Majority of governments introducing data retention of communications
- nine states adopting data retention laws so far
- ten out of 15 governments favour a "harmonsing" EU measure on data retention
- Ireland heads the table with data retention for 3 years
On 12 July 2002 the EU agreed fundamental changes of the 1997 EC Directive on privacy and telecommunications preventing the erasure of data and allowing member states to introduce new laws requiring communications providers to keep traffic data and make it accessible to the law enforcement agencies).
A draft, binding, EU Framework Decision prepared by the Belgian government (and backed by the UK) has temporarily been put on the shelf due to widespread criticism. But a secret document shows that at the national level nine out of 15 member states have, or are planning to, introduce mandatory data retention (only two member states appear to be resisting this move). In due course it can be expected that a "harmonising" EU measure will follow.
Terrorism pretext for mandatory data retention
Mandatory data retention had been demanded by EU law enforcement agencies and discussed in the EU working parties and international fora for several years prior to 11 September 2000. On 20 September 2001 the EU Justice and Home Affairs Council put it to the top of the agenda as one of the measures to combat terrorism. But now, over 16 months later, it is nowhere near being in operation in most EU states.
So the question has to be asked: does this mean that all telecommunications have not been under surveillance since 11 September? Of course they have, not by the law enforcement agencies but by the security and intelligence agencies. The National Security Agency (USA) and the Government Communications Headquarters (GCHQ, UK) have been surveilling global communications since 1947 (UKUSA agreement). During the Cold War this was for military and political purposes, later through the new Echelon system political and economic intelligence was targeted. Echelon, NSA and GCHQ were already moving to cover terrorism (and associated serious crime) before 11 September - after it became a new priority. But even then, for example, with the new, huge, NSA online storage system (Petraplex) designed to hold all the world's communications for 90 days, this is almost useless unless the agencies know (through gathering human intelligence on the ground, HUMINT) what to look for.
The EU's law enforcement agencies demand for data retention, now backed by their governments, has little or nothing to do with terrorism but rather is primarily to deal with crime and internal threats posed by public order, refugees and asylum-seekers, and migrant communities.
Following the fundamental changes to the 1997 EC Directive on privacy in the telecommunications sector formally adopted on 12 July 2002 the door was open for new measures to require data to be retained at national and EU levels (see Statewatch, vol 12 no 3/4).
Two key privacy protections were removed. The first of which said that data could only be held for the purposes of billing (ie: for the customer to check the details), usually only for a few weeks. The second allows member states to adopt national laws to require communications providers to retain data for a specified period so that law enforcement agencies can get access to it.
"Under the table", out of public view, was a binding Framework Decision drafted by the Belgian government which would have made data retention mandatory in all EU states (and all applicant states) and rules for the exchanges of data between states/agencies (see Statewatch, vol 12 no 3/4 for details). Statewatch was leaked a copy of the draft Framework Decision and when it was published, with much critical commentary, the Danish Presidency of the Council of the European Union claimed to know nothing about it.
However, a set of non-binding draft Conclusions, prepared by the Danish EU Presidency, said:
"within the very near future, binding rules should be established on the approximation of Member States' rules on the approximation of Member States' rules on the obligation of telecommunications service providers to keep information concerning telecommunications in order to ensure that such information is available when it is of significance for criminal investigations" (Conclusion 9, doc no 10358/02, 24.6.02, emphasis added).
Five further drafts were produced prior to the adoption of the Conclusions at the Justice and Home Affairs Council on 19 December 2002. The first, on 3 October, said that two delegations were not in favour of the draft document and five had scrutiny reservations - this was to rise to nine by the time of the next draft on 23 October. The disagreement centred on the issue of data retention in Conclusion 7 (the renumbered no 9 in the adopted text).
The 3 October version said "binding rules should be established on.. retain[ing] traffic data". By 23 October the word "binding" had disappeared, and now a "dialogue" leading to "rules.. should be established and implemented". The draft of 22 November 2002 was firmer, saying that there should be: "as a matter of priority, the necessity of establishing and implementing binding rules.. to retain specific traffic data". But the version of 28 November (which became the final version) said that:
"before adopting rules.. to retain specific traffic data.. a dialogue between interested parties should take place.. [and that] If it is found necessary to establish such rules, they should at any rate ensure that such traffic data is available"
So, on the face of it mandatory data retention across the EU would appear to be on hold for the moment. Indeed, no other EU government wants to pick up and formally put forward the Belgian government's draft binding Framework Decision - it thus remains "under the table".
This lack of decisive action is all the more surprising as Conclusion 4 of the specially-called meeting of the Justice and Home Affairs Council on 20 September 2001 (and the Bush letter of 16 October 2001) called for measures to be brought forward urgently.
The true picture is more complex. First, the law enforcement agencies already have the power in every EU state to place under surveillance named, specific individuals or organisations (the procedure varies from state to state but has been in place for years). Investigations into suspected terrorists are thus ongoing and unhindered. Second, a majority of EU member states have, or are in the process of, adopting national laws on mandatory data retention (see below). Third, the costs imposed on communications providers is unresolved. Fourth, in some countries there is, in addition to privacy considerations, a perceived conflict between new surveillance powers to combat terrorism being extended to crime in general. Fifth, the widely reported adverse critiques on sweeping changes, by civil liberties groups and civil society, has embarrassed some governments - can democracy be defended by undermining it? Finally, the agencies mainly involved in tackling terrorism (as distinct from crime) - the security and intelligence agencies - have virtually unfettered powers of surveillance in many EU states.
EU survey on current laws and on the introduction of mandatory data retention at national level
Mandatory data retention has primarily demanded by the law enforcement community (police, criminal investigation, immigration, customs etc) from well prior to 11 September 2001.
On 14 August 2002 the Danish Presidency sent out a questionnaire on data retention to member states. The initial results of the survey were presented to the EU's Multidisciplinary Group on Organised Crime in a Room document (no 7) at its meeting on 16 September 2002 and the final document covering all member states (14107/02) was circulated to the same working group on 20 November 2002.
Statewatch applied to the Council of the European Union for a copy of Room document no 7 discussed on 16 September, But on 3 December 2002 the Council wrote to Statewatch refusing access. The reasons given were as follow:
"Room document 7 relates to the state of play on retention of traffic data. It refers to problems law enforcement authorities have encountered in this field and highlights the weaknesses and vulnerabilities of the Member States' law enforcement systems on this topic.
This information would be useful for criminals who want to exploit those weak spots in order to pursue their activities in these Member States and other countries of the European Union. This would undermine the protection of the public interest as regards public security. Furthermore, parts of this information were provided on a confidential basis by the law enforcement authorities themselves on the condition that the results would be used only for communication between Member States. Disclosure of this information would be a breach to their trust and could make them reluctant to provide more of such information in future. Access to these documents is therefore denied pursuant to article 4(1)(a) of the Regulation (public security)."
Statewatch has appealed against the refusal of access.
However, both documents (16 September and 20 November 2002) are now in the public domain. What they show is that the information provided is a description of the present state of the law on telecommunications surveillance in each EU state and the plans, if any, to amend the legal framework.
An analysis of the answers to the questionnaire give the following picture:
The existing law is under Section 93 of the Law on Telecommunications (TKG) plus the Surveillance Regulation (UVO) which establishes and obligation to cooperate on service providers. A new Law on Communications is being drafted and: "Consideration is being given to the inclusion in the draft of a rule obliging providers to retain exchange data for a given period for prosecution purposes".
On the proposal that there should be an EU instrument on data retention: "The Austrian Ministry of Justice and the Austrian Ministry of the Interior would welcome a binding rule (possibly in the form of a framework decision)." (The Federal Chancellory, responsible for data protection, is "sceptical").
Belgium has adopted a new law, the Computer Crime Act (28.11.00) [Loi sur la criminalite informatique] which "has settled the principle of compulsory data retention" for a minimum of 12 months.
On the proposal that there should be an EU instrument on data retention: "it is essential to have common policies.. the EU instrument could be a framework decision". It is important to show that "the orientation of EU criminal law is not only repressive [by introducing safeguards] which is unfortunately more and more argued among the civil society".
The Danish Administration of Justice Act was amended by Act No 378 of 6 June 2002 (the Anti-Terrorism Act of the Ministry of Justice). Section 786 has been amended so that communications providers have to retain data for 12 months.
On the proposal that there should be an EU instrument on data retention: The Ministry of Justice "supports" the "solution of creating an instrument on traffic data retention for law enforcement purposes.. at a European level".
The main legislation is the Finnish Data Protection Law. Under the Decree on the Protection of Privacy and Data Security in Telecommunications operators are obliged to keep traffic data for at least three months for billing purposes.
The police and Ministry of the Interior considers that the appropriate and effectice time for operators to keep traffic data (including connection information, "logs") should be 2 years. This should be taken into account when updating the Privacy Protection Act.
On the proposal that there should be an EU instrument on data retention: "it is hard to judge how it should be handled at the European level".
Article 29 of the Law on Everyday Security of 15 November 2001 makes mandatory the retention of data "for the purpose of investigating, establishing and prosecuting offences" for up to one year.
On the proposal that there should be an EU instrument on data retention: "Data retention for the purposes of public security is explicitly authorised by Article 15 of Directive 58/2002/EC, dergoating from the general principle of erasure.. This new Directive.. marks a further step in dealing with this matter".
Two laws cover this issue, the law on teleservices (TDG) and the law on telecommunications (TKG). Under section 89, para 2., of the TKG and section 7 of the Regulation (TDSV) and section 6 of the teleservices data
protection law data may only be retained (for up to six months) for billing purposes.
The Federal Constitutional Court has laid down "restrictive conditions for the retention of personal data for purposes other than for the original purpose of processing for official requirements or for the purpose of concluding a contract". Moreover, on economic grounds and for reasons of data protection, the associations and service providers tend to be critical of any obigation to retain traffic data. Exceptionally, there is an obligation in Germany for those who are the subject of the [surveillance] order to be notified that data is being disclosed.
On the proposal that there should be an EU instrument on data retention: The need has to be shown for this. The government thus first has to consider whether it is "actually necessary" and second whether it is "permissible pursuant to the German constitutional law".
The current law on the protection of personal data in the telecommunications sector is covered by Law No 2774/1999 compliant with the 1997 EC Directive. That is, data may be kept for billing purposes and access to data by law enforcement agencies can only be made for "specific cases and not on an absract, general or preventive basis".
However, for the present, the tendency in Greece is to retain data for one year.
On the proposal that there should be an EU instrument on data retention: "Greece considers the creation of such a legal tool to be important, useful and essential".
Directions were issued by the Minister for Public Eneterprise in April 2002, under the Postal and
Telecommunications Services Act 1983, to require operators "to retain existing traffic data and future traffic data for not less than 3 years". Primary legislation is being prepared to require operators to retain data.
On the proposal that there should be an EU instrument on data retention: an amendment should be made at EU level "to ensure that law enforcement agencies access to call related data is in accordance with national legislation".
Under law no 171 of 13/5/1998 the retention of data is not allowed except for billing purposes. However, the law is being reviewed as "this lack of precious information in support of criminal investigations could pose serious obstacles".
The Italian submission notes that: as a general principle, the longer that traffic data is retained the better it is.
On the proposal that there should be an EU instrument on data retention: "international cooperation in this matter is always welcome", an instrument should also cover the exchange of data between countries.
A new law is being drafted to incorporate the changes made to the EC Directive on privacy in telecommuncations as regards data retention.
On the proposal that there should be an EU instrument on data retention: "Harmonisation of procedures at European level is always appropriate".
Article 13.4 (2) of the Telecommunications Law requires the retention of "certain sets of data" (traffic data) for three months.
On the proposal that there should be an EU instrument on data retention: the Netherlands is conducting a review and says there should be a legal instrument under Title VI of the TEU (ie: a Framework Decision).
The current Law 69/98 of 28 October 1998 says data must be erased when it was served the purposes for billing. However, there is an intention to "transpose" the new, amended EC Directive (12 July 2002) into national legislation.
On the proposal that there should be an EU instrument on data retention: "We feel that such a measure would be of great importance".
Article 12.1 of the Information Society and Electronic Services Law (Law 34/2002 of 11 July) is an amendment in line with the major changes to the 1997 EC Directive on 12 July 2002 which says "connection and traffic data" must be retained for 12 months.
On the proposal that there should be an EU instrument on data retention: Spain "very highly" backs such a proposal.
A government committee has considered the implications of the amended 1997 EC Directive and has made no suggestion that data retention should be mandatory. The issue is however "the subject of discussions".
On the proposal that there should be an EU instrument on data retention: "it is difficult to see how cooperation could be successful if the rules on traffic data retention seriously diverge among its signatories" - in other words they would support such a proposal.
The position in the UK (as outlined above) is that data retention is included in the Anti-Terrorism, Crime and Security Act 2001 but only in relation to purposes directly or indirectly connected with national security.
On the proposal that there should be an EU instrument on data retention: not surprsingly the UK says, "To resolve these issues on a European basis would be very useful".
On the basis of this survey it can be broadly concluded that at this stage:
1. Nine of the 15 EU states have or intend to introduce an obligation for the retention of data, two member states have no plans and four are unclear.
2. The norm for the period of data retention would appear to be 12 months, although Ireland is way out ahead with 3 years.
3. Ten of the 15 EU states would support a EU measure, only two are against this and three are unclear.
1. Source: Answer to questionnaire on data retention, General Secretariat to Multidisciplinary Group on Organised Crime (MDG), doc on 14107/02, 20.11.02.
2. see: SOS Europe: Statewatch Observatory on Surveillance in Europe
3. see: EU-FBI surveillance plan - origins of the current developments
Statewatch News online | Join Statewatch news e-mail list | Statewatch websites