That online service providers (OSPs), including Internet Service providers (ISPs), can do almost all what they want with our data, as long as they have a “decent” privacy policy, has just been confirmed in the US by the very recent decision of the District Court for the Southern District of New York. I have already written about it here. To refresh memories, a Mr F. under probation was facing criminal charges for the production and transportation of child pornography. His claim was that evidence derived from the examination of his emails by AOL (one of the main US ISPs) and the examination of his chats by Omegle (an online platform for text and video chat with strangers) was obtained in violation of the Fourth Amendment to the US Constitution. The Court confirmed that there is no expectation of privacy as regards the metadata (arguably network-level metadata e.g. IP addresses, location data) of online communications collected and stored by OSPs. In other words, OSPs can collect, store and transfer these metadata to almost whoever they want [to the exclusion of cybercriminals probably!].

In addition, the Court held that by consenting to AOL’s terms of use F. had consented to searches by AOL as a government agent. Because AOL’s policy expressly mentions that “‘AOL reserves the right to take any action it deems warranted’ in response to illegal behavior, including ‘terminat[ing] accounts and cooperat[ing] with law enforcement” and that “AOL reserves the right to reveal to law enforcement information about ‘crime[s] that [have] been or [are] being committed” AOL’s policy is considered to make it clear that AOL intends to actively assist law enforcement. To translate this into plain English, the upshot of this ruling is that under US Law, AOL can look at the content of its subscribers’ communications for monitoring purposes, send the content of its subscribers’ communications to law enforcement, and the content of its subscribers’ communications can then be used as evidence by law enforcement against these individuals.

How did AOL look at the content of its subscribers’ communications? By screening the files attached to emails to determine whether their hash numbers (which can be assimilated as ‘fingerprints’) are identical or similar to the hash numbers of allegedly unlawful files.

The question that I am asking now is whether the situation is the same in Europe and in particular in England? In Europe and in England it is crucial to take into account both privacy and data protection laws (deriving from the transposition of the data protection Directive of 1995 and the e-privacy Directive of 2002 into the Data Protection Act 1998 and the Privacy & Electronic Communications (EC Directive) (Amendment) Regulations 2011, respectively). Under the special rules deriving from e-privacy Directive, ISPs such as AOL can only “process” (i.e. collect, store…etc.) metadata for a range of limited and specific purposes: for subscriber billing, interconnection payments, traffic management and network security. For the purpose of marketing electronic communications services or for the provision of value added services, ISPs have to obtain the informed consent of their subscribers first. Generally speaking, in all other cases ISPs must erase or make metadata anonymous when they are no longer needed for the purpose of the transmission of a communication. In addition, ISPs should respect the principle of the confidentiality of communications (Article 5). Finally, transferring subscribers’ personal data to third parties requires at a minimum informing ISPs’ subscribers and eventually requesting their prior consent (if the third parties want to use the data for a purpose distinct to that for which the ISPs are using them).

Other OSPs that are not ISPs, such as web services, are regulated by the common rules deriving from the Data protection Directive. The data protection rules are less specific than the e-privacy ones in that they do not precisely identify the types of purposes for which metadata and content data can be processed. With this said, the processing has to be for a legitimate and specific purpose (Article 6). In addition, the principle of the confidentiality of communications is of general application: every European citizen has the right to have the confidentiality of its communications protected (this derives from both the European Convention on Human Rights and the European Charter of Fundamental Rights and the protection of the right to private life).

So could an OSP in Europe (and, in particular, in England) look at the metadata and the content of its subscribers’ communications and then send these data of its subscribers’ communications to law enforcement bodies?

Under European/English law, the purpose of the peeping would have to be specified.

It could be argued that an OSP has a legitimate interest in regulating the uses of its services by its subscribers and should therefore be allowed to collect subscribers’ data to detect illegal activities irrespective of the consent of its subscribers. However this argument is subject to criticisms.

• First, it is arguable that the processing of subscribers’ data for the purpose of detecting illegal activities is too vague and precise categories of illegal activities should be identified as well as precise detection practices.
• Second, for ISPs at least such a purpose is neither expressly mentioned by the e-privacy Directive nor by its transposition at the national law. Interestingly the Article 29 Working Party has just declared that derogations to specific principles, rights and obligations provided by Article 13(1) of the data protection Directive [to which Article 15(1) of the e-privacy Directive refers], and in particular the principle of the confidentiality of communications and the related traffic data, “should then be laid down by Member State’s laws, which in many cases also need to provide additional safeguards”. This would mean that for ISPs at least consent would not justify the processing in the absence of a clear legal basis.

What about other OSPs? Could they rely upon consent? Well if the communications are confidential, there is an argument that a clear national legal basis would also be needed.

As a result, it can be argued that unless a clear legal basis states that OSPs can process metadata and content data for the purposes of detecting certain types of illegal activities and informing law enforcement bodies, OSPs cannot rely on their privacy policies! [is this too radical?]

Finally, and this last point should not be under-estimated, the last issue is whether metadata and content data obtained in violation of data protection and privacy laws can constitute admissible evidence before the courts. Here it becomes messier. At the national level rules can vary. Under English law, for example, unlawful evidence can be admissible. And the European Court of Human Rights has held on occasion that unlawful evidence does not necessarily render the judicial proceedings as a whole unfair.

The question is then whether data protection law really makes a difference!

Sophie Stalla-Bourdillon