Data retention has been an important issue for law enforcement agencies and privacy rights organizations alike. Governments have made efforts to require telecommunications service providers to record and retain information, such as telephone calls, emails, or other communications. This article examines the European Union Directive on Mandatory Retention of Communications Traffic Data, which was enacted in March 2006. The article goes on to look at criticisms of the Directive as well as recent efforts calling for the repeal of this Directive.
Background: The 2006 EU Data Retention Directive
The EU Data Retention Directive 2006/24/EC required that operators of public electronic communication networks store specific data for the investigation, detection and prosecution of serious crime. The Directive required Internet service providers operating in Europe to retain telecom and Internet traffic data about all their clients’ communications for at least six months, and at most two years, from the date of the communication, for potential use by law enforcement authorities. Retained data includes traffic and location data, but not the contents of the communications.
Of specific concern to privacy professionals was that the retained data included the following:
• Fixed network telephony
• Mobile telephony
• Internet access
• Internet email
• Internet telephony
The data retention regulations listed four data security principles applicable to the retained data. These principles are outlined below:
1. The data must have the same security levels when retained and must remain of the same quality.
2. Security measures (both technical and organizational) must be enacted to protect against accidental or unlawful disclosure, access, alteration or loss of the data.
3. The retained data should only be accessible by authorized persons.
4. All retained data must be appropriately destroyed at the end of the retention period.
Under the terms of the Directive, the data could only be made available to competent national authorities in particular cases, in line with national law. EU member states are responsible for ensuring that any intentional access or transfer of this data is punishable by administrative or criminal penalties. Member states were also required to have a public authority responsible for implementing and monitoring the Directive within 18 months after it was introduced. Each state developed its own version of the Directive, which was integrated into its national laws.
Controversy Surrounding the Directive
For public communications providers throughout the EU, the Directive presented a number of different challenges. Service providers were mandated to retain communications data to allow requested access for investigations. This meant that they were faced with the challenge of harmonizing their data center with hundreds of storage devices and petabytes of data. This significantly increased the size of IT infrastructures. Many critics argued that the mandated retention practices made organizations more vulnerable to privacy risks.
Observers also argued that the requirements of the Directive amounted to a type of surveillance. The Directive requires member states to collect personal data about citizens, without the consent of the citizens. It also allows the states to apply the data to monitor and control citizens, by applying criminal penalties.
For these and other reasons, many European privacy activists have strongly opposed the Directive.
One example was the Freedom Not Fear movement, which organized protests in major cities across Europe. These demonstrations aimed to raise public awareness of increased surveillance and data retention practices. The Freedom Not Fear movement also demanded the following:
• Cutbacks on surveillance measures
• Evaluation of existing surveillance powers
• Moratorium on new surveillance powers
• Ensure the freedom of expression, dialogue and information on the Internet
During 2007, the German Working Group on Data Retention represented 35 000 people and filed a class-action lawsuit against data retention laws. The court found the laws unconstitutional, which led to requirements for the immediate deletion of all data retained under the law.
During 2009, the Romanian Constitutional Court ruled that the Directive was in direct violation of Article 8 of the European Convention on Human Rights, guaranteeing the right to respect for private life and correspondence. The Court held that data retention turns all those who use public communication networks into potential criminals.
Also during 2009, the European Commission initiated a lawsuit against the Swedish government, which had refused to implement the Data Retention Directive within the required time frame. Political leaders argued that the Directive was inconsistent with the European Convention on Human Rights, as well as being an expensive and ineffective means of protecting citizens’ rights and freedoms. Besides Sweden, Austria, Greece, Ireland, the Netherlands and Poland also did not implement data retention laws by the April 2009 deadline stipulated by the Directive.
Calls to Repeal the Directive
During the 32nd Annual Conference of Data Protection and Privacy Commissioners, held on October 27-29, 2010, privacy authorities called for the repeal of the Data Retention Directive.
A vocal participant in this discussion was the Electronic Frontier Foundation (EFF), which has protested the indiscriminate collection of traffic data. According to the EFF, there is no clear link between data retention and effective law enforcement. Rather, such retention leads to abuses of authority, including excessive tracking and over-collection. Furthermore, many of the retention practices pose a serious violation of individuals’ rights and freedoms.
This article explores the 2006 European Union Data Retention Directive, which required member states to implement laws requiring communications service providers to retain data for anywhere between six months and two years. This was supposedly to facilitate law enforcement efforts, particularly anti-terrorist programs. The Directive was met with widespread public outcry, given the potential for surveillance, monitoring and abuse, in addition to arguments that it was a violation of rights and freedoms. The article explores a number of different responses to the Directive, including citizens’ movements throughout Europe, national court rulings against the Directive and non-compliance issues.
CIPP Exam Preparation
In preparation for the Certification Foundation (Foundations) exam and the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:
• Data Retention & Destruction – Period of Retention (CIPP/IT; I.E.a.)
• Privacy Concerns – Government Surveillance (CIPP/IT; II.A.k.)
• Modern Principles of Privacy – Europe (Foundations; I.D.a.ii.)
• Privacy & Data Protection Regulation – Europe (Foundations; I.F.b.ii.)