Original Articles

The fight against crime and/or the protection of privacy: a thorny debate!

Pages 251-273 | Published online: 22 Jan 2007
 

Abstract

This article analyses a recent legislative provision adopted by the Belgian legislator imposing on all communication service providers the requirement that they retain traffic data for a minimum period of 12 months, in addition to the recent European debates about Echelon and traffic data retention in the light of the requirements of Article 8 of the Council of Europe Convention on Human Rights and Fundamental Freedoms. The equilibrium between state security requirements and privacy protection imperatives leads to the proposal of a certain number of limitations as regards cyber‐surveillance by governmental authorities, in order to maintain the efficient functioning of our democracies.

Notes

Correspondence: Yves Poullet, Centre de Recherches Informatique et Droit, 5 Rempart de la Vierge, 5000 Namur, Belgium. E‐mail: [email protected].

The author is Dean of the Faculty of Law of the FUNDP, Namur, Belgium and Director of the Centre for Research into Computing and Law (CRID), Namur (http://www.crid.ac.be).

Concerning Section 1, §2, Article 109b of the Belgian law of 25 March 1991 as introduced by the Belgian law of 28 November 2000 on cyber‐criminality.

In this connection, apart from the opinion delivered by the Commission for the protection of privacy regarding the law of 28 November 2000 quoted below in note 4, we draw attention to the following opinions: Opinion of the Commission on privacy of 20 March 2000 on the proposed law concerning the identification and the location of the postal numbers of communications or telecommunications and modifying Articles 90c, 90d, 90f and 90g of the Criminal Code; Opinion of the Commission on Privacy of 9 July 1997 on the application of Articles 202 and 203 of the law of 21 December 1994 containing social and other provisions (technical cooperation of the operators in carrying out judicial measures regarding wire‐tapping); Opinion of the Commission on Privacy of 27 November 1994 on the amendments to the proposed law modifying the law of 30 June 1994 relating to the protection of privacy against wire‐tapping, to obtaining cognizance of and recording private communications and telecommunications; Opinion of the Commission on Privacy of 23 March 1998 on the proposed organizational law for the intelligence and security services; Opinion of the Commission on Privacy of 24 March 1999 on the draft of the royal decree relating to the carrying out of the provisions of the law of 30 June 1994 relating to the protection of privacy against tapping, to obtaining cognizance of and recording private communications and telecommunications and of Article 109c E, §2 of the law of 21 March 1991 applying reforms to certain economic public enterprises, concerning the obligation for the operators of networks of telecommunications and suppliers of telecommunications to lend their support; Opinion of the Commission on privacy of 28 February 2002 on the draft of a law modifying Article 44 of the organizational law of 30 November 1998 of the intelligence and security services.

Directive 2002/58/CE of the European Parliament and of the Council of 12 July 2002 concerning the treatment of personal data and the protection of privacy in the sector of electronic communications, J.O.L.202/37, 31 July 2002.

European convention on cyber crime, Council of Europe, European Treaty No. 185, open to the signature of the Member States, 23 November 2001, Budapest (available on the site of the Council of Europe: http://www.coe.int/treaty/fr/projets/cybercrime.htm).

For an analysis of this provision, the reader is referred to the articles published on the law of 28 November 2000 on computer crime; see C Meunier ‘The law of November 28 2000 relating to computer crime, in current law relating to information technologies and communication’ CUP, Actualites du Droit, Vol 30, February 2001, in particular p 151; Fl De Villenfagne and S Dusollier ‘Belgium takes up arms against cyber crime’ Authors and Media, 2001, p 77; Y Poullet ‘Concerning the proposed law No. 214: the struggle against cyber crime in cyber space set against the principle of the regularity of evidence’, in H Vuye and Y Poullet (eds) Liber amicorum J. du Jardin, Kluwer, Dordrecht, 2001, p 20. Compare also the writings of the author of the proposed law on the subject: P van Ecke Criminaliteit en Cyberspace Miys and Breesch, Gent, 1997, in particular, p 107; and P van Ecke ‘Het voorontwerp van wet inzake informaticacriminaliteit’, in Recente ontwikkelingen in informatica‐en telecommunicatie recht, ICRI, Die Keure, Brugge, 1999, p 238.

A first draft of a royal decree determining these ‘technical means’ had been severely criticized by the Commission (opinion No 12/99 of 24 March 1999). A second draft of the royal decree is currently being examined. Compare in this connection, the opinion of the Commission for the protection of privacy No 09/97 of 20 March 1997 (Reporters B De Schutter and Y Poullet): ‘With regard to such considerations and to the extent that Article 22 of the Constitution reminds us of the necessity for legislative measures for any authorization that goes against the principle of respect for privacy, the Commission cannot admit that the question be settled by a royal decree without strict limits being set on this royal intervention. The Commission further furnishes the reminder, in particular, that such technical measures cannot legitimize the practices of preventive localization or interception, that they cannot lead the authorities to have at their disposal information that is disproportionate to that needed for the investigation, and that they must respect the strictly exceptional nature of wire‐tapping’.

Opinion No 33/99 of 13 December 1999 relating to the Bill relating to computer crime (reporters B De Schutter and Y Poullet), opinion available on the site of the Belgian Commission for the protection of privacy (http://www.privacy.fgov.be) and published in the parliamentary documents of the House of Representatives (Doc. Parl. Chambre, 0213/004). It should be noted that this opinion was initiated by the Commission, the latter not having been consulted by the Government. Compare also the very critical opinion of the State Council, published in Doc. Parl. 213/002.

We shall return below in No 21 to the provisions of the Convention of the European Council regarding cyber crime, in particular Article 17 which provides for a ‘rapid display and disclosure of data relating to the traffic’. This convention, which was adopted on 8 November 2001, did not of course exist when the Commission gave its opinion on the law of 1998.

The new section 3 of Article 109c E in fact sanctions the supplier who does not fulfil his legal obligations with 3–6 months' imprisonment and/or a fine of 26–20,000 Bff.

The proposal mentioned the obligation to conserve the data on Belgian territory in order to avoid the procedural questions of international penal cooperation in the case where the request concerned data stored abroad (compare the arguments of the Minister, in Doc. Parl., Chambre, 0213/004, p 47). The EC (Opinion contained in Doc. Parl. Chamber, 0213/011, p 17) reacted strongly against a provision judged contrary to European principles of freedom to provide services and freely circulate them. The Belgian government gave in to these European arguments (Doc. Parl. Senate, 2‐392/2, p 6).

The time limit for conservation was fixed at ‘a minimum of 12 months’ at the last minute. The first proposal of law allowed the King to fix the time limit. In its opinion the Commission had considered that it was necessary for the legislator himself to pronounce on the time limit in view of the impact of this provision on our personal freedom. The Commission for the protection of privacy (opinion already given) had pleaded for a shorter time limit: 3 months as advocated by German law and Recommendation No 3/99 relating to the conservation of data relating to the communications for the offerers of Internet service with a view to ensuring respect for the law of the Group for the protection of data instituted by Article 29 of the Directive 95/46/CE, a text available on the site of the server of the European Union at the address: http://www.europa.eu.int/comm/dg15/fr/media/dataprot/wpdocs. There was a fierce parliamentary debate between the supporters of long conservation in response to the requirements of police enquiries and those who were concerned by the fact that a long wait would constitute a threat to freedom as well as being a financial burden to our business enterprises (also along these lines the opinion of the EC contained in Doc. Parl., Chambre, 0213/011, p 18). At the last minute the idea of fixing the time limit at 12 months was replaced by the current text which strongly favours those who uphold the protection of public order and investigatory requirements (concerning this debate, read Doc. Parl. Senate, 2‐392/3, p 47: the hearing of a member of the National Computer Crime Unit and p 62: the way in which the balance between privacy and public order must be established according to the Senate).

The notion of ‘communications service’ refers to that defined by the law of 21 March 1991 on autonomous public enterprises: ‘service consisting, in part or wholly, in the transmission and distribution of signals by telecommunications signals, with the exception of radio and television’. Compare with the notion of ‘service provider’ adopted by the Convention of the Council of Europe on cyber crime (Article 1). ‘ “Service provider” designates any public or private entity that offers among its services the possibility of communicating by means of a computer system; any other entity treating or stocking computer data for this communications service or its users’.

The Belgian commission criticized the royal delegation considering that Article 22 of the Constitution required a law (opinion published in Doc. Parl. Chambre 0213/004, p 30).

In this respect, see the remark by the Commission for the protection of privacy, p 9.

The account of the reasons (Doc. Parl., Chambre 0213/001, p 30) makes it clear that it is notably a question of data relating to the origin, destination, duration and localization of the calls. The Senate (Doc. Parl., 2‐392/3, p 31) thus considers that the IP addresses of computers used for sending and receiving electronic telecommunications, the log‐ins and log‐outs, the time and beginning of the Internet addresses visited form part of the call data.

The EC (opinion published in the parliamentary documents of the Chamber, 0213/011, p 18) strongly criticizes the absence of any definition of such notions. Similarly, the criticisms of the Commission for the protection of privacy, opinion published in the parliamentary documents of the Chamber (0213/004, p 30).

Annex 2 of the Discussion paper (29 October 2001) prepared by the services of the Commission in the framework of the EU Forum on Cyber crime of 27 November 2001 and of the preparatory meeting of experts of 6 November 2001 draws up the long list of types of data likely to be recorded and does so by type of Internet service: thus, for the e‐mail server: SMTP log; date and time of connection of client to server; IP address of sending computer; message ID; sender e‐mail address; receiver e‐mail address; status indicator; POP log or IMAP log; date and time of connection of client connected to server; IP address; user ID; (in some cases) identifying information of e‐mail retrieved; file upload and download servers; for the FTP (File Transfer Protocol) log, date and time of connection; IP source address; user ID; path and filename of data object uploaded or downloaded; for the web services: HTTP log; date and time of connection; IP source address; operations (types of command); path of operation; last visited page; response codes; etc.

Y Poullet and J‐M Dinant ‘Le réseau Echelon existe‐t’il? Que peut‐il faire? Peut‐on et doit‐on s'en protéger?' Specialists' report drawn up for the attention of the Permanent Committee of Control of the Intelligence Services, May 2000, confidential Doc., p 6; compare by the same author the excellent report drawn up on the European project ECLIP, available on: http://www.droit.fundp.ac.be/textes/privacy_law_tech_convergence.rtf.

See, note 21 below.

Concerning this convention, we pick out, among other commentaries, the following: E M Gning ‘The proposed convention on crime in cyber space’ Lex Electronica, Vol 6, No 2, 2001 available on: http://www.lex‐electronica.org/Articles/v6‐2/gning.htm; L Costes ‘La Convention du Conseil de l’ Europe du 8 novembre 2001: Premier traité international contre le “cyber crime”’ Lamy, Cahiers droit de l'Informatique, No 142, 1–9, December 2001.

Thus, the US, a non‐member of the Council of Europe, signed the Convention the day it was open to signing by the States.

Available on http://www.coe.fr/cm/ta/rec/1995/f95r13.htm.

The conservation period of one year had been foreseen. It was considerably reduced following the pressure of the bodies controlling the protection of data and by associations concerned with the defence of civil liberties.

It should be noted that the European Parliament in its opinion of 6 September 2001 had insisted on the fact that ‘a general principle of conservation should not be introduced’.

In this connection, we can stress the role played by EPIC (US), International Privacy (UK) and the Electronic Frontier Foundation.

This is shown very clearly by Recommendation 2/99 concerning the respect for privacy in the context of the interception of telecommunications, adopted 3 May 1999 (WP 18, 5005 99/final).

Read the specialist report on this network drawn up for the attention of the Belgian Committee for the surveillance of intelligence services by Poullet and Dinant, op cit, note 18, available at http://www.crid.ac.be: and especially the remarkable study by D Yernault ‘De la fiction à la réalité: Echelon, le programme d’espionnage électronique global et la responsabilité des Etats en ce qui concern le respect de la Convention européenne des Droits de l'Homme' Revue belge de droit international, 2000, p 136.

Compare the report ‘An evaluation of the techniques of political control’ (September 1998) and several studies (April and May 1999) published by the STOA (Scientific and Technological Options Assessment) of the European Parliament.

Compare in particular, the recommendation concerning the respect for privacy in the context of the interception of telecommunications (Recommendation 2/99 of 3 May 1999, Doc. 5005/99 final WP; 18, available at the address: http://europa.eu.int/comm/dg15/en/media/dataprot/wpdocs).

In this respect, we note that the Treaty of Nice, which fixes the European Charter of fundamental rights, clearly distinguishes the protection of a person’s private and family life (traditional view of privacy) and the protection of privacy (a modern and enlarged view of privacy). Concerning this distinction, see our comments that will appear in ‘For a justification of Articles 25, 26 and 4 of the directive 95/46 in respect of the protection of data’, a paper presented at the International Conference organized by the European Commission on the transposition of the directive 95/46/CE (30 September to 1 October 2002).

On the evolution of this concept in the global information society, our remarks can be found in Poullet and Dinant, op cit, note 18, on the Echelon network.

On the characteristics of this third Pillar, its particular procedures and its merits, see D Vignes ‘Plaidoyer pour le 3ème pilier’ Common Market Review, 1996, p 273. Regarding computer crime, the Commission recently introduced in the context of this third pillar a proposal for a decision by the Council concerning attacks on information systems (Brussels, 19 April 2002, COM [2002] 173 final). This proposal seeks to harmonize the way criminal infractions are defined and to define the competence of each Member State in respect of the legal proceedings taken against such infractions, as well as the way they can collaborate.

Communication of the Commission to the Council, to the European Parliament, to the Economic and Social Committee and to the Regional Committee: ‘Create a safer information society by reinforcing the security of the information infrastructure and by fighting against cyber crime’, Brussels, COM (2000) 890 final.

In conformity with the community directives on the protection of data of a personal nature, and more precisely with the general principle of limiting transfers to a specific purpose, a principle expressed in the directive 95/46/CE and with the particular provisions contained in the directive 97/66/CE, the traffic‐related data must be erased or rendered anonymous as soon as the telecommunications service has been provided, except when the data are required for invoicing purposes. In the case of fixed or free access to the telecommunications services, the suppliers of the services are, in principle, not entitled to keep the data relating to the traffic.

The precise communication, echoing moreover the provisions of Article 14 of the directive 97/66/CE and of Article 13 of the directive 95/16.CE, is the following: ‘However, any legislative measure taken on a national scale which would provide for the conservation of the data relating to the traffic in order to be able to implement the laws should fulfil certain conditions. The proposed measures should in fact be appropriate, necessary and proportionate to the goal being pursued, as provided by community law and international law, notably directive 97/66/CE and directive 95/16.CE, the Convention for safeguarding human rights and fundamental liberties of 4 November 1950 and the Convention of the Council of Europe of 28 January 1981 for the protection of persons in respect of the automated treatment of data of a personal nature. The respect for these conditions and principles is all the more important for the measures that involve the systematic conservation of data for a large portion of the population’.

The legislative resolution containing the opinion of the European Parliament on the common action proposed has been adopted by the council on the basis of Article K.3 of the Treaty of the European Union—in respect of the fight against child pornography on the Internet, amendment 17 (JO, C219 of 30 July 1999, p 68).

Compare in particular the articles published by the newspapers in October following the discussions between President George Bush and the Belgian Prime Minister, Belgium then taking over the presidency of the EU; e.g. la Libre Belgique of 22 October 2001; Gazet van Antwerpen of 26 October 2001.

‘Uniting and strengthening America by providing appropriate tools required to intercept and obstruct terrorism’ (USA Patriot Act) Act of 2001, H.R. 3162, 1st Session, 107th Congress, available on site http://thomas.loc.goc, approved by the Senate 25 October 2001 and signed by President Bush 26 October 2001.

In this respect, we can note the declarations of Bush following the passing of this law, when he was putting the presidential signature to the law: ‘This law will give intelligence and law enforcement officials new tools to fight a present danger to counter a threat like no other our nation has ever faced’.

Section 222: ‘Nothing in this Act shall impose any additional technical obligation or requirement on a provider of a wire or electronic communication service or other person to furnish facilities or technical assistance …’.

Section 223: ‘Civil Liability for certain unauthorized disclosure’.

Section 212 inserting notably a new §2703 ‘Required disclosure of customer communications or records’: ‘A provider of electronic communications service or remote computing service shall disclose a record or other information pertaining to a subscriber or to a customer of such service (not including the contents of communications covered …) to a governmental entity’.

Section 224. Concerning those measures which, according to Senator T Daschle, ensure ‘an appropriate balance between protecting civil liberties, privacy and ensuring that law enforcement has the tools to do what it must’: ‘Negotiators have placed safeguards on the legislation, like a four‐year expiration date on the wiretapping and electronic surveillance portion, court permission before snooping into suspects’ formerly private educational records and court oversights over the FBI’s use of a powerful e‐mail wiretap system' (J J Holland ‘Senate sends antiterrorism legislation to Bush’ text available at: http://www.washingtonpost.com/wp‐dyn/Articles/A51682‐2001Oct25.html).

JO, L.24 of 1 January 1998, p 1.

On this common position, see Y Poullet, S Louveaux and M V Perez‐Asinari ‘Data protection and privacy in global networks: a European approach’ EDI (Electronic Data Interchange) Law Review, 2001, p 147.

The common position was adopted by the Council on 21 January 2002 (Institutional Dossier 2000/0189 [COD], 15396/01).

Directive 2002/58/CE, JO. 31. 7. 2002, L.201/37.

Under pressure from the French and English governments.

The commission, through its commissioner E Liikanen, had insisted on the fact that such a phrase could not have the status of a ‘Recital and could not be included in the text of the convention’.

‘The Council requests the EC to submit proposals for ensuring that law enforcement authorities are able to investigate criminal acts involving the use of electronic communications systems and to take legal measures against their perpetrators. In this context, the Council will be making a particular effort to strike a balance between the protection of personal data and the law enforcement authorities' need to gain access to data for the purposes of criminal investigations.' (On these conclusions, see the report of the English association Statewatch, EU governments want the retention of all telecommunications data for general use by law enforcement agencies under terrorism plan, available at http://www.statewatch.org/news/2001/sep/20authoritarian.htm.)

A first hearing had been organized on 7 March 2001 regarding its communication on cyber crime in such a way as to allow the representatives of each category of interests (network operators; service providers; public bodies for the protection of data; associations for liberties) to put forward their point of view.

Regarding this meeting, compare the discussion paper prepared by the services of the Commission and available on the Commission's site at the address: http://europa.eu.int/information_society/topics/telecoms/internet/crime/wpapnov/index.htm.

Compare in particular the position of AOL: ‘AOL retains only data that is necessary either for billing purposes, fraud prevention or security’. ‘AOL cannot cost a potential data retention obligation without understanding fully what would be required from us. However, some costs consideration would be, not only the storing of data but more importantly the cost of keeping the integrity of the data and the costs associated with data retrieval.’ Compare also the position of the European Association of Consumers and Electronic Manufacturers (EICTA) and of EACEM who consider that the obligation to conserve data imposes substantial financial costs on service providers and who oppose any compulsory conservation of traffic‐related data except in the case of legal proceedings relating to specific infractions: ‘Under a data preservation order, service providers store data related to a particular person, rather than store all users’ data for potential future investigations. Because data preservation requirements are directed at a particular person or persons, they do not pose the same privacy concerns as general data retention.'

In this connection, see the speech by P Schaar at the meeting of experts on 6 November 2001 and that of D Smith at the hearing of 27 November 2001. Moreover, reference will be made to the ‘opinions’ expressed by the Group for the protection of data of Article 29, in particular, the last‐mentioned (5074 final) adopted on 5 November 2001 concerning the Communication of the Commission: ‘Creating a safer information Society by improving the security of information infrastructures and combating computer‐related crime’ (available on: http://europa.eu.int/commm/internal8market/en/dataprot/wpdocs/index.htm).

Compare in particular the hearing of the Norwegian police where attention was drawn to the following infringements: ‘breaking into computer systems; theft of trade secrets; sabotage of critical IT systems; abuse of telephone systems; fraud; threats of life and death; blackmail; harassment and defamation …’.

Preamble No 11 notes: ‘In line with directive 95/46/CE, the present directive does not deal with the questions of the protection of rights and fundamental liberties linked to activities which are not governed by community law. It does not therefore modify the existing balance between the rights of individuals to privacy and the possibility that the Member States have to take measures such as those envisaged in Article 15, paragraph 1, of the present directive, that are necessary for the protection of public security, defence, the safety of the State (including the economic prosperity of the State when it is a question of activities linked to the safety of the State) and the application of criminal law. In consequence, the present directive does not affect the faculty of the Member States to legally intercept electronic communications or to employ other measures should this prove necessary to attain one of the above‐mentioned goals, while respecting the European Convention on Human Rights and Fundamental Liberties, such as interpreted by the European Court on human rights in its rulings. These measures must be appropriate, strictly in proportion to the goal being pursued and necessary in a democratic society. They should also be subject to appropriate guarantees, in respect of the European convention for the safeguard of human rights and fundamental liberties’.

JOCE, C. 191, 29 July 1992 and M.B., 30 October 1993.

J Rideau and J F Renucci ‘Dualité des protections juridictionnelle des droits fondamentaux: apport ou faiblesse dans la sauvegarde de ces droits?’ Justices, No 6, 1997, p 95; F Picod ‘The community judge and the European interpretation’ in F Sudre (ed) The Interpretation of the European Convention, Brussels, Bruylant, 1998, p 289, which speaks of the ‘phase of knowledge and exploitation’ of the jurisprudence of Strasbourg by the CJCE. In this respect, the impressive list of rulings by the Court of Justice of the European Communities, cited by Renucci, Droit européen des droits de l'Homme 2nd edn, LGDG, 2001, p 339.

Law No 2001‐1062 of 15 November 2001 relating to daily security, J.O. of 16 November 2001.

Article 15.3 expressly stipulates that: ‘The group for the protection of individuals with respect to the treatment of data of a personal nature, instituted by Article 29 of the directive 95/46/CE, also fulfils the tasks envisaged in Article 30 of the said directive concerning the matters covered by the present directive, namely, the protection of rights and fundamental liberties as well as legitimate interests in the sector of electronic communications’. This explicit increase in the competence of group 29 is remarkable. It allows it notably, in conformity with Article 30.2 and 3 of directive 95/46 to make recommendations on the way the text should be interpreted and especially, if it finds divergences that are likely to affect the equivalence of the protection provided by the legislation or practices of the Member States, to inform the Commission which can then, in accordance with the mechanism foreseen in the text of directive 2002/58/CE, provide for a modification of the text of the directive.

Concerning this fundamental decree and its application regarding wiretapping by the State security services, read B Havelange and Y Poullet ‘Sureté de l’Etat et protection des données: comment réconcilier l'irréconciliable?' in International Conference of 20 January 1999 organized by the Committee R, in ‘Law of information and communication technologies’ Cahiers du Crid, No 16, Brussels, Bruylant, 1999, p 235. On the notion of democracy stemming from this decree, see the article by F Ost ‘Le concept de démocratie dans la jurisprudence de la Cour européenne des droits de l’Homme' Journal des Procès, No 124, 1998, p 13.

Recommendation adopted 3 May 1999 (Doc. 5005/99/final, WP 18, already cited). We remind the reader that this recommendation had been made in the context of the European reactions to the discovery of the Echelon network (compare above, No 15).

On this case law, read the remarkable article by D Yernault ‘Echelon’ et l'Europe—La protection de la vie privée face à l'espionnage des télécommunications' Journal des Tribunaux de Droit Européen (J.T.D.E.), 2000, p 190.

In this respect, the firm case law of the Council of Europe, D Yernault ‘From fiction to reality: the global electronic spying program; Echelon, and the international responsibility of the States with regard to the European Convention on Human Rights’ Belgian Review of International Law, 2000, p 198. Recently concerning wiretapping, condemnation on the part of the UK, simple circulars from the Home Office clarifying the questions for wiretapping, the report of the Commission of 14 January 1998, Aff. Govell v. The United Kingdom, 6 62 and especially the Court ruling in the case Khan v. The United Kingdom, 12 May 2000, §27.

Concerning these first two conditions, we draw attention to the Malone ruling of 12 August 1984: ‘The law must employ terms that are sufficiently clear to show everyone in a sufficient way and under what conditions it authorizes the authorities to exercise such a secret infringement’ and that of Leander of 26 March 1987: ‘In a system applicable to all citizens, … the law must employ terms that are sufficiently clear to show them in an adequate way in what circumstances and under what conditions, it authorizes the authorities to interfere in this secret, and virtually dangerous way, in their private lives … . The law itself must define the extent of the power attributed to the competent authority with sufficient clarity—taking into account the legitimate goal being pursued—in order to provide the individual with adequate protection against arbitrary power’.

In this respect, note the ruling of the president of the Belgian Commission for the Protection of Privacy, Mr Thomas, during his hearing at the Justice Commission of the House when the proposed law on computer crime was being examined (Doc. Parl. Chambre, sess. 1999–2000, 50, 0213/004, p 32): ‘We should not end up creating separate and supplementary data bases by imagining that they can always be useful’. This ban on exploratory and general surveillance is affirmed by the Klass ruling of the European Court on Human Rights already cited; it is also affirmed by the Committee on Human Rights of the United Nations, general observation, No 16.

On this condition, see the Huvig and Kruslin rulings of 24 April 1990 and the Valenzuela Contreras versus Spain ruling of 30 July 1998: the guarantees to figure in the law concern ‘the definition of the categories of persons liable to be placed under wiretapping surveillance, the nature of the infractions, the fixing of a time limit for the duration of the surveillance; the conditions for making a synthesis of the transcripts of the conversations intercepted; the precautions to be taken to communicate the recordings to be checked by the judge and the defence; the circumstances under which the recordings can and must be erased’.

That is, the person connected with the person under surveillance and their localization in the case of contact by mobile phone.

Compare in this respect, the case of Amann v. Switzerland (16 February 2000) which questions the rules of criminal procedure adopted by Switzerland when they concern ‘the third parties presumed to receive from or transmit information to the latter (the persons suspected or charged)’, without regulating in detail the case of these interlocutors wiretapped ‘by chance’ as ‘necessary participants’ in a telephone conversation recorded by the authorities. ‘In particular, the law does not state clearly the precautions to be taken with regard to them’.

Concerning these last two conditions, see the Buckley ruling of 25 September 1996 (§76) made by the European Court of Human Rights: ‘According to the case law of the Court, even if Article 8 does not contain any procedural condition, the decision process that leads to measures of interference must be fair and show proper respect for the interests of the individual that are protected by Article 8’.

In the case Rotaru v. Rumania of 4 May 2000, the Court demands that, even in the case of administrative wiretapping, the last recourse should be the judiciary, for ‘it offers the best guarantees of independence, impartiality and regular procedure’.

This is the requirement of which we are reminded by the Berlin Group (an international working group for the protection of data in the telecommunications sector), which adopted, during its meeting in Hong Kong on 15 April 1998, a recommendation on ‘Public Accountability in relation to interception of private communications’.

In particular in the European networks of police and judiciary cooperation, like Europol and Infopol, and even, as the USA wanted, to the American defence authorities.

Compare above, No 18.

Compare above, No 19.

We remind the reader that the first proposition of the directive did not mention this finality, subsequently introduced at the request of the operators. The vague nature of this new finality for conserving data gives cause for concern even if it goes without saying that the principles of Article 6 of the so‐called general directive for the protection of data apply and henceforth oblige the provider or operator of communications services to proceed to loyal treatment only for fixed and compatible finalities, only in respect of relevant data and in relation to those finalities and finally only for the strictly necessary period of time.

We can push this reasoning to the point of absurdity. Shall we draw from the fact that it seems that the accomplices of Bin Laden—insofar as he is guilty—made use of razor blades in their attack, the consequence that any individual buying such razor blades should have a file opened on them?

We should note in this connection the resolution adopted by the European Parliament on 4 May 2000 and the Communication of the European Commission of 30 November 2000 regarding the fight against forgery and pirating in the single market, which in fact encourages collaboration between the private sector and the police and judicial authorities in their fight for the protection of intellectual property. The proposal for a directive is expected on this point for October of this year.

Compare above, No 255 in fine.

It is a question of ‘excluding, when drawing up the decree, the communication data that can be considered as indirect data of content or behaviour. Certain technical data can in fact provide knowledge of the content of the information transmitted (for example, the URL of the sites visited, the IP address of the server consulted or the heading of an e‐mail), or on the behaviour of netsurfers (address of the addressee of an e‐mail, for example). The Forum considers that this type of data must not be mentioned in the decree being drawn up. However, it considers that the IP address of the user certainly forms part of the data needed for establishing the communication and reveals nothing of the content of the information consulted or of the behaviour of the surfer’. (Forum of Internet rights, Recommendations to the authorities: conservation of data relating to an electronic communication, 18 December 2001, available at: http://www.foruminternet.org/recommandations/lire.phtml?id=230).

Thus, the current debate in France regarding the interest shown by the Tax Administration in connection data. ‘The Senate adopted, on 18 December, in the context of the proposed law of amended finance 2001, amendments giving access to customs officers and the investigating officers of the Commission for stock exchange dealings (COB) to the data conserved by access providers and telecommunications officers under the Security Act provisions. It profited from the occasion, however, by proposing a new amendment which extends this right of access to tax officers. By means of a new amendment, modifying Article L 32‐3‐1 of the Code for the Post and Telecommunications, it completes the operation by foreseeing that ‘For the needs of tracking down, sanctioning and identifying irregularities in accordance with the provisions of the customs code, the general tax code or the monetary and financial code, the operators […] and service providers mentioned in Articles 43–7 and 43–8 of the law of 30 September 1986 […] must communicate […] the data which they are asked for by the authorized agents in the customs and the services responsible for the recovery of taxes and dues […]’. The tax agents therefore obtain right of access to data conserved by the operators for invoicing purposes.

In this respect, read H Brulin and D Moreau ‘Coopération policière internationale et autorités de contrôle: un mariage d’amour ou de raison?’ in E Montero (ed) Droit des technologies de l'information. Regards prospectifs, Brussels, Bruylant, 1999, p 185.

Opinion of the Belgian Commission for the Protection of Privacy, already cited above, note 6.

Forum for Rights on Internet, Recommendations to the authorities; conservation of data relating to an electronic communication, 18.12.2001, available at: http://www.foruminternet.org/recommandations/lire.phtml?id=230. No doubt it is also to be recommended that the conservation by the providers and operators as well as by the police is done with ‘free software’ allowing manipulations to be avoided that can take place without being detected by the controlling authorities.

Our conclusions take certain passages from the speech of the author during the hearing organized by the EC in Brussels on 27 November, a hearing relating to the fight against cyber crime. The speech was published at length under the title ‘Sécurité ou Libertés? Ubiquité’ Revue de droit des technologies de l'information, Brussels, Larcier, 2002, p 3.

Compare on this point, h. 252 above.

In this respect, see J Boyle ‘Foucault in cyberspace: surveillance sovereignty and hard‐wired censors’ available at http://www.wel.american.edu/pub/faculty/boyle/fouc1.html. The author compares the police systems of electronic surveillance to a virtual ‘Panopticon’, which is much more effective than the real one proposed by J Bentham.

B Frappat ‘La dictature de la transparence’ Etudes, 58, 1999.

Additional information

Notes on contributors

Yves Poullet

Correspondence: Yves Poullet, Centre de Recherches Informatique et Droit, 5 Rempart de la Vierge, 5000 Namur, Belgium. E‐mail: [email protected]. The author is Dean of the Faculty of Law of the FUNDP, Namur, Belgium and Director of the Centre for Research into Computing and Law (CRID), Namur (http://www.crid.ac.be).
