EC Decision to Revamp, Not Reject, Controversial Data Storage Law Angers Civil Rights Advocates
Telephone and Internet traffic data storage “has proved useful in criminal investigations” but the EU data retention directive needs reworking, EU Home Affairs Commissioner Cecilia Malmström said Monday. A European Commission evaluation of how the measure is working found wide-ranging differences in how it’s adopted and used across the EU, which Malmström said she'd remedy in amendments, but also general agreement by governments that it’s helping guard against serious crime. But civil rights advocates flayed the EC for recognizing the law’s failings but refusing to find a less privacy-invasive alternative.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
Overall feedback from EU nations during the review was that the directive is necessary and, in specific cases, crucial, Malmström said at a press briefing. But there are no EU-wide statistics on whether crime has dropped as a result of it, she said. Adoption of the directive into national law is “uneven,” with major differences in the purposes for which it’s used, how the traffic data is accessed, how long it’s held, how personal data is protected and secured, and how statistics are kept, the EC told the European Council and Parliament. Constitutional courts in Romania, Czech Republic and Germany have thrown out the national legislation and not all 27 EU nations have even adopted the directive yet, it said.
The law has failed to harmonize data storage rules, creating problems for telecom operators, the EC said. The obligation to retain and retrieve data is a substantial cost to telecom and Internet service providers that differs from country-to-country, it said. And while there are no concrete examples of serious privacy breaches, the risk of data security incidents will remain without better safeguards, it said.
Future revisions will ensure that retention requirements are proportionate to the goal of fighting serious crime and terrorism, the EC said. It will also recognize that any limitations on the right to personal data protection should apply only when necessary, it said. An impact assessment will gauge the implications of tougher storage, access and usage rules to law enforcement needs, privacy and costs to public administrations and operators, it said.
Among other issues the impact assessment will tackle are more consistency in and possibly shorter periods of mandatory retention, now six months to two years, and limits on the authorities authorized to access the data, the EC report said. The number of categories of data to be stored may be reduced and metrics and reporting procedures introduced to allow comparisons and evaluations of a future law, it said. The EC is now in “listening phase” with stakeholders, Malmström said. It’s too early to say what changes it will propose and when, she said. It’s better to get it right than fast, she said.
The report shows that the directive “has failed on every level,” European Digital Rights (EDRI) said in a counter-evaluation. It hasn’t respected citizens’ rights, harmonized the single market or proved necessary to fight serious crime, it said. The European Data Protection Supervisor called the directive “the most privacy invasive instrument ever adopted by the EU,” EDRI said. Moreover, many of the countries the EC polled for its review were unable to provide any relevant statistics about the law’s effectiveness, and those that did said the vast majority of data used by law enforcement agencies would have been available without it, EDRI said.
The measure has created a patchwork of national laws, with some countries retaining data four times longer than others, some reimbursing operators’ capital investment and others paying nothing at all, it said. Some lack a process for deleting the data and verifying the deletion when the retention period ends, it said.
EDRI urged the EC to “reject dogmatism” and pressure from governments by getting rid of blanket and indiscriminate telecom data withholding. Instead, it said, the EC should opt for a system of expedited preservation and targeted collection of data for use in specific investigations, an idea that’s part of the Council of Europe cybercrime convention.
Malmström rejected the idea of blanket data storage in 2005, said the German working group on data retention. She said then that she was unconvinced by the arguments in its favor and worried about its privacy implications, the organization said. Now, however, she has admitted to mistakes and risks while avoiding the “only credible conclusion,” which is to give up the concept of indiscriminate data retention without cause, it said. The EC report is a “political document,” not an independent and scientifically sound analysis, it said. The European Court of Justice is expected to throw out the directive in 2012 for violating the European Convention on Human Rights, it said.
The EC clearly intends to go ahead despite growing criticism from constitutional courts and civil society, said Internet regulation consultant Innocenzo Genna. The telecom industry has been “quite prudent” until now, choosing to fight only to limit the scope of the directive and for reimbursement of costs, he said in an email. But the report is unsatisfactory on the latter point, “so one could argue that this approach may change,” he said.