Analysis of proposed Framework Decision on data retention

1. The scope is very broad as it would apply to all data in relation to land and mobile telephones and Internet connections.

2. The key provisions are Article 3(1), the obligation of service providers, and Article 3(4), governing access by law enforcement authorities to that data for at least the usual list of "Euro-crimes".

3. Articles 3(1) and 3(2) vague as to what exactly will be collected on top of the mandatory list in 3(1) but falling short of content, which is prohibited under this Framework Decision by Article 3(2). Perhaps this is to cover data on where the mobile phone is located, or collection of data from a computer or phone other than the content of the conversation? The data collection obligation in Article 3(1) is not limited to traffic data and that 3(1) uses the non-exhaustive wording, "in particular".

4. In Article 3(4) there is a reference to data which is retained during the application of the article then a reference to "traffic data". Are these two different and if so, what the first category consists of?

5. There are grave gaps in civil liberties protection even compared to Schengen, the Cyber-crime convention or other recent EU measures like the arrest warrant, despite the references to harmonising procedural guarantees in the preamble. The gaps are:

a. there is no ground for possible refusal to execute a request from another Member State on human rights grounds (ie the arrest warrant, proposals on confiscation and freezing, Article 15 of the Cyber-crime convention)

b. there are no grounds to refuse as regards differences in the scope and timing of data retained under different Member States (although this is vaguely hinted at by Article 7(4) - logically why should the executing authority be allowed to request such data unless it would be able to refuse the request on those grounds). Put another way, if Member State A only gives law enforcement authorities access for the usual list of 'Euro-crimes' and Member State B gives them access for investigating any alleged crime at all (eg: under the UK's Anti-Terrorism, Crime and Security Act 2001 which cover all crimes), can the authorities of MS B contact the authorities of MS A and insist that the latter obtain the traffic data which the service providers have held? Is MS A required or permitted to refuse access? This data could then end up with Europol or various national agencies if it is released; it could even end up back with the law enforcement authorities of MS A - indeed they would gain access to it simply through the process of transmitting it to MS B (this is more likely since there are no controls on copying the information - see below). If the authorities in MS A are unethical they could even ask MS B's authorities to send such a request just so they could escape the constraints in their national law.

c. the term "at least" concerning the 32 offences listed plus the Cybercrime convention suggests that if a member state allows for access to data covering all crimes then this is allowed.

d. there is no reference to the involvement of supervisory authorities on data protection (cf SIS rules)

e. in fact there are no grounds to refuse execution of requests on any grounds, even if it might jeopardise an ongoing investigation;

f. there is no reference to individual rights to access, correction, deletion, blocking of data or compensation for misuse, or for related judicial review to this end (cf the SIS rules), either against the authorities or the service providers/TTPs (also Article 15 of the Cyber-crime convention requires judicial or other review of decisions and sets out a principle of proportionality)

g. there is no reference to controls on the collection or the copying of the data (see SIS rules)

h. there are no rules on a date to review the keeping of data or the destruction of data by the law enforcement authorities (as distinct from the service providers or TTPs, who are subject to limits in 3(1))

i. there are no rules re checking on the admissibility of searches (cf SIS rules)

j. Article 4(1) does not limit access to those authorities who need the data for a specific investigation (3.4 does not expressly do this either)

6. There is one difference in the list of 'Euro-offences' in that there is a reference to the Cyber-crime convention rather than just 'cybercrime'. But this just makes more explicit the underlying problem with the use of such a list on the grounds that the substantive criminal law has been sufficiently harmonised. For the cybercrime convention gives Member States a number of options to refuse fully or partly to criminalise a number of the acts listed within it, even on matters of such great public concern as child pornography.

7. The 'Eurolist' of offences arguably performs a different function here than in other measures. In all other measures the list abolishes double criminality requirements, whereas here it is not at all clear whether a double crminality requirement could still apply in the absence of the Eurolist.

Analysis: Article by Article

The Recitals

The Draft Framework Decision starts with 16 Recitals followed by 10 Articles. In the Recitals it is argued, as is now common, that there is a need for:

"maintaining a balance between the protection of personal data and the need of the law and order authorities to have access to data for criminal purposes" (Recital 3)

This is a balance which is struck in favour of the "law n' order agencies".

Again in Recital 4 is another familiar argument used to legitimise new measures in the EU. The argument involves, including buzz words like "paedophile" and "racism" to justify intrusive new powers (in the 1990s the words were "organised crime" and "illegal immigrants"). Thus the Recital reads:

"Access to traffic data is particularly relevant in the case of criminal investigations into cybercrime, including the production of paedophile and racist material"

The EU's concept of "cybercrime" is itself high problematic and is by no means limited to "paedophile and racist material".

The argument in the next four Recitals (5-8) is that laws in EU member states generally allow access to communications traffic data where authorised by a court or Minister for a specific investigation. "Many Member States" have also, it says, passed legislation requiring compulsory "a priori retention" but "the content of the legislation varies considerably" - the direction of the argument is obvious, there is a need for harmonisation (which would also have the effect of bringing up to speed member states who were not intending to do this). Thus:

"These differences present problems... and are prejudicial to cooperation in criminal matters. A harmonisation is therefore desired both by the authorities responsible for criminal investigations and by the providers of telecommunications services"

In sum:

"The purpose of this present framework decision is to make compulsory and to harmonise the a priori retention of traffic data in order to enable subsequent access to it, if required, by the competent authorities in the context of criminal investigation."

The overall rationale finishes with the bland statement that although the retention of data "constitutes an interference in the private life of the individual" it "does not violate" international laws on privacy "where it is provided for by law and where it is necessary in a democratic society, for the prosecution of criminal offences" (Recital 9). This argument has many potential dangers not the least of which is, what if a law is adopted which undermines a democratic society?

The Recitals then move on to deal with the details. Apparently:

"a minimum period of 12 months and a maximum of 24 months for the a priori retention of traffic data is not dispropionate" (Recital 12)

Recital 14 says that it "would be disproportionate" if the minimum list of "types of data to be retained" was extended "to the content of messages exchanged or of the information sources consulted under whatever form" (eg: pages visited on internet sites). It remains to be seen whether this version will end up in the adopted text - there will be those in the "law enforcement community" who will argue that there is only limited value in keeping only the traffic data but not the content.

It appears there are likely to be at least four further Framework Decisions. One will cover a "minimum list of data to be retained" by telecommunications service providers. Second, although the draft Framework Decision says that it will not apply "to data at the time of transmission, that is by monitoring, interception or recording of communications" this is coded language for saying than another Framework Decision is in the pipeline (the "real-time" interception of communications was included in the "Requirements" adopted in January 1995). Third, a certificate for the exchange of data between EU Member States. Fourth, we can expect another to cover access to the content of communications.

The Articles

Article 1 covers "Definitions" the most important of which is on "traffic data", defined here as "all data processed which relate to the routing of a communication by an electronic communications network" which is not very illuminating. But there is a footnote referring to the Council of Europe Cybercrime Convention (Article 1 point d) which says:

"Traffic data" means any computer data relating to a communication by means of a computer system, generated by a computer system that formed part of the chain of communication, indicating the communication's origin, destination, route, time, date, size, duration or type of underlying service

Article 2 would allow access to "the authorities responsible for criminal investigations and prosecutions" - which is interesting in the light of the UK government's attempt to give access to traffic data to some 1,039 public authorities (see Statewatch News online, June 2002).

Article 3.1 says that there will be an "obligation" on a telecommunications service provider or a "trusted third party" (not defined) to retain "for a period of 12 months minimum and 24 months maximum" the following categories of traffic data:

"a) Data necessary to follow and identify the source of a communication;
b) Data necessary to identify the destination of a communication;
c) Data necessary to identify the time of a communication;
d) Data necessary to identify the subscriber;
e) Data necessary to identify the communication device"

Article 3.2 says that the "types of data" must be:

"limited to what is necessary in a democratic society for criminal investigation and prosecution"

This begs a major question: what is necessary in a "democratic society" is not static. The boundaries for "what is necessary" have expanded leaps and bounds over the past few years and in particular since 11 September. Indeed it has to be asked are there any boundaries?

Article 3.4 sets out a minimum list of 33 "serious" offences to be included, which is the same as set out in the European arrest warrant. They include: trafficking in human beings, computer-related crime, facilitation of unauthorised entry and residence and motor vehicle crime. This same list of offences appears in a number of recent measures (including the Framework Decisions on the European arrest warrant and the Freezing of assets) and looks like becoming a list of "quasi-federal" offences - many have not been harmonised or even defined.
Article 4 sets out "Procedural rules and data protection", which contains no provision on data protection.

The Article again says that access to traffic data retained will on be allowed for:

"judicial authorities or, to the extent that they have autonomous power in criminal investigation prosecution, to police authorities" (Article 4.1)

It says further that: "Data to which access has not been asked at the end of the mandatory retention are destroyed" (ie: after 12 or 24 months).

Article 4.2 says nothing in this Article limits national laws which cover: "access to data during their transmission, including tracking, interception and recording of telecommunications".

Articles 5-8 deal with requests and the exchange of traffic data between the "competent authorities" of EU Member States.

Thus Article 6 defines "competent authorities" as follows:

"The issuing authority shall be the authority of the issuing State which is competent to issue a decision of access to retained traffic data by virtue of the law of the issuing State" (Art 6.1)

Under the proposal of the UK government, that was withdrawn for re-consideration after a public outcry, a "competent authority" could be any one of the 1,039 "public authorities" authorised under the Regulation of Investigatory Powers Act 2000 - for which there is no comprehensive oversight in place.

The "executing authority" (ie: the authority agreeing to the request) shall be a "judicial authority of the executing State" (Art 6.2).

Article 7 sets out the procedure for the exchange of data. The "issuing authority" will send a request to the "executing authority" in the form of a "certificate" which will simply cover:

"a) the issuing authority;
b) information allowing to identify the provider of telecommunication services which must have retained the traffic data;
c) the criminal conduct under investigation;
d) indications allowing to select the searched data among all retained data"

The "executing authority" is allowed (Article 7.4) to ask for "further information to enable it to decide whether access to retained data would be authorised in a similar national case". However, if the "issuing state" simply states that the "criminal conduct under investigation" is one of the 33 listed crimes there is no apparent reason why further information would be required.

Article 7.5 deals with the special situation of the UK and Ireland who are not yet full members of the Schengen Convention on policing matters. The UK and Ireland may state in a declaration the "central authorities" to be notified "when the provisions on mutual assistance of the Schengen Implementing Convention are put into effect for them". Article 8 "Conditions of execution" appears to allow Member States, like the UK, who want to authorise hundreds of "authorities" to request access, to apply the same rules when answering a request. Implementation of the Framework Decision is set for 31.12.03 (Article 9.1)

© Statewatch ISSN 1756-851X.Material may be used providing the source is acknowledged. Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement.