Out-Law / Your Daily Need-To-Know

Commission to restrict data retention proposals

Out-Law News | 02 Jun 2005 | 5:37 pm | 3 min. read

The European Commission is shortly to put forward proposals for EU data retention legislation that will limit the retention period to one year, Information Society and Media Commissioner Viviane Reding announced on Tuesday.

Her remarks come a few days after an influential committee of the European Parliament recommended that the current proposals be rejected. MEPs are due to vote on the issue next week.

The existing proposals date back to April 2004, when the UK, France, Ireland and Sweden published a draft Framework Decision setting out provisions for the creation of an EU-wide system of retaining communications data – data that identifies the caller and the means of communication (e.g. subscriber details, billing data, e-mail logs, personal details of customers and records showing the location where mobile phone calls were made) but not the content of the communications.

The draft Framework Decision

In general terms, the draft excludes the retention of the content of exchanged communications, although it does not define what "content" actually is. It also allows Member States to opt-out if they do not find the purposes behind the draft sufficient to make the retention acceptable.

The draft, as amended by the Dutch presidency of the EU, proposes a minimum period of data retention of 12 months and leaves any maximum limit to the discretion of Member States.

Provisions are also made for the access by one Member State to data retained by another Member State. Data protection safeguards are included, and there is an obligation on each Member State to ensure the security of the data retained.

The opposition

A draft European framework Decision on data retention has been discussed for years, much to the concern of civil liberties groups. In 2003, human rights group Privacy International obtained a formal legal opinion on the proposals – which suggested that the draft Decision was unlawful, because it breached the Convention on Human Rights.

In November 2004, the EU Data Protection Working Party, an independent EU advisory body, issued a negative preliminary Opinion on the draft Decision.

"The routine, comprehensive storage of all traffic data, user and participant data proposed in the draft decision would make surveillance that is authorised in exceptional circumstances the rule," said the Opinion. "This would clearly be disproportionate. The draft framework would apply, not only to some people who would be monitored in application with specific laws, but to all natural persons who use electronic communications."

Nor was the Working Party convinced that data needed to be retained for longer than six months – as opposed to the 12-month minimum period envisaged in the Decision. So far, said the Working Party, law enforcement agencies have failed to show why such far-reaching measures are necessary.

Last week, the European Parliament's Civil Liberties Committee reached a similar conclusion.

In a report drafted by liberal MEP Alexander Nuno Alvaro the Committee recommended rejecting the proposal due to sizable doubts on the choice of the legal basis and the proportionality of the measures.

"The ends do not justify the means, as the measures are neither appropriate nor necessary and are unreasonably harsh towards those concerned," says the report. "Given the volume of data to be retained, particularly internet data, it is unlikely that an appropriate analysis of the data will be at all possible."

The report demands that the Member States produce a study proving the unquestionable need for the proposed data retention arrangements. It also suggests checking whether the Decision's objectives might be better achieved by implementing the Council of Europe's Convention on Cybercrime – the first international treaty on criminal offences committed against or with the help of computer networks.

The European Parliament is due to consider the report on 7th June.

The Commission's view

According to Reuters, the European Commission has now made it clear that it will recommend a maximum retention period of one year, when it puts forward its proposals on data retention in the next few days.

A longer retention period would place a huge burden on ISPs and telcos, said Commissioner Reding.

The Commissioner confirmed that she and Justice, Freedom and Security Commissioner Franco Frattini, would make replacement proposals to those put forward last year, on the grounds that any harmonisation of EU data retention laws should be made by the Commission rather than individual Member States.

This way the legislative process would also be more transparent, as it would require the approval of the Commission and Parliament, the Commissioner told Reuters. Under the current procedure, MEPs can only give their views on the proposals.