Heard the one about the two landmark EU data rights' rulings? These countries haven't

Their data slurp laws don’t comply with human rights – watchdog

Most EU member states’ rules on data retention do not comply with fundamental human rights, according to a survey by civil rights campaign group Privacy International.

The group assessed (PDF) the legislation on bulk data retention - which asks telcos to store large amounts of data for access by government agencies - in 21 member states, finding that laws are “poorly drafted”, outdated and lack clarity.

The work focuses on how the member states’ legislation stands up to two recent landmark judgements from the Court of Justice of the European Union - the 2014 Digital Rights Ireland case and the 2016 case brought by Labour MP Tom Watson and Swedish telco Tele2.

The first of these saw the CJEU rule one EU directive (No2006/24) invalid, while the second reaffirmed the court's position, and stressed that access to retained data must only be given in cases of serious crime.

Member states are legally obliged to comply with CJEU rulings and should update their national legislation to do so - but an investigation by Privacy International has shown this is not the case.

The group asked whether 21 member states’ legislation - including that of the UK, Luxembourg and Germany - was up to date with the CJEU’s decisions.

It found that 40 per cent of the countries still had a pre-2014 regime in place: a number of countries, including Croatia, France and Portugal, have yet to repeal or amend their laws as a result of the Digital Rights Ireland case.

Privacy International said that some national courts had been interpreting Digital Rights Ireland “compatibly with their national legislation”, while others - including the Czech Republic - have "recognised the national regimes’ flaws but have not invalidated them".

The group added that most of the countries that have changed their laws have only done so in response to challenges brought by human rights NGOs in national courts, rather than by parliaments making proactive changes.

Governments and legislators have been “largely inactive”, the group said, with the exception of Luxembourg, as the Ministry of Justice formulated a new bill in 2015 - but this has yet to come into force.

Meanwhile, some 20 per cent of countries that do have new legislation are still not consistent with the most recent ruling, the Tele2 case in 2016, including Bulgaria, Belgium and Italy.

These regimes “might allow indiscriminate retention of data in bulk or provide vague and ill-defined regulation on access to that data by relevant authorities”, the report said.

In the UK and Sweden, litigation is still underway and no amendments have been made to existing laws, the report said.

Indeed, data retention legislation is still being considered, or is on hold, in 30 per cent of countries - including Austria and the Netherlands - the report said.

But Privacy International was critical of the delay, saying: “We are now eight months into the CJEU decision, and the slow pace by which changes are evolving in these jurisdictions is concerning, given how impactful these data retention regimes are on Europeans’ fundamental rights and freedoms.”

The group called on the member states to review their legislation and amend it as necessary, while asking the companies subject to the laws to challenge countries if the legislation isn’t compliant.

It also recommended that the European Commission issue guidance for states to review their data retention laws, to ensure they are compliant with the fundamental rights as the CJEU has interpreted them.

The countries surveyed were: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, France, Germany, Hungary, Ireland, Italy, Luxembourg, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the UK. ®
