Out-Law News 3 min. read

MEPs approve Data Retention Directive

The European Parliament yesterday approved a draft Directive on data retention that will see ISPs and telcos retain phone and internet records for up to two years for use in investigation of criminal and terrorist offences.

MEPs had been under pressure to approve the proposals, which have formed a key part of the agenda of the UK Presidency. The UK Presidency comes to an end in the New Year, and Home Secretary Charles Clarke had made it a priority to reach agreement on the Directive before the handover.

MEPs had already rejected the data retention proposals on two previous occasions, leading to a threat from Ministers that the Council would push through its own proposals if the European Parliament could not approve a compromise draft by the end of the year.

Backroom talks ensued and yesterday – with 378 votes in favour, 197 against and 30 abstentions – MEPs voted to adopt the Directive.

But the adopted Directive represents a compromise position and differs in several ways from proposals approved by the Parliamentary Civil Liberties, Justice and Home Affairs Committee late last month.

German rapporteur Alexander Nuno Alvaro, who had led the Parliamentary discussion of the draft Directive, was so unhappy at the final approved draft that yesterday he withdrew as rapporteur to the Directive.

The Directive

In general terms the Directive sets out an EU-wide system of retaining communications data – data that identifies the caller, the time and the means of communication (e.g. subscriber details, billing data, e-mail logs, personal details of customers and records showing the location where mobile phone calls were made).

It does not allow for the retention of the content of the communications, but will retain details of connected, but unanswered calls. These, according to the Government, can be used as signals to accomplices or used to detonate bombs.

The inclusion of these so-called “lost” calls is controversial, and had been one of the sticking points between MEPs and Ministers. MEPs were concerned that telcos do not currently register such calls, because no bills are issued in respect of them, and it would be expensive for these firms to adapt their systems.

Under the approved proposals, the data will now be retained for a minimum of six months and a maximum of 24, and will be made available to the police and judiciary in order to investigate terrorism and serious crime. The data retained will only be disclosed in specific cases and will be subject to strict data protection rules. Any abuse of the data will be subject to sanctions.

MEPs also backed down on a requirement that Member States should be obliged to reimburse telcos and ISPs for the costs involved in retaining, storing and accessing the data. The approved Directive now leaves this issue up to the individual Member States.

Member States could begin implementing the new legislation as early as next year.

The Reactions

Home Secretary Charles Clarke welcomed the news.

"Agreement on retaining communications data places a vital tool against terrorism and serious crime in the hands of law enforcement agencies across Europe,” he said. “Modern criminality crosses borders and seeks to exploit digital technology. The measure is an important step in delivering the right to citizens across the EU to live in peace and free from the negative impact of terrorism and serious crime.”

Vice-President Franco Frattini, European Commissioner responsible for Justice, Freedom and Security, called the agreement a “victory for democracy, a victory for our EU citizens, and a victory for the fundamental rights and its constituting 25 Member States, are based upon.”

But others aren’t so happy.

According to reports, the Irish Government is planning to challenge the new Directive in the European Courts, on the procedural grounds that the proposals should have been pushed through by the Council alone.

There are various methods of creating legislation in the EU. One of these, as in this case, takes the form of a Commission-led Directive, which requires the approval of the European Parliament and a majority vote in the Council of Ministers.

Another method, which is usually used in dealing with security matters, is through a Council-led process, which requires a unanimous vote in the Council, and a non-binding opinion from MEPs.

The Irish Government, which wanted more stringent measures, is unhappy that it had no veto in what it regards as a security matter, according Euobserver.com.

ISPs are also worried. Speaking to The Register, a spokesman for the UK Internet Service Providers' Association (ISPA) said: “We are concerned that ISPs may have to foot the bill for mandatory data retention. ISPs are not law enforcement agencies so they should not have to pay for it all.”

Rights groups have their own concerns about the new legislation.

Privacy International's Senior Fellow Dr. Gus Hosein, said: “It is no surprise that governments introduce harsh laws after terrorist attacks. But what is surprising when you compare the surveillance laws in Europe and the US you find that the EU always goes further.”

“The EU plans to fingerprint all of its citizens, monitor all communications transactions, surveil all movement and travel,” he warned. “All these policies have been rejected by the US but are now law in Europe. The EU and some of its member states may paint the US as a monster when it comes to anti-terror powers and civil liberties but they need to look into the mirror every now and then."

Privacy International yesterday released a report comparing the US and EU anti-terrorism approaches. 

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.