Proposed Retention of Electronic Communications Data in Europe
Current proposals for a legal requirement for the retention of electronic communications data, which would include details of mobile phone calls and internet traffic, will affect the privacy of every EU citizen. A recent draft framework proposing the retention of electronic data by communications service providers for up to three years was rejected by the European Parliament. A separate proposal by the European Commission for a new Directive on the retention of electronic communications data has now been considered by the European Data Protection Supervisor (the EDPS), Peter Hustinx, who delivered his opinion on the proposal on 26 September 2005.
The provisions of the proposed Directive were considered by the EDPS with regard to data protection legislation and the protection of privacy given by Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (the ECHR). The EDPS has suggested amendments to the proposal that would provide a legal basis for the retention of data by service providers and access to the data by law enforcement agencies of the Member States.
The EDPS recognises that access to certain traffic and location data by law enforcement agencies can assist in the combat of terrorism and other serious crime. However, the necessity of the obligation to retain data must be demonstrable and proportionate. The EDPS is not convinced of the absolute necessity of the retention of traffic and location data for law enforcement purposes, or that it is in itself an effective response, unless additional safeguards apply including that:
- the data should be transmitted from the service providers to the authorities, rather than allowing them direct access
- access should be prohibited for data-mining activities or for routine fishing operations
- access by the authorities should only be for the investigation of certain serious criminal offences, and should be subject to judicial control
- data protection principles must be expressly provided for, such as the exercise of rights by the data subject, the need for data quality and security, and limitations as to lawful purposes of retention of data.
The new Directive provides that the obligation to retain data should apply for a maximum period of 6 months in the case of Internet communications data, and for up to one year for the retention of other communications traffic data. The retention of all data for such periods will mean the creation of huge databases, and require technological measures to ensure that data is erased after the relevant retention period, the provision of a verifiable audit trail of actions, and an adequate and effective search engine to allow for targeted searching for specific data.
The costs of data retention and related technological measures such as effective search engines will be considerable. Providers must be offered compensation as an incentive to install the technological and procedural security measures to retain the data and control access. Member states will bear the cost of compensating the service providers. There are interesting cross-border jurisdictional issues, for example in cross-border phone calls, crossing a border during a phone call, and the use of a provider in another country than that where the individual resides.
The Council of Europe is scheduled to meet on 12th October to discuss the issue of data retention further. The full text of the Opinion of the European Data Protection Supervisor on the Commissions Proposal can be found at http://www.edps.eu.int/12_en_opinions.htm.
By Judy Beck, CCLRC, UK
Editor: Heather Weaver, CCLRC, UK