Brussels workshop on telecom data retention

By EDRi · September 22, 2004

The consultation from the European Commission on new EU plans for mandatory retention of telecom traffic data resulted in 65 answers, most of them negative about any regime of mandatory data retention. Two thirds of the answers came from industry (telephony and internet providers, both individual companies as well as associations) and almost one third from civil society, including the one from Privacy International and European Digital Rights.

Besides, 3 national Data Protection Authorities filed an answer, and 1 (unnamed) ministry of Justice. Philip Gerard, responsible for the regulatory framework within the Commission’s DG Information Society, presented these results during an open workshop on data retention on 21 September in Brussels. In spite of the explicit and repeated requests to law enforcement authorities, none of them answered any of the specific questions about the need for which data to be retained for what period of time, Gerard said.

While the representative from DG Justice said the Commission held no opinion on the proposal, it clearly saw the need for increased co-operation among the member states, based on clear definitions of data retention regimes. He added that, since April, when the proposal was tabled in the European Council, DG Justice had received many phone-calls from the industry, expressing grave concerns about the desired level of approximation.

The main theme in the written answers from the industry was cost reimbursement, Gerard summarised, while each of them underlined the major technological differences between telephony, mobile telephony, internet and future 3G-applications. Many respondents questioned the need for data retention, and inquired about alternative solutions for law enforcement, such as preservation (freezing) of the data of a specific suspect. Also, many people referred to the need for improved co-operation between the judicial authorities in Europe, and first assess the impact of such a new obligation before creating new powers for law enforcement.

Officially the workshop was dedicated to the specific needs of law enforcement and governments, and the current business practices. Painfully absent from the agenda was a debate about privacy and fundamental human rights. Andreas Dietl, the EU Affairs Director of European Digital Rights addressed this in the opening session, and argued for a new follow-up session specifically dedicated to the balance between law enforcement and civil rights. His call was endorsed by many speakers that followed, including Baroness Ludford from the UK (liberal) ELDR fraction, who suggested this should be addressed in a separate parliamentary hearing.

A spokesperson from the International Chamber of Commerce (representing 130 business members) underlined the fact that the Commission clearly made a political choice by organising a hearing on data retention, in stead of organising an open debate about the different options, such as data preservation. She compared this to the famous choice car-factory Ford offered their customers in the 20’s of the previous century: “Any colour you like, as long as it’s black.”

At this point the Motion Picture Association thought it was time to intervene. This representative clearly saw a need for all traffic data to be kept, “in order to prevent essential data from being destroyed.” She added a warning: “Don’t believe that infringers can hide behind data protection instruments!”

2 more defences of mandatory data retention were given by representatives from the Swedish ministry of Justice and the French ministry of Internal Affairs. The French government official argued it was necessary to keep data for a sufficiently long period of time, in order to be able to trace back for example terrorist groups. She added that a French decree was going to “come out in the next few days”, demanding a 1 year storage period for _yet unspecified_ types of telecom traffic data. The Swedish representative said they had many examples of cases that were only solved with the help of retained data, but didn’t give any example. She warned that data retention was necessary because otherwise internet would completely succumb to criminality.

The Spanish telecom provider Telefonica and the German Deutsche Telecom provided some more details about the number of requests they received. Deutsche Telecom said they received ten thousands requests for data per year, and only received symbolic reimbursement, amounting to maybe 2% of the real costs for the company. Telefonica said they received 600 requests per month for the fixed network and 1.500 requests for the mobile network. If there was a demand for preserved data, in practice it never exceeded 3 months. In the specific case of the Madrid attacks, the data for the period December 2003 to March 2004 were requested, and obviously sufficient.

A UK-speaker added that of the 4 mobile telephone companies 1 only stored customer-data for 6 months, while the others maintained the data for 12 months. There was never any complaint raised by law enforcement authorities, and in practice more than 80% of the demands for the other 3 companies concerned data younger than 6 months.

Concluding the workshop, the Commission said more consultation was needed, but it was clear that maybe the minimum term of 12 months should be reconsidered if 6 months turned out to be long enough. Secondly, data preservation should be investigated as a serious alternative to general data retention. And finally, considering the total lack of input from law enforcement, new research was necessary in order to strike a balance between crime investigation and civil rights.