Data Protection or Data Retention?

(This article was originally published in the iTech Supplement of the Times of Malta in February 2003)

With the many uncertainties on the possible introduction of a Framework Decision on data retention in telecommunications is the EU transforming itself into Big Brother?

The European Data Protection Commissioners showed their disagreement to a possible EU Framework Decision on the retention of telecommunications data for access by law enforcement agencies in a statement full of strong words. Copy of the proposal was leaked to Statewatch, a British based civil liberties group, in August 2002 but the EU denied that any work had been done on this Framework Decision.

In the meantime, in November 2002, the European Council dispatched a questionnaire on traffic data retention asking Member States their opinion on the possibility of harmonising data retention at the European level. The answers received by the Member States varied. While Denmark held that it can support a European Instrument, Greece, Ireland, Italy, Luxembourg, Spain, Portugal, the UK and Sweden warmly supported the idea, with Belgium declaring to contemplate a European Framework Decision proposal. The leaked proposal was in fact a Belgian unofficial proposal for European data retention.

In relation to the questionnaire, Finland also proposed to set a two years period for mandatory retention while France stated that data retention would now be authorised after the adoption of Directive 2002/58/EC. The only delegations expressing some uncertainties were Austria and Germany.

Law enforcement agencies have for long advocated in favor of the adoption of data retention. These requirements would compel communications service providers to capture and archive traffic data information detailing the telephone calls, mobile calls, e-mail messages and other forms of communications of their users.

On May 30, 2002, the European Parliament voted on a Directive on Privacy and Electronic Communications (Directive 2002/58/EC) that leaves each Member States free to adopt laws authorizing data retention. EU countries have until October 31, 2003 to implement the Directive. The Maltese legilator has already issued Legal Notices 16 and 19 in January of this year which will introduce regulations reflecting Driective 2002/58/EC. Some of the member countries, such as Spain, France and the United Kingdom, have already provided for the retention of electronic communications data.

In August 2002, Statewatch claimed that the EU was currently considering detailed proposals drawn up by Belgium that would force telecoms firms to hang on to traffic data for a year or more, adding that these rules were going to be compulsory for all member states.

Statewatch held that this draft Framework Decision lays down that data should be retained for 12 to 24 months in order for law enforcement agencies to have access to it. In theory, the agencies will still need a judicial order to search through the records of a selected individual.

Fears that the proposed Framework Decision will be followed by other measures that would allow law enforcement agencies access to the content as well as the traffic data of communications started to ignite. The data to be retained would include information identifying the source, destination, and time of a communication, as well as the personal details of the subscriber to any communication device.

The Danish presidency of the EU immediately denied these allegations to launch proposals to store records of private e-mails, faxes and phone calls. In its statement it held that so far the EU was only consulting member states on how to harmonise their rules on data retention and that in-depth guidelines were not being discussed at this stage, referring to a consultation document.

The consultation document that was issued in June last year urged member states to approve measure allowing EU countries to harmonise their rules on the obligations of telecommunications companies to retain data. It was also emphasized that such regulation must be established in compliance with European privacy conventions and the EU data protection directive.

Meanwhile, during a conference held last September, the Data Protection Commissioners of the Member States expressed their doubt as to the legitimacy and legality of the broadness of the measures proposed to be introduced by the Framework Decision, stating that data retention should only be allowed on a case-by-case basis and subject to strict conditions. They also maintained that the proposed Framework Decision would be an improper invasion of the fundamental rights guaranteed by Article 8 of the European Convention on Human Rights.

In the statement, the European Data Protection Commissioners drew attention to the excessive costs that would be involved for the telecommunication and internet industry with the introduction of these extreme data retention measures. It was also pointed out that these measures are absent in the United States.

The Data Protection Commissioners continued that where traffic data is to be retained in specific cases, there must be a demonstrable need, the period of retention must be as short as possible and the practice must be clearly regulated by law, in a way that provides sufficient safeguards against unlawful access and any other abuse.

The Data Protection Commissioners concluded that systematic retention of all kinds of traffic data for a period of one year or more would be clearly disproportionate and therefore unacceptable in any case.

It was over a year a go that the EU's Justice and Home Affairs decided that the law enforcement agencies needed to have access to all traffic data for the purpose of criminal investigations in general. Traffic data includes phone-calls, mobile calls, e-mails, faxes and Internet usage.

From then onwards it has been a constant ping-pong between the EU authorities and civil liberties groups.

Statewatch claims that one of the arguments used to legitimise was that the change in the 1997 Directive on privacy in telecommunications simply enabled governments to adopt laws for data retention if national parliaments agreed. Statewatch holds that from a document that leaked to them it can be shown that EU governments always intended to introduce an EC law to bind all member states to adopt data retention.

The EU is defending its current effort for the introduction of data retention with insisting that these powers are necessary for law enforcement agencies to combat serious crime, added Statewatch. The data envisaged to be retained includes the source, destination and time of all messages but not the actual contents.

Under the current revised EU Directive on privacy in telecommunications, ISPs can retain data for billing purposes, after which it must be destroyed. However, if a person or group is suspected of criminal activity, law enforcement agencies can get access to their data traffic with a judicial order. After lengthy and explicit debates, it was agreed that the retention of traffic data for purposes of law enforcement should meet strict conditions under Article 15(1) of the Directive, that is in each case only for a limited period and where necessary, appropriate and proportionate in a democratic society.

The 21st January 2003 saw the presentation of a Recommendation to the European Council by a number or European Parliamentarians, amongst which are Marco Cappato, European Parliament Rapporteur on privacy in the electronic communications, as well as four other former shadow rapporteurs. In a letter to present the initiative, Marco Cappato stated that whilst many people are now asking for data retention to become not only possible but obligatory, he has invited the Council to take action against this potential development.

The new recommendation against data retention recalls once more, as stated by the Data Protection Commissioners, that broad measures providing for mandatory systematic preventive retention of traffic and location data concerning citizen's electronic communications for law enforcement purposes are a violation of the European convention of Human Rights and its jurisprudence, and are consequently contrary to the relevant EU data protection directives.

In his letter, Cappato continued that the general retention of traffic data concerning all communications and electronic transactions by all citizens for the sole purpose of providing law enforcement authorities with material for investigations would seriously risk to undermine the very democracy it claims to defend. Cappato believes that less privacy invasive measures such as onward preservation of traffic data in specific cases are already available and more suitable to achieve the objectives pursued.

In the new Recommendation it is being advocated that the access by law enforcement authorities to data preserved shall at least: (i) require judicial approval based upon the showing of a demonstrable need and the respect of a high level of probativeness; (ii) be strictly limited to those purposes for which the EU law and the ECHR allow exceptions to the principle of confidentiality of communications; (iii) be specific to a transaction or subscriber or user.

Whilst the EU is still denying allegations that a Framework Decision on data retention is being drafted, it has to be seen whether in the near future such proposals will actually concretize, albeit the strong criticisms against their introduction.