Three EU governments - UK, France and Belgium - press ahead with 12 months retention of telecommunications data - ditching citizens' rights on data protection and privacy under EU law

As the Council of the European Union (representing all 15 governments) is discussing the draft "Conclusions" (see:
S.O.S.Europe) on giving law enforcement agencies access to communications data, the UK, France and Belgium already have plans to introduce the retention of telecommunications data for at least 12 months. These plans are revealed in official responses to a survey of national positions on computer crime carried out by the EU Police Cooperation Working Party (dated 24 April 2001).

The survey confirms the determination of EU law enforcement agencies to achieve a number of objectives:

i) to stop the deletion of telecommunications data which is required under the law as laid down in the EC Directives on data protection and privacy;

ii) to stop users having anonymity in their communications (see attack on cybercafes below);

iii) to ensure that the law enforcement and security agencies have access to the retained/archived data;

iv) to ensure that data is retained, in the first instance, for at least 12 months - once the EC Directives are breached they can argue for seven years, ten years or more later.

The report distinguishes between "computer-targeted offences" ("hacking", where the report says that EU legislation "adequately protected") and offences concerning "Information technology as a tool in committing an offence" (ie: using a computer).

Under the heading: "The rights and obligations of those involved in new technology in the European area" the report notes that all European states "have incorporated into their legislation provisions to safeguard the processing of personal data" by implementing, under national laws, the Council of Europe Recommendations and EC Directives on data protection and privacy in telecommunications, the report says the effect is that:

"Each operator is generally required to delete the traffic data or render them inaccessible at the end of each call (or at the latest when the time required for their commercial processing has elapsed)"

Data retention for 12 months - in the first instance

It goes on to says that:

"The issue of storing connection data therefore seems crucial. Two apparently contradictory interests have to be reconciled:

– the protection of personal data and, more generally, respect for privacy;
– the need for investigators to have access to the data stored by the service providers for the purposes of the investigation.

At present the issue of the storage of connection data and the length of that storage is clearly the weak link in the fight against cyber-crime. As witness, few countries have a legal requirement concerning the length of time connection data must be kept.

The Netherlands requires Internet service providers to store connection data for three months following the initial processing. Belgian legislation also requires Internet service operators to store call data for a certain period, which may not be less than 12 months. Failure to comply is an offence punishable with a prison sentence... France is currently preparing a draft law requiring telecommunications and network operators to store connection data for twelve months.

While no legislative provisions exist, some States, such as the United Kingdom, have concluded informal arrangements with national service providers whereby the UK investigative departments hope that connection data will be stored for 12 months.

Faced with the legislative vacuum, Italian service providers have adopted a self-regulation code involving active collaboration with the police."

The report then goes on to state: "Member States' wishes" which are:

"The Member States are seeking standardisation or at least harmonisation of legislation, at any rate as regards its basic legal principles, given that the 1989 Recommendation of the Council of Europe, on which the national legislation of many Member States is based, is not binding. On the other hand, ratification and implementation of the draft Convention (PC-CY) of the Council of Europe would represent considerable progress in the fight against computer crime, particularly since the European Community could accede ex officio to this criminal law Convention aimed at combating network crime.

All the representatives considered that access and on-line service providers should be obliged to store connection data for a minimum period. As regards the length of storage, the Belgian example, providing for a minimum period of 12 months, appears to be the most balanced solution both from the point of view of the principle of the protection of privacy and in terms of the need for judicial investigation in order to respect the right of victims to obtain compensation for damage suffered." (emphasis added)

There could not be a clearer statement on the intent of  EU states, the "principle" of "privacy" would be fatally breached.

It also notes that France and the UK - two governments intending to introduce 12 month data retention provisions - could provide no statistics on the extent of computer-related crime (ie: where a computer is used as a "tool in committing the offence").

The EU member states also want to remove anonymity from those who use cybercafés:

"It is also imperative that a solution be found to the problems raised by the various forms of anonymity on the World Wide Web, the most significant example being cybercafés, which have been the source of a number of cases of fraud."

Criminal sanctions against victims?

The report says that having examined national laws: "there is no obligation on the victims of computer-related crime to report the offence". This leads, it says, to "actual, visible and convicted" offences. "Visible" being the crimes brought to the attention of the authorities. It notes the great reluctance of:

"companies to report to judicial or police authorities that fact that they have been the victim of computer crime, for fear of having weaknesses in their computer systems revealed, with resultant damage to their company image."

UK government misleading the public?

In the UK the law enforcement and security agencies have called for:

1) an end to the restrictions imposed by the EU's data protection and privacy Directives
2) communications data to be preserved
3) data to be kept for seven years or more
4) an "informal" agreement with the telecommunications industry (which would not require legislation)

See the report from the UK National Criminal Intelligence Service (NCIS) on behalf of the police, customs, MI5, MI6(SIS) and GCHQ:
NCIS report

The UK government said it would not act on these demands, when it was planning just the opposite. All of these demands are to be met with the single exception that the period of data retention will be one year not seven years - which will not be seen as important because once the principle of privacy in the EU Directives is breached the period can be extended later.

As recently as 28 January 2001 two government Ministers - Patricia Hewitt (Department of Trade and Industry) and Charles Clarke (Home Office) - denied that the government was planning any measure on data retention (letter to the Sunday Independent). Or rather they said: "We have no plans to introduce legislation mandating the retention of such data", which is true - the government is not planning legislation but a "voluntary code" with UK network and service providers.

Tony Bunyan, Statewatch editor, commented:

"While the Council is discussing an EU-wide policy on the retention of all communications data a number of governments are steaming ahead at national level so that they can then argue for "harmonisation" across the EU. Moreover, we now know that UK government Ministers have made quite misleading statements.

The issue of how long the data is kept is secondary at this stage. First the governments want to establish the principle that communications data is retained and not destroyed and that the anonymity of users is banned - which requires totally undermining the current data protection and privacy laws in the EU. Second, they want law enforcement and security agencies to have access to the archived data. Third, they want the data to be retained for 12 months initially. Once these three objectives are in place they can easily argue later for the retention period to be extended."

Full-text of: ENFOPOL 38 (pdf file)
Full-text of questionnaire: ENFOPOL 62 (pdf) + ENFOPOL 62 + COR

back to: S.O.S.Europe: Updates

S.O.S.Europe   Statewatch News online

© Statewatch ISSN 1756-851X.Material may be used providing the source is acknowledged. Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement.