-
rC3 2021 Chaos-West TV preroll music
-
Herald: Good, good afternoon, everyone.
This upcoming talk is "Stop general data
-
retention in the European Union and the
current plans for mass surveillance".
-
And it is not in German as the Fahrplan
suggests. It's all done in English, but…
-
Dieser Vortrag wird also
simultan übersetzt ins Deutsch.
-
So that's the extent of my German.
I will carry on introducing the speakers.
-
Also not included in the
line up in the Fahrplan is
-
Friedemann Ebelt, a freelance campaigner
in Germany against data retention.
-
Another German is joining us,
that is Patrick Breyer
-
who is a member of the European
Parliament for the German Pirates.
-
And we stay in Brussels for a little bit
with Chloé Berthélémy, who is a policy
-
adviser of European Digital Rights.
-
And we are also staying a little bit
in European Digital Rights, because
-
We also have the chairman of
the Danish NGO IT-Pol, Jesper Lund
-
That group's also an EDRi member.
-
And last, but definitely not least,
-
We have TJ McIntyre, who is a lecturer at
University College Dublin, but is also
-
part of Digital Rights Ireland. And is one
of the brains, together with Austrian NGOs
-
and activists, behind the original
DRI Ireland case in front of the
-
Court of Justice of the European Union,
which struck down data retention.
-
That was already in 2016.
Time flies when you're getting old.
-
I'm going to hand it over to Friedemann,
who is moderating this panel.
-
Friedemann Ebelt: Thank you, Walter,
for introducing this talk.
-
And welcome everybody to this talk on mass
surveillance of our communication data in
-
the European Union. And also thank you
for your interest in this very important
-
issue. I had the joy to organize this talk
and I will help to navigate a little
-
through this session. And the key
questions of this talk are going to be:
-
What is data retention?
And what are the problems?
-
Also, what is the legal situation
in the European Union?
-
And what are member state
governments actually doing?
-
What is the Commission of
the European Union doing?
-
And what's going on
in the European Parliament?
-
Also important questions are…
What's the situation in Germany?
-
What's the situation in France,
Ireland, Denmark and Belgium?
-
And what can we expect from
the new year, from 2022 and the future?
-
And of course, for many of you,
one of the most important questions:
-
What can citizens do about mass
surveillance of communication data?
-
You will find more information
on the speakers, and you will find also
-
the audio and video to download on
media.ccc.de
-
You can just search for data retention.
-
And of course, if you like,
you can recommend the talk to others.
-
In general to follow the discussion on data
retention during the year 2022 and beyond
-
you can use the hashtag
#DataRetention
-
or the equivalent in your language.
-
In German, this would be
#Vorratsdatenspeicherung
-
Patrick Breyer,
as the member of the European Parliament,
-
will start this talk with the question:
-
What is data retention,
and what are the problems?
-
Patrick Breyer:
Thank you very much Friedemann.
-
And thanks everybody
for joining us for this talk.
-
Data retention has been called the
most privacy-invasive scheme ever
-
adopted by the European Union. But what
does the term mean exactly? Now, data
-
retention means that a record is kept by
your providers on all phone calls you made
-
and received, on all electronic messages
you sent or received, as well as on the
-
IP address that was assigned
to each of your internet connections.
-
So this means that the record does
not contain the content of your calls
-
and messages, but details on who you
were communicating with, at what time,
-
and, in the case of mobile devices,
where you were located.
-
This record can be accessed by public
authorities to investigate suspects
-
of serious crime. But it will be created
even if you are not suspected or in
-
any way remotely connected to any crime.
-
So what is the problem with
creating this sea of personal data?
-
For the first time with data retention,
sensitive information is amassed
-
on the everyday social contacts,
including business contacts,
-
on the movements and on the private lives
of millions of citizens that are not even
-
remotely connected to any wrongdoing.
The German Constitutional Court said
-
that data retention has a broader range
than anything in the legal system to date.
-
And the idea of collecting information
just in case you might need it
-
in the future, that idea opens the
floodgates to recording our entire lives.
-
Including collecting our travels, using
ANPR data, facial recognition data…
-
You name it. This idea of retaining "just
in case" is what is dangerous about this
-
data retention. And that's why we are
fighting this precedent so hard.
-
It normalizes mass surveillance.
-
Besides, a blanket telecommunications
data retention has proven
-
to be harmful to many sectors
of society. It disrupts confidential
-
communications in areas that legitimately
require non-traceability. For example,
-
contacts with psychotherapists, with
physicians, lawyers, workers councils,
-
marriage counselors, drug abuse
counselors, help lines, et cetera. It thus
-
endangers the physical and mental health
of people in need of support, as well as
-
of people around them. For example, a
German crisis line reported they once
-
talked a student out of a killing spree
that he was contemplating at his own
-
school. And you know, if you start
recording information on these contacts
-
and people risk being prosecuted, they
might no longer call and it might not be
-
possible to dissuade them from these
kind of crimes. Furthermore, the inability
-
of journalists to electronically receive
information through untraceable channels
-
compromises the freedom of the press,
damages preconditions of our open and
-
democratic society. Blanket data retention
creates risks of data abuse and loss of
-
confidential information relating to our
contacts, movements, and interests. And
-
communications data are particularly
susceptible to producing unjustified
-
suspicions and subjecting innocent
citizens to criminal investigations
-
because they relate to a connection point,
not a specific person. And let me briefly
-
explain why data retention is the problem
and not the solution for law enforcement.
-
It is, as I explained, a weapon of mass
surveillance directed against the entire
-
population. But on the other hand, the
results are not even statistically
-
significant. So neither the number of
crimes, nor the crime clearance rate
-
depends on whether you have data retention
legislation in place in a country or not.
-
So I've commissioned the European
Parliament's research service to look at
-
the statistics throughout the EU, and they
didn't find one country where the
-
crime rate or the number of crimes
depended on is a data retention law in
-
effect or not. But you'd expect it, you
know, considering the breadth and mass
-
of information that's being recorded.
Obviously, there are typically other ways
-
of clearing crimes than historical
records. And also, blanket retention may
-
have counterproductive effects, pushing
criminals to other terms and making
-
investigations even more difficult in some
cases. And specifically, I want to say, in
-
relation to child pornography online,
which is really the favorite, most popular
-
argument that proponents use currently.
Let me underline that in Germany, without
-
mandatory data retention in force, 91% of
all investigations of child pornography
-
are cleared. And the crime clearance rate
actually dropped when IP data retention
-
came into force in Germany, about 10 years
ago. Besides, anonymous communications
-
protects children by allowing for
anonymous counseling that they are in need
-
of, by allowing for anonymous self-help
groups, by allowing them to anonymously
-
file criminal charges. So don't be
mistaken about the killer argument of
-
child pornography. It's an excuse, not a
valid justification.
-
Ebelt: Patrick, since you explained what
blanket or general data retention is all
-
about, it seems pretty clear that it's a
huge problem in democracies. And it's a
-
huge problem for the freedom of our
communications. But how about the legal
-
situation? And this is something TJ
McIntyre, chairman of Digital Rights
-
Ireland, will explain us right now. TJ…
-
TJ McIntyre: Thanks Friedemann. So the
-
situation here, if we go back to the early
part of the 2000's, is that even in the
-
run up to 9/11, governments were using
this kind of data retention essentially in
-
secret. And they were getting telecom
companies to retain this information
-
without usually any real legal basis. And,
after that was exposed, the early part of
-
the 2000's saw some national laws being
rushed in, in a hurry, to try to legalize
-
this practice. But it also saw a lot of
challenges brought by civil rights groups
-
to these practices. And there were
successful challenges in many individual
-
countries on different grounds, in
Germany, Romania, Bulgaria and so on. But
-
what was most interesting from my
perspective was when the battle shifted to
-
the European level, because there was a
move to introduce a European law, which
-
would require data retention across all of
Europe, which was eventually adopted as
-
the so-called Data Retention Directive.
And we in Digital Rights Ireland, along
-
with colleagues from many other civil
rights groups, brought action seeking to
-
challenge this. And eventually we were
successful in doing so before the European
-
Court of Justice in 2014, which
invalidated the directive on the basis
-
that it was essentially disproportionate
and a gross invasion of privacy, one that
-
creates real risks of abuse. If we had a
piece of legislation which involves
-
creating these huge dossiers of data on
everybody indiscriminately. So that was
-
2014, and since then we've seen massive
national pushback against this finding,
-
that this kind of indiscriminate data
retention is disproportionate and
-
therefore contrary to European law. And
we've seen multiple cases since then where
-
national governments have tried to
persuade the European Court of Justice to
-
change its tack. There was a judgment in
2016 in a case brought by litigants from
-
the United Kingdom and from Sweden, the
Tele2 and Davis and Watson case. There was
-
a judgment in 2018 in a case arising from
Spain. There was a judgment in 2020 in a
-
case coming from France and the United
Kingdom, the Quadrature du Net and the
-
Privacy International joint cases. And
again and again and again, what national
-
governments have tried to do is to
persuade the European Court of Justice
-
that it was wrong in 2014. That this
finding that mass indiscriminate
-
surveillance is unacceptable in a
democratic society should be rolled back.
-
Now, to my mind, what's very interesting
is what's happening at the moment. Because
-
there is yet another of these cases, in
fact, three parallel cases before the
-
European Court of Justice at the moment,
where national governments have
-
essentially again tried to square up to
the European Court of Justice. Where
-
collectively – this is really quite
remarkable, I don't think we've ever seen
-
such a coordinated set of national
disobedience to court rulings before –
-
where collectively, national governments
across the EU have tried to say to the
-
European Court of Justice, "we need this
kind of mass surveillance," – though,
-
without producing any evidence to show
that it's in fact necessary, as Patrick
-
points out – "We need this kind of mass
surveillance. We think you are wrong. We
-
want you to change your mind on this." So,
this to me is rather worrying because it
-
shows, I think, a degree of lawlessness
here. National governments are unwilling
-
to accept the findings of the highest
court in Europe on this point. In some
-
countries – in Ireland, for example – the
law and the theory hasn't been changed at
-
all. Despite the multiple judgments in
this area, Irish law remains as it was in
-
2011, so predating all these cases. And
the Irish government has essentially
-
indicated that it plans to keep that law
in place until it is forced by the
-
judgment of the national courts to do away
with it. So we have, I think, a very
-
difficult situation here. In one sense, of
course, we've been very lucky. We've
-
achieved a number of very important
judgments from the European Court of
-
Justice. We have a court there whose
members understand the importance of this
-
issue. But against that, you have a real
problem here with national pushback and a
-
desire to eventually force down the
court. And perhaps wait until the
-
composition of the courts changes in
future and get more favorable precedents.
-
So I think, from that perspective, it's
very important that at a national level,
-
we push to increase the political pressure
against these laws. And, as far as we can
-
at European level, we try to push the
Commission to act, to take steps against
-
member states that have refused to
implement judgments of the European Court
-
of Justice, and to ensure
compliance with European law.
-
Ebelt: Thank you, TJ. Now, following the
legal situation, let us have a look at the
-
implementation of law. And here, one of
the or maybe the most important players
-
in the European Union is the Commission of
the European Union. And this question goes
-
to Jesper Lund, chairman of the IT-
Political Association of Denmark.
-
Jesper, what is going on at the Commission?
-
Jesper Lund: Thank you, Friedemann.
-
So, essentially, ever since the Data
Retention Directive was annulled in 2014,
-
there has been an ongoing discussion: is
there going to be a new data retention
-
instrument at the EU level? And so,
besides waiting for the Commission, this
-
discussion has also been going on in
various working groups of council
-
where member states meet in secret.
Fortunately, some of those documents are
-
leaked or obtained through Freedom of
Information Access requests. So we sort of
-
know from this process that, as TJ
mentioned, member states are in complete
-
denial. They refuse to accept that general
indiscriminate data retention is illegal,
-
and try to move on from that starting
point. So most recently, I think, the
-
Commission has sort of taken a hold...
wait and see attitude, wait for the next
-
judgment. But after the La Quadrature
judgement in October last year,
-
the Commission has come forward with a
non-paper in June which generated a lot of
-
attention. So it's mostly a paper that
asks questions to member states, but
-
sort of reading between the lines of the
paper, we can also see what plans the
-
Commission might have for a not
necessarily a new data retention law; that
-
is one of the options for member states.
It could also be guidance for member
-
states. But sort of going through the
paper, it follows roughly the judgment in
-
the La Quadrature case. One novel aspect
of that is that the court reaffirmed that
-
we cannot have mass surveillance, general
and indiscriminate data retention, for the
-
purpose of combating even serious crime.
But it is possible unfortunately the court
-
said, it is possible, in certain cases,
to have general and indiscriminate data
-
retention for national security, if there
is a serious threat to national security
-
that is as genuine and present and
foreseeable. It's pretty clear from my
-
reading of the judgment that this must be
an extraordinary situation where
-
surveilling everybody for a short time can
help prevent a very serious threat to
-
national security. But the commission is
using that, and member states are also
-
doing that. We'll get to that later. Using
that as sort of a starting point to have
-
general and indiscriminate data retention.
So the commission asks – even though
-
national security is the sole
competence of the member states,
-
and the commission is very
unsure of any legal basis here –
-
whether there should be an EU instrument
on data retention for national security.
-
One thing to note here is that
this might be even worse
-
than the Data Retention Directive
because the commission indicates that this
-
should not just cover telecommunications
services, as the Data Retention Directive
-
did, but also so-called over-the-top
providers (OTT's.) Which would be services
-
like Signal, WhatsApp, Facebook Messenger,
and so forth. And this could potentially
-
be an EU legislative initiative, whereas
perhaps data retention for traditional
-
telecommunications services could remain
with member states. The Commission is also
-
suggesting that there could be a mixed
approach of national legislation and
-
EU legislation. The Commission is also
asking member states about targeted data
-
retention. This is what the court has said
since, essentially since the first judgement
-
that general and indiscriminate data
retention is not allowed, but targeted
-
data retention could be allowed or is
allowed by EU law. And unfortunately, what
-
the Commission does in this area is so,
take every hint in the La Quadrature
-
judgement, and sort of amplify to make
targeted data retention cover as much as
-
possible. It's pretty clear from the
judgment that targeted data retention has
-
to be the exception, not the rule. It
cannot cover half of the population. But
-
this part is sort of forgotten by the
Commission in the non-paper. So they
-
mentioned a long list of areas: critical
infrastructure, transport hubs, and then
-
areas with above average crime rates. This
is not exactly what the court said; said
-
specific areas of high incidence of crimes
or above average could very easily include
-
a large part of a member state. And then
on the person-based targeted data
-
retention, it sort of mentions almost
everybody who could be of interest to the
-
police: known organized groups,
individuals convicted of serious crime,
-
individuals who have been subject to a
lawful interception order, individuals on
-
watchlists, and so forth. You know the
tendency of the police and secret services
-
to put people on watchlists in secret,
that this can presumably be very long.
-
In connection with this – it actually gets
even worse – because in connection with
-
targeted data retention, the Commission
mentions the idea of having subscriber
-
information collected on everybody and
verified subscriber information, including
-
mandatory and EU-wide mandatory obligation
to have registration of anonymous SIM
-
cards, pay as you go SIM cards. And this
is sort of justified by the targeted data
-
retention. We need to make sure that
the right persons can be targeted.
-
The non-paper also mentions quick-freeze
or expedited retention. This is interesting
-
because quick-freeze data preservation
is what civil society has called for as
-
the alternative to data retention,
basically ever since the mid-2000s.
-
And finally, it goes into the generalized
retention of IP addresses, which the Court
-
of Justice unfortunately allowed on a
general and indiscriminate basis in the
-
La Quadrature judgement, but limited to
serious crime. Just looking at the
-
questions, Commission is asking member
states whether sufficient, whether all
-
relevant cybercrimes are covered by their
notion of serious crime. Let me briefly,
-
in conclusion, mention some of the member
states' reaction to this. Statewatch did a
-
Freedom of Information Access request with
the Commission to get a response from
-
member states. Most of them refused, but
some Denmark, Finland, Germany,
-
Hungary, Luxembourg, the Netherlands,
and Sweden provided their responses.
-
In general, they want an EU instrument, but
they're not interested in having that
-
cover national security. They're also not
too keen on targeted data retention, and
-
they don't really like the idea of quick-
freeze. So it's not entirely clear what
-
this EU instrument should cover. Except
while they want, you know, indiscriminate
-
data retention for everything, but they
can't have that. And that is their chosen
-
state of denial, which has been going on
since the first judgment in 2014.
-
Let me stop here as the
summary of the present EU initiative,
-
and we'll continue later.
-
Ebelt: Thank you, Jesper.
-
So the Commission is communicating
and negotiating a lot with member state
-
governments, and the aim seems to be to
find new ways for more mass surveillance.
-
So of course the question is,
how do national governments
-
in the European Union treat fundamental
rights and respond to the legal situation?
-
So what is going on in EU member states?
And maybe let us start with France,
-
where Chloé from EDRi
can tell us about the situation.
-
Chloé Berthélémy: Sure, thanks.
I'd like to introduce
-
a little bit maybe the work
of our EDRi member in France?
-
So EDRi is a network of members,
and one of them is La Quadrature du Net.
-
And they were among the main
-
sounds of fixing microphone
-
Hmm, would this one work?
Yes, OK. Sorry about that.
-
Yes, so I wanted to talk about like the
work of like La Quadrature du Net,
-
our EDRi member in France.
Sorry for all the technical details.
-
They were one of the main plaintiffs
that led to the landmark ruling,
-
La Quadrature du Net, that was
mentioned already a couple of times now.
-
And they brought this case, like the
procedure started already in 2015.
-
They went in front of the
Council of State in France
-
after the first ruling by the Court
of Justice of the European Union in
-
Digital Rights Ireland and wanted to
have the legal framework in France removed
-
or annulled by the Council of State. And
obviously, that wasn't to the taste of the
-
highest administrative court in France,
and they decided to refer yet another
-
question to the Court of Justice. That led
to the famous ruling in 2020 in October,
-
saying that the National Legal Framework
in France is actually contrary to EU law
-
and to the Charter of Fundamental Rights.
But unfortunately, what the kind of, the
-
aftermath of this ruling in October 2020
shows us is that France is, possibly, one
-
of the most aggressive, offensive
member states in the EU who is willing to
-
really pay the price and the high price to
keep its mass retention regime in place.
-
The reason why I'm saying this is because
the government made a huge advocacy
-
campaign towards the Council of State,
so the highest administrative court again
-
charged to actually give its decision
after the CJEU ruling. They submitted
-
weeks before the decision was released by
the Council of State, a statement of case.
-
And in this statement of case, they
argued that the Court of Justice
-
of the European Union would
have actually had abused its powers,
-
and actually wanted to advise
the Council of State to ignore
-
everything that the court has said,
and mentioned that this is
-
way beyond its jurisdiction to
actually limit member states in the EU
-
with anything related to
the fight against terrorism
-
or everything related to national security
-
and therefore the ruling
should be completely ignored.
-
The Council of State more or less
followed this government approach.
-
Obviously, not as radical position
as the French government said.
-
Because I think it was
reported even … the press, that
-
at one point the French government
-
was really willing to even negotiate
a reopening of the EU treaties
-
and notably the charter.
They would go as far as
-
going against the primary
law of the European Union
-
to change it in order to accommodate
France's needs in terms of national security.
-
Which was pretty strong and quite telling
in terms of like the contradiction
-
that there is with France's typical kind
of reputation as a pro-European Union
-
integration leader. As like, a
reputation it has to just drive
-
EU integration forward and
be pro-European in general.
-
So they're really willing
to jeopardize their position
-
as a strategic position in those fields
to keep mass surveillance in place.
-
And so to all appearance, even
if the Council of State said that
-
the decrees in place since 2015 should
be revised, they largely actually give the
-
legislature all the keys and solutions,
corrective solutions, to just maintain the
-
surveillance regime in place. So how it
did that? I'm not going to go through the
-
entire judgment, because it's rich and
there is a lot of conclusions that we
-
could like analyze, and it's super
interesting. But maybe one that is quite
-
telling I would mention. And that shows
like how France is willing to do anything
-
to keep its data retention in place, and
the matter that is indiscriminate in
-
general, is the reinterpretation of the
notion of national security. And in this
-
notion of national security, it goes far
beyond terrorism and thus was also like
-
showcased during the hearing made by the
Council of State just before it released
-
its decision. There was the general, the
director general of the intelligence
-
services, talking at the hearing and
mentioning 'actually terrorism, we have
-
all the legal tools at hand. It's not so
much that you are limited in competence.
-
What afraid us is more like the, if we
apply the CJEU ruling now, we will have
-
less power to actually surveil and spy on
people who are at the kind of the
-
forefront of social movements, or who are
organizing like demonstrations, who are
-
engaged in social justice fights, and so
on. And so in this context of, in this
-
notion of national security, the Council
of State is putting any threat to the
-
economic interests of the French nation.
So they are thinking about economic
-
espionage, but they're also thinking about
mild, like drug trafficking, even like the
-
smallest networks in your city suburbs?
Like that could also fall as a threat to
-
national security and justify the
indiscriminate and general data retention.
-
And then lastly, the organization of non-
registered protests as a permanent threat
-
to public peace, they call it "public
peace". And so that would justify
-
a general kind of threat to national,
that would like demonstrate a threat to
-
national security permanently and allow
France to keep its indiscriminate and
-
general data retention regime for good.
Completely contrary to what the Court of
-
Justice said, obviously. And even going
beyond what France has in place until now,
-
which was like the state of emergency. I
think this is something that many of you
-
probably heard in 2015, during the
terrorist attacks. France reacted
-
strongly, implemented a lot of measures
that were anti-democratic, very like going
-
against rights and freedoms. That was
supposed to be temporary. Unfortunately,
-
following the ruling by the Court of
Justice – and this is also a natural trend
-
and flow – they decided to bring all those
measures that were exceptionally allowed,
-
in exceptional times. And now they
proposed recently in April – just a
-
few weeks after, a month after actually
the decision of the Council – a reform that
-
brings everything, all of these measures
into ordinary law. So obviously what the
-
Council of State has said: indiscriminate
general retention obviously always OK,
-
because there's constantly threats to
national security. But there is obviously
-
other measures linked to house arrest, use
of drones, cooperation with private actors
-
to enable government hacking into end
devices of users, etc. etc. And so all
-
of this is packaged into one nice little
law. And the latest development that I can
-
share with you in France is that the …
-
the socialists in the parliament blocked
-
submission of this bill to the council,
the Constitutional Council of France, the
-
only kind of institution that is left,
that kind of like control a little bit
-
what the government has to say,
and put forward as legislation.
-
And unfortunately, the part related,
-
like the provision related
to data retention in this bill
-
weren't submitted to
the Constitutional Council,
-
so they never had any say in this.
And so now the project is adopted.
-
Which is like, this is…
-
Voilà. Rubber stamped. What the
Council of State has decided for France.
-
And this will be very difficult
in the future to attack again.
-
Ebelt: Thank you, Chloé.
-
I must admit that it is extremely
interesting to hear about the situation
-
in France, but it's also extremely shocking
to hear about the strong tensions in the
-
relations between governments and courts,
and governments and rule of law.
-
And now, to everybody
who's watching this talk live,
-
you can send in your
questions to the speakers
-
by using the hashtag #rc3cwtv,
-
because we are having a Q&A
after, right after the talk.
-
And maybe we will come
back to this point in the Q&A.
-
And the hashtag is for
Mastodon and Twitter.
-
Since recently,
there's a new government in Berlin.
-
And also, Germany is next to
or together with France
-
a big and important player in EU politics.
-
So also, there's a new situation
in Germany with data retention.
-
And of course,
this question goes to Patrick Breyer
-
as a German member
of the European Parliament.
-
Patrick, what can you tell us
about the situation in Germany?
-
Breyer: Well, legally speaking,
indiscriminate data retention legislation
-
is in force, but it's not being applied
due to pending court cases that have
-
said that it violates the EU case law
and charter of fundamental rights.
-
The European Court of Justice will rule,
will decide next year on the compatibility
-
of the German regime with the European
fundamental rights. And in the meantime,
-
the new government has agreed that data
should be retained on an ad hoc basis
-
and by judicial order only. Now, on
the one hand side, this excludes sort of
-
indiscriminate and general regime. But on
the other hand, after what you've
-
heard from previous speakers, you will
know that it does not exclude, for
-
example, a geographically targeted
retention that could cover vast parts of
-
the country, above average crime rates
and the like. Nor does it really exclude the
-
retention of data referring to a present
or foreseeable national security threat,
-
which could also be said to be on an ad
hoc basis. So we'll have to watch
-
very closely what the government will do.
The Liberals and the new Justice Minister
-
are advocating for quick-freeze. But
there is a risk, for example, that in the
-
pending procedure, the courts will not
invalidate indiscriminate IP data
-
retention. You know, saying that the
European Court of Justice said all IP data
-
retention is OK. And there is a risk that
the coalition cannot agree, cannot find a
-
majority to agree on abolishing it
politically. So we'll have to see and
-
watch very closely how the new government
will behave also at a European level.
-
Ebelt: Thank you, Patrick. You said there
is a pending procedure on data retention
-
in Germany, and I know there's also a
pending court case, if I'm not mistaken,
-
on the national data
retention regime in Ireland.
-
And TJ, what can you tell us
about the situation in Ireland?
-
McIntyre: So there are, in fact, three
-
cases before the Court of Justice at this
moment: one from Germany, one from
-
Ireland, and a parallel one from France.
And what to me is very interesting about
-
those cases is not so much the questions
that are asked, but how the court has been
-
dealing with the case. So the questions
that are asked are basically the same
-
questions over again. Can we have
indiscriminate mass retention of data
-
where we need it for dealing with serious
crimes? That is essentially the question
-
that the Irish court has asked. Again,
it's basically putting it up to the
-
European Court of Justice to change its
mind. And then the questions from
-
Germany are very similar, because we're
dealing with the law, which is again
-
indiscriminate, albeit that the German
retention period has now been reduced to
-
approximately 10 weeks, I think, Patrick.
And the question from France is a slightly
-
more technical question and parallel area
of law. But again, the national
-
governments were taking the opportunity
here to push the agenda of looking to
-
rewind the time machine to 2014, prior to
the Digital Rights Ireland judgment, and
-
go back to a situation where mass
indiscriminate retention was allowed.
-
What the court did, to my mind
which was very interesting,
-
in dealing with these cases, was
it initially said, right, we're going to
-
ask the national courts, do they really
want us to hear these cases?
-
After the La Quadrature du Net
judgement the Supreme Court of Justice
-
reached out to the Irish Supreme
Court, for example, and said to it
-
essentially, "Listen, we've already
answered your question. Do you
-
really want to go ahead with this case?"
And in fact, the advocate general
-
suggested something even more
dramatic, if you like, as a response.
-
Where he said that the
response of the courts should be
-
to dispose of the case using Article 99 of
the Rules of Procedure of the court.
-
Now that might not sound very interesting,
but Article 99 basically means you can take
-
an incoming request from a national court
and say, "We've dealt with this already. We
-
don't need to hear this case, and we
can dispose of it without a hearing." So
-
the advocate general and I think the court
itself is intent here on sending a signal
-
that we've decided, we've made up our
minds regarding these cases, we're not
-
interested in hearing more and more
national cases coming back to us for
-
national governments. We'd really like you
to change your mind now. The Court of
-
Justice, to my mind, is about to send a
signal here where it says, look, the law
-
on this point is settled. Please go and
try and implement that law in good faith,
-
as opposed to coming back to us with ever
more ingenious ways of arguing in favor of
-
mass data retention. The real question, of
course, is whether that's going to happen,
-
whether national courts are going –
national governments, I should say – are
-
prepared to respect the rule of law. Or
whether, as Chloé pointed out, they're
-
going to be prepared to continue to
manufacture a crisis, to manufacture a
-
collision between national law and
European law for the sake of promoting
-
this surveillance agenda. And
unfortunately, I suspect the national
-
governments are more likely to do the
latter than the former. I think it is very
-
likely that we'll continue to see pushback
from them.
-
Ebelt: Thank you. Next question goes to
Jesper. And it would be, how is the signal
-
– that's how you, TJ, framed what's going
on – how is the signal from the European
-
Court of Justice received in Denmark?
-
Lund: Well, thank you very much.
-
cough
-
Sorry. Well, the current Danish data
retention law, which is about to be
-
updated, is essentially the old data
retention directive, so general and
-
indiscriminate data retention of
telecommunications services,
-
kept for one year.
-
There's a court challenge to that
which is still ongoing. The Association
-
Against Illegal and Mass Surveillance
actually lost the case in the first
-
instance because the government, the
Ministry of Justice, argued that the
-
Danish law should not be annulled. Rather,
it should not be applied to the extent
-
that it is against EU law. So to some
extent, this is the same situation as in
-
Germany, although the Danish
telecommunications providers are retaining
-
the data voluntarily as though the law is
still in effect. So to some extent, that
-
is a sweet spot for the government.
Officially they do not have to apply the
-
data retention law, but telecommunications
providers are respecting it anyhow.
-
Nonetheless, the Danish government has
taken upon itself the task of adjusting
-
Danish law, claiming that after these
adjustments, it will be compatible with
-
the case law of the Court of Justice. So
that sounds very interesting.
-
Unfortunately it's a total exercise in
circumventing the court, because, in the
-
end, we will have almost exactly the same
data retention as we have today. It'll
-
just be relabeled in a way that the
government claims it complies with the
-
Court of Justice. And sort of the main
vehicle for doing that is the same one
-
used in France, namely data retention for
national security. So Denmark is going to
-
claim similar to what France is doing,
that there is a quasi-permanent threat to
-
national security, which justifies the
general and indiscriminate retention of
-
all communications data. Some of the
safeguards in the La Quadrature
-
judgements, such as review by an
independent court of these renewable
-
decisions for general and indiscriminate
data retention, are ignored completely.
-
The Ministry of Justice says, well you can
sue us if you disagree with our decisions,
-
and by the way, your civil court case
will not get access to all the evidence
-
that the Ministry of Justice used
to justify the general and
-
indiscriminate data retention due to our
threat to national security. So it's an
-
almost impossible situation. However, it
gets even worse, because if you have
-
data retention for national security, you
would sort of by the principle of purpose
-
limitation, you would assume that it is
limited to that purpose only. The Danish
-
government disagrees with that, because
the retained data, similar to France, can
-
also be used for serious crime. So that
is, in effect, maintaining the current
-
data retention regime, except relabeling
it as data retention for national
-
security, but mainly used for the purpose
of combating serious crime, as it is done
-
currently. There's a small catch here. The
Danish government recognizes that there is
-
significant legal uncertainty with this
interpretation that it can't be used or
-
accessed in cases of serious crime. So
it's actually very possible that
-
Denmark will one day send a data
retention case to Luxembourg. So let's see
-
how that goes, when the Court of Justice
believes that every possible question
-
about data retention has been answered.
But this is not the end of the story in
-
Denmark. So the Minister of Justice is
aware that one day it may not be possible
-
to maintain general indiscriminate data
retention, because it has to be for a time
-
limited period, so that cannot be evaded
forever. There's also the possibility that
-
the Danish government might lose a court
case. So as an insurance policy to cover
-
this situation, there is a provision on
targeted data retention. This would only
-
kick in if the general and indiscriminate
data retention for national security
-
cannot continue. And it is not really
targeted, because the, just like the
-
European Commission obviously tries to do
with the non-paper that I
-
described earlier, so the Danish
government is taking the possibilities for
-
targeted data retention, adding them
together to the extreme. So the
-
general criterion for above average crime
rates is defined in a way that makes no
-
adjustment for population density. So
any city or city-like area in Denmark will
-
have an above average number of crime
cases, and that will be included in the
-
geographical targeted data retention.
So 5%…sorry. 75% of the Danish population
-
lives in 5% of the Danish territory, the
cities. They will be surveilled just like
-
before. On top of that, you have
infrastructure sites: every train station
-
or almost every train station and the
mobile towers are selected, so that these
-
areas are covered in full even though it
means surveilling people outside these
-
areas. So in the end, with the targeted
data retention, something like 80 to 90%
-
of the Danish population will be covered.
On top of that, there are person-based
-
criteria, where every person convicted of
serious crime, every person that's
-
been subject to lawful interception,
criteria mentioned in the non-paper from
-
the commission. And even with all of that
– generalized indiscriminate data
-
retention continuing, an insurance policy
with targeted data retention that covers
-
80 to 90% of the Danish population – the
Danish politicians, those that are in
-
favor of data retention, which is a vast
majority, complain that they have to
-
restrict the law because of the Court of
Justice in Luxembourg. And they are
-
saying, these are, they're really using
rhetoric that we would expect from
-
Hungary and Poland. Judges lack the
democratic legitimacy, why should they
-
interfere with Danish politics, and so
forth. That is a really terrible situation
-
for the rule of law in Denmark and
Europe in general. So this is sort of...
-
on a couple of minor tweaks also, there
will be mandatory SIM card registration in
-
Denmark as one of the last EU member
states to introduce that,
-
unfortunately. There are a couple of
others that also don't have it yet.
-
And the threshold for serious crime will be
lowered as well. So in effect, even though
-
if this is presented as adjusting to the
case law of the Court of Justice, we will
-
have in practice more data retention and
police would have easier access to the
-
data. I really hope that this does not
become a blueprint for how other member
-
states in Europe adapt to the
case law from the Court of Justice.
-
But it is unfortunately following the
non-paper from the Commission,
-
perhaps putting it to the extreme
more than the Commission intended.
-
But certainly not
the response that we hoped for.
-
So the fight in Denmark will continue,
I can assure you of that.
-
And let me stop here and
pass the word back to Friedemann.
-
Ebelt: Thank you, Jesper. Yes…
-
I think the fight needs to continue.
-
And you said that a lot of data
retention politics has to do with
-
circumventing the court and
ignoring decisions and the rule of law.
-
And on an EU level, a lot of this politics
takes place, of course, in process at the
-
European Parliament, at the Commission.
So…
-
And after hearing this, I… Yeah. I hope…
-
Chloé, maybe you have some good news
for us? What is the situation in Belgium?
-
Berthélémy: I'm afraid not so
good news either from Belgium.
-
Let me try to draw a little bit
the situation from what happened
-
since, again, the landmark ruling
in October 2020. So it's funny. The
-
Constitutional Court in Belgium released
its decision following that, that ruling
-
on the 21st of April. So that means one
day after the French Council of State gave
-
its decision. And I listened to the
President of the Court of Justice, who was
-
invited once at a French National
Assembly, in front of the committee
-
specialized in legal affairs and European
affairs. And he was saying, "Oh, don't
-
you imagine that those two jurists, the
two courts obviously talk to each other,
-
and this is why they released their
judgment so close to one another." And
-
those are two very neighboring countries,
friend countries. So you can imagine that
-
they discussed and they exchanged
on their point of view on the CJEU ruling.
-
I was like, well, probably if this is the
case, they… probably like the conclusion
-
of their talks was "we agree to disagree."
Because the Constitutional Court of
-
Belgium chose a completely divergent way
compared to the French Council of State –
-
which I remind you completely to go
completely rogue and ignore the court's
-
main conclusions – the Constitutional Court
decided to basically implement what the
-
CJEU said. And decided, gave the Belgian
government the task to find the solution
-
for itself. So completely something else,
than the French Council of State has done.
-
Which, in its case, was really like
giving the French government the concrete
-
corrective measures to maintain its regime
in place. In Belgium, it was: Your legal
-
system is false and should is annulled.
Now you have to work on the solutions
-
yourself. And so this is what the
government has been doing. They have done
-
it for a month only. So a month later they
came up with a bill, with a proposal
-
for a new law. And that was proposed by
the Council of Ministers. Mainly what the
-
bill contained is a system, is a regime for
targeted retention. So they are not
-
even like going for the national security
mass retention thing. They try out the
-
targeted retention approach, and they
mainly focus on the criteria of
-
geographical areas. They also include
individual-based criteria, but mainly they
-
focus on how can we maintain data
retention as much as possible based on
-
these geographical measures and
measurements. And this is basically what
-
Jesper explained for Denmark. This isn't
very far from actually including the
-
entire country on there, just "targeted"
data retention. The way to do that is,
-
they select first like geographical
areas that they call "by nature sensitive"
-
for national security or for any kind of
public security. And that includes
-
airports, train stations, metro stations,
so you can already imagine that Brussels
-
is entirely covered, the border zones
with like the neighboring countries,
-
hospitals, motorways (there's a lot of
motorways in Belgium), research centers
-
so everything that has to do with like
state innovation, state research and
-
everything, justice and police buildings,
and all infrastructure, and then all the
-
municipalities. So the entire territory of
the municipality of a city, even small,
-
which has on its territory critical
infrastructures. So water supply, energy
-
supply, everything. And you can
already see like, it's just this list of
-
geographical like places that the
government selected. Given the density,
-
the urban density of Belgium, the size of
the country, it already covers quite a
-
bunch of people. And a large proportion of
the population will be submitted to data
-
retention, to this "targeted" just in name
retention. And they all also use, as
-
Denmark, the average crime rate.
This has been criticized heavily by the
-
Data Protection Authority in Belgium. They
said that the Minister of Justice failed to
-
provide any statistics to actually explain
why they decided this number, this amount
-
of years. And they even criticized the
source of the statistics that will be used
-
to determine whether a judicial district
will be subjected to data retention or
-
not, because the government wants to use a
police database where crimes are
-
registered. But it's mainly managed and
it's exclusively managed by police
-
officers. So there is a high risk and a
conflict of interest that police officers
-
will just determine one minor act or one
minor offense into a serious crime. And so
-
therefore their police district or their
judicial district will fall under data
-
retention. The database is called the BNG,
the BNG. And it was heavily criticized by
-
journalists in Belgium. They released an
entire investigation into the BNG, and
-
they show that the BNG mostly contained
false, like a lot of false information,
-
rumors, non-verified information, or
outdated information as well. And so the
-
DPA, the Data Protection Authority,
required that they use a different
-
database with actual like criminal offense
that led to a conviction that led to a
-
criminal sentence. Which makes more sense,
it's not even given. So this is all the
-
problems we see with the Belgian bill.
This is not limited to that, it is only
-
the two things that I can mention now.
There are many other problems that the DPA
-
objected to. But for now, the chance we
had is that this bill also contained very
-
dangerous and controversial provisions on
access to encrypted content, with the
-
possibility to force service providers to
switch off encryption for certain users.
-
And thanks to that, there was enough like
resistance from civil society and outrage
-
in the public to halt a little bit the
bill. So now it's still under negotiations
-
between the ministers before it is
presented to the parliament.
-
But we hopefully can also bring
some more attention and traction
-
on the data retention provision
of this law, and try to…
-
Yeah, halt as much as possible
-
the general mass retention of metadata
in Belgium as well.
-
Ebelt: Thank you, Chloé. OK. There are
many, many problems, but luckily there's
-
also civil society, and there are also
freedom advocates.
-
So the big question I would really,
really like to hear your opinion on is,
-
what do you expect from the future?
-
How should governments – but also maybe
the Commission of the European Union – act?
-
What should they do?
-
Let's hear TJ first.
-
McIntyre: Thanks Friedemann. Well, I think
the problem is, we know what governments
-
should do, which is comply with the law,
and that they're unwilling to do that. So
-
perhaps the question could become, what
can we do to force them to comply with the
-
law? Now, as civil society, we are
collectively already very much
-
overstretched, I think. Particularly, at
the moment most people are doing this,
-
myself included, as a part time thing.
It's unusual to have an organization such
-
as EDRi, which is quite professional in
this regard, when particularly the smaller
-
member states, this tends to be a part
time activity for a small number of
-
technologists, a small number of lawyers,
and so on. So maybe the first thing
-
everybody should be doing is supporting
their local digital rights organization
-
and I think probably all agreed on that.
Otherwise, we're caught in something of a
-
loop here where we're being reactive.
Governments put forward laws which are
-
ever more draconian, which very often
breach existing precedent from the Court
-
of Justice, never mind the Court of Human
Rights. And we as civil society have to
-
respond to that very expensively. The
cost, for governments, of introducing new
-
measures is, relatively speaking, low. In
the sense that, if it doesn't meet with
-
great domestic political pushback, it's
quite straightforward for them to push
-
forward new measures. And those measures
can often remain in place for months or
-
even years before there is litigation to
challenge them, if indeed it's possible in
-
a particular jurisdiction to bring
litigation to challenge them. So as civil
-
society, we're always on the back foot
here. It is very much a reactive sort of
-
game that we're playing. Ultimately, we
need to increase the costs for pushing
-
these kinds of very illiberal measures,
and we need to do that at the point when
-
those measures are being proposed and
adopted. And I think we can learn here
-
from the German experience and the way in
which data retention and encryption and
-
communications have been baked into the
coalition government's negotiations.
-
That's something which I think we, as
voters and advocates need to try to get
-
our governments to do at the point where
those governments are being formed. Short
-
of that, though, I don't really have any
great answer, Friedemann. I'm sorry.
-
Perhaps somebody else might be able to
take it further.
-
Ebelt: I think that's a great answer. And
yet, Patrick, what are your
-
thoughts on the future?
Breyer: Well, I can tell for the European
-
Parliament that I don't know what the
majorities would be if the commission
-
proposed another data retention
legislation. Because, you know – having
-
seen what's happened with chat control,
where they justified even the scanning of
-
content of communications, a blanket
indiscriminate, using the child protection
-
killer argument – I'm not sure that the
European Parliament's majority would go
-
against another data retention instrument,
especially if it claims to abide by the
-
European Court of Justice jurisprudence.
And also, I'm very outraged at the
-
European Data Protection supervisor who,
in those court hearings that we've
-
discussed earlier, actually undermines the
ECJ jurisprudence and says, you know, what
-
matters is access to data, not so much the
storage. It's really outrageous. So, but
-
one good thing from the European
Parliament is that in the pending trilogue
-
on the eprivacy regulation, on the reform,
the majority agrees that we won't accept
-
to have data retention in that specific
instrument, because it's about eprivacy and
-
not about e-surveillance. So what I'm
trying to do at the EU level is to
-
push back in the very early stages of the
political process. First of all, I'm very
-
happy that I found Friedemann to
support my work. Last year, I have
-
commissioned a study by the European
Parliament's research service to compare
-
crime rates throughout the EU. I've
already told you about that. And
-
currently, I have commissioned a poll to
find out the public opinion on data
-
retention in several EU countries. We'll
have the results early next year. And
-
I will also commission a legal opinion,
ask a former Court of Justice, European
-
Court of Justice judge, to write a legal
opinion on the French resurrection of
-
indiscriminate data retention, because
that is a model that they are using,
-
more and more countries are using.
So if you have any more ideas about
-
what we could do at EU level,
please let me know.
-
Ebelt: Thank you.
-
Well, Chloé, what do you expect
of the future or maybe 2022
-
from your EDRi, European rights,
NGO perspective?
-
Berthélémy: Sure. Well, we'll continue
-
obviously monitoring the situation at EU
levels, just like Patrick does, only like
-
with our network of experts and NGO.
-
Obviously, looking at what the
Commission has in mind and where this like
-
long year process of like thinking how
all of this can be like put together
-
and enable mass data retention without like…
-
without like insulting too much the
Court of Justice will lead to actually.
-
That would be obviously one of
our main tasks for the future.
-
We'll continue, as I said, as a network to
monitor what's going on at national level.
-
So, and as TJ said, we are lacking resources,
especially at national level,
-
to follow all the 27 jurisdictions.
-
So if you're just interested, and
it's in your country, I would just advise
-
viewers now to look at, look up on
EDRi's website our map of members. And
-
you can join and get in touch with some
of them at their contact email address.
-
If you want to lend a hand and
contribute to just monitoring, because the
-
first step of what we're doing as civil
society is just bring a light to those
-
developments. Because most of the cases,
like in many times, it's just going under
-
the radar. The media isn't picking up the
stories so quickly as we would like them
-
to do, and all those kind of really
rights-violating measures can go unchecked
-
without any kind of democratic pushback or
anything. So this is the kind of the first
-
that I would recommend for viewers to do
if they want to get engaged, is basically
-
join us. Follow us on social media. Follow
our website. EDRi has a newsletter where
-
each and every member of EDRi can
contribute, and write, and even guest
-
writers sometimes. If you want to
write about the situation in your country
-
and you've investigated a little bit the
state of play, please talk to us and drop
-
us an email. Everything is… Obviously all
the information of contact can be found on
-
our website. And you can
obviously subscribe to this newsletter.
-
If you want to go a bit further
and get really engaged
-
like the step, the kind of,
the scale of engagement,
-
you can join us on our mailing list
dedicated to the topic data retention,
-
just by dropping me an email.
If you're really into it and
-
want to contribute actively to the
analysis, to possible future campaigns,
-
or any kind of advocacy actions,
we're organizing at EU level.
-
And then… That's for kind of the…
-
I think I didn't forget anything
you can do as viewers.
-
In general, what we're looking for, we'll
try to push the Commission. It's…
-
I think it's a dead wish, but
I will mention it nonetheless.
-
We would like the Commission to do,
to launch infringement procedures
-
against countries that do not
comply with the CJEU ruling.
-
As I said, it's a dead wish,
because this is a highly political topic.
-
The Commission has stated multiple
times in public that it won't do this.
-
They're not interested in doing this.
They're interested in being in a
-
cooperative state of mind or spirit of
collaboration with member states to find
-
solutions. Another word for saying, we
will ignore what the ruling, what the
-
ruling says and try to find solutions
that can work out and that avoids like
-
the painful and embarrassing situation of
having a future EU legal instrument being
-
struck down by their own courts. But yeah.
This is to be seen. We'll work together
-
with Jesper. I don't know if you have
anything to add, Jesper, to that.
-
If I forgot something.
-
Lund: No, I think…
So even monitoring the situation
-
in 27 member states is a huge task,
and we definitely need help on this.
-
Denmark is well covered, but
-
there is also Sweden…
-
Many, many different member states.
-
Mostly you have governments
that like data retention and either
-
try to just ignore the Court of Justice
or, as Denmark is doing, make
-
adjustments to the national law that are
not real adjustments, but just try to
-
maintain what is already in place
under the guise of adjusting to the Court
-
of Justice. Or, we have talked about
France, Denmark, Belgium as cases
-
that really try to circumvent
the case law. So keeping…
-
One definite risk here is that
data retention will be forgotten.
-
That is what member states want,
so that nobody talks about it.
-
So we need to, yeah,
we need to keep the public debate going
-
and make sure that…
-
contact journalists, make sure that
they write about data retention.
-
And also, I think focus on the rule of law
problem that is associated with this area,
-
because it's really not
a sustainable situation that
-
all member states are
ignoring fundamental rights.
-
Ebelt: In the end, everything sounds also
a little bit promising. And at least,
-
let's not forget this is about, it's about
the citizens, it's about the people,
-
it's about their data, it's about their
governments, it's about their freedoms.
-
Do you have or do you
would like to add something?
-
I mean, here as the speakers?
-
If not…
You still have time to interrupt me.
-
We can have…
I would hand over to Walter, and
-
we can just go into
the Q&A part of the talk.
-
And I would thank everybody too,
for joining this talk.
-
Also, thank you to the speakers.
It's been really, really interesting.
-
And to everybody who liked the
talk you can recommend it, and
-
you can get the audio and video
to download on media.ccc.de
-
And of course,
-
Join the discussion on data retention
by using the hashtag #dataretention
-
or the hashtag that is
used in your language.
-
So Walter…
-
Herald: Before we go into the questions
that we already have collected
-
through Mastodon, IRC, Matrix, and Twitter
-
TJ wanted to add something earlier on
while Chloé was still talking, I remember.
-
McIntyre: Thanks Walter, Chloé's
-
points reminded me
of something that I was very impressed
-
with from the German campaign against data
retention, which was the great use of
-
civil societies – the groups representing
journalists, lawyers, medical
-
professionals, and so on – to make the
point that communications confidentiality
-
is important for them, too. And that's
something I have to admit that we didn't
-
do to the same extent in Ireland, but it's
certainly something we've tried to do. And
-
to the extent that anybody listening to
this now is from a group where they have a
-
professional interest in communications
confidentiality, I think it's a good thing
-
if you can work through your group to try
to develop that. It might be that you're
-
in an area such as technical security. It
might be that you're in an area such as
-
the legal profession or in the medical
profession or the like. But if you, as a
-
professional, have a special interest in
communications confidentiality, then it
-
would be a good idea to not just go to
your local digital rights group, but also
-
see if you can take this up through
your own professional body.
-
Herald: OK, thank you.
-
Since I am the moderator for the
Q&A questions, then I also sort of
-
get to rephrase the questions
as passed on through me for the internet.
-
And the most recent question, but I think
also the most fascinating question is,
-
Someone is asking to what extent
the Gaia-X program and the Palantir
-
collaborations in the EU tied to this, and
what can be done to stop this?
-
For those who are unfamiliar with Gaia-X,
-
that's an initiative to create a European-
based, Europe-based cloud service.
-
But it should be mentioned that
all sorts of American tech companies
-
are also participants in that, so the
European nature of that could be disputed.
-
But to get back to the question…
-
How does Gaia-X and Palantir
may or may not tie into this?
-
I think that might be
a question for Patrick.
-
Breyer: I'm afraid I don't know
enough to answer it, Walter.
-
Palantir has their hands,
of course, in managing databases.
-
And they will also offer products to
police that will integrate data retention.
-
And of course, the impact of
communications data grows potentially with
-
the capacities to analyze this data. It
has long been established that, you know,
-
the idea that listening in to phone
calls was more sensitive than
-
only knowing that the call details is
wrong nowadays, because you can use the
-
bulk of data that has been
collected over weeks and months
-
to paint a picture of persons, and their
networks, and their movements,
-
and their personalities. That is actually
much, much more intrusive and
-
much more sensitive than what you can tell
from just listening to phone calls.
-
And yes, I think companies such as Palantir
are taking this to very great length
-
with the products they are offering. And
certainly it's a commercial incentive.
-
Mass surveillance is big business, and
we need to be very aware of this.
-
Herald: OK, I will also ask Jesper this,
-
because he may have some
thoughts on this as well. Jesper?
-
Lund: Yeah, I think another worrying
development we are seeing
-
is with the amendment
to the European regulation,
-
which to a large extent is about allowing
big data analysis and, in fact, legalizing
-
practices that are currently illegal. I
could easily imagine that, so, police
-
authorities will not have access to the
sort of complete data sets that are
-
retained by the telecommunications
providers. But whenever they have a
-
criminal investigation and get access to
some data, there's a risk that it would be
-
stored in the database and used for other
purposes. I could easily see that systems
-
from Palantir could be used
for analyzing such data, that it could be
-
disclosed to Europol and possibly analyzed
by Europol using perhaps Palantir's
-
software as well. So. Even though the
connection to Palantir and Gaia-X is a bit
-
speculative, it certainly fits the picture
of more big data analysis for the police.
-
Herald: Chloé, you want to
add something to that?
-
Berthélémy: Just a quick remark on the…
-
it's not linked to Palantir directly or
Gaia-X, but like this is also part of the
-
French law that was actually
brought down by the Court of Justice.
-
Like one part, was also like about
black boxes used by intelligence services
-
not police authorities,
not law enforcement authorities,
-
but intelligence services. And the
new "Loi Renseignement 2", so like
-
the revival or the reform of the former
law that was adopted this year that I've
-
mentioned before, also contains this kind
of algorithmic based, big data analysis of
-
metadata, of communications data. And this
is even further expanded in the new law by
-
including URLs. So also an analysis of
internet network, and how websites
-
are being visited, and which ones and by
whom in general. And all of this will be
-
done now from the premises of like the
physical premises of the intelligence
-
services in France, and no longer at the
premises of the service providers.
-
So it's kind of a huge shift, where like
intelligence services are getting the copy
-
of metadata on the basis of a judge's
decision. But basically everything is
-
copied, and then they're like
applying an algorithmic analysis to it.
-
Something that is obviously
not known by the public.
-
This isn't in the sense, it's…
-
It follows the same trend.
-
Herald: OK, thank you.
Another question from the audience is…
-
I think I'm going to give that
one to TJ, because this may
-
also require an expansion into other
fundamental rights or a broader set of
-
fundamental rights – someone is wondering
what is actually so bad about a general
-
data retention for just IP addresses, for
just severe crimes? TJ.
-
McIntyre: Well, that's a very good
question. So first of all, what do we mean
-
by "just serious crimes"? In Ireland, a
"serious crime" includes stealing a Mars
-
bar from your local shop or a sweet of
your choice from your local shop, because
-
that theoretically carries a possible
seven year prison sentence. And in fact,
-
the Irish police have been using this so-
called serious crime provision to
-
investigate things like theft of a mobile
phone from a locker and theft of 100 €
-
from an ATM machine. So first of all, the
problem here is that scope creep is a
-
thing. And even if you describe something
as being limited to serious crime, it's no
-
guarantee that what you think of a serious
crime and what it will be used for are in
-
fact the same things. The second is that
registration of any sort is a gateway to
-
registration of everything. The kinds
of registration we see talked about
-
and Jesper mentioned already, and Patrick
has fought against in different contexts;
-
registration of SIM cards, for example,
generally require identity verification of
-
some sort. And that, in turn, is a real
threat then to the people who rely on
-
confidentiality – the whistleblowers who
want to get information about what
-
government is doing out to you, the people
who want to talk to their doctors or their
-
support helplines in confidence – and that
is a threat to them. But I think Patrick
-
probably is better placed to
discuss those points than I am,
-
so perhaps I'll just hand over to him.
-
Breyer: Just to add to what TJ said
-
about IP addresses specifically… On the
internet, the major providers of services
-
will log your every click and search term
that you enter and keep that data for
-
months. And so basically, if you know a
person's IP addresses, it's easy to
-
request from Google all the search terms
that they entered. Or if somebody is
-
publishing anonymously using a Twitter
account, or they think it's anonymously,
-
then you'll ask for the IP address.
And you can establish, you can lift the
-
anonymity of that whole account. And
that's why IP addresses or being able to
-
trace IP addresses really means that you
can follow whatever a person has done on
-
the internet. And you can even determine
their location because IP address tells
-
about your movements more or less,
roughly. Whether you're at home or at work
-
can be determined, according to research.
And it's very telling, it's not true that
-
it's somehow less sensitive. You know,
if you call somebody and
-
suppress your phone number, you can't, you
wouldn't be allowed to retain data on this.
-
But if you use digital services
to send an email, you'll have the
-
IP address in the header. If you use
messaging services, they will be logging
-
your IP address. So very similar things as
making phone calls will be able to be
-
retained indiscriminately
and be tracing the IP address.
-
Herald: OK, I have a very specific question
about Chloé's bit in the presentation
-
unintelligible
-
I didn't quite get what
the Socialist Party did block
-
and how, and what happened there.
-
Berthélémy: Sure. That went by very fast.
-
It's not just the socialists, obviously,
I forgot to mention that the right parties
-
had the big role to play there.
Basically, there is like a procedure in
-
France every time, like a legislation is
adopted by the parliament, so both
-
the French National Assembly and the
Senate. There is a possibility there's
-
this rule where either 60 senators or 60
MPs, members of National Assembly can
-
just vote in favor of submitting the bill,
before it is adopted and officially
-
published in the official journal and can
come into force, there is this possibility
-
of submitting it to the Constitutional
Council. So the Constitutional Council in
-
France is composed of nine members.
They're not elected, they are designated.
-
So it's not the best kind of democratic
counter-power you can imagine. But this is
-
still there, and has been proven effective
in the past years, especially since the
-
presidency of Macron. To, a little bit,
hold responsible what the government is
-
proposing and has annulled or prevented
some provision in several security laws to
-
pass and to come into effect. And so for
the second, the "Loi Renseignement 2",
-
so like the reform of the intelligence
service law that contains the provision
-
about the data retention, so when this
reform was finally like adopted by both
-
the Senate and the National Assembly,
there wasn't the majority. There wasn't
-
enough majority to send the text in
front of the Constitutional Court, or at
-
least not on the provision related to data
retention. And some other provision
-
contained in the bill were sent to the
Constitutional Council. And the reason why
-
data retention wasn't included is because
the socialists didn't support it, this
-
submission, this reference to the
Constitutional Council. So not just the
-
socialists' fault. It's also I just said
the right parties and the party in power,
-
so the La République en marche. But I
think one assumption that we can make
-
and this is not like verified information,
but this is one assumption we can make
-
is that the reason why the socialists
didn't support it, the submission to
-
another scrutiny or constitutional
scrutiny, is because they were the ones
-
introducing those measures in 2015 when
they were in power under François Hollande
-
Herald: I've been told by the translators
that we really have to wrap it up.
-
So I probably will be asking the last
question, depending on the length of
-
the answer, maybe another question.
And I'm going to ask them to Friedemann,
-
because he hasn't been
talking much during the Q&A.
-
One of the questions is, and that was by
a viewer, who understood the
-
explanations about the Court of Justice
as potentially being willing to revise the
-
earlier jurisprudence on data retention
which I understood quite differently,
-
so maybe you could explain it as well.
But the question is…
-
In case the Court of Justice of the
European Union were to revisit its
-
earlier opinions and weakens its stance,
what will be possible to do against that?
-
Ebelt: Well, to be honest, I would love
to pass this question on to the speakers,
-
since I'm not actually a speaker of this
talk, and just the host and moderator.
-
So would somebody of the speakers
take the question?
-
Herald: Then I suggest Chloé does it.
-
Berthélémy: Oh, wow, what a nice gift.
Can I pass the ball to Jesper? laughs
-
I don't know what can be done as a citizen
counter the Court of Justice's future rulings.
-
One thing that Patrick mentioned,
for example, is the influence of several
-
interventions during hearings in front
of the courts. And notably, when the
-
European Data Protection Supervisor is
kind of weakening what the court has said
-
previously and said that access is more
important than the mere retention of data,
-
it's problematic. Even though it didn't
impact it this time too much,
-
there is a risk that this
kind of narratives build up
-
and becomes like very
influential in the judges' ears.
-
So this is something to be avoided.
But Jesper, please complete, because
-
I'm probably far from the
comprehensive answers to this question.
-
Lund: In the hypothetical situation that
the court would revise its position and
-
say, allow general and indiscriminate data
retention, not just for national security
-
in extraordinary circumstances, but for
combating serious crime in general.
-
That would put us back
to sort of square one,
-
before the…
-
when the campaign against
data retention started. And,
-
then we can no longer say that
it's against fundamental rights.
-
But it's still a bad idea.
-
It still has problems for vulnerable groups,
-
persons with professional privileges,
and so forth.
-
So in that situation, ideally, we want
to convince our parliamentarians
-
at a national level that it's a bad idea.
And if that is not possible, at least make
-
exceptions so that these groups with
professional privileges are not included
-
in data retention.
It may be possible.
-
Germany has, in its current data retention
law, has some provisions on where
-
certain phone numbers of help groups,
help phone lines are excluded.
-
And also make sure that access to this
data is subject to prior court review.
-
That is not the case in all member states.
-
And that access is exceptional, also.
-
And so these are the options remaining
-
should the Court of Justice
revise its position, which…
-
I would consider unlikely at this stage,
and certainly the advocate general is in
-
audio breaking up
-
…the three cases pending is not suggesting
this at all. Rather the contrary.
-
Herald: OK, thank you.
And we have run out…
-
oh, and also for those who want to
look up the website, it's edri.org
-
And that contains the map Chloé mentioned.
-
But again, thank you all.
And this is it for the session.
-
Take care. Bye bye.
-
rC3 2021 Chaos-West TV postroll music
-
Subtitles created by c3subtitles.de
in the year 2021.