pages tagged EUCJhroy.euhttps://hroy.eu/tags/EUCJ/hroy.euikiwiki2023-10-30T20:57:52ZOverview of FDN & La Quadrature’s challenge against Data Retentionhttps://hroy.eu/posts/overviewChallengeAgainstDataRetention/2023-10-30T19:54:26Z2015-04-01T11:29:23Z
<p><a href="https://hroy.eu/posts/startingAgainstDataRetention/">Last month</a>,
French Data Network and La Quadrature du Net filed a lawsuit to the
Conseil d’État, one of the supreme courts, against the French
government. Our objective is simple: we want to take down French data
retention laws.</p>
<h2 id="who">Who?</h2>
<ul>
<li><p>the <a href="http://fdn.fr">French Data Network (FDN)</a>, the
oldest French internet access provider, and a nonprofit organisation
promoting the Internet and spreading knowledge on how it works.</p></li>
<li><p>the <a href="http://ffdn.org">Fédération FDN</a>, a federation of
ISP very much like FDN (FDN is one of the founding members of the
Fédération), created to spread and distribute efforts accross
geographical locations to serve the same goal.</p></li>
<li><p><a href="https://laquadrature.net">La Quadrature du Net</a>, an
organisation of activists (which used to be an unorganisation ;-))
defending our rights in the digital age. Maybe you know them for their
successful campaigns against <a
href="http://www.laquadrature.net/en/acta">ACTA</a>.</p></li>
</ul>
<h2 id="how">How?</h2>
<p>On December 24, the government issued a <em><a
href="http://en.wikipedia.org/wiki/Decree#France">décret</a></em>, an
order by the executive branch to enable the application of the law
(issued by the Parliament). Décrets can be challenged in court, directly
to the Conseil d’État, until two months after they are published. This
is the procedure we’re in.</p>
<p>Formally, our target is a décret of the 2013 law setting the strategy
for military operations and prerogatives for the near future (the “LPM”
law). Specifically, article 20 of this law set new ways for the state to
access data retained by telcos and internet ISPs.</p>
<p>For us, this was just a legal opportunity to seize in order to bring
our arguments in front of a judge, against the concept of general data
retention, i.e. keeping metadata and records on communications of the
whole population.</p>
<p>In the aftermath of the <span class="selflink">European Union Court
of Justice</span>’s landmark decision in <em>Digital Rights Ireland</em>
(April 8, 2014; C‑293/12 & C‑594/12), data retention laws in Europe
are being cancelled, almost automatically, one by one (lately, in the
Netherlands, see the preliminary injunction by the Hague court, March
11, 2015). Almost automatically indeed, because national judges, in
matter of European Union law, have to apply EU principles and case law
directly.</p>
<p>So this is what we’re trying to do in France, albeit one difference.
Unlike other data retention laws in Europe, French laws predate the 2006
EU data retention directive; so our task seems a bit more difficult.</p>
<h2 id="what">What?</h2>
<p>Anyway, here comes an overview of our main arguments:</p>
<ul>
<li>the décret tries to fix the law; because the law did not define
correctly its own scope (the definition of the type of data subject to
the law). But that’s something the government is not supposed to do! The
scope of the law is a legislative power prerogative, not the
executive’s.</li>
<li>the décret had to organise the administrative control defined in the
law, but the décret doesn’t do it. Thus, the government did not fullfil
the obligations the law created.</li>
</ul>
<p>And, of course, the main argument (part 4.1 of our legal
writing):</p>
<ul>
<li>This is a matter of European Union law. As the 2002 directive (so
called ePrivacy directive) says in its article 15, measures of data
retention must be made according to EU law principles.</li>
<li>Thus, the EUCJ <em>Digital Rights Ireland</em> decision is directly
applicable to French laws on data retention.</li>
<li>As a consequence, the judge must realise that data retention, as set
in French law, is clearly against our fundamental rights to free speech
and to the respect of private life! The government cannot legally
mandate telcos and internet ISPs to keep metadata and records on the
communications of the whole population (and for <em>a whole year</em> at
least)!</li>
</ul>
<p>If you’re interested, you can <a
href="http://www.fdn.fr/2014-1576/recours.pdf">read the whole thing</a>
(in French).</p>
<h3 id="what-next">What next?</h3>
<p>I’ll keep you posted on the blog about the
<a href="https://hroy.eu/tags/d%C3%A9cretLPM/">procedure</a>. It should take at minimum a year,
if nothing unexpected happens (but it can be significantly longer
depending on prejudicial and accessory procedures…).</p>
<p>But as you may know, the government is currently trying to pass new
law giving extremely broad powers to the state with regard to
surveillance measures, including new ways to access our communications
and our data, all of this without effective judicial oversight.</p>
<p>Our legal challenge has thus taken a new level, against the <a
href="http://www.nytimes.com/2015/04/01/opinion/the-french-surveillance-state.html">French
surveillance state</a>.</p>
<hr />
<p><em>Related:</em> <a
href="https://www.laquadrature.net/en/in-france-la-quadrature-du-net-brings-legal-challenge-against-mass-surveillance">La
Quadrature’s press release</a></p>
https://hroy.eu/posts/whatsGoingOnWithDataP/
Privacy notices under CC-0
https://twitter.com/neil_neilzone/status/543036681759514624
2023-10-30T19:54:26Z2014-12-11T14:27:22Z
<p>The <span class="selflink">EUCJ</span> has just published <a
href="http://curia.europa.eu/juris/documents.jsf?num=C-212/13">another
decision</a> regarding <a href="https://hroy.eu/tags/dataProtection/">data protection</a>
that got me puzzled (but I’m not the only one!).</p>
<p>This one is primarily concerned with the interpretation of exceptions
to the 1995 directive, but it also has interesting things to say
regarding the infamous <a href="https://hroy.eu/tags/rightToBeForgotten/">so-called right
to be forgotten</a> decision where
<a href="https://hroy.eu/posts/rtbf-what-cjue-got-wrong/">legitimate interests in
personal data processing</a> were involved.</p>
<p>The facts are simple: someone puts a camera to monitor the entrance
of his house. One day, people break in, but they are later identified
thanks to the camera. Then, these suspects challenge the legality of the
camera system on the grounds that they were not notified of the
processing of their personal data.</p>
<p>Article 3 of the 1995 directive provides:</p>
<blockquote>
<p>2 This Directive shall not apply to the processing of personal data:
[…]</p>
<p>– by a natural person in the course of a purely
<strong>personal</strong> or <strong>household activity</strong>.’</p>
</blockquote>
<p>But for the Court, (emphasis is mine)</p>
<blockquote>
<p>33 To the extent that video surveillance such as that at issue in
the main proceedings <em>covers, even partially, a public space and is
accordingly directed outwards from the private setting</em> of the
person processing the data in that manner, it cannot be regarded as an
activity which is a purely ‘personal or household’ activity</p>
</blockquote>
<p>This is a strange reasoning in my opinion, as it seems to make no
distinction between <em>purely personal activities</em> and <em>purely
household activities</em>–they are now combined under the criteria of
the “private setting.”</p>
<hr />
<p>So here’s how this applies to us: thanks to <a
href="http://neilzone.co.uk/">Neil</a>, we already have a solution!</p>
<div class="embedexternal">
<blockquote class="twitter-tweet" lang="en">
<p>
Following today’s CJEU ruling, I have launched new data protection
compliance stickers for everyone with a smartphone
<a href="http://t.co/WHa72i05iM">pic.twitter.com/WHa72i05iM</a>
</p>
— Neil Brown (<span class="citation"
data-cites="neil_neilzone">@neil_neilzone</span>)
<a href="https://twitter.com/neil_neilzone/status/543013244894711808">December
11, 2014</a>
</blockquote>
<script async src="https://hroy.eu//platform.twitter.com/widgets.js" charset="utf-8"></script>
<blockquote class="twitter-tweet" lang="en">
<p>
Don’t want to be filmed or photographed? Get my new, trendy “right to
object” jumper-based notification:
<a href="http://t.co/sCwmsXtgGd">pic.twitter.com/sCwmsXtgGd</a>
</p>
— Neil Brown (<span class="citation"
data-cites="neil_neilzone">@neil_neilzone</span>)
<a href="https://twitter.com/neil_neilzone/status/543035098732711936">December
11, 2014</a>
</blockquote>
<script async src="https://hroy.eu//platform.twitter.com/widgets.js" charset="utf-8"></script>
</div>
<h2 id="how-does-this-relate-to-the-so-called-right-to-be-forgotten">How
does this relate to the so-called right to be forgotten?</h2>
<p>The Court notes that:</p>
<blockquote>
<p>34 At the same time, the application of Directive 95/46 makes it
possible, where appropriate, to take into account — in accordance, in
particular, with Articles 7(f), 11(2), and 13(1)(d) and (g) of that
directive — <em>legitimate interests pursued by the controller, such as
the protection of the property, health and life of his family and
himself</em>, as in the case in the main proceedings.</p>
</blockquote>
<p>I wish the Court followed the same approach in the so-called Right to
be forgotten decision. But instead, the
<a href="https://hroy.eu/posts/rtbf-what-cjue-got-wrong/">legitimate interest of
the public to access published information has not been taken into
account</a>.</p>
Right to be forgotten — When the EUCJ forgot our freedom of expressionhttps://hroy.eu/posts/rtbf-what-cjue-got-wrong/2023-10-30T20:57:52Z2014-09-04T18:24:52Z
<p>It’s been a few months now since the controversial EUCJ
Google_Spain_v._González_(C-131/12) decision has been published. And I’m
too busy, lagging behind: my draft (in French) on why I disagree a lot
with this decision is still in the making. But it will eventually come.
Meanwhile I got some interesting discussions, for instance with Neil
Brown. I’m still waiting for Neil to set up is Known profile online
somewhere so we can copy/paste our discussion there. Just now, Reuben
Binns <a
href="http://www.reubenbinns.com/blog/why-i-trust-wikipedia-with-privacy-censorship-and-the-right-to-be-forgotten/">sent
me</a> a paper pointing out that, yes, the <a
href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2491486">EUCJ
decision overlooked the balance needed</a> to protect our right to
freedom of expression. <small>By the way, Reuben has also written an
interesting piece on <a
href="http://www.reubenbinns.com/blog/why-i-trust-wikipedia-with-privacy-censorship-and-the-right-to-be-forgotten/">how
Wikipedia deals with person’s subjective rights</a> – I think you should
read it because I think Wikipedia is a very good illustration on how to
do this right, and thus also an incredibly strong illustration on how
the EUCJ’s so called “right to be forgotten” (RTBF for short) is
wrong.</small></p>
<p>So, roughly and quickly, I’d like to point out a few flaws that I
think are very worrying considering the wider context; namely, the
European Union Court of Justice getting more powerful as a court dealing
with fundamental rights (in addition to the European Court of Human
Rights).</p>
<h3 id="what-does-privacy-mean-anyway">What does privacy mean
anyway?</h3>
<p>You may disagree but I think there’s no such thing as a personal,
subjective right to “privacy”. A right to privacy is not the same thing
in my opinion as a right to the “respect of your private life”. There is
an important distinction to make. Maybe.</p>
<p>Privacy is <a href="https://hroy.eu/posts/moglen_privacy_ecological/">an
ecological thing</a> as Moglen says, it’s not an individual thing.
Privacy is often understood only in a given context: a technological
context and a social as well as cultural context. We have different
privacy expectations and understanding depending on who we communicate
with, what we communicate about, where we communicate, by which means we
communicate and based on the cultural background of the communicating
parties. Note that “communicate” needs to be understood broadly and may
not be the right word.</p>
<p>Privacy and the right to the respect of private life are intertwined,
but not the same thing.</p>
<p>One of the most interesting researchers working on explaining privacy
is danah boyd. She lately published a piece: <a
href="https://medium.com/message/what-is-privacy-5ed72c66aa86"><em>What
Is Privacy?</em></a> (You should read <a
href="https://medium.com/message/what-is-privacy-5ed72c66aa86">the
entire piece, it’s not long</a>) in which she wrote:</p>
<blockquote>
<p>The notion of private is also a <strong>social convention</strong>,
but privacy <strong>isn’t a state</strong> of a particular set of data.
It’s a practice and <strong>a process</strong>, an idealized state of
being, to be <strong>actively negotiated</strong> in an effort to have
agency.</p>
<p>[…]</p>
<p>While learning to read social contexts is hard, it’s especially hard
online, where the contexts seem to be constantly destabilized by new
technological interventions. As such, context becomes visible and
significant in the effort to achieve privacy. Achieving privacy requires
a whole slew of skills, not just in the technological sense, but in the
social sense. Knowing how to read people, how to navigate interpersonal
conflict, how to make trust stick. This is far more
<strong>complex</strong> than people realize, and yet <strong>we do this
every day</strong> in our efforts to control the social situations
around us.</p>
</blockquote>
<p>The core of the point is, privacy is not an individual’s subjective
legal right. It’s a social and fragile, but needed social process. And
we should wary of courts or governments intrusions into this social
process.</p>
<p>In the EUCJ’s RTBF decision, the court does not give enough weight to
the right of the public to access lawfully published information that
can be of public interest. This is very worrisome because that right is
substantially a consequence of our right to free speech.</p>
<p>The rationale, however, of the EUCJ analysis is unclear. To make
their arguments justified by fundamental rights, the EUCJ takes <a
href="https://en.wikisource.org/wiki/Charter_of_Fundamental_Rights_of_the_European_Union#Article_7_.E2.80.93_Respect_for_private_and_family_life">article
7 of the EU Charter</a>. This article is not a right to privacy,
otherwise it would say just that: “a right to privacy.” Instead, it is a
right to the “respect for private and family life” and that’s not the
same thing.</p>
<p>On the one hand, the right to respect for private life is well
established as a person’s subjective right. For instance, in France it
used to be under general tort law (art. 1382) but then has taken its own
stance in <a
href="http://www.legifrance.gouv.fr/UnArticleDeCode.do?code=CCIVILL0.rcv&art=9">article
9 of the <em>code civil</em></a> and under the Declaration of human
rights of 1789.</p>
<p>One important condition of such a right in a civil context is that
there is a need to demonstrate <em>préjudice</em>, i.e. harm has been
done to that persons’ in way of infringing their private life.</p>
<p>On the other hand, as already pointed out, privacy is a process. And
as you know if you’ve read [the ECJ decision][c131-12], there’s no such
<em>need to demonstrate prejudice</em> in order for the RTBF to
apply.</p>
<p>The legal basis thus is not clear. Is this new so called “right to be
forgotten” based on the right for the respect of private life (in this
case it needs to be demonstrated that there is prejudice) or is it based
on another part of the EU Charter, the one that recognises personal data
protection? Well, if it’s the latter, then I think we should question
the balance that the ECJ strikes with the RTBF. Should the RTBF be that
powerful against the freedom to access lawful information that has not
been demonstrated to cause any harm?</p>
<h3 id="the-eucj-new-general-rule-harms-freedom-of-expression">The EUCJ
new “general rule” harms freedom of expression</h3>
<p>The personal data protection directive says in article 7:</p>
<blockquote>
<p>’Member States shall provide that personal data may be processed only
if:</p>
<p>…</p>
<ol start="6" type="a">
<li>processing is necessary for the purposes of the legitimate interests
pursued by the controller or by the third party or parties to whom the
data are disclosed, except where such interests are overridden by the
interests [or] fundamental rights and freedoms of the data subject which
require protection under Article 1(1).’</li>
</ol>
</blockquote>
<p>In the case where the service in question is accessible and used by a
large majority of the population, it means that we are talking about the
<em>legitimate interests of the public</em>. Surely, the right to access
lawfully published information is <em>a priori</em> a legitimate
interest of the public. Otherwise, what good is a right to freedom of
expression if nobody else has the right to hear you and that someone can
block access to your article when they feel like?</p>
<p>Now, let’s have another read at the article above (article 7). It is
clear that the general rule is that processing of personal data is
allowed when the right of the public to freedom of expression is at
stake, <strong>except</strong> where the data subject’s fundamental
rights should override them.</p>
<p>But as already pointed out, there is a confusion between fundamental
rights and thus the whole analysis on balance breaks, at the detriment
of the public’s right to access lawfully published information.</p>
<p>In the decision, the Court indeed invents a new “general rule”:</p>
<blockquote>
<p>The rights to privacy of the data subject override “as a rule, not
only the economic interest of the operator of the search engine
<strong>but also the interest of the general public in finding that
information</strong> upon a search relating to the data subject’s name.”
(¶ <a href="https://hroy.eu/law/eucj/C-131_12/##97.">97</a>)</p>
</blockquote>
<p>It is clear now that there’s a problem. The rule and the exception
have been exchanged.</p>
<hr />
<p>Interesting fact: I just learned that the Spanish plaintiff, M.
González, is a lawyer… This whole case and the decision to me, is an
illustration of what goes wrong when we try to solve problems that
should be best solved freely with our social processes. Solving privacy
with this kind of ruling is doing us no favour.</p>
<p>The real privacy issues for us today come from massive surveillance
by the NSA and other mass-surveillance State agencies aroudn the world.
They also come from surveillance operated by companies.</p>
<p>Search engines giving access to lawfully published information is not
the real privacy issue! The RTBF is the wrong fight, and it’s actually
wasting our time; time that should be better spent fighting the real
issues of massive surveillance which makes much more harm to our right
to have a private life outside the reach of the State’s agents.</p>
<p>Finally, the ultimate irony of the decision is that Google and the
like are the ones who have to apply individual’s requests to be deleted
from search engines results relating to their names. Thus, giving the
role of defining privacy to… Google. <a
href="http://www.laquadrature.net/en/the-right-to-be-forgotten-dont-forget-the-rule-of-law">Well
done for the rule of law</a>.</p>
<p>We should demand that the European commission does not to pursue this
RTBF nonsense, but instead focuses on the real issues affecting our
privacy and our autonomy.</p>