Open Letter on data retention to the European Parliament
‘=>PDF version of this letter in English.
=>Voir la version Francaise sur le site d’IRIS. Également disponible en PDF.
=>Dieser Brief auf Deutsch. Auch in PDF
=>Esta Carta en Espanol.
To the presidents of the political groups in the European Parliament
Monday 6 June 2005
We kindly request your attention on the matter of the plenary vote (scheduled for 7 June 2005) on the report from LIBE rapporteur Alexander Alvaro on mandatory data retention, nr. 2004/0813(CNS). We are appealing to you on behalf of European Digital Rights, a not-for-profit association of 17 digital civil rights organisations from 11 European countries, Privacy International, an international non-governmental organisation with members in over 30 countries and Statewatch, an organisation that monitors civil liberties in Europe with correspondents in 14 European countries.
Communications data retention is a policy that significantly expands powers of surveillance in an unprecedented manner. It simultaneously revokes many of safeguards in European human rights instruments, such as the Data Protection Directives and the European Convention on Human Rights.
As we expressed to the European Commission in September 2004, in a statement that was endorsed by 200 organisations from the private sector and civil society:
- Data retention is an invasive tool that interferes with the private lives of everyone in Europe
- Retaining personal data on everyone is an illegal practice in terms of Article 8 of the European Convention on Human Rights as it is disproportionate
- Security gained from retention may be illusory, as it is likely that traffic data that is associated to one individual may actually be linked to activity taken by another, or by a process that is unrelated to the activities of that user.
- The means through which this policy is being pursued is illegitimate, as some member states who have failed to pass this policy through their own Parliaments are now trying to push it through the EU instead in the name of harmonisation and international cooperation.
Such a regime is likely to have costly repercussions on the delivery of telecommunications products and services within Europe. This will not only place European industry at a disadvantage, it will also likely lead to increased costs for consumers, and reduced growth in a sector that is essential to the advancement of the European economy and society.
Therefore we endorse the report from the LIBE rapporteur. No research has been conducted anywhere in Europe into the need and necessity of creating such a large-scale database containing such sensitive data on the 450 million people in Europe. We also agree with the rapporteur that the measure is ineffective and does not comply with the fundamental principle of the presumption of innocence.
The Justice and Home Affairs Council has continuously rejected consideration of less privacy-invasive means to combat crime, such as through the preservation of specific data on individuals of interest. Rather, the Council constantly widens the scope of the retention. For instance, the very purpose of retention and access to this data began as a project to ‘the fight against terrorism’, though it soon thereafter expanded to ‘terrorism and serious crime’. It did not take long for the Council to widen it further to ‘terrorism and crime’, only to change it finally to ‘criminal offences’. This widening of the scope without any evidence regarding value of this policy to law enforcement raises serious doubts about the possibility of ever being able to meet a proportionality test.
But perhaps most offensive is that the draft Framework decision completely lacks a legal basis in the third pillar. The JHA Council seems resigned to ignore all the serious legal protests about the grave effects of the decision on the internal market. As stated by the European Commission on 22 March 2005, as confirmed by the JURI commission in their advice to LIBE on 31 March 2005 and finally as confirmed by the legal service of the Council itself on 5 April 2005, only the European Commission can propose such a possible measure, with full co-decision rights for the Parliament, in a full democratic procedure.
This has not prevented the Presidency of the JHA Council from issuing a triumphant press release on 2 June 2005 that
“All the Member States agree on the necessity for a data retention instrument to prevent and effectively control certain types of organised crime.”
The press release also notes that a majority of ministers have agreed to base the framework decision on Title VI of the European Union Treaty articles 31 and 34, i.e. in the third pillar. While the European Commission has already announced that it will come up with a proposal for a directive, the ministers of Justice and Home Affairs refuse to give up on the framework decision, in complete disrespect of the European Parliament, the European Commission and several national parliaments that have expressively forbidden their governments to agree on any policy on data retention.
We would like to draw to your attention that only 2 of the 25 EU member states currently have mandatory data retention in place, and only for telephony: Italy and Ireland (the latter only since late February 2005). Some other member states (Belgium, Denmark, France and Spain) have adopted general framework legislation that enables the introduction of a data retention regime. However, none of these countries have implemented their laws, mostly due to strong resistance from industry and civil society. In the United Kingdom, one of the countries pushing this policy, the government has only sought a voluntary retention scheme, negotiated in detail with industry.
For an in-depth analysis of the legality, legitimacy, effectiveness and proportionality we kindly point you to the extensive legal and technological analysis conducted by Privacy International and European Digital Rights. We also recommend Statewatch’s analysis of the Legal Opinions of the Commission and the Council , and the Opinion 9/2004 of the committee of European data protection commissioners on the illegality of retention under Article 8 of the European Convention on Human Rights.
As civil liberties organisations with experience and expertise in technology policy, we are deeply concerned about the ill-thought consequences of this policy proposal. Therefore we hope you will adopt the report by Alexander Alvaro as a first step to start a serious democratic debate.
European Digital Rights
And the members of European Digital Rights, in alphabetical order:
*Association Electronique Libre (AEL) – Belgium
*Bits of Freedom – Netherlands
* Campaign for Digital Rights (CDR) – United Kingdom
*Chaos Computer Club (CCC e.V.) – Germany
*CPSR-ES – Spain
*Digital Rights – Denmark
*Electronic Frontier Finland (EFFI) – Finland
*Förderverein Informationstechnik und Gesellschaft (FITUG e.V.) – Germany
*Forum InformatikerInnen für Frieden und gesellschaftliche Verantwortung (FIfF e.V.) – Germany
*Foundation for Information Policy Research (FIPR) – United Kingdom
*GreenNet – United Kingdom
*Internet Society Bulgaria
*Imaginons un Réseau Internet Solidaire (IRIS) – France
*Netzwerk Neue Medien (NNM e.V.) – Germany
*quintessenz – Austria
*Swiss Internet User Group (SIUG) – Switzerland
*VIBE!AT – Austria
- “Invasive, Illusory, Illegal, and Illegitimate: Privacy International and EDRi Response to the Consultation on a Framework Decision on Data Retention”, submitted to the European Commission DG JHA and Information Society, 9 September 2004, available at http://www.privacyinternational.org/issues/terrorism/rpt/responsetoretention.html.
- “EU: Data Retention proposal partly illegal, say Council and Commission lawyers”, Statewatch, available at http://www.statewatch.org/news/2005/apr/02eu-data-retention.htm.
- “Opinion 9/2004 on a draft Framework Decision on the storage of data processed and retained for the purpose of providing electronic public communications services or data available in public communications networks with a view to the prevention, investigation, detection and prosecution of criminal acts, including terrorism”, ARTICLE 29 Data Protection Working Party, 11885/04/EN/WP99, available at http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2004/wp99_en.pdf.