EU: data retention to be "compulsory" for 12-24 months
01 August 2002
Even as the European Parliament was discussing and voting on fundamental changes to the 1997 EC Directive on privacy in telecommunications the Belgian government was drafting (and circulating for comment) a binding Framework Decision on the retention of traffic data and access for the law enforcement agencies - a copy of which has been leaked to Statewatch.
Under the guise of tackling "terrorism" the EU's Justice and Home Affairs Minister decided on 20 September 2001 that the law enforcement agencies needed to have access to all traffic data (phone-calls, mobile calls, e-mails, faxes and internet usage) for the purpose of criminal investigations in general.
What stood in the way was the 1997 EC Directive on privacy in telecommunications. This was the follow-up to the hard-won 1995 EC Directive on data protection, now law across the EU. The 1997 EC Directive said that the only purpose for which traffic data could be retained was for billing (ie: for the benefit of customers) and then it had to be erased. Law enforcement agencies could get access to the traffic data with a judicial order for a specific person/group.
The "deal" agreed between the Council (the 15 governments) and the two largest parties in the European Parliament (PPE, conservative and PSE, Socialist groups) means that there are two crucial amendments: i) the obligation to erase data has been deleted and ii) EU member states are allowed to pass laws requiring communications providers to keep traffic data for a so-called “limited period”.
One of the arguments used to legitimise the move during the discussions in the European Parliament was that the change to the 1997 Directive simply enabled governments to adopt laws for data retention if national parliaments agreed. The document leaked to Statewatch shows that EU governments always intended to introduce an EC law to bind all member states to adopt data retention.
The draft Framework Decision says that data should be retained for 12 to 24 months in order for law enforcement agencies to have access to it. In theory the agencies will still need a judicial order to trawl back through the records of a targeted person(s) - though this legal nicety has never stopped the internal security agencies getting access in many countries. The Framework Decision also carries a strong hint that another measure is in the pipeline, one to allow law enforcement agencies access to the content as well as the traffic data of communications.
Now the traffic data of the whole population of the EU (and the countries joining) is to be held on record. It is a move from targeted to potentially universal surveillance.
On 14 August the Danish Presidency put out to all EU governments a "Questionnaire on traffic data retention" for completion and return "preferably by e-mail" by Monday 9 September. See below for full-text of documents 11490/02 and 11490/1/02 - the only difference between the two documents is that the reference to "in collaboration with the Commission" has been deleted from the final version.
Tony Bunyan, Statewatch editor, comments:
““EU governments claimed that changes to the 1997 EC Directive on privacy in telecommunications to allow for data retention and access by the law enforcement agencies would not be binding on Members States - each national parliament would have to decide. Now we know that all along they were intending to make it binding, “compulsory”, across Europe.
The right to privacy in our communications - e-mails, phone-calls, faxes and mobile phones - was a hard-won right which has now been taken away. Under the guise of fighting "terrorism" everyone's communications are to be placed under surveillance.
Gone too under the draft Framework Decision are basic rights of data protection, proper rules of procedure, scrutiny by supervisory bodies and judical review”