Renewed rejection of data retention by European institutions

By EDRi · October 5, 2005

On 12 October the Council of ministers of Justice and Home Affairs (JHA Council) will debate about data retention once again, both about the framework decision and about the directive proposal from the European Commission. In response to the final launch of the Commission proposal on 21 September, the UK Presidency of the EU announced it would wait for 2 months for the Commission and Parliament to agree with each other. Otherwise, it would use the last official JHA Council of 1 December 2005 to table the framework decision as an A-item (a decision item). In the last version of the Council proposal, dating from 3 October 2005, this position is described as: “The Presidency is strongly committed to reaching agreement on the substance of the proposal at the October 2005 JHA Council. The Presidency also holds the view that serious consideration will need to be given to the proposal for a Directive on data retention, which the Commission adopted on 21 September 2005.”

The European Parliament had a second vote on the proposed JHA framework decision on 27 September 2005. Similar to the massive majority with which the EP adopted the Alvaro report against data retention on 7 June 2005, the Parliament rejected the framework decision almost unanimously. A day before this important vote, the European Data Protection Supervisor (EDPS), Peter Hustinx presented his very critical opinion of the European Commission proposal.

Though he welcomed the proposal in principal as a more moderate and legally more decent way to approach the issue because it involves co-decision, the need remains unproved, in spite of the examples provided in the British paper. Referring to case law from the European Court of Human Rights, “the necessity and the proportionality of the obligation to retain data – in its full extent – have to be demonstrated.” Hustinx concludes “more safeguards are needed. A simple reference to the existing legal framework on data protection (in particular, the directives 95/46/EC and 2002/58/EC) is not sufficient.”

But once the EP accepts the proportionality, the EDPS suggests a lot of amendments to better limit the retention periods, the number of data and the kind of cases in which access is granted. By limiting the access to _specific_ serious criminal offences, routine access for “fishing operations” or for data mining activities can be excluded. During his strong speech to the LIBE committee of the European Parliament, Hustinx also demanded attention for the danger of data-mining by intelligence services. Though the European Union cannot control the access of security or intelligence services, he said, the issue should not remain invisible. The Commission should make sure member states take the necessary steps to regulate this kind of access.

Privacy International and European Digital Rights sent a long letter to the members of the European Parliament on 26 September, the day before the vote, urging them to keep all the earlier objections in mind that systematic data retention is very invasive, illegal, illusory and illegitimate. In the letter the Commission proposal is analysed in detail and compared with the draft JHA framework decision.

PI and EDRI conclude: “(Of course) the retention of communications traffic data may be of use in some investigations. This is true of any invasive collection and retention of any form of personal information, whether fingerprints, DNA, medical records, financial records, religious information, travel details, sexual preferences, etc. All of this information could be kept indefinitely to aid the police in investigations, and the data would likely be of some assistance. Therefore the European Parliament now faces a crucial decision. Is this the type of society we would like to live in? A society where all our actions are recorded, all of our interactions may be mapped, treating the use of communications infrastructures as criminal activity; just in case that it may be of use at some point in the future by countless agencies in innumerable countries around the world with minimal oversight and even weaker safeguards.”

The expected opinion of the Article 29 Working Party of data protection authorities on the Commission proposal has not been published yet. The DPAs started to work on this opinion at their annual conference in Montreux, but have found it difficult to find agreement. In an attempt to support the Working Party to reject data retention once more, PI and EDRI have sent another long analysis of the proposals to them as well. This second, not public briefing, analyses all the examples provided for the need and usefulness and comments on the legal landscape. Commenting on the demand of the EDPS to exclude any fishing operations, PI and EDRI say they are not optimistic on the likelihood of such regulations. “We are concerned that the policy of data retention is being sought as a harmonising measure even while the access to this data is being subject to national law and vague international rules of co-operation.”

Most recent version of the Council framework decision (03.10.2005)
http://www.statewatch.org/news/2005/oct/council-dataret-3-oct-05.pdf

EP rejects initiative on data retention (27.09.2005)
http://www.europarl.eu.int/news/expert/infopress_page/019-669-270-9-39-902-20050921IPR00560-27-09-2005-2005–true/default_en.htm

PI and EDRI letter to the European Parliament against data retention (26.09.2005)
http://www.edri.org/docs/retentionletterformeps.pdf

Opinion Peter Hustinx (26.90.2005)
http://www.edps.eu.int/legislation/Opinions_A/05-09-26_Opinion_data_retention_EN.pdf