Monday, 7 April 2014
Background to the EU Data Retention Directive
By Chris Jones, Researcher for Statewatch
As the fallout from the Snowden leaks rumbles on, the Court of Justice of the European Union (CJEU) will today decide a case (Digital Rights Ireland, Seitlinger and Others that could spell the end for the EU’s Data Retention Directive in its current form. The Directive mandates the mass storage by private companies of individuals’ telecommunications data, in case it is required by law enforcement authorities to investigate cases of serious crime or terrorism.
The judgment follows the handing down of a critical opinion by Advocate General Cruz Villalón in December 2013, which proposed that the Court declare the Directive as a whole incompatible with EU Charter articles 52(1) (limitations on rights “must be provided for by law and respect the essence of those rights and freedoms”) and 7 (right to privacy). This post, based on work undertaken by Statewatch as part of the SECILE project (Securing Europe through Counter-terrorism: Impact, Legitimacy and Effectiveness), outlines the history of the 2006 Data Retention Directive; the key points of the legislation; and its problematic national implementation, which has been the subject of legal challenges across Europe. Two further posts will examine the implementation of the Directive and the challenges to it.
The Data Retention Directive: a brief overview
The 2006 Data Retention Directive obliges Member States to ensure that telecommunications and Internet Service Providers (ISPs) retain various types of data generated by individuals through the use of landline phones, fax machines, mobile phones, and the internet, “in order to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious crime”.The data that must be retained are:
The source of a communication;
The destination of a communication;
The date, time and duration of a communication;
The type of a communication;
Users’ communication equipment or what purports to be their equipment; and
The location of mobile communication equipment.
The retention period is a minimum of six months and a maximum of two years.
Member States decide exact duration as well as the conditions under which it may be accessed.
The European Data Protection Supervisor has called the Directive “without doubt the most privacy-invasive instrument ever adopted by the EU in terms of scale and the number of people it affects,” and it ranks among the most controversial pieces of counter-terrorism legislation the EU has ever adopted. Fierce debate as to its legitimacy and effectiveness has raged since the earliest stages of its drafting to the present day.
The policy-making process
According to the preamble of the Data Retention Directive, the terrorist attacks in Madrid in March 2004 and in London in July 2005 “reaffirmed… the need to adopt common measures on the retention of telecommunications data as soon as possible.” However, law enforcement agencies had been seeking data retention legislation long before the destruction of the World Trade Centre on 11 September 2001, and the Directive does not limit data retention to combating terrorism.
Demands for data retention can be traced back to the “International Law Enforcement and Telecommunications Seminars” (ILETS) held at the FBI academy in Quantico, Virginia, which commenced in 1993 with the aim of developing global “interception requirements” – standards for telephone-tapping by police and security agencies to be provided in all telephone networks.
Following the first ILETS meeting, the very first EU Council of Justice and Home Affairs (JHA) Ministers adopted a Resolution in November 1993 – which was not published – calling on experts to compare the needs of the EU vis-à-vis the interception of telecommunications “with those of the FBI”.
A second EU Resolution based on ILETS’ work was adopted in January 1995 and introduced obligations on telecommunications companies to cooperate with law enforcement agencies in the “real-time” surveillance of their customers. This was never actually discussed by the Council of Ministers. It was adopted instead by “written procedure” (where legislative texts are circulated among ministries and adopted if there are no objections). The Resolution, which was not published in any form until November 1996, formed the basis of the provisions on the interception of telecommunications in the EU Convention on Mutual Legal Assistance of 2000.
ILETS continued every year and in 1999 identified a new problem. Valuable “traffic data” – particularly mobile phone and internet usage records – were being erased by service providers after customers had been billed, a particularly acute issue in the EU because of the recently enacted EC Directive on privacy in telecommunications, which obliged service providers to delete traffic data after its use for billing purposes (usually within three months).
ILETS thus introduced the principle of mandatory data retention regimes that would oblige service providers to keep data for much longer periods. This demand then surfaced in other intergovernmental fora concerned with police and judicial cooperation, such as the G8. The American Civil Liberties Union, Privacy International and Statewatch would later dub this process “policy laundering”: “the use by governments of foreign and international forums as an indirect means of pushing policies unlikely to win direct approval through the regular domestic political process.”
In 2000 the EU decided to update the aforementioned 1997 Directive on privacy in telecommunications to take into account “new technologies” and proposed what would become known as the “e-Privacy” Directive. The draft Directive proposed scrapping the clause obliging service providers to delete traffic data after billing use. As a First Pillar matter (dealing with the functioning of the internal market), the European Parliament had what was then a rare vote on what was effectively a Justice and Home Affairs or Third Pillar issue (police surveillance). Following an extensive campaign by privacy advocates the proposal was rejected. However in 2002, with the events of 11 September 2001 providing a fresh justification, a left-right alliance of the European Socialist Party (PSE) and the European People’s Party (PPE) agreed the e-Privacy Directive and the “data retention amendment”, with the liberals, greens and left parties opposed. This paved the way for Member States to introduce their own optional national data retention regimes.
Yet no sooner was the ink dry on the e-Privacy Directive than a confidential draft Framework Decision on the compulsory retention of subscriber and traffic data for 12-24 months across the EU was circulated among Member States and leaked by Statewatch.
Following widespread criticism of the proposal in European media, the then-Danish presidency of the EU was moved to issue a statement saying that the proposal was “not on the table”.
If not ‘on the table’, the proposal appears to have remained close at hand – following the Madrid train bombings in March 2004, the ‘EU Declaration on combating terrorism’ endorsed the principle of mandatory data retention across the EU.
One month later the UK, France, Sweden and Ireland submitted a revised draft Framework Decision on data retention to the Council. By now, a majority of EU Member States had also introduced national data retention regimes. The EU proposal suffered another major setback when Statewatch published the confidential legal advice of the EU Council and Commission Legal Services, both of which had been withheld from MEPs and the public despite stating that the Framework Decision was unlawful because it had the wrong legal basis. Data retention, said the EU’s lawyers, was a First Pillar issue because it regulated the activities of service providers in the single market.
The European Commission, despite previously opposing data retention, redrafted the proposal as a Directive. This complicated things further. Whereas the European Parliament was only consulted on the draft Framework Decision, with the EU Council free to ignore its opinion, it would now enjoy full powers of “co-decision”. Moreover, during the consultation process on the Framework Decision, the Parliament had voted to reject mandatory data retention because it was “incompatible with Article 8” of the ECHR (protection of personal data).
However, between the defeat of the proposal for a Framework Decision and the publication of the proposal for a Directive, the July 2005 London tube bombings happened. These were used as a fresh justification for an EU data retention law, although the UK prime minister suggested at the time that “all the surveillance in the world” could not have prevented the attacks.
The UK then used its presidency of the EU Council to impose a deadline of the end of 2005 for the European Parliament to agree the measure, with Charles Clarke, UK Secretary of State, lecturing the EP on the need to adopt the proposal. Home Office officials were reported to have told MEPs in private that if parliament failed to do this they “would make sure the European Parliament would no longer have a say on any justice and home affairs matter.”
Led by Privacy International and the European Digital Rights Initiative, 90 NGOs and 80 telecommunications service providers wrote to MEPs, imploring them to reject the measure.
Despite their efforts, the EP finally agreed the measure on 14 December 2005, with another PSE-PPE alliance reversing the position on the draft Framework Decision that the parliament had taken just eight months earlier. The Directive completed its passage through parliament following a single reading, meeting the UK’s demands on the timeframe.
The Council of the EU adopted the legislation by qualified majority, with Ireland and the Slovakia voting against, and the Directive passed into law in March 2006.
Two further observations are relevant to any substantive consideration of the policy-making process.
The first concerns the role of the UK government, which took its attempts to enforce data retention to EU institutions after it had been prevented from a domestic mandatory data retention regime by the houses of parliament. In what appears to be a clear case of “policy laundering”, the subsequent EU Directive, championed by the UK government, was binding on the UK and implemented by statutory instrument, in the form of the Data Retention (EC Directive) Regulations 2007 and 2009.
The second observation concerns the role played by the US government in pushing for mandatory data retention in Europe, bilaterally in its discussions with the European Commission and EU Presidency, and in multilateral fora like the G8. This is noteworthy because at that time there were no corresponding powers in the USA, nor any intention to introduce them.
In place of blanket “data retention”, US law enforcement and security agencies are obliged to seek “preservation orders” from special surveillance courts.
However, recent leaks such as that of the FISA court order imposed on Verizon, demonstrate that US agencies and their special “surveillance court” have interpreted these principles so widely as to cover entire telephone networks and all of their users.
Nevertheless, a more principled implementation of such a regime would be more privacy-friendly than the EU’s current blanket approach.
Opposition to the Data Retention Directive in Europe included advocacy from civil society organisations for the development of this model as an alternative, with judicial supervision to try and ensure that access to private data is necessary and legitimate. This is still the preferred option of the Ministry of Justice in Germany, where implementation of the Directive has been highly controversial and the subject of a Constitutional Court ruling that demanded its redrafting.