Out-Law News 3 min. read
04 Nov 2005, 1:52 pm
In a recently published Opinion, the Working Party also details 20 safeguards that should be included in the draft.
Plans for an EU-wide scheme of data retention were first mooted by the UK, France, Ireland and Sweden in April 2004. They have since been joined by other Member States in pushing the Council of Ministers to adopt a draft Framework Decision on the proposals, under a procedure that does not require any Parliamentary approval.
Concerned that the legal basis for the proposals was flawed, the Commission adopted a rival law in September 2005 – a draft Directive on data retention. The draft Directive was less far-reaching than the Council’s proposal. Also, because it was a Directive, procedural rules meant that both the Council of Ministers and the European Parliament would have the opportunity to approve it.
In October, European Justice Ministers agreed that they would accept a compromise in the form of a draft Directive, but stressed that they were prepared to push through their draft Framework Decision if MEPs had made no progress with the Directive by the end of 2005.
All attention is now focused on the draft Directive, which, in its current form, will oblige ISPs and telcos to retain fixed and mobile telephony data for a minimum period of 12 months, and IP-based communications data for a minimum period of six months.
The proposals allow for a maximum retention period of two years, although Member States, such as Ireland and Italy, who already have national retention periods going beyond that, will be allowed to stick to their existing timescales.
In addition, the deal allows Member States to decide at a national level whether to reimburse industry for the additional costs that the scheme will incur, and confirms that the measure will be reviewed after five years to ensure that it is working properly.
But the draft Directive has been criticised for failing to live up to the standards required by human rights laws.
These fears were echoed last month by the EU Data Protection Working Party an independent EU advisory body, which has the task of assessing the privacy implications of such proposals.
The Working Party stresses the need to balance the interests of national security with the right to privacy of citizens.
“This is why any restrictions of this fundamental right must be based on a pressing need, should only be allowed in exceptional cases and be the subject of adequate safeguards," it wrote. "The retention of traffic data – including location data – for purposes of law enforcement should meet strict conditions, in particular it must take place only for a limited period and when necessary, appropriate and proportionate in a democratic society.”
The Working Party is particularly concerned about the justification for a mandatory and general data retention scheme. It advises:
“...the circumstances justifying data retention, even though they are said to be based on the requests coming from the competent authorities in Member States, do not appear to be grounded on crystal-clear evidence. Accordingly, the proposed terms do not appear convincing as yet.”
It queries whether other short-term, case-specific procedures would not be more appropriate.
The Opinion also says the Directive should make it clear that the period of data retention set out in the draft is a maximum, although Member States will be allowed to reduce this if necessary. The Directive should also make it clear that the retained data should be deleted at the end of the period.
The wording of the proposals in this regard is “not satisfactory,” according to the Working Party.
It welcomes the Commission proposal that the evidence behind the setting of retention periods should be reassessed every two or three years, but calls for these evaluations to be published.
It also warns that the measures imposed should be time-limited, so that national implementing legislation would cease to be effective after three years, requiring a reassessment and further legislation.
The Working Party warns that it is imperative to set out adequate safeguards before data retention obligations are imposed on ISPs and telcos. It advises that these safeguards be included within the Directive itself, rather than left to other legislation.
Finally, the Working Party sets out 20 specific safeguards that it believes should be addressed by the Directive.
These include setting out a clear and limited purpose of fighting terrorism and organised crime rather than a vague reference to tackling “serious crime”.
Also included are requirements that any retrieval of retained data be recorded, that access to data be authorised on a case-by-case basis by an appropriate authority, and that the Directive contain a definitive list of the type of data to be retained.
