The comments also affect similar legislation that the UK recently laid before Parliament.
Communications data is limited to data that describes the caller and the means of communication (e.g. subscriber details, billing data, e-mail logs, personal details of customers and records showing the location where mobile phone calls were made) but not the content of the communications.
Since the September 11th tragedy, security and law enforcement agencies have urged governments to look at ways of retaining and accessing this data, which can be used to build a comprehensive dossier on the contacts, friendships, interests, transactions, and movements of an individual.
The EU is developing a framework directive, known as the "Draft Framework Decision on the Retention of Traffic Data and Access to this Data in Connection with Criminal Investigations and Prosecutions," while ten Member States are already creating their own national legislation to deal with the issue.
In the UK, the draft Retention of Communications Data (Code of Practice) Order 2003 was laid before Parliament in mid-September. This lays out a voluntary Code of Practice for ISPs and telcos, but has met with resistance from these agencies – which believe that it will leave them open to claims under data protection and human rights laws.
The Government has said that it will bring in a mandatory Code of Practice if the ISPs and telcos do not co-operate – but rather than solving the problem, this could simply shift the problem, according to the Opinion published this week, written by US law firm Covington & Burling.
According to the Opinion, "The data retention regime envisaged by the Framework Decision, and now appearing in various forms at the Member State level, is unlawful."
The problem relates to Article 8 of the European Convention on Human Rights (ECHR), which guarantees every individual the right to respect for his or her private life, subject only to narrow exceptions where government action is imperative.
According to the Opinion:
"The Framework Decision and national laws similar to it would interfere with this right, by requiring the accumulation of large amounts of information bearing on individuals' private activities. This interference with the privacy rights of every user of European-based communications services cannot be justified under the limited exceptions envisaged by Article 8 because it is neither consistent with the rule of law nor necessary in a democratic society."
The indiscriminate nature of the legislation means that individuals cannot avoid the surveillance. Individuals cannot be told what crime they have to commit, or behaviour they have to exhibit, before the surveillance begins – it is always there.
The Opinion continues:
"The indiscriminate collection of traffic data offends a core principle of the rule of law: that citizens should have notice of the circumstances in which the State may conduct surveillance, so that they can regulate their behaviour to avoid unwanted intrusions. Moreover, the data retention requirement would be so extensive as to be out of all proportion to the law enforcement objectives served."
Privacy International has warned that it intends to pursue test cases in at least two EU countries where mandatory retention has been implemented.
The civil liberties group has also lodged complaints with the Information Commissioner. It argues that the blanket retention of communications data breaches the principle of proportionality, that the practice flouts the specificity principle, and that the existence of a voluntary code for communications providers takes no account of the consent principle (i.e. breaches of the First, Second and Third Data Protection Principles).
However, Dr Chris Pounder of Masons, the firm behind OUT-LAW.COM, and Editor of Data Protection and Privacy Practice, commented:
"The Home Secretary has indicated that if there is any successful challenge to the policy of retention of communications data, then he would sign a certificate which would exempt the application of most data protection principles, on the grounds that the processing would be necessary for safeguarding national security."
Privacy International has also lodged an Open Government request for disclosure of the Government's legal advice relating to the regulations before the Parliament.
Simon Davies commented:
"This is an important legal analysis. It clearly exposes the government's intention not only to snoop unnecessarily on innocent people, but also to force unwilling companies to be complicit in an unprecedented and disproportionate surveillance regime."