The European Parliament has approved proposals on data retention that would compel telecom firms to keep customer email logs, details of internet usage and phone call records for between six months to two years.
The plan - designed to assist law enforcement in the fight against terrorism and serious crime - leaves it up to individual governments to decide how long service providers will be obliged to keep data.
Police and intelligence agencies would have access to call records (including data on lost calls), location information and internet logs without getting access to the content of the information communicated. MEPs decided to drop provisions to make it mandatory for member states to reimburse telecom companies for additional costs incurred in servicing law enforcement requests.
The EU directive on data retention passed by 378 votes in favour to 197 against and 30 abstentions during its first reading on Wednesday. The measures were put forward by Britain after the 7 July bomb attacks on London.
Who foots the bill?
A spokesman for the UK Internet Service Providers' Association (ISPA) said it remained to be seen how the directive will be implemented into UK law. Voluntary co-operation already exists between ISPs and UK law enforcement agencies over requests for communications data but implementation of the directive would change this from a voluntary arrangement into a mandatory code of practice.
"We are concerned that ISPs may have to foot the bill for mandatory data retention. ISPs are not law enforcement agencies so they should not have to pay for it all," he said.
The amounts involved are not small. ISPA cites estimates from one large UK-based ISP that it would cost £26m a year to set up data retention kit on its systems and £9m a year in running costs to service law enforcement requests.
MEPs agree with the need to retain data for the detection, investigation and prosecution of crime, but only for "specified forms" of serious criminal offences (terrorism and organised crime), and not for the mere "prevention" of all kinds of crime.
Dai Davis, a consultant lawyer at Nabarro Nathanson, said the European Parliament had fudged important issues such as how long records should be kept and who would end up footing the bill for data retention.
Safeguards (including independent oversight) have been put in place by MEPs to make sure data retention requests can't be used to trawl through databases and need to be sanctioned on a case by case basis. But Davis said that it was unclear if checks and balances established in the directive provide adequate safeguards against abuse. ®