.gif)
Data retention
The Directive on data retention, approved by the Council of the European Union in February this year, has created a number of issues which have yet to be addressed. Graeme Gordon investigates
The effect of the attacks on the World Trade Centre over five years ago is, in some ways, still being felt in the communications industry. Subsequent investigations and prosecutions have highlighted the importance to law enforcement agencies of obtaining access to electronic data which can then be used as evidence. This does not, however, include access to the content of a communication itself, but to the supporting data.
A new Directive on data retention was approved by the Council of the European Union on 21 February 2006. This took many observers by surprise because the moving force behind the Directive was not (as is normally the case) the Commission but the Council itself and the Commission seemed to have had little input into the Directive until the last moment.
The Directive aims to harmonise Member States' rules guaranteeing the availability of traffic and location data for law enforcement purposes, and will require all operators to retain the records of every e-mail, phone call, fax and text message for a period of between 6 months and 2 years. Once transposed, Member States will have to bring into effect national laws which implement the terms of the Directive, within 18 months. In some ways the Directive strays into the territory of security and law enforcement where Member States have traditionally safeguarded their independent right of action. However, this may be an inevitable consequence of obtaining a united front on retention matters in the face of cross-border terrorist threats.
At present, the Directive on the processing of personal data and the protection of privacy in the electronic communications sector ('Privacy Directive') sets out a general policy requiring communications. Operators must erase or make anonymous traffic data, such as data processed for the purpose of the conveyance of communication via an electronic communications network, or location data, which includes data processed in an electronic communications network, indicating the geographic position of the terminal equipment of a user once it is no longer required for the purpose of the transmission.
Recent changes in the industry, such as the growth of VoIP, pre-paid and free electronic services, means that operators will not routinely store this data for billing purposes. Therefore there is a possibility that it will not be available for use by law enforcement agencies to assist in the detection and prevention of serious crime.
There has also been a growing disparity in the interpretation of the current rules across Europe. Generally member states have taken the current rules to mean that routine retention is permitted up to the expiry of a billing period, which is around six months. More recently this has been stretched to 12 months, although retention for this period of time is not easy to justify under the current rules. This position is not universal; for example Ireland had already brought in specific legislation to permit retention for a longer period of [up to] three years. Such variations had added to the growing concerns of security services and law enforcement agencies that the current rules did not address their needs for data to be retained for future access.
Considerable impact
The new Directive will have a considerable impact on the communications industry, and will require communications operators to store data necessary to trace and identify the source, location, destination, date, time, type and duration of a communication; as well as details of connections made to the Internet, e-mail and internet telephony services. However, the Directive only relates to data generated or processed as a result of a communication and does not relate to 'content'. Operators will also, for the first time, be required to retain data relating to unsuccessful call attempts (where a call is successfully connected but unanswered or there has been a network management intervention).
The most significant impact for operators will be the financial cost of compliance. They will be required to store huge volumes of data, while ensuring that they can promptly identify and extract data following requests by law enforcement agencies. The cost of compliance has been estimated at more than £204 million, for a two year retention period, with annual operating costs of around £34 million, for a large network and service provider.
The European Commission originally recommended that Member States be obliged to reimburse companies for the additional cost of data retention, which would be incurred as a result of the Directive. This represents the position which the industry has negotiated in the UK, but this is not the case in most other European jurisdictions. The European Parliament decided to delete this paragraph and therefore, companies will have to absorb these additional expenses as part of their normal operating costs – unless national jurisdictions, following the example of the UK, decide otherwise.
What is very significant is that traditional states which have historically been proponents of the civil liberties arguments, such as the Scandinavian countries, have not opposed the Directive. This may be a sign that governments consider that the debate has moved on; more likely it demonstrates that no government wishes to step out of line and risk organised crime or terrorists seeing their territory as a 'safe haven' where retention laws do not apply. This however has not satisfied many individuals and civil liberties pressure groups, who argue that a longer retention period is a major intrusion into individual privacy, which is not justified by any practical benefits in solving major crimes. And even some criminal practitioners argue that the effect will be to encourage law enforcement agencies to amass data and put this before the court rather than conduct rigorous targeted investigation. Such arguments have not found favour among any member states.
Longer retention period
Interestingly, the one legal challenge to this Directive has been launched by Ireland which favours a longer retention period and has rejected the civil liberties arguments, implementing a three year domestic retention period. Ireland's legal challenge reflects procedural concerns about the use of a Directive in these circumstances and considers that a Framework Decision (requiring unanimity) rather than a Directive (which can be passed on majority voting) would have been the appropriate vehicle for legislation concerning trans-national security. The challenge has been subsequently supported by Slovakia and it may well be that a compromise could be reached that will give Ireland the reassurance it seeks in return for dropping the legal proceedings, which otherwise could continue until the middle of next year. Even if the challenge succeeds the longer retention period is certain to be introduced, whatever the ultimate process.
Due to the fact that the member states are starting from different points it follows that the degree of legislation required to implement the new rules will vary immensely. In some countries, like Ireland (leaving aside the legal challenge which we have mentioned), the national rules already meet or exceed the requirements of the Directive. In others, like the UK, only minimal change will be required. The minister will only need to make Statutory Instrument under the Anti-Terrorism Crime and Security Act 2001, implementing the new rules and bringing an end to the voluntary Code of Practice on retention that has been in operation. There will be no requirement for a Parliamentary debate. In many jurisdictions, however, primary legislation will be required. It may be that the ensuing parliamentary debates will give the opportunity for the civil liberties arguments to be aired even though that, in reality, member states will have no option but to implement the Directive.
The new rules will undoubtedly represent a significant cost for all existing and potential communications providers within the EU, and for other companies wishing to expand their current services into Europe. While harmonised rules will undoubtedly mean that pan-European players will not need to address the current piecemeal approach to data retention, this will have to be balanced against the financial impact and civil liberty concerns raised. It is too early to say whether the correct balance has been achieved, but it can safely be assumed that the debate will continue for some time to come.
Graeme Gordon is telecommunications partner at international law firm, Eversheds
Share this article with others
Post to del.icio.us
Printed from http://www.eurocomms.com/features/111506/Data_retention.html
Comment on this article
Skip to comments
We encourage users to analyse, comment on and even challenge European Communications's articles, including the one above - 'Data retention'
User reviews and comments that include profanity or personal attacks or other inappropriate comments or material will be removed from the site.
Additionally, entries that are unsigned or contain "signatures" by someone other than the actual author will be removed. We will take steps to block users who violate any of our posting standards, terms of use or privacy policies or any other policies governing this site.