Slashdot Mirror
Court Overturns Dutch Data Retention Law, Privacy More Important
wabrandsma writes According to DutchNews.nl: "Internet providers no longer have to keep their clients phone, internet and email details because privacy is more important, a Dutch court ruled on Wednesday." Digital rights organization Bits of Freedom writes in a blog: "The law's underlying European directive was meant as a tool in the fight against serious crimes. The Dutch law, however, is much more expansive, including everything from terrorism to bike theft. During the hearing, the state's attorneys avowed that the Public Prosecution does not take the law lightly, and would not call on the law to request data in case of a bicycle theft. The judge's response: it doesn't matter if you exploit the possibility or not, the fact that the possibility exists is already reason enough to conclude that the current safeguards are unsatisfactory."
The article does not state which court it was and if the ruling is likely to be overturned, but it's great to see a sudden outbreak of common sense like this one.
I am happy to maintain my illusion of privacy as far into the 3rd millennium as possible..
First, the EU directive on which this law was built upon, itself was already pulled because of being too unbalanced. Thus the Netherlands are no longer required to have a data retention law at all. So, from an EU point of view, no one in Brussels actually cares anymore if the Netherlands have a data retention law. They can do so if they want, but that's an entirely different matter (and even a new one has to take into account the verdict of the European High Court which pulled the old directive).
Second: If a new directive was in place which conforms to the verdict of the European High Court, the member states have to work out new data retention laws which also conform to the verdict and to their respective constitutions. If they don't manage to do so, they will be sued for EU contract violation, and then they have to argue why their new data retention law is not in place yet. This could even work out to the theoretical new directive being pulled too, if not enough member states are able to create constitutionally acceptable data retention laws.
But all those laws define requirements for telcos and internet providers, they totally leave out the ability or the legality of secret service agencies to gain access to the data and create their own data retention. My guess is that the whole data retention bruhaha came up because the spy agencies already did all those things without a legal base, and now the governments wanted them to be legalized in a way that the results could be used in the open. Maybe some envy between police forces and spy agencies also played a role, and the police wanted to have the same abilities.
The short answer is that a national judge's ruling doesn't directly affect other countries, although it could indirectly affect them if it leads to an appeal to a European court and their ruling clarifies the law in a way which is incompatible with other countries' implementations.
The longer answer: EU law works by means of "directives" which each country then implements in its national law. Each directive comes with a deadline to implement it, although typically most countries miss the deadline. But in principle the European Commission can sue a country which fails to implement a directive, and fines can be levied. The issue here is that the Dutch implementation of the Data Retention Directive went further than the minimal requirements, and the judge has ruled it incompatible with other European law. (It's not clear from either of the articles whether that was the Data Protection Directive or the European Convention on Human Rights*).
The two main options now would be that the Dutch government appeals to a European court (the European Court of Justice if it was the Data Protection Directive that formed the basis of the ruling, or the European Court of Human Rights if it was the ECHR); or that it passes a replacement law which sticks closer to the Data Retention Directive. If it doesn't do either of those, it would be failing to fulfil its obligation to implement that directive.
* Not EU law, but I think all EU countries are members of the European Council, and the most recent constitutional treaty of the EU commits the EU as an organisation to acceding to the ECHR.
Ah, looking at the other answers it turns out that I'd missed that the Data Retention Directive has been overturned by the ECJ. Still, I hope I've given you a useful framework for understanding other news about European legislative matters.
It is in fact a rather surprising decisions, since Dutch judges have no tradition of ruling in 'contra legem' procedures; they are in fact forbidden by the Constitution to do so (article 120 says judges shall not judge the constitutionality of laws and treaties).
Now, the loophole here is that treaties are considered higher law than the Constitution, so judges can rule local laws in violation of a treaty[1]. They don't tend to do that in mere district court though.
Apparently the case made by complainant was compelling enough, and the governments argument weak enough, that a mere district judge felt they could safely make that ruling.
[1] On the gripping hand, the principle of subsidiarity means that if a case is covered by the Constitution as well as a treaty, judges are supposed to use the Constitution as the basis for their decision, once again invoking art. 120. But of course if the Constitution and the treaty align enough, appealing to treaty law wouldn't work anyway.
"I know I will be modded down for this": where's the option '-1, Asking for it'?
I've never understood the willingness to use(or the willingness to accept often enough to make using worthwhile) the "Just trust us and our discretion!" argument.
So, benefit of the doubt, maybe they are telling the truth when they say "During the hearing, the state's attorneys avowed that the Public Prosecution does not take the law lightly, and would not call on the law to request data in case of a bicycle theft." Fan-fucking-tastic. Even if I do believe them, do I have any reason to suspect that their successors will be as disciplined, or even as interested? No, no I don't.
It seems like some sort of category error, possibly related to the fact that (in evolutionary terms) we were basically living in tiny kin groups about 10 minutes ago; but in political science terms we haven't really been doing that in a millennium or two. "Trust" is all well and good(actually, very good, it has all sorts of advantages in making things go smoothly and reducing stress and anxiety) among people you interact with; but it's a dangerous thing to extend to institutions, except in its(quite different) sense of 'something is "trusted" if the overall correct function of the system depends on that thing behaving as expected, and there are not external constraints that will assure this'.
When it comes to neighbors, friends, and the like, sure, "trust" is a good thing. When it comes to institutions, the most trustworthy person is the one who says "I'd like to think that you'd find me personally trustworthy, if you knew me socially; but in my official capacity, I don't want you to have to trust me. You should have independent safeguards that would function even if I were a total shitweasel.
In this sort of law enforcement case, if they are so responsible and all, and would never use the law for minor purposes, why does the law allow for use in minor cases? Shouldn't it be uncontroversial to principle-of-least privilege and eliminate the possibility of such use? After all, law enforcement has already said that they have no interest in such capabilities, so surely they won't mind?