IPerity Blog

What makes us think...

3 Things why data retention is against dutch law

3 Things why data retention is against dutch law

Data retention: a law to be upheld?

(This post is a liberal translation of the original dutch article found here)

Februari 18th was our day in court. Together with several other parties we filed civil proceedings against the Ministry of Security and Justice in order to put an end to the retention of telecommunications data. But what’s all the fuss about, really?

History of data retention

For a number of years telecom and internet providers in The Netherlands are required to store traffic meta data for possible querying from (bodies such as) the police. As a telco, SpeakUp also uses this data for billing and specifications for the customer, but the data is held for a longer period of time than would be necessary for our own purposes. Considering the privacy aspects, it would be preferable to anonymize or even completely destroy data much earlier. After all, data you don’t have can’t be misused, even accidentally.

1. Meta data & the EU

During the legal proceedings, the privacy impact of meta-data was brushed aside once more, which is really a bad thing: Analysis of meta-data can teach you an awful lot about someone.
In April last year, the European Court of Justice ruled that the European data retention directive is in conflict with the European Convention on Human Rights. This is important because a Dutch law that conflicts with a European treaty should not be carried out, according to the Dutch Constitution.

2. Effectivity of data retention

Data retention is a bad idea for more reasons. These invasions of our privacy, which in itself are bad enough, should serve a purpose: to more efficiently be able to track down and prosecute criminals.
But how many cases are really coming to a good end because of the availability of these data is cloudy at best. Data retention has been in place for 5 years, and the State Attorney was hard pressed to come up with more than a single example. Don’t get me wrong, I am also very much in favor that justice can tackle culprits in this society – but how much of our freedom will be sacrificed to achieve that? If we give up our privacy because of the reign of fear, hasn’t terrorism in fact reached its goal?

3. Limits of data availability

There’s even more, because were do we draw the line? These laws were put in place to address serious crimes, terrorism etc. but our lawyer also made clear that the requisition of meta-data is possible even for lesser crimes, like bike-theft or false tax reports. The State Attorney argued that this is not an issue, of course data requisitions are only utilised for serious offenses. But at the moment this is just not verifiable, not transparent. Not in advance, nor afterwards. This issue has been criticized quite a bit by several parties. Moreover, there are insufficient safeguards to protect whistleblowers in their contacts with journalists. And it’s not just a theoretical problem, our lawyer stated, citing an incident where one journalist’s data had been requisitioned in order for police to find a hacker who published a leak in one of our State Secretaries communications.

Easy solution?

Anyway, Data Retention directive gone, problem solved. Done deal, get rid of that retention – one would think. Unfortunately it is not that easy. Minister Opstelten had already announced he will enforce the law, and consulted on a bill with minimal changes. That means that if we cease our data retention, we act contrary to the Telecommunications Act and may get fined by the Ministry of Justice, and if we maintain the data we act in conflict with the European Convention on Human Rights and we could potentially face civil proceedings from our customers.

Bring clarity!

Effectively each telecom provider or ISP is between the rock and the hard place. We asked the Minister nicely, but he does not want to solve this problem for us. Cause for us to start our legal proceedings.

We hope the judge provides more clarity – clarity our government will definitely need, now that the Ministry of Defense and the Ministry of Interior Affairs are also working on new plans for large-scale data collection from Dutch citizens, regardless of any suspicions.

What do you think, is the best solution?