Data retention: Council barks but cannot bite

By EDRi · October 20, 2005

Charles Clarke from the UK Home Office uttered some incredibly harsh
threats to the European Parliament committee on civil liberties (LIBE) on
13 October, the day after the Council meeting, but his barking could not
conceal the fact the ministers of Justice and Home Affairs did not have
any teeth to bite with. Several national parliaments (Germany, Austria,
the Netherlands) have not given their ministers the go-ahead on the
framework decision on data retention. But according to Council
conclusions, “The Council agreed to revert to this issue at its next
meeting with a view to a final decision before the end of the year.”

Clarke obviously thought it was a good strategy to try to intimidate the
MEPs. If they didn’t agree before December in first (and last!) reading on
introducing data retention, he said, the ministers would pull out the
framework decision anyway in the last formal JHA Council under UK
Presidency, on 1 December 2005. Besides, if parliament failed, he would
make sure the European Parliament would no longer have a say anymore on
any JHA matters.

In fact, the Council suddenly took the advice from its own legal service
into account (dating back to April 2005), according to a last minute note
from the UK Presidency from 5 October 2005. This advice warns the
ministers that if they would proceed, any ISP could take the Council to
court once the measure was introduced and would most likely get full cost
reimbursement for having to implement an illegal measure.

But in spite of the strong legal position of the European Parliament, the
presidents of the political groups meeting in the European Parliament
today (20 October) have just decided to let this time pressure prevail
above the content of the directive. To ensure smooth negotiations, they
propose to withdraw the mandate of rapporteur Alexander Alvaro and give it to the chairman of LIBE (the EP committee on civil liberties), the French
centre-right Jean-Marie Cavada. The LIBE committee will have to vote on
this proposal in their meeting of 24 October and the outcome is unclear.
However, the proposal from the group presidents makes it very clear their
main cause for concern was not getting formal co-decision power, not in
the gross undermining of fundamental civil rights by the systematic
surveillance of all innocent citizens.

The LIBE committee has until 26 October 2005 to enter amendments on the
proposal from the European Commission and on the proposal from Alexander
Alvaro. The secondary committee on Industry (ITRE) already had to file
amendments before 18 October 2005. With regards to the content of the
Commission proposal, the JHA Council made it clear they will not accept
the maximum terms proposed by the Commission. They can live with the
minimum of 6 months for internet data and 12 months for telephony, but
wish to reserve the freedom to extend this period to 2 years, or as long
as the member states have already seen fit. This is a specific gesture to
Italy and Ireland, who have introduced data retention for 4 and 3 years
respectively. Secondly, the Council does not want a general cost
reimbursement for the industry, but wants to leave it to member states.
Thirdly, the Council still insists on the inclusion of failed call

But on another crucial point about the scope of the obligation, Commission
and Council seem to agree. According to sources around the Commission, all
data mentioned in the Annex must be captured by all parties that can
possibly detect them, both by network operators and by service operators.
This means the term “data generated or processed by providers” includes
any data transported on any network. This causes great concern when it
comes to internet data, that can only be captured successfully by the
party that actually provides the services, not by operators that merely
let the data pass through their pipelines. If Commission and European
Parliament agree on this very wide margin of interpretation, in reality
all providers will have to create full wiretaps on all their networks to
capture every byte and select the appropriate traffic data from this
immense data mountain.

After the JHA Council the Danish minister of Justice, conservative Lene
Espersen, made the headlines again with a brutal quote. After the previous
informal JHA Council of 8 and 9 September she served off the telecom
industry. “They should stop all their whining,” she told reporters. “When
you know these people are making money making their systems available to
criminals, then maybe they should have a more humble attitude.” This time,
according to the BBC, she said: “We have to decide who we are most afraid
of – the European Parliament or terrorists.”

The evening before the JHA Council, the European Internet Foundation
organised a special dinner debate on the matter, with representatives from
the European Parliament, European Commission, industry and police. EDRI
was also present (the editor) and was given the chance to explain its
objections against mandatory data retention. At the very last minute the
representatives from the Council and from the European Commission DG
Justice cancelled their presence. The representative from the Belgian
police, Chief Commissioner Luc Beirens of the Federal Computer Crime Unit,
explained how useful traffic data were. An example he gave was the
possibility of having your free webmail account hacked. This could result
in blackmail “worth as much maybe as 200 euro” to get the account back or
having child pornography spread in your name to your friends and

His speech was warmly welcomed by representatives from the music and
film-industry, the IFPI and the MPA. They both claimed data retention did
not change anything at all, since member states already had the
possibility to introduce mandatory data retention. Obviously, they did not
bother to explain that an option is completely different from a binding
European obligation. The IFPI representative insisted piracy was a form of
organised crime that should be fought with all legal means, including
tracing back the exact internet behaviour of all suspects for a
substantial amount of time.

Mr. Beirens claimed Belgium had also introduced mandatory data retention
for telephony traffic data. This could not be confirmed to EDRI-gram by
either the Federal Privacy Commission or by the Belgian ISPA. In fact,
Belgium has re-introduced the possibility of data retention on 13 June
2005 with the introduction of a new telecommunication law, but like before
with the law on computer crime established in 2001, the actual royal
decree stipulating what kind of data should be stored by which market
parties for what period of time was and is never issued. Therefore, any
traffic data stored by market parties beyond the direct purposes of
transmission or billing, are plainly illegal.

There are still only 2 countries in the EU with actual and legal data
retention legislation, Italy and Ireland, but both only for telephony, not
for internet data.

Justice and Home Affairs Council Conclusions (12-13.10.2005),0.pdf

BBC: EU states agree phone record law (12.10.2005)

Last JHA Council version (10.10.2005)

UK Presidency letter to Council (05.10.2005)