Monday, October 15, 2012

State’s access to individuals retained data

State’s access to individuals retained data is a very sensitive topic from a privacy rights perspective. In the beginning of October (2012) a proposal[1] to amend Article 166a (7) of the Electronic Communications Act was made in the Slovenian Parliament. This Act (among others) regulates the rights of electronic communication users and the protection of secrecy and confidentiality of electronic communications.[2] 

Current regulations in Article 107a (5) order operators to keep records of certain data[3] by obtaining traffic data in an electronic communications network. The law stipulates three situations in which data can be accessed:
1) In criminal proceedings, as stated in the Slovenian Criminal Procedure Act[4] 
2) In issues of national security, as provided by law governing the Slovenian Intelligence and Security Agency[5] 
3) For defence purposes as provided by Slovenian Act on defence[6].
Article 107.č orders operators to transmit the retained data as soon as they receive a legal decision of a competent authority. A competent authority is to be understood as a trial judge (Criminal Procedure Act) but can also, in special and legally prescribed situations, mean the Slovenian Intelligence and Security agency as well as the Intelligence and Security Service of the Ministry of Defence. 

The new proposal would grant access to retained data to the police without obtaining a legal decision of a trial judge ordering access to data needed in criminal procedure. The same applies for the Slovenian Intelligence and Security Agency. Following the new proposal, the Slovenian Information Commissioner has expressed concerns that the new proposal is not in accordance with Article 37 of Slovenian constitution, which ensures confidentiality of correspondence.[7] The Information Commissioner also noted that the request to review the new proposal’s constitutionality has already been lodged to the Slovenian Constitutional Court. The proposal, if it came into force, could interfere with Slovenians’ right to privacy. This article’s aim is to discuss if the new proposal stands in conflict with any EU legislation, including the jurisdiction of the European Court of Human Rights.

European Union law related to the protection of personal data were not created to regulate intervention of public authorities.[8] The Data Retention Directive was created to strengthen the fight against crime in and among Member States.[9] Article 4, which settles provisions regarding access to data, obliges Member States toensure that data retained in accordance with this directive are provided only to the competent national authorities in specific cases and in accordance with national law.”[10] Member States must define procedure and conditions that have to be fulfilled in order to access the retained data in their national legislation. The Data Retention Directive encompasses matters relating to data traffic. Issues related to content of such data are regulated by the Data Protection Directive, which is also directed in the section 15 of the Data Retention Directive.  Yet the Data Protection Directive’s scope does not extend beyond processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law.[11] Therefore the only regulatory mechanism that state parties have to follow, in relation to the authority of the police or other national authorities, are the standards set in Article 8 of European Convention on Human Rights (ECHR). 

Article 8 in the European Convention of Human Rights (ECHR) grants individuals the protection of their personal data: "Everyone has the right to respect for his private and family life, his home and his correspondence."[12] However, Article 8(2) exculpates national authorities to interfere with individual’s right to respect for correspondence if such interference is “in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.[13] Member State’s must therefore adjust their national legislation and grant their national authorities access to individual’s retained data only if it is necessary in a democratic society and only for legitimate aim. As presented above, in Slovenia the police get access to the retained data on a basis of a trial judge’s legal decision if it is necessary for criminal proceedings. The police have to convince the trial judge of the necessity of such interference. The trial judge is a procedural safeguard, and amending the current legislation in accordance with the new proposal would take this safeguard away. The police would be able to access retained data directly. It is controversial if such an amendment falls within the scope of being necessary in a democratic society.

The European Court of Human Rights (ECtHR) has provided some case law regarding the issue of national authorities’ interference with individual’s right to respect for correspondence.[14] ECtHR ruled that collection and storage of information in files which are closed for public eyes might be necessary for state authorities for the successful protection of national security.[15] Furthermore, the authorities are allowed to use this information in cases where they are searching for a suitable employee for a position involving matters of state security.[16] This was questioned in a case Leander v. Sweden[17] and the ECtHR held that there is no violation of individual’s rights according to Article 8(1) if the state provided sufficient and effective safeguards to prevent possible abuse of power.[18] However in this area the ECtHRt makes decisions on a case by case basis and does not link it to the other systems and jurisdictions.[19] The ECtHR has to determine whether defending the national security of a state meet the safeguards that the same state provided for the protection of the individuals’ rights.[20] Therefore it is hard to connect from similar case law whether Article 166a (7) of the Electronic Communications Act decrease the level of effective procedural safeguards that prevent severe abuses. 

When it comes to the issue of the State’s interference into the individuals’ right to privacy, an individual and a State have opposing interests. An individual wants high standards and effective procedural safeguards in cases when national authorities access personal data. The national authorities on the other hand are less concerned about individuals privacy when pursue legitimate aims that are set in Article 8(2) of ECHR. In order to protect individuals the ECtHR has laid down specific requirements in its case law: “the standards of accessibility and foreseeability inherent in the concept of the rule of law.”[21] Safeguards for an individual’s protection must be sufficient in order to pass “the quality of law test”.[22] Public authorities should minimize their interference with individual’s right to respect for private life and try to achieve their aim with as little harm for an individual as possible. Because of the daily use of electronic devices there is enormous amount of stored data. German communication provider T-Online presented a research that only 0,0004% of retained data is needed further for law enforcement.[23] The Data Retention Directive and the Slovenian Electronic Communications Act both involve a lot of storing a lot of irrelevant data. Such indiscriminate storage is questionable from the proportionally and necessity requirements.[24] Therefore every Member State has to be especially careful to which national authority they grant access to retained data. In the proposed amendment of the Slovenian Electronic Communications Act important safeguards are removed with potentially serious consequences for the individual. The police would not need a legal decision from the trial judge anymore, but would be able to access retained data directly. It is questionable if this amendment would pass the quality of law test and the procedural safeguards remain sufficient.

[1] The Proposal is accessible on a Government of Republic of Slovenia's website. Retrieved October 10, 2012, from[single]=%2Fupv%2Fvladnagradiva-12.nsf%2F18a6b9887c33a0bdc12570e50034eb54%2Ff282e7625a2de1aec1257a850046be9a%3FOpenDocument&cHash=176bb19e9a31d014a2cc58a605fc970b.
[2] Electronic Communications Act, Uradni list RS no. 13/2007, February 15 2007.
[3] Operators must store data presented in Article 107b. (Electronic Communications Act).
[4] Criminal Procedure Act, Uradni list RS no. 8/2006, January 26 2006.
[5] Act on Slovenian Intelligence and Security agency, Uradni list RS št. 81/2006, July 31 2006.
[6] Act on Defense, Uradni list RS no. 103/2004, September 23 2004.
[7] Appeal of the Information Commissioner for caution regarding the powers to intervene in the communication privacy. Retrieved October 10, 2012, from
[8] Bignami, F. (2007). Privacy and Law Enforcement in the European Union: The Data Retention Directive. Retrieved October 10, 2012, from, p.5.
[9] Directive 2006/24/EC. (2006, March 15). the European Parliament and the Council. Retrieved October 8, 2012, from
[10] Ibid.
[11] Article 3(2) of the Directive 95/46/EC, (1995, October 24). the European Parliament and the Council . Retrieved October 8, 2012, from
[12] The European Convention on Human Rights. (1950, November 4). Council of Europe. Retrieved October 6, 2012, from
[13] The European Convention on Human Rights.
[14] Kilkelly, U. (2003, August). The rights to respect for private and family life. Retrieved October 6, 2012, from, p.35.
[15] Kilkelly, 2003, p. 35.
[16] Ibid.
[17] The Court found interference with applicant’s rights according to Article 8 (1) but the interference was “necessary in a democratic society with reference to the safeguards available to protect the applicant’s rights from abuse.[17] In this case the Court held that the procedural safeguards were sufficient. (Leander v. Sweden. (1987, March 26). European Court of Human Rights. Retrieved October 8, 2012, from
[18] Kilkelly, 2003, p. 37.
[19] Ibid.
[20] Ibid.
[21] Mitrou, 2007, p. 17
[22] Ibid.
[23] Ibid.
[24] Id., p. 18.