EC adopts net and phone data retention proposal

Not law yet, though

The European Commission this week adopted a proposal for a Directive on the retention of communications traffic data that would see internet data held for six months, phone data held for one year, and ISPs and telcos compensated for their compliance costs.

But the proposal has tough competition: it needs the support of the European Parliament and Council of Ministers to become law – and the Council has its own plans for data retention, set out in a Framework Decision. The Council plan allows for data retention periods of up to three years and it could be adopted by the Council acting alone, without any debate in Parliament.

An earlier version of the draft Directive – an “Interservice Consultation” version – had been leaked to lobby group European Digital Rights (EDRi) in July. EDRi posted that version online (16-page/2.2MB PDF). The Commission's information on the new version appears to reflect that leaked version closely.

The Commission's proposal

The proposal provides for an EU-wide harmonisation of the obligations on providers of publicly available electronic communications, or a public telecommunications network, to retain data related to mobile and fixed telephony for a period of one year, and internet communication data for six months.

The proposed Directive would not apply to the actual content of the communications. It also includes a provision ensuring that service or network providers will be reimbursed for the demonstrated additional costs they incur.

Commission Vice President Franco Frattini, responsible for Justice, Freedom and Security, said: “This proposal is a very balanced and constructive one, which takes account of the fundamental rights to security, to a private life and protection of personal data, as well as different interests, in particular those of law enforcement authorities and communication providers.”

He pointed out that EU citizens expect the three EU institutions to work jointly on this sensitive but important issue and to form a united front in the fight against terrorism and organised crime.

He added: “I am dedicated to working on a co-decision basis with the European Parliament and the Member States in the Council, and in particular its UK Presidency, to try to reach an agreement on this issue before the end of this year – counter terrorism effectively requires that we have no time to lose.”

The proposal was developed in full agreement with Commissioner Viviane Reding, responsible for Information Society and Media.

“The Commission proposal now puts data retention rules on a sound legal basis, ensures the full co-decision of the European Parliament and limits the data retention periods to the extent absolutely necessary,” she said. “In contrast to the text at present discussed in the Council, the Commission proposal in particular requires that all additional costs for the industry, which are proven to have been caused by data retention obligations under the new Directive, will have to be reimbursed.”

Law enforcement agencies can use communications traffic data to identify associations between persons and events by time and location. The tragic events of Madrid in March 2004 and London in July 2005 and the investigations that followed have driven the demand for data retention.

Squaring data retention with data protection

The Commission says its proposal balances the needs of security services with fundamental rights and applies "solid data protection rules".

To protect citizens’ fundamental rights and freedoms, and in particular their privacy and personal data, Community law currently provides for the deletion of traffic data once it is no longer needed for the purpose of the transmission of the communication. However, some may be kept and further processed by service and network providers for their own business purposes such as billing or with the consent of the consumers.

Beyond these business purposes, "public order" purposes can also be invoked to justify the further processing of traffic data. This is why public authorities in the Member States are in principle, if necessary and in accordance with applicable law, able to request access to traffic data stored by electronic communications operators.

Legitimate requests for the retention of specific data – otherwise called data preservation – are also allowed when necessary for specific purposes, such as investigations and prosecutions. Data preservation ensures the onward storage of specific data on specific users as from the date of the request.

However, with changes in business models and service offerings, such as the growth of flat rate tariffs, pre-paid and free electronic communications services, traffic data may not always be stored by all operators to the same extent as they were in recent years, depending on the services they offer. This trend is reinforced by recent offerings of Voice over Internet Protocol (VoIP) communication services, or even flat rate services for fixed telephone communications.

Under such arrangements, the operators would no longer have the need to store traffic data for billing purposes. If traffic data are not stored for billing or other business purposes, they will not be available for public authorities whenever there is a legitimate case to access the data.

In other words, the Commission considers that these developments are making it much harder for public authorities to fulfil their duties in preventing and combating crime and terrorism, and easier for criminals to communicate with each other without the fear that their communications data can be used by law enforcement authorities to thwart them.

The responses of Member States so far

To respond to this concern, a number of Member States have adopted, or plan to adopt, national general data retention measures. Compared to data preservation measures, which are targeted at specific users and for specific data, general data retention measures aim at requiring some or all operators to retain traffic data on all users so that they can be used for "public order" purposes when necessary and allowed.

The need to take legislative action in this area at the European level has been confirmed by the European Council in its Declaration on Combating Terrorism of 25 March 2004, adopted shortly after the tragic events in Madrid on 11 March.

In that Declaration the European Council explicitly recognises the importance of legislative measures on traffic data retention, through its instruction to the Council to examine measures in the area of “proposals for establishing rules on the retention of communications traffic data by service providers”.

The European Council Declaration goes on to state that: “Priority should be given to proposals under the retention of communication traffic data ... with a view to adoption by June 2005”.

The priority attached to adopting an appropriate legal instrument on this subject was recently confirmed in the Conclusions of the European Council of 16 and 17 June, as well as at the special JHA Council meeting of 13 July 2005 following the London terrorist bombings.

The issue of retention of traffic data was initially dealt with in a draft Framework Decision, a so-called third pillar legal instrument, submitted in April 2004 as an initiative of France, Ireland, Sweden and the UK. Issues of common security and defence policy can be decided under the third pillar – without the need for majority voting.

Today’s patchwork

The data retention regimes introduced or planned by the Member States vary significantly in scope, their purposes, the data to be retained, the duration of the retention, the reimbursement possibilities and the conditions for access to the data.

There is at present therefore a patchwork of national data retention obligations in Member States, which can be summarised as follows:

  • A majority (about 15 according to 2004 figures) of Member States at present do not have mandatory data retention obligations;
  • In about half of the Member States with mandatory data retention laws in place, data retention is not operational since implementing measures are still missing;
  • In those Member States with data retention obligations in operation, the period (between three months and four years) and scope vary substantially e.g. just pre-paid mobile, not the internet, all services etc.

The current situation is therefore one which is unsatisfactory in terms of addressing the concerns voiced by the European Council, and in terms of addressing the consequences of the diverging measures adopted by Member States for the effectiveness of international law enforcement co-operation, as well as the consequences for telcos and ISPs, especially those who provide services in different Member States of the European Union.

The Commission’s position has been that the largest part of that Framework Decision – the part concerning obligations on providers to retain certain traffic data – should be adopted on a first pillar legal basis. This position has also been adopted by the Legal Service of the Council and by the European Parliament.

How the Commission’s proposal differs from the Council’s text

The Commission says its proposal "has taken account to a significant extent of the work done by the Council on the draft Framework Decision, especially as far as the categories of data to be retained are concerned."

But it differs from the draft Framework Decision in a number of important areas:

  • Unlike the draft Framework Decision, the draft Directive proposes harmonised retention periods of one year for fixed and mobile telephony data, and six months for IP-based communication data. The Framework Decision sets a minimum term of retention for all data categories of one year, but allows for possible exceptions to this for periods between 6 and 48 months;
  • Unlike the draft Framework Decision, the draft Directive foresees a provision which obliges the Member States to compensate the electronic communication services providers for additional costs incurred as a consequence of the retention obligation;
  • Unlike the draft Framework Decision, the draft Directive foresees a Comitology procedure for amendments to the list of data to be retained, providing for the flexibility needed to ensure that the instrument stays up-to-date in a rapidly changing technological environment;
  • Unlike the draft Framework Decision, the draft Directive foresees the collection of statistics on cases in which data was requested, as well as an evaluation of the instrument and its impacts, taking account of those statistics.

Neither the draft Framework Decision nor the draft Directive is applicable to the content of communications. Also, in both texts internet-related data to be retained are limited to email and IP-telephony data – which means that no data on web pages visited will need to be retained.

The Commission's proposal will follow the co-decision procedure with full involvement of the European Parliament, and consultation of the Economic and Social Committee and the Committee of the Regions.

Copyright © 2005,

OUT-LAW.COM is part of international law firm Pinsent Masons.
