In April, the UK, France, Ireland and Sweden published a draft
Framework Decision setting out provisions for the creation of an
EU-wide system of retaining communications data. Such data identify
the caller and the means of communication (e.g. subscriber details,
billing data, e-mail logs, personal details of customers and
records showing the location where mobile phone calls were made)
but not the content of the communications.
In the UK, the Retention of Communications Data (Code of
Practice) Order of 2003 lays out a voluntary Code of Practice for
ISPs and telcos, but has met with resistance from these companies –
which believe that it will expose them to claims under data
protection and human rights laws.
A draft European framework Decision on data retention has been
discussed for years, much to the concern of civil liberties groups.
Earlier this year human rights group Privacy International obtained
a legal Opinion on the proposals – which suggested that the draft
Decision was unlawful, finding that it breached the Convention on
Human Rights.
However, the political will for such a scheme was jolted by the
Madrid bombings, and the draft Framework Decision published shortly
thereafter.
The EU Data Protection Working Party, an independent EU advisory
body, has the task of assessing the privacy implications of such
proposals and this month published a preliminary Opinion on the
draft Decision. It will reconsider the Decision later, when the
Council has completed its own discussions and published a revised
draft.
The existing proposals do not, according to the Working Party,
conform with the requirements of the European Convention on Human
Rights as they do not fulfil three basic criteria: "a legal basis,
the need for the measure in a democratic society and conformity
with one of the legitimate aims listed in the Convention".
While the Working Party did not consider the legal basis of the
Decision (in view of the preliminary nature of the Council
discussions), it expressed concern as to the actual aim of the
Decision.
Is it solely for the "prevention, investigation, detection and
prosecution of crime and criminal offences", as stated in the
current draft? This, says the Working Party, must be made clear at
the very outset.
But the Working Party's most serious concerns relate to the
second criterion – the need for the measure in a democratic
society.
"The routine, comprehensive storage of all traffic data, user
and participant data proposed in the draft decision would make
surveillance that is authorised in exceptional circumstances the
rule," said the Opinion. "This would clearly be disproportionate.
The draft framework would apply, not only to some people who would
be monitored in application with specific laws, but to all natural
persons who use electronic communications."
"Not everything that might prove to be useful for law
enforcement is desirable or can be considered as a necessary
measure in a democratic society, particularly if this leads to the
systematic recording of all electronic communications," continued
the Working Party.
Nor was the Working Party convinced that data needed to be
retained for longer than six months – as opposed to the 12-month
period currently envisaged in the Decision. So far, said the
Working Party, law enforcement agencies have failed to show why
such far-reaching measures are necessary.
"Not only does the draft Framework Decision fail to cover those
conditions, it expressly seeks to nullify them by not requiring
definite grounds of suspicion and a reliable basis in fact in
individual cases and providing for comprehensive data storage as
precautionary measure in future legal proceedings against any users
of electronic communications systems," it concluded.
