Article 29 WP rejects data retention once more

By EDRi · November 3, 2005

In a carefully worded report, the coalition of EU privacy commissioners (the Article 29 Working Party) criticises both the Council's and the Commission's policies on data retention. The Article 29 Working Party calls for restraint and safeguards that have to date not appeared in any national or EU policy. “The Working Party questions whether the justification for an obligatory and general data retention coming from the competent authorities in Member States is grounded on crystal-clear evidence. The Working Party also doubts whether the proposed data retention periods in the draft Directive are convincing.” And when it comes to safeguards, the Working Party states: “imposing the said data retention obligations on communication service providers without having first realised adequate, specific safeguards is not to be accepted within the existing European legal framework.”

This opinion follows many previous statements by the Working Party rejecting the policy of retention. In November 2004, the Working Party used very strong words on the lack of proven necessity. “Not everything that might prove to be useful for law enforcement is desirable or can be considered as a necessary measure in a democratic society, particularly if this leads to the systematic recording of all electronic communications.” This time, under pressure from the UK privacy commissioner in particular, the Working Party had to consider what a retention policy would look like ideally.

Within this vacuum the Working Party outlines twenty specific safeguards for any policy on retention. The purpose of retention should be limited to combating terrorism and organised crime rather than extending to what it considers the ‘undetermined’ language of serious crime. There should be a maximum retention period in all Member States for a maximum set of data, and the law should evaporate after 3 years unless Parliament and Commission decide to re-confirm the need (a sunset clause). The Working Party also calls for a publicly available list of designated law enforcement authorities that may access the data in specific investigations into terrorism. With regard to the fear of further registration demands (for example for prepaid access), the Working Party says: “It is important to clarify also in this Directive that there is no obligation for identification in cases where the identification is not necessary for billing purposes or other purposes to fulfil the contract.”

Article 29 WP Opinion on data retention (21.10.2005)
http://www.edri.org/docs/Art29-WP113en-Data_Retention_Oct2005.pdf

Opinion EU privacy authorities on data retention (17.11.2004)
http://www.edri.org/edrigram/number2.22/dataretention

(Thanks to Gus Hosein, Privacy International)