Archive for the 'data retention' Category

The Word: Spyvate Sector

Thursday, December 17th, 2009

Chris Soghoian’s research about law enforcement access to customer records in the United States made it to the Colbert Report:

The Word - Spyvate Sector
www.colbertnation.com

Dutch Senate To Consider Data Retention In Plenary

Friday, July 3rd, 2009

The Dutch data retention implementation law (31145) is on the plenary agenda of the Dutch Senate next Monday and Tuesday, 6 and 7 July 2009. So far, the Senate has been very critical of the implementation law, has held an expert meeting and asked two rounds of questions to the Dutch government expressing its reservations with regard to the fundamental rights of citizens and the effectiveness of the proposed data retention framework.

Julie Cohen on the Changing Meaning of `Unauthorized Access`

Monday, June 8th, 2009

This is a really great lecture! Julie Cohen manages to touch upon almost everything I am interested in, in about half an hour.

Dutch Law Enforcement Pushes For Centralized Storage of Traffic Data

Wednesday, May 6th, 2009

Heise online reports from a RIPE conference in Amsterdam that the Dutch government agency CIOT has called for extending its current database (with personal data on Internet users) with the data to be retained under the implementation of the data retention directive.

The implementation law is currently waiting for a plenary debate in the senate, which is planned to take place on 23 June 2009.

A Trolling Professor Gagging on Google

Monday, May 4th, 2009

The respectable LSE professor Willem Buiter has ‘taken up’ the debate on regulating search and is all in favor. In fact, he proposes to regulate Google (not search), and more precisely to break it up and put it out of business if possible.

I must say that I do like his style of writing and I agree that Google’s treatment of privacy and copyright are important issues to discuss. But unfortunately, the content of the essay is not all of high quality: it’s a kind of Google bashing that could ultimately do more harm than good, because the debate about Google in Europe needs economists like Buiter to explain what’s going on or even better to lay out a vision for the policies and laws of the future.

Copyright and theft

I have a particular problem with Buiter’s claims about copyright and Google. He claims that some of Google’s services are (or should be) illegal under copyright law:

Google has been making available copyrighted material for download on its websites for years (books through Google Books, music through YouTube, newspaper material through Google News), often without obtaining prior consent of the copyright holder and generally without making any payments to the copyright holders. There is a word for that kind of behaviour: theft. Just because you steal using internet technology does not make it anything other than theft. As an author, this naturally concerns me.

It’s hard to defend that YouTube is illegal altogether, simply because users can upload infringing videos. In addition, YouTube is more and more positioning itself as a partner for the audiovisual industry, because it seems to need them to monetize the service. It would be helpful to get an economic perspective on that.

The Google Book Search scanning program is more complicated. From Buiter, one would expect an analysis of the public welfare benefits of a comprehensive full-text book search service.

Finally, the word ‘theft’ obfuscates the nature of the protection of intellectual labor through legally enforced monopolies for a period of time. This protection can hardly be called property. It’s not unfair to profit from each other’s intellectual work. The whole idea of copyright protection is to make it profitable for society as a whole. A university professor and successful author should know that.

With these superficial remarks Buiter does not add anything to the debate about copyright and Google, other than his name and some exaggerated qualifications in defense of an industry that opposes change but should be looking for answers instead. His claims are normative without economic foundation. If anything, the news, music and publishing industries probably need the platforms provided by companies like Google and Yahoo to retain some control over consumption of creative products.

Privacy

Buiter’s complaints about privacy and the importance of default settings are more to the point. He is rightly concerned about the unprecedented collection of user data by companies like Google and Yahoo and the access to that information by government agencies. But I dislike and distrust his reference to the maltreatment of copyright in this context. Politically, these issues are of a completely different nature.

Can we trust Google not to abuse the information they collect? Of course not. This is a profit-seeking company. Its owners, CEO and top managers are typical amoral capitalists who want to make as much money as they can without ending up in jail. Their ruthless, unethical behaviour as regards copyright, Of course we cannot trust them. They must be regulated and restrained by law so we can sleep at ease even though we know we cannot trust them.

I do agree that Google and others should develop an anonymous search experience and use an opt-in for their behavioral targeting program because I think that access to information and ideas should remain free (as in freedom). But default settings are hard to regulate, as an economist should know: there are so many different products and services, default settings are part of the innovation, it’s partly a matter of technological design, and legally speaking contractual freedom poses a hurdle to reckon with. It’s too simple to compare this with H-bombs. This is precisely the type of ‘do no evil’ engineering ethics that makes it harder and not easier to debate the real issues.

Buiter’s opt-out?

Buiter finishes his rant by claiming that he will start deleting everything from Google. Maybe he should also ask the FT to remove his blog from Google search (by adding its directory to this file), remove his website and publications, and tell his agent to stop advertising his speaker qualities through Adwords. Or maybe Google does offer something valuable? I hope Buiter will reconsider and come up with some more realistic proposals.

(sidenote: I took the first part of the title from a reaction to his article at the FT site.)

Dutch Government already thinks about extending data retention at European level

Tuesday, April 14th, 2009

The Dutch Government has answered (in Dutch) an additional set of questions by the Dutch Senate about the implementation of the Data Retention Directive. At the end of last year the Senate had held a hearing with technical experts. This final set of questions and answers probably concludes the written back and forth between the government and the Senate, so the Senate can be expected to have a plenary debate about the implementation proposal later this Spring. (UPDATE: The plenary debate has been scheduled to take place on 23 June 2009.) Below I have listed some excerpts (my translation) from the Q&A which I found most remarkable.

A data retention agenda for the future

First, because they stipulate quite clearly that the Dutch government sees the current proposal for data retention as being of a limited nature. It already points to a possible extension of data retention at the European level, in particular a drastic extension of data retention obligations with regard to online communications and with regard to the term.

What fundamental rights?

Second, because it downplays the interference with fundamental rights. To compare access to the complete set of traffic data, including location data, of the entire population for national security and law enforcement purposes with a specified bill for billing purposes is quite remarkable. It’s also remarkable to point to the strict conditions for access to these data, because these conditions are not strict at all and were much criticized when they were adopted a few years ago. To point to the technical nature of the data involved is even more flawed. The fact that citizens and consumers have become part of a data-processing ecosystem that no longer involves human decision makers is more of an extra threat to personal liberty and autonomy than the other way around.

Pointing to Europe

Third, because the Dutch government again takes no full responsibility to legitimate the interference with fundamental rights but points towards the European legislature. I have argued, in response to the data retention directive judgment of the ECJ, that the reasoning of the Court implies that the Member States carry most of the responsibility for legitimizing the interference with fundamental rights. The reason is that the directive does not harmonize crucial aspects of the data retention regime, such as the term, the maximum set of data and most of all access to these data. The Dutch government simply cannot rely on the balance that has been struck at the European level, because the directive leaves too many things open.

And endorsing a flawed judgment of the ECJ

Finally, because the government at the same time endorses the judgment of the ECJ and gives the primary argument why the Court should have struck it down. The government states explicitly (and this time in my opinion convincingly) why differences between data retention obligations between the member states cannot harm the competitiveness within the internal market. There is still a level playing field. The negative effects on the internal market were the reason why the directive was legally adopted (in the ECJ’s eyes).

The relevant excerpts:

Answering a question about the ineffectiveness of the proposal because a lot of online communication services fall outside of its scope:

User data of social network sites like Hyves and LinkedIn and the use of certain forms of Internet telephony like Skype currently fall outside of the scope of the proposal because of a lack of political support within the European Union to retain data relating to the use of the Internet, other than simple Internet access. [...] If it would turn out that because of this an important set of data would fall outside of the scope of the Data retention directive, this can be addressed in the context of the evaluation of the directive and this will possibly lead to amendment of the directive.

Answering the question about the justification of the data retention term of one year:

Weighing all interests and taking into account all circumstances, I take the view that the critical boundary [with regard to the legality of the interference of Article 8 ECHR] is not being reached with a term of one year. [...] I take the view that the evaluations will be able to provide more insight into the importance of the data in concrete investigations and thereby also in the optimal length of data retention. The evaluation has to be concluded before 15 September 2010.

Downplaying the interference with fundamental rights:

The risk of the interference with the private life of data subjects consists primarily of the image that these data provide of communicative behavior. On that point, there is little difference with the specified bills that telecom providers offer as an extra service. In addition, there is a risk of linking the data to criminal activity of persons. However, a similar risk is also present in the context of requests for license plate information by the police. The Criminal Procedural Code stipulates strict conditions for the access to data by law enforcement officials. The above does not alter the fact that subjects have a right that the data about their communications are being processed with exceptional care.

Again downplaying the interference with fundamental rights, pointing to the technical nature of the data processing infrastructure:

The right to protection of private life, enshrined in Article 8 ECHR and Article 10 of the Dutch Constitution, is only at issue to a limited extent. Nothing is being stored about the contents of communications. The data are of a technical nature and are usually stored in dispersed form in the systems of the providers.

Pushing the responsibility for the interference with fundamental rights towards the EU:

With regard to the necessity of the interference in a democratic society, there is a margin of appreciation for the member states. The data retention obligation, however, follows from a European directive and the [Dutch] data retention term falls within the limitations of the Directive.

And finally, arguing that the difference between member states in terms of costs for providers does not mean there is not a level playing field for electronic communication providers:

I find the fear of negative effects on the competitiveness within the EU ill-founded. All public providers that are active in the Netherlands, i.e. small and large, can make an appeal to the reimbursement regulation in Article 13.6 of the Telecommunications law. This regulation is applicable, regardless of the origin of the provider. For all providers between themselves, there will still be a level playing field after the adoption of the data retention obligation.

ECJ Approves Legal Base Data Retention Directive

Tuesday, February 10th, 2009

Today, the European Court of Justice issued its judgment in the case Ireland v. the European Parliament and Council. The Court concludes that the Data Retention Directive (2006/24/EC) relates predominantly to the functioning of the internal market, so it was necessary to adopt it on the basis of Article 95 EC Treaty.

The Court makes clear at the outset that its judgment concerns not the question whether the Directive violates fundamental rights such as the right to privacy. It bases its judgment about the appropriateness of the legal base on three arguments, each of which seems enough (for the Court) to come to that conclusion:

  • There were differences between member states in the obligations on communications providers to retain data. These differences would have a direct impact on the functioning of the internal market.
  • The Directive amends 2002/58/EC which is also based on Article 95 EC. Article 47 EU Treaty (the relative primacy of Community law over third pillar) then implies that it should have been based on Article 95.
  • The Directive limits itself to the activities of communications providers. It does not regulate access to data or the use thereof by the police or judicial authorities of the Member States.
UPDATE (COMMENTS):

    It’s not too hard to comment on the ruling because I am not very impressed by its logic. Since I have already commented on some of the main arguments, which are informed by the Opinion of the Advocate General, I will restrict myself to one main point, that is the implications of this ruling for the question whether the directive is a violation of fundamental rights.

    Although it is true that the Court was not asked directly to rule on the interference of blanket data retention with fundamental rights, the Court’s complete separation of that issue from this case is striking. In fact, Slovakia directly claimed the Directive could only be a third pillar measure because the interference could only be argued to be proportional in view of the fight against crime and terrorism.

    It is questionable whether such far-reaching interference may be justified on economic grounds, in this case the enhanced functioning of the internal market. The adoption of an act outside the scope of Community competence, the primary and undisguised purpose of which is the fight against crime and terrorism, would be a more appropriate solution, providing a more proportionate justification for interference with the right of individuals to protection of their privacy.

    The Court decides to separate these issues. The Commission had stated that “the reference to the investigation, detection and prosecution of serious crime falls under Community law because it serves to indicate the legitimate objective of the restrictions imposed by that directive on the rights of individuals with regard to data protection.” The Court does not address this specific question explicitly but states that “the action brought by Ireland relates solely to the choice of legal basis and not to any possible infringement of fundamental rights arising from interference with the exercise of the right to privacy contained in Directive 2006/24.” Implicitly, it seems to agree with the Commission and the AG (who had adopted the Commission’s position on this matter).

    If we combine this argument with the Court’s conclusion that the directive is not about access to the data, the result is striking. The references to the investigation, detection and prosecution of serious crime in the directive no longer serve as a restriction with regard to the purposes of the retained data but merely as an indication that national law can legitimately retain these data for that purpose. Hence the directive does not obligate the member states to restrict lawful access to certain cases, but it also does not obligate them to provide access in certain cases. The preliminary ruling of the German Constitutional Court is thereby legal under European law.

    However, it is clear that merely giving an indication of the purpose of an interference is not enough to respect the proportionality and subsidiarity required by Article 8 ECHR. Interferences need to be narrowly targeted. Thus access to the data needs to be restricted in some manner, depending on the line that is drawn as a result of this test. The lack of access restrictions in the directive moves the burden to establish the proportionality and subsidiarity entirely to the member states. In my opinion this significantly weakens the already weak case for the proportionality and subsidiarity of the European legislature’s interference with fundamental rights through the enactment of the Directive.

AG’s Opinion on Data Retention Directive is Flawed

Wednesday, October 15th, 2008

    Advocate-General Yves Bot has offered his opinion in the case about the data retention directive challenge by Ireland. The European Court of Justice AG’s opinion is clear, but disappointingly superficial and flawed in some of its reasoning.

    Currently, the EU has three pillars. The directive was adopted under the first pillar, which is the most integrated part of the EU, also called the (European) Community, governed by the EC-Treaty. The third pillar is reserved for police and judicial cooperation. In the third pillar every member state has a veto. The constitution and the Lisbon treaty would have changed this structure significantly but neither has been ratified.

    The data retention directive (2006/24/EC) is based on article 95 of the EC-Treaty, which provides a legal basis for directives regulating the internal market. It amends the ePrivacy Directive (2002/58/EC), which harmonizes privacy in the market of electronic communications. The ePrivacy Directive is also based on Article 95 EC-Treaty. The constitutional problem is that a legislative measure can sometimes be adopted under the wrong legal basis for political-strategic reasons (such as preventing a veto from the Irish government). A more fundamental problem is that the pillars in some way reflect (amongst many other things) that measures relating to law enforcement and criminal justice have a more fundamental impact on the relation between the State and its citizens than internal market regulations. Criminal procedural law, such as data retention laws trying to guarantee traceability, is different from a law regulating roaming or consumer protection.

    The Opinion

    The AG agrees with the Council that the primary goal of the data retention directive is the harmonization of the Internal market. He finds evidence for this in the mentioning in the directive of obstacles for the internal market because some member states adopted data retention legislation and others not.

    85. It follows that, in the absence of harmonisation, a provider of electronic communications services would be faced with costs related to the retention of data which differ according to the Member State in which he wishes to provide those services. Such differences may constitute obstacles to the free movement of electronic communications services between the Member States and may therefore create obstacles to the establishment and functioning of the internal market in electronic communications. They may, in particular, slow down the cross-border development of new electronic communications services which are regularly introduced in the information society. They may also give rise to distortions in competition between undertakings operating on the electronic communications market.

    Note the use of the word ‘may’. It is not clear how different costs would obstruct the development of the Internal market. It is even more difficult to understand how the directive would prevent that, because this is something the directive does not harmonize. This should have been known by the AG. Some member states have decided to let the industry pay all costs, some let the industry pay part, and some, such as the UK, have decided to refund costs. The directive does not solve this problem of costs to any extent. This makes the following conclusions flawed, because they are both based on the cost argument:

    86. As is clear from recital 6 in the preamble to Directive 2006/24, such disparities between the laws of the Member States ‘present obstacles to the internal market for electronic communications, since service providers are faced with different requirements regarding the types of traffic and location data to be retained and the conditions and periods of retention’.

    87. In so far as Directive 2006/24 proceeds with harmonisation of national laws on the obligation to retain data (Article 3), the categories of data to be retained (Article 5), periods of retention of data (Article 6), and data protection and data security (Article 7), I take the view that it facilitates the development of the internal market for electronic communications by providing common requirements for service providers.

    What the AG should have done here is consider the original purpose of the ePrivacy Directive 2002/58/EC. That directive protects the privacy of users of electronic communications networks while ensuring the functioning of the internal market. As with the general Privacy Directive, the idea is that privacy legislation can be an obstacle for the internal market because it can block the free processing of personal data across the EU in a uniform manner. For this internal market reason these directives harmonize the protection of privacy.

    The question the AG should have asked himself is to what extent the data retention directive ensures the free processing of the traffic and location data in question across the EU. Of course it does not and I am happy about it, precisely for the reason I think it should have been discussed (and vetoed) in the third pillar. Data retention is organized on a national level, country by country, with rather extreme differences. To think of it in terms of preventing obstacles for the internal market is simply flawed. The AG summarizes the test as follows:

    In summary, in order to justify recourse to Article 95 EC as the legal basis, what matters is that the measure adopted on that basis must actually be intended to improve the conditions for the establishment and functioning of the internal market.

    This test is simply not fulfilled.

    Although this is unnecessary for the AG’s conclusion, the AG also takes the view that the directive does not provide at all for harmonization of access to data for law enforcement:

    [...] Directive 2006/24 contains measures which relate to a stage prior to the implementation of police and judicial cooperation in criminal matters. It does not harmonise [...] the issue of access to data by the competent national law-enforcement authorities.

    In my opinion this is wrong. The directive states that it “aims to harmonise Member States’ provisions concerning the obligations of the providers of [providers] with respect to the retention of [data], in order to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law.” So the directive harmonizes that the dataset as defined in the directive is available for the detection and prosecution of serious crime. On top of this, this can only mean that it is accessible as well.

    The infringement of the right to privacy

    As was to be expected the AG did not address the question about the legitimacy of the infringement of privacy. This issue was not before the Court. The following consideration addresses the issue, stating that the mentioning of a need to infringe privacy is vital for its justification. A rather formal approach:

    the mention of such an overriding requirement of public interest is vital in order to justify the interference by the Community legislature in the right to privacy of the users of electronic communications services.