The tension between privacy law and criminal law is a ticking time bomb. Under pressure from Europe, the legislative framework that governs which communication data companies are allowed to retain about us is threatening to collapse. In other words: without that framework, data retention becomes impossible. A good thing for our privacy, but at the same time “we are heading for an unmitigated disaster”, says Gert Vermeulen, professor of international criminal and privacy law.
There is a good chance that you do not remember where you were last year on, say, 13 February at 2 p.m. or with whom you WhatsApped. Communication companies, however, do know. They collect a lot of data on all citizens for billing purposes. But they also keep a record of that data. There is a retention obligation for traffic data. Governments must be able to access this data if they think that state security is at risk, or for the purpose of combating terrorism or crime. That, in itself, is a good thing.
But the fact that companies are allowed to simply keep all the data on everyone violates the right to privacy, according to privacy expert Gert Vermeulen: “Of course the safety of citizens is important. But it is mind-boggling how much data large companies like Telenet, Facebook and Google keep on us, and how easily police services and the judiciary can consult them.”
Fighting terrorism without data?
Gert knows what he is talking about: he was a privacy commissioner in the Belgian Privacy Commission, the current Data Protection Authority. He sits on many European bodies that monitor privacy and today also acts as an expert in the negotiations on an additional protocol to the Cybercrime Convention. This convention, drawn up by the Council of Europe, tries to create a global solution to the problems of cross-border access to electronic evidence in criminal cases. A privacy expert at the highest level, therefore, who helps steer Europe’s fight for privacy protection.
At the same time, he looks at the matter as a professor of international criminal law and is one of the few (if not the only) at European level who specializes in the crossroads of both domains. From the perspective of criminal law, the current evolution is a ticking time bomb.
“What if telecom companies are soon no longer allowed to keep data? Then police services are faced with a very serious problem. How can they still crack down on terrorist networks, for example? Imagine the aftermath of the Brussels attacks without the possibility of using data traffic. The perpetrators would never have been caught.”
Privacy and crime do seem inextricably linked. You cannot touch one without also affecting the other.
The end of the illusion of security
Since the attacks of 11 September 2001, the illusion of security has come to an abrupt end, especially in Western countries. From that moment on, America resolutely chose the safety of its citizens over their freedom. Barely a month after the attacks, the USA introduced the Patriot Act, which gives the American government many possibilities for gathering information.
Under pressure from America, the European Commission followed a few years later. In 2006, an EU directive required all telecom companies in the Member States to keep track of traffic data for a period of six months to two years. Gert: “Initially, this retention obligation was mainly intended to combat terrorism: the judiciary, police and intelligence services can request communication data on citizens with the aim of protecting the state.” Soon that data was eagerly used in other cases: “Nowadays, investigators mainly request the data to crack down on drug gangs or to solve missing persons and rape cases.”
Legislation has reached its limits
The retention obligation has meanwhile been extended to everything concerning electronic communication. All this data tells us nothing about the content of the communication, but about who you are in contact with, for example, or where you are. That information is available regarding every telephone call and every message you send. Gert: “We don’t realize it, but really all the information about what we have done in the past year, about all the places we have visited, is in a kind of box. And it can open at any time. That’s absolutely terrifying.”
Despite the tendency to keep track of all that data, there is increasing recognition at the European level that general data retention violates privacy. In 2014, the European Court of Justice annulled the EU directive on data retention. The Court ruled that keeping records of an entire population is too great an invasion of privacy for too many people and is a disproportionate measure. Belgium added some extra access locks to the law, just like other European countries. But the law is still based on a general and unlimited retention obligation for operators. In October, the European Court ruled for the first time that a generalized national retention obligation violates the right to privacy, also in relation to intelligence work.
The ball is now in the court of the Member States to come up with new legislation. And that’s where the problem lies, because not much is happening. “I find it delusional that nobody is preparing for this. Our legislation is clearly at its limits. National retention laws are in danger of being overturned. And then companies will no longer be allowed to store data. That’s when we’ll have a real problem,” Gert says of the ticking time bomb.
To make the story even more complex, there is also the question of where exactly the data is located. Our communication runs not only via the classic Belgian telecom operators, such as Telenet or Proximus, but also - and especially - via fast data connections. Gert: “Every WhatsApp message I send is captured somewhere, in the cloud. Where exactly, nobody knows.”
And because there is no legal framework for this data at a global level, in reality it is often the case that police services turn to large providers. Gert: “I find that problematic too. For citizens it is not so reassuring that Microsoft, for example, can just make decisions about their data. That’s an American company, and not even one from a country where there is no rule of law.”
In order to do something about this, the Safe Harbour system was introduced between Europe and the US. Companies with offices on American soil can commit to the stricter privacy laws of the EU, and thus become ‘safe havens’ in terms of data management within the unsafe United States. But after Edward Snowden’s revelations about the NSA, privacy advocate Max Schrems went to the European Court of Justice. The court ruled that data traffic between Europe and the United States could not be carried out safely because of the generalized American government surveillance, and consigned Safe Harbour to the waste bin. New negotiations between the EU and the US led to a new framework: the Privacy Shield. But last July the European Court of Justice also declared that new framework invalid.
New model of data retention
Bottom line: all legislative frameworks on data management are actually problematic. Yet data can be very useful: “A lot of cases are solved that way. The use of traffic data is so convenient that it has become an essential tool. Everyone counts on all that data just being available. If that data disappears tomorrow, it would be a disaster. And for the time being, all services are burying their heads in the sand.”
That is why Gert has been trying for years to warm policymakers and practitioners to a new model of data retention that keeps the balance between privacy and criminal law. He is currently working on a number of building blocks.
Christmas markets and smugglers
His model works with selectors and moves away from general data retention: you no longer keep all data on everyone, but retain data only on the basis of certain criteria. “That is not easy, because you cannot discriminate. You have to exclude certain prejudices.” This can relate to, for example, ethnic profiling. “But it is perfectly possible: you can select on the basis of objective data that you obtain from knowledge about crimes in the past or from targeted detective work. So we can translate that knowledge into a selective retention obligation.”
He gives a concrete example. “Suppose we know that there is an increased risk of a terrorist attack at Christmas markets. Then you can collect all the data from all the Christmas markets in the country during the Christmas period. Or another example: we know that people smugglers use a certain route. For example, the route goes via the Maximilian Park in Brussels, via the motorway to Zeebrugge and from there to the UK. It is possible to collect data only from that route. If you see that a particular mobile device is regularly following that route, the chances are very good that it is a smuggler.”
A needle in a smaller haystack
That kind of selective data retention is in line with what the European Court of Justice has ruled. But doesn’t that mean you risk missing data? Only to a very limited extent, according to Gert: “If we can collect data in this way, it is much more effective and efficient than simply keeping track of everything for everyone. Now we are actually making it more difficult for ourselves by collecting everything. You are always looking for a needle in a haystack. With selective retention, you make that haystack much smaller.”
The model is not yet finished; it requires input from the police services themselves, and from technicians. Gert: “I am still only in the first phase. Now cooperation with different services is essential to refine it.” And then the real work begins: “I have already planted seeds here and there with both national and European security services and providers, but in the next few months I will be raising the issue more actively with them.”
The goal? “To leave alone the mass of ordinary citizens who will never pose a threat and at the same time, retain the ability to fight crime thanks to data. Privacy is a fundamental right. It is perfectly possible to use relevant personal data without violating that right,” says Gert. “Soon it will be completely impossible to keep traffic data and use it in a court case. That way things will inevitably go wrong. So implementing such a model as soon as possible is essential.”
Gert Vermeulen graduated as a lawyer in 1991. He obtained his doctorate in 1999 with a dissertation on the balance between legal protection and enforcement in cross-border information and evidence gathering in the EU. His favourite spot at Ghent University is the balcony terrace of his office on campus Aula, with a view of the three towers of Ghent.