entirely covered, the border zones
with like the neighboring countries,
hospitals, motorways (there's a lot of
motorways in Belgium), research centers
so everything that has to do with like
state innovation, state research and
everything, justice and police buildings,
and all infrastructure, and then all the
municipalities. So the entire territory of
the municipality of a city, even small,
which has on its territory critical
infrastructures. So water supply, energy
supply, everything. And you can
already see like, it's just this list of
geographical like places that the
government selected. Given the density,
the urban density of Belgium, the size of
the country, it already covers quite a
bunch of people. And a large proportion of
the population will be submitted to data
retention, to this "targeted" just in name
retention. And they all also use, as
Denmark, the average crime rate.
This has been criticized heavily by the
Data Protection Authority in Belgium. They
said that the Minister of Justice failed to
provide any statistics to actually explain
why they decided this number, this amount
of years. And they even criticized the
source of the statistics that will be used
to determine whether a judicial district
will be subjected to data retention or
not, because the government wants to use a
police database where crimes are
registered. But it's mainly managed and
it's exclusively managed by police
officers. So there is a high risk and a
conflict of interest that police officer
will just determine one minor act or one
minor offense into a serious crime. And so
therefore their police district or their
judicial district will fall under data
retention. The database is called the BNG,
the BNG. And it was heavily criticized by
journalists in Belgium. They released an
entire investigation into the BNG, and
they show that the BNG mostly contained
false, like a lot of false information,
rumors, non-verified information, or
outdated information as well. And so the
DPA, the Data Protection Authority,
required that they use a different
database with actual like criminal offense
that led to a conviction that led to a
criminal sentence. Which makes more sense,
it's not even given. So this is all the
problems we see with the Belgian bill.
This is not limited to that, it is only
the two things that I can mention now.
There are many other problems that the DPA
objected to. But for now, the chance we
had is that this bill also contained very
dangerous and controversial provisions on
access to encrypted content, with the
possibility to force service providers to
switch off encryption for certain users.
And thanks to that, there was enough like
resistance from civil society and outrage
in the public to halt a little bit the
bill. So now it's still under negotiations
with between the ministers before it is
presented to the parliament.
But we hopefully can also bring
some more attention and traction
on the data retention provision
of this law, and try to…
Yeah, halt as much as possible
the general mass retention of metadata
in Belgium as well.
Ebelt: Thank you, Chloé. OK. There are
many, many problems, but luckily there's
also civil society, and there are also
freedom advocates.
So the big question I would really,
really like to hear your opinion on is,
what do you expect from the future?
How should governments – but also maybe
the Commission of the European Union – act?
What should they do?
Let's hear TJ first.
McIntyre: Thanks Friedemann. Well, I think
the problem is, we know what governments
should do, which is comply with the law,
and that they're unwilling to do that. So
perhaps the question could become, what
can we do to force them to comply with the
law? Now, as civil society, we are
collectively already very much
overstretched, I think. Particularly, at
the moment most people are doing this,
myself included, as a part time thing.
It's unusual to have an organization such
as EDRi, which is quite professional in
this regard, when particularly the smaller
member states, this tends to be a part
time activity for a small number of
technologists, a small number of lawyers,
and so on. So maybe the first thing
everybody should be doing is supporting
their local digital rights organization
and I think probably all agreed on that.
Otherwise, we're caught in something of a
loop here where we're being reactive.
Governments put forward laws which are
ever more draconian, which very often
breach existing precedent from the Court
of Justice, never mind the Court of Human
Rights. And we as civil society have to
respond to that very expensively. The
cost, for governments, of introducing new
measures is, relatively speaking, low. In
the sense that, if it doesn't meet with
great domestic political pushback, it's
quite straightforward for them to push
forward new measures. And those measures
can often remain in place for months or
even years before there is litigation to
challenge them, if indeed it's possible in
a particular jurisdiction to bring
litigation to challenge them. So as civil
society, we're always on the back foot
here. It is very much a reactive sort of
game that we're playing. Ultimately, we
need to increase the costs for pushing
these kinds of very illiberal measures,
and we need to do that at the point when
those measures are being proposed and
adopted. And I think we can learn here
from the German experience and the way in
which data retention and encryption and
communications have been baked into the
coalition government's negotiations.
That's something which I think we, as
voters and advocates need to try to get
our governments to do at the point where
those governments are being formed. Short
of that, though, I don't really have any
great answer, Friedemann. I'm sorry.
Perhaps somebody else might be able to
take it further.
Ebelt: I think that's a great answer. And
yet, Patrick, what we what are your
thoughts on the future?
Breyer: Well, I can tell for the European
Parliament that I don't know what the
majorities would be if the commission
proposed another data retention
legislation. Because, you know – having
seen what's happened with chat control,
where they justified even the scanning of
content of communications, a blanket
indiscriminate, using the child protection
killer argument – I'm not sure that the
European Parliament's majority would go
against another data retention instrument,
especially if it claims to abide by the
European Court of Justice jurisprudence.
And also, I'm very outraged at the
European Data Protection supervisor who,
in those court hearings that we've
discussed earlier, actually undermines the
ECJ jurisprudence and says, you know, what
matters is access to data, not so much the
storage. It's really outrageous. So, but
one good thing from the European
Parliament is that in the pending trilogue
on the eprivacy regulation, on the reform,
the majority agrees that we won't accept
to have data retention in that specific
instrument, because it's about eprivacy and
not about e-surveillance. So what I'm
trying to do at the EU level is to
push back in the very early stages of the
political process. First of all, I'm very
happy that I found Friedemann to
support my work. Last year, I have
commissioned a study by the European
Parliament's research service to compare
crime rates throughout the EU. I've
already told you about that. And
currently, I have commissioned a poll to
find out the public opinion on data
retention in several EU countries. We'll
have the results early next year. And
I will also commission a legal opinion,
ask a former Court of Justice, European
Court of Justice judge, to write a legal
opinion on the French resurrection of
indiscriminate data retention, because
that is a model that they are using,
more and more countries are using.
So if you have any more ideas about
what we could do at EU level,
please let me know.
Ebelt: Thank you.
Well, Chloé, what do you expect
of the future or maybe 2022
from your EDRi, European rights,
NGO perspective?
Berthélémy: Sure. Well, we'll continue
obviously monitoring the situation at EU
levels, just like Patrick does, only like
with our network of experts and NGO.
Obviously, looking at what the
Commission has in mind and where this like
long year process of like thinking how
all of this can be like put together
and enable mass data retention without like…
without like insulting too much the
Court of Justice will lead to actually.
That would be obviously one of
our main tasks for the future.
We'll continue, as I said, as a network to
monitor what's going on at national level.
So, and as TJ said, we are lacking resources,
especially at national level,
to follow all the 27 jurisdictions.
So if you're just interested, and
it's in your country, I would just advise
viewers now to look at, look up on
EDRi's website our map of members. And
You can join and get in touch with some
of them at their contact email address.
If you want to lend a hand and
contribute to just monitoring, because the
first step of what we're doing as civil
society is just bring a light to those
developments. Because most of the cases,
like in many times, it's just going under
the radar. The media isn't picking up the
stories so quickly as we would like them
to do, and all those kind of really
rights-violating measures can go unchecked
without any kind of democratic pushback or
anything. So this is the kind of the first
that I would recommend for viewers to do
if they want to get engaged, is basically
join us. Follow us on social media. Follow
our website. EDRi has a newsletter where
each and every members of EDRi can
contribute, and write, and even guest
writers sometimes. If you want to
write about the situation in your country
and you've investigated a little bit the
state of play, please talk to us and drop
us an email. Everything is… Obviously all
the information of contact can be found on
our website. And you can
obviously subscribe to this newsletter.
If you want to go a bit further
and get really engaged
like the step, the kind of,
the scale of engagement,
you can join us on our mailing list
dedicated to the topic data retention,
just by dropping me an email.
If you're really into it and
want to contribute actively to the
analysis, to possible future campaigns,
or any kind of advocacy actions,
we're organizing at EU level.
And then… That's for kind of the…
I think I didn't forget anything
you can do as viewers.
In general, what we're looking for, we'll
try to push the Commission. It's…
I think it's a dead wish, but
I will mention it nonetheless.
We would like the Commission to do,
to launch infringement procedures
against countries that do not
comply with the CJEU ruling.
As I said, it's a dead wish,
because this is a highly political topic.
The Commission has stated multiple
times in public that it won't do this.
They're not interested in doing this.
They're interested in being in a
cooperative state of mind or spirit of
collaboration with member states to find
solutions. Another word for saying, we
will ignore what the ruling, what the
ruling says and try to find solutions
that can work out and that avoids like
the painful and embarrassing situation of
having a future EU legal instrument being
struck down by their own courts. But yeah.
This is to be seen. We'll work together
with Jesper. I don't know if you have
anything to add, Jesper, to that.
If I forgot something.
Lund: No, I think…
So even monitoring the situation
in 27 member states is a huge task,
and we definitely need help on this.
Denmark is well covered, but
there is also Sweden…
Many, many different member states.
Mostly you have governments
that like data retention and either
try to just ignore the Court of Justice
or, as Denmark is doing, make
adjustments to the national law that are
not real adjustments, but just try to
maintain what is already in place
under the guise of adjusting to the Court
of Justice. Or, we have talked about
France, Denmark, Belgium as cases
that really try to circumvent
the case law. So keeping…
One definite risk here is that
data retention will be forgotten.
That is what member states want,
so that nobody talks about it.
So we need to, yeah,
we need to keep the public debate going
and make sure that…
contact journalists, make sure that
they write about data retention.
And also, I think focus on the rule of law
problem that is associated with this area,
because it's really not
a sustainable situation that
all member states are
ignoring fundamental rights.
Ebelt: In the end, everything sounds also
a little bit promising. And at least,
let's not forget this is about, it's about
the citizens, it's about the people,
it's about their data, it's about their
governments, it's about their freedoms.
Do you have or do you
would like to add something?
I mean, here as the speakers?
If not…
You still have time to interrupt me.
We can have…
I would hand over to Walter, and
we can we just go into
the Q&A part of the talk.
And I would thank everybody too,
for joining this talk.
Also, thank you to the speakers.
It's been really, really interesting.
And to everybody who liked the
talk you can recommend it, and
you can get the audio and video
to download on media.ccc.de
And of course,
Join the discussion on data retention
by using the hashtag #dataretention
or the hashtag that is
used in your language.
So Walter…
Herald: Before we go into the questions
that have we already have collected
through Mastodon, IRC, Matrix, and Twitter
TJ wanted to add something earlier on
while Chloé was still talking, I remember.
McIntyre: Thanks Walter, Chloé's
points reminded me
of something that I was very impressed
with from the German campaign against data
retention, which was the great use of
civil societies – the groups representing
journalists, lawyers, medical
professionals, and so on – to make the
point that communications confidentiality
is important for them, too. And that's
something I have to admit that we didn't
do to the same extent in Ireland, but it's
certainly something we've tried to do. And
to the extent that anybody listening to
this now is from a group where they have a
professional interest in communications
confidentiality, I think it's a good thing
if you can work through your group to try
to develop that. It might be that you're
in an area such as technical security. It
might be that you're in an area such as
the legal profession or in the medical
profession or the like. But if you, as a
professional, have a special interest in
communications confidentiality, then it
would be a good idea to not just go to
your local digital rights group, but also
see if you can take this up through
your own professional body.
Herald: OK, thank you.
Since I am the moderator for the
Q&A questions, then I also sort of
get to rephrase the questions
as passed on through me for the internet.
And the most recent question, but I think
also the most fascinating question is,
Someone is asking to what extent
the Gaia-X program and the Palantir
collaborations in the EU tied to this, and
what can be done to stop this?
For those who are unfamiliar with Gaia-X,
that's an initiative to create a European-
based, Europe-based cloud service.
But it should be mentioned that
all sorts of American tech companies
are also participants in that, so the
European nature of that could be disputed.
But to get back to the question…
How does Gaia-X and Palantir
may or may not tie into this?
I think that might be
a question for Patrick.
Breyer: I'm afraid I don't know
enough to to answer it, Walter.
Palantir has their hands,
of course, in managing databases.
And they will also offer products to
police that will integrate data retention.
And of course, the impact of
communications data grows potentially with
the capacities to analyze this data. It
has long been established that, you know,
the idea that listening in to phone
calls was more sensitive than
only knowing that the call details is
wrong nowadays, because you can use the
the bulk of data that has been
collected over weeks and months
to paint a picture of persons, and their
networks, and their movements,
and their personalities. That is actually
much, much more intrusive and
much more sensitive than what you can tell
from just listening to to phone calls.
And yes, I think companies such as Palantir
are taking this to to very great length
with the products they are offering. And
certainly it's a commercial incentive.
Mass surveillance is big business, and
we need to be very aware of this.
Herald: OK, I will also ask Jesper this,
because he may have some
thoughts on this as well. Jesper?
Lund: Yeah, I think another worrying
development we are seeing
is with the amendment
to the European regulation,
which to a large extent is about allowing
big data analysis and, in fact, legalizing
practices that are currently illegal. I
could easily imagine that, so, police
authorities will not have access to the
sort of complete data sets that are
retained by the telecommunications
providers. But whenever they have a
criminal investigation and get access to
some data, there's a risk that it would be
stored in the database and used for other
purposes. I could easily see that systems
from Palantir could be used
for analyzing such data, that it could be
disclosed to Europol and possibly analyzed
by Europol using perhaps Palantir's
software as well. So. Even though the
connection to Palantir and Gaia-X is a bit
speculative, it certainly fits the picture
of more big data analysis for the police.
Herald: Chloé, you want to
add something to that?
Berthélémy: Just a quick remark on the…
it's not linked to Palantir directly or
Gaia-X, but like this is also part of the
French law that was actually
brought down by the Court of Justice.
Like one part, was also like about
black boxes used by intelligence services
not police authorities,
not law enforcement authorities,
but intelligence services. And the
new "Loi Renseignement 2", so like
the revival or the reform of the former
law that was adopted this year that I've
mentioned before, also contains this kind
of algorithmic based, big data analysis of
metadata, of communications data. And this
is even further expanded in the new law by
including URL's. So also an analysis of
internet network, and how websites
are being visited, and which ones and by
whom in general. And all of this will be
done now from the premises of like the
physical premises of the intelligence
services in France, and no longer at the
premises of the service providers.
So it's kind of a huge shift, where like
intelligence services are getting the copy
of metadata on the basis of a judge's
decision. But basically everything is
copied, and then they're like
applying an algorithmic analysis to it.
Something that is obviously
not known by the public.
This isn't in the sense, it's…
It follows the same trend.
Herald: OK, thank you.
Another question from the audience is…
I think I'm going to give that
one to TJ, because this may
also require a expansion into other
fundamental rights or a broader set of
fundamental rights – someone is wondering
what is actually so bad about a general
data retention for just IP addresses, for
just severe crimes? TJ.
McIntyre: Well, that's a very good
question. So first of all, what do we mean
by "just serious crimes"? In Ireland, a
"serious crime" includes stealing a Mars
bar from your local shop or a sweet of
your choice from your local shop, because
that theoretically carries a possible
seven year prison sentence. And in fact,
the Irish police have been using this so-
called serious crime provision to
investigate things like theft of a mobile
phone from a locker and theft of 100 €
from an ATM machine. So first of all, the
problem here is that scope creep is a
thing. And even if you describe something
as being limited to serious crime, it's no
guarantee that what you think of a serious
crime and what it will be used for are in
fact the same things. The second is that
registration of any sort is a gateway to
registration of everything. The kinds
of registration we see talked about
and Jesper mentioned already, and Patrick
has fought against in different contexts;
registration of SIM cards, for example,
generally require identity verification of
some sort. And that, in turn, is a real
threat then to the people who rely on
confidentiality – the whistleblowers who
want to get information about what
government is doing out to you, the people
who want to talk to their doctors or their
support helplines in confidence – and that
is a threat to them. But I think Patrick
probably is better placed to
discuss those points than I am,
so perhaps I'll just hand over to him.
Breyer: Just to add to what TJ said
about IP addresses specifically… On the
internet, the major providers of services
will log your every click and search term
that you enter and keep that data for
months. And so basically, if you know a
person's IP addresses, it's easy to
request from Google all the search terms
that they entered. Or if somebody is
publishing anonymously using a Twitter
account, or they think it's anonymously,
then you'll ask for the IP address.
And you can establish, you can lift the
anonymity of that whole account. And
that's why IP addresses or being able to
trace IP addresses really means that you
can follow whatever a person has done on
the internet. And you can even determine
their location because IP address tells
about your movements more or less,
roughly. Whether you're at home or at work
can be determined, according to research.
And it's very telling, it's not true that
it's somehow less sensitive. You know,
if you call somebody and
suppress your phone number, you can't you
wouldn't be allowed to retain data on this.
But if you use digital services
to send an email, you'll have the
IP address in the header. If you use
messaging services, they will be logging
your IP address. So very similar things as
making phone calls will be able to be
retained indiscriminately
and be tracing the IP address.
Herald: OK, I have a very specific question
about Chloé's bit in the presentation
unintelligible
I didn't quite get what
the Socialist Party did block
and how, and what happened there.
Berthélémy: Sure. That went very by fast.
It's not just the socialists, obviously,
I forgot to mention that the right parties
had the big role to play there.
Basically, there is like a procedure in
France every time, like a legislation is
adopted by the parliament, so both
the French National Assembly and the
Senate. There is a possibility there's
this rule where either 60 senators or 60
MP's, members of National Assembly can
just vote in favor of submitting the bill,
before it is adopted and officially
published in the official journal and can
come into force, there is this possibility
of submitting it to the Constitutional
Council. So the Constitutional Council in
France is composed of nine members.
They're not elected, there are designated.
So it's not the best kind of democratic
counter-power you can imagine. But this is
still there, and has been proven effective
in the past years, especially since the
presidency of Macron. To, a little bit,
hold responsible what the government is
proposing and has annulled or prevented
some provision in several security laws to
pass and to come into effect. And so for
the second, the "Loi Renseignement 2",
so like the reform of the intelligence
service law that contains the provision
about the data retention, so when this
reform was finally like adopted by both
the Senate and the National Assembly,
there wasn't the majority. There wasn't
enough majority to send the text in
front of the Constitutional Court, or at
least not on the provision related to data
retention. And some other provision
contained in the bill were sent to the
Constitutional Council. And the reason why
data retention wasn't included is because
the socialists didn't support it, this
submission, this reference to the
Constitutional Council. So not just the
socialists' fault. It's also I just said
the right parties and the party in power,
so the La République en marche. But I
think one assumption that we can make
and this is not like verified information,
but this is one assumption we can make
is that the reason why the socialists
didn't support it, the submission to
another scrutiny or constitutional
scrutiny, is because they were the ones
introducing those measures in 2015 when
they were in power under François Hollande
Herald: I've been told by the translators
that we really have to wrap it up.
So I probably will be asking the last
question, depending on the length of
the answer, maybe another question.
And I'm going to ask them to Friedemann,
because he hasn't been
talking much during the Q&A.
One of the questions is, and that was by
a viewer, who understood the
explanations about the Court of Justice
as potentially being willing to revise the
earlier jurisprudence on data retention
which I understood quite differently,
so maybe you could explain it as well.
But the question is…
In case the Court of Justice of the
European Union were to revisit its
earlier opinions and weakens its stance,
what will be possible to do against that?
Ebelt: Well, to be honest, I would love
to pass this question on to the speakers,
since I'm not actually a speaker of this
talk, and just the host and moderator.
So would somebody of the speakers
take the question?
Herald: Then I suggest Chloé does it.
Berthélémy: Oh, wow, what a nice gift.
Can I pass the ball to Jesper? laughs
I don't know what can be done as a citizen
counter the Court of Justice's future rulings.
One thing that Patrick mentioned,
for example, is the influence of several
interventions during hearings in front
of the courts. And notably, when the
European data protection supervisor is
kind of weakening what the court has said
previously and said that access is more
important than the mere retention of data,
it's problematic. Even though it didn't
impact it this time too much,
there is a risk that this
kind of narratives build up
and becomes like very
influential in the judges' ears.
So this is something to be avoided.
But Jesper, please complete, because
I'm probably far from the
comprehensive answers to this question.
Lund: In the hypothetical situation that
the court would revise its position and
say, allow general and indiscriminate data
retention, not just for national security
in extraordinary circumstances, but for
combating serious crime in general.
That would put us back
to sort of square one,
before the…
when the campaign against
data retention started. And,
then we can no longer say that
it's against fundamental rights.
But it's still a bad idea.
It still has problems for vulnerable groups,
persons with professional privileges,
and so forth.
So in that situation, ideally, we want
to convince our parliamentarians
at a national level that it's a bad idea.
And if that is not possible, at least make
exceptions so that these groups with
professional privileges are not included
in data retention.
It may be possible.
Germany has, in its current data retention
law, has some provisions on where
certain phone numbers of help groups,
help phone lines are excluded.
And also make sure that access to this
data is subject to prior court review.
That is not the case in all member states.
And that access is exceptional, also.
And so these are the options remaining
should the Court of Justice
revise its position, which…
I would consider unlikely at this stage,
and certainly the advocate general is in
audio breaking up
…the three cases pending is not suggesting
this at all. Rather the contrary.
Herald: OK, thank you.
And we have run out…
oh, and also for those who want to
look up the website, it's edri.org
And that contains the map Chloé mentioned.
But again, thank you all.
And this is it for the session.
Take care. Bye bye.
rC3 2021 Chaos-West TV postroll music
Subtitles created by c3subtitles.de
in the year 2021. Join, and help us!