Statute of limitation and Data Retention Corporate Policies

There is a common opinion that personal data should be deleted almost immediately and, anyway, as soon as they become useless: a sensitive problem in particular under the (now defunct) Data Retention Directive, once the mandatory retention period expired.

This position is not correct since a company has a legitimate motive – and a legal obligation – to preserve whatever information, including personal data, that are necessary to abide the law and to protect both its right of defense and the right to a due process. This means that under the term set forth by the Statute of limitation a company might, at its own will, choose to continue retaining personal data of its customer base.

In Italy, the ordinary Statute of limitation is ten years. So companies can be sued by customers and tax authorities for alleged charges that go way back into the past. This is what happened in a court case tried in front of the Justice of peace of Grosseto (Tuscany) that on January 2014 ruled a quarrel started in 2011 between a telecom company and a client. The ruling said that, under the rule of evidence for civil trials, the telecom company has the duty to provide evidence of having actually delivered its services and that this duty is fulfilled by showing the traffic-data log.

It is clear that by interpreting the Italian Data Protection Act in a way that forces the deletion of the traffic data after a few months, an ISP or a telecom operator wouldn’t be able to defend itself if the trial starts within the Statute of limitation term but after the traffic data have been deleted.

A similar situation might happens in the antitrust field and in case of investigations run by the Italian Internal Revenue Service, so the conclusion is that the Data Protection Legal Framework cannot be interpreted in such a strict manner to endanger the legitimate rights of a company.

The Impact of the Data-Retention ECJ Ruling on the Law Enforcement Activities

From the Law Enforcement perspective, the ECJ ruling that on Apr. 8, 2014 declared invalid the Data Retention Directive didn’t harm its investigation to such a greater extent as somebody has claimed. There are, indeed, other legal tools that can be used to fit the purpose of getting traffic data of interest.

First, ISPs and telco operators might still retain traffic data for other legitimate purposes and for longer periods than the six months “sponsored” by the ECJ. This can happens either with the consent of the customer (for marketing and commercial purposes) or without (in case the traffic data have to be retained to meet under a statutory term (in Italy, ten years) the legal obligation to provide evidence to the tax authorities that the billed services have actually been provided and that the ISP is not involved in a money laundering activity. Thus as soon as some data – though not all the one retained under the now defunct DRD – are available, a prosecutor can always seize it.

Second, the Budapest Convention on cybercrime allows the public authorities to issue a “data-freeze” order to avoid the deletion. Again, this might be a second best solution, but it is currently working and viable.

Third, the national Data Protection Authorities have the power, under the Directive 95/46, to issue orders to “customize” the implementation of this legal instrument so to match the requirements of the ECJ, thus legally keeping alive, though maybe partially, the intrinsic admissibility of the data-retention as such under the current European Data Protection legal framework.

The EU Data Retention Directive Trashed by the EU Court of Justice

Today the Europan Court of Justice has declared invalid the Data Retention Directive that forced ISP’s to retain some traffic data to be made available for the law enforcement agencies. Though the decision is immediately effective, until the local parliaments don’t update the concerned internal regulations, as crazy as it may sounds,  the data-retention is still a legal obligation to be fulfilled.

It would be of great help if the local data protection authorities would issue a statement saying that they will not enforce anymore their own controls on data-retention, since any activity in this direction could be challenged on the ECJ decision.

A final remark: how is it possible that the data-protection authorities all over Europe didn’t spot the “little”, “tiny” problem of the Data Retention Directive?

Friday Night (Data Retention) Fever

Here is a real case that happened just a couple of days ago, while helping an ISP to find a way to handle the deletion of data after the mandatory term imposed by the Eu Data Retention Directive expires. Whatever the solution, thank to the rigidity of the provisions, a law will not be obeyed.

Background:

  •   The automatic processing of the data-deletion is usually made so that a script matches daily the data-creation date with the current date, and if the match says that the retention term is expired, then the script delete the data,
  • The only exception is a “freeze” order issued by a Court or a prosecutor. In this case it is possible to avoid the requested data to be destroyed,
  • The “freeze” order are notified either by fax, secure email or direct order to the “Protocol department” (that handles the incoming communications, and that “route” the messages to the concerned people),
  • While when the offices are closed there is always at least one resource belonging to the technical department to be alerted in case of urgency, the administrative offices just shut down the curtains of Friday at – say – 5P.M.,

Scenario:
– let’s say that a secure mail or a fax containing the “freezing” order arrives when the Protocol Department is closed. This means that the request will be processed the next day,

– let’s say that the “freezing” order concerns data that are going to be destroyed the very same Friday night when the order arrived,

What happens is that the “freezing” order arrived timely, before the data were destroyed, but since the internal route of the order is handled when the term is expired, the data have been deleted.

A possible solution could be to extend the deleting time frame of three days (thus accounting for the week-end gap) but it doesn’t work. Here is why.

If I have to destroy the data on Friday, and I kept it until Monday just to check if some Court order has been notified in the meantime, it might happens that on the very same Monday a Court order might be notified in relationship to the Friday-to-be-deleted data (when the data are supposed not to exist anymore).

So, if I follow the DRD I must refuse to comply with the Court order because though the data are there, they can be processed only if the Court order were notified within the original term. On the other hand, I can’t refuse to obey to a Court order, if I still have the concerned information.

A contemporary version of the Buridan’s Ass Paradox.

 

Data Protection vs Data Retention

One of the oddities of the Data Protection legal framework is the relationship between Data Retention and Data Protection and the (wrong) notion that when the retention period has expired, the retained data must be deleted.

Let’s start from scratch: as soon as the services work properly, an ISP has no need to preserve the traffic data, but since we don’t live in a perfect world, problems happen so it is necessary to retain some information for troubleshooting and traffic shaping; furthermore, customers’ claims, billing and legal issues strongly support the need to save some more information. Thus, ISPs – though on a voluntary basis – do collect and retain traffic-related information as long as these information are useful to pursue legitimate goals.

Enter the Data Retention. With a questionable motive, ISPs are now forced – forced – to retain for a limited time some traffic data for the sake of the law enforcement community. In other words, what before the Data Rention Era was voluntary, now is mandatory.

But what happens when the mandatory retention period expires? The answer is (supposed to be) easy: the ordinary Data Protection legal regime comes back into force, so the ISPs are – or should be – free to either continue keeping those data (for legitimate purposes) or deleting it.

The Datagate Legal Implication under German Law

An interesting article from Axel Spies, a Washington-based ICT lawyer, assesses the impact of the US spying over the German Chanchelor, Angela Merkel.

Here is an excerpt from the “Conclusion” section:

Most Blog participants were more pessimistic about the legal remedies having any leverage against spying. To quote a key statement in the Blog: “What Germany can “legally” do against wiretapping is likely to be on a similar level as asking what Pakistan can do ” legally” against U.S. drone attacks on its territory. Politically, maybe some counteraction in the areas of punitive tariffs on imports from the U.S. or the termination of international treaties is conceivable. But this is less a question of being allowed, rather than being able to follow through with sanctions and thus hardly the subject of a legal discussion.” Müller further added this observation: “If there were an effective counter-espionage [in Germany], also against supposed “friends” [in the U.S.], then it would hardly be possible to spy on the head of a befriended government’s private and political communication.”

The freedom of being a stone-age man or I don’t want to live “smart”

One of the most revealing books I’ve read (that I translated into Italian for local publisher) is Alan Cooper‘s The Inmates are Running the Asylum. Is a book about programming and the fact that core decisions come from a bunch of geeks working down below the basement of the company’s building, while marketing and PR guys occupy the fancy upper floors (have you seen the British sit-com “The IT Crowd“?) Continue reading

Aggregate data and Italian Data Protection Authority

An Italian Data Protection Authority decision issued on June, 25, 2009 set the deadline of Sept. 30, 2009 for telco operators and ISPs that must notify the Data Protection Authority the list of their mining activities executed on customers’ aggregate data (such as traffic volumes, paths and so on.) The aim of this decision is to spot illegal (at least, under Data Protection Authority opinion) data handling “masked” by activities performed to keep the infrastructure running

The Data Protection Authority, after having received the information, will decide what can be still done without informing the customer, what can be done AFTER having informed the customer and obtained his approval and what cannot be done at all. Furthermore, the Data Protection Authority will release a set of technical and management rules to ensure the concerned subjects’ compliance.

If these new set of rules will mimic those recently established for data-retention purposes and system administrators, telcos and ISPs will face again a mayhem of useless bureaucracy so hard to understand that the Data Protection Authority itself did release a FAQ to explain what these regulation actually meant (and we’re still waiting for the FAQ interpretation.)

Although the decision is limited to the Internet and telephony world, it is clear that in the near future it will affects too energy firms, banks, insurance companies and, in general, everybody who relies upon aggregate data to tweak its supply chain of services.

Once again, the Italian Data Protection Authority is proved to be one of the biggest blocking factor of Italian telco market, while not granting citizens some sort of protection.

Italy To Enforce A Global Censorship Legislation?

a contribution to European Digital Rights Intiative‘s bulletin, EDRI-Gram

The Italian Senate approved – and the Camera dei deputati (Italian “Low Chamber”) is ready to finally pass – draft law 733 named Pacchetto sicurezza – “Security Package”, a series of (supposely) coordinated provisions aimed at improving, whatever that means, police bodies and public prosecutors powers.
Of course, the law wouldn’t have been complete without “taking care” of the Internet, and legislators didn’t lose the chance. Under sect. 50 bis of this forthcoming law, if a public prosecutor has “serious circumstantial evidence” of a criminal online activity (to be specific: inciting crime) he can ask the Minister of Home Affairs to issue a “shut down” order. This order, aimed at ISPs, simply shut down the “concerned” network resource with no trial. ISPs refusal to comply with Minister’s order should be fined with a penalty up to 250 000 Euros.
The provision is clearly flawed from a constitutional standpoint. The basis of every western democracy, indeed, is the separation of power, thus is not legally possible to have such a cross-jurisdiction mess between the public prosecutor (the judiciary power) and a Ministership (the executive power). Furthermore, there would have been a double trial for the same fact, one of which (the Home Affair Ministership one), done without the legal guarantee of a criminal trial (fair process, etc.).
But this is only the tip of the iceberg. Crime-inciting wrongdoing is very difficult to handle, since the border between free-speech and law violation is often blurred (would a website supporting freedom fighter of a country be – per se – inciting to commit crimes?). Furthermore, if ISP’s must prevent access to a network resource located outside their network (abroad, for instance) this would mean that the result will be achieved through deep-packet inspection, or similar, privacy threathning techniques. Thus – with the excuse of “protecting” Italian citizens – the D’Alia amendment (named after the MP that proposed it) is likely to be the first step toward a global censorship system. A Cassinelli amendment (again, from the MP name of its author) that followed the D’Alia one, tried to circumvent the above mentioned problems, but with no real changes in the substance of the matter and the political, net-phobic approach.
Italy had a “sound” tradition in trying to enforce citizen’s global surveillance systems through ISPs and telco operators, adopting every sort of justifications (from copyright, to child pornography, to online gambling and now to crime-inciting actions). Oddly enough, nevertheless, these “good intentions” fell always on innocent citizens’ shoulders, while true criminals stay absolutely free. Or, to put it straight: to (maybe) catch a few criminals, the whole nation network usage will be subjected to “third parties” – namely, ISPs – systematic scrutiny.

So long, human rights.