Proposition 54K1567

Projet de loi relatif à la collecte et à la conservation des données dans le secteur des communications électroniques.

General information ¶

Submitted by

MR Swedish coalition

Submission date

Jan. 11, 2016

Official page

Visit

Status

Adopted

Requirement

Simple

Subjects

protection of privacy electronic mail data protection Internet public safety personal data Internet access provider criminal procedure telecommunications protection of communications terrorism

Voting ¶

Voted to adopt

CD&V LE ∉ Open Vld N-VA LDD MR VB

Voted to reject

Groen Ecolo PS | SP PVDA | PTB

Abstained from voting

Vooruit

Contact form ¶

Do you have a question or request regarding this proposition? Select the most appropriate option for your request and I will get back to you shortly.

Discussion ¶

May 4, 2016 | Plenary session (Chamber of representatives)

Full source

The rapporteurs are Özlem Özen, Carina Van Cauter, Peter Dedecker and Nele Lijnen. They refer to the written report.

Dear colleagues, I must apologize for the absence of my colleague, Karine Lalieux, who is suffering and who asked me to intervene with the lifted foot in order to give the position of the PS group on this problem. I tried to impress myself with what had been done and to understand well, I believe that a brief history is still important.

In 2006, the European Commission adopted Directive 2006/24 and required Belgium to transpose it by 15 March 2009. At that time, in fact, the Belgian law already allowed access to data in very broad terms, with little framework on both conservation and access and a large delegation was given to the King to frame these measures.

At the end of September 2012, three years after the deadline, Belgium had still not transposed the text of the European Commission. The Court of Justice of the European Union has obviously put Belgium in trouble and has drawn its attention to the monetary sanctions that the Court of Justice could impose on it. At the time, the problem was that there was no agreement in the various successive governments. At the level of the PS Group, we really wanted to restrict access to data that seemed to us to be extremely personal.

Following the transposition and the request of the European Commission, we had accepted a text that was, for us, maximalist. This text was voted by our Parliament in July 2013, in an emergency. It was time, you might say.

On 8 April 2014, the European Court of Justice invalidated Directive 2006/24 in its entirety on the grounds that it exceeds disproportionately the limits imposing respect for the right to privacy and the protection of personal data guaranteed by the Charter of Fundamental Rights of the European Union.

As a result, on 11 June 2015, the Constitutional Court annulled the July 2013 law transposing this Directive on the retention of data. Since then, the European Commission has not taken any new initiative in this area.

On the other hand, I think we need to legislate. On the other hand, my group regrets – and that is why it will not vote this text – the urge to pass this law. The Directive dates from 2006. A year more or less will not fundamentally change things. We regret this willingness to vote urgently, as the European Court of Justice must answer in the coming months a preliminary question raised by a Swedish court. Therefore, it would seem more logical to us to wait for the opinion of the Court. In fact, its decision could, for example, invalidate again a law passed in urgency. In addition, we had requested the hearing in commission of some experts, but this was refused to us.

We do not understand your urge in view of the time it has taken and we ask that this text be returned to the committee, in which we could also freely receive experts. It is a shame not to remember the lessons of the past. I add that the issues of this text are important in terms of protecting the privacy of all our fellow citizens.

So our request is simple: could we not take a little time and wait for the opinion of the European Court of Justice, which risks invalidating a vote of our assembly again? If this was not the case, we would be sorry to tell you – although I’m sure it won’t bother you much – that the PS group will not vote on this bill.

Mr. Speaker, our group has several remarks regarding this bill that we have been following since 2013, Mr. Mathot, at the time we were already in the opposition and you, unfortunately, in the majority.

As you mentioned, Mr. Mathot, Article 126 of the law was repealed by the Constitutional Court, which is very rare. The law had already been challenged by the Greens in July 2013 and, even more rarely, the directive underlying the transposition law itself was cancelled.

In this context, in this factual rarity in the Chamber, there was a minimum of hearings needed and this is what the Ecolo-Groen group requested. Hearing, for example, of the Secretary of State in charge of privacy (a rare fact in Belgian politics, there was one, Mr. Tommelein and we have one today), expert hearings, starting with experts who have been heard by the European Court of Justice or the Constitutional Court, possibly a study (as the Bundestag did), which demonstrated that indiscriminate data collection brought, in most cases, no added value to judicial investigations and a joint meeting of the Justice and Infrastructure Committees. These last meetings were held separately, which facilitated neither the analysis nor the debate on the text.

Nothing of all this has been achieved! Also, Ecolo-Groen Mr. Van Hecke and myself, for the Infrastructure Committee, requested a second reading to Parliament to give at least time to this Parliamentary Assembly to analyze this text in detail, which we did.

Here is the context. Now on the principle. What is it about here? It is about retaining the data and metadata of electronic interactions of all Belgians who surf the internet, make telephone calls or communicate through their electronic devices. It is more or less, according to operators, 13 million SIM card holders. This refers to all people connected to the Internet, wirelessly or by wire. This refers to all people who have a telephone conversation via their fixed line.

This is the case for all Belgians. We are not at all in the case of the laws that we voted a few years ago, on the methods of data collection or the particular methods of research, which allow the police, the State Security, the military intelligence services, to have data on a few potentially dangerous people. These persons, because they represent a danger, are listened to, are subject to a precise, meticulous analysis of all electronic interactions they have with other persons in order to be able to counter any possible danger to society, property, persons, the security of the State.

So here it is a complete paradigm shift and the broken directive, the broken law, engages, creates this complete paradigm of potentially generalized surveillance, since, I repeat it here, all Belgians are concerned with this law, and more only a few suspects. So we move from a paradigm where we were all presumed innocent, to another paradigm where we are all potentially guilty. The first element.

The second is about efficiency. The Minister of Justice, Mr. Foret just asked you a question about the collaboration of American communications apps (such as WhatsApp, Viber, Skype, Facebook) and I would add Russian (such as Telegram). What is the collaboration of these foreign communications companies in the fight against organized crime, large crime and terrorism? You explained, rightly, that without the collaboration of these companies, we will not be able to improve the fight against these harmful and dangerous people for our society.

These applications are today the main communications vectors and are invisible grounds for our security services. Today, terrorists, big criminals, the mafia use these means of communication, starting with Telegram because they know that they are being tracked on normal networks (gsm, sms and internet). It is in these applications that action must be taken to combat major crime, starting with terrorism. This law, which collects data from all Belgians, will bring nothing to the fight against serious crime, starting with terrorism.

In the cases that make one of the news, there was information about the suspects. The problem is that this information was too much and that too much information makes the inquiry unmanageable. The challenge for greater effectiveness is to have the appropriate information about the person concerned, nothing more but also nothing less.

To improve the effectiveness of our police and intelligence services, it’s not about having information about everyone. Having information about everyone does not make the information relevant and, therefore, does not make the information effective.

The Court of Justice of the European Union, as well as the Constitutional Court, appealed against Article 126, which was repealed because it was found disproportionate. We need a balance between, on the one hand, the obvious and fundamental need for security and, on the other hand, the fundamental right to privacy. On that basis the law was repealed. That’s why, three years later, this draft law on the profession is being returned. We rework it.

A general principle that is defended by the Privacy Protection Commission, which depends on our institution, the House of Representatives, but which is also defended by all bodies in charge of privacy in Europe, is that when it comes to data collection, we must have as little data as possible to collect, make it accessible to those who need it and as few people as possible.

Mr. Minister, you have worked effectively – I recognize – on the number of people who have access to it.

You give access to the data – and that’s well thought out compared to the previous law – to as few people as possible. This is very effectively described in the law and no longer in the royal decrees, as was the case before, which constitutes a certain advance.

On the other hand, with the durations of six, nine or twelve months, you make it possible to access this data for a large number of requests, whereas you would have had to do the opposite: allow as little access to the data as possible.

This is the comparison between Article 126 and Article 122. Pursuant to article 126 that you amend, access to a series of data is granted for six, nine or twelve months, depending on the severity of the alleged facts, to a number of persons belonging to the police, the State Security, the military intelligence services and the federal prosecutor’s office. Always following this article, the more serious the facts are, the greater the amount of data accessible, the less serious the facts are, the lower the amount of data accessible.

In the Infrastructure Committee, De Croo, stated that Article 122 regulates the access and storage of data by communications companies for commercial and marketing purposes. But from the discussions we had at the committee – this is stated in the report – it turns out that police services that may have access to the operator database, under Article 126, may have access to the data collected for commercial and marketing purposes that we have no control over. The law does not specify what a marketing or commercial data is. Those police or intelligence services will therefore be able to access this data under Article 122, which is very worrying to us.

Finally, the protection of the officials in charge of each of the operators to transmit data to the police services is established by law. I have asked questions about this in the committee. What happens if, one day, an employee of a communications company finds a serious breach, i.e. finds that data should not be transmitted to the services concerned because they are too old, inadequate or disproportionate? What should the data officer do if he finds a breach?

by Mr. De Croo replied, “He warns his hierarchy.” Today we have lots of recent examples of whistleblowers who are attacked by their former employer. I think of the ongoing LuxLeaks case, where it is ultimately the whistleblower who is in court and is being examined in detail, while it is the fraudsters who should be the subject of this review.

What will happen today if a whistleblower at Base, Orange or Proximus finds that his company breaches the law? It was answered by mr. De Croo – I was in the Infrastructure Committee and I couldn’t go to Justice at the same time – that he “should warn his hierarchy.” I think that a royal decree should provide, since one can still settle this by royal decree, that in the case of a serious breach found by the data officer in an operator, a procedure at the IBPT, the prosecutor's office or I don't know where but in a place outside of his company, is planned.

Thus, we would ensure that this essential law for the protection of the privacy of citizens, and I repeat that it applies to all Belgians, can be applied in the safest and most correct way possible. Thus, prospective whistleblowers would be protected and could go to court or a third-party body. I think of the IBPT or the prosecutor’s office, so that whistleblowers can report the serious facts they would find within their company.

You have understood that we feed the worst fears in relation to this text. We have the same comments about it as we made in 2013. Though there are some improvements that I have noticed, our fundamental comments remain, and that’s why the Ecolo-Groen group will vote against this text.

The present bill has undergone only a small facelift since its rejection and destruction by the Constitutional Court. That destruction was not aimed at a detail in the text, but against the basic principle of the bill itself, the bulk collection of private data of all citizens. The Constitutional Court then ruled that the retention of metadata of all communications of all Belgian citizens was not proportionate to the objective pursued by law and that this exceeded the limit of what is proportionate. Furthermore, the law did not provide sufficient guarantees against misuse of the obtained data.

The government claims that the new text takes into account the criticism of the Court as it adds some new conditions and rules on access to and security of data. However, the basic principle itself that the collection of data applies to all persons has remained unchanged in the new text, while that was the first and main concern of the Constitutional Court.

In 2014, the European Court of Justice already made the same principle of structurally massively collecting data from all citizens in a destruction of the Irish and Austrian bills, on which the current bill of the Belgian government looks like two drops of water.

I would like to remind you of the sharp reasoning of the Court. First, the bulk collection of data from all citizens is a violation of the Charter of Fundamental Rights of the European Union. Secondly, the Court considers that – I quote – “the Directive constitutes a very broad and ⁇ serious interference with the fundamental rights, privacy and protection of personal data guaranteed by Articles 7 and 8 of the Charter”. Third, the Court further states that such detention and its use without the citizen being aware of it – I cite – “creates the feeling that their private life is constantly monitored, that the vague sense of being controlled can have a certain impact on the exercise by European citizens of their freedom of expression and information and that therefore also an interference with the rights guaranteed by Article 11 of the Charter must be established”.

The consequence of a law that considers every citizen as a suspect is indeed that everyone has constantly felt controlled. In a rule of law, this is unacceptable.

Legal organizations and human rights organizations, the French-speaking and Dutch-speaking leagues for human rights, NURPA and datapanik therefore wrote a joint position against this bill. They ask that Parliament express itself clearly against this draft – I quote – “and against the unfettered keeping of our communications data. If we do not do so, we will have to give up our rights and freedoms again without any benefit in the fight against terrorism and serious crime.”

Those who violate privacy also violate other fundamental rights and freedoms. For what is left of freedom of expression, freedom of organization and freedom of the press, if every communication via the internet or the telephone is recorded and can, among other things, be requested by the State Security?

The world famous whistleblower Edward Snowden explains the importance of privacy as follows. I quote, “Privacy is essential for a lot of our activities. Whether you call a suicide line, visit an abortion clinic or a porn site, or make an appointment for rehabilitation, get treated for a disease, or if a whistleblower calls a journalist, there are countless reasons to want to keep that kind of activity for yourself and that have nothing to do with qualifying as illegal or wrong.”

The law contains two other questionable arguments for carrying out that breach of privacy. They were cited by the ministers in the committee: the fight against terrorism and the fact that many operators now already have the right to retain such data of their customers for commercial purposes, while many citizens nowadays throw their privacy to commercial firms like Facebook and Google anyway.

For this last argument, I can be brief. If the government considers that the privacy of its citizens is compromised by the commercial activities of large corporations such as those multinationals, then I see it preferring to propose a bill to protect the privacy of its citizens from those multinationals than, on the contrary, to make that data massively available to the state itself.

The Minister’s argument that this bill could contribute to the fight against terrorism and serious crime is also wrong. The legal and democratic civil society expressly states this. Moreover, it was painfully demonstrated by the tragic events of the last few months. The mass collection of data from innocent citizens that can never be processed will not contribute to the fight against terrorism. On the contrary, it prevents a targeted and effective approach. In a rare moment of repentance, even Minister Geens admitted, a few days after the horrific attacks in Brussels and Zaventem, that the problem with the security services is not that they have too little data, but just that they have too much data, which they cannot process. As a result, the court is always facing facts. Instead, a preventive and targeted approach should be applied. Preventive screening of potentially dangerous individuals can prevent crimes without compromising the privacy of innocent citizens.

Following the Paris attacks, the PVDA has submitted a resolution for a democratic and effective fight against terrorism. The resolution breaks with the ideological dogmas of this government in favor of an approach that really works to prevent attacks by targeted investigation of suspected individuals. There must be an ideological struggle against Salafist extremism. The social and economic food ground for recruiters must be removed, and a foreign policy must be conducted that weakens Islamic State, rather than supporting extremist regimes like that of Saudi Arabia and sowing more war and chaos in the region.

Since the reverse approach, the fig-to-passe policy where everyone is guilty rather than innocent until the contrary is proven, has proven its bankruptcy in France and Belgium and the rest of the world, the PVDA will not support this bill. We hope that all Democrats in this hemisphere will follow us.

We abstained in the Committee on Justice and in the Committee on Infrastructure, especially for methodological reasons. The underlying objectives are quite commendable but the approach is questionable. This text was studied in two different committees while an analysis of the two committees gathered together would have been much more relevant, more enriching and would have allowed everyone to have a comprehensive view of its impacts. The same applies to hearings that were expected and which could not be organized, which we regret.

This law had been voted before while the CDH was in the government. The text has nevertheless been improved even though many imperfections remain. We will see what the Constitutional Court will say.

But we must move forward in those matters that also affect security, the current context reminds us of this every day. Therefore, the CDH will vote in favour of this law.

Why was it necessary to amend this law? Telecom operators are in absolute uncertainty. Can data be collected at the moment? Is the use of this data legal? We want to clarify the situation as soon as possible in order to avoid any problems in the future.

Mr Hellings, you repeated the remarks you made in the committee. I feel like you didn’t really listen to the answer. You say there is no view on commercial data. This is not correct, and I have answered you on this issue in the committee. The general rule is that operators cannot keep the data. However, there are two exceptions. The first is about invoicing. There is a list of data that can be retained for the time necessary for invoicing or to settle a dispute relating to invoicing. The second provides that data may be retained for a marketing purpose for a reasonable period of time. When you say that there is no view and that we are collecting a lot of data in an unreasonable way, that’s not at all what’s in the law. This has been discussed extensively in the Committee.

You also say that what is established here is mass surveillance, etc. In my opinion, this is not at all the case. There is a big difference between data collection and data access. It is not because we collect data, but because everyone has access to it. Access is defined in a very strict manner and does not change compared to the previous law. Defining this as a collection of everything about everyone with the possibility of having investigations in all directions is inaccurate. We try to create a framework that is, I think, reasonable and that gives the possibility to conduct research when needed.

Mr. Speaker, I can only confirm the answers that my dear colleague, Alexander De Croo, has given regarding the urgency and the fact that it is not because the data must be kept that we are drowned in them. On the contrary, they should be asked if necessary.

Mr Mathot, as regards the Swedish preliminary question to which you refer, it is clear that the question has been considered and that one can never be sure of its effect before a court or court. Furthermore, with the opinions we have received from the State Council and the Privacy Protection Commission, both positive, we have good hopes to pass the test, especially since within the European Justice Council we have had the right to an eloquent consultation, which reassured us about the possibility for the Court of Justice to pass a law that differentiates according to the type of offences and the type of threats, what we are doing in this case.

I would still like to point out that the complaints of the opponents of this bill in the name of privacy – I’m not sure I’ve understood it as such – while at the same time insisting on the openness given to the international operators of Facebook and others, are unwelcome. In fact, in order to properly understand the IP of a Facebook address, it is necessary from time to time to wait nine months and reconnect that address given by Facebook to our national telecom operator. We really need the storage of this data outside of the business framework of my colleague Alexander De Croo.

Here are some of the reasons why we believe that the vote on this bill is urgent in the interests of national security.

Mr De Croo, for commercial data, you stated, in commission (article no. 122-123 of the report relating to these commercial data on page no. 14), "that it is not possible to determine this duration in a specific number of months". This means that today, telecom operators keep, for an uncertain number of months, data that can be made available to police and intelligence agencies if they request it.

I don’t have to remind you that databridges, i.e. the existence of malware or backdoors in the servers of telecom operators, is not cinema. This is not James Bond. Two years ago, on the server of a subsidiary of Belgacom, which has since become Proximus, the entire metadata stored on that server was returned to a foreign instance, namely the British intelligence services (GCHQ) which, as we know, work closely with the American NSA. What are we talking about here? We talk about that. Therefore, in order to prevent personal data from being hacked by a private company or a foreign intelligence service, it is necessary to collect the lowest possible amount of data. This is where the length plays.

A priori, we are not against rational data collection but it is about making sure that the data to be kept is as short as possible. In this case, you have a problem. This is not science fiction. When we discovered the backdoor installed by the GCHQ, two years ago, it was on the server of the main telecom operator in Belgium, namely Belgacom becoming Proximus.

I will not extend the debate, but rather try to add value to it. We are actually entering a very interesting debate, I think, with in particular what could be called the "territoriality of data" that exists in France. In France, the data must be on the French territory and cannot be in another country, which leads to an impossibility of hacking by other states or requests emanating from abroad and to which one would respond favorably.

What we just said is that we were not in total and limited opposition to this project. At the time, we voted in a different way. Nevertheless, we ask ourselves questions about this urgency after ten years. The urgency is very relative. Everything has been fine for ten years and now we could no longer live without this law!

This is what we regret because this file creates debate and would deserve to be much more in-depth in commission with experts and studies that could enlighten us on the positions to hold and possibly on the law.

We do not know what the Court of Justice will say tomorrow, but we know that we are only a few months away from a decision. Is the emergency here again? Can we not wait for a few months to at least not find ourselves, in the same way, with an obligation to abolish a law that we would have voted for?