
On 14 December 2005, the European Parliament adopted amendments to the draft Directive of the European Parliament and of the
Council on the retention of data processed in connection with the provision of public electronic communication services and
amending Directive 2002/58/EC (Directive). Once approved by the Council, the amended Directive would require European Union
member states to introduce data retention schemes compelling telephone and electronic communications service providers to
store and retain information on their clients' communications for law enforcement purposes. The minimum storage period agreed
by the Parliament is six months from the date of the communication; individual member states may however extend the time period
up to 24 months. The Directive was strongly opposed by privacy advocates and service providers alike because of the magnitude
of data involved, the significant investment in equipment and technological expertise required for retaining and accessing
the data, and because it may result in increased communication costs for consumers. The Parliament's plenary session decided
to strike out the provision in the earlier Commission proposal requiring member states to compensate providers for their increased
costs. Also there are serious concerns about the invasion of privacy and data security. The Parliament's plenary session,
however, ignored these concerns and agreed with member states that broad retention obligations were (supposedly) necessary
for law enforcement and anti-terrorism investigations across Europe.
Background
EU member states currently have very different rules on data retention. Whilst some states do not have specific data retention
obligations, and, as a result, communication data collected by providers must be erased under the proportionality principle
enshrined in the general Data Protection Directive when no longer needed for technical, billing, and other specific legitimate
purposes, other states' laws do provide for retention obligations, ranging from a few months to four years.
The 1997 Telecommunications Privacy Directive stipulated that member states could, but were not obliged to, require telecom
operators to retain communication data for law enforcement purposes. That Directive was replaced by the 2002 Electronic Communications
Directive so as to adapt the EU legal regime to technical developments such as the growth of the Internet. The new Directive
extended the scope of the 1997 Directive by allowing EU countries to compel telecom and Internet service providers (ISPs)
to record traffic and location data when "appropriate and proportionate within a democratic society to safeguard national
security, public security, prevention of criminal offences etc or of unauthorised use of an electronic communications system."
Since then, law enforcement agencies have lobbied for broader and more harmonised retention schemes, particularly because
mobile phone records were instrumental in tracking down the perpetrators of the Madrid bombings which killed 191 and injured
approximately 1,800 people on 11 March 2004. In the aftermath of those bombings, the European Council made the Declaration
on Combating Terrorism (the Declaration) and also updated the EU Plan of Action on Combating Terrorism (the Action Plan),
which was first introduced in the wake of the terrorist attacks of September 11 2001. The Declaration and the revised Action
Plan have resulted in, amongst others, two proposals to maximise capacity within EU bodies and member states to detect, investigate
and prosecute terrorists and prevent terrorist attacks.
On 28 April 2004, France, Ireland, Sweden, and the UK put forward a proposal for a "Framework Decision on the retention for
data processed and stored in connection with the provision of publicly available electronic communications services or data
on public communications networks for the purpose of prevention, investigation, detection and prosecution of crime and criminal
offences including terrorism" (Framework Decision).
The Framework Decision aims to ensure that an extremely wide variety of data - albeit no content - generated in the course
of making or receiving a communication are retained by the communication service providers for a period of time between 12
and 36 months in order to enable both the subsequent investigation of the communication data and to facilitate judicial co-operation
"for the purpose of prevention, investigation, detection and prosecution of crime or criminal offences including terrorism".
The Framework Decision covers an extremely wide variety of data. Essentially, any communications data required to identify
and trace the identity, source, destination, routing, date/time, location, device used, etc of a communication is covered.
Each member state may request another member state to grant access to the retained data in accordance with the established
procedures on judicial co-operation in criminal matters.
On 31 May 2005, the European Parliament's Committee on Civil Liberties, Justice, and Home Affairs published a report on the
proposal for a Draft Framework Decision, recommending a draft resolution of the Parliament to reject the proposal and call
on France, Ireland, Sweden, and the UK to withdraw their initiative. The report considered that the Decision's approach was
flawed on three main grounds:
- In respect of the legal basis, the Framework Decision conflicts with the provisions of the Data Protection Directive and the
Electronic Communications Directive, and noted that the legal basis chosen by the Council was contrary to art 47 of the Treaty
on the European Union (TEU), which provides that: "nothing in this Treaty shall affect the Treaties establishing the European
Communities or the subsequent Treaties and Acts modifying or supplementing them." Accordingly, the report concludes that "The
measures proposed must logically have the same legal basis as the existing legislation. Article 95 TEC, which provides for
the co-decision procedure, should, therefore, again be used as a basis."
- In respect of the proportionality, the report concludes that the proposed measures are neither appropriate nor necessary and
are unreasonably harsh towards those who must bear the burden of data retention.
- In respect of the compatibility with art 8 of the European Convention of Human Rights (ECHR), the report concludes that the
proposed measures are incompatible with art 8 of ECHR, and points out that "the European Court of Human Rights has stressed
that the contracting states do not have unlimited discretion to subject individuals within their territory to clandestine
surveillance."
On 27 September 2005, the European Parliament adopted the Committee's report and resolved to reject the Draft Framework Decision
and called on France, Ireland, Sweden and the UK to withdraw their initiative.
Moreover, the Parliament's rejection of the Framework Decision resulted in a new proposal for a Directive from the Commission
covering the same subject. The Commission's proposal follows the co-decision procedure with the full involvement of the European
Parliament, and consultation with the Economic and Social Committee and the Committee of the Regions. Its aim is "... to harmonise
the provisions of the member states concerning obligations... in order to ensure that the data are available for the purpose
of the investigation, detection and prosecution of serious crime by each member state in its national law" (art 1.1).
As is the common procedure, the proposal was subsequently provided to the Council of the European Union and the European Parliament.
On 28 November 2005 the responsible Civil Liberties, Justice and Home Affairs Committee at the Parliament produced an opinion
on the draft, suggesting multiple amendments.
On 14 December, amendments to the proposed Directive were adopted at the first reading by 387 votes in favor to 204 against.
The amendments finally adopted were a compromise achieved beforehand through informal meetings between the socialist PES and
the conservative EPP parliament groups with the Council. The Justice and Home Affairs Council agreed on 2 December to reach,
by the end of the year, a "first reading deal" with the European Parliament.
The amendments differ in some key ways from the suggestions of the Civil Liberties Committee, which caused Alexander Nuno Alvaro
to withdraw his name as "rapporteur" in charge of the proposal. The compromise achieved between the Council and the Parliament
may have also been prompted by the Council threatening to pass the Framework Decision if the Parliament did not adopt the
Directive in its first reading.
The Scope
The Directive, in its final version, covers "... providers of publicly available electronic communications service or of a
public communications network ..." (art 3.1). As a result, telecommunication and Internet service providers must store location
and traffic data generated through a wide range of communication services, including landline, mobile, and Internet telephony,
voicemail, call forwarding, instant messaging and multi-media services.
A legal issue faced by European employers is whether they would also become subject to data retention obligations when they
make internet access available to their employees. The Paris Court of Appeal (Cour d'Appel de Paris, "Court") in BNP Paribas v World Press Online (available at http://www.foruminternet.org/telechargement/documents/ca-par20050204.pdf) found that while there was no legal obligation for the employer to actually reveal the identity of two employees who illegally
sent emails from its premises, there was an obligation for the employer to retain and hand over all relevant traffic data.
As a practical matter, it is conceivable that the traffic data may make it possible to identify the individual employee authoring
the emails. Then again, depending on its internal configuration, identifying the author may require BNP's co-operation. The
court found that the French data retention regime makes no distinction between ISPs who offer Internet access on a commercial
basis, and employers who give Internet access to staff. BNP, the employer, had argued that obligations to protect employee
privacy prevented it from retaining the communication and turning over the information. The employer also argued that data
retention obligations were devised as part of the legal framework for ISPs, not to create new, costly data retention obligations
for all employers providing Internet access to their employees. Therefore, it appears that the introduction of mandatory retention
schemes for communication data may also be extended to employers. There is commentary in Germany to the same effect, and it
remains to be seen how the new expanded retention regime is applied by courts and national regulators.
The Directive also covers a wide variety of data, but unlike the Draft Framework Decision, it is more specific in terms of
how it defines data required to identify and trace the identity, source, destination, routing, date/time, location, device
used, etc of a communication. No substantive changes to the Commission draft were suggested by the Parliament.
Furthermore, the Directive specifically provides that the categories of data that must be retained should
be revised on a regular basis.
The Directive as amended by the Parliament also requires retention of data on unsuccessful calls, defined as "a communication
where a telephone call has been successfully connected but is unanswered or there has been a network management intervention."
(Article 2(2)). This was a controversial provision because providers do not currently register lost calls for billing purposes
and to do so will require using new technologies and will be expensive. Spanish members of the European Parliament strongly
supported the requirement to retain data about unsuccessful calls, because such data was helpful in tracking down the perpetrators
of the Madrid bombings. Data on an unsuccessful call attempt only has to be retained if the company already stores such data.
In a recital, Parliament stated that, "considering that the obligations on providers of electronic communications services
should be proportionate, the Directive requires that they only retain such data which are generated or processed in the process
of supplying their communications services; to the extent that such data is not generated or processed by those providers,
there can be no obligation to retain it. This Directive is not intended to harmonise the technology for retaining data, the
choice of which will be a matter to be resolved at national level."
Data relating to "unconnected" calls remains outside the scope of the Directive, but the exact meaning of this term has yet
to be clarified. The European Parliament's Civil Liberties, Justice, and Home Affairs Committee had suggested making it optional
for organisations to keep data about incomplete calls.
A new amendment to the Directive also states that the Directive is not applicable to data revealing the content of communications.
Also, Internet related data to be retained is limited to email and IP-telephony data - which means that no data on web pages
visited will need to be retained.
Circumstances for Access to Retained Data
The aim of the Directive is to ensure that the data are available for the purpose of the investigation, detection and prosecution
of serious crime, as defined by each member state in its national law. The Commission had included the objective of "prevention"
which was deleted by Parliament. Parliamentary members felt that the concept of prevention was too vague and could lead to
abuses. The Parliament also deleted the words "serious criminal offences such as terrorism and organised crime" preferring
to use the term "serious crimes."
The Civil Liberties, Justice, and Home Affairs Committee had suggested a specific list of serious crimes in the investigation
of which retained data could be used. The Parliament plenary session, however, voted against a definite list to allow for
greater member state flexibility.
In this respect it is interesting to note that content owners (eg, recording industry, motion picture industry) have lobbied
hard to have the Directive require retention of data for criminal offenses other than serious crimes, presumably so that law
enforcement agencies could use retained data to prosecute violators of intellectual property laws. Those requests were rejected,
but, depending on the breadth of member states' definition of "serious crime", content owners may still be able to exploit
data stored under the retention regime for tracing users breaching intellectual property rights.
Unlike the Draft Framework Decision, the Directive is more specific as to who may gain access to the retained data and stipulates
that member states should "... adopt measures to ensure that data retained in accordance with this Directive are only provided
to the competent national authorities, in specific cases and in accordance with national legislation, for the purpose of the
prevention, investigation, detection and prosecution of serious criminal offences, such as terrorism and organised crime."
Only "competent authorities" determined by member states will have access to the retained data. The Civil Liberties Committee
had suggested that only a judge may authorise access to data.
Further, member states must ensure that data retained in accordance with the Directive are only provided to the competent
national authorities, in specific cases and in accordance with national legislation (the push-system).
Retention Period
The Directive imposes a less onerous retention period than the Draft Framework Decision and obliges each member state to ensure
that the relevant data is retained "…for a period of not less than six months and for a maximum of two years from the date
of communication" (art 7). Here the Parliament accommodated the demands of privacy advocates and industry for shorter retention
periods, shortening the time period suggested by the Commission from twelve to six months for fixed and mobile telephony data.
Also a new clause has been introduced permitting derogation from the time period. A member state facing particular circumstances
warranting an extension for a limited period of the maximum retention period may take the necessary measures. The member state
shall immediately notify the Commission and inform the other member states of the measures and indicate the grounds for introducing
them. The Commission shall, within six months after the notification, approve or reject the national measures involved after
having verified whether or not they are a means of arbitrary discrimination or disguised restriction of trade between member
states and whether or not they shall constitute an obstacle to the functioning of the internal market. In the absence of a
decision by the Commission within this period the national measures shall be deemed to have been approved.
Data Storage
A new provision introduced by the Parliament states that each member state shall ensure that communication service providers
respect, as a minimum, certain prescribed data security principles with respect to data retained. There is also a new obligation
for member states to designate a public authority responsible for supervising compliance with the Directive, which "may be
the same authorities as those referred to in art 28 of Directive 95/46/EC". Hence, the data protection authorities may assume
supervisory authority for compliance with the implementation legislation of the Directive.
The implementation of this Directive will be monitored by the Commission. The Commission will be aided in this respect through
a specific clause in the Directive which provides for the obligation to collate statistical data on the actual requests made,
and to provide the results to the Commission. In addition, a specific review clause is provided in the proposal, providing
for an overall evaluation of the Directive three years after its adoption.
Storage should allow for sharing with law enforcement authorities without delay. However the technical implications will need
to be defined in the implementation legislation. Data must be destroyed after the period of retention, except for those data
that have been accessed and preserved.
There is a provision for "effective, proportionate and dissuasive" penal sanctions for companies who fail to store the data
or misuse the retained information.
Reimbursement of Costs
The Parliament decided to delete the provision in the Commission proposal that mandated member states reimburse providers
for additional costs of retention, storage and transmission of data. The draft tabled by the Commission had addressed the
issue of cost in art 10 as follows:
"Member states shall ensure that providers of publicly available electronic communication services or of a public communication
network are reimbursed for demonstrated additional costs they have incurred in order to comply with obligations imposed on
them as a consequence of this Directive".
This is a reflection of para 13 of the preamble:
"Given the fact that retention of data generates significant additional costs for electronic communication providers, whilst
the benefits in terms of public security impact on society in general, it is appropriate to foresee that member states reimburse
demonstrated additional costs incurred in order to comply with the obligations imposed on them as a consequence of this Directive."
In the explanatory notes accompanying the Draft Directive, the Commission stated as follows:
"The financial and administrative burden on national governments, economic operators and citizens has been minimised in a
number of ways. Firstly, the Directive provides for harmonisation, which will mean reduced costs of compliance for providers
of electronic communications services or of a public communications network. Secondly, costs have been minimised through strict
limitations in the retention periods, as well as in the data sets to be retained. Given the importance of the measure in terms
of preventing and combating crime and terrorism, the additional costs to be borne by the member states through the provision
on cost reimbursement are considered to be proportionate ..."
Also, the Civil Liberties Committee had called for full reimbursement of all costs.
Conclusion
The majority of members of the Parliament felt that timely implementation of mandatory data retention obligations was needed
for effective anti-terrorism measures, a move strongly supported by the United Kingdom Presidency who wanted to reach agreement
before handing over the Presidency to Austria. The proposals made by the European Parliament's Committee on Civil Liberties,
Justice, and Home Affairs were largely ignored.
Communications service providers are disappointed by the Parliament's attitude to cost reimbursement, as the cost of implementing
a data retention capability is estimated to run into millions of euros, putting EU-based providers at a competitive disadvantage
to their US or Asian competitors. In contrast law enforcement agencies have been accommodated in that member states are permitted
to introduce longer retention periods than the maximum of 24 months.
Before the proposal can become law, it will, however, need the approval of the Council with a qualified majority. As mentioned
earlier in this article, the final text approved by the Parliament was negotiated beforehand with the Council. Therefore,
approval by the Council is likely, despite some member states having raised objections. In any event, the discussions concerning
retention obligations are consistent with a broader trend towards tighter legal control over the internet, and signal a departure
from the European Union's restrictive attitude towards personal data processing.