Kosovo government through the Ministry of European Integration has been considering for the third time a problematic dragnet electronic interception and data retention draft law. The draft is undergoing consultation until Friday 3rd April with the aim of sending it to the Parliament for approval, before it dissolves in a couple of weeks for early elections.
The media have reported that the reason for it being drafted by the Ministry of European Integration is that the Government might want to bypass the Intelligence Agency Oversight and Security Parliamentary Committee which has turned down two previous drafts. Currently surveillance in Kosovo is permitted by the Penal Code with a warrant although more detailed rules are lacking.
The law would give the Kosovo Intelligence Agency the ability to tap into communication networks for the purpose of recording internet and telephone metadata. Court warrant is not mandatory, instead, only lawful authorisation is mentioned.
The Minister of European Integration says that the law has been signed off by the EU and the Council of Europe. My emails to the EU Mission in Kosovo have not been returned – it is possible that that is the case. Directive 2006/24/EC on data retention being transposed in this law is highly problematic even in the EU countries. Article 5 on the type of data to be retained is exhaustive. They are, of course, metadata, but metadata can reveal plenty. Implementations of the Directive have been thrown out by high courts in Germany, Czech Republic, and Romania and are being contested in Austria, Ireland and Slovenia. Sweden was threatened for years with heavy fines by the European Commission to implement it, as was Romania. The Directive assumes that we are all potential criminals who can’t be trusted.
In Kosovo we have received a rule of law mission from the EU in order to fix what EU considers a weak legal system, yet by mandating this law in the process of visa liberalisation with Kosovo, EU is creating great opportunities for abuse with the data collected.
The current draft law foresees hefty fines in cases of violations that affect national security but none in cases of violations of citizens’ privacy.
Four concerns that should be clarified in the law are:
a) All electronic interception should be done with a court warrant only;
b) The Intelligence Agency or other institutions should not have parallel means of wire-taping electronic communications;
c) Wire-tapping devices should be open source that is publicly available to ensure that there are no backdoors similar to those unveiled by Snowden;
d) The data retention obligation should be removed because it is disproportionate, highly contested by the Courts, endangers citizens’ privacy in case of data breaches, and the legal system in Kosovo is too weak to ensure it won’t be abused by government institutions. Furthermore, as the draft currently stands, it is in violation of Article 1.1 of Directive 2006/24/EC as it does not limit the scope for which the data can be used to serious crimes only.
Please tell the sponsors of this draft law, as the sticker goes, to come back with a warrant.
Arianit is Member of the Board of FLOSS Kosova, an NGO promoting free software in Kosovo.