The Dutch data retention law will have its day in court on Feb. 18, when the District Court of the Hague hears a legal challenge to it filed by a broad coalition of organizations. The Dutch government decided in November largely to maintain the national data retention law on the grounds that it “is indispensable for the investigation and prosecution of serious criminal offenses.” Only a few adjustments to the law were deemed necessary, mainly tightening who has access to the data and under which circumstances. By maintaining the law, the government also ignored the advice given by the Council of State, a constitutional advisory body that concluded that the Dutch data retention law should be withdrawn because it violates fundamental privacy laws.
A new law on cybersecurity, previously reported in the EDRi-gram, was adopted by the Romanian Parliament at the end of 2014. The law gives the Romanian Intelligence Agency (SRI) access to any computer data owned by private companies, without a court order. The law was sent to the Constitutional Court for analysis and it will be judged on 21 January 2015.
Moreover, the situation regarding surveillance practices in Romania seems to have recently become even blurrier. Even as the events in France were unfolding, a special inter-institutional group formed by several ministries and SRI had already met a couple of times to decide about a revival of the surveillance laws declared unconstitutional in 2014 – the data retention law and the mandatory registration of telephony prepaid cards.
The European Parliament (EP) legal services last week presented an opinion on the Court of Justice of the EU’s (CJEU) ruling on the Data Retention Directive (DRD) and its implications. The opinion, after restating the principles that are essential to permit any interference on fundamental rights (proportionality, justification and necessity), answered specific questions raised by the Civil Liberties, Justice and Home Affairs.
For Mexico City, the International Data Privacy Day also marks the official endorsement by the Mexican Federal District data protection authority (InfoDF) of the International Principles for the Application of Human Rights to Communications Surveillance, 13 guiding principles about limiting surveillance. This is timely, as the Mexican Federal Telecommunications Agency (IFT) is currently developing guidelines for cooperation between the government and the Internet Service Providers. This guidelines are one step towards the implementation of the data retention mandate law adopted last year.
An inquiry revealed that the new mandatory data retention scheme in Australia still remains unclear for telecommunications and service providers. While it is clear that organisations would need to retain data, it is less clear, for example, whether providers of voice-based web services would need to keep data for two years.
Moreover, the president of the online privacy advocacy group Electronic Frontiers Australia, Jon Lawrence, raised considerable concerns about the proposal on privacy grounds. He said the nature of the data to be retained needed to be articulated in the legislation, and not in a regulation made subsequently by the attorney general.
Additionally, in written submissions to the inquiry, most law enforcement agencies were unable to provide information on how telecommunications data has been used to prevent crime and the age of the data requested.
Today, 8 January 2015, the Ministry for Information Society called an inter-institutional working group to urgently analyze CJUE data retention decision’s impact on national law. Using the terrorist attacks in France as pretext, Romanian authorities are pushing for the urgent adoption of a package of mass surveillance measures which violate fundamental rights.
This comes in the context of the Parliament's unanimous vote on the Law on cybersecurity which states that 'owners of a cyber infrastructure' (basically every legal person with a computer) needs to allow access to data at the simple demand of 9 different Romanian security and intelligence agencies. The cybersecurity law was sent to the Constitutional Court on the 23rd of December 2014.
So far, the Romanian Constitutional Court declared the data retention law unconstitutional two times. The last decision was on the 8th of July 2015 (see some remarks in English here and in Romanian here). At the same time, the Court also declared unconstitutional the law for registering pre-pay SIM cards and Wi-Fi users by Decision no. 461 of 16 September 2014 (available here in Romanian). This was the 4th attempt to introduce this kind of law in the last 3 years.
Civil society and private parties are left out of any discussion.