EU Data Retention: Access All Areas

Even before the final text was officially published, the directive had been criticised by several of Europe‘s data protection authorities, with safeguards proposed by a European parliamentary committee ignored as the directive was driven hard through the legislative process.

Known as the EU Data Retention Directive, it demands that details of people’s phone calls and emails be stored by companies for up to two years, in case the police or intelligence services require access to them. Intended as an anti-terrorism measure, the directive will be used in investigating terrorism and serious crime. Such records have been used, for example, in the investigation following the Madrid bombings, where mobile phones were used to detonate the bombs. Indeed, the Madrid and London bombings were the catalyst for this legislation: it was driven into law by the UK, which held the European Union Presidency in the period immediately after the 7 July bombings last year.

The data to be stored is what’s known as communications traffic data. This is data about a phone call or email, but not the content of it. For call data it includes the registered owner of the phone, the numbers dialled, the length of a call and, in the case of mobile phones, the location of the caller. For email it includes the registered owner of the email address and the email addresses of their correspondents. Because the stored data offers historic information, it allows an individual’s calling patterns to be tracked over long periods of time. Regular numbers called, and an individual’s network of contacts, can therefore be identified.

In criminal investigations communications traffic data will be used to find out who a suspect is talking to, and how frequently. This information may provide clues as to either the whereabouts of the suspect, or to their connections. Details of web browsing activity will not be collected, nor will the content of emails, so investigators will not be able to learn anything more than names and contact details. It is also unlikely that retained data will be permitted as evidence in court proceedings. It will, however, provide the police or intelligence services with leads for collecting evidence. Further, on the basis of existing international agreements, the data could be accessed by the United Statessecurity authorities, who are already under the spotlight for covertly collecting phone records of US citizens.

Phone companies and internet service providers (ISPs) will be obliged to comply with government demands that they store communications traffic data for up to two years, and to provide access to retained data on request from police or intelligence services. As the directive has travelled through the legislative machinery of Brussels, lobbyists for phone companies and ISPs have raised concerns that financial burdens associated with storing such data will be prohibitive. But they are not the only ones worried.

Privacy authorities and campaigners are concerned that retaining and accessing communications traffic data could constitute an intrusion on privacy. They want strict controls on access to retained data, so that it cannot be used in civil cases such as divorce, or misused by commercial companies.

From a privacy perspective, data retention is part of the wider concern about electronic surveillance and the activities of commercial companies. Many such organisations hold vast amounts of data on individuals in so-called customer relationship management (CRM) systems. UK supermarket chain Tesco has a system which stores all of the products purchased by every one of its ten million Clubcard holders. If you’re a Clubcard holder, it sends you discount offers based on your previous purchases, but it also uses its databases to make decisions about store layout, pricing and stock. Similarly, search engine company Google also holds data on how its users use the web. It has recently been involved in a high profile legal battle with the US Department of Justice over requests for access to that data.

Systems like Google and Tesco Clubcard represent sophisticated advances in data storage, search and retrieval technologies over the past ten or so years. There is a sense in which data retention seeks to take these commercial, technological advances and apply them to public surveillance.

But for individuals, there is always a trade-off. We may not mind a supermarket knowing what we buy if they give us money off other goods in return, in which case we are happy to sign up to a Clubcard or similar scheme. In the public sphere, it’s more complicated. Most of us don’t mind the police having access to phone data when they are investigating a specific incident such as the 7 July bombings. However, we might not like a police investigator looking into our phone calls if we believe we are innocent of any crime. And we might want the right to be informed about it. It’s important therefore that any legislation on data retention achieves an appropriate balance between our right to privacy and the right of the government to use our data for public benefit.

Data retention laws already exist in many EU countries. The UK, Ireland and Italy already have their own national data retention laws, but they are all different in scope and substance. For example, the period for communications traffic data to be stored varies by country from 3 months to 3 years. In the UK, data must be stored for 6 months (internet) or 12 months (telephony). In Ireland, the retention period is 3 years.

EU-wide proposals were first put forward in 1998, but were rejected then for being too draconian. The idea only got real political support in April 2004, after the Madrid bombings. A draft proposal for legislation was put to the European Council by four governments – Britain, Sweden, France and Ireland. But there was no agreement on this proposal and the idea took a back seat while the European Commission looked in to it. The Commission came up with a new draft proposal in September 2005. And, perhaps surprisingly, following a series of amendments, the Data Retention Directive, was agreed in just three months. The final step was a vote in European Parliament on 14 December. It became law on 3 May, following its publication in the European Journal.

Critics – including privacy campaigning groups such as European Digital Rights, the Open Rights Group, Digital Rights Ireland and Statewatch – suggest that the Commission proposal was rushed through the EU legislative process too quickly for proper scrutiny. It was a complex process involving so-called "trialogue" discussions between the European Commission, the European Parliament and the European Council of Ministers.

In EU legal jargon, the directive went through under the "co-decision" procedure. This means that all that was required was the approval of both the Parliament and the Council for the directive to become law. In order to get that approval, there had to be a text that both were agreed on. The British presidency was determined to get it through during its term, and as such the text had to be agreed and voted on before the end of December. It’s not clear, though, why there was a need for such haste. This matter was raised in a recent report from the European Economic and Social Committee, a Brussels advisory committee comprised of legal and other experts. It pointed out that there was no "deadline that necessitate[d] immediate action".

The directive’s critics also allege that the process was carried out mostly behind closed doors, with the European Parliament merely putting a rubber stamp onto something that was previously decided upon in secret. The trialogue discussions appear to have taken place outside the parliamentary forum, and the European Parliament was asked to confirm a pre-agreed text. (It’s worth noting that even though the European Parliament is elected, it only has partial legislative powers and the Council has the higher authority to legislate.)

The European Economic and Social Committee also raised concerns about privacy, which is set out in EU law as a fundamental and human right. In its view, data gathered under data retention constitutes an invasion of privacy.

It’s not what’s in the directive, but what is left out, that is of concern. The directive is not specific about who can access retained data and the level of authority they need. Nor does it specify security measures or what exactly the data may be used for. Instead, it asks each country to interpret the directive in terms of national law. Thus, some countries will have weaker laws than others, and in those countries without sufficient access controls, individual privacy could be put at risk.

The committee’s views are shared by other experts who believe that there are gaps in the directive in relation to privacy protection. This concern has been expressed by the Article 29 Working Party, the party responsible for data protection supervision in Europe. This independent advisory body on data protection and privacy comprised of national data protection commissioners, lawyers and academics and chaired by the German Data Protection Commissioner, Peter Schaar, released an official opinion dated 26 March 2006, that stated that the directive "lacks adequate safeguards" regarding the use of retained communications data.

The opinion is couched in official, diplomatic language. But effectively it calls for EU countries to work together in order to ensure that individual citizens’ privacy will be protected. It outlines seven areas to be addressed. These include putting limits on access, and asking judges to oversee it. The Article 29 Working Party also wants to improve security requirements and prevent the retained data from being analysed by phone companies and ISPs to learn about their customer’s use of telephone and email.

The Working Party’s statement follows an earlier opinion from the Data Protection Supervisor, Peter Hustinx, issued in February. He considers that relying on national law to implement access controls is "insufficient". He also states that phone companies and ISPs are being asked to implement the law, without "the necessary safeguards for the data subject" being in place.

But what’s even more interesting is that certain safeguards were also put forward by the European Parliament. The Committee on Civil Liberties, Justice and Home Affairs published its recommendations last November, before the directive went to the vote. It also asked for fundamental rights to be respected and specified judicial authority over access, and limits on what could be done with the data. These particular recommendations were not taken on board.

This article by Monica Horten was originally published on openDemocracy.net under a Creative Commons Licence. If you enjoyed this article, visit openDemocracy.net for more.