The European Commission has finally launched its proposal for a directive on data retention. During a press conference today (21 September 2005), commissioner Frattini underlined how important it was that data retention would be decided in the first pillar, by Commission and Parliament and not by the ministers of Justice in the third pillar. Frattini was confident the proposal would be adopted by the European Parliament before the end of the year. But the happy information feeling didn't last until the end of the conference. When asked by a journalist why the Commission did not include failed call attempts, Frattini said that was indeed an omission, and would be one of the first updates to the list. Failed attempts are important, Frattini said, because law enforcement needs very complete information from the base stations used for mobile telephony. By storing failed call attempts law enforcement gets a complete picture of all the mobile phones that were near a base station at a certain point in time, including mobile phones that were not engaged in a conversation.
The Commission proposal is very similar to the last versions of the proposal from the Ministers of Justice (JHA Council) for a framework decision. The Commission proposal only differs in a shorter retention period: one year retention for data about telephony behaviour, including location data of mobile phones. Internet data should be stored for 6 months. Like the JHA Council, the Commission fails to provide any evidence for the need and benefits of data retention. The Commission repeats meaningless sentences like "It has now become urgent to adopt harmonised provisions at the EU level on this subject."
The purpose of the retention is "the prevention, investigation, detection and prosecution of serious criminal offences, such as terrorism and organised crime." The JHA Council didn't want to limit to purpose to 'serious' crime, but on the other hand, never considered 'prevention' a valid purpose. In that respect the Commission seems to invite law enforcement to start data-mining on a large scale on the travel and communication patterns of completely innocent citizens.
Internet data are defined as "data related to electronic communications taking place wholly or mainly the Internet protocol". In the annex of data to be stored, the required internet data are limited to internet access, e-mail and internet telephony.
But this list of data is completely meaningless, given the procedure the Commission proposes to update this list. Opening a backdoor matching the size of the law enforcement ambitions of the UK presidency, the Commission proposes a flexible procedure to revise the list in 'comitology'. This typical EU procedure means representatives of the member states form a special committee. The European Commission can send proposals to such a committee. In the case of data retention, the Commission has chosen the form of a 'regulatory committee'. If a qualified majority of members agrees, the Commission can send a proposal for drastic expansion of the kinds of data to the Council. Within 3 months they have to decide by qualified majority to reject or adopt the proposal. If they don't agree within 3 months, the Commission may continue and adopt the proposed measure.
In this procedure, the national parliaments are completely excluded and the European Parliament only has a so-called right of scrutiny. If the EP feels a proposed measure "would exceed the implementing powers provided for in the basic instrument", the Commission must re-examine its proposal, but can completely ignore the protest from the EP.
Looking at the Council versions of June and July, a majority of member states still rejects the proposal from Austria to specifically exclude the subject line of e-mails from the list. This is just one example of the pressure that will be exerted on the Commission to weaken the fundamental protection of communication secrecy. On the Internet, the difference between content and meta-data is blurred, a danger many experts have warned about for a long time. Data such as subject lines and surfing behaviour reveal detailed and intimate reading patterns. According to the last working party version of the Council proposal, from 16 September 2005, Belgium, Denmark, Spain, Lithuania and Sweden insist on retention of logs of web browsing, Internet chat and peer-to-peer communications. The Council acknowledges once more all the legal criticism of dealing with data retention in the third pillar, but will return to the framework decision in the last formal JHA Council of 2005, in December, if Commission and Parliament won't have obliged by then. This is phrased as: "During the proceedings, the Council will need to decide if it accepts the approach of a Directive or if it will take measures on data retention on the basis of the draft Framework Decision."
Some slight changes in the final Commission document compared to the previously leaked version are:
-No longer will the Commission consult an advisory forum of data protection authorities and industry for every update of the Annex. In stead, the Member States can decide by themselves in comitology;
-In stead of the providers, the Member States bear the responsibility to provide yearly statistics on the use of retained data to the Commission;
-The Commission -for the first time- says something in public about the results of the consultation procedure in September 2004. But the summary is grotesquely inaccurate when it comes to digital rights organisations. The Commission writes: "In general terms, they questioned whether periods of retention longer than six months can be considered to be proportional. They also expressed concerns about the finality and aims of the retention, which should be clearly specified." In reality, over a 100 digital rights organisations signed the petition from EDRI and Privacy International that objected to _any_ form of systematic retention of data on innocent citizens.
Commission press release (21.09.2005)
http://europa.eu.int/rapid/start/cgi/guesten.ksh?p_action.gettxt=gt&am...
Commission memo (21.09.2005)
http://europa.eu.int/rapid/pressReleasesAction.do?reference=MEMO/05/32...
Leaked Commission proposal for a directive (15.09.2005)
http://www.statewatch.org/news/2005/sep/com-data-retention-prop.pdf
Working party version of the Council framework decision (16.09.2005)
http://www.quintessenz.at/doqs/000100003338/2005_09_16,EU_council_cope...
July version of the Council proposal (29.07.2005)
http://www.statewatch.org/news/2005/sep/eu-data-ret-draft-jul05.pdf
EDRI-gram analysis of first version Commission proposal (27.07.2005)
http://www.edri.org/edrigram/number3.15/commission
Press release EP rapporteur Alexander Alvaro (04.05.2005)
http://www.privacyinternational.org/article.shtml?cmd³³0³=x-347-204208
EDRI and PI response to Commission consultation (15.09.2004)
http://www.privacyinternational.org/article.shtml?cmd³³0³=x-347-103020
FAQ about comitology procedure
http://europa.eu.int/comm/secretariat_general/regcomito/aide.cfm?page=...