|Kosovo’s experience with data retention: A case of adopting negative EU standards||440.11 KB|
Kosovo’s experience with data retention: A case of adopting negative EU standards
The Kosovo government, through the Ministry of European Integration, was in the first part of 2014 considering the third draft of a problematic dragnet electronic interception and data retention law. The adoption of the law was thwarted in large part thanks to the reaction of civil society, a European Union Court of Justice ruling that came just in time, and ultimately the disbanding of the Kosovo Parliament for early elections. It will come back.
The process highlights a case of imposing dubious standards from the European Union (EU) on a country, which often results in weak democracies and breaches of the rule of law.
Attempts to pass the law
A draft law on electronic interception and data retention was previously considered in 2012-2013, with the latest attempt being in 2014. In 2013 the second attempt was turned down by the Intelligence Agency Oversight and Security Parliamentary Committee.
The bill returned with similar problems in 2014. This time it came alongside the dialogue on visa liberalisation which the EU has been having with Kosovo for years with meagre success.1
Currently, electronic surveillance in Kosovo is permitted through the Penal Code and the Code of Penal Procedure, provided a warrant is secured, although some have argued that more detailed rules are lacking. Kosovo has enshrined privacy in its quite modern constitution and has implemented a data protection law and established a data protection agency based on EU legislation.2
As reintroduced, the bill would have given the Kosovo Intelligence Agency the ability to tap into communications networks for the purpose of recording internet and telephone metadata and content. A court warrant was not mandatory; instead, only lawful authorisation was mentioned.
The Minister of European Integration stated that the draft law had been endorsed by the EU. Emails to the EU Mission in Kosovo were not returned. Directive 2006/24/EC3 on data retention was already considered highly problematic, even in the EU countries. Article 5 on the types of data to be retained is exhaustive. They are, of course, metadata, but metadata can reveal a lot.4 The implementation of the Directive had been thrown out by high courts in Germany, the Czech Republic and Romania and was being contested in Austria, Ireland and Slovenia. Sweden was threatened for years with heavy fines by the European Commission to implement it, as was Romania.5
On 7 April, just a day before the Court of Justice of the EU (CJEU) was due to hand down its verdict on the matter of data retention, the Ministry sent a new draft to a selected number of civil society organisations. This again was in violation of consultation procedures mandated by law which stipulate publication for general public access.6 This draft was much more precise in language and with noticeable improvements, limiting, for example, the number of institutions that would have access to the data. Two points giving rise to concern, however, remained: data retention and the ability of the Kosovo Intelligence Agency to surveil without a warrant.
On 8 April, the CJEU ruled Directive 2006/24/EC on data retention invalid.7 The Directive was key to the data retention portion of the Kosovan draft law.
In its ruling, referring to the Directive, CJEU notes that it covers “in a generalised manner, all persons and all means of electronic communication as well as all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime” (paragraph 57). Furthermore, “the access by the competent national authorities to the data retained is not made dependent on a prior review carried out by a court or by an independent administrative body whose decision seeks to limit access to the data and their use to what is strictly necessary for the purpose of attaining the objective pursued and which intervenes following a reasoned request of those authorities submitted within the framework of procedures of prevention, detection or criminal prosecutions. Nor does it lay down a specific obligation on Member States designed to establish such limits” (paragraph 62).
The Court cites the opinion of the Advocate General of the CJEU: “The fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance” (paragraph 37). Have in mind that the Court is only addressing metadata here, unlike Kosovo's draft law. The Court deems that by adopting the Directive, “the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter [of Fundamental Rights of the European Union]” (paragraph 69). It can be concluded from the above that in the CJEU's view, general surveillance of citizens not suspected of committing serious crimes without the authorisation of a court is neither necessary nor proportionate.
On 29 April, the Kosovo government announced that it would be sending a revised Draft Law on Interception of Electronic Communication to parliament.8 The draft underwent some positive changes in light of the CJEU decision, but still had noticeable problems. Below are the significant issues.
Interception interfaces: The first major problem is the separate interception interface it provides to the Kosovo Intelligence Agency (KIA). While the draft requires court warrants also for the KIA, in practice the KIA would be assigned its own interface. The law calls for two types of electronic solutions: monitoring facilities placed at the authorised institutions that would get the feed that they have been authorised to receive upon showing the warrant, and interception interfaces placed at communications companies that do the actual feeding of the data. But the KIA also gets one of these interfaces at its own facility. This provides no means of control against abuse and practically gives the Agency carte blanche to intercept.
Data retention: This is the second major problem. Despite promises by the sponsoring Minister Vlora Çitaku9 and the CJEU ruling annulling the EU Directive, data retention was still present in the draft, albeit in a somewhat lighter version. Data to be retained for 12 months included a long list of metadata.10 The minister has stated that the draft has been approved by the European Commission, and EU Special Representative/Head of EU Office in Kosovo, Samuel Žbogar, stated that the law, while not perfect, meets minimum standards. It was clear that the European Commission was suggesting to Kosovo what the interpretation of the CJEU ruling was, although a public formal interpretation of the ruling by the Commission was not available.
Authorised institutions: The draft law did not limit the “special laws” that could be used for issuing warrants. This means that if passed in this form, attention would be required to make sure that other institutions do not get access using other less onerous laws through the back door.
Purpose (Art. 1 and 12.7): The EU Directive was specifically directed at fighting serious crime, although when implemented it became subject to much abuse. In the draft the reference to the Directive was expunged, but a limitation of the scope to “serious crime” was at this point introduced. This was an advance.
Notification: This draft referred to the Criminal Code and the KIA Law as two of the legal bases for getting warrants. While the Criminal Code has the concept of notification of citizens upon surveillance built in, the KIA Law does not. Therefore no citizen would be allowed to know that they had been surveilled by the KIA, since unless otherwise expressly allowed by another law, notification is prohibited by this one. As ruled by the European Court of Human Rights,11 notification is a right, hence the draft is in violation of the European Convention on Human Rights, which Kosovo has unilaterally embraced – but its citizens still cannot seek redress from the European Court of Human Rights because Kosovo is not formally a party to the Convention.
Interception assistance (Art. 9): As the draft law states, “Based on a lawful inquiry, in full compliance with the Criminal Procedure Code of Kosovo” it allows for the violation of citizens’ anonymity by requesting the identity of a suspect in preparation for a warrant. Indirectly, this article states that no warrant would be required for this procedure. Furthermore, the notification principle is once again violated in this article, as notification is expressly prohibited.
Records of interception (Art. 11 and 13): The need to keep records and provide data on the number of interception requests was a positive change in this draft. Yet this point becomes somewhat moot when considering that the KIA would have its own interface. In the reporting requirements, there are no criteria about the effectiveness and indispensability of data retained to combat crime, only on the effectiveness of the ability to provide data, which privacy advocates in Europe have argued against with regard to the Data Retention Directive.
Penalties (Art. 15): For non-compliance violations, a network operator or service provider could be fined at least EUR 86,000 and up to 7% of the annual income from their economic activity in electronic communications. There were no penalties foreseen for violations that harm the privacy of citizens, clearly erring in favour of sharing citizens’ data with the authorities.
Data transmission security standards (Art. 5.5): The draft law refers to the data security standards used by the operator and says this will be dealt with in secondary legislation.
Looking at how well written the relevant parts of the Criminal Code12 and the Criminal Procedure Code13 are, there could be only two reasons to push this new law: data retention and the extension of the KIA’s ability to tap.
The power of the EU in Kosovo is immense; as a result, the new attempt to pass this law was given to the Ministry of European Integration. There was another strong reason for having this ministry sponsor the draft law: the government had twice before failed to take the draft law beyond the Intelligence Agency Oversight and Security Parliamentary Committee. Bypassing the specialists at the public security and intelligence committee was apparently part of the agenda.
Kosovo has good laws, but implementation is lacking. Since 2008 Kosovo has been unique in having a European Union Rule of Law Mission (EULEX) to address the shortcomings of public security institutions and the legal system. It is for this very reason that the various reports issued by the European Commission on Kosovo find faults which hamper Kosovo’s progress towards visa liberalisation with the Schengen area, as well as overall European integration.
For new surveillance powers to be granted, all the necessary legal safeguards within a state would have to function in order to control the additional authority being provided. This situation does not currently exist in Kosovo and any move in this direction should be made with increased caution above and beyond that found in the EU member states.
The EU also has a heightened responsibility to monitor the surveillance practices of the states where it has political influence to ensure that they do not further undermine human rights, instead of merely exporting its own standards as fit-for-purpose. In the case of Kosovo, the EU should not only come out loud and clear against any sort of mass surveillance, but should also insist that the KIA abide by the same rules as other security institutions.
1 The requirement is framed in this way: “Ensure that future legislation on interception distinguishes clearly between judicial interception and interception for intelligence services, in line with European best practices, while the provisions on data retention for law enforcement purposes comply with the EU acquis on data retention.” See the Report from the Commission to the European Parliament and the Council on Progress by Kosovo in Fulfilling the Requirements of the Visa Liberalisation Roadmap, 8 February 2013. ec.europa.eu/dgs/home-affairs/e-library/documents/policies/international-affairs/general/docs/report_on_progress_on_kosovo_visa_liberalisation_en.pdf
2 Kosovo has transposed EU’s Directive 95/46/EC on Data Protection via Law No.03/L – 172 on the protection of personal data.
3 Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC.
4 Leber, J. (2013, June 18). Mobile Call Logs Can Reveal a Lot to the NSA. MIT Technology Review. www.technologyreview.com/news/516181/mobile-call-logs-can-reveal-a-lot-to-the-nsa
5 EDRi. (2013, June 5). EC goes after governments for not implementing data retention. EDRi. 5 June 2013. history.edri.org/edrigram/number11.11/ec-fines-sweden-data-retention
6 Art. 32 of Regulation No. 09/2011 on Rules and Procedure of the Government of the Republic of Kosovo foresees the publication of draft normative acts for consultation.
7 See Para. 71, Joined Cases C‑293/12 and C‑594/12, Requests for a preliminary ruling under Article 267 TFEU from the High Court (Ireland) and the Verfassungsgerichtshof (Austria).
8 Versions of the draft law have been distributed only via email to several non-governmental organisations and there was no official publication. The author’s copy is available here: https://www.dropbox.com/s/9rcswy6a8bsozkv/Draft%20law%20on%20interception%20as%20sent%20to%20parliament%20-%2029%20April.doc
9 Vlora Citaku, https://twitter.com/vloracitaku/status/461093395017236480
10 See note 8, Article 12.
11 Boehm, F., & de Hert, P. (2012). Notification, an important safeguard against the improper use of surveillance – finally recognized in case law and EU law. European Journal of Law and Technology, 3(3). jlt.org//article/view/155/264
12 Republic of Kosovo. (2012). Criminal Code of the Republic Of Kosovo No. 04/L-082. Official Gazette of the Republic of Kosovo, No. 19.
13 Republic of Kosovo. (2012). Code Nr. 04/L-123 of Penal Procedure. Official Gazette of the Republic of Kosovo, No. 37.
This report was originally published as part of a larger compilation: “Global Information Society wach 2014: Communications surveillance in the digital age” which can be downloaded from http://www.giswatch.org/2014-communications-surveillance-digital-age.
Creative Commons Attribution 3.0 Licence ‹creativecommons.org/licenses/by-nc-nd/3.0› Some rights reserved.