The invalid Data Retention Directive and Estonia

Posted: May 10th, 2014 | Filed under: Estonia, european union, human rights, law, privacy, thoughts

One of the most important decisions about protection of human rights in Europe (and perhaps the world) in recent times was the 8 April 2014 decision of the European Court of Justice in Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others. The case concerned the contentious Data Retention Directive, which required all Member States to keep so-called metadata about mobile and fixed phone and internet connections. The Court found that the directive interfered disproportionately with the right to private life of all European residents and declared the Data Retention Directive invalid in its entirety and from the time it came into force. The case came about because Digital Rights Ireland and more than 12 000 private individuals in Austria had contested the validity of the data retention requirement (as it amounts to mass surveillance). There had already been constitutional challenges to the laws adopted based on the directive in many member states (Germany, Romania) and several refused to transpose the directive (Sweden), so it is clear that the directive was controversial. After all, it had been adopted in a three-month expedited proceeding after the London and Madrid terrorist attacks.

In Estonia the data retention requirements have so far not raised any formal legal constitutional issues. Looking through the procedure of adoption of the law, it seems that privacy rights arguments were never really raised and there was almost no opposition to this (what many call totalitarian) law. The law was passed after a six-month legislative procedure with 82 members of parliament out of 101 voting in favour (with no votes against or abstaining). The explanatory note of the draft law states that the proposal was put together by two public officials (one from the Communications Board and another from the Ministry of Economy and Communications), with participation of “surveillance and security authorities” and the Estonian Information and Telecommunications Union. The only contentious issue that was raised seemed to be that the telecoms were not happy with having to pay for the data retention themselves (they still do).

The Estonian provision seems to be much wider than the directive, for example allowing the retained data to be used not only for serious crimes but also for misdemeanours (even by the tax authorities!). This in itself seems excessive and disproportionate even if the directive were still valid. There are a number of other issues, but the most fundamental one is that according to the European Court of Justice, mass surveillance is not allowed by law. It is disproportionate (even to fight terrorism) to preemptively gather, retain and process data about every single person.

So why did our constitutional system of protection of basic human rights (and the right to privacy) fail so spectacularly in this issue? In my opinion the reasons were the following:

  • Not enough detailed human rights scrutiny of laws made due to harmonisation of laws based on EU directives. The Estonian authorities seemed to assume that since this was based on an EU directive, there was no inherent risk to human rights protection. The human rights architecture in Europe assumes that there is scrutiny in terms of human rights BOTH at EU level and at national level, but this time neither seemed to have worked. President Ilves failed in his duties, as he can refuse to sign the laws he believes are unconstitutional, and instead proclaimed it without problems.
  • The lack of independent NGOs dealing critically with human rights (and specifically with data protection). There was simply not enough specific expertise in Estonia to challenge the draft at any stage of the process.
  • Lack of discourse critical of technological development, also unfounded trust in technology. Since the belief in the positive impact of technology is so engrained, any opposition to using mass data collection could be seen as standing against the ‘normal’ technological development of the society. The so-called tech and data protection experts are rather evangelists who stand to personally benefit from lack of critical discourse.
  • Overall weak position and awareness of human rights. In many ways human rights are seen as declaratory, self-evident principles that have little impact in the daily lives of Estonian people, especially in specific matters.
  • Heightened sense of vulnerability brought about by fear of terrorism. I think that in Estonia this is not so relevant, since the number one fear is still Russia and there have been no terrorist attacks on Estonian soil. However, decision makers might be influenced by this.

So what now? At the moment the law in Estonia is in place and the massive breach of privacy rights is allowed to continue. There has been almost no public debate and the governmental authorities seem to be waiting for the reaction of someone else (in Finland, the review of retention laws was announced a couple of days after the judgement).

The situation is remarkably problematic not only because of the continuing disproportionate infringement of privacy rights, but also because of the credibility problem this poses for Estonia’s image as a technologically advanced country both internally and externally. Are Estonian people going to continue to trust in e-services when it is clear that the human rights safeguards are not working? Is the international community ready to admit that Estonia is not such a great example of a tech-friendly society after all if it also means a lack of regard for basic human rights?

 

Annex: The provision in question is as follows (English translation is only available for the future version, but there seems to be no change in terms of this provision):

§ 111¹. Obligation to preserve data
(1) A communications undertaking is required to preserve the data that are necessary for the performance of the following acts:
1) tracing and identification of the source of communication;
2) identification of the destination of communication;
3) identification of the date, time and duration of communication;
4) identification of the type of communications service;
5) identification of the terminal equipment or presumable terminal equipment of a user of communications services;
6) determining of the location of the terminal equipment.
(2) The providers of telephone or mobile telephone services and telephone network and mobile telephone network services are required to preserve the following data:
1) the number of the caller and the subscriber’s name and address;
2) the number of the recipient and the subscriber’s name and address;
3) in the cases involving supplementary services, including call forwarding or call transfer, the number dialled and the subscriber’s name and address;
4) the date and time of the beginning and end of the call;
5) the telephone or mobile telephone service used;
6) the international mobile subscriber identity (IMSI) of the caller and the recipient;
7) the international mobile equipment identity (IMEI) of the caller and the recipient;
8) the cell ID at the time of setting up the call;
9) the data identifying the geographic location of the cell by reference to its cell ID during the period for which data are preserved;
10) in the case of anonymous pre-paid mobile telephone services, the date and time of initial activation of the service and the cell ID from which the service was activated.
(3) The providers of Internet access, electronic mail and Internet telephony services are required to preserve the following data:
1) the user IDs allocated by the communications undertaking;
2) the user ID and telephone number of any incoming communication in the telephone or mobile telephone network;
3) the name and address of the subscriber to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication;
4) the user ID or telephone number of the intended recipient of an Internet telephony call;
5) the name, address and user ID of the subscriber who is the intended recipient in the case of electronic mail and Internet telephony services;
6) the date and time of beginning and end of the Internet session, based on a given time zone, together with the IP address allocated to the user by the Internet service provider and the user ID;
7) the date and time of the log-in and log-off of the electronic mail service or Internet telephony service, based on a given time zone;
8) the Internet service used in the case of electronic mail and Internet telephony services;
9) the number of the caller in the case of dial-up Internet access;
10) the digital subscriber line (DSL) or other end point of the originator of the communication.
(4) The data specified in subsections (2) and (3) of this section shall be preserved for one year from the date of the communication if such data are generated or processed in the process of provision of communications services. Requests submitted and information given pursuant to § 112 of this Act shall be preserved for two years. The obligation to preserve the information provided pursuant to § 112 rests with the person submitting the request.
(5) The data specified in subsections (2) and (3) of this section shall be preserved in the territory of a Member State of the European Union. The following shall be preserved in the territory of Estonia:
1) the requests and information provided for in § 112 of this Act;
2) the log files specified in subsection 113 (5) and the applications provided for in subsection 113 (6) of this Act;
3) the single requests provided for in § 114¹ of this Act.
(6) In the interest of public order and national security the Government of the Republic may extend, for a limited period, the term specified in subsection (4) of this section.
(7) In the case specified in subsection (6) of this section the Minister of Economic Affairs and Communications shall immediately notify the European Commission and the Member States of the European Union thereof. In the absence of an opinion of the European Commission within a period of six months the term specified in subsection (4) shall be deemed to have been extended.
(8) The obligation to preserve the data provided for in subsections (2) and (3) of this section also applies to unsuccessful calls if those data are generated or processed upon providing telephone or mobile telephone services or telephone network or mobile telephone network services. The specified obligation to preserve data does not apply to call attempts.
(9) Upon preserving the data specified in subsections (2) and (3) of this section, a communications undertaking must ensure that:
1) the same quality, security and data protection requirements are met as those applicable to analogous data on the electronic communications network;
2) the data are protected against accidental or unlawful destruction, loss or alteration, unauthorised or unlawful storage, processing, access or disclosure;
3) necessary technical and organisational measures are in place to restrict access to the data;
4) no data revealing the content of the communication are preserved.
(10) The expenses related to the preserving or processing of the data specified in subsections (2) and (3) of this section shall not be compensated to communications undertakings.
(11) The data specified in subsections (2) and (3) of this section are forwarded to:
1) an investigative body, a surveillance agency, the Prosecutor’s Office or a court pursuant to the Code of Criminal Procedure;
2) a security authority;
3) the Data Protection Inspectorate, the Financial Supervision Authority, the Environmental Inspectorate, the Police and Border Guard Board, the Security Police Board and the Tax and Customs Board pursuant to the Code of Misdemeanour Procedure;
4) the Financial Supervision Authority pursuant to the Securities Market Act;
5) a court pursuant to the Code of Civil Procedure;
6) a surveillance agency in the cases provided for in the Organisation of the Defence Forces Act, the Taxation Act, the Police and Border Guard Act, the Weapons Act, the Strategic Goods Act, the Customs Act, the Witness Protection Act, the Security Act, the Imprisonment Act and the Aliens Act.


