<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 12/04/14 15:46, Andrew Cormack
wrote:<br>
</div>
<blockquote
cite="mid:61E52F3A5532BE43B0211254F13883AE9822AB2B@EXC001"
type="cite">
<pre wrap="">Some of the purposes ISPs can use traffic data for are listed in Regulation 8 of the Privacy and Electronic Communications Regs (there are others scattered through the Regs):
(a)the management of billing or traffic;</pre>
</blockquote>
<br>
with what justification for emails, or IP telephony, in
flat-rate packages? Setting triggers for logging after some cap is
reached on volume is somewhat defensible, but the level of intrusion
constituted by traffic data is more widely recognized today, so
throttling as cap is approached is obviously more proportionate<br>
<br>
<blockquote
cite="mid:61E52F3A5532BE43B0211254F13883AE9822AB2B@EXC001"
type="cite">
<pre wrap="">(b)customer enquiries;</pre>
</blockquote>
<br>
hard to see that being applicable<br>
<br>
<blockquote
cite="mid:61E52F3A5532BE43B0211254F13883AE9822AB2B@EXC001"
type="cite">
<pre wrap="">(c)the prevention or detection of fraud;</pre>
</blockquote>
<br>
it's not going to be defensible to extend retention times for all to
deal with fraud. If fraud is rife, then the ISP is doing something
wrong; if it is occasional it won't be proportionate to intrude on
privacy of all<br>
<br>
<blockquote
cite="mid:61E52F3A5532BE43B0211254F13883AE9822AB2B@EXC001"
type="cite">
<pre wrap="">(d)the marketing of electronic communications services [with consent, according to Reg 7]; or
(e)the provision of a value added service [with consent, according to Reg 7].</pre>
</blockquote>
<br>
n/a, except possibly to stuff to do with location data, or managing
contacts, and in any case the consent cannot be take-it-or-leave,
and must be fully informed of the risks to privacy<br>
<br>
<blockquote
cite="mid:61E52F3A5532BE43B0211254F13883AE9822AB2B@EXC001"
type="cite">
<pre wrap="">ISPs that don't keep enough information to deal with complaints of breaches of their own AUPs, e.g. which IP address was allocated to which user, tend to be regarded unfavourably and may ultimately find their (customers') ability to send e-mail etc. to other networks being reduced. LINX produced a Good Practice Guide on Traceability many years ago, which was approved by the then Data Protection Commissioner (yes, *that* many years ago).</pre>
</blockquote>
<br>
Those were shameful days for the industry, bending over backwards in
complicity with ICO to manufacture a blanket data retention policy
from the commercial exemptions.<br>
<br>
What has changed today is a recognition that the application of
these exemptions has to be proportionate, compared to the interests
of the ISP. The exemptions apply narrowly to what the ISP can
justify - there is no "public policy/public interest"
interpretation.<br>
<br>
What this boils down to is that if Member States allow interpreting
these exemptions to justify retention of email logs, on the basis of
dealing with the odd spammer, they will face the same problem of
proportionality now dealt with definitively by CJEU. Any logging on
the above grounds will have to be based on actual individual
suspicion of breaching ToS, and limited in scope and time<br>
<br>
This fudge <a
href="https://www.whatdotheyknow.com/request/qcs_opinion_on_data_retention_in">tombstone</a>
from 2002 (not an easy read), just moved to centre-stage, and I
discuss it in <a
href="http://blog.privacystrategy.eu/public/published/Submission_ISC_7.2.2014_-_Caspar_Bowden.pdf">my
ISC submission</a><br>
<br>
Caspar<br>
<br>
<br>
</body>
</html>