EU: Surveillance of telecommunications

Updated 2 April 2015

EU: DATA RETENTION JUDGMENT: European Parliament: Legal Services: Opinion LIBE - Questions relating to the judgment of the Court of Justice of 8 April 2014 in Jolned Cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and others - Directive 2006/24/EC on data retention - Consequences of the judgment (27 pages, pdf)

"The DRI judgment presents a novel aspect in so far as the Court of Justice refers specifically to a particular body of the case-law of the European Court of Human Rights on the issue of "general programmes of surveillance", The Court of Justice has now effectively incorporated the same principles, stemming from this case-law of the European Court of Human Rights, into EU law in this same field. In view of the fact that the cited case-law of the European Court of Human Rights itself relates to a diverse category of surveillance measures (which is not at all limited to data retention issues), it is to be expected that the Court of Justice will, in future, also apply the same reasoning when assessing the validity, under the Charter, of other EU legislative acts in this same field of "general programmes of surveillance....

All new and pending ED legislative proposals which concern the special context of "general programmes of surveillance" must clearly now take account of the reasoning of the Court of Justice in the DRI judgment. Great care must therefore be taken in such cases to ensure full respect for the Charter.

The same considerations will apply also in the case of international agreements under negotiation, given that the EU legislature's discretion, in external relations, to conclude international agreements, under the Treaty and in accordance with the Charter, cannot be wider than the discretion, in internal matters, to adopt ED legislation applying within the ED legal order....

Following the DRI judgment, Member States run an even higher risk than before of having their legislation annulled by the national courts, in a similar way to what has already happened in a number of Member States."

But: "bilateral agreements concluded by the Member States with third countries requiring mass collection of personal data and exchange of personal data for law enforcement purposes would presumably have been concluded in the exercise of the competence of the Member States. Consequently the Charter would not be applicable to such agreements and so the DRI judgment would not then have any particular consequences in this regard." [emphasis added]

See also: European Parliament: Legal Service Opinion on the ECJ judgment (dated 8 April 2014, pdf)

EU: MANDATORY DATA RETENTION: Are national data retention laws within the scope of the Charter? (EU Law Analysis, link)

Following the annulment of the EU’s data retention Directive by the CJEU, an obvious important question arises: are national data retention laws subject to the same ruling of the Court? The purpose of this post is to set out the reasons why they are.

EU: MANDATORY DATA RETENTION: European Parliament: Legal Service Opinion on the ECJ judgment (pdf) and see: Swedish ISP deletes all retained customer data in wake of EU court ruling (PC World, link) and: Finland must revise its data protection laws (Helsinki Times, link)

Also: European Data Protection Supervisor (EDPS): Press Statement: The CJEU rules that Data Retention Directive is invalid (pdf): "The judgment also means that the EU should take a firm position in discussions with third countries, particularly the U.S.A. on the access and use of communications data of EU residents."

ECJ-DATA RETENTION JUDGMENT: European Court of Justice: The Court of Justice declares the Data Retention Directive to be invalid (Press release, pdf) and Judgment (pdf): "It entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary" and Commission 2011: Evaluation report on the Data Retention Directive (Directive 2006/24/EC) (pdf). See Digital Rights Ireland (link) and :

The data retention judgment: The CJEU prohibits mass surveillance (EU Law Analysis, link):

"The Court’s judgment can be seen in the broader context of continued revelations about mass surveillance. Its reference to the retention of data by third States is a thinly-disguised allusion to the spying scandals emanating from the United States. It also responds, sotto voce, to the very great concerns of national constitutional courts about this Directive, discussed in detail in Chris Jones’ post on this issue.

More broadly, the CJEU has seized the chance to give an ‘iconic’ judgment on the protection of human rights in the EU legal order. Time will deal whether the Digital Rights judgment is seen as the EU’s equivalent of classic civil rights judgments of the US Supreme Court, on the desegregation of schools (Brown) or criminal suspects’ rights (Miranda). If the Charter ultimately contributes to the development of a ‘constitutional patriotism’ in the European Union, this judgment will be one of its foundations."

See also Chris Jones’ post : National legal challenges to the Data Retention Directive (link) and What does the death of the EU data directive mean? (euobserver, link).and Commission 2011 evaluation (pdf)

ECJ-DATA RETENTION JUDGMENT: European Data Protection Supervisor (EDPS): The CJEU rules that Data Retention Directive is invalid (Press statement, pdf):

"We anticipate that the Commission, taking into account the Court's judgment will now reflect on the need for a new Directive, which will also prevent member states from keeping or imposing the same legal obligations nationally as laid out in the now invalid Data Retention Directive.

The judgment also means that the EU should take a firm position in discussions with third countries, particularly the U.S.A. on the access and use of communications data of EU residents."

NETHERLANDS: REMOTE ACCESS TO COMPUTERS: NGO "Open Letter" to government: Dutch plans to remotely conduct searches and delete data on foreign computers (pdf) Statewatch is one of 43 NGOs supporting this initiative.

See also: Statewatch Analysis: EU agrees rules for remote computer access by police forces – but fails, as usual, to mention – the security and intelligence agencies (pdf) and Statewatch Analysis: State Trojans: Germany exports “spyware with a badge” (pdf)

European Court of Human Rights to examine complaint against ban on anonymous prepaid mobile phone cards

A member of the Schleswig-Holstein parliament and a civil liberties activist have filed a complaint with the European Court of Human Rights against a German law which makes identification compulsory when buying prepaid mobile phone SIM cards. Laws to that effect exist in 9 of the 27 EU Member States (Bulgaria, Denmark, France, Germany, Greece, Hungary, Italy, Slovakia and Spain). The applicants hope that the Court will recognize their right to anonymous communications and anonymous Internet access.

EU: Revision of Data Retention Directive put on hold with "no precise timetable" for a new proposal

Revision of the controversial EU Data Retention Directive - which requies the storage of internet and phone records for between six months and two years - has been put on hold by the European Commission. It is now seeking to establish a new data protection regime before revising the Data Retention Directive at the same time as a conflicting piece of legislation, the e-Privacy Directive.

MANDATORY DATA RETENTION: Commission takes action against Germany: Data retention: Commission takes Germany to Court
requesting that fines be imposed
(pdf). See also: Germany faces legal action for not implementing EU rules German coalition govt divided over data retention rules (Reuters, link)

EU: DATA PROTECTION BODIES CRITICISE COMMISSION LAW ENFORCEMENT PROPOSALS: European Data Protection Supervisor (EDPS): Press release (pdf) welcomes the General Data protection proposals but says of proposed Directive on the exchange of personal data by law enforcement agencies:

"the EDPS strongly regrets the inadequate content of the specific Directive on data protection in the area of police and justice. Peter Hustinx states: “The Commission has not lived up to its promises to ensure a robust system for police and justice. These are areas where the use of personal information inevitably has an enormous impact on the lives of private individuals. It is difficult to understand why the Commission has excluded this area from what it intended to do, namely proposing a comprehensive legislative framework.” and:

"The EDPS regrets in particular that: the Commission does not propose stricter rules for the transfer of personal data outside the EU, data protection authorities are not given mandatory powers to effectively control the processing of personal data in this area and the possibilities for the police to access data processed in the private sector are not regulated."

The Article 29 Working Party on data protection (national data protection bodies) takes a similar view: Press release (pdf): "Chairman Kohnstamm however regrets the Commission’s level of ambition in the area of police and justice and underlines the need for stronger provisions in this field."

New Directive on the exchange of personal data by law enforcement agencies: Proposal for a Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data (pdf)

- Report on infamous 2008 law enforcement Directive: Report from the Commission: based on Article 29 (2) of the Council Framework Decision of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (pdf)

EU: Commission still seeking proof of the necessity of mandatory data retention

"An ongoing campaign by data protection authorities and civil society organisations has attempted to have the Data Retention Directive either severely amended or repealed altogether. However, it seems that the statement of Commissioner Malmström in a December 2010 speech to a consultation workshop on the Directive remains true: "data retention is here to stay". Moreover, judging from the tone of the Commission's note, it is likely to continue to prioritise the requirements of law enforcement authorities over the rights of individuals."

EU: MANDATORY DATA RETENTION DIRECTIVE: European Commission Consultation concludes: "all Member States - not just a minority – need to provide convincing evidence of the value of data retention for security and criminal justice":

"there are serious shortcomings with the EU framework – including retention periods, clarity of purpose limitation and scope, lack of reimbursement of cost to industry, safeguards for access and use - which must be addressed. In particular, all Member States - not just a minority – need to provide convincing evidence of the value of data retention for security and criminal justice."

See: Consultation on reform of Data Retention Directive: emerging themes and next steps (pdf)

EU: MANDATORY DATA RETENTION: Letter to the European Commission signed by 34 NGOs including Statewatch: Letter (pdf):

"We remain convinced that a comprehensive impact assessment will definitively show that data retention is neither necessary for market harmonisation nor for the fight against serious crime and is, therefore, illegal."

GERMANY: Federal Constitutional Court - Press office: Data Retention in present form is unconstitutional (March 2010, link)

EU: MANDATORY DATA RETENTION OF TELECOMMUNICATIONS: Council of the European Union: Report from the Commission to the Council and the European Parliament Evaluation report on the Data Retention Directive (Directive 2006/24/EC) - Discussion paper (pdf).

Following on from the Commission Evaluation report the Council Presidency poses a number of questions: 1) the "missing definition of serious crime" has lead to "diverging, national practices and indeed, legal uncertainties"; 2) EU court have ruled that the "permanent collection of traffic data constitutes an interference with the right to privacy"; 3) So should the EU define what is a "serious crime"?; 4) Should statistics be used to demonstrate necessity and proportionality, especially as "tables of statistics include generally more empty fields than filled in ones"? "Missing statistics continue to raise questions.." 5) The current retention limits are a minimum of six months and a maximum of two years - should these be longer or shorter? 6) Should the use of unregistered (anonymous) SIM cards be banned? and 7) Should "data preservation" be used?

Tony Bunyan, Statewatch Director, comments: "The Council's Discussion Paper raises fundamental issues about the legality of Member States continuing to to gather and retain details of all communications under the Directive."

EU: Mandatory data retention: Press release by the German Working Group on Data Retention (AK Vorrat), Impossible to Ensure Legality of EU Communications Data Retention Directive Says German Parliament (pdf). See also Statewatch's Observatory: The surveillance of telecommunications in the EU

EU: Report from the Commission to the Council and the European Parliament: Evaluation report on the Data Retention Directive 2006/24/EC (COM 2011, 225 final, pdf). See EDRi evaluation of data retention shows it has significant costs but no benefits (link), Action group calls for ban on telecommunications data retention in the EU (link)

EU: European Commission: Mandatory data retention: Data retention: Commission refers Sweden back to Court for failing to transpose EU legislation (pdf).

EU: MANDATORY DATA RETENTION: German Working Group on Data Retention (AK Vorrat): Study finds telecommunications data retention ineffective (link) and Study (pdf)

EU: MANDATORY DATA RETENTION: Data Retention Directive evaluation: expect the unexpected? (Bits of Freedom, link):

"The evaluation of the controversial Data Retention Directive takes an unexpected turn, for the worse. At a crucial one-day conference in Brussels, aimed at gathering input for the evaluation, long-term critic of the Directive Commissioner Malmström (Home Affairs) surprisingly announced that ‘data retention is here to stay’."

Peter Hustinx, European Data Protection Supervisor (EDPS) said of the "notorious" Directive

"Let me underline this today: retaining communication and location data of all persons in the EU, whenever they use the telephone or the internet, constitutes a huge interference with the right to privacy of all citizens. The Directive is without doubt the most privacy invasive instrument ever adopted by the EU in terms of scale and the number of people it affects."

- Commissioner Cecilia Malmström speech: Taking on the Data Retention Directive (3 December 2010, pdf)
- European Data Protection Supervisor: speech (3 December 2010, pdf) and Press release (pdf)
- Data retention conference, 3 December 2010: Discussion paper (pdf)
- Note on the consultation meeting, 3 December 2010 (pdf)

- Civil society letter to Commissioner, September 2010 (pdf)
- Joint Statement by the Panoptykon Foundation and the Helsinki Foundation for Human Rights (pdf)
- Directive on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (pdf)

POLAND: Data retention and population surveillance. Poland is leading EU country in terms of access granted to its law enforcement agencies and secret services to retained telecommunication data:

Polish law enforcement agencies requested in 2009 access to traffic data as many as 1.06 million times. This gives 27.5 requests per 1,000 inhabitants, this is in comparison to other EU Member States like the UK (8.6 requests) or the Czech Republic (10 requests), not mentioning Germany (0.2 requests). The statistical data was collected by the Office for Electronic Communications for the purposes of Polish government's response to a questionnaire prepared by the Commission and recently made public by a Polish NGO, the Panoptykon Foundation, in collaboration with the Helsinki Foundation for Human Rights. Evaluating directive 2006/24/EC on the retention of communications data both NGOs stressed that the directive 'was transposed in Poland in a semi-secret way, without adequate public debate'. They add that data retention regime as implemented in Poland 'amounts to invasive surveillance of the entire population, which cannot be accepted in a democratic society'. Finally, they concluded that the implementation of the directive has led to a systemic problem with ensuring safeguards for fundamental rights and the rule of law. Joint Statement by the Panoptykon Foundation and the Helsinki Foundation for Human Rights (pdf)

IRELAND: Data Retention: DIGITAL RIGHTS IRELAND WINS RIGHT TO TAKE CASE TO ECJ: Judgment re Preliminary Reference, Standing, Security for Costs (link): This is a copy of a judgment of the Irish High Court in relation to the constitutional challenge brought by Digital Rights Ireland against data retention in Europe. The judgment is from the 5th of May 2010 and relates to three key procedural questions: 1. Does DRI have standing to make arguments based on privacy and other fundamental rights? 2. Must DRI lodge money into court as security for the costs of the State? 3. Is this an appropriate case to refer to the European Court of Justice to determine whether the Data Retention Directive is compatible with fundamental rights.

All three questions are decided in favour of DRI and the court holds that: 1. DRI can make these arguments; 2. DRI need not pay money as security for costs; and 3. The case will be referred to the European Court of Justice. (NB: the judgment is marked "unapproved" meaning that it is not a final version - there may still be typos, etc., to be amended before it is finalised).

See also: European Court to rule on communications data retention (link)

NGO Letter to EU Commissioners rejecting the Directive on mandatory data retention (pdf). The Letter signed by 106 NGO

German High Court Limits Phone and E-Mail Data Storage (Spiegel Online, link). Full-text of the judgment (German, link). See also: On the BVG ruling on Data Retention: “So lange” – here it goes again (link). Press release of court in English (link)

10 February 2009: ECJ: The Data Retention Directive is founded on an appropriate legal basis (Press release, pdf) and Full-text of judgment (pdf). See also: Press release by German Working Group on Data Retention, 10 Feb 2009: After ruling on data retention: activists remain confident  

29 October 2008: EU: DATA RETENTION: Press release by Arbeitskreis Vorratsdatenspeicherung (German Working Group on Data Retention), 29 October 2008: "Resistance against watering down of traffic data protection

In a letter to EU Commissioner Viviane Reding published today, 11 German organisations are criticising a European Parliament move that would allow telcommunications providers to collect traffic data for "security purposes".

The civil liberties, journalists, lawyers and consumer protection organisations are warning in the letter that the European Parliament's vote on the telecom package of 24 September contains a "blank cheque" for the collection of more traffic data than is currently being collected even under the directive on data retention, without setting a time limit. The series of data abuses and incidents that have occurred in Germany, Italy, Greece, Latvia, Bulgaria, Slovakia and Hungary in recent years demonstrates that only erased data is safe data, the letter continues. The EU Council (where the telecom package will be debated on 27 November) is asked to reject the proposal.

A background paper published today by the German Working Group on Data Retention points out that the European Parliament move is the result of lobbying by the US-based Business Software Alliance (BSA). The BSA recently sent a hitherto unpublished paper to EU member states, pushing for even more extensive data collection powers and for exempting Internet usage data from data protection law."

The letter sent by 11 organisations (in German):
The Working Group's background paper on the issue (in English)
The Business Software Alliance's lobbying paper (in English):

May, 2008: HUNGARY: Constitutional complaint filed by HCLU against Hungarian telecom data retention regulations (Hungarian Civil Liberties Union) (pdf)

May, 2008: BULGARIA: EU MANDATORY DATA RETENTION DIRECTIVE: We have to abolish Regulation ¹ 40, which gives the Ministry of Interior the right to retain data for every Internet-user (2.5MB, pdf) and Bulgaria: Against Internet “Bugging” (link to Global Voices). For background see: Statewatch's Observatory on The surveillance of telecommunications in the EU

EU-MANDATORY-RETENTION-OF-TELECOMMUNICATIONS-DATA: Germany: Press freedom under attack: Big Brother Eyes German Journalists (Speigel Online, link) See: Statewatch Observatory: The surveillance of telecommunications in the EU

September 2007: UK: Mandatory retention of telecommunications in UK - as predicted - "nodded" through parliament and comes into effect on 1 October 2007: Statutory Instruments 2007 No. 2199, Electronic Communications: The Data Retention (EC Directive) Regulations 2007 After a perfunctory and ill-informed exchange, which just lasted a few minutes:House of Lords (pdf), no reference was made to the fact that the transposition of the existing "voluntary" agreement into a mandatory one would normally require primary legislation. As from October records all phone-calls, e-mails, faxes, mobile phone calls (including locations) have to be retained by service providers for access by law enforcement agencies. Within 18 months a further Statutory instrument will cover the retention of internet usage (sites visited etc and voice telephony via internet). See: Statewatch analysis: Mandatory retention of telecommunications traffic to be "nodded" through in the UK (pdf) and UK: Data retention and access consultation farce: Government to allow access for crime purposes to records which can only be held for “national security”

EU: Data Protection Commissioners calls for harmonised safeguards on the use of mandatory data retention Tony Bunyan, Statewatch editor, comments: "Time and time again EU governments are "harmonising" the powers of the state to place individuals under surveillance, when are they going to "harmonise" the right of the individuals against the misuse and abuse of state power?"

Article 29 Data Protection Working Party Opinion (WP 119) on mandatory data retention (pdf)

Final version of the Directive on mandatory retention of traffic data from the Official Journal (pdf)

See also: Data retention and police access in the UK - a warning for Europe

January 2006

EU: Mandatory data retention vote in the European Parliament on 14 December 2005 The final vote on the legislative resolution was 378 in favour, 197 against with 30 abstentions. The Green/EFA and GUE (left group) voted against while the ALDE (liberal group) split with 25 MEPs voting in favour and 37 against (including Mr Alvaro, the rapporteur). The two biggest parties, the PSE (socialist group) and PPE (conservative group) overwhelmingly voted in favour - 39 PPE MEPs voted against (10 abstained) and 24 PSE MEPs voted against (2 abstained).

EU: Another nail in democracy's coffin: European Parliament, 14 December 2005: The EP today voted in favour of "deal" on mandatory data retention agreed in secret meetings between the Council (EU governments) and the "grand coalition" of the PPE (conservative group) and the PSE (socialist group). The measure was "fast-tracked" through the parliament on 1st reading. The vote was 378 votes in favour, 197 against and 30 abstentions. The GUE, Greens and UEN groups and some members from the ALDE group voted against the directive in the final vote. The rapporteur, Alexander Nuno Alvaro (ALDE, DE) withdrew his name from the report. Amendments adopted by EP (pdf) For documents and background please see: Statewatch analysis: "The European Parliament and data retention: Chronicle of a 'sell-out' foretold?" (pdf) by Professor Steve Peers, Open Letter from civil society groups to the European Parliament calling on MEPs to reject Data Retention, UK-EU: Data retention and police access in the UK - a warning for Europe and for full background, see Statewatch's Observatory on the surveillance of telecommunications in the EU

Tony Bunyan, Statewatch editor, comments:

"The European Parliament has failed on almost every count to protect fundamental rights and privacy. The two big parties in the parliament believe more in "inter-institutional loyalty" to the Council (the EU governments) than their responsibility to the people who elected them.

The way this measure was passed is a democratic travesty - rushed through with deals negotiated in secret and not in open committee. When civil society and national parliaments have no chance to find out what is happening, when the proper co-decision timetable is discarded, there is little chance to intervene. Such a procedure diminishes respect for the European Parliament and lacks any legitimacy whatsoever.

Mandatory data retention will place all the communications of everyone under surveillance. In 2002 the same grand coalition steam-rolled through the Directive on privacy in telecommunications opening the door to state agencies. In December 2004 the mandatory taking of finger-prints for passports was agreed and in April 2004 an EU PNR (passenger name record) for everyone flying in and out too. The asylum procedure directive - which is a disgrace to any notion of humanity and the rule of law - was formally adopted last week. The cost of the "war on terrorism" to democratic standards is mounting as each year goes by. Today we have seen another nail driven into democracy's coffin"

EU: Mandatory data retention: Council agreed position on mandatory retention of communications data (dated 2.12.05, pdf) Press reports suggest that the European Commission will accept these changes to its draft Directive. To work though the European Parliament has to adopt exactly the same amendments at its plenary session 12-15 December - the deadline for amendments is 7 December. Posted 3.12.05.

Tony Bunyan, Statewatch editor, comments:

"This is turning into a democratic fiasco. The Council has a long list of reservations by member states and four substantive issues where it disagrees with the European Parliament. The European Parliament rapporteurs have had three secret trialoges with the Council and the Commission - now the PPE (conservative group) and the PSE (socialist group) appear to be carrying out their own negotiations with the Council with the aim of rushing through the measure before Xmas under the "fast-track" procedure (intended for non-controverisal measures).

It is quite impossible for anyone, outside of a handful of people, to follow what is going on. If national parliaments and civil society cannot track the decision-making procedure they are unable to make their views known. This is compounded by a virtual media silence - until the "deal" on the measure was sown-up on 2 December - leaving the people of Europe in ignorance about the decision to place under surveillance everyone's communications.

A decision taken in this fashion will utterly lack legitimacy."

1. Draft Council text of the Directive (doc 15101/05, 1.12.05)
2. Extensive list of Member State Reservations on the draft text in 15101/05 (doc 15101 ADD 1, 1.12.05)
3. Note from Presidency setting out four areas for decision of Council on its position (doc: 15220/05, 1.12.05)

Council position as at 29 November 2005

* EU: Mandatory data retention: Report from the European Parliament Committee on Civil Liberties as amended (see below) dated 28
November 2005. This followed a series of further "compromise" amendments supported by yje PPE (conservative), PSE (socialist) and ALDE
(liberal) groups: Data retention a step closer - privacy sell out as EP committee approves "compromises" reached in secret meetings
The vote was 33 to 8 in favour of the PPE-PSE amendments, with 5 abstentions, Green/ALDE and GUE (left) MEPs voting against (see Green
group press release).

* The first negotiating "trialogue" between the Council, Commission and the European Parliament was held on 15 November (the next is on 22
November). After the meeting:

- Mr Cavada, the chair of the Committee on Civil Liberties (LIBE) sent a letter to Mr Borrell, the President of the European Parliament: Cavada
letter to Borrell

- the UK Presidency of the Council sent a report to COREPER set out 11 areas of difference with the European Parliament: Council report from
the UK Presidency (doc no: 14328/05)

- the European Parliament set of an amended list of "compromise amendments": EP, 17 November - amendments
- key points in Council and EP positions above: Mandatory data retention - the shifting sands of "compromises" reached out of public
view

* EU: Mandatory data retention: European Parliament rapporteurs agree list of "compromise" amendments: "Compromise amendments" -
14.11.05
(19 pages, pdf) - this has been whittled down from the: Full list of amendments (167 pages, pdf). The parliament's new list of
amendments were the basis for a "trilogue" (closed meeting between rapporteurs, Council and Commission) on 15 November. If a common set of
"compromise" amendments can be agreed between the parliament and the Council they will be "fast-tracked" through to the plenary session on
14-15 December for adoption.

* Meanwhile the UK Select Committee on European Scrutiny in the House of Commons put out a Report (pdf) on 8 November which
says that the proposal is still under scrutiny awaiting further information from the Home Office Minister. It notes: "No date set" for the proposal to
be discussed in Council. In Brussels the UK Presidency of the Council hopes to get agreement before the Justice and Home Affairs Council on
1-2 December and for the measure to be adopted before Christmas. How national parliaments are meant to keep under meaningful scrutiny a
proposal whose content is changing day by day is a mystery.

* Council negotiating position (8.11.05)
* Comparative chart showing Commission draft Directive, the Council's view and EP amendments: Chart (pdf) The first "trilogue" between the
Council and the European Parliament (EP) will take place on 10 November: A timetable has been circulated to MEPs which would allow a
"compromise" to be reached with the Council and for the measure to be agreed at 1st reading ("fast-track") at the plenary session on 14-15
December.
* EU: Mandatory data retention: Amendments proposed to the Council's draft Directive for the Committee on Civil Liberties in the
European Parliament

* UK-EU: Data retention and police access in the UK - a warning for Europe
* Critical Opinion of the Article 29 Working Party on Data Protection (pdf)

This Observatory is tracking the legislative process in the EU on the Council's (the 25 EU governments) proposal to introduce the mandatory
retention of telecommunications data by service and network providers which will be accessed by law enforcement agencies. If adopted it will
mean that everyone's communications (phone-calls, e-mails, faxes, mobile phone-calls including location, and internet usage) will be stored and can
be accessed in relation to any suspected crime, however minor.

The Council, through its UK Presidency, is putting pressure on the European Parliament to rush through the measure at 1st reading (even though
the Council has taken over four years to come up with a proposal - which is still not finalised in the Council). Negotiations between the Council
and the European Parliament to try and reach a fast-track "deal" begin on 15 November (this "trialogue" will include the UK Ambassador, Mr
John Grant and the Commission).

Discussions on access to telecommunications by the law enforcement agencies began in 1993 in Quantico, USA (the Headquarters of the FBI).
For the history and documentation see: EU-FBI Observatory Later developments are included in: SOS Europe

Background: The issues and documentation

The background and documentation are divided into five sections:

  1. The Council
    2. The European Commission
    3. EU Data Protection Authorities
    4. The European Parliament
    5. Civil society

"If the security and intelligence agencies - who are at the forefront in stopping terrorist attacks - need access to the telecommunications
data to be retained it is very hard to believe that EU governments would have taken over four years to come up with a proposal which
will not come into effect for at least two further years. If this is the case they would be guilty of gross negligence and failure to protect
the people of Europe. However, if additional powers are needed they should be strictly limited to dealing with terrorism and related
offences."
- Tony Bunyan, Statewatch editor.

  1. The Council

Under the last Austrian EU Council Presidency in 1998 the infamous "ENFOPOL 98" (see: EU governments to give law enforcement
agencies access to all communications data - analysis
) was circulated, but the proposal was dead after widespread condemnation by civil
society groups and individuals. This remained the situation until Conclusions of the special meeting of the Justice and Home Affairs Council,
20 September 2001
. This was followed by the George Bush's letter to the EU of 16 October 2001 which included the demand to:

"Revise draft privacy directives that call for mandatory destruction to permit the retention of critical data for a reasonable period."

In August 2002 Statewatch was leaked a proposal drafted by the Belgian government (backed by the UK) to introduce mandatory data retention
and the exchange of the data between law enforcement agencies: EU: data retention to be "compulsory" for 12-24 months (pdf) and
CONFIDENTIAL: Belgian proposal. The Danish EU Presidency issued a statement denying the existence of the Belgian draft (already
published by Statewatch): EU Presidency issues statement on data retention

In 2003 Statewatch published an analysis showing that nine out of 15 EU governments were intending to introduce data retention at national level.
The position in EU member states (based on unpublished documents): EU: Majority of governments introducing data retention of
communications

It was not until 28 April 2004 that four member states (French Republic, Ireland, the Kingdom of Sweden and the United Kingdom) to put
forward a proposal: 8958/05 (pdf). Between 28 April 2004 and 31 May 2005 six versions of the proposals were available on the Council's
register of documents, eight were partially accessible ("PA", with the names of member states blanked out so that no-one could see what their
governments were arguing) and one was not accessible. Between 1 June and 25 October 2005 there are no less than 13 substantive Council
drafts, none of which are publicly available on the Council's register of documents.

The latest full draft of the Council's proposal, dated 10 October 2005: 12894/1/05 - this shows that there were major reservations by many
member states on issues of substance. For example:

"In order to address the reservations in relation to Internet data, the Presidency had proposed a compromise package whereby "Internet
chat" was included in Article 2(2) along with the wording proposed by FI ("provided by publicly available electronic communications
service providers"). In conjunction with that, a "review clause" was inserted in Article 8. Several delegations (IT/HU/ES/CZ) could
accept or supported the Presidency proposal. Others wanted to go further and include logs of web browsing, Internet chat and
peer-to-peer communications (BE/SW/LT/DK). However AT/FI/LV/DE/FR/IE/GR/SK/EE could not accept the inclusion of Internet chat
or other Internet data types expressing concern that the inclusion of such data might have an impact on the costs incurred and / or
require more in-depth consideration in respect of a clear distinction between traffic data and content data which might risk delaying
discussions. They thought that the outcome of the meeting of the Working Party in July 2005 reflected the minimum consensus and
wanted to revert to that wording. The proposed review clause met with acceptance."
(emphasis added)

However, despite this "compromise" Greece and Estonia maintained a "Scrutiny reserve" on the whole of Article 2 and Austria, Poland, Czech
Republic, Cyprus, Slovenia, Latvia, Hungary and Finland maintained "Scrutiny reservations" on paragraphs 2-6 of Article 2.

The concern expressed by nine governments over "a clear distinction between traffic data and content data" has, under Article 8, simply been
deferred until 1 January 2008 when:

"The Council shall thereafter review the list of data to be retained in particular with reference to the possibility of including additional
types of Internet data."

A clear distinction between access to traffic data and its content is thus blurred.

A further document, 24.10.05, shows the Council working on two tracks: 1) to try and finally agree their own proposal and 2) proposing
amendments to the Commission draft Directive: 13624/05

The big issue, which has obscured the debate over the substantive issues, is the legal basis of the Council proposal. Both the Legal Services of the
Council and the European Commission said that the proposal had to be split in two - the mandatory retention of data by service providers coming
under the TEC (Treaty establishing the European Communities) where the European Parliament has powers of co-decision (ie: the Council and
parliament have to agree on the final text) and access to the retained data by LEAs as a Framework Decision under the TEU (where the
parliament is only consulted). See: Statewatch report and the Opinions of the Legal Services. Both concluded that if the Council were to
pursue a single measure it would almost certainly be challengeable in the Court of Justice. Indeed the Council itself notes if adopted as a single
measure it could:

"be annulled: this could result in claims for compensation from any operator who had already been obliged to implement the measure"
(EU doc no: 13036/05)

Although these Opinions were dated 22 March 2005 (Commission) and 5 April 2005 (Council) the Council carried on for five months as if they
did not exist - only belatedly has the Council grudgingly suggested that it might agree to back the Commission's draft Directive on mandatory data
retention, but only if agreement can be reached with the European Parliament by the beginning of December (in time for the Justice and Home
Affairs Council on 1-2 December), see, letter from UK Home Secretary, Charles Clarke, representing the UK Council Presidency: Clarke letter
to Cavada
(Mr Cavada is chair of the parliament's Committee on Civil Liberties).

The latest Council document (13789/05, dated 28.10.05) sets out:

  1. Outstanding issues to be agreed by member states
    b. The Council's proposed amendments to the Commission's draft Directive
    c. The latest versions of the Council's draft Framework Decision (to be read in conjunction with: 12894/1/05) doc no: (13789/05, dated
    28.10.05) and 14023/05 (8.11.05) - effectively the Council's negotiating positions.

What is quite extraordinary about the Council's demand that the European Parliament rush the measure is that the Council has not even agreed its own final text.

  1. The European Commission

Following the initiative in the Council by four member states the European Commission DG Information Society and DG Justice and Home Affairs
held a public consultation on the issue of traffic data retention in August 2004: Consultation document (pdf)

In the autumn of 2004 the Commission placed on record its reservation about the legal basis of the Council's proposal. Once the legal opinions of
both institutions were published it was only a matter of time before the Commission put forward its own proposal, which it did on 21 September
2005: Commission proposal for a Directive and Commission Extended Impact Assessment

The Commission's proposal differs from that of the Council in terms of scope. While the Council's proposal covers:

"the purpose of investigation, detection and prosecution of criminal offences."

the Commission says it should cover:

"the purpose of the prevention, investigation, detection and prosecution of serious criminal offences, such as terrorism and organised
crime."

The scope of the Commission's definition is more limited but as "serious criminal offences" are today defined by the EU very broadly it is a major
extension from covering terrorism and directly related offences.

What is worthy of note is that the powers under the UK's Anti-Terrorism, Crime and Security Act, passed in 2001, the scope of the
retention of data by service and network providers is strictly limited to "national security" and offences "directly or indirectly
related to it. Under the Act the Home Secretary can request the retention of data:

"(a) for the purpose of safeguarding national security: or
(b) for the purpose of prevention or detection of crime or the prosecution of offenders which may relate directly or indirectly to national
security
"
(Section 102.3, emphasis added)

The Commission's proposal is also:

" far more invasive than the Council proposal. The Commission defines 'communication' as involving "any information exchanged or
conveyed between a finite number of parties by means of a publicly available electronic communications service". Therefore the
Commission is proposing the tracing of all forms of Internet transactions. This means that communications service providers could be
compelled to store their mail server logs, web cache logs, and IP flow logs[4] for six months without any regard to necessity or
proportionality."
(NGO letter to MEPs, 26.9.05)

The Commission's proposal utterly fails to deal with data protection. As its proposal comes under the "first pillar" (TEC) the personal data retained
by service and network providers comes under the 1995 Data Protection Directive. Its Extended Impact Assessment simply asserts that as the
1995 Directive has been implemented by all member states there is no need for any further provisions and that "citizens can exercise their powers
as granted under these instruments" (p20). But what are the powers of the citizens at national level? Do the powers and resources vary from state
to state?

Well the conclusion of the only report on the operation of the 1995 Directive in the member states was published in 2003: 1st report on the 1995
Directive
and its Technical report. The first report notes that there were variations in powers between states, many data protection authorities
were under-resourced and patchy compliance by data controllers. It concludes that if these tendencies are confirmed:

"they are reasons for serious concern and reflections need to be undertaken between the Commission and the Member States and the
supervisory authorities to determine their causes and design feasible solutions."

In particular the report notes that:

"The provisions containing safeguards have not been adopted by all Member States. Where they exist, they are often unsatisfactory. The
situation is similar as regards Article 8 (4) and (5) - the processing of sensitive data for reasons of public interest or with regard to
criminal convictions
. The absence of safeguards means the required level of protection for individuals is not being met, which should be
a matter of concern for the Member States, as it is for the Commission."
(emphasis added)

Whereas the justification for the Commission's proposal on mandatory data retention is to get rid of a "patchwork" of different powers in member
states, when it comes to data protection there is silence. The 1995 Directive was implemented in the then members states by 1998 since when
there has been just one report whose reservations has also been meet with an institutional silence. Moreover, with the shift of responsibility for data
protection from the Internal Market DG to the so-called "Freedom, Justice and Security" DG there is little prospect of any action, see: Data
protection handed to the DG for “law, order and security”

As noted above the Council's proposal covers two areas: 1) the mandatory retention of telecommunications data by service and network providers
- to which the Commission has responded with a proposed Directive and 2) access to the retained data by law enforcement agencies and the
exchange of that data between them (and under the "principle of availability" to non-EU states too) - however, the Commission has yet to
published a proposal for a Framework Decision on this second aspect. It is hard to see how the European Parliament can properly
consider the first proposal without having sight of, and time to consider, the second one.

  1. EU data protection authorities

The European Data Protection Supervisor (EDPS) has produced a report on the Commission's proposal calling for substantial changes: EDPS
Report

The Article 29 Data Protection Working Party on the Council initiative by four members states - the Council proposal in November 2004: Article
29 Working Party opinion
The the Working Party has adopted a further report on the Commission's proposal: WP 113 (21 October). See also:
Privacy International comments

The European Parliament should seeks to effect all the recommended amendments proposed by these two bodies.

  1. The European Parliament

The first battle for the European Parliament was to insist that the Council proposal be dropped - due to its faulty legal basis - and for two
proposals to be presented. One based on the mandatory retention of data under the TEC, on which it has powers of co-decision, and another on
access to the data and its transfer under the TEU on which it is only consulted.

A report adopted by the parliament's Data retention by Mr Alvaro the rapporteur from the Committee on Civil Liberties sought to clear up the
legal basis. Mr Alvaro has since prepared: Amendments to the Commission proposed Directive (19.10.05)

European Digital Rights (EDRI) report that Charles Clarke was not at his most diplomatic when he addressed the Committee on Civil Liberties on
13 October. He told the Committee that if they did not agree the proposal before December Justice and Home Affairs Council (1-2 December)
the Council would adopted their draft Framework Decision. Moreover he is reported to have told MEPs that if parliament failed to do this "he
would make sure the European Parliament would no longer have a say on any justice and home affairs matter". "Technical" briefing by the
Commission
to the European Parliament's Committee on Civil Liberties.

As is clear from the Clarke letter to Cavada (UK Home Secretary, Charles Clarke, representing the UK Council Presidency and Mr Cavada is
chair of the parliament's Committee on Civil Liberties) the Council is trying to blackmail the European Parliament with the threat that it will go
ahead with its own Framework Decision. In his letter to Mr Cavada, Clarke says:

"the Framework Decision will remain on the table, as an option favoured by a large number of delegations. However, a majority of
delegations were also open to a Directive"

The Council is saying if the Directive can be adopted "by the end of the year" and the text matches their demands then they will go down this
path. In truth the Council has no choice but to drop its proposal and go along with two draft measures and it knows it.

Clarke's letter to 17 October is slightly more conciliatory but contains the same veiled threat of reverting to the original Council proposal. He wants
to work closely with the parliament "to maximise common ground... by the end of the year". He ends by saying that if all three institutions (Council,
Commission and European Parliament) cooperate it will:

"show that we are serious about working together to make a difference to the daily lives of our citizens"

A statement that is ambiguous to say the least - the measure will certainly make a difference, the question is what kind of difference?

At the meeting in the European Parliament of the "Conference of Presidents" (the Group leaders of the parties) on 20 October mandated Mr
Cavada and the committee to pursue negotiations with the Council. Such "trilogue" meetings between the Council, Commission and European
Parliament representatives take place behind closed doors.

The only way the parliament can meet Charles Clarke's early December deadline is through a first reading co-decision "deal" - by agreeing a set of
common amendments to the Commission draft Directive which are then formally adopted by the Council and by the Committee on Civil Liberties
and then plenary session of the parliament - this "fast-track" procedure is intended to deal with uncontroversial measures, which is certainly not true
in this case.

It should be remember that the need for this proposal was agreed by the Council over four years ago (20 September 2001) so it is to be hoped
that the parliament will not succumb to "inter-institutional" pressure and take all the time necessary to ensure that the liberties and privacy of the
people of Europe are properly protected.

  1. Civil society

Civil society - NGOs and groups working on civil liberties, privacy, lawyers and journalists - have opposed the measure from the start. They
remain unconvinced as to the need and are equally certain that if introduced the powers will, on occasion, be misused and abused. They are not
convinced that EU data protection provisions will give any meaningful protection to the individual, who will have no right to be told they have been
under surveillance - unless, of course, they are arrested and charged. And if they have no "right to know" they will have no right to correct the data
or to be told which agencies information on them has been passed and how it has been added to (inside and outside the EU).

These views are exacerbated by the so-called "principle of availability", invented under the Hague Programme, where intelligence and information
held by an agency in one member state can be passed to that in another or to a non-EU state.

Where governments, officials and many parliamentarians are inclined to place their trust in the law enforcement (and security) agencies, concerned
civil society see this measure as one of many where these agencies will become self-regulating and unaccountable.

In September 2004 an Open Letter opposing mandatory data retention was sent to the European Parliament from 170 groups/companies - 90
NGOs and 80 telecoms companies: Open letter on mandatory data retention

Among the main concerns are:

  1. If the security and intelligence agencies - who are at the forefront in stopping terrorist attacks - need access to the telecommunications data to
    be retained it is very hard to believe that EU governments would have taken over four years to come up with a proposal which will not come into
    effect for at least two further years. If this is the case they would be guilty of gross negligence and failure to protect the people of Europe.
    However, if additional powers are needed they should be limited to dealing with terrorism and related offences.
  2. The terrible terrorist attacks in the USA, Madrid and London should not be used to justify placing all communications in the EU under
    surveillance, making everyone a potential "suspect". This is exactly what the EU governments (the Council) want to do when they propose that the
    retained data can be used for any suspected criminal offence, however minor.
  3. The wholesale retention of all communications of everyone is contrary to the findings of the European Court of Human Rights (under Article 8).
    This interference with the privacy rights of every user of European-based communications services cannot be justified under the limited exceptions
    envisaged by Article 8 because it is neither consistent with the rule of law nor necessary in a democratic society. The indiscriminate collection of
    traffic data offends a core principle of the rule of law: that citizens should have notice of the circumstances in which the State may conduct
    surveillance, so that they can regulate their behaviour to avoid unwanted intrusions. Moreover, the data retention requirement would be so
    extensive as to be out of all proportion to the law enforcement objectives served.
  4. The question of cost has been fudged by the Council and the Commission. What has not been highlighted is that service and network
    providers will be asked to retain a lot more data on each communication than they ever did for billing purpose.
    The "institutional
    consensus" seems to be to leave it to national decision-making whether government are going to help pay for the storage and access to mountains
    of data or whether the cost will be passed on to the customer. Either way we will all end up paying for our own surveillance.
  5. Even the USA has not proposed such a measure, nor will it apply to a service providers from outside the EU.
  6. The bottom line is, what kind of society do we want to live in - one where democratic values and standards are maintained in the face in terrorist
    attacks or one which no Western country would have dared bring about during the Cold War?

"Therefore the European Parliament now faces a crucial decision. Is this the type of society we would like to live in? A society where all
our actions are recorded, all of our interactions may be mapped, treating the use of communications infrastructures as criminal activity;
just in case that it may be of use at some point in the future by countless agencies in innumerable countries around the world with
minimal oversight and even weaker safeguards."
(NGO letter to MEPs,2.9.05)

Tony Bunyan, Statewatch editor, comments:

"The Council has failed to convince many of us of the need for this measure. But it is good that on such a momentus issue - placing all
the communications of everyone under surveillance - that the European Parliament has the full powers of co-decision. These are powers
it should use to the full:

  1. The initiative for this measure came out of the EU's reaction to 11 September 2001, its scope should thus be limited to terrorism and
    directly related offences. If the security and intelligence agencies - who are at the forefront in stopping terrorist attacks - need access to
    the telecommunications data to be retained it is very hard to believe that EU governments would have taken over four years to come up
    with a proposal which will not come into effect for at least two further years. If this is the case they would be guilty of gross negligence
    and failure to protect the people of Europe.
  2. To call on the Commission to prepare a report on data protection laws and practices in all member states - the Commission says in its
    proposal that nothing more is needed on data protection as this is catered for in national laws, but what protection do these laws provide
    and do they vary?
  3. To introduce amendments to put in place all the recommendations from the European Data Protection Supervisor and the Article 29
    Working Party on data protection
  4. To review the critiques of NGOs and groups in civil society

The Council has taken four years to bring forward this proposal and still does not have its own agreed text. The European Parliament
should take all the time it needs to properly consider the measure for this is what the people of Europe expect - to ensure that these
powers are strictly limited in scope and that their rights to data protection and privacy are not endangered."

  1. Civil society letter to Members of the European Parliament on data retention proposals, from 21 NGOs
    2. Open letter on mandatory data retention with 170 signatories - 90 NGOs and 80 from industry, September 2004
    3. Privacy International
    4. EDRI: European Digital Rights
    5. Quintessenz
    6. The Register
    7. Data retention is no solution - petition signed by 54,998 individuals and 79 organisations
    8. Statewatch database search for "data retention"
    9. International Campaign Against Mass Surveillance (ICAMS) Report
    10. Dutch ISPs letter to the European Commission (pdf)
    11. The Information Technology Association of America (ITAA) comments on proposal (pdf)

for the general context see:

  1. While Europe sleeps - under the "war on terrorism" a veneer of democracy is legitimating the creation of a surveillance state
    12. There is no “balance” between security and civil liberties – just less of each
    13. Data retention comes to roost - telephone and internet privacy to be abolished (Statewatch News Online, April 2004)

 

Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error