
2.3.4 Judicial data and privileged data

Drivers behind the barriers and potential solutions

The overview above showed that the barriers are indirect, and relatively universally serve to benefit the authenticity and integrity of the data. The table below illustrates how this objective could be supported at EU level without needlessly impairing the free flow of data.


Figure 10 – Drivers behind the barrier observed and potential solution (Citizen data and company records)

| Nature of the barrier | Objective / driver behind the barrier | Potential solution? |
|---|---|---|
| Designation of a specific legal entity that manages an official database | Ensuring sufficient security/confidentiality and authoritative nature of the data | Clarification from national lawmakers that the requirement can be met if the data remains under the exclusive control of the designated legal entity. |
| A specific mandate under law or from a specific body is required to access or use the data | Ensuring security/confidentiality, and supporting accountability and supervision | If authorisation is deemed a requirement, there should be EU level recognition so that country-to-country authorisations are avoided. EU level whitelisting of acceptable service providers can similarly be considered. |
| Prohibition against third party access and/or disclosure | Ensuring sufficient security/confidentiality | Clarification from national regulators, supervisors and lawmakers of the necessary information security requirements to restrict access and editing rights in order to satisfactorily meet this obligation, e.g. offsite storage should not necessarily be considered as constituting third party access and disclosure. |
| Requirement for the data to be destroyed under certain circumstances | Ensuring control over the data, avoiding breaches of confidentiality | Use of security/cryptographic controls that impede third party access and ensure that data can be made inaccessible. |
| Joint management or updating of the data is foreseen to maintain the data, i.e. there is cooperation with specific organisations such as municipal or supervisory authorities | Ensuring the completeness and accuracy of the data | Use of appropriate role / authorisation management tools to enable remote storage without eliminating joint management. |

Besides the designation of a local entity to manage authoritative data, another principal barrier that is difficult to address is the ability to ensure the destructibility of data. Encryption ensures that, even if the data is not literally destroyed, it is at least unusable to an attacker. However, the ability of encryption schemes to withstand cryptographic attacks devolves over time. Therefore, encryption can only provide limited relief on this front and it is by no means a conclusive answer. Cryptography may not be sufficient to ensure conclusively that a third party will not be able to access or retain data over a longer period of time. Therefore, alternative approaches should be considered as outlined by the European Network and Information Security Agency (ENISA).

2.3.4 Judicial data and privileged data

Overview and subtypes of data

Continuing the examination of particularly sensitive types of data for which barriers would conceivably exist, the correspondents were asked to look into:

- Privileged information, such as information held by lawyers in relation to their clients and information which is covered by national security obligations, i.e. officially classified information such as RESTRICTED, SECRET, and TOP SECRET.
- Judicial data, including court data and police records.

The following types of data were more specifically reported upon:

Figure 11 – Types of barrier observed (Judicial data and privileged data)

| Country | Source | Restriction imposed on providers / users / data | Direct or indirect | Summary of obligation / restriction |
|---|---|---|---|---|
| Bulgaria | Закон за адвокатурата (обн. - ДВ, бр. 55 от 25.06.2004 г.; изм. и доп., бр. 97 от 07.12.2012 г.), Bar Act (promulgated on 25 June 2004, last amendments as of 07 December 2012); Етичен кодекс на адвоката (приет с Решение № 324 от 8 юли 2005 г. на ВАС (Обн., ДВ, бр. 60 от 22.07.2005 г.; изм. и доп., бр. 43 от 08.06.2010 г.)), Professional Ethics Code of Lawyers (promulgated on 22 July 2005, last amendments as of 08 June 2010). | Lawyers | Indirect | Lawyers are obliged to keep the confidentiality of any information they have obtained from their clients indefinitely. Such information can be disclosed only if such a disclosure is necessary before a court in connection with an ongoing dispute with the client. Such information shall be kept confidential by any and all of the lawyer’s staff and any other person who is involved in his professional duties. Further, all of the lawyer’s papers, records, electronic documents, computer equipment and other information media are inviolable and cannot be reviewed, copied, examined or be subject to a seizure. It does not seem to explicitly prohibit the storage or transportation of this type of information. However, it is unclear how this protection may apply to a lawyer’s information stored by an external service provider (for example, a cloud service provider) who is not subject to protection against any review, copy, examination or seizure of information. Thus, in practice, it could be considered that if a lawyer uses an external service provider for the storage and/or transportation of his confidential information and is aware that such service provider cannot prevent eventual seizure by state authorities of this information, the lawyer does not comply with his confidentiality obligation. |
| Czech Republic | Act No. 141/1961 Sb. (Code of Criminal Procedure) § 85b, subsequently Act No. 85/1996 Sb. (Advocacy Act); Decision No. Nt 615/2014 (Municipal Court in Prague, 9. 7. 2014); Opinion of the Supreme Court No. Tpjn 306/2014, publ. as 35/2015 Sb. tr. rozh | Solicitors | Indirect | The provision of the Advocacy Act lays down confidentiality obligations of solicitors with regard to client communications. The provision of the Code of Criminal Procedure lays down the attorney-client privilege, i.e. it restricts law enforcement bodies from being able to search and seize data that are processed by solicitors about their clients. If such data needs to be used in a criminal investigation, the Police or the Public Prosecution Office has to turn first to the Bar Association for permission. If that permission is not granted, it is possible for the court to overrule and to grant a special permission for search and seizure. The Decision was made in a case where a search warrant was requested for client data that were stored by a solicitor. The storage was outsourced to a cloud that was physically located outside the premises of the solicitor. The court held that when data is physically located outside premises officially used by the solicitor (e.g. in a delocalized cloud), they are not protected by attorney-client privilege. As a result, the Police or state Prosecution Service might obtain just a simple warrant (not the special warrant required for search and seizure of solicitor premises) in order to get that data. The opinion No. Tpjn 306/2014 stated that the place of performance of advocacy (i.e. the place where attorney-client privilege applies) is not limited only to the physical premises of the solicitor but extends also to logical document storage spaces incl. cloud services. |
| Romania | Government Decision no. 585/2002 approving the national standards for the protection of classified information; Government Decision no. 781/2002 on the protection of restricted information; Law no. 182/2002 on the protection of classified information; and Order no. 16/2014 approving the INFOSEC - INFOSEC 2 Directive. | All legal or natural persons which handle classified information | Indirect | Government Decision no. 585/2002 states that transferring classified information to other users requires security certificates and authorization access according to the appropriate level of secrecy. Top secret information cannot be stored, processed or transmitted in automatic information and/or communication systems which are actually or potentially exposed to users without security clearance. Every transmission requires repeated approval. Information and Communication System must have an authorization from the National Registry Office for Classified Information or its subordinate agencies. Updates and modifications to information and communication systems in absence of a human operator are forbidden. Annex no. 10/C describes the protection measures of the information systems which process data and classified information together with the protection measures of the building where these information systems are based. Government Decision no. 781/2002 stipulates the authorisation procedure for access rights which requires written authorization by the director of the unit which holds classified information. Law no. 182/2002 sets the need for mandatory cypher or other cryptographic elements established by competent authorities. Order no. 16/2014 describes the security operation manners/approaches (for different types of classified information and related specific measures for security certificates and authorization certificates). It requires that information and communication systems handling classified information can use the Internet or similar public networks only subject to adequate cryptographic protection. The National Registry for Classified Information is primarily in charge of supervising compliance, together also with representatives of the Romanian Security Agency, Ministry of Defence, Ministry of Interior, Ministry of Justice, External Information Service, Protection and Guard Service, Special Telecommunication Service, heads of public authorities, economic agents with partial or full share capital and of other public entities and also the authorities or people responsible with the general framework for contraventions. |
| Slovenia | Zakon o tajnih podatkih (Uradni list RS, št. 60/11) (Classified Information Act), Articles 14 and 15. | All organizations and bodies that have access to or handle, store, or transfer information classified according to the Classified Information Act. | Direct (organizations need clearance, issued by competent ministry) and indirect (organizations need to establish adequate security measures) | The Classified Information Act prescribes that classified information may only be transferred outside secure zone if encrypted, by methods confirmed by a committee for information security (Art. 14 and 15). All systems where classified information is held must be protected against electromagnetic radiation. The measurements are made by the Ministry of defence, the Police, The intelligence agency and other authorities by the committee (Art. 17). Whenever classified information is processed outside the original location security measures must be comparable to those that must be implemented at the original location. If the information is stored electronically it must be separated from other possible information by way of physical or virtual separation. Only persons with clearance, issued according to the regulation which defines checking procedures, issued by the competent ministry, may have access to the information (Article 16). The information may only be transferred/outsourced to those organizations that have acquired clearance, issued according to the regulation which defines checking procedures, issued by the competent ministry. |

The police databases and national security information are arguably slightly less relevant for the purposes of this study, since it does not seem unreasonable to argue that they relate directly to the core public task of ensuring the fundamental right to safety, security and justice to the European citizens. As such, the information is an inherent part of the public task, for which policies requiring such data to remain exclusively in the hands of the national competent authorities are unsurprising. These barriers will be examined in the following sections as well to ensure a comprehensive overview.

Three out of the four reported barriers are indirect. The direct barrier is reported in Slovenia with respect to national security information, where security requirements are defined at such a high level of detail that foreign storage of data would be practically infeasible. As above, cases for which the legislation directly designates a specific administration that should retain ownership of the data are considered to be indirect, unless (as in the Romanian and Slovenian cases) additional requirements apply that render foreign storage practically difficult.

Scope of the barrier

The following barriers were reported upon:

Figure 12 – Nature and scope of barrier observed (Judicial data and privileged data)

| Nature of the barrier | Observed in which countries? | Why is this (potentially) a restriction to the free flow of data within the European Union? |
|---|---|---|
| Designation of a specific legal entity that manages an official database | RO | Can be interpreted as solely permitting storage / transfer of the data by that specific legal entity |
| A specific mandate under law or from a specific body is required to access or use the data, including to store it | RO | Imposes a potentially cumbersome requirement on service providers abroad, who may not be aware of the requirement or who may be unable to meet it. |
| General confidentiality obligation - prohibition against third party access and/or disclosure | BG, CZ | Can be interpreted as prohibiting passive offsite storage (i.e. storage outside the facilities of the data holder that requires no further processing by the storage service provider). |
| Requirement to impose confidentiality obligations on all persons with access to the data | BG | Can be interpreted as prohibiting passive offsite storage (i.e. storage outside the facilities of the data holder that requires no further processing by the storage service provider). |
| Legal protections against information seizures | BG, CZ | May be hard to enforce with an external service provider, since legal investigators may not be aware that the information is privileged and cannot be seized. |
| Requirement for recipients of the data to hold certain certifications | RO, SI | Can be interpreted as prohibiting passive offsite storage, unless the storage service provider can ensure that all persons who access the facility hold such certifications |
| Prohibition against transfers of data without human intervention | RO | Prohibits data transfers without human intervention |
| Controls exist that limit the hardware or software that can be used to process data | RO, SI | Nationally defined requirements may be hard to obtain necessary information, understand, or observe by foreign providers because they may only be available in the local language or may necessitate access to controls that are only available locally, not internationally |
| National technical storage / exchange requirements | RO, SI | Nationally defined requirements may be hard to obtain necessary information, understand, or observe by foreign providers because they may only be available in the local language or may necessitate access to rules or guidelines that are only available locally, not internationally |
| Requirement to use encryption | RO, SI | Nationally defined requirements may be hard to obtain necessary information, understand, or observe by foreign providers because they may only be available in the local language or may necessitate access to approaches for encryption management that are only available locally, not internationally |
| Data segregation requirements | SI | Nationally defined requirements may be hard to obtain necessary information, understand, or observe by foreign providers because they may only be available in the local language or may necessitate access to approaches for data segregation that are only available locally, not internationally |

It is interesting to observe that there are barriers that limit data transfers (storage or transfer) to designated and authorised / certified entities, but none that explicitly tie this issue to geography. The principal barrier for police and national security records is the existence of national requirements in relation to security, certificates, hardware and software choices, and data segregation.

With respect to lawyers’ information – arguably a better candidate for improving the free flow of data than classified information that would necessarily remain within the competence of Member States as a matter of national security policy – a unique element in the survey and interview reports from this study is the need to ensure and legally impose confidentiality obligations for all persons who are able to access the data and the fact that national laws foresee specific legal protections against the seizure of information. Both of these elements are intended to protect professional privilege. However, they are both harder to implement when data is stored offsite, including particularly in a cross border context: while it is possible (and indeed not uncommon as a part of current market practices) to require a service provider to conclude confidentiality agreements with all persons who are able to access data in a data centre, it is less clear and certain that foreign governments would recognise the privileged character of lawyers’ information and apply comparable legal safeguards as those required under national law [9]. This would seem to complicate the use of non-specialized foreign storage services, i.e. those for which a lawyer would be unsure whether appropriate protections would be applied.

[9] On this topic, see also http://www.ccbe.eu/NTCdocument/EN_04042014_Comparat1_1400656620.pdf.

Drivers behind the barriers and potential solutions

For these particular categories of data, the principal drivers are the assurance of national security, the organisation of an appropriate judicial system, and the assurance of legal privilege to support the protection of legal rights. Nevertheless, just as with objectives for barriers to cross-border flow in health data, some of these objectives for barriers to cross-border flow in judicial and privileged data could arguably continue to be met without harming existing public interests.

Figure 13 – Drivers behind the barrier observed and potential solution (Judicial data and privileged data)

| Nature of the barrier | Objective / driver behind the barrier | Potential solution? |
|---|---|---|
| Designation of a specific legal entity that manages an official database | Ensuring sufficient security/confidentiality and authoritative nature of the data | Clarification from national lawmakers that the requirement can be met if the data remains under the exclusive control of the designated legal entity. |
| A specific mandate under law or from a specific body is required to access or use the data | Ensuring security/confidentiality, and supporting accountability and supervision | If authorisation is deemed a requirement, there should be EU level recognition so that country-to-country authorisations are avoided. EU level whitelisting of acceptable service providers can similarly be considered. |
| General confidentiality obligation - prohibition against third party access and/or disclosure | Ensuring sufficient security/confidentiality | Clarification from national regulators, supervisors and lawmakers that the requirement can be met if substantive access to the contents of lawyers’ data is made impossible. Offsite storage should not necessarily be considered as constituting third party access and disclosure. |
| Requirement to impose confidentiality obligations on all persons with access to the data | Ensuring that there are no loopholes in legal protections | EU level alignment on such requirements (e.g. through model confidentiality agreements) |
| Legal protections against information seizures | Ensuring that client privilege cannot be easily breached | Implementation of procedures at the EU level for such seizures and/or EU level whitelisting of specialised service providers so that these can be easily recognized by criminal investigators. |
| Requirement for recipients of the data to hold certain certifications | Ensuring the appropriateness of security clearance of recipients | EU level alignment on such requirements and/or EU level whitelisting of specialised service providers where all recipients hold such certifications. |
| Prohibition against transfers of data without human intervention | Ensuring that there are no loopholes in legal protections | EU level alignment on such requirements |
| Controls exist that limit the hardware or software that can be used to process data | Ensuring sufficient security and confidentiality of the data | EU level alignment on such requirements and/or EU level whitelisting of specialised service providers that offer appropriate security controls. |
| National technical storage / exchange requirements | Ensuring sufficient security and confidentiality of the data | EU level alignment on such requirements and/or EU level whitelisting of specialised service providers that offer appropriate security controls. |
| Requirement to use encryption | Ensuring sufficient security and confidentiality of the data | EU level alignment on such requirements and/or EU level whitelisting of specialised service providers that offer appropriate security controls. |
| Data segregation requirements | Ensuring sufficient security and confidentiality of the data | EU level alignment on such requirements and/or EU level whitelisting of specialised service providers that offer appropriate security controls. |
