Privacy International


November 27, 2001

EU FORUM ON CYBERCRIME

WORKING PAPER ON DATA RETENTION

Privacy International (PI) welcomes the opportunity to submit our comments regarding the discussion paper. In the interests of brevity, we will focus our comments on the draft document (and related retention initiatives), and reserve our comments regarding such issues as international cooperation, and lawful access powers such as preservation and interception. While we have in recent times been active on commenting on related initiatives dealing with these latter powers, we are looking forward to the discourse within the EU Forum during future sessions.

PI represents member organisations and individuals from a wide variety of backgrounds specialising in privacy, surveillance, data protection and freedom of information in over 40 countries and has offices in London and Washington, D.C. PI engages in a wide variety of educational and other activities each year, including testifying before many national and international bodies, organising campaigns, issuing reports, holding conferences, and co-producing the annual international survey on Privacy and Human Rights (available at http://www.privacyinternational.org/survey). The organisation and its members have been actively involved in deliberations and campaigns on electronic surveillance in many jurisdictions worldwide for over 10 years.

Overall, we are concerned that the discussion paper ignores long-established data protection principles in order to facilitate law enforcement interests. The paper claims from the outset that a balanced approach is favoured. We welcome such a statement, but we note that this aspect has been sorely lacking in previous fora such as the Council of Europe and the G8. We regret that the content of the discussion paper fails to reflect such a balance. Many of the questions raised in the document have been extensively debated and resolved in the development of instruments such as the Data Protection Directive, the OECD Privacy Guidelines and Council of Europe Treaty 108. We see no reason to revisit these discussions. We believe that any attempt to ignore the genesis of data protection can only result in a comprehensive weakening of essential human rights protections. Data protection principles already reflect a balanced approach.

While the discussion paper does make reference to data protection principles, and while such principles are said to be supported by the European Parliament, the discussion document simultaneously promotes interests such as the combating of child pornography. As a result, we do not see any indication of balance. In fact, data protection principles have already been carefully designed with such interests in mind.

In the paper, traffic data retention is described primarily as a tool to combat crime and to enhance criminal investigations. But the paper does not stop at data that are already collected for billing purposes; it even encourages the development of national policies where data storage, based solely on the requirements of law enforcement, would be extended to other types of data. This position, with respect to existing data protection principles, is unacceptable.

The discussion paper, particularly in Annex II (which lists types of data that may be retained), appears to have lifted some of its content from the Discussion Paper from Workshop 1 of the G8 Industry-Government meeting in Tokyo 2001 (itself reflecting results from Berlin 2000). However, in taking ideas and content from this prior work, the Expert Meeting discussion paper fails to adopt the content relating to the problems that were identified. The Tokyo discussion paper includes sections on privacy risks and concerns (as well as identified costs), including the opinions and recommendations of European institutions such as the Article 29 Working Group and the European Data Protection Commissioners. Most importantly, it is noted within that document that the requirement of specificity does not apply to data being disclosed, but rather to the data being collected and stored. Even the conclusions of the Tokyo workshop, which appear to accept that service providers are concerned that retention would erode consumer confidence, are not recognised, let alone the complexity and cost concerns. In fact, the most significant conclusion was that "given the complexity of the above noted issues, blanket solutions to data retention will likely not be feasible."

Our responses to the questions posed to civil liberties organisations are set out below.


1. Why traffic data should be erased after completion of a communication for data protection and privacy reasons?
• Are traffic data sensitive and why?
• Are there traffic data with different degrees of sensitivity?
• Is there a special problem related to location data?

In accordance with the fair information practices and existing law, data should not be retained once they are no longer required for the purpose for which they were collected, or for some other purpose articulated at the time of collection (presumably under some form of consent). While this applies to all forms of personally identifiable information, the fair information practices should apply even more so to traffic data. Traffic data is indeed sensitive, and in many ways should be considered as sensitive as content data. This data, as collected by modern communications infrastructures such as digital telephony, mobile telephony and Internet communications networks, reveals a large amount of detail about, and perhaps a comprehensive profile of, any individual. This data is generally not retained.

When surfing the net, a user can visit dozens of sites in just a few minutes and reveal a wide and detailed spectrum of their personal situation and interests. This can include medical, financial, social and other highly personal information. For example, in a standard visit to www.google.com, a search engine site, the content of that communication is the packets returned, which consist of graphics and text; but this does not include the actual request to www.google.com, which might be:

  http://www.google.com/search?hl=en&q="Aids+treatment"&btnG=Google+Search

which quickly becomes as invasive as the interception of content information for the purpose of investigations because it reveals the interests of the user and the details of the content they are reading.

The detailed and potentially sensitive nature of the data makes it more similar to the content of communications than to telephone records, and it should thus be treated as content subject to interception or retention following the well-established procedures on the interception of the contents of communications.

The same concerns apply to access to email header information. While superficially this would appear analogous to the collection of telephone calling records, there are important differences which make the information more sensitive and thus require greater legal protections: 1) unlike the telephone system, which is a point-to-point system between two fixed devices that can be used by anyone with physical access, email is usually a person-to-person system; 2) email communications usually include a subject line which gives an indication of the content; and 3) the size of the communication can also reveal the nature of the content (e.g. a media file, a long text or a short reply).
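The two points above (that a URL request string reveals what the user was reading, and that email headers such as Subject and size reveal the nature of the message) can be made concrete with a small data-minimisation filter. The following Python is an added example, not code from Privacy International's submission: it splits a constructed web request record and a constructed email header set into the connection-level fields a "connection data" retention regime might keep (host, port, addresses, timestamps) and the fields that are really content. The header classification, the size thresholds, the helper names and all sample values are assumptions made for illustration; only the Google search URL is taken from the paper.

```python
"""Added example (not from the submission): separating connection-level
fields from content-revealing fields in web and email "traffic data"."""
from urllib.parse import urlsplit, parse_qs

# Assumption: these header names reveal content rather than routing.
CONTENT_REVEALING_MAIL_HEADERS = {"subject", "content-length"}

# Assumed size thresholds (bytes) for the point that message size hints at content.
SHORT_REPLY_MAX = 2_000
LONG_TEXT_MAX = 100_000

# The example URL quoted in the paper, reused here as sample input.
SAMPLE_URL = 'http://www.google.com/search?hl=en&q="Aids+treatment"&btnG=Google+Search'

# Constructed sample email headers (fictitious addresses and values).
SAMPLE_MAIL_HEADERS = {
    "From": "alice@example.org",
    "To": "bob@example.net",
    "Date": "Tue, 27 Nov 2001 10:15:00 +0000",
    "Subject": "Test results from the clinic",
    "Content-Length": "18432",
}


def split_web_request(url: str) -> dict:
    """Split a requested URL into connection-level parts (scheme, host, port)
    and content-revealing parts (path and decoded query parameters)."""
    parts = urlsplit(url)
    default_port = 443 if parts.scheme == "https" else 80
    return {
        "connection": {
            "scheme": parts.scheme,
            "host": parts.hostname,
            "port": parts.port or default_port,
        },
        "content": {
            "path": parts.path,
            # parse_qs decodes '+' to a space and keeps any other characters literally.
            "query": parse_qs(parts.query),
        },
    }


def classify_size(content_length: int) -> str:
    """Map a message size to the coarse content categories named in the paper
    (thresholds are an assumption of this example)."""
    if content_length < SHORT_REPLY_MAX:
        return "short reply"
    if content_length < LONG_TEXT_MAX:
        return "long text"
    return "media file"


def split_mail_headers(headers: dict) -> dict:
    """Split an email header set into routing fields and content-revealing
    fields, annotating the size with what it suggests about the content."""
    routing, content = {}, {}
    for name, value in headers.items():
        if name.lower() in CONTENT_REVEALING_MAIL_HEADERS:
            content[name] = value
        else:
            routing[name] = value
    if "Content-Length" in content:
        content["size_suggests"] = classify_size(int(content["Content-Length"]))
    return {"connection": routing, "content": content}


def minimise_for_retention(record: dict) -> dict:
    """Keep only the connection-level portion of a split record, i.e. what
    remains once the content-revealing fields are dropped before storage."""
    return dict(record["connection"])


if __name__ == "__main__":
    web = split_web_request(SAMPLE_URL)
    mail = split_mail_headers(SAMPLE_MAIL_HEADERS)
    print("web request, retained:", minimise_for_retention(web))
    print("web request, dropped: ", web["content"])
    print("email, retained:      ", minimise_for_retention(mail))
    print("email, dropped:       ", mail["content"])
```

Run stand-alone, the script shows that the retained web record reduces to the host and port, while the dropped part carries the search term; for the email, the routing fields survive and the subject line and size category are discarded.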

Moreover, as communications devices become even more mobile, we encounter new privacy concerns. Mobile communications systems reveal more information about an account holder, including location data, which results in an increased amount of data collection. Thus, such an extension of surveillance is hardly a maintenance of traditional powers. Location information can provide details of individuals' movements and activities and of those with whom they have associated. Such a condition affects not only a user's privacy, but also the rights of association, organising and free speech.

At the same time, these devices may be shared, misplaced or stolen. Traffic data that is collected will therefore suffer in data quality: decisions may be made about an individual based on the data associated with his devices rather than on the individual himself. This data quality issue also applies to other communications infrastructures. The related issues have been raised by other experts.

Finally, location data is particularly sensitive because this form of data was not even envisioned in previous years. Thus the concerns articulated within the discussion paper about 'lost data' due to new services and technologies seem contradictory. While we understand that law enforcement agencies may believe this information is valuable, we do not agree that its use is a proportionate development relative to existing powers.

2. What is the relation or similarity between retention of traffic data and interception, if any, from a data protection perspective?

As noted above, whether from surfing data and search parameters, or from data limited to the servers and services requested and used, a great deal of information can be learned and assumed about an individual by monitoring their use of communications services through traffic data collection, storage and processing. We consider this data to be transactional and interactive, with the intentions, interests and lifestyle of the individual embedded within it. As a result, this data deserves the highest level of protection even under preservation and disclosure requests. We are alarmed that retention is even being considered.

While the content of communications is already recognised as deserving protection under constitutional laws because of its sensitivity, we believe that traffic data also reflects a level of interaction between the individual and her environment that rests on similar grounds.

3. Why does mandatory retention pose legal problems with regard to the European Convention on Human Rights?
• To what extent does it depend on the amount and type of data or the duration of the retention?
• Why does the state have the burden of proof on the necessity to retain traffic data?
• Why does the retention of traffic data of all users of electronic communications services, without the condition of concrete suspicion on each individual, cause problems?

We predict that mandatory retention will conflict with the proportionality, fair use and specificity requirements of data protection laws. It is also likely that such retention of data will breach Article 8 of the ECHR, in that it may constitute a "driftnet fishing operation" over personal communication. Other than in exceptional circumstances, data may not be collected, processed or transmitted with the sole intention of providing a future speculative data resource. Moreover, if the expert meeting considers, as we do, that traffic data may be as sensitive as communications content, and that interception must be applied only when all other sources of investigative data have been exhausted, then the same measures should be applied here. As a result, if traffic data retention is to be discussed, then authorities are also likely to consider content retention. At that point the public backlash would be significant. It is only because traffic data is not currently well understood by the general public that this backlash has not yet occurred.

4. Are data protection authorities currently aware of any data retention practice within their jurisdiction?
• Do data protection authorities have a supervisory role in data retention and access practices by LEAs within their jurisdiction?

Privacy and Data Protection Commissioners should play a key role in the development and oversight of any data retention practices in every jurisdiction. Data retention, especially as proposed by the paper, threatens the privacy of all users, not just those who are suspected of committing a crime. Given the vast amounts of data that can potentially be collected about users, and the consequent impact on individuals' rights, action without oversight will lead to systematic abuses, in the same way that many countries have systematically abused their interception powers over the years.

5. Would mandatory transfer of the necessary data to a trusted third party infringe personal data protection?
• Which entities could fulfil such a role?
• What conditions should apply for storage of data by third parties?
• What conditions should apply for access to data stored by third parties?

Retention, disclosure and sharing of data are all actions addressed within the fair information practices. Presumably, the consideration by the EU is that data stored by third parties would resolve the concerns around disclosure. This is in fact not the case, for two reasons. First, sharing the data with a third party would itself contravene data protection principles. Secondly, in some national systems, law enforcement authorities must interact with the communications providers, who are in turn bound by law on liability and illegal disclosure, and this interaction limits possible abuses. Therefore, while third party storage may be ideal for service providers, it does not serve the public interest in adequate oversight.

6. What are the views of the consumers on the issue of data retention?

We agree with the conclusion of the G8 Tokyo workshop that retention "erodes consumers' confidence in doing business on the Internet due to privacy concerns." A recent report on the economic implications of the UK's Regulation of Investigatory Powers Bill, commissioned by the British Chambers of Commerce, concluded that such practices would substantially weaken consumer confidence in e-commerce. Moreover, it is our belief that, with sufficient education of consumers regarding traffic data, consumers will react negatively to retention practices.

Responses to Questions to all:

1. What other questions than those mentioned already in this working paper would need to be addressed in your view?

The unlawful disclosure of stored data requires far more careful consideration. Moreover, the data quality issues require further investigation. Data held in other jurisdictions need to be considered, particularly whether retention is practised there and whether the conditions of access are reasonable. Likewise, mutual legal assistance to gain access to this data without a requirement of dual criminality must be assessed.

2. Given the need to limit to the absolute necessary the amount of data that could be retained, do we need to define the relevant data not as "traffic data" but in a different way and possibly use a different term, such as for instance "connection data"?

Each communication infrastructure reveals sensitive data in different categories. Traffic data should be defined in the context of the infrastructure, the manner of collection, the level of consent granted and, cumulatively, the sensitivity of the data. A simplistic categorisation of the types of data that may be collected will not resolve the privacy risks and concerns.

4. Additional remarks?

We continue to be concerned by the lack of understanding of, and regard for, data protection principles. Data retention fundamentally breaches several long-held data protection provisions. There is little difference, in privacy terms, between the retention of content data and the retention of traffic data. Any discussion should reflect this view.