Even before the final text was officially published, the directive had been criticised by several of
Known as the EU Data Retention Directive, it demands that details of people’s phone calls and emails be stored by companies for up to two years, in case the police or intelligence services require access to them. Intended as an anti-terrorism measure, the directive will be used in investigating terrorism and serious crime. Such records have been used, for example, in the investigation following the
The data to be stored is what’s known as communications traffic data. This is data about a phone call or email, but not the content of it. For call data it includes the registered owner of the phone, the numbers dialled, the length of a call and, in the case of mobile phones, the location of the caller. For email it includes the registered owner of the email address and the email addresses of their correspondents. Because the stored data offers historic information, it allows an individual’s calling patterns to be tracked over long periods of time. Regular numbers called, and an individual’s network of contacts, can therefore be identified.
In criminal investigations, communications traffic data will be used to find out who a suspect is talking to, and how frequently. This information may provide clues either to the whereabouts of the suspect or to their connections. Details of web browsing activity will not be collected, nor will the content of emails, so investigators will not be able to learn anything more than names and contact details. It is also unlikely that retained data will be permitted as evidence in court proceedings. It will, however, provide the police or intelligence services with leads for collecting evidence. Further, on the basis of existing international agreements, the data could be accessed by the
Phone companies and internet service providers (ISPs) will be obliged to comply with government demands that they store communications traffic data for up to two years, and to provide access to retained data on request from police or intelligence services. As the directive has travelled through the legislative machinery of
Privacy authorities and campaigners are concerned that retaining and accessing communications traffic data could constitute an intrusion on privacy. They want strict controls on access to retained data, so that it cannot be used in civil cases such as divorce, or misused by commercial companies.
From a privacy perspective, data retention is part of the wider concern about electronic surveillance and the activities of commercial companies. Many such organisations hold vast amounts of data on individuals in so-called customer relationship management (CRM) systems.
Systems like Google and Tesco Clubcard represent sophisticated advances in data storage, search and retrieval technologies over the past ten or so years. There is a sense in which data retention seeks to take these commercial, technological advances and apply them to public surveillance.
But for individuals, there is always a trade-off. We may not mind a supermarket knowing what we buy if they give us money off other goods in return, in which case we are happy to sign up to a Clubcard or similar scheme. In the public sphere, it’s more complicated. Most of us don’t mind the police having access to phone data when they are investigating a specific incident such as the 7 July bombings. However, we might not like a police investigator looking into our phone calls if we believe we are innocent of any crime. And we might want the right to be informed about it. It’s important therefore that any legislation on data retention achieves an appropriate balance between our right to privacy and the right of the government to use our data for public benefit.
Data retention laws already exist in many EU countries. The
EU-wide proposals were first put forward in 1998, but were rejected then for being too draconian. The idea only got real political support in April 2004, after the
Critics – including privacy campaigning groups such as European Digital Rights, the Open Rights Group, Digital Rights Ireland and Statewatch – suggest that the Commission proposal was rushed through the EU legislative process too quickly for proper scrutiny. It was a complex process involving so-called "trialogue" discussions between the European Commission, the European Parliament and the European Council of Ministers.
In EU legal jargon, the directive went through under the "co-decision" procedure. This means that all that was required was the approval of both the Parliament and the Council for the directive to become law. In order to get that approval, there had to be a text that both were agreed on. The British presidency was determined to get it through during its term, and as such the text had to be agreed and voted on before the end of December. It’s not clear, though, why there was a need for such haste. This matter was raised in a recent report from the European Economic and Social Committee, a
The directive’s critics also allege that the process was carried out mostly behind closed doors, with the European Parliament merely putting a rubber stamp onto something that was previously decided upon in secret. The trialogue discussions appear to have taken place outside the parliamentary forum, and the European Parliament was asked to confirm a pre-agreed text. (It’s worth noting that even though the European Parliament is elected, it only has partial legislative powers and the Council has the higher authority to legislate.)
The European Economic and Social Committee also raised concerns about privacy, which is set out in EU law as a fundamental and human right. In its view, data gathered under data retention constitutes an invasion of privacy.
It’s not what’s in the directive, but what is left out, that is of concern. The directive is not specific about who can access retained data and the level of authority they need. Nor does it specify security measures or what exactly the data may be used for. Instead, it asks each country to interpret the directive in terms of national law. Thus, some countries will have weaker laws than others, and in those countries without sufficient access controls, individual privacy could be put at risk.
The committee’s views are shared by other experts who believe that there are gaps in the directive in relation to privacy protection. This concern has been expressed by the Article 29 Working Party, the party responsible for data protection supervision in
The opinion is couched in official, diplomatic language. But effectively it calls for EU countries to work together in order to ensure that individual citizens’ privacy will be protected. It outlines seven areas to be addressed. These include putting limits on access, and asking judges to oversee it. The Article 29 Working Party also wants to improve security requirements and prevent the retained data from being analysed by phone companies and ISPs to learn about their customers’ use of telephone and email.
The Working Party’s statement follows an earlier opinion from the Data Protection Supervisor, Peter Hustinx, issued in February. He considers that relying on national law to implement access controls is "insufficient". He also states that phone companies and ISPs are being asked to implement the law, without "the necessary safeguards for the data subject" being in place.
But what’s even more interesting is that certain safeguards were also put forward by the European Parliament. The Committee on Civil Liberties, Justice and Home Affairs published its recommendations last November, before the directive went to the vote. It also asked for fundamental rights to be respected and specified judicial authority over access, and limits on what could be done with the data. These particular recommendations were not taken on board.