Data retention directive "invalid"

Caspar Bowden (lists) lists at casparbowden.net
Sun Apr 13 07:37:26 BST 2014


On 12/04/14 15:46, Andrew Cormack wrote:
> Some of the purposes ISPs can use traffic data for are listed in Regulation 8 of the Privacy and Electronic Communications Regs (there are others scattered through the Regs):
>
> (a) the management of billing or traffic;

with what justification for emails, or IP telephony, in flat-rate 
packages? Setting triggers for logging after some cap is reached on 
volume is somewhat defensible, but the level of intrusion constituted by 
traffic data is more widely recognized today, so throttling as the cap is 
approached is obviously more proportionate.

> (b) customer enquiries;

hard to see that being applicable

> (c) the prevention or detection of fraud;

it's not going to be defensible to extend retention times for all to 
deal with fraud. If fraud is rife, then the ISP is doing something 
wrong; if it is occasional, it won't be proportionate to intrude on the 
privacy of all.

> (d) the marketing of electronic communications services [with consent, according to Reg 7]; or
> (e) the provision of a value added service [with consent, according to Reg 7].

n/a, except possibly for stuff to do with location data, or managing 
contacts, and in any case the consent cannot be take-it-or-leave-it, and 
must be fully informed of the risks to privacy.

> ISPs that don't keep enough information to deal with complaints of breaches of their own AUPs, e.g. which IP address was allocated to which user, tend to be regarded unfavourably and may ultimately find their (customers') ability to send e-mail etc. to other networks being reduced. LINX produced a Good Practice Guide on Traceability many years ago, which was approved by the then Data Protection Commissioner (yes, *that* many years ago).

Those were shameful days for the industry, bending over backwards in 
complicity with ICO to manufacture a blanket data retention policy from 
the commercial exemptions.

What has changed today is a recognition that the application of these 
exemptions has to be proportionate, compared to the interests of the 
ISP. The exemptions apply narrowly to what the ISP can justify - there 
is no "public policy/public interest" interpretation.

What this boils down to is that if Member States allow interpreting 
these exemptions to justify retention of email logs, on the basis of 
dealing with the odd spammer, they will face the same problem of 
proportionality now dealt with definitively by the CJEU. Any logging on the 
above grounds will have to be based on actual individual suspicion of 
breaching ToS, and limited in scope and time.

This fudge tombstone 
<https://www.whatdotheyknow.com/request/qcs_opinion_on_data_retention_in> from 
2002 (not an easy read) just moved to centre-stage, and I discuss it in my 
ISC submission 
<http://blog.privacystrategy.eu/public/published/Submission_ISC_7.2.2014_-_Caspar_Bowden.pdf>

Caspar
