In a recently published Opinion, the Working Party also details
20 safeguards that should be included in the draft.
Background to the Directive
Plans for an EU-wide scheme of data retention were first mooted
by the UK, France, Ireland and Sweden in April 2004. They have
since been joined by other Member States in pushing the Council of
Ministers to adopt a draft Framework Decision on the proposals,
under a procedure that does not require any Parliamentary
approval.
Concerned that the legal basis for the proposals was flawed, the
Commission adopted a rival law in September 2005 – a draft
Directive on data retention. The draft Directive was less
far-reaching than the Council’s proposal. Also, because it was a
Directive, procedural rules meant that both the Council of
Ministers and the European Parliament would have the opportunity to
approve it.
In October, European Justice Ministers agreed that they would
accept a compromise in the form of a draft Directive, but stressed
that they were prepared to push through their draft Framework
Decision if MEPs had made no progress with the Directive by the end
of 2005.
All attention is now focused on the draft Directive, which, in
its current form, will oblige ISPs and telcos to retain fixed and
mobile telephony data for a minimum period of 12 months, and
IP-based communications data for a minimum period of six
months.
The proposals allow for a maximum retention period of two years,
although Member States, such as Ireland and Italy, who already have
national retention periods going beyond that, will be allowed to
stick to their existing timescales.
In addition, the deal allows Member States to decide at a
national level whether to reimburse industry for the additional
costs that the scheme will incur, and confirms that the measure
will be reviewed after five years to ensure that it is working
properly.
But the draft Directive has been criticised for failing to live
up to the standards required by human rights laws.
These fears were echoed last month by the EU Data Protection
Working Party an independent EU advisory body, which has the
task of assessing the privacy implications of such proposals.
The Working Party's Opinion
The Working Party stresses the need to balance the interests of
national security with the right to privacy of citizens.
“This is why any restrictions of this fundamental right must be
based on a pressing need, should only be allowed in exceptional
cases and be the subject of adequate safeguards," it wrote. "The
retention of traffic data – including location data – for purposes
of law enforcement should meet strict conditions, in particular it
must take place only for a limited period and when necessary,
appropriate and proportionate in a democratic society.”
The Working Party is particularly concerned about the
justification for a mandatory and general data retention scheme. It
advises:
“...the circumstances justifying data
retention, even though they are said to be based on the requests
coming from the competent authorities in Member States, do not
appear to be grounded on crystal-clear evidence. Accordingly, the
proposed terms do not appear convincing as yet.”
It queries whether other short-term, case-specific procedures
would not be more appropriate.
The Opinion also says the Directive should make it clear that
the period of data retention set out in the draft is a maximum,
although Member States will be allowed to reduce this if necessary.
The Directive should also make it clear that the retained data
should be deleted at the end of the period.
The wording of the proposals in this regard is “not
satisfactory,” according to the Working Party.
It welcomes the Commission proposal that the evidence behind the
setting of retention periods should be reassessed every two or
three years, but calls for these evaluations to be published.
It also warns that the measures imposed should be time-limited,
so that national implementing legislation would cease to be
effective after three years, requiring a reassessment and further
legislation.
The Working Party warns that it is imperative to set out
adequate safeguards before data retention obligations are imposed
on ISPs and telcos. It advises that these safeguards be included
within the Directive itself, rather than left to other
legislation.
Finally, the Working Party sets out 20 specific safeguards that
it believes should be addressed by the Directive.
These include setting out a clear and limited purpose of
fighting terrorism and organised crime rather than a vague
reference to tackling “serious crime”.
Also included are requirements that any retrieval of retained
data be recorded, that access to data be authorised on a
case-by-case basis by an appropriate authority, and that the
Directive contain a definitive list of the type of data to be
retained.
