Call for mandatory data retention of all telecommunications
The draft proposal on the table is:
1. legally flawed and open to legal challenge
2. confused as to its scope - is it to deal with terrorism or crime in general?
3. requires service providers to retain data they have never collected before
4. the cost and technical capacity of service providers is unknown
5. the value in terms of tackling terrorism is highly questionable
6. it will store data on all the communications of everyone in the EU, suspect or not
7. there are no data protection provisions nor any external supervision
A special meeting of the EU Justice and Home Affairs Council will take place in Brussels on Wednesday (13 July) following the terrorist bombings in London on 7 July. The UK Home Secretary, Charles Clarke, will call for the mandatory retention of all telecommunications traffic data across the EU. He is quoted as saying: "Telecommunications records, whether of telephones or of e-mails, which record what calls were made from what number to another number at what time, are of very important use for intelligence. I am not talking about the content of any call but the fact that a call was made" (Times, 11.7.05). Mr Clarke is also to address the Committee on Civil Liberties of the European Parliament.
A proposal for an EU Framework Decision on the mandatory retention of all traffic data was put forward by the UK, Ireland, France and Sweden on 28 April 2004. The proposal covers the retention of communications data by service providers, access to the data by law enforcement agencies and the exchange of data between EU states. The traffic data to be retained would cover phone-calls, e-mails, faxes, mobile phone calls (and their location) and internet usage.
Flawed legal base
In April 2005 Statewatch published a legal analysis of the proposal based on the legal Opinions of the Council and Commission Legal Services who both concluded that the measure required two separate legal bases: See: Statewatch analysis: EU: Data Retention proposal partly illegal, say Council and Commission lawyers
The problem is recognised in the 24 May 2005 draft of the proposal: EU doc no: 8864/1/05 (pdf). The report from the EU Presidency says:
"The proposal for a Framework Decision is based on Article 31(1)(c) and 34(2)(b) TEU. The Commission reserved at an early stage of the negotiations a scrutiny reservation on the legal basis, and maintained that position at the JHA Council on 2 December 2004. After having studied the question, the Commission has entered a reservation on the legal basis. The Commission services have in 7735/05 COPEN 64 JUR 138 given the reasons for this reservation. In the view of the Commission, the parts of the proposal providing for a harmonisation of the categories of data to be retained and the period for retaining such data fall within EC competence and would need to be adopted on the basis of Article 95 TEC.
The Legal Service of the Council has given its opinion on the question in 7688/05 JUR 137 COPEN 62 TELECOM 21. The Legal Service has come to the conclusion that the harmonisation of data to be stored by service providers during a given period and setting up the duration of that period are matters for the Community's sphere of competence, and has specified that these aspects may not be the subject of a Framework Decision based on Title VI TEU, as such a Framework Decision would affect the provisions of Directive 2002/58/05 and would thus be adopted in breach of Article 47 TEU. It follows from the conclusions that other parts of the draft Framework Decision, such as Article 6 (access to retained communication data) and Article 7 (requests for transmission of retained communication data under judicial cooperation in criminal matters), do fall within Title VI TEU."
This basically means that the requirement to be placed on all service providers to retain specified categories of data for up to four years needs to be a "first pillar" measure under the Treaty establishing the European Community (TEC) - and would be subject to co-decision with the European Parliament. While the powers to give access to the retained data by law enforcement agencies and the exchange of that data comes under the Treaty on the European Union (TEU) under which the European Parliament is only "consulted".
However, despite the legal advice, the same report notes that:
"The four delegations of the Member States having submitted the proposal for a Framework Decision (FR/UK/SE/IR), supported by some delegations that thought that the proposal had been correctly based on Title VI TEU."
The European Commission, which has entered a scrutiny reservation on the proposal is: "in the process of preparing a proposal for a Directive on data retention", to meet the legal issue.
However, by 29 June 2005 the "Incoming Presidency" (ie: the UK) EU doc no: 10609/05 (pdf) said that:
"Regarding the legal basis, a majority of delegations thought the draft instrument belonged in the third pillar."
If this position is held to the Council could be on a collision course with both the European Commission and the European Parliament and potential legal challenge.
The UK report however does note that costs and proportionality would have to be addressed as well as discussions with the industry to resolve who is going to pay for the costs of retention.
The draft proposal
The scope of the proposed Framework Decision seems confused. The title refers to retaining and accessing communications data for the purpose of:
"investigation, detection and prosecution of crime and criminal offences including terrorism"
The reference to "prevention" has been deleted - which is perhaps one of the most relevant powers to tackling terrorism.
Recitals 3 and 5 refer to tackling "organised crime and terrorism".
Recital 7 says that the Framework Decision would not provide data retention rules for the purpose of "public security" - which seems the most necessary purpose when tackling terrorism. Under the existing powers in Article 15 of the Directive on privacy and telecommunications (2002/58/EC) data can be collected and retained for this purpose.
The actual scope as set out in Article 1 simply concerns all "criminal offences".
Article 3 sets out in details the data to be kept - which includes data which service providers do not currently keep even for a few days. This poses the question not just of costs but also of technical capability. In the new non-binding Recital 16 member states are asked to "consider" contributing to the costs.
People could end up paying for being put under surveillance.
Article 4 says communications data should be retain for 12 months - but derogations are possible to extend this period to 4 years or for the shorter period of 6 months. Variable periods of data retention make absolutely no sense in terms of tackling terrorism.
Article 6 covers access to the retained data which sets no time limit on how long the data can be held by state agencies, there is simply a general commitment that it should be "no longer than is necessary for the purpose for which the data was collected".
Article 7 allows for the exchange of data between member states' agencies on request - the power to subject the request to "any conditions which would have been observed in a similar national case" is supported by only nine out of 25 member states.
Article 8 says that EU member states must comply within two years of the adoption of the Framework Decision - by about 2008.
There are no data protection provisions.
European Parliament rejects proposal
On 7 June the plenary session of the European Parliament unanimously adopted the report from the Committee on Civil Liberties calling for the rejection of the proposal from the Council of the European Union (governments) on the mandatory retention of all telecommunications traffic data. The parliament's resolution said it:
1. Rejects the initiative by the French Republic, Ireland, the Kingdom of Sweden and the United Kingdom;
2. Calls on the French Republic, Ireland, the Kingdom of Sweden and the United Kingdom to withdraw their initiative;
In the Explanatory Statement, the rapporteur, Alexander Nuno Alvaro, says:
"The rapporteur, however, takes the view that the proposed measures affect two separate areas. On the one hand, the Council's proposal attempts inter-alia to establish the obligation for service providers to retain data, the definition of data and the retention period, all of which comes under the area of Community law. On the other hand, the proposal mentions access to and the exchange of data stored in the Member States, which is classed as common action in the area of judicial cooperation in criminal matters, meaning it comes under the third pillar."
"If all the traffic data covered by the proposal did indeed have to be stored, the network of a large Internet provider would, even at today's traffic levels, accumulate a data volume of 20 - 40 000 terabytes. This is the equivalent of roughly four million kilometres' worth of full files, which, in turn, is equivalent to 10 stacks of files each reaching from Earth to the moon.
With a data volume this huge, one search using existing technology, without additional
investment, would take 50 to 100 years. The rapid availability of the data required seems, therefore, to be in doubt."
Adopted EP report (pdf)
Are new powers needed to combat terrorism?
It is arguable that the security and intelligence agencies (and the police) already have all the powers they need to place the telecommunications of terrorist suspects under surveillance. This is allowed for both under national laws and under the Directive on privacy in telecommunications (2002/58/05) which, under Article 15, allows for the retention of communications data "for the purposes of the prevention, investigation, detection or prosecution of crime and criminal offences". and for "safeguaridng national security (ie: state security, defence and public security"). Thus where the agencies have specific terrorist suspects they are able to require service providers to collect and retain data on the "target".
In addition, the UK's Government Communications Headquarters (GCHQ) in conjunction with the National Security Agency (NSA) in the USA have, since 11 September 2001, routinely gathered all relevant telecommunications (communications data and contents where suspicious) on terrorism - backed by the ongoing, joint, ECHELON data trawling system.
Tony Bunyan, Statewatch editor, comments:
"After the dreadful terrorist attacks in London on 7 July 2005 it is absolutely right for the intelligence and security agencies concerned with finding the perpetrators to have all the necessary powers.
If this proposal was limited to tackling terrorism that would be one thing but it is not. It will put everyone in the EU under surveillance, be used to tackle crime in general and potentially could be used for social and political control. The agencies already have the powers to place suspects under surveillance and this will add little to the existing intelligence - it will simply build a bigger "haystack" from which to find the same number of needles.
It is understandable that governments want to respond to the tragedy but to put in place a system that: makes everyone in the EU a "suspect", which is potentially open to misuse and abuse, and which has no data protection provisions at all would seriously undermine the democracy that is being defended."
1. 29 June 2005, "Incoming Presidency" (ie: the UK) draft, EU doc no: 10609/05 (pdf)
2. 24 May 2005 draft EU doc no: 8864/1/05 (pdf)
3. European Parliament: Adopted report (pdf)
4. Statewatch analysis: EU: Data Retention proposal partly illegal, say Council and Commission lawyers
5. Dutch study fails to prove usefulness and necessity data retention (thanks to EDRI): Report Erasmus University (in Dutch only, 22.06.2005)
6. Statewatch analysis, with full historical and background references, to the original proposal
7. Statewatch database search for "data retention"
Statewatch News online | Join Statewatch news e-mail list | Search Statewatch database
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement.