• Home /
• Statewatch Database /
• EU: Mandatory retention of communications data: update and developments, by Chris Jones

EU: Mandatory retention of communications data: update and developments, by Chris Jones

01 April 2011

Opposition mounts in Member States and the Council of the European Union decides that in its defence head-lines stories should replace the provision of reliable statistics.

The Directive requires service provider to keep communications data concerning: phone-calls, faxes, mobile phone calls (including location) and internet usage – it should be noted that the monitoring of internet usage also reveals the content.

This highly controversial legislation was passed in 2006, its path cleared by the terrorist attacks in London and Madrid. Both these occasions provided the Council with the opportunity to introduce EU-wide data retention measures.[1] Within the structures of the European Union and its Member States, there is a significant history of law enforcement agencies and their political allies attempting to obtain increased access to the telecommunications data of individuals.[2]

Perhaps the most well-known comment on the Data Retention Directive is that of the European Data Protection Supervisor, who referred to it as “the most privacy invasive instrument ever adopted by the EU in terms of scale and the number of people it affects.”[3] This statement reinforced the arguments made by numerous civil society organisations, individuals and politicians.

It is because of the highly invasive nature of the surveillance and monitoring permitted by mandatory data retention that the directive was annulled or suspended by court decisions in several Member States. This has happened in Bulgaria, the Czech Republic, Germany and Romania. Sweden has yet to implement the provisions, and its government’s recent decision to postpone implementation for another year puts the administration at risk of being fined up to €68 million by the European Commission. Austria also refused to implement the directive, but after facing the Commission at the Court of Justice in 2010 it has now done so.[4] The Belgian transposition of the legislation is ongoing. A case brought by Digital Rights Ireland against the directive is waiting to be heard before the European Court of Justice.

Opposition in Member States

National controversy over the directive has arisen more recently in the Netherlands, where the Dutch Senate approved in July a shortening of the retention period to six months. At the same time, the Senate published its correspondence with the Dutch Minister of Security and Justice on the topic of April’s evaluation report on the directive. The Senate considered the evaluation “unsatisfying”, “unconvincing” and “disappointing”. Noting that the evaluation fails to demonstrate the necessity and proportionality of the retention measures, the Senate asked the Minister explicitly whether the Directive should be withdrawn. The Senate noted furthermore that it was possible for law enforcement bodies to obtain traffic data before the implementation of Directive 2006/24/EC, and thus its blanket retention is both unnecessary and unjustifiable.[5]

In Germany the suspension of the law implementing the Directive has come under fire from a number of conservative MPs, who would like to see “unrestricted data storage”. Citing the terrorist attacks in Norway, they argue for the lifting of the ban on data retention as proposed by the EU. Opposing this are MPs who are in favour of a more restricted storage of data. Members of the Free Democratic Party would like to see the storage only of telephone and internet data of “suspects in crime and terror investigations.”[6] However, the idea that data retention and greater surveillance of telecommunications will help in the “fight against terrorism” is persistent, and seems to be resonating across Europe. The situation in Norway and the failure of police and security services to prevent the attacks has given rise to a number of arguments for enhanced surveillance of the internet.[7]

At the EU level, there remains a significant lobby opposing any comprehensive re-thinking of how data retention should work, or whether it is necessary at all. A number of Member States are strongly in favour of retaining the Directive as it stands – a recent leaked paper drafted by France, Ireland and the UK states that data retention “has played a key role in maintaining public security throughout Europe.”[8] The paper attempts to justify current data retention legislation on numerous grounds, not least through recounting tales of specific cases where retained data has been successfully utilised. Yet it may have been entirely possible to solve these cases without mandatory, blanket retention of all telecommunications information by targeting suspects. Alternative options include a process known as “quick-freeze”, whereby law enforcement bodies are able to ensure the retention of specific telecommunications data after an investigation has begun. Those in favour of blanket data retention are quick to dismiss less intrusive options, but a study by the German Parliament “found no practical effects of data retention on crime clearance rates in EU Member States.”[9]

Forget statistics, rely on head-line stories

The differences between Member States were reflected at a recent meeting of the Working Party on Data Protection and Information Exchange.[10] Following a presentation by the European Data Protection Supervisor on the Commission’s evaluation, a number of Member States “intervened to express their support for the Data Retention Directive, which, in their view, was a necessary instrument in order to effectively combat “serious crime.” Other Member States were “less positive” about the Directive, noting the data protection concerns around the legislation, as well as “the lack of comparable data” available to demonstrate the usefulness of retention.

This lack of data may well lead to a minor change of tack in the arguments of those in favour of continued blanket retention. Those wanting to maintain the Directive noted that it is difficult “to provide legal evidence of the necessity/indispensability of traffic data”. With this in mind, certain delegations pointed out that:

[T]he necessity to store such data could not be argued on the basis of statistical data… the gravity of the offences investigated thanks to traffic data, rather than the mere number of cases in which traffic data were used should receive due attention. Quantitative analysis should be complemented with qualitative assessment.

In other words, prosecutions for particularly serious crimes in which retained data has been used as evidence will be highlighted, in order to try to convince people of the necessity of an instrument of mass surveillance. It remains to be seen whether the original Directive will be amended or repealed in order to better respect the rights to privacy and data protection provided by Articles 7 and 8 of the European Charter of Fundamental Rights, and the right to privacy outlined in Article 8 of the European Convention on Human Rights. The issue remains on the 18 month programme of the Council, running from 1 July 2011 to 31 December 2012. It is interesting to note that despite a previous Court of Justice ruling that declared provisions relating to the single market were the correct legislative basis for the Data Retention Directive, it is filed under the heading “Internal Security” in the work programme. Moves by legislatures across the globe to introduce various forms of data retention may provide a basis for those in favour of the current arrangement to further argue their point.[11] The challenge for those opposed is to mount a campaign strong enough to overcome these entrenched institutional arguments.

Footnotes

1. European Council, Declaration on Combating Terrorism, 25 March 2004; Declaration on the EU response to the London Bombings, 13 July 2005

2. Statewatch News Online, Europol document confirms that the EU plans a “common law enforcement viewpoint on data retention”, May 2002

3. European Data Protection Supervisor, The “moment of truth” for the Data Retention Directive: EDPS demands clear evidence of necessity, 3 December 2010

4. Jan Libbenga, Sweden postpones EU data retention directive, faces court, fines, The Register, 18 March 2011

5. European Digital Rights Initiative, Dutch Senate “Disappointed” With Data Retention Directive Evaluation, 13 July 2011

6. John Stonestreet, German MPs pressure minister on data retention, Forex Yard, 7 July 2011

7. Cyrus Farivar, More online surveillance needed, officials in Europe say, Deutsche Welle, 26 July 2011

8. France, Ireland and the United Kingdom, The Data Retention Directive 2006/24/EC, p.1

9. European Digital Rights, Shadow evaluation report on the Data Retention Directive (2006/24/EC), 17 April 2011, p.7; see also Matthew J. Schwartz, ISP Data Retention Doesn’t Aid Crime Prosecution, Information Week, January 28 2011

10. Working Party on Data Protection and Information Exchange, Summary of discussions, 30 May 2011

11. For example, Australia is currently attempting to implement stringent data protection provisions: see Michael Lee, Data retention not a month’s work: Telstra, ZDNet, 1 August 2011; in the US, proposals for data retention have been strongly opposed but legislation was recently passed: Declan McCullagh, US House panel approves ISP data retention bill, ZDNet, 29 July 2011