New data retention draft raises many questions

By EDRi · October 20, 2004

The Dutch presidency of the European union drafted a revised proposal for the mandatory storing of telecommunication data. The new proposal seems to let the members states free in choosing the time period and raises many questions with regard to its scope.

France, Ireland, the UK and Sweden drafted the original proposal to the Council of the European Union to store the telecommunication data of all 450 million EU citizens for a period of 12 to 36 months, for law enforcement purposes. These so-called traffic data reveal who has been calling and e-mailing whom, which websites they have visited, and even where people were with their mobile phones.

The plan addresses providers of telephony and internet, both networks and services. They will have to store the traffic data of all their users, not just those of suspects. The traffic data will be accessible for law enforcement authorities and intelligence services, not just nationally, but across all EU-borders. The member states decide themselves on the powers they grant to obtain access nationally.

The new, revised proposal sets the retention period to 12 months. But no member state will be bound by this limit: “Member States may have longer periods for retention of data dependent upon national criteria when such retention constitutes a necessary, appropriate and proportionate measure within a democratic society”. Where the original proposal puts the maximum limit at 36 months for law enforcement purposes, the new draft has no limit at all. The new draft also allows the retention of certain data (especially internet traffic data) for a shorter period.

The most significant change might be in article 3 of the draft. The new draft states that the mandatory retention applies to “data processed and stored for billing, commercial or any other legitimate purposes by providers”. It is unclear and unexplained how to interpret this line. One could read that mandatory retention does only apply to data already stored by a provider. In other words, if a provider doesn’t store a particular type of data at all, the data retention obligations would not apply. Such an interpretation raises many questions. Can telecommunication providers decide themselves what to store or will members states make a list of those data? The proposal does not offer any explanation on this crucial sentence.

Draft Framework Decision on the retention of data (14.10.2004)