Feeds

Brussels tables data retention law

All your data are belong to us

  • alert
  • submit to reddit

Boost IT visibility and business value

The European Council has quietly proposed pan-European data retention laws that will require communications service providers to keep user data for a minimum of a year, and possibly indefinitely.

The draft framework will apply to data generated by an exhaustive list of comms architectures and protocols: phone, text, MMS, email, Voice over IP, and Web communications among them.

It has been rather hastily published in line with the European Council declaration that followed the bombings in Madrid. In this declaration, the Council said it would bring forward the debate around data retention. The fact that this document surfaced so quickly suggests, some say, that it has been floating around for some time.

The draft is very broad in its scope, and very loose in its definitions, which may sound familiar. The stated aim is not to store content, just the data generated by the flow of traffic, and its associated user information. However, as Joe McNamee of lobbying group Political Intelligence points out, at no point does this draft specify exactly what consitutes content, and what constitues traffic data.

Broad and loose

Consider article 2.3, part(c). This states that service providers will be required to retain FTP logs. Are these content, or traffic data? This question needs to be resolved, especially as (in article 2.4) the draft makes the provision that it will cover all future communications technologies too.

It is also noticeably imprecise about how long the information must be kept for: article 4.1 provides a time bracket of between 12 and 36 months, but goes on to say that it may be kept for longer if the member state feel it is neccessary.

Draconian, you might think. Bound to get the civil libertarians up in arms? But wait: 4.2 contains the get-out clause. It says that any member state can derogate from 4.1 (i.e. ditch it), should they feel it is unacceptable.

"Sometime the most effective thing you can do, politically, is not be rigid," McNamee says. "This clause is very clever. It gives a perfect counter-argument to any criticism without actually backing down: the Council can always argue that it is not forcing the legislation on any of its member states, even though it is extremely unlikely that any will actually take advantage of the option."

In the covering letter, the writers explain that although this kind of retention of data may constitute an "interference in the private life of an individual", this doesn't violate European law, provided the interference is "appropriate and strictly proportionate".

Is it legal?

It is interesting, then, that 18 months ago both Ireland and Sweden said they had no problems (see question five in the link) that would be solved by tighter laws on data retention.

This raises a fundamental question about this proposal: is it legal? Is it possible to reconcile the proposed data retention requirements with the fact that two of the countries putting the draft forward say they have no need for such laws? How can legalising interference in a person's private life be judged appropriate or proportionate by either Ireland or Sweden?

This isn't just a question of nosy politicians snooping on the citizens they are supposed to be representing. It has implications for businesses too. The costs of complying with any resulting legislation will almost certainly be passed to the service providers, for instance.

It is a wide range of data that companies will need to store,and they will need to store it very safely, or they will fall foul of other legislation. In the UK, we are already struggling to implement data protections laws properly, for example. This will certainly add to the confusion, as keeping data you don't need to keep is strictly an abuse under the Data Protection Act (DPA). But not keeping it will mean you violate the data retention laws.

But what of those innocent citizens whose digital movements will be tracked? Everything you do online must be recorded: that means that FTP logs about images you download, even in a spam email, are kept on a database somewhere. "If I was Joe Public, I don't think that would make me feel very secure," McNamee concludes. ®

Related stories

US defends cybercrime treaty
French ISPs to carry the can for dodgy content
UK firms must monitor staff IMs
EC: implement e-privacy directive or else
Govt restricts access to snooping powers
Net snooping to cost UK taxpayers £100m+. A year

The Essential Guide to IT Transformation

More from The Register

next story
iPad? More like iFAD: We reveal why Apple fell into IBM's arms
But never fear fanbois, you're still lapping up iPhones, Macs
Sonos AXES support for Apple's iOS4 and 5
Want to use your iThing? You can't - it's too old
Philip K Dick 'Nazi alternate reality' story to be made into TV series
Amazon Studios, Ridley Scott firm to produce The Man in the High Castle
You! Pirate! Stop pirating, or we shall admonish you politely. Repeatedly, if necessary
And we shall go about telling people you smell. No, not really
Too many IT conferences to cover? MICROSOFT to the RESCUE!
Yet more word of cuts emerges from Redmond
Joe Average isn't worth $10 a year to Mark Zuckerberg
The Social Network deflates the PC resurgence with mobile-only usage prediction
Chips are down at Broadcom: Thousands of workers laid off
Cellphone baseband device biz shuttered
Feel free to BONK on the TUBE, says Transport for London
Plus: Almost NOBODY uses pay-by-bonk on buses - Visa
Amazon says Hachette should lower ebook prices, pay authors more
Oh yeah ... and a 30% cut for Amazon to seal the deal
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.