Telecommunication data retention
EDRI has obtained secret documents in preparation of a Declaration against Terrorism that will be published during the Spring Summit of EU heads of state. The draft from the Irish presidency specifically mentions the need to prioritise mandatory data retention for GSM and internet providers. The Commission input for the Summit, issued a few days earlier, does not mention data retention, but proposes many other measures that will have a chilling effect on the daily lives of European citizens and their freedom to travel and communicate.
The desire for mandatory data retention was already expressed last week, on 19 March, during an emergency meeting of the EU's Justice and Home Affairs ministers in Brussels. Following a German initiative, the ministers discussed a catalogue of measures in the fight against
EDRI has obtained a confidential draft declaration on fighting terrorism for the EU Spring Summit, which will be held in Brussels on 25 and 26 March. The draft plans mandatory data retention of communications traffic data by service providers.
On Friday 12 March the German Parliament (Bundestag) will discuss the proposal for a new Telecommunication Law in second and third reading. The government coalition (made up of Social Democrats and Greens) has softened many of the proposed new telecommunication surveillance powers.
There won't be mandatory general data retention and the costs of handing-over data about customers will be reimbursed on a case-by-case basis. Also, the idea - introduced in the draft of 15 October 2003 - to introduce mandatory identification for pre-paid phone-cards is gone. (See an earlier report in EDRI-gram 21)
Originally the Bundesrat, the council of the federal states, demanded that service providers should store all data about all the telecom activities of their users for a period of 6 months, including for example information
The UK Government has given a guarded welcome to a review of its data retention powers. The review came from the Newton Committee, which was set up by the Anti-Terrorism, Crime and Security Act 2001 that created these powers.
The Committee, even though empowered to revoke some powers, supports the principle of data retention for up to a year. The review recommends some changes to the form of the legislation, widening the scope from fighting terrorism to the more general area of serious crime.
The Government has just published a response to this review, which agrees with the proposal to move retention from anti-terrorism to general legislation. It suggests that the most appropriate location for the powers would be in an addition to the Regulation of Investigatory Powers Act 2000, which already governs access by authorities to stored
On 28 January 2004, the Italian Lower House approved of a governmental decree-law on mandatory data retention by telephone and internet companies. Government issued the decree on 24 December 2003, without any prior parliamentary debate. All data about electronic communications must now be stored for a period of 5 years.
According to the privacy-group ALCEI, the new law isn't much more restrictive, or mischievous, than rules and practices that were already into force or are likely to follow. "The decree is messy, poorly conceived and confusing - hastily put together to amend the previous one (from June 2003) that made data retention compulsory but (for alleged 'privacy' reasons) set a limit of 30 months."
In the new decree, the retention period is extended from 30 to 60 months. The older data must be separately accessible and usage is limited to particularly serious crimes including kidnapping, organised crime and terrorism, as well as crimes against IT or online systems.
On 13 November, the UK House of Lords unexpectedly approved a very controversial 'Snoopers' Charter'. The three pieces of secondary legislation approve a 'voluntary' data retention scheme, and give a long list of government agencies self-authorised access to phone and Internet logs.
Throughout the debate it appeared that the government's proposals to place every UK email and phone account under surveillance was doomed. Conservative, Liberal Democrat and Cross Bench peers had vowed to oppose them. The Joint Human Rights Committee of the Parliament had expressed 'grave reservations' about the plans. Independent legal analysis had ruled them unlawful. Grim faced Home Office Officials sitting in the Advisors Box of the Lord's had admitted they were expecting the worst.
A legal opinion commissioned by EDRI-member Privacy International and provided by the law firm Covington & Burling concludes that mandatory data retention plans in the EU are unlawful.
The opinion, which relates to an EU framework directive on the retention of communications data, has profound ramifications for ten EU states that have implemented, or are planning to implement, measures to place communications users under blanket surveillance.
The opinion states: "The data retention regime envisaged by the (EU) Framework Decision, and now appearing in various forms at the Member State level, is unlawful.
Industry and human rights campaigners have condemned new data retention proposals from the UK's Home Office (Ministry of Internal Affairs).
The draft Statutory Instruments (secondary legislation) would approve 'voluntary' retention by Internet Service Providers, but preserve the power of the Home Secretary to impose a compulsory code. Data on customers would be retained for up to 12 months, and could be accessed by a large number of government bodies for many different purposes. While the 'Snoopers Charter', that enabled access for almost every government-related agency was officially withdrawn in June 2002, the new proposals show no change of heart.