Commission confirms illegality of Data Retention Directive

By EDRi · January 18, 2012

This article is also available in:
Deutsch: [Kommission bestätigt Widerrechtlichkeit der Vorratsdatenspeicherung | https://www.unwatched.org/EDRigram_10.1_Kommission_bestaetigt_Widerrechtlichkeit_der_Vorratsdatenspeicherung?pk_campaign=edri&pk_kwd=20120127]

The EDRi-member Quintessenz – Austria has published a leak of an
internal paper from the Commission intended to inform DAPIX, the
Council’s working party on information exchange and data protection, of
the results of the Commission’s consultation in April 2011 on the reform
of the Data Retention Directive (DRD). It raises a number of issues with
the Directive that the Commission wishes to tackle in order to cast it
in a better light. The Commission admits that “there is a continued
perception that there is little evidence at an EU and national level on
the value of data retention in terms of public security and criminal
justice, nor of what alternatives have been considered”. It then asks
at the end of the document: “What are the most effective ways of
demonstrating value of data retention in general and of the DRD itself?”

The origin of the “perception” that there is little evidence existing as
to the value of the Directive is shown by the Commission’s statement
that only 11 of 27 Member States have provided data that could be used
in order to highlight the added value of the Directive. Legal
uncertainties that have been overlooked during the drafting process of
the Directive are now posing a certain number of problems for the
Commission.

In the document, the Commission acknowledges for example the lack of a
“logical separation between data stored and then accessed for a)
business purposes, b) for purposes of combating ‘serious crime’ and c)
for purposes other than combating serious crime” and the lack of a
monitoring system showing “data (that) would not have been available to
law enforcement without mandatory retention”. The question of
distinguishing between data retained for business purposes from data
retained under the Directive is asked but left unanswered.

The Commission also states that unclear definitions in the DRD have led
to service providers storing instant messaging, chats and filesharing
details even though these types of data are outside the scope of the
Directive. It is often unclear to businesses in the telecommunications
sector which data should be stored. Law enforcement agencies have
apparently lobbied the Commission for a “technological neutrality” of
the Directive to ensure a broad “ability to know who communicated with
whom, when, where and how” – despite, it appears, being able to justify
the retention of the data already being stored.

Moreover, the paper repeats EDRi’s concern regarding the “serious crime”
limitation, which is not defined at EU level or in many Member States,
and regarding the lack of a clear limitation of the purposes for which
data is being retained. It states that there have been many demands for
the extension of the use of data to copyright infringements or for such
vaguely defined offenses as “hacking” and “urgent cases”. According to
the document, the Directive has also led to an unclear situation for
citizens due the absence of a procedure for reporting and redressing
data breaches and the absence of a monitoring system to know who
actually accessed the data.

Furthermore, the Commission states that, depending on the country, there
is no or only a very low reimbursement of storage costs, which leads to
a distortion of the free market. Especially the costs for small
businesses are being rated as “disproportionately high”. This also means
that countries having implemented the Directive will have an economic
interest and will pressure other countries into implementing data retention.

In order to justify limitations of fundamental rights, such as the right
to privacy and to data protection, measures must be necessary and
proportionate. The leaked document however shows that the Commission
can neither prove necessity nor proportionality of the Data
Retention Directive – but still wants to keep the Directive. Despite
unending implementation problems and proven failure of the current
Directive, the Commission is maintaining its pressure on Member States
that have not already implemented the Directive, to do so.

The Commission is currently examining the possibility amending the
Directive and is conducting a study on data preservation (“quick
freeze”) which is due for May 2012.

Leaked Commission document (15.12.2011)
http://quintessenz.org/d/000100011699

Commission’s DRD implementation report (18.04.2011)
http://ec.europa.eu/commission_2010-2014/malmstrom/archive/20110418_data_retention_evaluation_en.pdf

EDRi’s Shadow implementation report (17.04.2011)
http://www.edri.org/files/shadow_drd_report_110417.pdf

(Contribution by Kirsten Fiedler – EDRi)