Content and Implementation of the Data Retention Directive
November 28, 2018
By Chris Jones, Statewatch researcher
This is the second in a series of posts examining the EU's Data Retention Directive, which is the subject of today's judgment of the Court of Justice of the European Union (CJEU). It is based on work undertaken by Statewatch as part of the SECILE project (Securing Europe through Counter-terrorism: Impact, Legitimacy and Effectiveness).
The post begins with an article-by-article examination of the Directive and subsequently examines the troubled national transposition and review process overseen by the European Commission. The first post examined the background to the Directive, and a subsequent, final post will look at national court cases challenging the implementation of the Directive.
The Directive, clause-by-clause
Article 1 sets out the subject matter and scope of the Directive, which covers all legal entities and: “[A]ims to harmonise Member States’ provisions concerning the obligations of the providers of publicly available electronic communications services or of public communications networks with respect to the retention of certain data which are generated or processed by them, in order to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law.”
Article 1(1) of the Directive states that serious crime is “as defined by each Member State in its national law”. Article 1(2) states that the Directive does not apply to the retention of the content of communications. However, it has long been argued that “retaining [internet] traffic data makes it possible to reveal… what websites people have visited”, indicating that certain content data can be retained under the Directive. The EU’s Article 29 Working Party on data protection issued an Opinion in 2008 making clear that the Directive is “not applicable to search engine providers”, as “search queries themselves would be considered content rather than traffic data and the Directive would therefore not justify their retention.”
Article 2 contains definitions. Article 3 outlines the obligation for telecoms providers to retain data, through derogation from a number of Articles (5, 6 and 9) of the e-Privacy Directive. Article 5 of that Directive obliges Member States to: “[E]nsure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services” through the prohibition, except when legally authorised, of “listening, tapping, storage or other kinds of interception or surveillance.” Article 6 of the e-Privacy Directive prohibits the retention by telecommunication providers of “traffic data relating to subscribers and users” except if necessary for billing or marketing and with the users' consent. Article 9 states that location data relating to users or subscribers “may only be processed when they are made anonymous, or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a value added service.”
Article 4 of the Data Retention Directive covers access by Member States’ competent authorities to retained data, which should only occur “in specific cases and in accordance with national law”. The phrase “competent authorities” is undefined in the Directive. Member States decide which of their agencies and institutions can request and access retained data. Member States also define the procedures authorities should follow to gain access to retained data. This has led to wide variation between Member States in which authorities can access retained data, and how they do so. The Directive also fails to stipulate that national law should include judicial scrutiny of requests for retained data, allowing Member States to establish self-regulatory systems that dispense with traditional surveillance “warrants”.
Article 5 lists in detail the data that must be retained by service providers:
The source of a communication;
The destination of a communication;
The date, time and duration of a communication;
The type of a communication;
Users’ communication equipment or what purports to be their equipment; and
The location of mobile communication equipment.
Article 6 covers periods of retention (“not less than six months and not more than two years from the date of the communication”). Article 7 outlines measures for the protection and security of retained data, compliance with which is to be supervised by “one or more public authorities” in accordance with Article 9.
Article 8 states that the storage of retained data must allow for its transmission to competent authorities, when requested, “without undue delay”. Article 10 obliges Member States to provide annual statistics to the Commission. Article 11 makes an amendment to Article 15 of the e-Privacy Directive, paragraph 1 of which permits Member States to enact their own data retention measures if they consider them: “[A] necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system.”
The Data Retention Directive supplemented this by stating that: “Paragraph 1 shall not apply to data specifically required by [the Data Retention Directive] to be retained for the purposes referred to in Article 1(1) of that Directive.” This legislative overlap has been problematic and the European Commission, which is reviewing the Data Retention and e-Privacy Directives in parallel, has suggested that: “Any revision of the Data Retention Directive should ensure that retained data will be used solely for the purposes foreseen in this Directive, and not for other purposes as currently allowed by the e-Privacy Directive.”
Article 12 permits Member States to extend retention for “a limited period” if they face “particular circumstances”, subject to the post-facto approval of the Commission. Article 13 obliges Member States to ensure that provisions of EU data protection law dealing with judicial remedies, liabilities and sanctions apply to Member States' transposing measures. It also requires the penalisation by “penalties, including administrative or criminal penalties, that are effective, proportionate and dissuasive,” of any illegal access to or transfer of retained data.
Article 14 obliged the Commission to undertake “an evaluation of the application of this Directive and its impact on economic operators and consumers” and present it to the European Parliament and the Council (see further below). Article 14 also obliged the Commission to determine at this time “whether it is necessary to amend the provisions of this Directive”, a decision that the Commission has deferred, leaving no precise timetable for a new proposal.
Articles 15-17 require Member States to transpose the Directive into national law by 15 September 2007. Article 15(3) allows Member States to “postpone application of this Directive to the retention of communications data relating to Internet Access, Internet telephony and Internet e-mail” for up to three years. Austria, Belgium, Cyprus, Czech Republic, Estonia, Finland, Germany, Greece, Latvia, Lithuania, Luxembourg, the Netherlands, Poland, Slovenia, Sweden and the UK all took up this option. The national legislation through which Member States transposed the Directive is listed in the EUR-Lex register.
Transposition and review
Nearly 7 years after the deadline for implementation, the Directive has still not been implemented by all the states it covers and genuine “harmonisation” appears a remote prospect. Even with the extra room for manoeuvre on internet data retention, six Member States still found themselves subjected to infringement proceedings brought by the Commission after failing to implement national legislation on time.
The Commission brought proceedings against Austria, the Netherlands and Ireland and Sweden subsequently adopted legislation; Germany has failed to do so and an infringement action is pending at the European Court of Justice. In Norway (obliged to implement the Directive through membership of the European Economic Area) legislation is yet to be agreed by parliament, and there is an on-going campaign by civil society organisations against it. The Commission recently demanded that Belgium “change its data retention laws to comply with the provisions of the European legislation”, and a draft bill aimed at ensuring full implementation was introduced into the Belgian Parliament in July 2013.
The Commission's evaluation of the Directive, due in September 2010, was eventually published in April 2011. It concluded that: “[D]ata retention is a valuable tool for criminal justice systems and for law enforcement in the EU. The contribution of the Directive to the harmonisation of data retention has been limited, in terms of, for example, purpose limitation and retention periods, and also in the area of reimbursement of costs incurred by operators, which is outside its scope.”
Retention period and scope
That the Directive failed to harmonise retention periods is hardly surprising – it allowed Member States to choose from anywhere between 6 and 24 months. The failure of the Directive to define “serious crime” also led to wide divergences across Member States: “Ten Member States (Bulgaria, Estonia, Ireland, Greece, Spain, Lithuania, Luxembourg, Hungary, Netherlands, Finland) have defined ‘serious crime’, with reference to a minimum prison sentence, to the possibility of a custodial sentence being imposed, or to a list of criminal offences defined elsewhere in national legislation. Eight Member States (Belgium, Denmark, France, Italy, Latvia, Poland, Slovakia, Slovenia) require data to be retained not only for investigation, detection and prosecution in relation to serious crime, but also in relation to all criminal offences and for crime prevention, or on general grounds of national or state and/or public security. The legislation of four Member States (Cyprus, Malta, Portugal, UK) refers to ‘serious crime’ or ‘serious offence’ without defining it.”
Most Member States also “allow the access and use of retained data for purposes going beyond those covered by the Directive, including preventing and combating crime generally and the risk of life and limb”.
Access to retained data
The authorities permitted to access retained data differ significantly from state to state. Every Member State allows police access and all except the UK and Ireland give access to prosecutors. Fourteen states provide access to security and intelligence agencies (only 12 are easily identifiable in the report – Bulgaria, Estonia, Spain, Latvia, Lithuania, Luxembourg, Hungary, Malta, Poland, Portugal, Slovenia and the UK). Six (Finland, Hungary, Ireland, Poland, Spain, UK) give access to tax and/or customs authorities; and four to border police (Estonia, Finland, Poland, Portugal). The UK allows other public authorities access to data retained if “authorised for specific purposes under secondary legislation.”
The type of authorisation required for access is also uneven: “Eleven Member States require judicial authorisation for each request for access to retained data. In three Member States judicial authorisation is required in most cases,” but the information provided in the report is not specific enough to allow identification of these states. A senior authority, but not a judge, must give authorisation in four other Member States (five Member States' information – Cyprus, France, Hungary, Italy, Poland – appears to match this description). In two Member States, “the only condition appears to be that the request is made in writing,” although the information provided indicates that three states have such systems: Ireland, Malta and Slovakia.
Legitimacy and effectiveness
The Commission has acknowledged that many groups and individuals consider mandatory data retention “in principle… unjustified and unnecessary”. Nevertheless, EU Home Affairs Commissioner Cecilia Malmström has stated that “data retention is here to stay”. This has not allayed concerns about either the legitimacy or effectiveness of the Directive. In May 2011 the European Data Protection Supervisor issued a formal Opinion on the Commission’s evaluation report. Amongst other things, he said, the Commission needed to “invest in collecting further practical evidence from the Member States in order to demonstrate the necessity of data retention as a measure under EU law”, and that all those Member States in favour of data retention should show “quantitative and qualitative evidence” demonstrating its necessity.
In December 2011 the European Commission wrote to the EU Council’s Working Party on Data Protection and Information Exchange (DAPIX) to inform Member States’ representatives of the results of the consultation that informed its April 2012 evaluation report. The Commission argued that it was necessary to “explain better the value of data retention” due to “a continued perception that there is little evidence at an EU and national level on the value of data retention in terms of public security and criminal justice”: “We have received strong views from law enforcement and the judiciary from all Member States that communications data are crucial for criminal investigations and trials, and that it was essential to guarantee that these data would be available if needed for at least 6 months or at least… 1 year. We have also received strong qualitative evidence of the value of historic communications data in specific cases of terrorism, serious crime and crimes using the internet or by telephone – but only from 11 out of 27 Member States.” Furthermore, “[t]he statistics required under Article 10 do not, as it is currently interpreted, enable evaluation of necessity and effectiveness”. Therefore, the Commission concluded, “all Member States – not just a minority – need to provide convincing evidence of the value of data retention of security and criminal justice”.
Member States’ delegations in DAPIX had already discussed the need for further evidence of the “necessity” of mandatory data retention at a meeting in May 2011. They concluded that retention: “[C]ould not be argued on the basis of statistical data… the gravity of the offences investigated thanks to traffic data, rather than the mere number of cases in which traffic data were used should receive due attention. Quantitative analysis should be complemented with qualitative assessment.”
In March 2013 the Commission published a report that attempted to draw together “[e]vidence which has been supplied by Member States and Europol in order to demonstrate the value to criminal investigation and prosecution of communications data retained under Directive 2006/24/EC.” The report contains an overview of the ways in which communications data are used in criminal investigations and judicial proceedings; the sorts of cases in which retained data are important; the “consequences of absence of data retention”; and a section on statistics and quantitative data. This notes that 23 Member States have provided “some statistics since 2008”, but that they “interpret in different ways terms from the DRD such as ‘case’ and ‘request’, and statistics vary in format which limits their comparability”. However, what the statistics do show is massive variation in the extent that Member States are using their data retention powers, with total annual requests ranging from 23 (Portugal) to 777,040 (UK).
In November 2012 – six years after the adoption of the Directive – the Commission adopted and disseminated “more comprehensive guidance on provision of statistics under Article 10”. Such problems meant that the bulk of the Commission's March 2013 report (20 of 30 pages) was given over to anecdotal evidence, including 91 reported cases from across Europe in which retained data assisted in finding the perpetrators of a variety of serious crime.
Alternative approaches
“Data preservation” regimes offer an alternative to data retention, by limiting retention of data to specific authorised investigations. In November 2012 the European Commission published a report it had commissioned on “current approaches to data preservation in EU Member States and third countries”. Data preservation was defined as the “expedited preservation of stored data or ‘quick freeze’” in: “[S]ituations where a person or organisation (which may be a communications service provider or any physical or legal person who has the possession or control of the specified computer data) is required by a state authority to preserve specified data from loss or modification for a specific period of time”.
The report explained that data preservation is already mandated by the Council of Europe Convention on Cybercrime (the Budapest Convention), which entered into force on 1 July 2004 and is open for worldwide signature. All EU Member States have signed the Convention although Greece, Ireland, Luxembourg, Poland and Sweden still need to ratify it (as of 7 April 2014). Under the Convention data may be preserved “for the purpose of specific criminal investigations or proceedings”.
The Convention, unlike the Data Retention Directive, explicitly permits the storage of communication content. While the German Ministry of Justice believes that data preservation is fundamentally an alternative to mandatory retention, the report concludes that: “[D]ata retention and data preservation are complementary rather than alternative instruments… data retention plays a role in ensuring that data is kept and that this is sometimes a prerequisite for data preservation, as data may have already been deleted before a data preservation order is issued.”
Revision of the Directive
Article 14 requires the European Commission to determine, on the basis of its review, whether it is necessary to amend the provisions of the Data Retention Directive. In August 2012 the Commission announced that it was postponing the revision of the Data Retention Directive with “no precise timetable” for a new proposal. The Commission spokesperson cited the need to review the “e-Privacy” Directive to “ensure that retained data will be used solely for the purposes foreseen in this Directive, and not for other purposes as currently allowed by the e-Privacy Directive.”
Before the revision of either of these two Directives takes place, the Commission wants to see its draft data protection package agreed by the Council and the Parliament. At present the two institutions disagree significantly on the proposal, with further disagreement among the Member States in the Council. However, more fundamental to the future of the Directive may be today's judgment of the European Court of Justice.
Barnard & Peers: chapter 9, chapter 25