Industry and civil society agree against data retention

By EDRi · May 4, 2005

The rapporteur for the European Parliament on telecommunication data retention, Alexander Alvaro, has organised on 3 May a round table discussion with the title ‘How does the internet work and how does data retention effect industry and society’. A broad cross section of civil society and industry representatives criticised the current Council framework proposal on data retention for its content and procedure. The meeting was held under the flag of the alliance of liberals and democrats (ALDE) in the European Parliament. Several MEPs attended the meeting, including Mastenbroek, Cederschiƶld and Duquesne.

“We need a genuine debate, one which has been sorely missing”, said Alexander Alvaro. “The current proposal lacks a proper legal base, is disproportionate and ineffective. It needs a thorough rethink”, he added. Almost all speakers attacked the European Council’s proposal regarding proportionality, necessity and costs. Both industry and civil society organisations agreed on the grave impact that data retention will have on civil liberties, internal market and consumer trust.

Gus Hosein from Privacy International expressed his disbelief that a data retention proposal is still being discussed. Hosein pointed out that both in the US and Europe the misconception exists that the US has passed the most invasive legislation on the interception and retention of telecommunications. Hosein however reminded the audience that a data retention proposal would not even be considered for one minute by any US government. Hosein also criticised the policy laundering by national governments in the EU concerning data retention. Both the UK and Ireland have initiated the Council’s proposal because national proposals on mandatory data retention could not be pushed trough. According to Hosein the Irish minister of justice recently admitted that he is waiting to implement data retention until “the EU cavalry is coming in”. Hosein called the Council proposal invasive, illusory, illegal, and illegitimate. Privacy International and EDRI submitted such criticism to the European Commission in September 2004. Andreas Gebhard representing EDRI-member Netzwerk Neue Medien called data retention “the civil society’s worst nightmare”. Gebhard pointed out that data preservation, as laid down in the Cyber-Crime Treaty, offers a less intrusive and less costly alternative to data retention.

Christina Vela, representing the European Telecommunications Network Operators’ Association (ETNO), called for a proper impact assessment and justification for any mandatory data retention measure. Vela also called upon the Council and the Commission to consider solutions that are less intrusive. ETNO is concerned that the industry will be caught between strict data protection rules and very broad data retention provisions. Christiane Eichele of the Federation of German Industries (BDI) said that data retention does not only effect the telecommunication industry but called it a general issue of industry policy. She labelled the decision making process on data retention a clear example of how it should not be done.

Ilias Chantzos of Symantec didn’t speak out in favour or against the proposal but raised several issues regarding the volume and security of retained data. Chantzos pointed out that the volume of the retained data will present law enforcement with the very difficult task of “finding the needle in the haystack”. Chantzos emphasised that the costs of data retention are not limited to the collection, storage and retrieval of traffic data. The physical and network security of the storage systems will be a key factor in the total costs. The abuse of retained data through security breaches will pose huge risks. This point was followed up by Klaus Landefeld of EuroISPA, the European alliance of ISP associations. Landefeld noted that the data retention proposal asks for secure and redundant storage which is not at all the standard for keeping logs in the ISP industry. EuroISPA fears that a data retention obligation will force ISPs to engage in data mining, a craft in which they have no expertise.

Rapporteur Alvaro noted in his closing remarks that in the past months he has met very few people that think the data retention proposal is the right way forward. MEP Mastenbroek expressed strong criticism of the Councils proposal saying that the necessity for the measure has not been investigated. She also demanded that the Council stops negotiating about the proposal now that legal opinions from the Commission, the Council itself and the EU Parliament’s legal committee state that the proposal is illegal and in breach of the EU Treaty.

A representative of eBay in the audience was one of the few that spoke out in favour of data retention which he saw as a solution to reduce identity theft. Gus Hosein blasted this argument as false: “Identity theft is caused by data aggregation”. A representative for the Commission expressed, as a personal opinion, his dissatisfaction with the absence of law enforcement input into the public debate. He also called for more understanding for the needs of law enforcement regarding retention.

No news about an upcoming Commission proposal on data retention came out of the meeting. But privately many insiders expressed their confidence that a decision on data retention will be in the hands of the Commission and Parliament and that the Council will at some point redraw it’s current proposal. It will however be a challenge to remind the Parliament that the redrawal of the Council’s proposal does not mean that the fight over data retention has been won. Any future Commission proposal will still have to be scrutinised by Parliament for its necessity, proportionality and cost reimbursements.

The Parliament’s Committee on Legal Affairs has advised the LIBE Committee that the Council proposal is illegal. It advises that a EU Commission directive should regulate which data have to be retained and how long. “In the light of these considerations, two separate measures could be envisaged: one based on the first pillar (ECT) on harmonisation of categories of data and the length of time such data must be retained, and the other based on the third pillar (TEU) on aspects relating to cooperation on criminal matters, in particular on the subject of access to and exchange of such data.”

The Council has released a new censored draft for the data retention proposal that allows members states to retain data for up to 48 months. This proposal is in accordance with the secret minutes that EDRI-gram published on 6 April. The proposal also shows that the Council is continuing with negotiations, ignoring all opinions on the legality of the proposal.

Presentations of the speakers will be made available on the ALDE public hearing website (03.05.2005)

Press release: ALDE rapporteur considers Council proposals “disproportionate, invasive and illusory” (04.05.2005)

Invasive, Illusory, Illegal, and Illegitimate: Privacy International and EDRi Response to the Consultation on a Framework Decision on Data Retention (15.09.2004)

Opinion of the EU Parliament’s Committee on Legal Affairs (31.03.2005)

New Council Draft proposal (14.04.2005)

Secret minutes EU data retention meeting (06.04.2005)

(Contribution by Maurice Wessling, EDRI-member Bits of Freedom)