W7y8w3

Table 3.Provision of personal information by ISPsYear Prosecution Police NISMilitary investigativeunit or othersTotalKosovoKosovo’s experience with data retention:A case of adopting negative EU standards2010 1,323,176 5,419,365 76,018 326,233 7,144,7922011 1,295,968 3,958,055 102,979 491,989 5,848,9912012 2,241,812 5,115,131 110,923 411,722 7,879,5882013 2,858,991 6,230,617 113,305 371,746 9,574,659information which telecommunications service providershave to generate or keep in order to provideit to the authorities. The data is processed only tomake it convenient for the agencies to electronicallytrace their subjects in real time. This practicegoes against data protection norms which requirethat collecting and using any personal informationshould be the minimum necessary.The data protection norms, including the country’sData Protection Act, grant many exceptionsto the intelligence and investigation agencies.The data generated under these exceptions mightalso be used for the financial benefit of the serviceproviders. Considering that the purpose of theconstitution and international human rights law isto protect private life, personal information, andthe privacy and freedom of communication fromany governmental surveillance, the present legalsystem in South Korea, such as PCSA and the DataProtection Act, means that the government is infringingon these human rights.Action stepsThere is a serious communication surveillance crisis,not only in South Korea but throughout the wholeworld. As a UN resolution 6 pointed out in November2013, it is necessary to improve domestic laws related6 UN General Assembly Resolution A/C.3/68/L.45/Rev.1 on “Theright to privacy in the digital age”, 20 November 2013. www.un.org/ga/search/view_doc.asp?symbol=A/C.3/68/L.45/Rev.1source: Government of the Republic of Koreato the protection of privacy, communication privacyand personal information in the digital age. It is essentialto establish an independent body that supervisescommunications surveillance conducted by the intelligenceagency and the investigation agencies. Neitherthe Personal Information Protection Commission andthe National Assembly in South Korea have performedthis supervisory role well enough.Additionally, an international norm to regulatesecret surveillance by intelligence agencies is neededin each country. As Edward Snowden revealed,as long as intelligence agencies across the worldcollect information by cooperating with or competingwith each other, no citizen of any nation can beguaranteed privacy.To achieve this, lawmakers in South Korea haveto recognise the seriousness of communicationssurveillance and improve domestic laws. They alsoneed to cooperate internationally to build proper internationalnorms on the issue. Human rights NGOswill continue taking vigorous action to demand thatthese steps are implemented. 77 Joint Statement by NGOs in the Republic of Korea on IntelligenceAgencies’ Internet Surveillance, 21 August 2013. act.jinbo.net/drupal/node/7636FLOSSKArianit Dobroshiwww.flossk.orgIntroductionThe Kosovo government, through the Ministry ofEuropean Integration, was in the first part of 2014considering the third draft of a problematic dragnetelectronic interception and data retention law.The adoption of the law was thwarted in large partthanks to the reaction of civil society, a EuropeanUnion Court of Justice ruling that came just in time,and ultimately the disbanding of the Kosovo Parliamentfor early elections. It will come back.The process highlights a case of imposing dubiousstandards from the European Union (EU) ona country, which often results in weak democraciesand breaches of the rule of law.Attempts to pass the lawA draft law on electronic interception and data retentionwas previously considered in 2012-2013,with the latest attempt being in 2014. In 2013 thesecond attempt was turned down by the IntelligenceAgency Oversight and Security ParliamentaryCommittee.The bill returned with similar problems in 2014.This time it came alongside the dialogue on visaliberalisation which the EU has been having withKosovo for years with meagre success. 1Currently, electronic surveillance in Kosovo ispermitted through the Penal Code and the Code ofPenal Procedure, provided a warrant is secured, althoughsome have argued that more detailed rulesare lacking. Kosovo has enshrined privacy in itsquite modern constitution and has implemented a1 The requirement is framed in this way: “Ensure that futurelegislation on interception distinguishes clearly between judicialinterception and interception for intelligence services, in line withEuropean best practices, while the provisions on data retentionfor law enforcement purposes comply with the EU acquis on dataretention.” See the Report from the Commission to the EuropeanParliament and the Council on Progress by Kosovo in Fulfilling theRequirements of the Visa Liberalisation Roadmap, 8 February 2013.ec.europa.eu/dgs/home-affairs/e-library/documents/policies/international-affairs/general/docs/report_on_progress_on_kosovo_visa_liberalisation_en.pdfdata protection law and established a data protectionagency based on EU legislation. 2As reintroduced, the bill would have giventhe Kosovo Intelligence Agency the ability to tapinto communications networks for the purpose ofrecording internet and telephone metadata andcontent. A court warrant was not mandatory; instead,only lawful authorisation was mentioned.The Minister of European Integration stated thatthe draft law had been endorsed by the EU. Emailsto the EU Mission in Kosovo were not returned. Directive2006/24/EC 3 on data retention was alreadyconsidered highly problematic, even in the EU countries.Article 5 on the types of data to be retainedis exhaustive. They are, of course, metadata, butmetadata can reveal a lot. 4 The implementation ofthe Directive had been thrown out by high courts inGermany, the Czech Republic and Romania and wasbeing contested in Austria, Ireland and Slovenia.Sweden was threatened for years with heavy finesby the European Commission to implement it, aswas Romania. 5On 7 April, just a day before the Court of Justiceof the EU (CJEU) was due to hand down its verdict onthe matter of data retention, the Ministry sent a newdraft to a selected number of civil society organisations.This again was in violation of consultationprocedures mandated by law which stipulate publicationfor general public access. 6 This draft wasmuch more precise in language and with noticeableimprovements, limiting, for example, the number ofinstitutions that would have access to the data. Twopoints giving rise to concern, however, remained:2 Kosovo has transposed EU’s Directive 95/46/EC on Data Protectionvia Law No.03/L – 172 on the protection of personal data.3 Directive 2006/24/EC of the European Parliament and of theCouncil of 15 March 2006 on the retention of data generated orprocessed in connection with the provision of publicly availableelectronic communications services or of public communicationsnetworks and amending Directive 2002/58/EC.4 Leber, J. (2013, June 18). Mobile Call Logs Can Reveal a Lot tothe NSA. MIT Technology Review. www.technologyreview.com/news/516181/mobile-call-logs-can-reveal-a-lot-to-the-nsa5 EDRi. (2013, June 5). EC goes after governments for notimplementing data retention. EDRi. history.edri.org/edrigram/number11.11/ec-fines-sweden-data-retention6 Art. 32 of Regulation No. 09/2011 on Rules and Procedure of theGovernment of the Republic of Kosovo foresees the publication ofdraft normative acts for consultation.162 / Global Information Society Watchkosovo / 163