EU: Surveillance of telecommunications
European Commission sells-out, European Parliament vote due in May


The Council of the European Union (the 15 EU governments) and the European Parliament are on a potential collision course over data retention. The division of opinion between the Council and the European Parliament (and the European Commission until December 2001) concern: i) the current requirement for service providers to delete traffic data when no longer needed for billing purposes; ii) replacing a current provision under the 1997 Directive allowing for the retention of data in specific cases (ie: when authorised to do so by a warrant or judicial order) by a power authorising the retention of all data - which can be accessed by the law enforcement agencies (LEAs, police, customs, immigration, security and intelligence agencies).

Background

The revision of the 1997 EU Directive on privacy in the telecommunications sector was proposed by the European Commission in 2001. This was intended to be simply an update with no major changes. But the new proposal ran into a long-standing demand by the EU's LEAs for the retention of communications data and their right to have access to it - a position which the majority of EU governments supported. However, the European Commission, the EU Data Protection Commissioners and the Article 29 Data protection working party were against any major changes - so too was the European Parliament. This was the position in the summer of 2001.

Post 11 September

After 11 September a specially called meeting of the EU's Justice and Home Affairs Council on 20 September adopted a series of "Conclusions" which included requiring service providers to retain traffic data (instead of destroying it) and for LEAs to have access to it "for the purposes of criminal investigations" - not it should be noted to counter terrorism.

Added weight to the demand came in the form of 40 demands on the EU in a letter from President Bush (16.10.01) which included: "draft privacy directives that call for mandatory destruction" should be revised "to permit the retention of critical data for a reasonable period" - even though there is no similar obligation for the general retention of data in the USA even after the PATRIOT Act.

The fact that the Council of the European Union was using 11 September to try and introduce the general retention of data for criminal investigations in general and not to counter terrorism was highlighted by a report from the Council's own Legal Service (12.10.01). This said that EU governments already had powers under the existing 1997 Directive for exceptional circumstances.

On 13 November the European Parliament adopted its 1st reading report which rejected the changes being proposed by the Council. On 28 January the Council formally adopted its "Common Position" - the measure comes under "co-decision" which means the Council, the Commission and the parliament have to agree on the final text.

Just two days later the Commission produced its assessment of the Council's view. The parliament now has to adopt its 2nd reading position after which (unless it accepts the Council's position), the Council will in turn reject, then the issue will go to a Conciliation Committee.

The European Commission caves in

The pressure for the Commission to cave in built up after 11 September with the 20 September "Conclusions" followed by the US/Bush.

The Council's proposed changes to the critical Article 15.1 reads:

"Member States may inter alia provide for the retention of data for a limited period justified on the grounds laid down in this paragraph, in accordance with the general principles of Community law"

When combined with the deletion of the obligation to erase data from Article 6 this proposal renders privacy in communications worthless.

The European Parliament's 1st reading position says:

"These measures [to retain data] shall be entirely exceptional, based on a specific law which is comprehensible to the general public and be authorised by the judicial or other competent authority on a case-by-case basis. Under the European Convention on Human Rights and pursuant to ruling issued by the European Court of Justice, any form of wide-scale general or exploratory electronic surveillance is prohibited"

At the meeting of the Telecommunications Council on 6-7 December the Commission signalled that it intended to drop its opposition to changes leading to the retention of data (Article 6) and to the Council's formulation for Article 15.1. In response the EU's Article 29 Data Protection Working Party issued a strongly worded report on 14 December. This said that:

"Measures against terrorism should not and need not reduce standards of fundamental rights which characterise democratic societies.. [and rejected the] increasing tendency to represent the protection of personal privacy as a barrier to the efficient fight against terrorism"

This was to no avail. On 29 January the Council issued its "Statement" of reasons for rejecting the parliament's position which was based on:

"a wording better reflecting the balance between protection of privacy requirements and the needs of Member States authorities responsible for ensuring security in a democratic society"

A euphemism for saying that the latter has priority over the former with the Council explicitly saying that certain issues had to be clarified "in the light of the threat posed by the events of 11 September 2001".

On 30 January the European Commission issued its official reaction to the positions of the Council and the parliament and said: "the Commission can accept the added sentence in Article 15.1" by the Council.

The line of the Brussels "spin machine" is that there is no problem, the power set out in the Council's draft Article 15.1 is not binding on member states and therefore cannot be portrayed as introducing the general retention of data. What this view ignores is the fact that all EU governments are committed to introducing the general retention of data because surveillance only works if all countries have the same powers. Even before 11 September the Netherlands, Belgium and France had, or were planning, to introduce such powers and the UK had a voluntary agreement in the pipeline (now superseded by the Anti-terrorism, Crime and Security Act 2001, ATCS) - now across the EU these powers are being introduced. The "Regulatory Assessment" on the UK ATCS Act says:

"Data relating to specific individuals under investigation will only be available if data relating to the communications of the entire population is retained"

The EU's Police Chiefs Operational Task Force wants to get access to communications data for "research purposes", that is, not for specific investigations but for "fishing expeditions".

Whether the European Parliament will maintain its opposition to the proposals remains to be seen. What is certain is that once the fundamental principles in the existing 1997 Directive on privacy and telecommunications are cast aside they will never be reinstated - and that the EU will continue down an increasingly authoritarian road where the entire population can be placed under surveillance.

This article was written for CILIP, Berlin (April 2002)



Statewatch News online | Join Statewatch news e-mail list | If you use this site regularly, you are encouraged to make a donation to Statewatch to support future research | Subscribe to Statewatch online just £10 a year

© Statewatch ISSN 1756-851X.Material may be used providing the source is acknowledged. Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement.