But
the proposal has tough competition: it needs the support of the
European Parliament and Council of Ministers to become law – and
the Council has its own plans for data retention, set out in a
Framework Decision. The Council plan allows for data retention
periods of up to three years and it could be adopted by the Council
acting alone, without any debate in Parliament.
An earlier version of the draft Directive – an “Interservice
Consultation” version – had been leaked to lobby group European
Digital Rights (EDRi) in July. EDRi posted
that version online (16-page / 2.2MB PDF). The Commission's
information on today's version appears to reflect that leaked
version closely.
The Commission's proposal
The proposal provides for an EU-wide harmonisation of the
obligations on providers of publicly available electronic
communications, or a public telecommunications network, to retain
data related to mobile and fixed telephony for a period of one
year, and internet communication data, for six months.
The proposed Directive would not be applicable to the actual
content of the communications. It also includes a provision
ensuring that the service or network providers will be reimbursed
for the demonstrated additional costs they will have.
Commission Vice President Franco Frattini,
responsible for Justice, Freedom and Security, said: “This proposal
is a very balanced and constructive one, which takes account of the
fundamental rights to security, to a private life and protection of
personal data, as well as different interests, in particular those
of law enforcement authorities and communication providers.”
He pointed out that EU citizens expect the three EU institutions
to work jointly on this sensitive but important issue and to form a
united front in the fight against terrorism and organised
crime.
He added: “I am dedicated to working on a co-decision basis with
the European Parliament and the Member States in the Council, and
in particular its UK Presidency, to try to reach an agreement on
this issue before the end of this year – counter terrorism
effectively requires that we have no time to loose.”
The proposal was developed in full agreement with Commissioner
Viviane Reding, responsible for Information
Society and Media.
“The Commission proposal now puts data retention rules on a
sound legal basis, ensures the full co-decision of the European
Parliament and limits the data retention periods to the extent
absolutely necessary," she said. "In contrast to the text at
present discussed in the Council, the Commission proposal in
particular requires that all additional costs for the industry,
which are proven to have been caused by data retention obligations
under the new Directive, will have to be reimbursed.”
Law enforcement agencies can use communications traffic data to
identify associations between persons and events by time and
location. The tragic events of Madrid in March 2004 and London in
July 2005 and the investigations that followed have driven the
demand for data retention.
Squaring data retention with data protection
The Commission says its proposal balances the needs of security
services with fundamental rights and applies "solid data protection
rules".
To protect citizens’ fundamental rights and freedoms, and in
particular their privacy and personal data, Community law currently
provides for the deletion of traffic data once it is no longer
needed for the purpose of the transmission of the communication.
However, some may be kept and further processed by service and
network providers for their own business purposes such as billing
or with the consent of the consumers.
Beyond these business purposes, "public order" purposes can also
be invoked to justify the further processing of traffic data. This
is why public authorities in the Member States are in principle, if
necessary and in accordance with applicable law, able to request
access to traffic data stored by electronic communications
operators.
Legitimate requests for the retention of specific data –
otherwise called data preservation – are also allowed when
necessary for specific purposes, such as investigations and
prosecutions. Data preservation ensures the onward storage of
specific data on specific users as from the date of the
request.
However, with changes in business models and service offerings,
such as the growth of flat rate tariffs, pre-paid and free
electronic communications services, traffic data may not always be
stored by all operators to the same extent as they were in recent
years, depending on the services they offer. This trend is
reinforced by recent offerings of Voice over Internet Protocol
(VoIP) communication services, or even flat rate services for fixed
telephone communications.
Under such arrangements, the operators would no longer have the
need to store traffic data for billing purposes. If traffic data
are not stored for billing or other business purposes, they will
not be available for public authorities whenever there is a
legitimate case to access the data.
In other words, the Commission considers that these developments
are making it much harder for public authorities to fulfil their
duties in preventing and combating crime and terrorism, and easier
for criminals to communicate with each other without the fear that
their communications data can be used by law enforcement
authorities to thwart them.
The responses of Member States so far
To respond to this concern, a number of Member States have
adopted, or plan to adopt, national general data retention
measures. Compared to data preservation measures, which are
targeted at specific users and for specific data, general data
retention measures aim at requiring some or all operators to retain
traffic data on all users so that they can be used for "public
order" purposes when necessary and allowed.
The need to take legislative action in this area at the European
level has been confirmed by the European Council in its Declaration
on Combating Terrorism of 25th March 2004, adopted
shortly after the tragic events in Madrid on 11th
March.
In that Declaration the European Council explicitly recognises
the importance of legislative measures on traffic data retention,
through its instruction to the Council to examine measures in the
area of “proposals for establishing rules on the retention of
communications traffic data by service providers”.
The European Council Declaration continues to state that:
“Priority should be given to proposals under the retention of
communication traffic data ... with a view to adoption by June
2005”.
The priority attached to adopting an appropriate legal
instrument on this subject was recently confirmed in the
Conclusions of the European Council of 16th and
17th June, as well as at the special JHA Council meeting
of 13th July 2005 following the London terrorist
bombings.
The issue of retention of traffic data has initially been dealt
with in a draft Framework Decision, submitted in April 2004 as an
initiative of France, Ireland, Sweden and the UK – which is a
so-called third pillar legal instrument. Issues of common security
and defence policy can be decided under the third pillar – without
the need for majority voting.
Today’s patchwork
The data retention regimes introduced or planned by the Member
States vary significantly in scope, their purposes, the data to be
retained, the duration of the retention, the reimbursement
possibilities and the conditions for access to the data.
There is at present therefore a patchwork of national data
retention obligations in Member States, which can be summarised as
follows:
- A majority (about 15 according to 2004 figures) of Member
States at present do not have mandatory data retention
obligations;
- In about half of the Member States with mandatory data
retention obligations laws in place, data retention is not
operational since implementing measures are still missing;
- In those Member States with data retention obligations in
operation, the period (between three months and four years) and
scope vary substantially e.g. just pre-paid mobile, not the
internet, all services etc.
The current situation is therefore one which is unsatisfactory
in terms of addressing the concerns voiced by the European Council,
and in terms of addressing the consequences of the diverging
measures adopted by Member States for the effectiveness of
international law enforcement co-operation, as well as the
consequences for telcos and ISPs, especially those who provide
services in different Member States of the European Union.
The Commission’s position has been that the largest part of that
Framework Decision – the part concerning obligations on providers
to retain certain traffic data – should be adopted on a first
pillar legal basis (learn
more about the pillar structure). This position has also been
adopted by the Legal Service of the Council and by the European
Parliament.
How the Commission’s proposal differs from the Council’s
text
The Commission says its proposal "has taken account to a
significant extent of the work done by the Council on the draft
Framework Decision, especially as far as the categories of data to
be retained are concerned."
But it differs from the draft Framework Decision in a number of
important areas:
- Unlike the draft Framework Decision, the draft Directive
proposes harmonised retention periods of one year for fixed and
mobile telephony data, and six months for IP based communication
data. The Framework Decision sets a minimum term of retention for
all data categories of one year, but allows for possible exceptions
to this for periods between 6 and 48 months;
- Unlike the draft Framework Decision, the draft Directive
foresees a provision which obliges the Member States to compensate
the electronic communication services providers for additional
costs incurred as a consequence of the retention obligation;
- Unlike the draft Framework Decision, the draft Directive
foresees a
Comitology procedure for amendments to the list of data to
be retained, providing for the flexibility needed to ensure that
the instrument stays up-to-date in a rapidly changing technological
environment;
- Unlike the draft Framework Decision, the draft Directive
foresees the collection of statistics on cases in which data was
requested, as well as an evaluation of the instrument and its
impacts, taking account of those statistics.
Neither the draft Framework Decision nor the draft Directive are
applicable to the content of communications. Also, in both texts
internet related data to be retained are limited to e-mail and
IP-telephony data – which means that no data on web pages visited
will need to be retained.
The Comission's proposal will follow the co-decision procedure
with full involvement of the European Parliament, and consultation
of the Economic and Social Committee and the Committee of the
Regions.
