The current EDPS is Peter Hustinx, formerly the President of Holland's national data protection authority. As EDPS he is responsible for monitoring the processing of personal data by the Community institutions and bodies.
"This is an incredibly sensitive issue,” wrote Mr Hustinx. “The Directive has a direct impact on the protection of privacy of EU citizens and it is crucial that it respects their fundamental rights, as settled by the case law of the European Court of Human Rights. A legislative measure that would weaken the protection is not only unacceptable but also illegal."
The Commission’s proposal, published last week, provides for an EU-wide harmonisation of the obligations on providers of publicly available electronic communications, or a public telecommunications network, to retain data related to mobile and fixed telephony for a period of one year, and internet communication data for six months.
The proposed Directive would not be applicable to the actual content of the communications. It also includes a provision ensuring that the service or network providers will be reimbursed for the demonstrated additional costs they will have.
But it is not the only data retention initiative before the EU. In April last year the UK, France, Ireland and Sweden published a draft Framework Decision on the issue and, despite its rejection by MEPs in June, the four Member States are still pushing the Council of Ministers to approve the proposals.
The draft Framework Decision would oblige the retention of communications data from phone calls and emails for a minimum period of 12 months. It could be adopted by the Council acting alone, without any debate in Parliament – unlike the Commission’s proposals, which require the approval of both the Council and European Parliament.
This second legislative route, according to Mr Hustinx, is the only acceptable way forward.
“Only this procedure,” he wrote, “constitutes a transparent process of decision-making with full participation of the three institutions involved and with due respect to the principles on which the Union is founded. “
The EDPS Opinion
Mr Hustinx has not, and does not yet intend to give an Opinion on the draft Framework Decision. The Opinion published today relates only to the Commission’s proposals.
Hustinx makes it clear that he is not convinced that a Directive on data retention is necessary – a requirement of human rights legislation.
“The circumstances in society may have changed due to terrorist attacks, but this may not have as an effect that high standards of protection in the state of law are compromised,” he warns.
Hustinx says that if the Council and the European Parliament decide that data retention is necessary for the purpose of serious crime investigation, it will be justifiable only if it is proportionate and includes:
- Strictly limited retention periods – the periods must reflect the needs of law enforcement and they must be harmonised in the Member States, laying down maximum periods of retention. Longer periods than 6 and 12 months, as proposed, are not acceptable.
- A limited number of data to be stored – the number must reflect the needs of law enforcement and ensure that access to content data is not possible.
- Adequate safeguards – specific provisions on access to the retained data by competent authorities are needed to ensure that no one but the relevant law enforcement services can use the data in individual cases.
- Adequate technical infrastructure must be put in place to ensure the security of the data, including financial incentives to this effect.
- Data subjects must be able to exercise their rights and data protection authorities must be enabled to supervise effectively.
To be fully effective, says the EDPS, the draft Directive must fully harmonise all elements of the proposals, including the type of data to be retained, the length of time it my be retained and the purposes for which the data may be given to relevant authorities.
Leaving parts of the proposals to the whim of individual states would not help the internal market, enforcement agencies or the principles of human rights and data protection, he warns.
The EDPS also recommends tightening some clauses, to specifically limit access to the retained data for defined purposes and to clarify the length of time it may be retained. A paragraph on data protection is also necessary, he says. It is not sufficient to simply refer to other existing data protection legislation in this context.