On Thursday and Friday, March 12th and 13th, the International Association of Constitutional law and the Research Group on Constitutional Responses to Terrorism invited to a conference called “Surveillance, Privacy and Transnational Relations in the Digital Era”. The conference, held in the Institut d’ Etudes Européennes at the Université Libre de Bruxelles, saw an exchange of ideas, orientations, and suggestions concerning the issues of data protection, surveillance and privacy.
The introductory part, held by Prof. Anne Weyembergh, Dr. Christiana Höhn and Prof. David Cole introduced the audience to the topic of Data Protection Regulation which is gaining importance in the last periods because of the European Parliament and European Commission working on a new Data Protection Regulation since 2013 and also because the Data Protection issue is more than ever connected to the counter-terrorist actions, always an actual and attractive theme.
The first panel of discussion, “The ECJ Data Retention case and it s aftermath”, chaired by Prof. David Cole with the contributions of Prof. Ojonen, Prof. Fabbrini, Prof. Vedaschi and Mr. Marino shed light on the main problems concerning the collection of personal data, more specifically the indiscriminate data collection itself which often does not respect citizens fundamental rights (as the one of privacy). Moreover with an ever innovating IT sector, the relevant areas concerning Data protection are focused on the Internet and the Social Networks. Following Dr. Höhn, indeed, there are more than 50.000 twitter accounts connected to ISIS members. These accounts, are not just leading to radicalization on the web, they are in fact illegal because they go against laws and terms of reference of the platforms. As the problem is evident, the question is “How to make sure that this material is found and removed quickly?” To “solve” it following Höhn, more trained people and software are needed and of course more cross-border cooperation is needed, as cross border implications require cross border solutions.
Concerning the issue of traveler’s detection, Schengen should be the solution not the problem. There is the need to implement and coordinate systematic controls on the people coming back to Europe. That means, more control on the external boarders, once solved this, the internal part and obviously the connected Schengen benefits won’t be that problematic.
Prof. F. Fabbrini on his side introduced the audience to the decisions of the European Court of Justice (ECJ) on digital rights after Snowden’s revelations. Concerning this issue, the normative framework at the European level started with directive 94\46 which is now 20 years old. Indeed taking a closer look, on the one side the EU legislation is very much protective especially compared to the one in the US but on the other hand, it is quite intrusive on Data retention directives. This directive ensured yes a high level of privacy protection but left many powers to the national level. As a consequence after 9\11 many states modified their data restriction policies on a national level. Since 2009 these norms are effectively binding, so when the ECJ was asked to judge it, the judgment was very critical. The ECJ indeed made a proportional analysis pointing out the following questions:
- A) Is there interference between the national and communitarian level ? YES
- B) Is the interference justified ? NO
According to Prof. F. Fabbrini, this judgment stands for a major victory for the ECJ, crowning a set of cases where the ECJ proved to protect human rights.
As new cases are coming up, will the European Court of Justice persist? When asked, Prof. F. Fabbrini stated that the evidence is that the ECJ is acting more as a human right court or a constitutional court than a court of justice! There is no way national law can bypass EU Data protection directives. In fact national States have no margin to pass EU legislation. A possible proposal to introduce can be the so called “Emergency time factor.” The closer to a terrorist attack, the faster the reaction should be. Fabbrini’s last point took into account the implications of the ECJ decision from a broader perspective. In this case it is necessary to take into account the huge similarities between EU and US from a constitutional point of view?
Doing so, the attention will focus on two elements:
- 1) Privacy protection must be updated, and therefore there is the need for new and advanced IT technologies;
- 2) The irrelevance of private Vs public surveillance.
Prof. Adriana Vedaschi and Mr. Gabriele Marino shed light on the PNR agreements. As a starting point it is good to mention that the US have three agreements emerged after 9/11. The last one was reached 2011 and is actually in force since 2012. The main struggles concerning the PNR issue are about the retention period and the way they are archiviated as most of the collected data are just anonymized after 5-10 years of retention but not destroyed. Instead of an indiscriminate data collection and storage, data could be used on a case to case basis to protect individual rights. Concerning the canadian case, an agreement on PNR had to be reached without breaking the EU law. An agreement has been reached between two states that aim to prevent terrorism, but a definition of terrorism is still missing. The Canadian case rules on government retention for PNR data are divided in 2 categories: 1) Passengers not under investigation 2) Passengers under investigation ( in this case daa collected remain there maximum six years, at the end of the retention period every data is destroyed). This agreement focuses on a closer attention to fundamental rights than the one reached with the US, because there is a direct reference to canadian domestic law, not a common definition of crime. Prof. Ariana Vedaschi analyzed the PNR agreements in the light of the ECJ. In this context it is useful to stress 4 points, so Vedaschi:
1) The ECJ calls for precise provisions, especially if these provisions restrict personal rights; 2) Extension of retention period. Last April the ECJ was thinking maximum one year should be ok;
3) Clearer distinction between suspect and non suspect, with the ECJ against massive and indiscriminate surveillance;
4) Concerning the access to collective data it should be clearer in which case, data are accessible and by which kind of procedure.
The PNR agreements with Canada and the USA are not consistent with the EU law and in fact if the ECJ wants to remain coherent it needs to take position and decide against.
The second panel of discussion:”Snowden’s revelations and their aftermath”, chaired by Prof. Ane Weyembergh, saw the contributions of Prof. Schulhofer, Prof. Slobogin and Prof. De Capitani.
Prof. Slobogin in his part: “Domestic Surveillance of Public Activities and Transactions with Third Parties: Melding European and American Approaches”, introduced the audience to the following questions:
-When may surveillance target an individual? (Targeting issue) Short term monitoring versus prolonged tracking time limits.
-When may governments establish a surveillance program? (Programmatic issue)
Rules have to be promulgated about collection, verification, disclosure, destruction and at an independent agency as the German approach suggest. But if compared tk the US, they are not following the german model. In the United States of America there is often no legislation on this issue and if there is a legislation it is mostly vague: e.g. Section 215 of the fusion center statutes.
Prof. Emilio de Capitani spoke about his experience as a former Secretary of the European Parliament Civil Liberties Committee, stating that the EP is under pressure to create a legislation about the collection of PNR data. The EP resists in front of the Council but there ja a huge need for the legislator to improve EU legislation: “PNR can be seen as the beginning of a new world”, so De Capitani.
Prof. S. Schulhofer: Regarding the privacy issue, while dealing with the US one has to be aware that the NSA is a huge player in this context. In many aspects the US law is better than the EU one. « Privacy would be best, avoiding legiative regulation on an international level and ‘strenghten’ legislations more on a national level » but well international cooperation is and remains a good base.
Why did privacy protection collapse?
First, because nowadays it is cheap and easy to collect data and second because often there are no obstacles on a legislative way. Snowden has stressed how far the US have gone concerning collecting personal data and mass surveiilance. That’s why it’s usefull to stress how the Snowden’s loophole exposed US citizens to massive surveillance. To solve this situation a universal human right should be adressed! But the risks of reaching an international regulation on this issues have to take into account that there are big differences even between western democracies. Concerning the privacy issues, it may be useful to point out the fact that in Europe most countries have known dictatorship and the citizens as a consequence are very attaced to personal liberties, and privacy and data collection are more sensitive topics than in the US. Finally it’s usefull to remember that for such an agreement lots and lots of time would be required.
The third panel: “Protection of privacy: transnational convergence or divergence in the use of surveillance techniques? Chaired by Ms. Myléne Bouzigon saw the interventions of Dr. C. Murphy, Dr. E. Fahey, Dr. B. Petkova and Prof. J. Hafetz.
Dr C. Murphy in his intervention stated that Counter Terrorism made by States as it’s nowadays is inadequate for the world we are living in. The pressure to fight against the Islamic State led to the UN Resolution 2178, adopted last November. The resolution 2178 requires criminal law to be adapted against terrorists (Article 6), and Article 4 instead is about the prevention of radicalization. The problem concerning this issue, is that a real definition of terrorism, or of foreign fighters is missing, rendering the things more complex.
Dr E. Fahey, in her intervention about “Right-centric rule making beyond the nation state in the surveillance area: the case study on cybercrime and cyber security”, pointed out different examples of rule making beyond the States, we distinguish:
- Non conventional rule making processes, characterized by a complex new configuration of sovereignty, territory and jurisdictions;
- The internal and external dichotomy of the transfer of authority (not only a European matter or an Eurocentric vision);
- Public and private actors as multiple instruments or a plurality of sources.
Dr. B. Petkova on her side stated that there is an emerging consensus about transnational cooperation from an US perspective. Pursuing privacy is better done at a local level than at the federal one.
Prof. Hafetz: Snowden revealed data collection about major companies. These companies have many incentives to gather and continue gathering data mostly for economical reasons, but at the same time they are pressured to cooperate with the governments sharing data. The main problem about the private sector sharing and collecting data can be found in the sector itself missing any kind of privacy protection. Google, Facebook and other major informatics companies signed an agreement to release data on security issues if requested. Snowden’s revelations shed light on the urgent need to build a more privacy protective software, protecting and implementing people’s liberties without endangering their security.
The fourth panel: “Worldwide experiences of surveillance and transfer of information: challenges and prospects”, chaired by Mr. Van de Rijt, saw the interventions of Dr. B. Bulag, Prof. D. Bilchitz and Ms. Cocq.
Dr. Bulaks part focused on “Preventive surveillance, data protection and the rule of law in Turkey with regard to European studies.” In this context it is useful to stress the fact that Article 8 § 1 of the European Convention on Human Rights has been transposed to the Turkish constitution but with a different wording. In the Turkish constitution’: “Everyone has the right to demand respect for his\her private and family life” “… To request the protection of his\her personnel data”.
Regarding the case Sinan Isik Vs Turkey in the year 2010, the controversy was about the religious mention on the ID cards and on the disclosure of information.
Concerning the Data Protection legislation, the Convention nr. 108 for the protection of individuals was signed in the year 1985 but not ratified yet. In Turkey, the surveillance agency can collect data about communications, included the ones of foreign citizens. The mention of national security is a vague terminology to cover the activities of the Agency. Moreover there is a huge problem concerning accountability in Turkey, independence of judiciary, separation of power and rule of law.
Prof. D. Bilchitz:” Privacy, Surveillance and the Duties of Corporations in South Africa”.
Concerning South Africa, the scope of personnel space shrinks as the person moves for its activities. Usually there is a high level of protection at home compared to a weaker one outside. So what is the major problem about the obligation of corporation?
First of all, it’s a “negative” obligation to avoid harming personnel rights, as the duties of employees that are working for a company on computers and servers that do not belong to them. In this case, there is no distinction between personnel info and information’s related to the work. Corporations may have a legitimate expectation that they are entitled to see the work performed by employees and monitor them. That’s one of the main reasons why Bilchiz states that there is the need to impel such approach by law, it is a duty to protect also private actors.
Ms. C. Cocq: Digital era can be seen as an opportunity to share information but also as a threat if used in a criminal way. Nowadays boundaries are erased except for human rights, this makes it harder to spread values on data protection.
Regarding the threat of terrorism in the Association of Southeast Asian Nations, it is not a new phenomenon in the region. Asea is characterized by many different cultures, where a high importance is given to national sovereignty, making cooperation resulting harder to obtain. In this area the development of binding norms was very recent (see Human rights declaration 2013) and a definition of organized crime is still missing. For this reason, following Cocq, we can’t ask these countries to implement the same level of Human Rights protection as the one we have nowadays in Europe.
The attempts in this direction consist in working more with soft law, trying to render it compatible with the hard one or trying to reach something called “police cooperation” based on information sharing, but nothing about Personal Data yet.
Malaysia was the first country in the association to develop a data protection law. This law had a very narrow scope; it was used only for commercial activities nothing about criminal law or security.
All of the Asean countries require an adequate level of protection to cooperate between them but they don’t have a definition of national protection, which complicates the things. The prospect of reaching a regional agreement requires a huge amount of time and resources.
Keynote speech:
- Hustinx: Privacy is essential for innovation; Privacy is a very big deal especially after Snowden’s revelations. With the advent of the Digital Era the world’s vulnerability emerged, having a vast impact on mass surveillance and directly on the NSA, whose mission seems to be: collect the data, collect them all.
As the entire Internet infrastructure is an infrastructure of surveillance, the reaffirmation of the need for privacy regulations after the Snowden case is urgent. The scope of private life has increased, so there is sometimes private life in public space. Negative obligation addressed to the States and a positive one to prevent interferences.
The case law about privacy was developed during the 70’s as a consequence of the need to create a right to be protected; this should be gradually applied with transparency and proportionality. The essential requirements of this law are listed in Article 8 § 2 and 3. At stake there is the need to make the safeguards more effective. European law and the one of the Council of Europe on this manner do not coincide. First problem arising in this context is about the issues of security matters which are sole competence of member states while Member states security is the base for en European security. As we can see, there is the need for a new deal to make sure that it’s effective.
Following the Former European Data Protection Supervisor, 40 % of their consultations refer to Justice and Home Affairs. It seems that they are moving into the right direction, assuring stronger rights, supervision and regulations.
Concerning international conflicts; the negotiation about PNR lead an international conflict emerge, because of the different perspectives regarding the American and European point of view. Hustinx tells himself optimistic about the PNR reform which should not be affected by the TTIP negotiations.
Panel 5 “Surveillance and oversight: balance or complementarity?” chaired by Prof F. Fabbrini, saw the contributions of Ms. Bos-Ollermann, Prof. Rotenberg and Dr. Galli.
Dr. Galli in her part: “Law enforcement data retention and EU constitutional principles: reinventing a common framework?” focused the attention on the ECJ, especially the Ireland Vs Council, Digital Rights Case. In this case, the directive violates privacy and data protection. Moreover the directive does not respect the compliance proportionality principle.
As a reaction a Memorandum was created ruling the national legislation to be amended if not compatible with the European law.
But what should Member States do at this point?
The reactions were different: taking Austria’s case the constitutional court annulled data retention legislation. In Denmark or Sweden instead data retention was judged in compliance with privacy rights.
These examples shed light on the complexity of the issue and on the need for European policy makers to take actions, also if it is not easy given the situation. Moreover following Galli, a new balance between data protection and retention should be found, may with a greater involvement of the European Parliament.
Ms. Bos-Ollermann on “Mass surveillance and oversight”.
Oversight bodies to bring objectivity; oversights of mass surveillance have to prove effectiveness. In many countries we are experiencing a lack of oversight quality; a lack of capacity instead, could be a serious pitfall.
How to improve the current situation?
It’s important that oversight bodies are made up of experts in privacy, they should seek for information themselves, instead of waiting for being informed. There are still many bodies that hesitate to publish their findings, but they have to inform the public, or at least it would be better by doing so, improving the transparency. As most bodies are national, if they don’t start cooperate and compare their findings, it will take decades to reach a national oversight. Moreover oversight bodies cannot continue to perform their tasks in silence, and should also professionalize their methods.
Prof. M. Rotenberg: What should an Electronic Privacy Info Center do?
- It should open government’s litigations, trying to inform public debates. (There are more than 100 reported cases to the FBI or NSA);
- It should give advices to courts providing unique expert perspectives, based on data and authoritative reports and studies;
- Engage direct actions, trying to establish new principles. These principles should also include the right to petition government for redress of grievance, as the one included in the American Constitution.
Charline Quillérou, Patrick Zingerle