Privacy: France and the Internet

France with its near socialist culture would be expected to have leanings towards liberty and freedom, particularly because of its close relation with the ECHR, which upholds the Human Rights Act, and includes Article 8 and the right privacy.

However, the current President Sarkozy, has put forward a law which would effectively ban illegal downloading, with the punishment of banning internet access to anyone caught. This would be enforced by monitoring access to the internet, possibly with software installed on the internet users machines, to detect file downloading activity. Which has huge ramifications.

Much of the French legal system is not keen on this, and its unlikely to go ahead. But the fact that this is being pushed forward is a worrying trend.

The President’s wife lives in the light of the media and movie industry, as do his close friends  and supporters, and Sarkozy certainly does not hide from that industry.

The fact that such a strict law, which would fundamentally change peoples access to data, could be proposed by somebody who is closely linked with the movie industry is a worrying  fact.

But having seen the UK’s seedy underbelly of expenses in Parliment, it is hardly surprising.

Prum Convention: Technology

The Prum Convention, which has many detractors (not lost of which is the House of Lords), is quietly increasing its footprint.

Just this month the Belgium police released a new fingprint system, this has several benifits including being more accurate, but it also allows more effective exchange of data with those countries signed upto the Prum Convention.

But fingerprints are infallable, so surely that cannot be a problem?

Data Retention: Article 29 Working Party

Within the EU there is a body with the catchy title of “Working Party on the Protection of Individuals
with regard to the Processing of Personal Data”, this group produces guidelines and policy in relation to personal data on every thing from the police to direct sales.

Despite a name that just rolls off the tongue, the Working Party are often known simply as “Article 29 Working Party“,  this is because they were formed under Article 29 of the even more catchy “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

Article 29 states that:

  1. A Working Party on the Protection of Individuals with regard to the Processing of Personal Data, hereinafter referred to as ‘the Working Party’, is hereby set up.
    It shall have advisory status and act independently.
  2. The Working Party shall be composed of a representative of the supervisory authority or authorities designated by each Member State and of a representative of the authority or authorities established for the Community institutions and bodies, and of a representative of the Commission.
    Each member of the Working Party shall be designated by the institution, authority or authorities which he represents. Where a Member State has designated more than one supervisory authority, they shall nominate a joint representative. The same shall apply to the authorities established for Community institutions and bodies.
  3. The Working Party shall take decisions by a simple majority of the representatives of the supervisory authorities.
  4. The Working Party shall elect its chairman. The chairman’s term of office shall be two years. His appointment shall be renewable.
  5. The Working Party’s secretariat shall be provided by the Commission.
  6. The Working Party shall adopt its own rules of procedure.
  7. The Working Party shall consider items placed on its agenda by its chairman, either on his own initiative or at the request of a representative of the supervisory authorities or at the Commission’s request.

Even back in 1997, just a few years after the Article 29 WP, was set up it published a report identifying the problems of companies collecting large amounts of data about EU citizens.

The report  entitled,  Anonymity on the Internet, stated that:

Over the past 25 years it has become apparent that one of the greatest threats to this fundamental
right to privacy is the ability for organisations to accumulate large amounts of information about
individuals, in a digital form which lends itself to high-speed (and now very low-cost) manipulation,
alteration and communication to others. Concerns about this development and the potential misuse
of such personal data has led all European Member States (and now the Community with directive
95/46/EC) to adopt specific data protection laws which set down a framework of rules governing
the processing of personal information.

Over the past decade  with the development of the data protection laws within the EU and its member states, Article 29 WP has continued to push for  better privacy and protection for inidivuals.

In 2008 Article 29 WP started to push the search engines to reduce the amount of data they retain from EU citizens, with a push for the data to be stored no longer than 6 months.  Google has reduced its data retention to 18 months, Microsoft is considering 6 months,  and Yahoo! has stated it will go as low as 3 months.

S and Marper: Will the Police Delete your DNA?

After the  historic ruling at the ECHR  for S and Marper v United Kingdom, there is an expectation that the police will be forced to delete all of the DNA collected and retained from  innocent people.

While they [the Police] probably should delete the DNA samples collected from people who were never charged or found not guilty, there is no major announcement from the Home Office to that effect.

In fact, even if the UK creates a new law, based on this test case stating that Police cannot retain DNA from the innocent/non convicted people they may still not delete the data,  for a simple reason – there is no deterrent to keeping it, even if retaining the DNA is illegal.

In US Law there is the concept of “fruit of the poisoned tree”. This means that not only is evidence collected illegally inadmissible it also  means that all evidence found from that information is also inadmissible. For example if a search is illegal, and the search reveals evidence that proves a case, that evidence will not be accepted.

In the UK this is not the case, in fact there are specific laws addressing just this question.

Section 78 of PACE allows the courts to exclude information if it is has been collected illegally, but it does not require it. In fact there are several cases where data that has been collected illegally, has been allowed. Section 76 of PACE deals with similar issues, but in relation to coerced confessions.

Therefore if the police retained the DNA evidence, rather than deleting it it, and then used the DNA sample to locate somebody then that conviction would probably stand, i.e. there is no deterrent to reatining, illegally,  the DNA samples held.

In fact there is case law to support this exact case.

Test Case – ATTORNEY GENERAL’S REFERENCE NO. 3 OF 1999  (14 DECEMBER 2000)

In 1990s when the DNA collection laws where first created the police could only collect DNA after charging, and then had to delete the sample if the individual was found not guilty. This was prior to the laws changing in 2001 and 2004, which allowed the police to take DNA prior to charging and retain it even if the person was not guilty. It is this change in the law that led to the  S and Marper case.

In 1997, when the original DNA collection laws were in place, a male committed a particularly horrific rape of on a 66 year old woman. The offender was detected via a DNA sample left at the scene,  which was matched against the National DNA database. The offender was arrested and  new DNA sample taken (as there always is), and the DNA match confirmed. This DNA evidence resulted in the conviction of the offender. However, the defence team appealed this as the original DNA sample, which led to the arrest was obtained from crime he was not convicted of, and as such should have been deleted.

This argument was initially won, in the Court of Appeal, but was then referred to the House of Lords, at which point the House of Lords stated the DNA sample should have been allowed to be used. As the House of Lords is the superior court this means that the DNA samples that have been kept or obtained illegally can be used to detect offenders.

Therefore it is entirely possible that the following occurs:

The S and Marper case directs the UK to not collect more DNA samples prior to charging, and that those DNA samples of of innocent people that are retained should be deleted. But, the police do not delete the samples and continue to use them as evidence.

Will the police delete your DNA? Probably not.

Internet Censorship

On 18th April 2008 the EU decided to start the censorship of the Internet; with similar laws to our liberal cousins in Saudi Arabia.

The EU stated in the press release of the time:

Today the Council reached a common approach on the amendment of the Framework Decision on combating terrorism proposed by the Commission on 6 November [2007]. The amendment up-dates the Framework Decision making public provocation to commit a terrorist offence, recruitment and training for terrorism punishable behavior, also when committed through the Internet

While this all sounds very laudable, stopping terrorism and the exchange of biological weapons on the Internet, there are a few concerns about this:

Firstly, who decides what “training for terrorism” is? Would a stag weekend in eastern Europe, involving firing machine guns count? What about kids fastening fireworks together? Or what about students reading the Jolly Rodger Cook Book?

Secondly, what if this definition shifts slightly? The UK have “shifted” laws over time, initially only the fingerprints of the guilty could be taken, then it was anyone arrested, now the government is issuing guidelines that allows children as young as 4 to have their fingerprints taken at school (2 million taken so far).  What if, once the powers have been created, the governments decide to tweak the laws slightly and change the phrasing to “terrorist related training”? That would hardly make the news but it could mean that paint-balling could count as training, or what about web sites that have information about how easy it is to avoid CCTV , ANPR, or  fingerprint scanners? Would they be shut down?

Thirdly, the UK has lived with the IRA for 300 years, the Spanish have ETA, the French have the Algerians, and Germany had “Munich”, yet despite all of this nobody suggested censorship on this scale – its worth pointing out that the IRA killed more than the 9/11 attacks.  So why the the sudden fear of the bogey man? What’s the driving force?

Finally, who are the biggest arms dealers in the world, who are the ones who buy and sell weapons to dubious regimes around the world? The 5 biggest dealers are – USA, China, Russian, UK and France.

Companies like BAe, Lockheed Martin and others clearly sell weapons, often to places that conduct torture and, by many legal definitions, terrorism. But, despite this they will almost certainly be allowed to  have a web site.

So who is the censorship aimed at?

I v Finland: Background

Below is the background of the case of I v Finland, in which an individual, “I”, sued the Finish government in the ECHR for failing to protect her medical records.

Background of the Case:

The claimant “I” was a nurse who worked in Finland. Between 1989 and 1994 she worked on fixed terms contracts in a state/public hospital (i.e working for Finland). From 1987 onwards “I” had become a patient at the same hospital she worked at,  as she had been diagnosed with HIV.

In early 1992 “I” began to suspect that her colleagues were aware that she had HIV.  In the early 1990’s staff had free access to the patient lists and who was being treated by who, so it was entirely possible that they would find out.

In the summer of 1992  I confided her suspicions to her doctor in summer 1992, the hospital’s register was amended so that only the treating clinic’s personnel had access to its patients’ records. i.e a person in the Oncology unit could not see who was being treated in the HIV unit. In addition to this the applicant was re-registered under a false name, to try and hide her identity. Apparently, to further try and hide her illness she later had her identity was changed and she was given a new social security number.

In 1995 the  “I”  lost her job as her temporary contract was not renewed. She believed that this was because of access to her medical records 3 years earlier.

On 25 November 1996, the applicant complained to the County Administrative Board (lääninhallitus, länsstyrelsen) in Finland, requesting it to examine who had accessed her confidential patient record.  F

ollowing this request, the director in charge of the hospital’s archives provided a formal statement with the County Administrative Board. The statement said that is was not possible to find out who, if anyone, had accessed the applicant’s patient record as the data system revealed only the five most recent consultations  – and this was by department and not a named individual. And even this scant information was deleted when the records were returned to the archives.

Following this investigation the Finnish County Administrative Board decided, on 20 October 1997, that there e should be privacy for the individual, but the records are not detailed and therefore Board concluded that it could not further rule on whether information had been viewed inappropriately.

However, it did advise the records should be changed so that access to the files is recorded in the future.

As a result of this decision by the board the hospital’s register was amended,  in March 1998, so that it became possible retrospectively to identify any person who had accessed a patient record.

In 15 May 2000, the applicant “I” instituted civil proceedings against the District Health Authority (sairaanhoitopiirin kuntayhtymä, samkommunen för sjukvårdsdistriktet), which was responsible for the hospital’s patient register at the time of the incident, claiming non-pecuniary and pecuniary damage for the alleged failure to keep her patient record confidential.

On 10 April 2001, the District Court (käräjäoikeus, tingsrätten) rejected the action.  The applicant then appealed to the Court of Appeal (hovioikeus, hovrätten), maintaining her claim that the hospital had not complied with the domestic law, in breach of her right to respect for her private life

On 7 March 2002, the Court of Appeal, found against the applicant and ordered her to pay costs for the respondents legal expenses for both the district court and appeals court – 2,000 and 3271 euros  respectively.

Following this “I”, then applied to the Finish Supreme Court (korkein oikeus), claiming that there been a violation of her right to respect for her private life. On 23rd Decemeber 2002 the Supreme Court refused leave to appeal.

Still pursuing the case “I” applied to the ECHR and requested that her name was with held. On  20th June 2003 the president of the Chamber (Nicolas Bratza) agreed to this. On 19th January 2006 the ECHR decided that there was a case to hear.

On 17th July 2008 the court decided in favour of “I” and against Finland

S and Marper v UK: Judgment

The judgement for the historic case of S and Marper v the United Kingdom is below.

The background case details for S and Marper are available here

Result for the case, in brief, are available here

The key question, of “Will the police delete DNA as a result of the ruling” is discussed here?


EUROPEAN COURT OF HUMAN RIGHTS

880

4.12.2008

Press release issued by the Registrar

GRAND CHAMBER JUDGMENT
S. AND MARPER v. THE UNITED KINGDOM

The European Court of Human Rights has today delivered at a public hearing its Grand Chamber judgment1 in the case of S. and Marper v. the United Kingdom (application nos. 30562/04 and 30566/04).

The Court held unanimously that:

· there had been a violation of Article 8 (right to respect for private and family life) of the European Convention on Human Rights;

· it was not necessary to examine separately the complaint under Article 14 (prohibition of discrimination) of the Convention.

Under Article 41 (just satisfaction), the Court considered that the finding of a violation, with the consequences that this would ensue for the future, could be regarded as constituting sufficient just satisfaction in respect of the non-pecuniary damage sustained by the applicants. It noted that, in accordance with Article 46 of the Convention, it would be for the respondent State to implement, under the supervision of the Committee of Ministers, appropriate general and/or individual measures to fulfil its obligations to secure the right of the applicants and other persons in their position to respect for their private life. The Court awarded the applicants 42,000 euros (EUR) in respect of costs and expenses, less the EUR 2,613.07 already paid to them in legal aid. (The judgment is available in English and French.)

1.  Principal facts

The applicants, S. and Michael Marper, are both British nationals, who were born in 1989 and 1963 respectively. They live in Sheffield, the United Kingdom.

The case concerned the retention by the authorities of the applicants’ fingerprints, cellular samples and DNA profiles after criminal proceedings against them were terminated by an acquittal and were discontinued respectively.

On 19 January 2001 S. was arrested and charged with attempted robbery. He was aged eleven at the time. His fingerprints and DNA samples2 were taken. He was acquitted on 14 June 2001. Mr Marper was arrested on 13 March 2001 and charged with harassment of his partner. His fingerprints and DNA samples were taken. On 14 June 2001 the case was formally discontinued as he and his partner had become reconciled.

Once the proceedings had been terminated, both applicants unsuccessfully requested that their fingerprints, DNA samples and profiles be destroyed. The information had been stored on the basis of a law authorising its retention without limit of time.

2.  Procedure and composition of the Court

The application was lodged with the European Court of Human Rights on 16 August 2004 and declared admissible on 16 January 2007. The Chamber to which the case was assigned decided to relinquish jurisdiction to the Grand Chamber on 10 July 20073.

The National Council for Civil Liberties and Privacy International were granted leave to intervene in the written procedure before the Grand Chamber.

A public hearing took place in the Human Rights building, Strasbourg, on 27 February 2008.

The judgment was given by the Grand Chamber of 17 judges, composed as follows:

Jean-Paul Costa (France), President,
Christos Rozakis (Greece),
Nicolas Bratza (United Kingdom),
Peer Lorenzen (Denmark),
Françoise Tulkens (Belgium),
Josep Casadevall (Andorra),
Giovanni Bonello (Malta)
Corneliu Bîrsan (Romania),
Nina Vajić (Croatia),
Anatoly Kovler (Russia),
Stanislav Pavlovschi (Moldova),
Egbert Myjer (Netherlands),
Danutė Jočienė (Lithuania),
Ján Šikuta (Slovakia),
Mark Villiger (Switzerland)4,
Päivi Hirvelä (Finland),
Ledi Bianku (Albania), judges,

and also Michael O’Boyle, Deputy Registrar.

3.  Summary of the judgment5

Complaints

The applicants complained under Articles 8 and 14 of the Convention about the retention by the authorities of their fingerprints, cellular samples and DNA profiles after their acquittal or discharge.

Decision of the Court

Article 8

The Court noted that cellular samples contained much sensitive information about an individual, including information about his or her health. In addition, samples contained a unique genetic code of great relevance to both the individual concerned and his or her relatives. Given the nature and the amount of personal information contained in cellular samples, their retention per se had to be regarded as interfering with the right to respect for the private lives of the individuals concerned.

In the Court’s view, the capacity of DNA profiles to provide a means of identifying genetic relationships between individuals was in itself sufficient to conclude that their retention interfered with the right to the private life of those individuals. The possibility created by DNA profiles for drawing inferences about ethnic origin made their retention all the more sensitive and susceptible of affecting the right to private life.

The Court concluded that the retention of both cellular samples and DNA profiles amounted to an interference with the applicants’ right to respect for their private lives, within the meaning of Article 8 § 1 of the Convention.

The applicants’ fingerprints were taken in the context of criminal proceedings and subsequently recorded on a nationwide database with the aim of being permanently kept and regularly processed by automated means for criminal-identification purposes. It was accepted that, because of the information they contain, the retention of cellular samples and DNA profiles had a more important impact on private life than the retention of fingerprints. However, the Court considered that fingerprints contain unique information about the individual concerned and their retention without his or her consent cannot be regarded as neutral or insignificant. The retention of fingerprints may thus in itself give rise to important private-life concerns and accordingly constituted an interference with the right to respect for private life.

The Court noted that, under section 64 of the 1984 Act, the fingerprints or samples taken from a person in connection with the investigation of an offence could be retained after they had fulfilled the purposes for which they were taken. The retention of the applicants’ fingerprint, biological samples and DNA profiles thus had a clear basis in the domestic law.

At the same time, Section 64 was far less precise as to the conditions attached to and arrangements for the storing and use of this personal information.

The Court reiterated that, in this context, it was essential to have clear, detailed rules governing the scope and application of measures, as well as minimum safeguards. However, in view of its analysis and conclusions as to whether the interference was necessary in a democratic society, the Court did not find it necessary to decide whether the wording of section 64 met the “quality of law” requirements within the meaning of Article 8 § 2 of the Convention.

The Court accepted that the retention of fingerprint and DNA information pursued a legitimate purpose, namely the detection, and therefore, prevention of crime.

The Court noted that fingerprints, DNA profiles and cellular samples constituted personal data within the meaning of the Council of Europe Convention of 1981 for the protection of individuals with regard to automatic processing of personal data.

The Court indicated that the domestic law had to afford appropriate safeguards to prevent any such use of personal data as could be inconsistent with the guarantees of Article 8 of the Convention. The Court added that the need for such safeguards was all the greater where the protection of personal data undergoing automatic processing was concerned, not least when such data were used for police purposes.

The interests of the individuals concerned and the community as a whole in protecting personal data, including fingerprint and DNA information, could be outweighed by the legitimate interest in the prevention of crime (the Court referred to Article 9 of the Data Protection Convention). However, the intrinsically private character of this information required the Court to exercise careful scrutiny of any State measure authorising its retention and use by the authorities without the consent of the person concerned.

The issue to be considered by the Court in this case was whether the retention of the fingerprint and DNA data of the applicants, as persons who had been suspected, but not convicted, of certain criminal offences, was necessary in a democratic society.

The Court took due account of the core principles of the relevant instruments of the Council of Europe and the law and practice of the other Contracting States, according to which retention of data was to be proportionate in relation to the purpose of collection and limited in time. These principles had been consistently applied by the Contracting States in the police sector, in accordance with the 1981 Data Protection Convention and subsequent Recommendations by the Committee of Ministers of the Council of Europe.

As regards, more particularly, cellular samples, most of the Contracting States allowed these materials to be taken in criminal proceedings only from individuals suspected of having committed offences of a certain minimum gravity. In the great majority of the Contracting States with functioning DNA databases, samples and DNA profiles derived from those samples were required to be removed or destroyed either immediately or within a certain limited time after acquittal or discharge. A restricted number of exceptions to this principle were allowed by some Contracting States.

The Court noted that England, Wales and Northern Ireland appeared to be the only jurisdictions within the Council of Europe to allow the indefinite retention of fingerprint and DNA material of any person of any age suspected of any recordable offence.

It observed that the protection afforded by Article 8 of the Convention would be unacceptably weakened if the use of modern scientific techniques in the criminal-justice system were allowed at any cost and without carefully balancing the potential benefits of the extensive use of such techniques against important private-life interests. Any State claiming a pioneer role in the development of new technologies bore special responsibility for striking the right balance in this regard.

The Court was struck by the blanket and indiscriminate nature of the power of retention in England and Wales. In particular, the data in question could be retained irrespective of the nature or gravity of the offence with which the individual was originally suspected or of the age of the suspected offender; the retention was not time-limited; and there existed only limited possibilities for an acquitted individual to have the data removed from the nationwide database or to have the materials destroyed.

The Court expressed a particular concern at the risk of stigmatisation, stemming from the fact that persons in the position of the applicants, who had not been convicted of any offence and were entitled to the presumption of innocence, were treated in the same way as convicted persons. It was true that the retention of the applicants’ private data could not be equated with the voicing of suspicions. Nonetheless, their perception that they were not being treated as innocent was heightened by the fact that their data were retained indefinitely in the same way as the data of convicted persons, while the data of those who had never been suspected of an offence were required to be destroyed.

The Court further considered that the retention of unconvicted persons’ data could be especially harmful in the case of minors such as the first applicant, given their special situation and the importance of their development and integration in society. It considered that particular attention had to be paid to the protection of juveniles from any detriment that could result from the retention by the authorities of their private data following acquittals of a criminal offence.

In conclusion, the Court found that the blanket and indiscriminate nature of the powers of retention of the fingerprints, cellular samples and DNA profiles of persons suspected but not convicted of offences, as applied in the case of the present applicants, failed to strike a fair balance between the competing public and private interests, and that the respondent State had overstepped any acceptable margin of appreciation in this regard. Accordingly, the retention in question constituted a disproportionate interference with the applicants’ right to respect for private life and could not be regarded as necessary in a democratic society. The Court concluded unanimously that there had been a violation of Article 8 in this case.

Article 14 in conjunction with Article 8

In the light of the reasoning that led to its conclusion under Article 8 above, the Court considered unanimously that it was not necessary to examine separately the complaint under Article 14.

***

The Court’s judgments are accessible on its Internet site (http://www.echr.coe.int).

Press contacts
Adrien Raif-Meyer (telephone: 00 33 (0)3 88 41 33 37)
Tracey Turner-Tretz (telephone: 00 33 (0)3 88 41 35 30)
Sania Ivedi (telephone: 00 33 (0)3 90 21 59 45)

The European Court of Human Rights was set up in Strasbourg by the Council of Europe Member States in 1959 to deal with alleged violations of the 1950 European Convention on Human Rights.

1 Grand Chamber judgments are final (Article 44 of the Convention).

2.  DNA stands for deoxyribonucleic acid; it is the chemical found in virtually every cell in the body and the genetic information therein, which is in the form of a code or language, determines physical characteristics and directs all the chemical processes in the body. Except for identical twins, each person’s DNA is unique. DNA samples are cellular samples and any sub-samples or part samples retained from these after analysis. DNA profiles are digitised information which is stored electronically on the National DNA Database together with details of the person to whom it relates.

3 Under Article 30 of the Convention, where a case pending before a Chamber raises a serious question affecting the interpretation of the Convention or the protocols thereto, or where the resolution of a question before the Chamber might have a result inconsistent with a judgment previously delivered by the Court, the Chamber may, at any time before it has rendered its judgment, relinquish jurisdiction in favour of the Grand Chamber, unless one of the parties to the case objects.

4 Judge elected in respect of Liechtenstein.

5 This summary by the Registry does not bind the Court.

Follow

Get every new post delivered to your Inbox.

Join 32 other followers