At their Spring Summit in March European leaders discussed anti-terrorist proposals that would tighten security throughout Europe, including proposals for a Europe-wide system of retaining communications data.
Communications data are data that identify the caller and the means of communication (e.g. subscriber details, billing data, e-mail logs, personal details of customers and records showing the location where mobile phone calls were made) but not the content of the communications.
Since the September 11th tragedy, security and law enforcement agencies have urged governments to look at ways of retaining and accessing this data, which can be used to build a comprehensive dossier on the contacts, friendships, interests, transactions, and movements of an individual.
In the UK, the Retention of Communications Data (Code of Practice) Order 2003 lays out a voluntary Code of Practice for ISPs and telcos, but has met with resistance from these agencies – who believe that it will leave them open to claims under data protection and human rights laws.
A draft European framework Decision on data retention has been discussed for years, much to the concern of civil liberties groups. Indeed earlier this year human rights group Privacy International obtained a legal Opinion on the proposals – which found that the draft Decision was unlawful because it breaches the Convention on Human Rights.
However, the political will for such a scheme was jolted by the Madrid bombings, and with remarkable haste, the draft Framework Decision has now been polished up and published.
It will shortly be sent to the European Parliament for the opinion of MEPs.
The Draft Framework Decision – a brief overview
Prepared by France, Ireland, Sweden and the UK, the draft excludes the retention of the content of exchanged communications, although it does not define what "content" actually is. It also allows Member States to opt out if they do not find the purposes behind the draft sufficient to make the retention acceptable.
The draft provides for the data to be retained "for a period of at least 12 months and not more than 36 months following its generation." Member States may retain the data for longer if their "national criteria" permit it.
Provisions are also made for the access by one Member State to data retained by another Member State. Data protection safeguards are included, and there is an obligation on each Member State to ensure the security of the data retained.
The "Framework Decision on the retention of data processed and stored in connection with the provision of publicly available electronic communications services or data on public communications networks for the purpose of prevention, investigation, detection and prosecution of crime and criminal offences including terrorism" can be found as a 14-page pdf