28 March 2012
EU: Revision of Data Retention Directive put on hold with "no precise timetable" for a new proposal
Revision of the controversial EU Data Retention Directive - which requires the storage of internet and phone records for between six months and two years - has been put on hold by the European Commission. It is now seeking to establish a new data protection regime before revising the Data Retention Directive at the same time as a conflicting piece of legislation, the e-Privacy Directive.
An email sent to the members of EuroISPA ("The voice of the ISPs in Europe") at the beginning of July states that:
"After discussions at cabinet level between Commissioners Kroes and Malmström, the decision has been taken to postpone the revision of the Data Retention Directive to have it in parallel with the e-Privacy Directive." 
The reason for revising both pieces of legislation together is that Article 15(1) of the e-Privacy Directive permits "the retention of data for a limited period" if it is considered:
"A necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. state security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system." 
This needs to be reconciled with the Data Retention Directive, the purpose of which is retention of data for the investigation and prosecution of serious crime, "which is not defined at EU level or in many Member States." 
The opinion of the Commission, according to a spokesperson, is that:
"Any revision of the Data Retention Directive should ensure that retained data will be used exclusively for the purposes foreseen in this Directive, and not for other purposes as currently allowed by the e-Privacy Directive."
The EuroISPA email states that "a revision could be announced in 2013 or 2014, depending on the progress of the General Data Protection Regulation," which is currently the subject of discussion in the Council and the Parliament.
The Commission spokesperson also said that there was "no precise timetable for the Commission's proposal," but "preparations for that proposal continue, including on the impact assessment."
The impact assessment alone has been causing a headache for the Commission. A paper issued at the end of 2011 on the "emerging themes and next steps" in reforming the Directive noted that "strong qualitative evidence of the value of historic communications data in specific cases of terrorism, serious crime and crimes using the internet or by telephone" had been received from only 11 of 27 Member States.
At a meeting of the Working Party on Terrorism on 12 March of this year, Member State delegations were informed of a letter sent by Commissioner Malmström to all Member States "with a request for reliable quantitative and qualitative data that would demonstrate the necessity of data retention for security purposes." 
The Commission repeated its call for evidence on 3 April 2012 at a meeting of the Article 36 Committee (known as CATS), and "also informed delegations about its plans for improving the 2006 Data Retention Directive, for which the impact assessment would soon be ready." 
It appears that in the course of the assessment it became apparent that revision of the e-Privacy Directive would also be necessary, and this was duly announced to the Parliament at a meeting of its LIBE Committee in early July. 
First however, a new data protection package will need to be agreed by the Council and the Parliament, with Member States in the Council currently disagreeing on a number of elements. 
The rocky road to revision
It is clear that there are many problems with the Data Retention Directive: the European Data Protection Supervisor has called it "the most privacy invasive instrument ever adopted by the EU,"  and there are serious issues regarding proportionality, legal precision, differing interpretation by telecommunications providers and national authorities, and the costs incurred by telecommunications providers.
Law enforcement authorities have complained of difficulties with "rapidly exchang[ing] telecom data and the unavailability of some types of telecom data,"  although alleviating these concerns would almost certainly have further detrimental impacts upon individual privacy. This is well-illustrated by current debates in the UK over a proposed new telecommunications surveillance law which is intended to allow the more extensive surveillance of phone and internet usage. 
Yet despite all this, it seems that there is little appetite for reform amongst Member States. At a meeting of CATS on 24 May, "several Member States intervened" during a presentation by the Commission on reform of the Directive in order to:
"[E]xpress their qualms regarding any possible legislative proposal to amend the 2006 Directive and in particular the retention periods contained therein given the law enforcement need to access those data." 
This reflects comments made in January, the month after the Commission issued its paper on "emerging themes and next steps", at a meeting of the Parliament's LIBE Committee. Here, Commissioner Malmström informed MEPs "that there was no appetite for revision in the Council." 
History of controversy
The Data Retention Directive (2006/24/EC) obliges telecommunications providers in EU Member States to store numerous types of information that allow the authorities "to retrace telephone and internet behaviour of all persons in the EU whenever they use telephone or internet up to a period of two years,"  and has been widely criticised, with a number of Member States attempting to delay or halt its transposition into national law.
At the end of May this year, it was announced that the European Commission was to take Germany to court for failing to introduce new legislation, which was rejected by the country's constitutional court in March 2010. 
Legal problems and challenges have also arisen in Austria, Bulgaria, the Czech Republic, Hungary, Ireland, Romania and Sweden, although many of these states have now transposed the law.
In March the Swedish parliament voted through a data retention law in the face of possible legal action by the European Commission, with one dissenting parliamentarian saying that "the need for, and the benefits of, the directive do not compensate for the invasion of privacy." 
The transposition of the law in Ireland saw a legal challenge brought by the group Digital Rights Ireland.  The case is ongoing, with the Council recently invited to submit its observations on whether elements of the Data Retention Directive are compatible with fundamental rights and various other aspects of EU law. 
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: c/o MDR, 88 Fleet Street, London EC4Y 1DH, UK. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.