New EU Commission proposal data retention
The European Commission has finally produced its draft directive on data retention. According to the Commission, all fixed and mobile telephony traffic and location data from all private and legal persons should be stored for 1 year. Data about communications ‘using solely the internet protocol’ should be stored for 6 months. The Commission does not provide any argument about the usefulness and necessity of data retention, but considers the directive to be proportionate if providers are reimbursed for ‘demonstrated additional costs’. The last compromise achieved by the ministers of Justice and Home Affairs (the JHA Council) to create a two-step approach, starting with telephony data and introducing internet data retention at a later stage, is completely ignored by the Commission.
The Commission claims it seeks a balance between law enforcement, human rights and competition aspects by defining the purpose, limiting the categories and time period. The purpose is derived from Article 15 of the E-Privacy directive of 2002 and is actually larger than what the JHA Council proposed. The Commission includes the prevention of criminal offences and safeguarding national security, defence and public security besides the JHA purpose of the investigation, detection and prosecution of criminal offences.
The JHA Council always claimed much more room for member states to adopt longer periods, up to the 4 years already implemented for fixed telephony data in Italy. The Commission intends to proceed with this directive in the first pillar, with full co-decision rights for the European Parliament. However, the JHA Council has also made it clear it will not withdraw the proposed third pillar framework decision, and has vowed to reach (unanimous) agreement in the formal JHA Council of 12 October 2005. The tension will probably reach a climax in Newcastle on 8 and 9 September 2005, during the informal JHA meeting.
EDRI has received a copy of the so-called ‘Interservice Consultation’, which is circulated amongst Commission officials from several Directorate Generals. The final, possibly amended version is expected to be published some time in August 2005, before the informal JHA Council. The Commission writes it wants to set up a permanent advisory platform with representatives of law enforcement, providers and the Article 29 Working Party of Data Protection Authorities to be consulted “whenever the details of the list of data to be retained are to be amended.” Besides, the Commission intends to create “a Comitology mechanism to allow for quick amendments to the details of the data which need to be retained.”
The proposal includes a “result-oriented” list of data that providers must be able to make available to the competent authorities. “Such a ‘result-oriented’ list provides a certain degree of flexibility to the Member States in deciding what obligations will need to be met and to the operators on how to meet these obligations.” The specific data are summed up in the Annex (p. 15 and 16). At this point in time, the Commission does not mention a full IP logfile from every ISP to trace every incoming and outgoing communication, but limits the demands to IP-address, the Computer internal MAC address, username, e-mail addresses and a logfile of every sent and received e-mail. The operators of mobile telephony surely won’t be pleased with the proposal to store SMS traffic data for 1 whole year, nor with the obligation to keep detailed location data for 1 year, including mapping Cell IDs to the geographical location of the caller.
The Commission clearly admits the weakness of the need for data retention by creating a new obligation for providers to keep statistics on the usage of traffic data and present them to the Commission on a yearly basis. “Today no verifiable statistics exist at the European level on the usage of traffic data.(…) This information, once aggregated, will provide the factual information necessary to evaluate the effectiveness of the Directive.” The Commission does not promise any publication of these statistics.
The Commission follows the draft framework decision very closely, even to the point of copying the completely misleading sentence “Many Member States have adopted legislation providing for the retention of data by service providers (…)”. To the best of EDRI’s knowledge, only 2 of the 25 Member States have actually implemented data retention legislation; Ireland (since April 2005, only for telephony) and Italy (only for fixed telephony). General data retention legislation has been adopted, but not implemented due to massive differences in opinion, in France, Denmark and Spain.
Member States have to implement the directive, if it is adopted by the European Parliament, within 15 months after publication in the Official Journal. The Commission plans to evaluate the directive after 3 years.
New EU Commission proposal data retention (20.07.2005)
Last UK prepared version of the JHA working document on data retention (29.06.2005)