Statewatch News Online: EU: Mandatory data retention - the shifting sands of compromise

There are some significant shifts in the parliament's "compromise amendments" between those of 14 November and 17 November:

1. (Article 3 para 2) Where the earlier draft said the retained data should only be provided through a "push system, in specific cases", ie: law enforcement agencies (LEAs) would have to request data in specific cases which would be located and handed over by the service providers rather than a "pull system" under which the LEAs would have direct access to look for whatever they want.

This has been deleted and replaced by, data to be provided "following the approval of the judicial authorities in specific cases". This amendment is included in the final text it would have the same effect as the earlier version.

The inclusion of this amendment is essential as without it the LEAs would effectively be "self-regulating" - and the example from the UK where LEAs have unfettered access to a service provider would become the norm, see: Data retention and police access in the UK - a warning for Europe

2. (Article 3a new, k in 17.11.05) The new version says that data can be forwarded to:

"third countries, or other third parties only under special circumstances"

What "special circumstances" mean is utterly unclear.

3. (Article 9) This article on the provision of statistics has a significant deletion in the 17.11.05 amendments: "including intelligence and security services" has been deleted.

The Council's position

Following the first "trialogue" (Council, Commission and European Parliament) meeting on 15 November a Council report from the UK Presidency (doc no: 14328/05) The next "trialogue" meeting is on 22 November. The report to COREPER (committee of permanent representatives of each EU government, based in Brussels) asks how much "flexibility exists within the Council". It sets out 11 areas where the European Parliament's amendments require changes to the draft Directive from the Commission. These are:

"1. Data should be retained for the purpose of investigation, detection and prosecution of serious criminal offences, where "serious criminal offences" would be defined by way of reference to the offences listed in Article 2(2) of the Framework Decision on the European Arrest Warrant, and not for prevention purposes.
2. The list of data should be shifted from the Annex to the body of the text of the draft Directive and the references to comitology procedures should be deleted.
3. The draft Directive would replace Article 15(1) of Directive 2002/58/EC with the effect that the list of data in the draft Directive would be a "maximum list" and that Member States could not provide, on a national basis, for the retention of other data.
4. Location data should be limited to data at the start of a communication.
5. The list of data should, concerning Internet data, be limited to log-on and log-off data (i.e. the IP address).
6. Data on unsuccessful call attempts should not be included, but Member States should have the possibility to provide for their retention on the basis of national legislation.
7. The draft Directive should contain detailed provisions on access to the retained data, including provisions to the effect that: access should only be allowed where undertaken for the purpose of investigating, detecting or prosecuting a serious offence by a competent national authority; that the data should be accessed by way of a "push system"; that the authorisation by a competent national authority was required; that the access by other government bodies or other parties should be prohibited; and that data-mining should be prohibited.
8. It was essential to include detailed provisions on data security and data protection and that (criminal) sanctions for their infringements should be introduced.
9. The retention period should be between 6 months and 12 months - whether these periods should be understood as a minimum and a maximum period for all data covered by the draft Directive or whether there should be different retention periods depending on the categories of data (Internet data, telephone data) needed to be discussed further.
10. All additional costs (investment and operating costs) incurred by providers, including the costs for additional data protection and data security measures, should be reimbursed by Member States.
11. The obligation to collect statistics proposed by the Commission should be extended and serve as a basis for revision of the draft Directive. A "sunset clause" should provide for the expiry of the draft Directive after a specified period unless its continuation was agreed by co-decision with the EP."

The Council report suggest minor additions on data security and national supervisory authorities (point 8 above). It also suggests accepting the Commission's proposal on the collection of statistics - which does not go as far as those proposed by the European Parliament.

On the major issue concerning the control of access by law enforcement agencies to the retained data the report:

"notes the Council's view that access was best regulated at national level"

This position of doing nothing on controlling access to the retained data is quite unacceptable. First, it should be noted that there was meant to be a separate proposal on the table from the Commission for a Framework Decision on the issue - this relates back to the legal basis of the Council original proposal which was adjudged highly likely to be challenged in court because of the different legal basis (ie: the mandatory retention of data comes under the TEC and rules of access under the TEU). Second, there is no report or study on exactly what are the "national" rules on access and how they differ. Third, the Council and Commission's argument for the proposal is to "harmonise" the rules for the retention of data so that the same ones apply across the EU - by the same logic the same rules of access, judicial authorisation and of protection for privacy should also be "harmonised".

For full background documentation see: Statewatch's Observatory on the surveillance of telecommunications in the EU

Filed 20 November 2005