How did AOL look at the content of its subscribers’ communications? By screening the files attached to emails to determine whether their hash values (which can be thought of as ‘fingerprints’) are identical or similar to the hash values of allegedly unlawful files.
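To make the screening step concrete, here is an added Python example (not AOL’s code, and not from the original post) of hashing every attachment in a message and matching it against a blocklist of digests. The message, the blocklist and the ‘flagged’ file are all constructed inline so that it runs offline. It uses SHA-256, which matches only byte-identical files; the ‘similar’ matching mentioned above would require a perceptual or fuzzy hash instead, which is not shown here.

```python
"""Hash-based screening of e-mail attachments against a blocklist.

Added example, not AOL's code and not from the original post. The
message, the blocklist and the flagged file are constructed below.
"""
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed 'unlawful' file and a blocklist holding its SHA-256 digest.
# A real deployment would load the digests from an external list.
FLAGGED_FILE = b"constructed contents of a flagged file\n"
BLOCKLIST = {hashlib.sha256(FLAGGED_FILE).hexdigest()}


def build_message(attachments):
    """Construct a multipart test message from (filename, bytes) pairs."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = "constructed test message"
    msg.set_content("Body text is not hashed; only attachments are screened.")
    for name, data in attachments:
        msg.add_attachment(
            data, maintype="application", subtype="octet-stream", filename=name
        )
    return msg.as_bytes()


def screen_attachments(raw_message, blocklist=BLOCKLIST):
    """Return [(filename, sha256hex, flagged)] for each attachment.

    Only parts with Content-Disposition: attachment are hashed, and only
    after transfer decoding (base64), so the digest is that of the file the
    recipient would save, not of its encoded form. A cryptographic hash
    matches byte-identical content only: renaming the file leaves the
    digest unchanged, while altering a single byte changes it completely.
    """
    msg = message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        payload = part.get_payload(decode=True)
        digest = hashlib.sha256(payload).hexdigest()
        results.append((part.get_filename(), digest, digest in blocklist))
    return results


def demo():
    """Screen a constructed message: same file twice (once renamed), plus a
    one-byte variant that the exact-match blocklist does not catch."""
    raw = build_message([
        ("report.bin", FLAGGED_FILE),
        ("renamed.dat", FLAGGED_FILE),
        ("altered.bin", FLAGGED_FILE + b"x"),
    ])
    return screen_attachments(raw)


if __name__ == "__main__":
    for name, digest, flagged in demo():
        print(f"{'FLAG' if flagged else 'ok  '} {digest[:16]}... {name}")
```

The renamed copy is flagged because the filename plays no part in the digest; the copy with one extra byte is not, which is exactly the gap that ‘similar’ (perceptual) hashing is meant to close.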
The question that I am asking now is whether the situation is the same in Europe and in particular in England. In Europe and in England it is crucial to take into account both privacy and data protection laws (deriving from the transposition of the data protection Directive of 1995 and the e-privacy Directive of 2002 into the Data Protection Act 1998 and the Privacy & Electronic Communications (EC Directive) (Amendment) Regulations 2011, respectively). Under the special rules deriving from the e-privacy Directive, ISPs such as AOL can only “process” (i.e. collect, store, etc.) metadata for a range of limited and specific purposes: subscriber billing, interconnection payments, traffic management and network security. For the purpose of marketing electronic communications services or providing value added services, ISPs have to obtain the informed consent of their subscribers first. Generally speaking, in all other cases ISPs must erase or anonymise metadata when it is no longer needed for the purpose of transmitting a communication. In addition, ISPs should respect the principle of the confidentiality of communications (Article 5). Finally, transferring subscribers’ personal data to third parties requires at a minimum informing the subscribers, and possibly requesting their prior consent (if the third parties want to use the data for a purpose distinct from that for which the ISPs are using it).
Other OSPs that are not ISPs, such as web services, are regulated by the general rules deriving from the data protection Directive. The data protection rules are less specific than the e-privacy ones in that they do not precisely identify the purposes for which metadata and content data can be processed. That said, the processing has to be for a legitimate and specific purpose (Article 6). In addition, the principle of the confidentiality of communications is of general application: every European citizen has the right to have the confidentiality of their communications protected (this derives from both the European Convention on Human Rights and the European Charter of Fundamental Rights, and from the protection of the right to private life).
So could an OSP in Europe (and, in particular, in England) look at the metadata and the content of its subscribers’ communications and then pass that data on to law enforcement bodies?
Under European/English law, the purpose of the peeping would have to be specified.
It could be argued that an OSP has a legitimate interest in regulating the use of its services by its subscribers and should therefore be allowed to collect subscribers’ data to detect illegal activities irrespective of the consent of its subscribers. However, this argument is open to criticism.
- First, it is arguable that “detecting illegal activities” is too vague a purpose for processing subscribers’ data: precise categories of illegal activity should be identified, as well as precise detection practices.
- Second, for ISPs at least, such a purpose is expressly mentioned neither by the e-privacy Directive nor by its transposition into national law. Interestingly, the Article 29 Working Party has just declared that derogations from specific principles, rights and obligations provided by Article 13(1) of the data protection Directive [to which Article 15(1) of the e-privacy Directive refers], and in particular from the principle of the confidentiality of communications and the related traffic data, “should then be laid down by Member State’s laws, which in many cases also need to provide additional safeguards”. This would mean that, for ISPs at least, consent would not justify the processing in the absence of a clear legal basis.
What about other OSPs? Could they rely upon consent? Well, if the communications are confidential, there is an argument that a clear national legal basis would also be needed.
As a result, it can be argued that unless a clear legal basis states that OSPs can process metadata and content data for the purposes of detecting certain types of illegal activities and informing law enforcement bodies, OSPs cannot rely on their privacy policies alone! [is this too radical?]
Finally, and this point should not be under-estimated, there is the issue of whether metadata and content data obtained in violation of data protection and privacy laws can constitute admissible evidence before the courts. Here it becomes messier. At the national level the rules vary. Under English law, for example, unlawfully obtained evidence can be admissible. And the European Court of Human Rights has held on occasion that unlawfully obtained evidence does not necessarily render the judicial proceedings as a whole unfair.
The question is then whether data protection law really makes a difference!