Data retention directive "invalid"
Caspar Bowden (lists)
lists at casparbowden.net
Sun Apr 13 07:37:26 BST 2014
On 12/04/14 15:46, Andrew Cormack wrote:
> Some of the purposes ISPs can use traffic data for are listed in Regulation 8 of the Privacy and Electronic Communications Regs (there are others scattered through the Regs):
> (a)the management of billing or traffic;
with what justification for emails, or IP telephony, in flat-rate
packages? Setting triggers for logging after some cap is reached on
volume is somewhat defensible, but the level of intrusion constituted by
traffic data is more widely recognized today, so throttling as cap is
approached is obviously more proportionate.
> (b)customer enquiries;
hard to see that being applicable
> (c)the prevention or detection of fraud;
it's not going to be defensible to extend retention times for all to
deal with fraud. If fraud is rife, then the ISP is doing something
wrong, if it is occasional it won't be proportionate to intrude on
privacy of all
> (d)the marketing of electronic communications services [with consent, according to Reg 7]; or
> (e)the provision of a value added service [with consent, according to Reg 7].
n/a, except possibly to stuff to do with location data, or managing
contacts, and in any case the consent cannot be take-it-or-leave-it, and
must be fully informed of the risks to privacy.
> ISPs that don't keep enough information to deal with complaints of breaches of their own AUPs, e.g. which IP address was allocated to which user, tend to be regarded unfavourably and may ultimately find their (customers') ability to send e-mail etc. to other networks being reduced. LINX produced a Good Practice Guide on Traceability many years ago, which was approved by the then Data Protection Commissioner (yes, *that* many years ago).
Those were shameful days for the industry, bending over backwards in
complicity with ICO to manufacture a blanket data retention policy from
the commercial exemptions.
What has changed today is a recognition that the application of these
exemptions has to be proportionate, compared to the interests of the
ISP. The exemptions apply narrowly to what the ISP can justify - there
is no "public policy/public interest" interpretation.
What this boils down to is that if Member States allow interpreting
these exemptions to justify retention of email logs, on the basis of the
dealing with the odd spammer, they will face the same problem of
proportionality now dealt with definitively by CJEU. Any logging on the
above grounds will have to be based on actual individual suspicion of
breaching ToS, and limited in scope and time
This fudge tombstone
2002 (not an easy read), just moved to centre-stage, and I discuss in my