This article is also available in:
Deutsch: [ENDitorial: Vorratsdatenspeicherung – den Mutigen gehört die Welt |]

Six years ago, as a result of pressure from the UK, the European Union
adopted the Data Retention Directive. The measure was intended to
harmonise the EU single market for telecommunications, requiring all EU
operators to retain data for the purposes of “investigation, detection
and prosecution of serious crime,” including terrorism. Member States
were placed under an obligation to produce statistical information about
the use of such data, with an evaluation report planned for September 2010.

None of the elements of that plan has been achieved: The evaluation
report which the Commission was legally obliged to produce by September
2010 was finally released in March 2011. Despite the fact that the legal
basis of the Directive is the creation of a “Single Market”, the report
produced a long list of examples of how the Directive has failed to
harmonise the single market – to the point of probably having created
new barriers. The report also shows that several EU Member States have
no definition of “serious crime”, meaning that the core safeguard
against disproportionate use of the data has no agreed meaning. Finally,
the report illustrates that the Member States have, with very few
exceptions, failed to live up to their obligation under the Directive to
provide statistical information.

In the context of the lamentable failure of the Directive, Commissioner
Cecilia Malmström has taken the only decision available to her. She has
decided to review the legislation and her services have recently
completed an “impact assessment” which details the various policy
options available to her. In order for a new proposal to become law, it
would need to be approved by a majority of Member States (based on a
complicated weighted voting system) and a majority in the European
Parliament. It is the mathematics of this process which makes the
Commissioner’s choice a very difficult political one.

Whatever solution is found also needs to deal realistically with the
fact that the “e-privacy Directive” (Article 15) recognises a right for
Member States to introduce data retention with very vague, unclear
safeguards. The uncertainty and confusion created by that provision
(also a UK initiative) was illustrated in the recent Bonnier Audio case
in the European Court of Justice (Case C-461/10). Even a full repeal of
the Data Retention Directive would not stop Member States from
exploiting that loophole to impose retention measures and maintaining
their confused, disproportionate and counterproductive domestic
legislation. The repeal of Article 15 of the E-Privacy Directive is
therefore the only logical policy – and internal Commission politics
(the e-Privacy Directive is not administered by Commissioner Malmström’s
services) should not stop this from happening.

Once that essential step has been taken, the Commission has four
options: it can do nothing, it can propose minor reforms that it knows
the Council will accept, it can propose major reforms or it can repeal the Directive.

Option 1: Do nothing

On 3 May 2009, Commissioner Malmström took a personal oath to uphold the
European Charter of Fundamental Rights. The Charter includes Article 52,
which says that restrictions on fundamental rights are only permissible
if they “necessary and genuinely meet objectives of general interest
recognised by the Union.” It is impossible to read the Commission’s
implementation report of the Directive and conclude that there is any
possibility that this requirement is currently being met. Doing nothing
also does not solve the problem that the Data Retention Directive is a
“single market Directive” that has not harmonised the single market and
cannot do so in its current form.

Option 2: Minor reforms

Similarly, proposing minor amendments would be expedient and is
definitely a politically attractive option. The Commission could propose
measures that it knows the Member States would accept, such as a small
reduction in the maximum retention period and some others, like
cost-reimbursement for operators, which the Member States would not
accept. The Commission would then have “clean hands” and could blame the
Member States for not accepting all of its “reforms”. This approach also
comes with considerable risks. In particular, the European Parliament is
somewhat unpredictable on this dossier. On the other hand, the UK, which
single-handedly pushed through the initial Directive, is now proposing
even more extreme measures, such as the creation of vast silos of
communications data – a 1.8 billion pound set of databases of
essentially every online interaction of every citizen. As a Liberal,
Commissioner Malmström would hardly like to be remembered as the
Commissioner whose legislative proposal has led to EU-wide surveillance
of a scale that would have shocked Orwell.

Option 3: Major reforms

While keeping data retention, the Commission could propose big
reductions in retention periods, to bring them approximately in line
with technically necessary retention of data (for billing and network
security purposes). The problem with this approach is that it would
generate huge opposition among the Member States in the Council. One of
the unwritten rules in the Council is that, if two large Member States
are opposed to a proposal, it is not even put to a vote. Currently,
three large Member States (UK, France, Italy) are vehemently opposed to
any significant reform. Despite the difficulty of the task, overturning
a big majority would however show leadership, show that the Commission
does respect the Charter of Fundamental Rights and show due deference to
the legal framework of the European Union more broadly. A strong
leadership from the Commission supporting fundamental rights stands a
good chance of support from the European Parliament, which would help
put pressure on the Member States.

Option 4: Repeal

All other things being equal (Ceteris paribus), getting enough political
support from the Council and the Parliament for a repeal of the
Directive faces as many barriers as a major reform. However, there is
now a referral of data retention to the European Court. The court has
already expressed concern about the legality of data retention. In the
Telefonica/Promusicae case, the Advocate General questioned whether “the
storage of traffic data of all users without any concrete suspicions –
laying in a stock, as it were – is compatible with fundamental rights”.

With the background of the ECJ referral, the failures of the Directive
to achieve its goals and the European Parliament’s long-standing
antipathy to the principle of Data Retention, existing doubts in the
European Court about the legality of data retention, a repeal is not as
extreme as it sounds. Solving the single market and predictability
problems created by a repeal of the Directive will be less challenging
than solving the single market and predictability problems created by
the continuing existence of the Directive.

In any event, one thing is clear, the easiest solutions for Commissioner
Malmström are the least defensible. Courage is needed.

(Contribution by Joe McNamee – EDRi)