EC adopts net and phone data retention proposal
Not law yet, though
The European Commission this week adopted a proposal for a Directive on the retention of communications traffic data that would see internet data held for six months, phone data held for one year, and ISPs and telcos compensated for their compliance costs.
But the proposal has tough competition: it needs the support of the European Parliament and Council of Ministers to become law – and the Council has its own plans for data retention, set out in a Framework Decision. The Council plan allows for data retention periods of up to three years and it could be adopted by the Council acting alone, without any debate in Parliament.
An earlier version of the draft Directive – an “Interservice Consultation” version – had been leaked to lobby group European Digital Rights (EDRi) in July. EDRi posted that version online (16-page/2.2MB PDF). The Commission's information on the new version appears to reflect that leaked version closely.
The Commission's proposal
The proposal provides for an EU-wide harmonisation of the obligations on providers of publicly available electronic communications, or a public telecommunications network, to retain data related to mobile and fixed telephony for a period of one year, and internet communication data, for six months.
The proposed Directive would not be applicable to the actual content of the communications. It also includes a provision ensuring that the service or network providers will be reimbursed for the demonstrated additional costs they will have.
Commission Vice President Franco Frattini, responsible for Justice, Freedom and Security, said: “This proposal is a very balanced and constructive one, which takes account of the fundamental rights to security, to a private life and protection of personal data, as well as different interests, in particular those of law enforcement authorities and communication providers.”
He pointed out that EU citizens expect the three EU institutions to work jointly on this sensitive but important issue and to form a united front in the fight against terrorism and organised crime.
He added: “I am dedicated to working on a co-decision basis with the European Parliament and the Member States in the Council, and in particular its UK Presidency, to try to reach an agreement on this issue before the end of this year – counter terrorism effectively requires that we have no time to loose.”
The proposal was developed in full agreement with Commissioner Viviane Reding, responsible for Information Society and Media.
“The Commission proposal now puts data retention rules on a sound legal basis, ensures the full co-decision of the European Parliament and limits the data retention periods to the extent absolutely necessary," she said. "In contrast to the text at present discussed in the Council, the Commission proposal in particular requires that all additional costs for the industry, which are proven to have been caused by data retention obligations under the new Directive, will have to be reimbursed.”
Law enforcement agencies can use communications traffic data to identify associations between persons and events by time and location. The tragic events of Madrid in March 2004 and London in July 2005 and the investigations that followed have driven the demand for data retention.
Squaring data retention with data protection
The Commission says its proposal balances the needs of security services with fundamental rights and applies "solid data protection rules".
To protect citizens’ fundamental rights and freedoms, and in particular their privacy and personal data, Community law currently provides for the deletion of traffic data once it is no longer needed for the purpose of the transmission of the communication. However, some may be kept and further processed by service and network providers for their own business purposes such as billing or with the consent of the consumers.
Beyond these business purposes, "public order" purposes can also be invoked to justify the further processing of traffic data. This is why public authorities in the Member States are in principle, if necessary and in accordance with applicable law, able to request access to traffic data stored by electronic communications operators.
Legitimate requests for the retention of specific data – otherwise called data preservation – are also allowed when necessary for specific purposes, such as investigations and prosecutions. Data preservation ensures the onward storage of specific data on specific users as from the date of the request.
However, with changes in business models and service offerings, such as the growth of flat rate tariffs, pre-paid and free electronic communications services, traffic data may not always be stored by all operators to the same extent as they were in recent years, depending on the services they offer. This trend is reinforced by recent offerings of Voice over Internet Protocol (VoIP) communication services, or even flat rate services for fixed telephone communications.
Under such arrangements, the operators would no longer have the need to store traffic data for billing purposes. If traffic data are not stored for billing or other business purposes, they will not be available for public authorities whenever there is a legitimate case to access the data.
In other words, the Commission considers that these developments are making it much harder for public authorities to fulfil their duties in preventing and combating crime and terrorism, and easier for criminals to communicate with each other without the fear that their communications data can be used by law enforcement authorities to thwart them.
The responses of Member States so far
To respond to this concern, a number of Member States have adopted, or plan to adopt, national general data retention measures. Compared to data preservation measures, which are targeted at specific users and for specific data, general data retention measures aim at requiring some or all operators to retain traffic data on all users so that they can be used for "public order" purposes when necessary and allowed.
The need to take legislative action in this area at the European level has been confirmed by the European Council in its Declaration on Combating Terrorism of 25 March 2004, adopted shortly after the tragic events in Madrid on 11 March.
In that Declaration the European Council explicitly recognises the importance of legislative measures on traffic data retention, through its instruction to the Council to examine measures in the area of “proposals for establishing rules on the retention of communications traffic data by service providers”.
The European Council Declaration continues to state that: “Priority should be given to proposals under the retention of communication traffic data ... with a view to adoption by June 2005”.
The priority attached to adopting an appropriate legal instrument on this subject was recently confirmed in the Conclusions of the European Council of 16 and 17 June, as well as at the special JHA Council meeting of 13 July 2005 following the London terrorist bombings.
The issue of retention of traffic data has initially been dealt with in a draft Framework Decision, submitted in April 2004 as an initiative of France, Ireland, Sweden and the UK – which is a so-called third pillar legal instrument. Issues of common security and defence policy can be decided under the third pillar – without the need for majority voting.
The data retention regimes introduced or planned by the Member States vary significantly in scope, their purposes, the data to be retained, the duration of the retention, the reimbursement possibilities and the conditions for access to the data.
There is at present therefore a patchwork of national data retention obligations in Member States, which can be summarised as follows:
- A majority (about 15 according to 2004 figures) of Member States at present do not have mandatory data retention obligations;
- In about half of the Member States with mandatory data retention obligations laws in place, data retention is not operational since implementing measures are still missing;
- In those Member States with data retention obligations in operation, the period (between three months and four years) and scope vary substantially e.g. just pre-paid mobile, not the internet, all services etc.
The current situation is therefore one which is unsatisfactory in terms of addressing the concerns voiced by the European Council, and in terms of addressing the consequences of the diverging measures adopted by Member States for the effectiveness of international law enforcement co-operation, as well as the consequences for telcos and ISPs, especially those who provide services in different Member States of the European Union.
The Commission’s position has been that the largest part of that Framework Decision – the part concerning obligations on providers to retain certain traffic data – should be adopted on a first pillar legal basis (learn more about the pillar structure). This position has also been adopted by the Legal Service of the Council and by the European Parliament.
How the Commission’s proposal differs from the Council’s text
The Commission says its proposal "has taken account to a significant extent of the work done by the Council on the draft Framework Decision, especially as far as the categories of data to be retained are concerned."
But it differs from the draft Framework Decision in a number of important areas:
- Unlike the draft Framework Decision, the draft Directive proposes harmonised retention periods of one year for fixed and mobile telephony data, and six months for IP based communication data. The Framework Decision sets a minimum term of retention for all data categories of one year, but allows for possible exceptions to this for periods between 6 and 48 months;
- Unlike the draft Framework Decision, the draft Directive foresees a provision which obliges the Member States to compensate the electronic communication services providers for additional costs incurred as a consequence of the retention obligation;
- Unlike the draft Framework Decision, the draft Directive foresees a Comitology procedure for amendments to the list of data to be retained, providing for the flexibility needed to ensure that the instrument stays up-to-date in a rapidly changing technological environment;
- Unlike the draft Framework Decision, the draft Directive foresees the collection of statistics on cases in which data was requested, as well as an evaluation of the instrument and its impacts, taking account of those statistics.
Neither the draft Framework Decision nor the draft Directive are applicable to the content of communications. Also, in both texts internet related data to be retained are limited to email and IP-telephony data – which means that no data on web pages visited will need to be retained.
The Comission's proposal will follow the co-decision procedure with full involvement of the European Parliament, and consultation of the Economic and Social Committee and the Committee of the Regions.
Copyright © 2005, OUT-LAW.com
OUT-LAW.COM is part of international law firm Pinsent Masons.
Sponsored: 2016 Cyberthreat defense report