EU/Surveillance of telecommunications:
Data retention comes to roost - telephone and internet privacy to be abolished


- proposal broader in scope than 2002 version; grave gaps in civil liberties protection remain;
- data to be held for between 12 and 36 months, though member states can opt for longer if they choose;
- data to be retained extended from "traffic data" to traffic and "location data";
- scope extended from 32 specific offences to any crime;
- scope extended from specific investigations and prosecutions to "prevention and detection" of crime;
- "This is a proposal so intrusive that Ashcroft, Ridge and company can only dream about it, exceeding even the US Patriot Act"

The governments of the UK, France, Ireland and Sweden have proposed a draft EU Framework Decision that, if adopted, will see all communications location and traffic data retained for between 1 and 3 years, or longer, should the member states choose. The proposal was endorsed by the EU summit on 25 March 2004 as part of a raft of proposals to combat terrorism in the wake of the Madrid bombings. This proposal (like many others) is in no way limited to terrorism, and will apply to the:

"prevention, investigation, detection and prosecution of crime or criminal offences including terrorism"

The proposal brings home to roost long standing demands by the law enforcement community for the compulsory retention, and thus surveillance, of all telecommunications. It is notable that these demands are coming not from the security and intelligence services but from national criminal intelligence services. In August 2002, Statewatch leaked a confidential draft of this Framework Decision drawn-up by the Belgian government (see background section, below).

New proposal worse than before; grave gaps in civil liberties protection remain

The new version of the proposed Framework Decision is, in privacy and civil liberties terms, worse than before. The original Belgian proposal contained:

- no grounds for refusing to execute a request on human rights grounds;
- no limits as to what data can be exchanged where member states allow for the retention of data on all crimes;
- no reference to supervisory authorities on data protection;
- no reference to the individual's right to correct, delete, block data nor compensation for misuse or for related judicial review;
- no reference to controls on the copying of data;
- no rules for checking on the admissibility of data searches.

With the exception of the inclusion of a reference to "rules on correction and judicial review" (which may prove meaningless in practice - see analysis below), these shortfalls remain in the UK/Ireland/France/Sweden proposal. Moreover, two important safeguards, restricting access to data and limiting the use of the provisions, have been dropped. The new proposal is also considerably broader:

- the time period for the storage of data is extended from 12-24 months to 12-36 months (though member states can opt for longer if they choose);
- the data to be collected is extended from "traffic data" to traffic and "location" data;
- scope extended from 32 specific offences to "any crime";
- scope extended from specific investigations and prosecutions to "prevention and detection" of crime.

The new proposal does introduce two derogations for member states, though these are quite limited. Detailed analysis of the proposal follows below.

An unjustified, unlawful and expensive proposal

The original Belgian proposal in 2002 provoked a furious reaction. EU Data Protection Commissioners issued a statement describing the plans as:

an improper invasion of the fundamental rights guaranteed to individuals by Article 8 of the European Convention on Human Rights, as further elaborated by the European Court of Human Rights.

A legal opinion obtained by Privacy International agreed that:

The data retention regime envisaged by the (EU) Framework Decision, and now appearing in various forms at the Member State level, is unlawful.

And a coalition of civil society groups called on the European Parliament to oppose data retention and:

promote and preserve the most fundamental values democratic societies must defend: the right to privacy, freedom of expression, and presumption of innocence.

It should also be pointed out that the proposals will lead to enormous costs for the telecoms and internet industry. Major commercial associations have already expressed strong concerns about plans for data retention. A coalition comprising the International Chamber of Commerce (ICC), the Union of Industrial and Employers' Confederation of Europe (UNICE), the European Information, Communications and Consumer Electronics Technology Industry Association (EICTA) and the International Telecommunications Users Group (INTUG), said in a statement last year:

data retention is an intrusive measure that should not be taken until less intrusive alternatives, such as a European data preservation regime, have been tested and proven insufficient.

The proposed measures would affect not only consumer confidence but also business competitiveness, the coalition said, and the costs of storage should not be borne by the industry, nor the customer.

Background

The proposal brings home to roost long standing demands by the law enforcement community for the compulsory retention of all communications data. Their demands have already resulted in an amendment of the 1997 EC Directive on privacy in telecommunications which said that the only purpose for which traffic data could be retained was for billing (ie: for the benefit of customers) and then it had to be erased (law enforcement agencies could, however, get access to the traffic data with a judicial order for a specific person/group). Despite significant opposition to the proposed amendments, the obligation to erase data was finally deleted after an "unholy alliance" between the two largest parties in the European Parliament (PPE, conservative and PSE, Socialist groups) reversed the EP's pre 'September 11' belief that the measure was entirely disproportionate. This allowed member states to begin passing national laws on data retention; a survey by Statewatch shows that nine of the 15 EU countries have already done so (see background documentation, below).

In August 2002, Statewatch published a leaked draft Framework Decision on mandatory data retention drawn-up by the Belgian government. The then Danish presidency issued a statement saying that the proposal "was not on the table". Nor was it - it was "under the table" waiting for the right time to be produced. Behind the scenes the UK joined the Belgian government in endorsing the proposals, but because of public opposition the two were not prepared to formally present the proposal to the Council (member states).

No sooner had the dust settled from the Madrid bombings, than the UK went public with plans to resurrect the Framework Decision; it also figured in proposals from the Commission and the Council. Again: the proposal is in no way limited to terrorism and concerns "crime in general". Ireland and France joining the UK in putting their names to the proposal comes as little surprise - Ireland leads the member states in having introduced data retention for at least three years ("Directions" were issued by the Minister for Public Enterprise in April 2002 under the Postal and Telecommunications Services Act 1983), while France has mandatory data retention for up to one year (under Article 29 of the Law on Everyday Security of 15 November 2001). That Belgium is no longer sponsoring the proposal may be significant, suggesting that they could endorse such intrusive measures (although Belgium does have data retention for at least 12 months under its Computer Crime Act 28 November 2000). Sweden's support is curious, though it had previously indicated support for a binding EU measure on data retention. The UK argues that data retention is included in the Anti-Terrorism, Crime and Security Act 2001 but only in relation to purposes "directly or indirectly connected with national security". The UK would thus use EU legislation as a broader legal basis for data retention than provided by ATSA.

Ben Hayes of Statewatch comments:

"If this proposal was a genuine anti-terrorism measure it would be clearly restricted to terrorist offences. The fact that it is so broad as to potentially cover any crime shows just how cynically EU governments are exploiting the climate engendered by 'September 11' and now 'March 11'.

This is a proposal so intrusive that Ashcroft, Ridge and company can only dream about it, exceeding even the US Patriot Act.

What is needed is good intelligence on specific threats, rather than mass surveillance of everyone, generating more data than can usefully be analysed. The increase in convictions of people exchanging child pornography has come without wide-ranging data retention. This proposal is disproportionate, unnecessary and has no place in a democracy."


Documents and background material

1. Draft Framework Decision on the retention of data processed and stored in connection with the provision of publicly available electronic communications services or data on public communications networks for the purpose of prevention, investigation, detection and prosecution of crime and criminal offences including terrorism, 8958/04, 28 April 2004: full-text

2. EU "HOMELAND SECURITY" PLANS - Key documents:
a). Adopted Declaration on combating terrorism; b). Statewatch's analysis finding 27 out of 57 proposals have little or nothing to do with tackling terrorism - they deal with crime in general and surveillance, see: Statewatch Scoreboard; c). Statewatch coverage of the conclusions: Summit nods through "EU Homeland Security" package: report

3. Mandatory retention of telecommunications data "unlawful": Legal opinion (October 2003)

4. Major commercial associations express strong concerns about plans for data retention: Report (June 2003)

5. Majority of governments introducing data retention of communications: Statewatch survey (January 2003)

6. European Conference of Data Protection Commissioners opposes EU Framework Decision on data retention: statement (September 2002)

7. Draft Framework Decision on data retention leaked to Statewatch: full-text and analysis (August 2002)

8. Amendment of 1997 EC Directive on privacy and telecommunications: "European Parliament caves in": report and background (May 2002)


Analysis of proposed Framework Decision

1. The scope of the Framework Decision is very broad indeed. It will put in place the compulsory retention of all communications traffic and location data - land and mobile telephones, faxes, e-mails, internet histories and any future communications technology (see Article 2). It is highly doubtful whether a general reference requiring the Framework Decision to apply automatically to all 'future technology' is precise enough to be compatible with human rights law.

2. Communications data is to be retained for the "purpose of prevention, investigation, detection and prosecution of crime or criminal offences including terrorism" (the 2002 draft limited the scope to specific investigations and prosecutions). The idea of data retention for "crime prevention" as distinct from investigation and prosecution is particularly disturbing, at least outside the scope of very serious crimes such as terrorism. This is also clearly unacceptable to the more democratic countries in the EU and article 1(3) allows them to restrict the scope of the Framework Decision. However, this clause is badly written: it appears to allow a member state to exclude application of the Framework Decision to the "prevention" of crimes/criminal offences, while still requiring the state to apply it to the "investigation, detection and prosecution" of crimes/criminal offences. This means individual member states cannot limit the Framework Decision to terrorism only, or even to selected crimes only.

3. The key provisions are in Article 3, which places an obligation on service providers to retain and make accessible this data to law enforcement agencies, Article 4, which sets a time period of 12-36 months (though the member states may exceed this) and Article 5, under which the member states will share retained data with one another.

4. Article 2(1) defines data to include not only "traffic data" but "location data", which would certainly apply to mobile phone users. "User" and "subscriber" data is potentially unrestricted and inexplicably applies to natural persons who are not necessarily "users" or "subscribers"! It appears that this proviso means that if a "user" calls an individual, they can keep data on that individual, even if that individual is not a "user".

5. Article 2(2) sets out a mandatory list of data types to be retained but uses the non-exhaustive term "data shall… include". Falling short of "content", which is prohibited under this Framework Decision by Article 1(2), is this ambiguity to allow for the collection of data from a computer or phone other than the content of the conversation? This is clearly another unpalatable demand for some member states and another opt-out is available for member states (see Article 4(2)). However, the opt-out does not apply to "telephony" and only appears to give the power to make the retention period shorter; it is not clear whether retention could be refused altogether. This begs further questions in regard to the "dual criminality" principle, under which judicial cooperation between states can only take place where both countries criminalise the activities under investigation. Can a member state call upon another to send the retained data in relation to actions it does not regard as criminal (on protestors, for example)?

6. The ambiguous wording of article 2(2) means it is unclear exactly what the proposal covers, for instance, information on which websites people have visited? This would appear to be tantamount to the transmission of "content" in the case of web surfing.

7. Article 2(3) covers the retention of data generated by specific communications "infrastructures, architectures and protocols". Art. 2(3)(a) applies the Framework Decision to "Telephony excluding Short Message Services [SMS/"text messages" from mobile phones], Electronic Media Services and Multi Media Messaging Services". Article 2(3)(b) then goes on to include SMS/text messages and multi-media communications within the scope of the Framework Decision, while 2(3)(c) adds e-mails, voice over IP (internet telephony), broadband etc. The inherent contradiction between (a) and (b) is only explained by a further opt-out for the member states to exclude the data in (b) and (c) from the scope of the Framework Decision (see Article 4(2)). Member states who do choose to derogate from these provisions and limit retention must inform the other member states in writing.

8. Under Article 4 data "shall be retained for a period of at least 12 months and not more than 36 months following its generation". However, Member States "may have longer periods" if they believe it "constitutes a necessary, appropriate and proportionate measure within a democratic society", giving them carte blanche to go beyond 36 months. The complex procedural mechanisms for member states who wish to limit the retention period do not apply to those who wish to extend it.

9. There are grave gaps in civil liberties protection even compared to Schengen, the Cyber-crime convention or other recent EU measures like the arrest warrant. The gaps are:

a). there is no ground for possible refusal to execute a request from another Member State on human rights grounds (unlike in the arrest warrant, proposals on confiscation and freezing, Article 15 of the Cyber-crime convention etc.). The only possibility is for the requested state to impose "conditions" on access to the data that reflect national procedures (Article 3).

b). two important safeguards in the data protection provisions in the 2002 version have been dropped. Access to retained traffic data was originally to be "given only to judicial authorities or, in the extent that they have autonomous power in criminal investigation prosecution, to police authorities" and "not authorised when other measures are possible which are less intrusive in terms of privacy and leading to similar results regarding criminal investigation and prosecution". These restrictions have been replaced with more ambiguous references to "competent authorities" and "case-by-case basis" (Article 6(a)).

c). there is no reference to the involvement of supervisory authorities on data protection (as in the SIS rules).

d). Article 6 states that the member states must have rules on "judicial remedies" but makes no direct reference to an individual right to access, deletion, correction or blocking of data, or compensation where it is used unlawfully. Unless individuals have subject access or at the very least the supervisory authorities have the power to check what is going on, then how on earth can this be enforced? How will anyone be able to bring judicial review proceedings to start with?

e). the Framework Decision must be applied "in accordance with national law". However, there must surely be a risk that the whole process of providing for this massive data retention obligation will encourage member states to relax the rules which currently apply to national access to this data - the law enforcement lobby will doubtless say it is "odd" that all this information is being kept just for the benefit of other member states.

f). there are no specific rules on controls on the collection or the copying of the data (as in the SIS rules) except for a reference to "accordance with national law".

g). there are no rules on checking on the admissibility of searches (as in the SIS rules).



© Statewatch ISSN 1756-851X. Material may be used providing the source is acknowledged. Statewatch does not have a corporate view, nor does it seek to create one; the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement.