Original Articles

Legal constraints for the protection of privacy and personal data in electronic evidence handling

Pages 231-250 | Published online: 22 Jan 2007
 

Abstract

This paper describes the application of personal data protection rules in the process of e‐evidence handling. It focuses mainly on the application of Directive 95/46/EC rules to the digital environment. It also makes reference to the legal risks derived from the collection and processing of e‐evidence in violation of privacy and personal data protection law.

Notes

Correspondence: María Verónica Pérez Asinari, Centre de Recherches Informatique et Droit, 5 Rempart de la Vierge, 5000 Namur, Belgium. E‐mail: [email protected].

This paper has been written in the context of the CTOSE project (IST programme), and it is an adaptation and briefing of Deliverable 3.2 ‘Privacy and personal data protection constraints’. It was the basis for the presentation at the CTOSE Conference. This paper, however, is solely the responsibility of the author and does not represent the opinion of the other contributors to the CTOSE project or of the European Community. I am particularly grateful to Dr Cécile de Terwangne, Professor at the Faculty of Law, University of Namur and Director of Research at the CRID, Jean‐Marc Dinant, computer scientist and Director of research at the CRID, and Jan Dhont, Solicitor and researcher at the CRID, for their valuable comments during the drafting of the CTOSE Deliverable.

CTOSE Project results, available at: http://www.ctose.org/ResultsPaperv6.pdf.

E Jauchen ‘Tratado de la prueba en materia penal’ Rubinzal‐Culzoni Editores, Buenos Aires, 2002; M Hairabedian ‘Eficacia de la prueba ilícita y sus derivadas en el proceso penal’ Ad‐Hoc, Buenos Aires, 2002; Y Poullet and O Leroux ‘En marge de l’affaire GAIA: De la recevabilité de la preuve pénale et du respect de la vie privée’ Revue Générale de Droit Civil Belge, Vol 3, 2003, pp 163–176.

See: J M Dinant ‘Le visiteur visité’ Lex Electronica, 2001, available at: http://www.lex‐electronica.org/articles/v6‐2/dinant.htm, last visited 18 April 2002; J Reidenberg ‘Resolving conflicting international data privacy rules in cyberspace’ Stanford Law Review, Vol 52, 2000, pp 1315–1376; C Ducourtieux and S. Foucart ‘Les profileurs du Net traquent les internautes à leur insu’ Le Monde, 10 May 2002, p 20.

Especially in the SME sector, even the data controller (web site administrator) may be unaware that he/she is collecting personal data, since logfiles are created by default (see the concepts of ‘personal data’ and ‘data controller’).

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23 November 1995. Hereinafter: ‘the Directive’.

Further information about the Process Model ‘phases’ can be found at http://www.ctose.org.

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, OJ L 201, 31 July 2002.

Article 1.2 of Directive 2002/58/EC.

Article 2(d) of Directive 95/46/EC.

Article 2(e) of Directive 95/46/EC.

Article 16 of Directive 95/46/EC.

Article 17.3 of Directive 95/46/EC.

Article 2(b) of Directive 95/46/EC.

Article 29 WP ‘Privacy on the internet—an integrated EU approach to on‐line data protection’ 21 November 2000, WP37, pp 22–23, (adaptation done by us). Available at: http://www.europa.eu.int/comm/internal_market/en/dataprot/wpdocs/wp37en.pdf.

Article 2 (d). COM (2002) 173 final.

A Keane The Modern Law of Evidence 5th edn. Butterworths, London, 2000, p 1.

To describe the technical aspects we follow the document ‘Privacy on the internet—an integrated EU approach to on‐line data protection’, 21 November 2000, WP37, elaborated by the Article 29 WP (op cit, note 15). Note that the technical aspects have been simplified in this paper. See also: A. Ambrosini La tutela del nome di dominio, Edizioni Simone, Napoli, 2002, pp 15–32.

Communication from the Commission to the Council and the European Parliament ‘The Organisation and Management of the Internet. International and European Policy Issues 1998–2000’, Brussels, 11 April 2000, COM(2000) 202 final. See mainly pp 19 and 20 of this document (Data protection aspects: registration and Whois data; Domain name registration data flows; Transparency and access to data.), as well as p 32 (Domain name registration data and data protection—Whois).

As we can see, it contains not only the IP address of the person who requested access to a certain website, but also when, what he wanted to see and whether access was given or not. We can therefore even infer the content of what he has seen (in this example the IP addresses have been changed).

RIPE (Réseaux IP Européens, http://www.ripe.net), ARIN (American Registry for Internet Numbers, http://www.arin.net/), APNIC (Asia Pacific Network Information Centre, http://www.apnic.net/), etc. For an overview of the privacy and data protection implications of the Whois database, see Electronic Privacy Information Center (EPIC) ‘Whois’, available at: http://www.epic.org/privacy/whois, last visited 30 April 2003. International Working Group on Data Protection in Telecommunications ‘Common position on privacy and data protection aspects of the registration of domain names on the Internet’, adopted at the 27th Meeting of the Working Group on 4–5 May 2000 in Rethymnon, Crete, available at: http://www.datenschutz‐berlin.de/doc/int/iwgdpt/dns_en.htm, last visited 30 April 2003. European Commission, Internal Market DG, Data Protection ‘Contribution of the European Commission to the general discussion on the Whois database raised by the Reports produced by the ICANN Whois Task Force’, available at: http://www.dnso.org/dnso/notes/ec‐comments‐whois‐22jan03.pdf.

LINX Content regulation Committee ‘LINX best current practice—traceability’, version 1.0, last modified 18 May 1999, available at: http://www.linx.net/noncore.bcp/traceability‐bcp.html, last visited 12 July 2002.

Article 2(a) of the Directive.

This concept has, however, been interpreted differently in the UK. See for instance: Durant v FSA [2003] EWCA Civ 1746.

See M H Boulanger, C de Terwangne, T Leonard, S Louveaux, D Moreau and Y Poullet ‘La Protection des données à caractère personnel en Droit Communautaire’ Journal des Tribunaux Droit Européen, June 1997, p 1 and ss.

We use the word ‘potentially’ because the search may not give a correct result: the telephone could have been stolen, so we will find the owner but not the user, or the acronym ‘GSM’ could have meant something other than ‘Global System for Mobile communications’.

The InterNIC is an integrated network information centre and Whois service for the existing gTLDs, .COM, .NET and .ORG. Similar InterNIC and Whois services are provided by the country code Registries and the regional IP Registries, e.g. RIPE.

The only hypothesis in which the qualification of ‘personal data’ would remain is the case where the web administrator has collected personal data from different sources and is thus able to identify the user of a given IP address.

Due to proxy servers, anonymizers, etc.

Article 29 WP, op cit, note 15.

See ‘Internet Protocol, Version 6 (IPv6) specification’ Network Working Group, December 1998. Available at: http://www.arin.net/library/rfc.rfc2460.txt, last visited 22 June 2002.

J‐M Dinant ‘The arrival of the new Internet network numbering system IPv6 and its major risks to data protection’ ECLIP (Electronic Commerce Legal Issues Platform), IST Project 1999‐12278. Available at: http://www.eclip.org, last visited 8 May 2002. Article 29 WP Opinion 2/2002 on ‘The use of unique identifiers in telecommunication terminal equipments: the example of IPv6’, 30 May 2002, WP58. Available at: http://www.europa.eu.int/comm/internal_market/en/dataprot/wpdocs/wp58en.pdf.

See Ducourtieux and Foucart, op cit, note 4, quoting Jean‐Marc Dinant.

The Belgian Data Protection Authority has issued an interpretative document in which it specifies different categories of data. Under point A.2 it includes ‘Données d’identification électronique: addresses IP, cookies, moments des connexion, …'. See ‘Lexique No. 3’. Available at: http://www.privacy.fgov.be/declarations/lexique3.htm, last visited 11 July 2002.

It will be a question of analysis considering, for example, the variables described above (e.g. deletion of the IAP logfile).

Avis d'initiative concernant la compatibilité de la recherche d'infractions au droit d'auteur commises sur Internet avec les dispositions juridiques protégeant les données à caractère personnel et les télécommunications, Numéro de rôle 44/2001. See also G Rue and F. de Patoul ‘L’affaire Napster ou le difficile équilibre entre le droit d'auteur et le respect de la vie privée' Revue Ubiquité. Dr. tech. Info, No 12, June 2002.

See the case ‘Metrobus c. Ouvaton’, TGI Paris, référé, 1 December 2003.

We will not develop the applicable law implications in this paper.

Articles 11 and 12 of Directive 95/46/EC.

Article 12(a) of Directive 95/46/EC.

L Bygrave ‘Minding the machine: Article 15 of the EC Data Protection Directive and Automated Profiling’ Computer Law & Security Report, Vol 17, pp 17–24, 2001.

Article 12(b) and (c) of Directive 95/46/EC.

Article 15.1 of Directive 95/46/EC.

Article 6(1)a of Directive 95/46/EC.

Article 6(1)b of Directive 95/46/EC.

Article 6(1)c of Directive 95/46/EC.

Article 6(1)d of Directive 95/46/EC.

Article 6.1.e) of Directive 95/46/EC.

Article 7(a) of Directive 95/46/EC.

Article 2(h) of Directive 95/46/EC.

Article 7(b) of Directive 95/46/EC.

Article 7(c) of Directive 95/46/EC.

Article 7(d) of Directive 95/46/EC.

Article 7(e) of Directive 95/46/EC.

Article 7(f) of Directive 95/46/EC.

Recital 30 of Directive 95/46/EC.

Article 17 of Directive 95/46/EC.

Article 18 of Directive 95/46/EC.

Article 13.1 of Directive 95/46/EC. See also Recitals 43, 44, and 45 of the Directive.

Article 15.1 of Directive 2002/58/EC.

Article 8.2: ‘There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well‐being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others’.

Words in italics added by us.

See S Louveaux and M V Pérez Asinari ‘New European Directive 2002/58 on the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector—some initial remarks’ Computers and Telecommunications Law Review, Vol 9, No 5. M V Perez Asinari ‘La regulación de los datos de tráfico en la Unión Europea. ¿Entre la seguridad y los derechos fundamentales?’ Lexis Nexis, Jurisprudencia Argentina, Vol 4, pp 49–59, 2004.

Article 2(b) of Directive 2002/58/EC.

Article 5.1 of Directive 2002/58/EC.

Proposal for a Council Framework Decision on attacks against information systems, Brussels, 19 April 2002, COM (2002) 173 final.

Article 22 of Directive 95/46/EC.

For a complete study on data protection and civil liability issues see P Grimalt Servera ‘La responsabilidad civil en el tratamiento automatizado de datos personales’ PhD thesis, Editorial Comares, Granada, 1999.

Article 23.2 of Directive 95/46/EC.

‘[It] establishes a liability regime based on non‐compliance with the legal status of the file controller, removed from any connotation of fault; that is, it establishes a regime of strict liability for regulatory non‐compliance […].’ (Grimalt Servera, op cit, note 69, p 369).

Article 24 of Directive 95/46/EC.

Tribunal de Grande Instance Villefranche sur Saône, ‘Roger G.’, 18 February 2003. In this case, an Internet user had created a website devoted to the fight against sects, on which the name of a natural person was mentioned. That person, considering himself a victim, brought a criminal lawsuit against the creator of the website. The defendant alleged that he had not notified the CNIL since he did not know about this obligation and since he had received no information either from the media or from the IAP. However, the Court rejected those arguments and ordered him to pay a fine. See ‘Un internaute condamné pour absence de déclaration de son site à la CNIL’ Forum des droits sur l'internet 26 March 2003, available at: http://www.foruminternet.org/tete/actualites/lire.phtml?id=527&print=1, last visited 28 April 2003.

European Court of Human Rights, Case of P.G. and J.H. v The United Kingdom, Application No. 44787/98, Judgment, Strasbourg, 25 September 2001.

Depresseux c. s.a. Creaspace & Masereel, Trib. Trab. Verviers (1re ch.), 20 March 2002.

We assume that the system administrator is in casu a data controller.

INUSOP, Cass., 5 April 1996, Arr. Cass., 1996, No. 111.

Additional information

Notes on contributors

María Verónica Pérez Asinari
