This article is also available in:
Deutsch: ENDitorial: Vorratsdatenspeicherung – den Mutigen gehört die Welt

Six years ago, as a result of pressure from the UK, the European Union adopted the Data Retention Directive. The measure was intended to harmonise the EU single market for telecommunications, requiring all EU operators to retain data for the purposes of “investigation, detection and prosecution of serious crime,” including terrorism. Member States were placed under an obligation to produce statistical information about the use of such data, with an evaluation report planned for September 2010.

None of the elements of that plan has been achieved: The evaluation report which the Commission was legally obliged to produce by September 2010 was finally released in March 2011. Despite the fact that the legal basis of the Directive is the creation of a “Single Market”, the report produced a long list of examples of how the Directive has failed to harmonise the single market – to the point of probably having created new barriers. The report also shows that several EU Member States have no definition of “serious crime”, meaning that the core safeguard against disproportionate use of the data has no agreed meaning. Finally, the report illustrates that the Member States have, with very few exceptions, failed to live up to their obligation under the Directive to provide statistical information.

In the context of the lamentable failure of the Directive, Commissioner Cecilia Malmström has taken the only decision available to her. She has decided to review the legislation and her services have recently completed an “impact assessment” which details the various policy options available to her. In order for a new proposal to become law, it would need to be approved by a majority of Member States (based on a complicated weighted voting system) and a majority in the European Parliament. It is the mathematics of this process which makes the Commissioner's choice a very difficult political one.

Whatever solution is found also needs to deal realistically with the fact that the “e-privacy Directive” (Article 15) recognises a right for Member States to introduce data retention with very vague, unclear safeguards. The uncertainty and confusion created by that provision (also a UK initiative) was illustrated in the recent Bonnier Audio case in the European Court of Justice (Case C-461/10). Even a full repeal of the Data Retention Directive would not stop Member States from exploiting that loophole to impose retention measures and maintaining their confused, disproportionate and counterproductive domestic legislation. The repeal of Article 15 of the E-Privacy Directive is therefore the only logical policy – and internal Commission politics (the e-Privacy Directive is not administered by Commissioner Malmström's services) should not stop this from happening.

Once that essential step has been taken, the Commission has four options: it can do nothing, it can propose minor reforms that it knows the Council will accept, it can propose major reforms or it can repeal the Directive.

Option 1: Do nothing

On 3 May 2009, Commissioner Malmström took a personal oath to uphold the European Charter of Fundamental Rights. The Charter includes Article 52, which says that restrictions on fundamental rights are only permissible if they “necessary and genuinely meet objectives of general interest recognised by the Union.” It is impossible to read the Commission's implementation report of the Directive and conclude that there is any possibility that this requirement is currently being met. Doing nothing also does not solve the problem that the Data Retention Directive is a “single market Directive” that has not harmonised the single market and cannot do so in its current form.

Option 2: Minor reforms

Similarly, proposing minor amendments would be expedient and is definitely a politically attractive option. The Commission could propose measures that it knows the Member States would accept, such as a small reduction in the maximum retention period and some others, like cost-reimbursement for operators, which the Member States would not accept. The Commission would then have “clean hands” and could blame the Member States for not accepting all of its “reforms”. This approach also comes with considerable risks. In particular, the European Parliament is somewhat unpredictable on this dossier. On the other hand, the UK, which single-handedly pushed through the initial Directive, is now proposing even more extreme measures, such as the creation of vast silos of communications data – a 1.8 billion pound set of databases of essentially every online interaction of every citizen. As a Liberal, Commissioner Malmström would hardly like to be remembered as the Commissioner whose legislative proposal has led to EU-wide surveillance of a scale that would have shocked Orwell.

Option 3: Major reforms

While keeping data retention, the Commission could propose big reductions in retention periods, to bring them approximately in line with technically necessary retention of data (for billing and network security purposes). The problem with this approach is that it would generate huge opposition among the Member States in the Council. One of the unwritten rules in the Council is that, if two large Member States are opposed to a proposal, it is not even put to a vote. Currently, three large Member States (UK, France, Italy) are vehemently opposed to any significant reform. Despite the difficulty of the task, overturning a big majority would however show leadership, show that the Commission does respect the Charter of Fundamental Rights and show due deference to the legal framework of the European Union more broadly. A strong leadership from the Commission supporting fundamental rights stands a good chance of support from the European Parliament, which would help put pressure on the Member States.

Option 4: Repeal

All other things being equal (Ceteris paribus), getting enough political support from the Council and the Parliament for a repeal of the Directive faces as many barriers as a major reform. However, there is now a referral of data retention to the European Court. The court has already expressed concern about the legality of data retention. In the Telefonica/Promusicae case, the Advocate General questioned whether “the storage of traffic data of all users without any concrete suspicions – laying in a stock, as it were – is compatible with fundamental rights”.

With the background of the ECJ referral, the failures of the Directive to achieve its goals and the European Parliament's long-standing antipathy to the principle of Data Retention, existing doubts in the European Court about the legality of data retention, a repeal is not as extreme as it sounds. Solving the single market and predictability problems created by a repeal of the Directive will be less challenging than solving the single market and predictability problems created by the continuing existence of the Directive.

In any event, one thing is clear, the easiest solutions for Commissioner Malmström are the least defensible. Courage is needed.

(Contribution by Joe McNamee - EDRi)