Surveillance of telecommunications: Data retention to be "compulsory"
01 May 2002
- EU Council, Commission and European Parliament agree "deal" on surveillance;
- Draft Framework Decision to make data retention and access for surveillance by law enforcement agencies "compulsory" leaked to Statewatch - traffic data to be kept for 12 to 24 months
Even as the European Parliament was discussing and voting on fundamental changes to the 1997 EC Directive on privacy in telecommunications the Belgian government was drafting (and circulating for comment) a binding Framework Decision on the retention of traffic data and access for the law enforcement agencies.
When the European Commission proposed changes to the 1997 Directive in July 2000 this was simply to update it in an uncontroversial way. But this was immediately seen by the EU's law enforcement agencies as an opportunity to get access to telecommunications traffic data. Ever since the Council of the European Union adopted on 17 January 1995 the "Requirements" (to be placed on communications providers) drafted by the FBI the agencies have been calling for access to this data.
The EU's list of "Requirements" was extended last year and covers both "real-time" interception (following a communication or series of linked communications as they happen) and procedures to be followed when an interception order is issued by a judicial authority (or Minister).
The powers of the law enforcement agencies were therefore used in a targeted way, that is to say they had all the powers they needed to place under surveillance anyone or any group they suspected of committing an offence on condition that there was sufficient evidence to justify the issuing of an judicial order. Thus after 11 September the EU's agencies had all the powers they needed to track down suspected terrorists.
Under the guise of tackling "terrorism" the EU's Justice and Home Affairs Minister decided on 20 September 2001 that the law enforcement agencies needed to have access to all traffic data (phone-calls, mobile calls, e-mails, faxes and internet usage) for the purpose of criminal investigations in general.
What stood in the way was the 1997 EC Directive on privacy. This was the follow-up to the hard-won 1995 EC Directive on data protection, now law across the EU. The 1997 EC Directive said that the only purpose for which traffic data could be retained was for billing (ie: for the benefit of customers) and then it had to be erased. Law enforcement agencies could get access to the traffic data with a judicial order for a specific person/group.
The "deal" agreed between the Council (the 15 governments) and the European Parliament means that there are two crucial amendments: i) the obligation to erase data has been deleted and ii) EU member states are allowed to pass laws requiring communications providers to keep traffic data for a so-called limited period.
One of the arguments used to legitimise the move during the discussions in the European Parliament was that the change to the 1997 Directive simply enabled governments to adopt laws for data retention if national parliaments agreed. The document leaked to Statewatch shows that EU governments always intended to introduce an EC law to bind all member states to adopt data retention.
The draft Framework Decision says that data should be retained for 12 to 24 months in order for law enforcement agencies to have access to it. In theory the agencies will still need a judicial order to trawl back through the records of a targeted person(s) - though this legal nicety has never stopped the internal security agencies getting access in many countries.
When the measure was first mooted the European Commission and the European Parliament were firmly opposed. They backed the EU’s Data Protection Commissioners, the EU’s Article 29 Working Party on data protection and a host of civil society groups. The Commission caved-in last December and in the European Parliament the PSE (Socialist group) joined hands with the PPE (conservaitve group)