EU: Commission still seeking proof of the necessity of mandatory data retention

Support our work: become a Friend of Statewatch from as little as £1/€1 per month.

"all Member States - not just a minority - need to provide convincing evidence of the value of data retention for security and criminal justice"

In December 2010, the European Commission organised a workshop on the proposed reform of the Data Retention Directive. In a speech to the conference, the European Data Protection Supervisor made clear that:

"At the moment, the Directive is only based on the assumption that it constitutes a necessary and proportionate measure. However, the time has come to actually provide sufficient evidence of this.

"Without such evidence, the Data Retention Directive should be withdrawn or replaced by a more targeted and less intrusive instrument which does meet the requirement of necessity and proportionality." [1]

A recent note from the Commission to the Working Party on Data Protection and Information Exchange [2] raises questions over what sort of evidence will be used to provide justification for the reform of the Directive, and whether that reform will be able to satisfy the demands of data protection authorities and privacy advocates.

Quantitative versus qualitative

The Commission states that "all Member States - not just a minority - need to provide convincing evidence of the value of data retention for security and criminal justice." This is considered necessary to address the "continued perception that there is little evidence at an EU and national level on the value of data retention in terms of public security and criminal justice, nor of what alternatives have been considered."

So far, only 11 of 27 Member States have provided evidence of the importance of retained data in cases of terrorism, serious crime, or telecommunications crime - and this was qualitative, rather than quantitative data. This is despite the Commission having had over a year to obtain further evidence from the Member States of the necessity of the retention measures.

Substantial quantitative data would best serve the interests of the Commission and the Member States who are insistent upon keeping the Directive. Yet further attempts to prove the necessity of retention seem likely to come in qualitative form (eg: selected high-profile examles). It was stressed by some delegations at a May 2011 meeting of the Working Party on Data Protection and Information Exchange that the necessity of data retention:

"[C]ould not be argued on the basis of statistical data… the gravity of the offences investigated thanks to traffic data, rather than the mere number of cases in which traffic data were used should receive due attention. Quantitative analysis should be complemented with qualitative assessment." [3]

The use of qualitative evidence has of course been used before in attempts to justify privacy-intrusive measures. The impact assessment accompanying the proposal for a Directive on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime contains a series of anecdotes intended to prove the necessity of states storing and processing PNR data, with no statistics to back them up. [4]

A 2010 study by the German Federal Crime Agency into data retention, which did use quantitative evidence, found that data retention was "ineffective" and led to an overall decrease in crime clearance rates. [5]

There seems to be an ongoing problem with the collection and use of statistics when it comes to EU legislation and computer systems intended to ease the work of law enforcement authorities. A study completed in December 2010 on cross-border information exchange found that Member States could not answer many questions put to them "due to the lack of (comparable) statistics". Those undertaking the study found that "there were widespread gaps in the quantitative statistics available". [6]

The Commission versus the courts

The German Federal Crime Agency's 2010 study took place before a challenge to the law reached the country's Constitutional Court. In March 2010 the Court suspended the German transposition of the Directive, arguing that "such retention represents an especially grave intrusion" into individual privacy. [7]

There have also been legal challenges to the provisions in Bulgaria, Sweden, the Czech Republic and Ireland. [8] In late October, the Commission formally requested that Germany and Romania transpose the Directive into national legislation. [9] Romania's Senate has rejected a new draft law, [10] while in Germany a government spokesman has stated that "a reasonable compromise to present a stable constitutional solution" is being prepared. [11]

Despite these problems, the Commission is insistent that retention must continue. Indeed, it may well be that the reformed Directive, currently planned for July 2012, will have an even wider scope than the current legislation.

Privacy versus policing

The "unclear definitions in the DRD have encouraged heterogeneous interpretations" of the scope of the legislation, and "this can result in frustration for law enforcement". For example:

"Instant messaging, chat, uploads and downloads (but not anonymous SIM cards) are types of data held by information society services which is almost identical to traffic data but which is outside the scope of the DRD. There is no standard EU approach to accessing this data, so some law enforcement find it very difficult to get this data on time for their investigations."

Reform of the DRD is just one of a series of measures in the coming year that look set to extend the ability of law enforcement authorities to access the personal data of individuals. The Commission is due to issue a Communication on enhancing the traceability of users of pre-paid communication services for law enforcement purposes (almost certainly intended to deal with the ongoing 'problem' of anonymous SIM cards), as well as a Green paper on commercial information relevant to law enforcement and information exchange models.

At the same time, discussions are ongoing within the Commission on the proposed Police and criminal justice data protection directive, intended to replace the provisions of the highly-criticised Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters.

"Data retention is here to stay"

An ongoing campaign by data protection authorities and civil society organisations has attempted to have the Data Retention Directive either severely amended or repealed altogether. However, it seems that the statement of Commissioner Malmström in a December 2010 speech to a consultation workshop on the Directive remains true: "data retention is here to stay". [12]

Moreover, judging from the tone of the Commission's note, it is likely to continue to prioritise the requirements of law enforcement authorities over the rights of individuals.

[1] European Data Protection Supervisor, 'The moment of truth for the Data Retention Directive', 3 December 2010, p.2
[2] Commission Services, 'Consultation on reform of Data Retention Directive: emerging themes and next steps', 15 December 2011, 18620/11
[3] Working Party on Data Protection and Information Exchange, 'Summary of discussions', 30 May 2011, 10806/11, p.3
[4] European Commission, 'Summary of the impact assessment - Accompanying document to the Proposal for a European Parliament and Council Directive on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime', 2 February 2011, SEC(2011) 133 final, p.3-4
[5] EDRi-gram, 'German study finds the data retention ineffective', 9 February 2011
[6] European Public Law Organisation & International Centre for Migration Policy Development, 'Study on the status of information exchange amongst law enforcement authorities in the context of existing EU instruments', December 2010, pp.48-50
[7] EDRi-gram, 'German Federal Constitutional Court rejects data retention law', 10 March 2010
[8] Chris Jones, 'Statewatch Analysis: EU: Mandatory data retention: update and developments', June 2011
[9] European Commission, 'Data retention: Commission requests Germany and Romania fully transpose EU rules', 27 October 2011
[10] EDRi-gram, 'Romanian Senate rejects the new data retention law', 18 January 2012
[11] Telecompaper, 'German govt says working on data retention', 30 December 2011
[12] Cecilia Malmström, 'Taking on the Data Retention Directive', 3 December 2010

Our work is only possible with your support.
Become a Friend of Statewatch from as little as £1/€1 per month.


Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error