MEPs have rejected a retention scheme that the Government put forward, writes Karlin Lillington
Attempts to introduce a pan-European data retention scheme - which involves the long-term storage of information sent and received by phone, fax and e-mail - were temporarily foiled in Brussels last week after MEPs voted to reject a proposed framework directive from the Council of Ministers.
But a milder counter-proposal by the European Commission met immediate opposition from the European data protection supervisor Peter Hustinx, who warned that the second proposed directive could be illegal.
To further confuse matters, the MEPs' vote is not binding and the council has the option to impose the framework directive - opposed by business and civil rights groups for being too severe - on member states, many of which have no national retention law.
The council proposal to store data for up to three years, originally put forward by Ireland, Britain, Sweden, France and championed by the British in their current presidency, would require telecommunications and internet operators to fund the storage and management of the huge amounts of data that would be collected annually.
MEPs said they opposed the council proposal because mandatory retention of traffic data for such long periods of time is an invasion of citizens' privacy.
They also argued that the intent and methods of the directive are out of proportion to the threat they are supposed to counter, primarily terrorism, serious crime and child pornography.
MEPs were also annoyed to have the council attempt to impose mandatory retention, which the European Parliament has rejected in the past and which the United States, though understood to have been pushing Europe to adopt as an anti-terrorist policing measure, has not introduced for its own citizens.
The parliament issued a statement after the vote on September 27th, stating: "MEPs want the rules to be proportional to any threat and for the parliament to have an equal say with national government in this area."
MEPs are concerned that national governments will impose data retention laws, regardless of the parliament's position on the issue.
Ireland is a case in point, having introduced mandatory three-year data retention for phone, mobile and fax data in February, one of the longer periods of retention in the EU. Minister for Justice, Michael McDowell, pushed an amendment allowing retention into last February's Criminal Justice (Terrorist Offences) Act in the final hours before it was passed, when few were in the Dáil chamber to debate the unexpected proposal.
For the previous two years, the Department of Justice had promised a separate bill and full Oireachtas debate on retention, after business organisations, internet and telecommunications companies, and human rights and privacy groups expressed alarm at leaked department proposals for up to four years of mandatory data traffic retention.
In addition, then data protection commissioner Joe Meade had threatened to take the Government to the High Court for violating the Constitution for having imposed mandatory data retention secretly in 2002 via a cabinet direction.
Meade also argued that three years was disproportionate and said a retention period of six months - conforming with Irish data protection law - was adequate.
Ireland had pushed for a framework directive on data retention when it held the EU presidency.
One political source said this week that the Government had hoped having the demand for retention come from Europe would defuse it politically and allow them to avoid being blamed for introducing the measure.
However, despite numerous attempts, that proposal never got off the ground during the Irish or Dutch presidency.
The commission's proposal is considerably milder than Ireland's existing national law. It proposes a retention period of one year for phone data rather than the three years of the council's proposal and the Irish law. It also mandates six months' retention for internet data, which currently is not retained under Irish law.
The commission's proposal also says that states would have to carry the cost of managing and storing data, not telecommunications and internet service providers.
However, one Irish legal expert said he expected that the commission would be pressured to drop this part of the proposal, as individual states would not agree to funding retention in this way.
He also expects that while the commission might push for establishing maximum time limits for retention of six to 12 months, the council will pull for those to be minimum periods, with the final decision remaining with the member states.
"The commission is coming out with 'data retention lite' and council will try to toughen it up," he said.
However, Hustinx came out strongly against the commission proposal and hinted that legal action would be pursued if the commission tries to introduce retention.
"This is an incredibly sensitive issue," he wrote in an opinion on the proposal issued last week.
"The directive has a direct impact on the protection of privacy of EU citizens and it is crucial that it respects their fundamental rights, as settled by the case law of the European Court of Human Rights. A legislative measure that would weaken the protection is not only unacceptable but also illegal."
Although the proposal pledges to put all data processing and handling under the supervision of the data protection authorities in each member state, Hustinx said that he did not believe the directive was necessary in the first place. The council is due to meet on October 12th to further discuss data retention.
What the European Commission says about its new data retention proposal; differences from the European Council's proposed framework directive (FD):
• Contrary to the draft FD, the new draft directive proposes harmonised retention periods of one year for fixed and mobile telephony data, and six months for IP-based communication data.
• The FD sets a minimum term of retention for all data categories of one year, but allows for possible exceptions to this for periods between six and 48 months.
• Contrary to the draft FD, the new draft directive foresees a provision which obliges the member states to compensate the electronic communication services providers for additional costs incurred as a consequence of the retention obligation.
• Contrary to the draft FD, the new draft directive foresees the collection of statistics on cases in which data was requested, as well as an evaluation of the instrument and its impacts, taking account of those statistics.
• Neither the draft FD nor the new draft directive are applicable to the content of communications.
Source: European Commission
