The European Union Court of Justice (EUCJ) ruled on 8th April, 2014 that “Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC is invalid” . This ruling follows requests by associations representing civil society in Ireland (Digital Rights Ireland, Ltd.) and Austria (Verfassungsgerichtshof). It requires the European Union to provide enhanced protection for Internet and telecommunications users; while recognizing the legitimate concerns posed by criminal and terrorist activities by imposing improved protection of personal data and privacy.
Last few years, internationally; the system, the legislation and the politics have revolved around giving assurances that data protection is being ab/used and is definite must to combat crime. To top it up the principle applied has been – don’t worry, if you have nothing to hide; while a general suspicion of the broad population is always being considered or understated as sort of “collateral “damage”; or The end justifies the means. However, there is very little data available on how such large-scale collection and retention of citizen data by governments in the name of national security is helping in reduction of crime.
The EUCJ establishes clearly as part of its ruling:
• The existence of an interference with the fundamental right to privacy by collecting and retaining data available in public information network, it does not matter whether the information on the private lives concerned is sensitive or whether the persons concerned have been inconvenienced in any way.(Para 33)
• Directive 2006/24 provided for criminal prosecutions even in case of indirect or remote link without any evidence for whom the electronic data is being retained. The person can be implicated without any knowledge of how he/ she is involved by being just in a situation. There is also no exception even to persons whose communications are subject, according to rules of national law, to the obligation of professional secrecy (Para 58)
• Absence of time period of retention and objective criterion for access of the data by others (Para 59 & Para 62)
This ruling besides being landmark can be termed as one of the most advanced legislation in the world regarding the protection of Internet user’s rights and privacy, though; it raises questions at home and internationally.
• Justice A P Saha report which is the bedrock for formulating privacy legislations in India mentions in Sec 7.9 that the Privacy Act in India must articulate the constitutional basis of privacy as a fundamental right deriving from Article 21 of the Constitution of India and in Section 7.10 talks about exception to the rights in case of national security, public order or disclosure in public interest which may require reevaluation.
• Data Security Council of India (DSCI) framework on Security and Privacy which works on Industry specific privacy standards and has embodied the elements of national privacy principles and includes distilled guidelines of best privacy and security practices around the world now needs to be specific.
• ICANN – the agency for maintain the domain name system of Internet; will have to relook into the contracts for top level domains (TLD) specifically for the EU registrars and maintaining the WHOIS service globally.
For those not familiar with the legal system of the European Union, when the new Directive will have been adopted as a result of this ruling, it will be transposed into the national legislation of each Member State. And this may take some time.