Final push for single EP vote on data retention

By EDRi · December 5, 2005

Behind closed doors, representatives of the Council of Ministers of Justice (JHA Council), representatives from the Commission and the leaders in the European Parliament of the social-democrat and christian-democrat groups have agreed to introduce an unprecedented law (directive) on mandatory data retention in the EU. The groups have agreed to introduce mandatory retention for fixed and mobile telephony data and for internet log-in-log-off, for e-mail records and for Voice over IP records. There is only one last formal hurdle; the plenary vote in the European Parliament on Monday evening 12 December 2005.

But in practice this vote hardly has any meaning, given the majority adoption of the principles of extensive data retention. The agreed minimum period is 6 month, the maximum period 24 months. But member states may also decide on any longer term they find necessary, including the new 15 years proposal from the Polish government (see article 3 in this EDRI-gram). This is foreseen by the new article 11: “A Member State facing particular circumstances warranting an extension for a limited period of the maximum retention period referred to in Article 7 may take the necessary (…) measures. The Member State shall immediately notify the Commission and inform the other Member States of the measures taken by virtue of this Article and indicate the grounds for introducing them.”

The goal ‘prevention’ is deleted from this Council/EP compromise version, but that won’t pose any problem for any member state that wishes to introduce or already has such legislation, since Article 15.1 of the e-privacy directive (2002/58/EC) is not replaced by this directive, but will still allow for any national retention rules. Thus member states that already have legislation for longer retention periods, such as Ireland and Italy, are not affected by this directive either.

The article about cost reimbursement is completely deleted, leaving it to the kindness of individual member states to reimburse providers or not. Access will be limited to the investigation of ‘serious crimes’, without any definition of ‘serious’ nor any limit to the access for security services. “The present Directive is without prejudice to the power of Member States to adopt legislative measures concerning the right of access to and use of data by national authorities as designated by them.”

The outcome of these secret trialogue meetings underlines a fundamental deficit in the democratic construction of the EU. Councils should meet in public, as the European Ombudsman also demands (See [EDRI-gram 3.21 |] ) and the European Parliament should not be forced into blind obedience by a Council that is unable to reach a unanimous decision itself.

The sudden change of heart of the German social-democrats, after their new coalition with the christian-democrats has most likely been the ultimate trump-card for the Council. Given the strong voting position of Germany (reflecting the amount of inhabitants) their consistent (and historically understandable) rejection of systematic surveillance was a major obstacle. In the new German government coalition, this resistance was reduced to the industry argument of not including failed caller attempts. The Council immediately jumped to this chance, and now only calls for the retention of some of these calls if companies already store such data.

“This shall include (…) unsuccessful call attempts where that data is generated or processed and stored (as regards telephony data) or logged (as regards Internet data) by providers of publicly available electronic communications services or of a public communications network within their jurisdiction in the process of supplying the communication services concerned. This Directive shall not require the retention of data in relation to unconnected calls.”

In an interview with the German national radio on 2 December, the new minister of the Interior Wolfgang Schäuble explained his very positive view on data retention. Industry should not ask for cost reimbursement he said. Every citizen must keep financial records in order to file the annual tax declaration and nobody was claiming the Ministry of Finance should reimburse them for that civil duty. And because the main purpose from his perspective was the prevention of crimes, there should be broad access for security services, without any specific suspicion. The German coalition of regional data protection authorities, chaired by the independent authority of Schleswig-Holstein replied to the Council decision with a press release in which they reiterated their fundamental (constitutional) objections against the principle of retention. They call it a box of Pandora and conclude: “We expect that the European Parliament, the German parliament and the constitutional courts in Europe will make sure that this box will remain closed.”

A week before the meeting of the JHA Council, on 24 November 2005 the LIBE committee of the European Parliament had agreed to a more limited set of data and retention period of 6-12 months. While this outcome in the LIBE committee was a serious set-back for digital rights groups, at least the LIBE committee had the decency to introduce strict limits to the use of the data (only with a judicial warrant!), truly independent oversight mechanisms and demands for extensive, public statistics on the use.

The day before the vote in the LIBE committee, EDRI and XS4ALL presented the +58.000 signatures to the petition against data retention to the chairman of LIBE, Jean Marie Cavada and to rapporteur Alexander Alvaro. The petition was also presented to 3 MEPs opposing data retention: Kathalijne Buitenweg (group leader of the Greens); Edith Mastenbroek (social democrat) and Charlotte Cederschiˆld (christian democrat). Pictures of the presentation can be found at the campaign WIKI.

While Alvaro proposed a maximum retention of 3 months for telephony data only, LIBE enlarged the list with location data and internet log-in log-off data, for a period of 6-12 months (to the discretion of member states). Another serious set-back for civil society was the new definition of ‘serious crimes’, based on the European Arrest Warrant. This list includes ‘piracy’, and this will become a criminal offence under the proposed new Commission decision on Intellectual Property Enforcement, including cases of downloading ‘on a commercial scale’. But even this list is obviously too limiting for the Council, given its refusal to define serious crimes.

Possibly the Council and some members of parliament have fallen for the dramatic call from the audiovisual entertainment industry not to exclude them from access to the new European data well. In a press release from 23 November, the Creative and Media Business Alliance (companies and media associations) and IFPI urge the MEPs to include all criminal offences in the scope of the directive. They specifically refer to the Intellectual Property Enforcement Directive when they write: “For this legislation to be meaningful, it is essential that service providers retain the relevant data for a reasonable period and that the data can be disclosed for appropriate purposes. The proposed Directive on data retention should serve to facilitate this.”

On Wednesday morning 7 December, EDRI will participate in a public hearing about data retention in Brussels, represented by Sjoera Nas, your EDRI-gram editor. The hearing is organised by the Greens in the European Parliament. Other speakers include representatives from EuroISPA, ETNO and the European Data Protection Supervisor (EDPS).

Outcome of the JHA Council / new compromise Directive proposal (02.12.2005)

Note from Presidency setting out four areas for decision of Council on its position (01.12.05)

Interview with Wolfgang Schäuble, the new German minister of the Interior (in German, 02.12.2005)

Euractiv analysis of the LIBE voting results, with voting list (24.11.2005)

Final LIBE report, as amended (28.11.2005)

CMBA/IFPI statement pro data retention (23.11.2005)

Pictures of the petition presentation in Brussels (23.11.2005)

Decision against data retention of the 70th conference of German DPAs (in German, 27-28.10.2005)