European Data Retention Laws: Not such a “Fine Balance”

Picasso: Life

There has been much criticism of the Patriot Act by Europeans (as well as by Americans), and most of it rightly so. One problem is that in Europe, similar legislation is being passed both on the local level and at the European Union level as well. These are known as Data Retention Laws or are often clauses hidden inside the Data Protection and Privacy Laws. For a good description of the dangers of these laws, see this post from Digital Rights Ireland. In general, the government, when passing legislation that limits the privacy rights of its citizens, must strike a balance between the national security interests and those of its citizens as individuals. Now, I am no expert on US Constitutional Law (and in particular on the First and Fourth Amendments), but using a strictly US legal analysis of these laws, there are serious procedural concerns with regard to the infringement of citizens’ fundamental rights. Here is how I reason through these issues:

Essentially, the EU Data Retention Directive (as I understand it) requires all Internet Service Providers (“ISPs”), telephone companies, and other similar technology providers to maintain all user data for several years. Such data would include your emails, SMS messages, the internet pages you browse, phone records, and the like. The purpose of retaining said data is for law enforcement, meaning that the police can access said data to evaluate whether a particular individual has committed a crime.

Most companies keep customer data for a reasonable amount of time, not for the police to access, but for two basic reasons: (i) to track the customers’ behaviours for marketing purposes and (ii) in case billing disputes arise. With Internet companies, tracking and storing ALL user traffic data has an enormous cost — storage space, memory, and speed.

Our privacy interests can only be limited by the most important of state interests before the government (police or regulatory agency) may access our personal information. Searches and seizures (as per the 4th Amendment and its corresponding jurisprudence) require that the police first get a judicially approved warrant in order to search one’s property. These warrants are to specify the area to be searched, that which is being searched for, and that these searches are supported by probable cause. In certain exigent circumstances, the police may conduct a search without a search warrant. Examples of constitutionally acceptable warrantless searches include situations where police have probable cause that a crime has been committed due to something that they perceive and can articulate (the Plain View Doctrine), where there is evanescent evidence (evidence that is likely to be destroyed on the spot, like flushing drugs down the toilet), when the police are chasing a suspect (the Hot Pursuit Doctrine), other exigent circumstances (e.g. danger to the police), when an automobile has been impounded, or when a search is conducted subject to a lawful arrest (Chimel Search in the “grabbable” area).

The courts will also ask whether an individual has a reasonable expectation of privacy when a search is conducted absent a warrant. For example, when can the police listen to our phone calls without a warrant? When do we reasonably believe that we are having a private conversation? Do we have the same privacy expectation when talking on the phone at home as on a public telephone? Do we have a reasonable expectation of privacy when we throw our trash into the garbage and leave that garbage on the street?

In terms of electronic communications, do we have a reasonable expectation of privacy when we send an email? We should know that the email passes through many different points and is stored in servers both during the sending process and upon receipt. But is it unreasonable to believe that such an email may be read by the police? When the police want to put a wire tap on our telephone so they can listen into our conversations, they must do so via a court sanctioned warrant. And even that warrant will be limited in time and scope. Should it be the same with emails?

Generally, the police can get around the warrant requirement when investigating a crime by asking for certain information from the companies that we use on a regular basis. For example, in the investigation of a crime, the police may ask the phone company for the records of calls made from our house to see whether we were at home at the time of the crime or to see who we called. The police may get our credit card records from Visa or Mastercard to confirm whether we made a certain transaction or where our location was at a certain time. The police can do this without a warrant because they are not invading the individual’s privacy but the privacy of the company (there is no “State Action”). The company consents to the search. If the company refuses to consent to the search, the police then get a subpoena from a judge. A subpoena is a court order that requires the production of evidence or testimony.

So what happens when the law forces companies to act as their agents in criminal investigations? Essentially those companies become State Actors. “State Action” is when an action taken is sufficiently connected to the State as to be attributed to the State. Sounds confusing? It basically means that the private entity is acting like the State (and to the State’s benefit), and therefore will be held to the same standards of the State. In the US, “state actions” are subject to judicial scrutiny for violations of the rights of due process and equal protection under the 14th Amendment of the US Constitution. But, if there is State Action, then what should we worry about? We should worry because normally the State (government, regulatory agency, or police) would need a warrant to conduct the search. The new EU directive would simply require the companies to turn over the personal data without a warrant or prior judicial decision on sufficient probable cause to conduct the search.

But, if this helps to combat horrible crimes committed or facilitated through the Internet or electronic transmissions and we haven’t done anything wrong, then what is there for us to be worried about? Doesn’t it make us all safer?

There is plenty to be worried about. Imagine that the post office was required to photocopy all of the mail that we send. They can then keep those photocopies for years. Whenever the police want, they can go and read our mail. They don’t need a court order. They just read it. It is like a fishing expedition. Whenever the government wants to go fishing, they stick the line into the water and wait to see if they can catch a criminal. Imagine you haven’t done anything wrong. Why should the police be investigating you in the first place? Where is your privacy? Why should we be constantly stopped or investigated just in case we happened to have done something wrong? This is the great tragedy of racial profiling in the US. In Europe, it is common practice for the police to stop immigrant-looking people to ask for their immigration papers. Is this the kind of society we want to live in? Where the police can investigate a crime because you fit the description of someone who might have committed a crime before the police even have knowledge of the commission of a crime? The probable cause of the crime is simply what you look like or where you came from. With the EU Data Retention Directive, what will the police’s articulable justification be for snooping through your personal files?

The US does not have the strong data protection and privacy laws that exist in Europe. These European laws basically prohibit companies from turning personal data over to the police without a court order. Maybe this is why the EU is creating such an oppressive directive.

Remember that we are all innocent until proven guilty. We are not suspects until we have acted in a reasonably suspicious manner that the police are capable of articulating. The government should not be able to rummage through our personal belongings and thoughts. We should be free from excessive government interference, not only when walking down the streets, driving in our cars, or in our homes, but also in our thoughts and communications.

Imagine how such a new data retention directive would affect the traditionally protected relationships between lawyer and client, doctor and patient, priest and layperson, husband and wife. All of these relationships are privileged. Does this mean that, for example, lawyers should no longer communicate via email with their clients for fear that the government will freely violate confidences at will? Should doctors refrain from storing patient data in their computer systems? Doesn’t this very directive then hinder technological development? Next thing you know, the police are going to search the psychological records of patients to see whether they were predisposed to committing certain crimes.

One day the government will require us to record our dreams and innermost thoughts so they can convict us not for our crimes, but for our guilty thoughts. Orwell wrote 1984, and then Europe invented the Big Brother reality shows. Here he comes! For now, there’s not such a fine balance.

 

 

 

 


5 responses to “European Data Retention Laws: Not such a “Fine Balance”

  1. You really poured it all out…

    This display of knowledge was very good 🙂

    My opinion is that we have to try to counter these laws with technological advances or measures implemented by the user, for example, through data encryption. Decrypting a conversation is already costly enough that it will not be done on a mass scale, or that a lot of thought will go into what gets decrypted because of the resources that will be needed.

    Although I agree with you that this does not solve the underlying problem, and that these laws do not satisfy the trade-off between rights and liberties versus obligations, because one of the powers of the state wants to cover more than what has traditionally been considered optimal.

    Regards

  2. eric

    The truth is I went a bit overboard with the post (in the sense that it is too long), but I think it is important to know that governments are forcing third parties to store our correspondence and activities. And as you say, there will be other, perhaps better, technologies to achieve the same objectives without interfering so much in our private lives. For now, we can only wait. It seems there are not many people protesting in Europe. They only protest what is done in the US. There is no need to look so far away.

  3. Eric,

    Honestly, a company acting as depositary of the state's authority is very dangerous. I imagine those laws provide for a form and a strict process for storing the data and, what is more, as happens elsewhere (consulting records in hospitals), for knowing who accessed that information and when. Otherwise, the truth is that it is more serious than it may seem at first…

    What do those laws provide regarding the way citizens' information/communications are to be stored?

  4. eric

    Dani,

    For now, companies have to keep the data for a minimum of 6 months and a maximum of 2 years. In reality, only information about the connectivity of communications can be recorded (that is, from where they called, connected, etc.) and not the content. But it is still pretty heavy. It does not specify how they have to store it, only that they have to use technologies to do so.

  5. Well, yes… it is quite serious. Even if they “only” have to keep that information, it is still sensitive information. I still think the minimum would be to guarantee that every time that type of information is accessed, it is recorded who did it, when, and from which terminal.

    I don't know if it will be like that… but the way you describe it, anyone who works at a European telephone company and has access to that database (e.g. by knowing the person who manages that database) will be able to access that information, because if it is not recorded anywhere… Is there no place in any law that says who exactly has to manage that and under what principles? Doesn't the data protection law say anything about it?

    Regards,
