European Council Fails to Compromise on Telecom Data Retention
European national justice ministers Wed. failed agree on requiring retention of Internet and telecom traffic data, instead raising the possibility they'd consider approving a compromise measure floated this week by the European Union (EU) Presidency. After meeting in Brussels, the EU Justice & Home Affairs (JHA) Council said the original framework decision will remain under consideration as an option some nations favor. But, it said, “a majority of delegations were also open to the idea of adopting a directive” if it contains the scope, retention period, costs and review provisions the Presidency suggested.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
Those terms rankle communications services providers (CSPs) who oppose both the draft framework decision and a recent European Commission (EC) directive proposal. The issue is whether telcos and ISPs must store data on communications they carry for possible law enforcement use.
On Oct. 10, the Presidency wrote the JHA Council that problems could flow from questions -- raised by the European Parliament (EP), the EC and the Council’s own legal service -- on the legal basis for the draft Council framework decision. “The measure would be annulled: this could result in claims for compensation from any operator [communications services provider] who had already been obliged to implement the measure,” the Presidency said. It urged ministers to approve a modified directive, saying it would press the EP to okay the measure by year’s end.
Some member states fear mandating retention of data on communications traffic via directive rather than framework decision would set an unacceptable level of harmonization of retention periods and costs, carry implications for EU rules on state aid, and unduly constrain EU law enforcement due to the Community control oversight method, the Presidency said, adding it believes those concerns can be addressed. The directive could offer varying retention periods within the directive’s terms, and refrain from ordering member states to set a compensation mechanism to reimburse CSPs for costs arising from their data retention responsibilities.
The extent to which state aid rules apply wouldn’t change whether the data retention law is a directive or a framework decision, the Presidency said. As for oversight, it said, the Community role simply is to assess national laws to ensure they're compatible with the functioning of a single market. And the directive legally could let member states set longer retention periods for data excluded from the directive.
The Presidency’s compromise negotiating package calls for the directive to include traffic data on fixed-network and mobile telephony; Internet access and communications services such as telephony and e-mail; and unsuccessful call attempts, with an extended implementation period of 2 additional years for Internet data and data on unsuccessful call attempts. The memo noted that 5 nations want an opt-out clause for unsuccessful calls, but said the Council legal service made clear neither a directive nor a framework decision would permit opt-outs.
The compromise has minimum retention periods: 6 months for Internet traffic, 12 months for telephony and a maximum term of 2 years. Each EU country would decide whether to reimburse CSP costs. A fixed technical list would describe data to be stored but review would occur in 5 years to see how the directive is working and whether the list of data should be realigned to reflect changes in technology.
The Presidency proposal, like the framework decision, differs from the draft EC directive in several ways. The EC set fixed, harmonized retention terms (6 months for Internet Protocol traffic, 12 for fixed and mobile telephony). The Council sought a minimum year term for all communications data, allowing for possible exceptions for periods from 6-48 months. The compromise does not mention reimbursement. The EC draft “foresees” a provision requiring compensation to CSPs. As the Council decision does, the compromise posits a fixed list of data to be retained subject to later review, unlike the EC version, which employs the committee process to update the list.
The Council agreed to move work on a data retention measure ahead “urgently,” it said Wed. It instructed its committee of permanent representatives to “finalize agreement on all outstanding issues as soon as possible” and agreed to revisit data retention at its next meeting “with a view to a final decision before the end of the year.” It agreed informal contacts with the EP should continue to find as much common ground as possible on substantive issues.
The Presidency’s attempt to rush lawmakers drew fire from Tony Bunyan, editor of Statewatch, which monitors civil liberties in the EU. “Five member states introduced the proposal 18 months ago (April 2004) and still have not sorted out a number of ‘outstanding questions’ in the Council,” Bunyan wrote. “Now they have the cheek to ‘pursue’ the EP to rush it through on first reading as if it was an uncontroversial measure.” Instead, he said, with the instrument’s legal basis sorted out, the EP should “take all the time it needs to properly consider a measure which will put all the communications of everyone in Europe under surveillance for the foreseeable future.”
The compromise doesn’t resolve 2 key CSP concerns, said Axel Spies, a German lawyer who represents the German Competitive Carriers Assn. (VATM). Telcos still insist that “who orders the piper must pay for the music,” he said, meaning the directive must make clear EU member states bear data storage capital and operational costs. And the compromise mandates data retention periods and data categories far in excess of what providers now store for billing or other business purposes, or what German law enforcement agencies have said they need, Spies said. Instead, data as the Presidency package construes them should only be held for 6 months from the date of the communication.
Data Protection Efforts Said Lacking
The EU drive to boost antiterrorist efforts by easing law enforcement agencies’ exchange of personal data has bids to improve data protection. Last week, the EC floated a draft framework decision aimed at guarding private data against law enforcement zealotry. The draft is part of a package, the 2nd piece of which the Commission unveiled Wed. The proposal would make some existing law enforcement information -- including phone numbers and other communications data -- that are available in a member state accessible to equivalent authorities in other EU countries or at Europol.
The EC data protection proposal “will be analysed in an opinion to be issued a few weeks from now,” European Data Protection Supervisor Peter Husting told us. While it’s important and welcome, “it doesn’t contain any specific safeguards as required in the context of the proposed [EC] data retention directive,” Husting said. In principle, it doesn’t even apply to the interface between law enforcement and telecom providers (and thus has no bearing on whatever data retention measure emerges). “These specifics should be dealt with in the proposed directive, and I am confident that the EP will make amendments to that effect in the course of the co-decision procedure,” Husting said. He earlier criticized the EC data retention proposal as lacking sufficient privacy protection.