Commission confirms illegality of Data Retention Directive
This article is also available in:
Deutsch: Kommission bestätigt Widerrechtlichkeit der Vorratsdatenspeicherung
The EDRi-member Quintessenz - Austria has published a leak of an internal paper from the Commission intended to inform DAPIX, the Council's working party on information exchange and data protection, of the results of the Commission's consultation in April 2011 on the reform of the Data Retention Directive (DRD). It raises a number of issues with the Directive that the Commission wishes to tackle in order to cast it in a better light. The Commission admits that "there is a continued perception that there is little evidence at an EU and national level on the value of data retention in terms of public security and criminal justice, nor of what alternatives have been considered". It then asks at the end of the document: "What are the most effective ways of demonstrating value of data retention in general and of the DRD itself?"
The origin of the "perception" that there is little evidence existing as to the value of the Directive is shown by the Commission's statement that only 11 of 27 Member States have provided data that could be used in order to highlight the added value of the Directive. Legal uncertainties that have been overlooked during the drafting process of the Directive are now posing a certain number of problems for the Commission.
In the document, the Commission acknowledges for example the lack of a "logical separation between data stored and then accessed for a) business purposes, b) for purposes of combating 'serious crime' and c) for purposes other than combating serious crime" and the lack of a monitoring system showing "data (that) would not have been available to law enforcement without mandatory retention". The question of distinguishing between data retained for business purposes from data retained under the Directive is asked but left unanswered.
The Commission also states that unclear definitions in the DRD have led to service providers storing instant messaging, chats and filesharing details even though these types of data are outside the scope of the Directive. It is often unclear to businesses in the telecommunications sector which data should be stored. Law enforcement agencies have apparently lobbied the Commission for a "technological neutrality" of the Directive to ensure a broad "ability to know who communicated with whom, when, where and how" - despite, it appears, being able to justify the retention of the data already being stored.
Moreover, the paper repeats EDRi's concern regarding the "serious crime" limitation, which is not defined at EU level or in many Member States, and regarding the lack of a clear limitation of the purposes for which data is being retained. It states that there have been many demands for the extension of the use of data to copyright infringements or for such vaguely defined offenses as "hacking" and "urgent cases". According to the document, the Directive has also led to an unclear situation for citizens due the absence of a procedure for reporting and redressing data breaches and the absence of a monitoring system to know who actually accessed the data.
Furthermore, the Commission states that, depending on the country, there is no or only a very low reimbursement of storage costs, which leads to a distortion of the free market. Especially the costs for small businesses are being rated as "disproportionately high". This also means that countries having implemented the Directive will have an economic interest and will pressure other countries into implementing data retention.
In order to justify limitations of fundamental rights, such as the right to privacy and to data protection, measures must be necessary and proportionate. The leaked document however shows that the Commission can neither prove necessity nor proportionality of the Data Retention Directive - but still wants to keep the Directive. Despite unending implementation problems and proven failure of the current Directive, the Commission is maintaining its pressure on Member States that have not already implemented the Directive, to do so.
The Commission is currently examining the possibility amending the Directive and is conducting a study on data preservation ("quick freeze") which is due for May 2012.
Leaked Commission document (15.12.2011)
Commission's DRD implementation report (18.04.2011)
EDRi's Shadow implementation report (17.04.2011)
(Contribution by Kirsten Fiedler - EDRi)