Opinion EU privacy authorities on data retention

By EDRi · November 17, 2004

The European Working Party of data protection authorities has finally
released an opinion on the proposed retention of communication traffic
data. The Working Party concludes the proposal is not acceptable within
the legal framework set by Article 8 of the European Convention on Human
Rights. According to the Working Party data retention deserves the same
level of protection as interception. They cite jurisprudence from the
European Court of Human Rights that decrees that all interception of
telecommunications data must fulfil three fundamental criteria; a legal
basis, the need for the measure in a democratic society and conformity
with a legitimate and listed aim. The proposal sent to the European
Council on 28 April 2004 by France, Sweden, Ireland and the UK does not
meet any of these criteria, according to the data protection

On the necessity of the measure the Working Party remarks: “Not everything
that might prove to be useful for law enforcement is desirable or can be
considered as a necessary measure in a democratic society, particularly if
this leads to the systematic recording of all electronic communications.
The framework decision has not provided any persuasive arguments that
retention of traffic data to such a large-scale extent is the only
feasible option for combating crime or protecting national security.”

With little more than 3 pages the Opinion is very brief, but should only
be considered a first step. “In view of the early stage of discussion in
the relevant working party of the Council, this opinion has a preliminary
character. The Working Party intends to reconsider the subject, on the
basis of a revised draft, at a later stage.”

Such a revised draft has already been prepared and will be discussed in
the Council of ministers of Justice and Home Affairs (JHA Council) of 19
November. The document is still kept secret, but is listed in the index of
the Consilium as document number 14190/1/04 REV 1 (Not publicly

According to the annotated agenda of the upcoming JHA Council, the debate
will focus on the difference between storing existing data, and a possible
obligation to gather new kinds of data, specifically for law enforcement
purposes. “Considering the scope of the minimum set of data as proposed in
Article 2(2) of the draft framework decision, it is of great importance to
determine whether an obligation to retain data that is imposed on
providers should be restricted solely to data which are retained for
commercial or business purposes, or whether it should also cover data
which the providers possess as part of their own business operations.”

If the obligation would only see to existing data, market parties with a
focus on privacy could decide to only store a minimum amount of data.
Logging visited URLs would be completely out of the question, since there
is hardly any provider in the world that has a legitimate business purpose
to gather those data outside of their own content-range.

Another issue that will be discussed in the upcoming Council is the need
of law enforcement authorities for systematic retention of the information
about all incoming and outgoing communications of every citizen (in stead
of concentrating on suspects of specific crimes). Both the Working Party,
and earlier EDRI and Privacy International in their long paper against
mandatory data retention, underline the total lack of evidence, and the
conspicuous absence of law enforcement representatives from the political
debate both nationally and at the European level.

Article 29 Data Protection Working Party, Opinion 9/2004 (15.11.2004)

EDRI and Privacy International paper against data retention (15.09.2004)

Annotated agenda of the JHA Council on 19.11.2004

Public register of Council documents (many ‘Not Available’)