Data retention proposal European Commission

By EDRi · September 21, 2005

The European Commission has finally launched its proposal for a directive
on data retention. During a press conference today (21 September 2005),
Commissioner Frattini underlined how important it was that data retention
would be decided in the first pillar, by Commission and Parliament and not
by the ministers of Justice in the third pillar. Frattini was confident
the proposal would be adopted by the European Parliament before the end of
the year. But the happy information feeling didn’t last until the end of
the conference. When asked by a journalist why the Commission did not
include failed call attempts, Frattini said that was indeed an omission,
and would be one of the first updates to the list. Failed attempts are
important, Frattini said, because law enforcement needs very complete
information from the base stations used for mobile telephony. By storing
failed call attempts law enforcement gets a complete picture of all the
mobile phones that were near a base station at a certain point in time,
including mobile phones that were not engaged in a conversation.

The Commission proposal is very similar to the last versions of the
proposal from the Ministers of Justice (JHA Council) for a framework
decision. The Commission proposal only differs in a shorter retention
period: one year retention for data about telephony behaviour, including
location data of mobile phones. Internet data should be stored for 6
months. Like the JHA Council, the Commission fails to provide any evidence
for the need and benefits of data retention. The Commission repeats
meaningless sentences like “It has now become urgent to adopt harmonised
provisions at the EU level on this subject.”

The purpose of the retention is “the prevention, investigation, detection
and prosecution of serious criminal offences, such as terrorism and
organised crime.” The JHA Council didn’t want to limit the purpose to
‘serious’ crime, but on the other hand, never considered ‘prevention’ a
valid purpose. In that respect the Commission seems to invite law
enforcement to start data-mining on a large scale on the travel and
communication patterns of completely innocent citizens.

Internet data are defined as “data related to electronic communications
taking place using wholly or mainly the Internet protocol”. In the annex of data
to be stored, the required internet data are limited to internet access,
e-mail and internet telephony.

But this list of data is completely meaningless, given the procedure the
Commission proposes to update this list. Opening a backdoor matching the
size of the law enforcement ambitions of the UK presidency, the Commission
proposes a flexible procedure to revise the list in ‘comitology’. This
typical EU procedure means representatives of the member states form a
special committee. The European Commission can send proposals to such a
committee. In the case of data retention, the Commission has chosen the
form of a ‘regulatory committee’. If a qualified majority of members
agrees, the Commission can send a proposal for drastic expansion of the
kinds of data to the Council. Within 3 months they have to decide by
qualified majority to reject or adopt the proposal. If they don’t agree
within 3 months, the Commission may continue and adopt the proposed
measure.

In this procedure, the national parliaments are completely excluded and
the European Parliament only has a so-called right of scrutiny. If the EP
feels a proposed measure “would exceed the implementing powers provided
for in the basic instrument”, the Commission must re-examine its proposal,
but can completely ignore the protest from the EP.

Looking at the Council versions of June and July, a majority of member
states still rejects the proposal from Austria to specifically exclude the
subject line of e-mails from the list. This is just one example of the
pressure that will be exerted on the Commission to weaken the fundamental
protection of communication secrecy. On the Internet, the difference
between content and meta-data is blurred, a danger many experts have
warned about for a long time. Data such as subject lines and surfing
behaviour reveal detailed and intimate reading patterns. According to the
last working party version of the Council proposal, from 16 September
2005, Belgium, Denmark, Spain, Lithuania and Sweden insist on retention of
logs of web browsing, Internet chat and peer-to-peer communications. The
Council acknowledges once more all the legal criticism of dealing with
data retention in the third pillar, but will return to the framework
decision in the last formal JHA Council of 2005, in December, if
Commission and Parliament have not obliged by then. This is phrased as:
“During the proceedings, the Council will need to decide if it accepts the
approach of a Directive or if it will take measures on data retention on
the basis of the draft Framework Decision.”

Some slight changes in the final Commission document compared to the
previously leaked version are:

- No longer will the Commission consult an advisory forum of data
protection authorities and industry for every update of the Annex.
Instead, the Member States can decide by themselves in comitology;

- Instead of the providers, the Member States bear the responsibility to
provide yearly statistics on the use of retained data to the Commission;

- The Commission, for the first time, says something in public about the
results of the consultation procedure in September 2004. But the summary
is grotesquely inaccurate when it comes to digital rights organisations.
The Commission writes: “In general terms, they questioned whether periods
of retention longer than six months can be considered to be proportional.
They also expressed concerns about the finality and aims of the retention,
which should be clearly specified.” In reality, over 100 digital rights
organisations signed the petition from EDRI and Privacy International that
objected to _any_ form of systematic retention of data on innocent
citizens.

Commission press release (21.09.2005)
http://europa.eu.int/rapid/start/cgi/guesten.ksh?p_action.gettxt=gt&doc=IP/05/1167|0|RAPID&lg=EN

Commission memo (21.09.2005)
http://europa.eu.int/rapid/pressReleasesAction.do?reference=MEMO/05/328&format=HTML&aged=0&language=EN&guiLanguage=en

Leaked Commission proposal for a directive (15.09.2005)
http://www.statewatch.org/news/2005/sep/com-data-retention-prop.pdf

Working party version of the Council framework decision (16.09.2005)
http://www.quintessenz.at/doqs/000100003338/2005_09_16,EU_council_copen_42_telecom_90_data_retention.pdf

July version of the Council proposal (29.07.2005)
http://www.statewatch.org/news/2005/sep/eu-data-ret-draft-jul05.pdf

EDRI-gram analysis of first version Commission proposal (27.07.2005)
http://www.edri.org/edrigram/number3.15/commission

Press release EP rapporteur Alexander Alvaro (04.05.2005)
http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-204208

EDRI and PI response to Commission consultation (15.09.2004)
http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-103020

FAQ about comitology procedure
http://europa.eu.int/comm/secretariat_general/regcomito/aide.cfm?page=faq&CL=en