Data retention in EU JHA Council

By EDRi · December 2, 2004

The European Council of ministers of Justice and Home Affairs will meet on 2 and 3 December 2004. Telecommunication data retention is an important item on the agenda. The Dutch EU Presidency tried to force the Council to reach a quick unanimous decision on the proposed framework decision, but has now changed course. According to an explanation given by minister Donner of Justice on 1 December 2004 to the judicial committee of the Dutch Lower House, a large majority of EU Member States is now in favour of an extended obligation. Supposedly led by France, most countries now insist on a large set of data that should be collected and stored by telecom and internet providers, instead of limiting the retention to data that are already collected for business purposes.

Not a single example of these extra data was given, but providers should be prevented from ‘obscuring personal data’ and ‘there must be certainty about the set of available data across Europe’, said minister Donner. The JHA Council will now proceed to discuss the extent of the extended obligation, instead of focussing on the need and necessity of storing intimate data about all citizens as opposed to preserving data of individual suspects.

The German Lower House committee on Justice and Home Affairs has unanimously adopted a draft-motion on 1 December 2004 forbidding the German government to support a decision in any EU body that would oblige companies in Germany to store traffic data “with reservation to the presentation of appropriate legal justification.”

EDRI-member IRIS adds that France has never published a decree stipulating mandatory data retention, but has been working on it since 15 November 2001. Though a French official announced on 21 September in a Commission workshop that the publication was ‘imminent’, it has not surfaced yet. It is widely expected to include web-surfing, data most providers can only obtain by sniffing their entire network. That means putting a wiretap on every customer and distilling the necessary data from the resulting mass of traffic. According to an urgent open letter from 160 Dutch internet providers (including all the major European ISPs such as Tiscali, UPC and Wanadoo) to Parliament, an ordinary broadband provider with 100.000 customers transports 5.5 terabytes of data per day, or 8.500 CDs. Sniffing all those connections and distilling traffic data from them is technically impossible, they claim.

In full support of the open letter, the Dutch judicial committee asked Donner to provide proof of the necessity, proportionality and costs of the obligation, before adopting any official Dutch position. Minister Donner said he would write a letter to Parliament in January, answering some of these questions, but said it wasn’t possible for parliament or internet-providers ‘to frustrate the European decision making process’, since the Netherlands were ‘only accommodating this process as chairman of the EU.’

Pressured to give examples of the necessity of data retention for law enforcement, Donner admitted he had not told the ‘full truth’ to Parliament in the previous meeting when he pointed to ‘the success of mandatory data retention in the UK’. He now acknowledged there was no legal obligation to retain data in the UK, only a self-regulatory code with which many providers don’t comply. He admitted he only “talked to English law enforcement officials who said mandatory data retention was a very good idea.”

Meanwhile the European Commission has not yet published its opinion on mandatory data retention, an opinion that was due on 19 November, the date of the previous JHA Council. The Council has now asked the Commission to provide specific input on the issue of ‘regular’ or ‘extended’ data retention.

Bundestag will Datenschutzreform anmahnen (01.12.2004)

Open letter 160 Dutch ISPs (in Dutch, 29.11.2004)

PI/EDRI statement, endorsed by 90 civil rights organisations (15.09.2004)