New Data Security Requirements and the Proceduralization of Mass Surveillance Law after the European Data Retention Case

New Data Security Requirements and the Proceduralization of Mass Surveillance Law after the European Data Retention Case external link

2015

Abstract

This paper discusses the regulation of mass metadata surveillance in Europe through the lens of the landmark judgment in which the Court of Justice of the European Union struck down the Data Retention Directive. The controversial directive obliged telecom and Internet access providers in Europe to retain metadata of all their customers for intelligence and law enforcement purposes, for a period of up to two years. In the ruling, the Court declared the directive in violation of the human rights to privacy and data protection. The Court also confirmed that the mere collection of metadata interferes with the human right to privacy. In addition, the Court developed three new criteria for assessing the level of data security required from a human rights perspective: security measures should take into account the risk of unlawful access to data, and the data’s quantity and sensitivity. While organizations that campaigned against the directive have welcomed the ruling, we warn for the risk of proceduralization of mass surveillance law. The Court did not fully condemn mass surveillance that relies on metadata, but left open the possibility of mass surveillance if policymakers lay down sufficient procedural safeguards. Such proceduralization brings systematic risks for human rights. Government agencies, with ample resources, can design complicated systems of procedural oversight for mass surveillance – and claim that mass surveillance is lawful, even if it affects millions of innocent people.

Bibtex

Article{nokey,
	title = {New Data Security Requirements and the Proceduralization of Mass Surveillance Law after the European Data Retention Case},
	author = {Zuiderveen Borgesius, F. and Arnbak, A.},
	url = {http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2678860},
	year = {1027},
	date = {2015-10-27},
	abstract = {This paper discusses the regulation of mass metadata surveillance in Europe through the lens of the landmark judgment in which the Court of Justice of the European Union struck down the Data Retention Directive. The controversial directive obliged telecom and Internet access providers in Europe to retain metadata of all their customers for intelligence and law enforcement purposes, for a period of up to two years. In the ruling, the Court declared the directive in violation of the human rights to privacy and data protection. The Court also confirmed that the mere collection of metadata interferes with the human right to privacy. In addition, the Court developed three new criteria for assessing the level of data security required from a human rights perspective: security measures should take into account the risk of unlawful access to data, and the data’s quantity and sensitivity. While organizations that campaigned against the directive have welcomed the ruling, we warn for the risk of proceduralization of mass surveillance law. The Court did not fully condemn mass surveillance that relies on metadata, but left open the possibility of mass surveillance if policymakers lay down sufficient procedural safeguards. Such proceduralization brings systematic risks for human rights. Government agencies, with ample resources, can design complicated systems of procedural oversight for mass surveillance – and claim that mass surveillance is lawful, even if it affects millions of innocent people.},
	keywords = {Data protection, data retention, GCHQ, Grondrechten, metadata, NSA, Privacy, security, Snowden, Surveillance, traffic data},
}

Your Digital Home is No Longer Your Castle: How Cloud Computing Transforms the (Legal) Relationship between Individuals and Their Personal Records external link

Irion, K.

International Journal of Law and Information Technology, vol. 23, num: 4, pp: 348-371., 2015

Abstract

In line with the overall trend individuals’ personal affairs, too, are composed of digital records to an increasing amount. At about the same time, the era of local storage in end user equipment is about to give way to remote computing where data resides on third party equipment (cloud computing). Once information, and even the most personal one, is no longer stored on personal equipment the relationship between individual users and their digital assets belonging to them is becoming increasingly abstract. This contribution focuses on the implications of cloud computing for individuals’ unpublicized digital records. The question to be answered is whether - taken together - the progressing virtualization and the disruption of physical control produce a backslide for individual positions of rights. The paper introduces the legal treatment of users’ digital personal records and how a technical transformation in combination with disparate legal protection and prevailing commercial practices are bound to impact the distribution of rights and obligations.

Links

cloud computing, Consumer law, control, EU law, Grondrechten, Privacy, security

Bibtex

Article{nokey,
	title = {Your Digital Home is No Longer Your Castle: How Cloud Computing Transforms the (Legal) Relationship between Individuals and Their Personal Records},
	author = {Irion, K.},
	url = {http://www.ivir.nl/publicaties/download/1584.pdf},
	doi = {https://doi.org/10.1093/ijlit/eav015},
	year = {0929},
	date = {2015-09-29},
	journal = {International Journal of Law and Information Technology},
	volume = {23},
	number = {4},
	pages = {348-371.},
	abstract = {In line with the overall trend individuals’ personal affairs, too, are composed of digital records to an increasing amount. At about the same time, the era of local storage in end user equipment is about to give way to remote computing where data resides on third party equipment (cloud computing). Once information, and even the most personal one, is no longer stored on personal equipment the relationship between individual users and their digital assets belonging to them is becoming increasingly abstract.
	This contribution focuses on the implications of cloud computing for individuals’ unpublicized digital records. The question to be answered is whether - taken together - the progressing virtualization and the disruption of physical control produce a backslide for individual positions of rights. The paper introduces the legal treatment of users’ digital personal records and how a technical transformation in combination with disparate legal protection and prevailing commercial practices are bound to impact the distribution of rights and obligations.},
	keywords = {cloud computing, Consumer law, control, EU law, Grondrechten, Privacy, security},
}

The Diginotar Case: Internet Security is No Abstract Matter external link

van Eijk, N.

Computers & Law Magazine of SCL, num: 6, pp: 1-2, 2013