New EU plans for mandatory data retention

EDRI has obtained secret documents in preparation of a Declaration against
Terrorism that will be published during the Spring Summit of EU heads of
state. The draft from the Irish presidency specifically mentions the need
to prioritise mandatory data retention for GSM and internet providers. The
Commission input for the Summit, issued a few days earlier, does not
mention data retention, but proposes many other measures that will have a
chilling effect on the daily lives of European citizens and their freedom
to travel and communicate.

The desire for mandatory data retention was already expressed last week,
on 19 March, during an emergency meeting of the EU’s Justice and Home
Affairs ministers in Brussels. Following a German initiative, the
ministers discussed a catalogue of measures in the fight against
terrorism. It does not come as a surprise that the hardcore law
enforcement faction in the Council of Europe used the occasion to put
several long-term projects in the spotlight.

Some of the bombs used in Madrid two weeks ago were detonated with
modified mobile phones. This gave UK Home Secretary David Blunkett (the
Minister of Internal Affairs) the opportunity to declare that it was
necessary for providers to retain all traffic data from cell phones as
well as from other forms of electronic communication. The UK delegation to
the European Union and other surveillance hard-liners have been pushing
this project for more than five years.

Anti-terrorism measures will be on top of the agenda of the EU Spring
Summit, which will be held in Brussels on 25 and 26 March. EDRI has
obtained confidential documents preparing a draft declaration on fighting
terrorism for that meeting. The document from the Irish Presidency to the
Council says: “The European Council, with a view to the further
development of the legislative framework set out above, instructs the
Council to examine measures in the following areas: proposals for
establishing rules on the retention of communications traffic data by
service providers; (…)”, and: “Priority should be given to the proposals
under the retention of communication traffic data (…) with a view to
adoption by June 2005.”

It is an open secret that law enforcement hawks started to draft a
Framework Decision that would introduce mandatory retention of
telecommunication data immediately after the directive on privacy and
electronic communications (2002/58/EC) was passed in May 2002. The
Directive contains a paragraph (Article 13) that explicitly allows
retention of traffic data “when such restriction constitutes a necessary,
appropriate and proportionate measure within a democratic society to
safeguard national security (i.e. State security), defence, public
security, and the prevention, investigation, detection and prosecution of
criminal offences or of unauthorised use of the electronic communication
system.”

Like the Council, the Commission calls for a number of understandable
anti-terrorism measures, such as a database of terrorists, better tracing
of weapons and explosives and new procedures for banning organisations.
Member states also want to establish an EU co-ordinator for the fight
against terrorism, and link secret services up with each other and police
forces. Some countries are in favour even of what has been referred to as
an ‘EU CIA’, but at the moment, this idea doesn’t seem to have any
suppport from the large EU members such as the UK and France.

But the proposal from the Commission goes way beyond the immediate threat
of terrorism and reads more like a general call for heavy electronic
surveillance of all European citizens.

The Commission paper mentions the need to enhance the exchange of data in
general, “including through enhanced access to data not produced for law
enforcement purposes.” The document does not specify the kind of databases
that this measure refers to.

Another remarkable proposal from the Commission is to publish a proposal
‘by the middle of 2004’ to allow the use of European passenger data (PNR)
for ‘other law enforcement purposes’. The wording is identical to the very
broad use the United States wish to make of PNR-data, in direct violation
of EU privacy-legislation and as such strongly opposed by the European
Parliament.

The Commission also suggests “(…) upgrading existing databases such as
SIS II with new functionalities, as well as making full use of advanced
technologies such as satellite ­enhanced (GALILEO) RFID (Radio Frequency
Identification Device) tracking.”

On the issue of biometric data in new EU passports, the Commission now
wishes to add the fingerprint to the mandatory requirements. In previous
plans this was just an option, on top of the requirement of an
electronical facial image. The documents says: “(…)the possibility to
adjust the pending Commission proposal on EU passports by making
fingerprints mandatory and to extend it to Identity Cards and other travel
documents.”

Finally the Commission suggests a specific measure for mobile phones.
Reprogramming should be criminalised and “measures should be taken so that
the sale of replacement SIM cards does not impede the efficient actions of
law enforcement authorities.”

Documents Commission and Presidency preparing a draft Declaration (19-22.03.2004)

Home

Irish presidency press release JHA-council (19.03.2004)
http://www.ue2004.ie/templates/news.asp?sNavlocator=66&list_id=438

Statewatch on EU Emergency Justice and Home Affairs Council (March 2004)
http://www.statewatch.org/news/2004/mar/16jha-prel-19March.htm

Agenda EU Spring Summit 25-26 March 2004
http://europa.eu.int/comm/councils/bx20040325/index_en.htm

Press release European Commission on counter terrorism efforts (12.03.2004)
http://europa.eu.int/rapid/start/cgi/guesten.ksh?p_action.gettxt=gt&doc=MEMO/04/59|0|RAPID&lg=EN;

(Contribution by Andreas Dietl, EDRI EU affairs director)