This article is also available in:
Deutsch: [Vorratsdaten: Zehn irreführende Behauptungen der Europäischen Kommission |]

The European Commission adopted its evaluation report on the Data Retention
Directive this week. In anticipation of the Commission to hide the numerous
failures of the Directive by omission and dissemblance, EDRi produced a
“shadow report” providing a more accurate assessment of the Directive, using
the Commission’s own methodology. The Commission lived down to our
expectations, with the report itself and the Commissioner’s press conference
producing an imaginative selection of misleading statements. The following
are ten of the most egregious examples:

1. The evaluation report shows value of “retained data”

In its implementation report and its press spin, the Commission made
repeated reference to the value of retained data for law enforcement
purposes. What it studiously avoided saying is that the vast majority of the
data used for law enforcement purposes do not rely on the Data Retention

2. The Madrid and London bombings showed the need for data retention

The Commission seeks to justify the excesses of the Directive by referring
to the terrorist attacks in Madrid and London. Retained data were indeed
useful in Madrid – but the data used were retained by operators for billing
purposes and, therefore, irrelevant to the data retention Directive.

3. “Data retention is a necessary measure”

The European Commission neither sought nor was provided with any evidence
that the extra data retained under the Data Retention Directive was either
necessary or useful. In the absence of any evidence, it is impossible for
the Commission to credibly make this statement.

4. “Industry needs data retention”

It is equally not necessary for the industry, which fought against the
measure prior to its adoption and has seen the range of rules and
obligations get more and more onerous and fragmented as the Commission has
lobbied for adoption of the Directive by the Member States. Why would the
industry need an instrument which creates rather than removes barriers?

5. The Constitutional Courts did not criticise data retention per se.

This is factually untrue in relation to Romania.

6. The Commission must take infringement proceedings against Member States
that have not implemented the Directive

It is remarkable that the Commission is acting vigorously against Member
States that have not implemented the Directive, yet has taken no measures –
and has threatened no measures – against Member States that have
implemented it incorrectly in ways which further undermine citizens’ rights.
Examples include countries that have been identified in the report that have
no process for deleting the data once it has exceeded the retention period.

7. The Directive was asked for by the Member States unanimously

Member States have never unanimously asked for a data retention Directive.
In fact, it was precisely because unanimity was not possible that the EU was
not able to adopt data retention as a security measure. As a result of that
failure of Member States to achieve unanimity, the Commission proposed a
Directive, to force Member States that do not believe that data retention is
necessary to impose it anyway.

8. There are no examples of abuses of retained data

The Commission’s document suggests that there are no examples of retained
data being abused. This is despite the fact that the Commission is aware of
at least two major abuses, namely:

– German telecommunications giant Deutsche Telekom illegally used
telecommunications traffic and location data to spy on about 60 individuals
including critical journalists, managers and union leaders in order to try
to find leaks. The company used its own data pool as well as that of a
domestic competitor and of a foreign company.

– In Poland retained telecommunications traffic and subscriber data was used
in 2005-2007 by two major intelligence agencies to illegally disclose
journalistic sources without any judicial control.

9. Some of the data retention is “permitted” by the E-Privacy Directive,
rendering analysis of the impact of the Data Retention Directive

This analysis is bizarre because the Commission itself made a statement when
the E-Privacy Directive was adopted saying that the E-Privacy Directive
“should neither prohibit nor approve any particular measure Member States
may deem necessary,” because a single market instrument could not place
limits on a third pillar (i.e. law enforcement) policy area. No retention
measure is therefore permitted by the E-Privacy Directive.

10. Data from 20 Member States shows an average of 148 000 requests per year
for retained data

Statistically correct, this statement by Commissioner Malmström omits to
mention that half of those requests were in one Member State, Poland, which
has implemented the Directive in a way which permits vast abuses of the data
being retained. Commissioner Malmström in her speech went on to say that “if
the data were not helpful, law enforcement authorities would presumably not
spend human and financial resources on requesting them in those numbers”.
She is either unaware or indifferent to the fact that they are not asking
for the data in those numbers – apart from Poland, they are asking for
vastly fewer data.

Commission statement on the E-Privacy Directive

Commissioner Malmström’s speech on the evaluation report – Data Retention
Directive – a valuable tool in fighting serious crime and terrorism, but in
need of improvement (18.04.2011)

Official data retention evaluation report (18.04.2011)

EDRi shadow data retention report (17.04.2011)

Commission faces battle on data retention (19.04.2011)

(Contribution by Joe McNamee – EDRi)