Al link indicato:
Brussels, 21 September 2005
Data Retention Directive Is data retention needed?
Each and every move over electronic communications networks generates so-called ‘traffic data’ i.e. data processed for the purpose of conveyance of a communication on an electronic communications network or for the billing thereof. Traffic data include details about time, place and numbers used for fixed and mobile voice services, faxes, e-mails, SMS, and data on use of the internet. Subscriber (and sometimes user) data, such as the name and address of the subscriber, are also processed by providers or subscription-based electronic communications services.
To protect citizen’s fundamental rights and freedoms, and in particular their privacy and personal data, Community law provides for the deletion of traffic data once it is no longer needed for the purpose of the transmission of the communication. Some may however be kept and further processed by service and network providers for their own business purposes such as billing or with the consent of the consumers (See in particular the provisions of Directive 2002/58/EC on Privacy and Electronic Communications).
Beyond these business purposes, ‘public order’ purposes can also be invoked to justify the further processing of traffic data. This is why public authorities in the Member States are in principle, if necessary and in accordance with applicable law, able to request access to traffic data stored by electronic communications operators. Legitimate requests for the retention of specific data – otherwise called data preservation – are also allowed when necessary for specific purposes, such as investigations and prosecutions. Data preservation ensures the onward storage of specific data on specific users as from the date of the request.
However, with changes in business models and service offerings, such as the growth of flat rate tariffs, pre-paid and free electronic communications services, traffic data may not always be stored by all operators to the same extent as they were in recent years, depending on the services they offer. This trend is reinforced by recent offerings of Voice over IP/05/167 communication services, or even flat rate services for fixed telephone communications. Under such arrangements, the operators would no longer have the need to store traffic data for billing purposes. If traffic data are not stored for billing or other business purposes, they will not be available for public authorities whenever there is a legitimate case to access the data.
In other words, these developments are making it much harder for public authorities to fulfil their duties in preventing and combating (organised) crime and terrorism, and easier for criminals to communicate with each other without the fear that their communications data can be used by law enforcement authorities to thwart them.
Member States’ response so far
To respond to this concern, a number of Member States have adopted, or plan to adopt, national general data retention measures. Compared to data preservation measures, which are targeted at specific users and for specific data, general data retention measures aim at requiring (some or all) operators to retain traffic data on all users so that they can be used for ‘public order’ purposes when necessary and allowed.
The need to take legislative action in this area at the European level has been confirmed by the European Council in its Declaration on Combating Terrorism of 25 March 2004, adopted shortly after the horrific events in Madrid on 11 March. In that Declaration the European Council explicitly recognises the importance of legislative measures on traffic data retention, through its instruction to the Council to examine measures in the area of “proposals for establishing rules on the retention of communications traffic data by service providers”. The European Council Declaration continues to state that “Priority should be given to proposals under the retention of communication traffic data (...) with a view to adoption by June 2005”. The priority attached to adopting an appropriate legal instrument on this subject was recently confirmed in the Conclusions of the European Council of 16 and 17 June, as well as at the special JHA Council meeting of 13 July 2005 following the London terrorist bombings.
The issue of retention of traffic data has initially been dealt with in a draft Framework Decision, submitted in April 2004 as an initiative of France, Ireland, Sweden and the UK – which is a third pillar legal instrument.
The data retention regimes introduced or planned by the Member States vary significantly with respect to inter alia their scope, the purposes for which they have been adopted or planned, the data to be retained, the duration of the retention, the reimbursement possibilities, and the conditions for access to the data. There is at present therefore a patchwork of national data retention obligations in Member States, which can be summarised as follows:
A majority (about 15 according to 2004 figures) of Member States at present do not have mandatory data retention obligations; In about half of the Member States with mandatory data retention obligations laws in place, data retention is not operational since implementing measures are still missing; In those Member States with data retention obligations in operation, the period (between 3 months and 4 years) and scope vary substantially e.g. just pre-paid mobile, not the Internet, all services etc. The current situation is therefore one which is unsatisfactory in terms of addressing the serious concerns voiced by the European Council, and in terms of addressing the consequences of the diverging measures adopted by Member States for the effectiveness of international law enforcement co-operation, as well as the consequences for electronic communications service providers, especially those who provide services in different Member States of the European Union.
The Commission’s position has been that the largest part of that Framework Decision – the part concerning obligations on providers to retain certain traffic data – should be adopted on a first pillar legal basis. This position has also been adopted by the Legal Service of the Council and by the European Parliament.
What will the Directive do?
The Commission proposal provides for harmonisation of the obligations on providers of publicly available electronic communications or a public telecommunications network to retain data related to the usage of mobile and fixed telephony as well as the internet communications for a period of one year and six months respectively. It is not applicable to the actual content of the communications. It also includes a provision ensuring that the service or network providers will be reimbursed for the additional costs they will have to make to comply with the obligations imposed on them as a consequence of the Directive.
Fundamental rights aspects have been carefully weighed in the preparation of the proposal, and data protection authorities will be involved in the evaluation foreseen, as well as in any amendments to the list of data to be retained, which can be decided through a Comitology procedure. The data to be retained will be processed under the already existing legislation on data protection, in particular Directives 95/46 and 2002/58.
Is the Commission’s proposal different compared to the Council’s text?
Although the proposal has taken account to a significant extent of the work done by the Council on the draft Framework Decision, especially as far as the categories of data to be retained are concerned, it differs from the draft Framework Decision in a number of important areas. These can be summarised as follows:
Contrary to the draft FD, the draft Directive proposes harmonised retention periods of one year for fixed and mobile telephony data, and six months for IP based communication data. The FD sets a minimum term of retention for all data categories of one year, but allows for possible exceptions to this for periods between 6 and 48 months; Contrary to the draft FD, the draft Directive foresees a provision which obliges the Member States to compensate the electronic communication services providers for additional costs incurred as a consequence of the retention obligation; Contrary to the draft FD, the draft Directive foresees a Comitology procedure for amendments to the list of data to be retained, providing for the flexibility needed to ensure that the instrument stays up-to-date in a rapidly changing technological environment; Contrary to the draft FD, the draft Directive foresees the collection of statistics on cases in which data was requested, as well as an evaluation of the instrument and its impacts, taking account of those statistics. Neither the draft FD nor the draft Directive are applicable to the content of communications. Also, in both texts internet related data to be retained are limited to e-mail and IP-telephony data – which means that no data on web pages visited will need to be retained. The proposal will follow the co-decision procedure with full involvement of the European Parliament, and consultation of the Economic and Social Committee and the Committee of the Regions.
 Article 2a of Directive 2002/58/EC on Privacy and electronic Communications (OJ L 201, 31 July 2002)
 “Public order’ purposes are understood in the present document as referring to the public order interests mentioned in Article 15 of Directive 2002/58: national security (i.e. State Security), defense, public security, the prevention, detection and prosecution of criminal offences or of unauthorized use of the electronic communications system. For the sake of this document, law enforcement purposes are understood as restricted to the prevention, investigation, detection and prosecution of criminal offences."