EU: Revision of Data Retention Directive put on hold with "no precise timetable" for a new proposal


13.08.12 - Revision of the controversial EU Data Retention Directive - which requires the storage of internet and phone records for between six months and two years - has been put on hold by the European Commission. It is now seeking to establish a new data protection regime before revising the Data Retention Directive at the same time as a conflicting piece of legislation, the e-Privacy Directive.

An email sent to the members of EuroISPA ("The voice of the ISPs in Europe") at the beginning of July states that:

"After discussions at cabinet level between Commissioners Kroes and Malmström, the decision has been taken to postpone the revision of the Data Retention Directive to have it in parallel with the e-Privacy Directive." [1]

The reason for revising both pieces of legislation together is that Article 15(1) of the e-Privacy Directive permits "the retention of data for a limited period" if it is considered:

"A necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. state security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system." [2]

This needs to be reconciled with the Data Retention Directive, the purpose of which is retention of data for the investigation and prosecution of serious crime, "which is not defined at EU level or in many Member States." [3]

The opinion of the Commission, according to a spokesperson, is that:

"Any revision of the Data Retention Directive should ensure that retained data will be used exclusively for the purposes foreseen in this Directive, and not for other purposes as currently allowed by the e-Privacy Directive."

The EuroISPA email states that "a revision could be announced in 2013 or 2014, depending on the progress of the General Data Protection Regulation," which is currently the subject of discussion in the Council and the Parliament.

The Commission spokesperson also said that there was "no precise timetable for the Commission's proposal," but "preparations for that proposal continue, including on the impact assessment."

Impact assessment

The impact assessment alone has been causing a headache for the Commission. A paper issued at the end of 2011 on the "emerging themes and next steps" in reforming the Directive noted that "strong qualitative evidence of the value of historic communications data in specific cases of terrorism, serious crime and crimes using the internet or by telephone" had been received from only 11 of 27 Member States.

At a meeting of the Working Party on Terrorism on 12 March of this year, Member State delegations were informed of a letter sent by Commissioner Malmström to all Member States "with a request for reliable quantitative and qualitative data that would demonstrate the necessity of data retention for security purposes." [4]

The Commission repeated its call for evidence on 3 April 2012 at a meeting of the Article 36 Committee (known as CATS), and "also informed delegations about its plans for improving the 2006 Data Retention Directive, for which the impact assessment would soon be ready." [5]

It appears that in the course of the assessment it became apparent that revision of the e-Privacy Directive would also be necessary, and this was duly announced to the Parliament at a meeting of its LIBE Committee in early July. [6]

First, however, a new data protection package will need to be agreed by the Council and the Parliament, with Member States in the Council currently disagreeing on a number of elements. [7]

The rocky road to revision

It is clear that there are many problems with the Data Retention Directive: the European Data Protection Supervisor has called it "the most privacy invasive instrument ever adopted by the EU," [8] and there are serious issues regarding proportionality, legal precision, differing interpretation by telecommunications providers and national authorities, and the costs incurred by telecommunications providers.

Law enforcement authorities have complained of difficulties with "rapidly exchang[ing] telecom data and the unavailability of some types of telecom data," [9] although alleviating these concerns would almost certainly have further detrimental impacts upon individual privacy. This is well-illustrated by current debates in the UK over a proposed new telecommunications surveillance law which is intended to allow the more extensive surveillance of phone and internet usage. [10]

Yet despite all this, it seems that there is little appetite for reform amongst Member States. At a meeting of CATS on 24 May, "several Member States intervened" during a presentation by the Commission on reform of the Directive in order to:

"[E]xpress their qualms regarding any possible legislative proposal to amend the 2006 Directive and in particular the retention periods contained therein given the law enforcement need to access those data." [11]

This reflects comments made in January, the month after the Commission issued its paper on "emerging themes and next steps", at a meeting of the Parliament's LIBE Committee. Here, Commissioner Malmström informed MEPs "that there was no appetite for revision in the Council." [12]

History of controversy

The Data Retention Directive (2006/24/EC) obliges telecommunications providers in EU Member States to store numerous types of information that allow the authorities "to retrace telephone and internet behaviour of all persons in the EU whenever they use telephone or internet up to a period of two years," [13] and has been widely criticised, with a number of Member States attempting to delay or halt its transposition into national law.

At the end of May this year, it was announced that the European Commission was to take Germany to court for failing to introduce new legislation, which was rejected by the country's constitutional court in March 2010. [14]

Legal problems and challenges have also arisen in Austria, Bulgaria, the Czech Republic, Hungary, Ireland, Romania and Sweden, although many of these states have now transposed the law.

In March the Swedish parliament voted through a data retention law in the face of possible legal action by the European Commission, with one dissenting parliamentarian saying that "the need for, and the benefits of, the directive do not compensate for the invasion of privacy." [15]

The transposition of the law in Ireland saw a legal challenge brought by the group Digital Rights Ireland. [16] The case is ongoing, with the Council recently invited to submit its observations on whether elements of the Data Retention Directive are compatible with fundamental rights and various other aspects of EU law. [17]

Previous Statewatch coverage and further reading

- Statewatch News Online: Commission still seeking proof of the necessity of mandatory data retention (20 January 2012)
- Statewatch Analysis: Mandatory data retention: update and developments (pdf)
- Statewatch Observatory: The surveillance of telecommunications in the EU (2004-present)

Sources

[1] 'Data Retention Directive reform delayed by a year', LINX Public Affairs, 10 July 2012
[2] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)
[3] European Commission, 'Consultation on reform of Data Retention Directive: emerging themes and next steps', 15 December 2011, p.4
[4] Working Party on Terrorism, 'Summary of discussions', 15 March 2012, p.3
[5] CATS, 'Outcome of proceedings of CATS on 3 April 2012', 18 April 2012, p.3
[6] 'Summary record of the meeting of the LIBE Committee, held in Brussels on 9 and 10 July 2012', 12 July 2012, p.2
[7] 'National concerns over the proposed EU Data Protection Regulation', Infosecurity, 6 August 2012
[8] European Data Protection Supervisor, 'The moment of truth for the Data Retention Directive', 3 December 2010, p.1
[9] CATS, 'Outcome of proceedings of CATS on 24 May 2012', 27 July 2012, p.3
[10] Privacy International, 'CCDP'
[11] CATS, 'Outcome of proceedings of CATS on 24 May 2012', 27 July 2012, p.3
[12] 'Summary record of the meeting of the LIBE Committee on 23, 25 and 26 January 2012', 31 January 2012, p.8
[13] 'Opinion of the European Data Protection Supervisor on the Evaluation report from the Commission to the Council and the European Parliament on the Data Retention Directive', 31 May 2011
[14] 'EU to take hard line on German resistance to data storage', Reuters, 29 May 2012
[15] 'Swedish parliament passes controversial data storage bill', EUbusiness, 21 March 2012
[16] 'High Court decision on our data retention challenge', Digital Rights Ireland, 5 May 2010
[17] 'Case before the Court of Justice of the European Union C-293/12', 20 July 2012
