Data retention news: EU Council, Germany, Spain

By EDRi · March 24, 2005

The Council of European Ministers of Justice and Home Affairs (JHA
council) seems set for a frontal collision with the European Commission
with the proposal for a framework decision on mandatory data retention. On
14 April 2005 the Council will discuss the proposal, possibly including a
functional list, in spite of the urgent request from EU Justice
Commissioner Frattini to drop the proposal completely and wait for a
proper democratic initiative from the Commission. For national members of
parliament all over Europe the national preparatory debate about the
agenda for this JHA Council will probably be the last chance to stop their
ministers from agreeing and first demand a thorough investigation into the
necessity and proportionality of data retention.

The last publicly
available Council document dates from 24 February 2005. The proposal now
demands a retention period of 12 months for all data generated or
processed by telecom providers, with a maximum of 36 months. There is also
a new minimum of 6 months for countries that wish to derogate from the
proposal. Any such derogation has to be reviewed annually and reported to
Commission and Council.

The footnotes show some countries have expressed reservations, but the
names have been deleted from the document. At least one delegate has tried
to remove failed caller attempts from the list of data to be retained, the
lobbying focus from the powerful telecom companies, but apparently

Meanwhile the European Parliament is left in its powerless role as
consultant on the decision, without any right to amend or veto the
proposal. The critical questions from Dutch social democrat MEP Edith
Mastenbroek on 14 October and 12 December 2004 have finally been answered
by the Council on 14 March 2005 in a very condescending manner, summing up
the well-known factual history of the proposal without answering any of
the questions about the proportionality and democratic content of the
proposal. Why it has taken the Council this long to answer the questions
will probably remain as mysterious as the precise contents of the proposal
itself until after it has been adopted. The deadline for the (unanimous)
adoption remains set at June 2005.

The united national and regional data protection authorities of Germany
have strongly criticised the plans during their annual conference in Kiel
on 10 and 11 March 2005. The German DPAs were relatively quiet the last
few months about the subject after the German parliament had clearly
ordered the minister of the interior not to agree with any kind of
mandatory data retention for German companies. But surprisingly Schily,
the minister of the Interior, used the opening of CeBIT 2005 (a mega IT
exhibition in Hannover, Germany) on 13 March 2005 to speak out in favour
of 12 months mandatory data retention. Law enforcement authorities should
“use all possibilities to discover planned crime and terrorist actions”
but negotiations with the telecom industry “were not closed yet”. The next
day Schily joined the informal meeting of the interior ministers in
Granada of the ‘big 5’ (UK, France, Germany, Spain and Italy). The
ministers discussed data retention measures amongst other proposals to
“monitor and control the use of the Internet in international terrorism
and organised crime.”

According to the president of the DPA conference, Dr. Thilo Weichert, also
chair of the Schleswig-Holstein DPA, “the systematic surveillance of the
telecommunication behaviour of all innocent citizens can only provide
minimal help in solving criminal cases, because internationally organised
criminals and terrorists have the technical means to circumvent the
tracking of their traffic data.” Weichert also pointed at the costs for
the telecom industry, raising the costs for individual subscribers and
hurting competition and innovation.

The German DPAs note that the proposal is not only unconstitutional in
Germany, but also in violation of the draft European Constitution in which
privacy and telecommunications secrecy are enshrined as pillars of a free
democratic society.

In Spain the Public Prosecutor’s Office has allegedly produced a set of
recommendations for the Ministry of Economical Affairs on the exact type
of data that should be stored by telecom providers. In spite of several
appeals by the Spanish Internet user association Internautas to the
freedom of information act, drafts have not yet been made public. Spain
was the first country in the EU to adopt general framework legislation
demanding data retention in the summer of 2002, immediately after the EU
privacy directive was adopted which allowed for national legislation on
data retention. But like in all other EU countries except for Italy, the
legislation never materialised in specific regulations. According to
Internautas the Public Prosecutor demands a longer period for data
retention than 12 months and also wishes to give regular police officers
access to the data without any judicial order. Remarkably, the Prosecutor
seems to defend general data retention without any reference to terrorism.
He only refers to child pornography, which also makes it necessary to
create mandatory identification by service providers of all IRC users
(internet chat networks) and visitors of cybercafes.

Last (partially public) version of the draft framework decision on data retention (24.02.2005)

UK and EU allies plan moves against terror websites (18.03.2005)

Deutschland prescht bei Speicherpflicht vor (German, 14.03.2005)

La retenciĆ³n de datos y el secreto de las comunicaciones (Spanish, 17.03.2005)