Data Retention: A keeper or not?
Coincidence or not, in the evaluation process of the Data Retention Directive (2006/24/EC) the Directorate-General Home Affairs of the European Commission invited all stakeholders to participate on Friday the 3th of December at the 3th Data Retention Conference, themed ‘Taking on the Data Retention Directive’.
Cecilia Malmström, the Swedish European Commissioner for Home Affairs, summarised data retention in her speech as:
‘the mandatory storage of telecommunications traffic and location data for law enforcement purposes’.
The Directive sets out the requirements concerning this retention of electronic communications data, ranging from voice to Internet traffic, at two levels, (1) what data to retain and (2) how to retain it, but remains vague on the purposes for which it can be used and by whom.
It was adopted in 2006 following a knee-jerk reaction by Council to the Madrid (2004) and London (2005) bombings, and amidst quite some back and forth between the European Parliament and Council.
So what does it mean?
What does it mean for European citizens? Alex Arnbak, speaking on behalf of the European Digital Rights initiative (EDRi) and representing Bits of Freedom, pointed out that in 2010 ‘the average European [had] his traffic and location data logged in a telecommunications database once every six minutes’.
What’s the burden operators have to bear? Deutsche Telekom, for example, collects about 19.5 terabytes of data during the German retention period of 6 months, or not less than 4.85 billion DIN-A4 pages which represents a 25km long paper trail. In the end the operator had to deal in 2009 with 12.891 law enforcement agency requests for fixed telephony data, 6.450 for Internet and 19.466 for mobile telephony. Seeing these figures, and thinking of the number of European operators, it’s not hard to understand that all the associations that represent them have, in a seldom unanimity, urged the Commission to harmonise the focus on voice instead of Internet data.
So what do stakeholders say?
The Directive faces a barrage of criticism, as Alex Arnbak describes it as ‘the most controversial surveillance measure in Europe’, while Peter Hustinx, the European Data Protection Supervisor (EDPS), refers to it as the ‘most privacy invasive instrument ever adopted by the EU in terms of scale and the number of people it affects’. So from their point of view the Directive needs to be either withdrawn or replaced with a more proportional instrument.
They are supported by civil society, represented through signatories from 106 organisations from all over Europe, which sent a letter on the 27th of July 2010,to Commissioners Malmström, Kroes and Reding to:
‘urge [them] to propose the repeal of the EU requirements regarding data retention in favour of a system of expedited preservation and targeted collection of traffic data as agreed in the Council of Europe’s Convention on Cybercrime’.