Data Retention Directive

The Data Retention Directive compels communications service providers routinely to capture and archive information detailing the telephone calls, web surfing, e-mail messages and other communications of their users.

The vote on the final resolution was adopted in the European Parliament by 378 votes in favour to 197 against, with 30 abstentions.

The Directive remains highly controversial and has been rejected as unconstitutional in several member states. In others, access requirements have been successfully challenged.

The Directive is being challenged at the European Court of Justice by Digital Rights Ireland on human rights grounds, and the case is due to be heard within 18 months (from when?). An earlier ECJ ruling on the legitimacy of the process by which the Directive was adopted failed.

Main provisions

According to EU Law, under the 2006/24/EC Data Retention Directive, all members states are required to retain for between 6 and 24 months all data necessary:

To trace and identify the source of a communication;

To trace and identify the destination of a communication;

To identify the date, time and duration of a communication;

To identify the type of communication;

To identify the communication device;

To identify the location of mobile communication equipment.

The UK has discussed going above and beyond EU Law by retaining third party data whereby communications made through websites such as GMail and Facebook would be monitored(still the traffic data, not the content).

It is important however, to consider the European Convention of Human Rights, in particular Article 8 where this statement is found:

1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

Does the Data Retention Directive go against this principle? Many say it does. Including us.

Summary of issues with the directive

Retaining traffic data makes it possible to reveal who has been calling and e-mailing whom, what websites people have visited and even where they were with their mobile phones. Telephone companies and internet services providers must store all specified traffic data of their customers. Police and intelligence agencies in Europe are granted access the traffic data. No safeguards are stipulated by the Directive.

The gathered data can be made available without special warrants, and without limit to certain types of crime. There is no independent evaluation, and no extra privacy and no specific security safeguards. The data will be retained for periods ranging from 6 months upwards.

Implementation into UK law

The data to be collected is specified in this Statutory Instrument.

Review of the Directive 2011 onwards

The Commission reviewed the Directive and its implementation starting in 2011.

Challenges and non-implementation

Norway (expected)

A further challenge is expected in Norway, where an organisation called Digitalt Personvern (Digital Privacy) has collected NOK 800,000 in order to challenge the measure in their courts when implemented.^[1]

Austria December 2012

The Austrian Constitutional Court has referred the Directive to the ECJ to see if it is compatible with the EU Charter of Fundamental Rights^[2] The case was brought by over 11,000 citizens.^[3][4]

Sweden: non-implementation

Sweden refused to implement the Data Retention Directive for a long period, finally adopting it on 21 March 2012.^[5] It came into effect on 1 May 2012.

Ireland February 2009: first ECJ challenge

Ireland (in February 2009) and Slovakia (on a different date) both issued a legal challenge in 2008.^[6]

The challenge was based on the process by which the directive was passed by the EU, claiming it didn't go through the proper channels for the type of legislation it was. The directive was passed in the way bills relating to private financial interests are passed, and Ireland and Slovakia argued that it affected policy and justice, and so should have been put through the scrutiny associated with bills in that category.

43 NGOs (Including ORG) from 11 countries across the EU sent a brief to the European Court of Justice setting out our concerns in light of the Irish and Slovakian (in particular the Irish) cases against the directive.^[7]

The European Court of Justice sided with the European Commission, saying that in fact the bill was not one regarding policy and so passed through the proper channels. However, they made it clear that they were not ruling on human rights issues so left the door for a future challenge on those grounds (see below).

Romania October 2008

Romania's constitutional courts appear to be blocking the directive.

The courts said that the Data Retention Directive directly conflicted with the citizen's fundamental right to secrecy of correspondence enshrined in the Romanian constitution and heavily implied in Article 8 of the European Convention of Human Rights.

Bulgaria 11 December 2008

Bulgaria's Supreme Administrative Court made the same ruling when the Access to Information Program filed a lawsuit against the legislation. The lawsuit was brought to a lower court and overturned, but this decision by the Supreme Administrative Court can not be subject to appeal, and so is final. The court said that the directive was not in compliance with the Bulgarian constitution, nor ECHR, and did not provide sufficient safeguards to protect personal data from misuse.

Germany early 2010

And similarly, Germany's courts have made a similar decision and are challenging the directive.^[8] The German Federal Constitution Court has ruled that the German law introduced to implement the directive is not in accordance with privacy rights that are guaranteed by the German Constitution, but the court said that the law can be amended to become constitutionally acceptable. The courts said that there were not enough safeguards to prevent misuse of citizen's personal data, and that the German data protection commissioner should have oversight of the operation. It was a class action suit brought to the court by 35 thousand German citizens, and was successful. The law as it was passed in 2008 must be amended before it can be put into action again.

In April 2012, the EU Commission warned Germany that they could be fined for failing to implement the Directive.^[9] Politicians in Germany were warned that requirements for "quick freeze" (retention after identifying a suspect) would not amount to transposition of the Directive.

Czech Republic March 2011

The Czech Republic rejected the Directive as unconstitutional in March 2011. They are however now reconsidering introducing it after the EU Commission threatened Germany with fines.^[10]

Data requests have dropped tenfold, while crime detection rates have increased, according to Luridicum Remedium (LuRe), analysing police data.^[10]

Cyprus February 2011

Cypriot courts rejected the local implementation of the Directive as unconstitutional on 1 February 2011.^[10][11] They resricted their judgement to matters that weren't required in the Directive, specifically means of access. The court ruled that access by police through courts to the data was in three cases illegal, and annulled the requests for access.

Ireland May 5th 2010 onwards: Irish High Court case and referral to ECJ

On May 5th 2010 the Irish High Court ruled against the Data Retention Directive in a case brought forward by Digital Rights Ireland.^[12] The court ruled that DRI was a legitimate group representing the public interest and arguing for a serious and "fundamental public importance". For the same reason potential costs were also waived by the court in the case of DRI losing.

The High Court recommended that the case be brought before the European Court of Justice for review, which could have serious implications across the EU. It is currently in the process of being heard by the European Court of Justice, but no judgment has yet been made over the issue.^[13]

A decision could be expected within 12 to 18 months, though this may depend on whether the ECJ decides the matter as a Grand Chamber rather than a smaller chamber.

Article 29 Data Protection Working Party on Data Retention

The Article 29 Data Protection Working Party regularly submit briefs and consultations on Data Retention and other related subjects.^[14]

Action you can do to help

Sign the stopdataretention petition.

See also

• Data Retention
• Text of the Directive
• stopdataretention petition
• News, position papers on and analysis of the directive
• Which UK MEPs voted, and how
• FFII press release
• English video stream of today's plenary session (Windows Media format)
• Electronic Privacy's Data Retention Directive

References

1. ↑ Digitalt Personvern website
2. ↑ Austrian Judges Question The Validity Of EU Data Retention Directive TechWeekEurope
3. ↑ Press release from the court (German)
4. ↑ Full decision (German)
5. ↑ Deutsche Welle 22 March 2012
6. ↑ Information Overlord
7. ↑ ORG blog, 2008
8. ↑ Germany's data retention law ruled unconstitutional over privacy concerns, Outlaw 3 March 2010
9. ↑ Germany Misses EU Data Retention Deadline, Could Face Court Action, PC World 27 April 2012
10. ↑ ^{10.0 10.1 10.2} PC Advisor
11. ↑ EDRIGram 9.3
12. ↑ DRI: Data retention ruled against by Irish court Open Rights Group blog
13. ↑ Data retention challenge on Scribd
14. ↑ Article 29 Working Party