Out-Law News 3 min. read
19 Apr 2011, 5:11 pm
The Commission has said that it will review its data retention rules after adopting a report that criticises the effectiveness of the current law. The report was commissioned to provide feedback on the impact the Directive was having on businesses and consumers, and how it was being implemented in EU countries.
The evaluation report (44-page / 226KB PDF) said that data retention limits a person's right to privacy and that protection safeguards were required to prevent breaches of security.
The Article 29 Working Party, which consists of the EU's 27 national privacy watchdogs, and the European Data Protection Supervisor Peter Hustinx have recently both criticised data retention laws saying that they are disproportionate to the terrorist threat they are designed to protect against.
On Monday the UK Open Rights Group called the report on the Directive a 'whitewash', while the European Digital Rights organisation published a spoof evaluation report (27-page / 295KB PDF) claiming that the Directive was an "unprecedented violation of the fundamental rights of 500 million Europeans."
The Commission said it would consider strengthening regulations of the storage, access to and use of retained data to improve the protection of personal data.
"The Commission will ensure that any future data retention proposal respects the principles of proportionality and is appropriate for attaining the objective of combating serious crime and terrorism and does not go beyond what is necessary to achieve this," the report said.
"It will recognise that any exemptions or limitations in relation to the protection of personal data should only apply insofar as they are necessary," the report said.
The report emphasised that, despite concerns over the use of personal data, data retention laws had been pivotal to preventing and solving crime.
"These data provide valuable leads and evidence in the prevention and prosecution of crime and ensuring criminal justice. Their use has resulted in convictions for criminal offences which, without data retention, may never have been solved," the report said.
The Directive was established in 2006 to make it a requirement for telecoms companies to retain personal data for a period determined by national governments of between six months and two years.
The Commission decided to regulate following terrorist attacks in Madrid in 2004 and London in 2005.
Telecoms firms are required to retain identifying details of phone calls and emails, such as the traffic and location, to help the police detect and investigate serious crimes, the Directive said. The details exclude the content of those communications.
The report found that EU member states had interpreted the Data Retention Directive differently, making some national laws inconsistent with others. This caused problems for telecoms providers because they are reimbursed differently across Europe for the cost of retrieving data, which is something the Commission should try to better harmonise, the evaluation report said.
"Most transposing member states, in accordance with their legislation, allow the access and use of retained data for purposes going beyond those covered by the [Data Retention] Directive, including preventing and combating crime generally and the risk to life and limb. Whilst this is permitted under the [Privacy and Electronic Communications Directive], the degree of harmonisation achieved by EU legislation in this area remains limited," the evaluation report said.
"Differences in the purposes of data retention are likely to affect the volume and frequency of requests and in turn the costs incurred for compliance with the obligations laid down in the [Data Retention] Directive. Furthermore, this situation may not provide sufficiently for the foreseeability which is a requirement in any legislative measure which restricts ... privacy," the report said.
Courts in Germany, Romania and the Czech Republic all rejected the Directive as 'unconstitutional', the report said.
"The German Constitutional Court said that data retention generated a perception of surveillance which could impair the free exercise of fundamental rights ... the Romanian Constitutional Court ... held that a 'continuous legal obligation' to retain all traffic data for six months was incompatible to the rights of privacy and freedom of expression in ... the European Convention of Human Rights," the report said.
A Czech courtsaid the wording was imprecise and could lead the public not to trust authorities tasked with securing personal data, the report said.
The Commission promised to look at these concerns when it drafts an update to the Directive and will now conduct an impact assessment that looks at ways to harmonise the approach to data retention laws in EU member countries.
Among the things the impact assessment should consider is shortening the mandatory time that telecoms companies should retain data for, ensuring an independent authority monitors requests for data access and limiting the authorities that can access the data in the first place, the report said.
Technology law news is also available from Bootlaw, a free resource for technology start-ups, with regular events hosted by Pinsent Masons.
