Position paper on data retention


Background 

CEPIS has already taken a position on the issue of data retention in its discussion paper dated 01.01.2004. At that time CEPIS had already identified some crucial issues to be taken into account when the EU regulated the issue of retention of traffic and location data. The final text of the data retention Directive [1] was adopted on the 15th of March 2006.

According to Article 14 of the Directive the Commission shall submit to the European Parliament and the Council an evaluation of the application of this Directive and its impact on economic operators and consumers, no later than 15 September 2010.

Introduction

CEPIS has serious concerns with regard to the data retention Directive as follows:

The Directive mentions that the retained data shall be available for the purpose of the investigation, detection and prosecution of serious crime. It does not, however, define what a serious crime is, leaving this task to the national laws of the Member States. As a consequence, some Member States may allow the use of the retained data for very few crimes, while in others the data may be broadly used by law enforcement authorities.

The data have to be retained by providers of publicly available electronic communications services or of public communications networks. The Member States will have to specify who falls under the term “providers of publicly available electronic communications services or of public communications networks” and furthermore specify who will be responsible for retaining which data. The Directive explicitly mentions that data should be retained in such a way as to avoid their being retained more than once. It is not however always evident which provider shall retain the data. This is the case for instance for transit providers, who use IP addresses to provide their services, although they don't have any relation with the end customer. It is still unclear whether they have a data retention obligation, as foreseen in the data retention Directive.

The categories of data to be retained, as well as a detailed list of data concerning fixed network telephony, mobile telephony and internet access, internet e-mail and internet telephony that fall under each category, are included in the text of the Directive. The Member States, during the implementation of the Directive, shall define clearly the data that need to be retained and create lists that can be easily amended so that they can follow the progress of technology. Data concerning internet browsing are not included in the list of data to be retained and content data are explicitly excluded. However traffic and location data can reveal a lot of information about the user and the actual need to retain them has to be reconsidered.

Concerns

CEPIS has expressed its concerns with regard to the fact that data can be stored for up to a two year retention period. Unfortunately, the European Union decided on a retention period of not less than six months and not more than two years from the date of the communication. The actual need for such a long retention period is questioned and furthermore it can be debated whether it is proportional to the goals pursued [2].

The fact that the Member States can choose between a six month and two year retention period and that they can provide for the retention of different data will have a big impact on the industry. Companies with activities in several Member States will have to comply with variable retention obligations and will have to use different systems that will conform to the data protection legislation.

The Directive does not provide for the way the data have to be stored. Whether the data will be stored encrypted and what other protection measures will be used are issues to be decided upon by the Member States or might even be left to the providers.

The security of the storage of the data is an issue of great importance as traffic and location data might reveal valuable information about the identity and the habits of a person. Also relevant is the issue of the retrieval of the data so that they are sent to the competent authorities. Several companies have already developed systems that will assist the providers in the storage and the retrieval of the data.

CEPIS has already identified, in its first position paper on data retention, the importance of defining a process for mutual cooperation between service providers and the authorities. The procedure of how the data will be transferred from the providers to the law enforcement authorities is not described in the Directive. The European Telecommunications Standards Institute (ETSI) is, however, preparing a document, which describes a generic “Handover Interface for the request and delivery of retained subscriber and traffic data from a Network Operator, an Access Provider or a Service Provider to the Requesting Authority”.

Another concern of CEPIS is the fact that the Directive does not discuss the issue of reimbursement of the costs incurred by the providers in order to comply with their data retention obligations. The providers have to invest not only in setting up a system to retain the data, but incur significant operating costs for the retrieval and disclosure of data.

The provisions of the Directive regarding fixed and mobile telephony had to be transposed into the national legislation of the Member States by the 15th of September 2007, while the Member States had the option to postpone the application of the Directive to the retention of communications data relating to Internet Access, Internet e-mail and Internet Telephony until the 15th of March 2009. Currently only a few Member States have transposed the Directive into national legislation.

Recommendations

Based on these findings CEPIS recommends:

1. Member States shall take into consideration the statement made by the Council of the European Union: “In defining ‘serious crime’ in national law Member States shall have due regard to the crimes listed in Article 2(2) of the Framework Decision on the European Arrest Warrant (2002/584/JHA) and crime involving telecommunication” [3].

2. When Member States define which data have to be retained and by which providers, they shall take into account the layered structure of services in the internet, in order to avoid data being retained more than once.

3. Member States are cautioned about how much communication content can be revealed by traffic and location data.

4. Member States shall reconsider adopting a 2 year retention period and opt for a shorter period of time, preferably 6 months.

5. The retained data shall be stored in a way to ensure the security of the data and shall be further transferred to the competent authorities in a secure way.

6. CEPIS supports the initiative of ETSI to standardise the handover interface for the request and delivery of retained data (DTS/LI-00033).

7. Member States shall reimburse the costs of the providers.

8. CEPIS urges the Commission to complete a timely evaluation of the Directive, as it is foreseen in its Article 14, considering the 7 points above.

 

References

[1] Directive 2006/24/EC of the European Parliament and of the Council on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, Official Journal L105, pp. 54-63 (March 15, 2006)

[2] Statement of the European Data Protection Commissioners at the International Conference in Cardiff (9-11 September 2002) on mandatory systematic retention of telecommunication traffic data, available at http://www.datenschutz-berlin.de/doc/eu/konf/02_manda_sys.htm

[3] Council of the European Union, Statements, Council doc. 5777/06 ADD 1 (February 10, 2006)

 
