Prove data retention law's usefulness or repeal it, says EU privacy chief

Out-Law News | 07 Dec 2010 | 1:50 pm | 2 min. read

The Data Retention Directive is the most privacy-invasive piece of legislation ever adopted by the European Union and has never been fully justified, Europe's top privacy watchdog has said.

European Data Protection Superviser (EDPS) Peter Hustinx said that a European Commission review of the law must make the case for its very existence. If the law cannot be shown to have achieved results it must be repealed, he said in a speech (6-page / 35KB PDF) to a conference on the issue.

The Data Retention Directive tells countries to pass laws ordering phone and internet companies to keep a record of usage of their services for between six and 24 months. The information, which does not include the content of communications, can be used by law enforcement authorities investigating serious crime.

The Directive is currently subject to a review and Hustinx has used a speech to call on the European Commission to demonstrate its worth in solving serious crime or repeal it.

"Retaining communication and location data of all persons in the EU, whenever they use the telephone or the internet, constitutes a huge interference with the right to privacy of all citizens. The Directive is without doubt the most privacy invasive instrument ever adopted by the EU in terms of scale and the number of people it affects," he said.

Hustinx said that it was not enough for this retention to be "useful". It must be "strictly necessary" for the solving of the crimes, meaning that no other measure will achieve the same result.

"It is still highly doubtful whether the systematic retention of communication data on such a wide scale constitutes a strictly necessary measure," he said. "Alternatives which are less privacy intrusive, taking a targeted approach, have always been available."

"The issue is in fact not whether access to some telephone and internet data may be necessary in the combat of serious crime, but whether this requires that traffic data of all citizens are retained routinely for periods up to two years?" he said.

The review of the law should expose the actual numbers of cases in which the Directive was necessary for the solving of the case. It is on this evidence that a decision whether to keep the Directive in force or not should be made, he said.

"At the moment, the Directive is only based on the assumption that it constitutes a necessary and proportionate measure. However, the time has come to actually provide sufficient evidence of this," said Hustinx. "Without such evidence, the Data Retention Directive should be withdrawn or replaced by a more targeted and less intrusive instrument."

Hustinx said that a loophole in the Directive allowed for interpretations which enabled countries to order the use of retained information for purposes other than the investigation of serious crime. He said this should not be the case.

"In my view, the possibility of such an interpretation undermines the purpose of the Data Retention Directive - an internal market instrument - which intends to create a level playing field for business, based on an equal and effective level of protection of the privacy of citizens and other users across the EU," he said.