Panoptykon looks for the rationale behind the blanket data retention

By EDRi · November 17, 2010

This article is also available in:
Deutsch: [Panoptykon auf der Suche nach dem Sinn der anlasslosen Vorratsdatenspeicherung | http://www.unwatched.org/node/2356]

On 9 and 10 November 2010 the representatives of the EDRi-member Panoptykon
Foundation met with the representatives of the European Commission in
order to discuss the evaluation of the Data Retention Directive (DRD)
and the rationale behind the regime of blanket data retention . The
meetings were held with representatives from Reding Cabinet first and
secondly with members of the Directorate General for Home Affairs – DG
Home. The following is a summary of the main issues that were
discussed according to Panoptykon’s point of view.

It seems that the Commissioner Reding remains very critical about the
current data protection regime. The following might be identified as the
main problems with the Directive: (i) there is too much room for
interpretation for Member States as to what “serious crime” means; (ii)
retention periods are too long; (iii) the scope of data to be retained
remains undefined (especially with regard to the Internet); (iv) there
should be an obligatory judicial control mechanism provided in the DRD
itself.

On the next day with DG Home there were discussed three main problems:
(i) the evaluation process and their plans for the near future; (ii)
the implementation of DRD and its planned revision; (iii) the
proportionality of the data retention regime in principle.

Regarding the evaluation process, DG Home admitted that they were
still working on the report and 3 March 2011 remains their internal
deadline for publishing it. The delay in the process is due to the
lack of response from the Member States – only 13 responded, sending
rather low quality data (e.g. no statistical information on how the
retained data was used and with what effect for law enforcement). Only
the UK made an effort to give more insight into how the retained data
was used in investigations.

There might be nine key issues in the evaluation report: purpose,
period, scope, modalities, authorities, operators, costs, crime and
data security. Later on, DG Home will probably move on to make an
impact assessment, which is officially treated as a second stage of
the whole process. This will include public consultation and the
invitation to voice concerns. The third stage will be the drafting of
a proposal for DRD revision. The important thing is that there will be
a proposal for review and not just re-casting of the DRD.

As far as the implementation and considered revision of DRD is
concerned, from the discussion with DG Home it appears that not a
single Member State has implemented the directive as it was intended
by the Commission. However, it seems that the evaluation report will
not mention particular states.

While discussing the shortening of the retention period, DG Home
quoted a survey saying that while the retained data is requested
within the first 3-6 months in investigating minor crimes or offences,
in the case of most serious crimes (like terrorism) data is requested
even 2 years after the crime occurred. So the argument is that if
someone wants to fulfill the original goal of the DRD, a long retention
period might be a necessity.

It was our understanding that DG Home seems convinced that the amount of
data stored byoperators under DRD remains the same as it was under the
e-Privacy Directive (Art.15). Also that DRD remains an alternative legal
basis for implementing the data retention regime to Art.15 of the e-Privacy
Directive . That would mean that DRD was not seen as lege specialis (!).

Finally, on the point of the adaptation of the data retention regime
to “technological change”, there were possibilities of increasing the
scope of DRD to cover Information Society Service providers like
Google or Facebook. This is because the data retention in the current
shape might be seen as not efficient and easy to circumvent.

A long discussion related with the proportionality issue. One opinion was
that the reasoning applied by the European Court of Justice in the Marper
case can be used to legitimise the blanket data retention regime. This might
be understand as the Court criticised “indiscriminate and blanket” retention
of data only on the grounds of the time factor (i.e. that DNA profiles were
supposed to be stored forever) and not to the scope of the data collected
(i.e. that UK wanted to collect and store data of everyone who has ever been
suspected of committing an offence). Therefore blanket data retention might
remain, in some views, legitimate and proportional as long as it is limited
in time (e.g. the maximum period of 2 years).

EDRi-gram: Continuing the battle against data retention (3.11.2010)
http://www.edri.org/edrigram/number8.21/against-data-retention-directive

(contribution by Katarzyna Szymielewicz – EDRi-member Panoptykon Foundation – Poland)