11.07.2015 Views

W7y8w3


Slovak Republic
The quest for privacy in Slovakia: The case of data retention

European Information Society Institute (EISi)
Martin Husovec and Lubomir Lukic
www.eisionline.org

Introduction

Shortly after a series of coordinated suicide attacks in Madrid in 2004 and central London in 2005, the European Union reacted by passing the so-called Data Retention Directive in 2006. The directive obliged all EU member states to implement laws forcing telecommunications providers to monitor and store a wide range of metadata concerning the online and phone activities of their citizens for periods ranging from several months to years. The hope was that this data could help Europe to better fight terrorism and other serious crimes. Strong protests by citizens in some of the member states could not stop the scale of this imposed surveillance.

In September 2010, when the European Information Society Institute (EISi) was formed in the Slovak Republic (also known as Slovakia), the fight against surveillance in other member states had already been going on for several years. The German Constitutional Court in March of that year suspended Germany’s implementation of the directive and many other national initiatives began appearing. Encouraged by the efforts and fruits of the labour of our colleagues, EISi decided to make litigation against data retention in Slovakia its first goal. There was, at the time, no civil society organisation to do the job in the country; there was virtually no public debate and very little, if any, public resistance against data retention.

Policy and political background

After the Data Retention Directive was implemented at the national level throughout the EU, the resulting legislation was subject to numerous challenges at the national level. [1] However, it took almost a decade to challenge the source of all of this: the directive itself. In April 2014, the Court of Justice of the EU (CJEU) – in its historical role as a constitutional court for the Union – repealed the entire Data Retention Directive [2] and also broadly quashed any future hopes for similarly far-reaching measures. This, however, did not exhaust the advocacy role for civil society groups. Today, there is a great need to sweep clean numerous post-directive consequences. In Slovakia, this entails the review of the Act on Electronic Communications and some other acts.

This report outlines the struggle of launching a challenge against the implementation of the directive in Slovakia. It presents a picture of non-responsive local authorities, a lack of public awareness and little resistance to an invasion of privacy rights among Slovak civil society and ultimately citizens. It also illustrates a misuse of retained data and the real practice of disclosure, which is often distant from the letter of the law.

Challenging the implications of the Data Retention Directive at the local level

Soon after its launch, EISi authored a brief report pointing out the basic discrepancies between the Act on Electronic Communications (“the Act”) and its data retention provisions, and the fundamental rights embodied in the Slovak constitution, the EU Charter of Fundamental Rights and Freedoms, and the Convention for the Protection of Human Rights and Fundamental Freedoms. This report was then presented in the form of a motion [3] to two local authorities, which were entitled to initiate proceedings before the Constitutional Court. These authorities were the General Prosecutor’s Office and the Ombudsman.

Both of the local authorities, despite the evidence, reached the view that the data retention provisions do not lead to an interference with the fundamental rights and freedoms of citizens. And so they refused to initiate any proceedings before the Constitutional Court, which could review the constitutionality of the provisions of the Act.

When easier ways of initiating proceedings before the Constitutional Court were exhausted, EISi had to try more complicated and resource-intensive ways. We put together a submission for the Constitutional Court [4] and started asking for the support of members of parliament, who can also initiate such a constitutional review. The required number of signatures is relatively high – at least each fifth member of parliament needs to sign such a submission (a total of 30 MPs).

It probably does not need to be stressed too much that this requirement slowed down the process. Because EISi has no regular staff members, but only volunteers, it took a few years to both draft the submission and get the necessary support for it. And had the work on the submission not been supported by the research of one of its members, it could have taken even longer than that.

The ultimate aim of the submission, which was later presented to MPs, was to succinctly point out conflicts between the data retention provisions and fundamental rights and freedoms. The submission described the overall situation, the fundamental features of which are presented below.

According to the Act, an undertaking [5] is obliged to retain traffic data, location data and data of the parties who communicated. The data retention period was set to six months in the case of internet access, email and voice over internet protocol (VoIP), and 12 months in the case of other types of communications. The scope of the retained data is very broad. It can probably be best divided into the following categories: i) data necessary to trace and identify the source of a communication; ii) data needed to identify the recipient of communication or to identify the date, time and duration of communication and iii) data needed to identify the type of communication, the users’ end equipment (or what seems to be their equipment) and the location of mobile devices.

In the opinion of EISi, the introduction of these obligations constituted a substantial encroachment upon the private life of individuals – especially because this mandated a blanket monitoring of all inhabitants of Slovakia, regardless of their innocence or prior behaviour. The data retention requirements mandated that every day the data about every inhabitant of Slovakia must be collected, amassing a profile of who called whom, to whom someone sent an SMS or email, when the person sent it, from which location, using what type of device or service, how long the communication took, and many other details. It is needless to say that the combination of this information made it possible to perfectly describe the movement of every inhabitant of Slovakia who uses a mobile phone or the internet. In this way, the behaviour, circle of acquaintances, hobbies, health, sexuality and other personal secrets of all the citizens can be predicted.

It therefore comes as no surprise that EISi considered the legislation to be entirely disproportionate and lacking any safeguards against the misuse of the sensitive data. The legislation created a regulatory free space which increasingly minimised citizens’ privacy. Moreover, the main duties and details of data retention regulation were left to private companies, which are naturally more interested in minimising their costs, since the state did not reimburse them for the cost of this obligation.

The submission argued that in the light of the application of the proportionality test, the data retention legislation turns out to be clearly unconstitutional. It also argued that the retention of metadata can in a concrete way result in even more intrusive interference with the right to privacy than a scenario in which the content of the communication itself is retained.

Moreover, the legislation, in contrast with other legal requirements for criminal proceedings, did not exempt persons who are otherwise bound by professional secrecy (e.g. lawyers, doctors), or who cannot be surveilled or wiretapped when they perform certain activities (e.g. relationships between advocate and accused).

EISi argued that the national provisions on data retention were therefore in direct conflict with the principle that the restriction of fundamental rights and freedoms has to comply with their essence and meaning. The restrictions can only be implemented when there is a clear, stated aim. It is a violation of provisions if the state restricts fundamental rights and freedoms in a way that both lacks an achievable goal and, especially, threatens the very essence of those freedoms.

We furthermore believed that blanket data retention is unconstitutional for several reasons, and that the Data Retention Directive itself is invalid because of this. First of all, data retention is not a sufficiently effective tool to combat serious crime: it affects ordinary people more than the perpetrators of serious crimes. Therefore it disproportionately infringes on the right to privacy and the right to protection of personal data. It also disproportionately

[1] Jones, C., & Hayes, B. (2013). The EU Data Retention Directive: a case study in the legitimacy and effectiveness of EU counterterrorism policy. secile.eu/data-retention-in-europe-case-study
[2] Digital Rights Ireland C-293/12 and Kärntner Landesregierung C-594/12.
[3] www.eisionline.org/index.php/projekty-m/ochrana-sukromia/22-podanie-generalna-prokuratura
[4] www.eisionline.org/index.php/projekty-m/ochrana-sukromia/28-vzorove-podanie-na-ustavny-sud-sr-vo-veci-plosneho-sledovaniaobcanov
[5] For the purposes of the Act on Electronic Communications, “undertaking” means every person who provides a network or service; undertaking activity means a network or a service provision in the electronic communications sector for a third party.

220 / Global Information Society Watch
Slovak Republic / 221
