Illusory and illegitimate
Though there are vast amounts of information generated by activity on modern communications networks, linking this information to individuals’ actions is not simple. The illusion of benefits to security must be confronted with some realities. First, traffic data does not easily link to individual conduct. Second, this policy is linked with the increased identification requirements. Finally, there are also significant technological and financial ramifications.
Linking an individual to a set of actions, recorded in logs, is increasingly difficult. Both the Council and the Commission propose the retention of tracing data, but tracing the individual log data back to the individual is increasingly difficult particularly as use increases of pre-paid mobile phones, open wire-less hubs, and countless smaller devices to interact with others across jurisdictions. It is increasingly difficult to ensure that communications data retention has investigative and evidentiary value. To ensure its value would require the registration of every internet user, blocking of every open network, registration of the identity of all mobile phone users, the logging of ID numbers at cybercafés and libraries, and forcing Europeans to only use EU-based mail providers (banning the use of Gmail, Hotmail, and other such services).
The ever-increasing volume of telecommunications data is one of the reasons why there has been no serious data retention proposal made in the US. National Security Agency director Lt. General Michael Hayden noted in 2001 that "Today there are over 180 million computers — most of them networked. There are roughly 14 million fax machines and 40 million cell phones, and those numbers continue to grow."1 Realising the extensive burden this would place on US industry, the US Department of Justice has instead adopted powers allowing for the preservation of specific information on specific users under investigation.
The Commission and Council proposals would therefore place European residents and industry at a global disadvantage. EU-based mail providers would have to retain logs of e-mails sent and received while US-based providers would not. Multi-national service providers may not invest in European infrastructure due to the additional costs.
The Commission documentation claims that industry is demanding harmonised retention policy. This is an absurd claim. To date we have not seen lobbyists from communications service providers calling for the implementation of retention rules in countries that are currently without. No amount of harmonisation will solve the problem that companies outside the EU will not have to comply with retention requirements.
There are additional burdens on industry within both proposals. The Council proposal foresees retained data being accessed by all EU Member States upon request for investigation into any criminal activity, yet also requires that the data be kept secure with 'technical and organisational measures' to protect against accidental or unlawful access, loss, or destruction. The Commission proposal requires that this data is stored "in such a way that it can be transmitted upon request to the competent authorities without undue delay". These regulatory and design burdens will involve substantial costs.
The Commission proposal does call for the reimbursement for compliance with the draft directive. This would not account for an increased cost of operation, higher compliance risks, and challenges to smaller enterprises. The money disbursed will still come from European citizens, while gains are unclear and unsubstantiated.
In the Commission's impact analysis the reported costs for retention continue to vary widely, ranging from hundreds of thousands of euros for each telephone and mobile phone provider according to government estimates to hundreds of millions of euros for each network provider according to industry estimates. More research is required before the Parliament even considers a proposal that could affect European industry and users so greatly.
Data retention is not a new policy. In fact it has been tried and has failed in a number of jurisdictions around the world. Now the European Parliament is being asked by the Commission to be complicit in the act of policy laundering: to pass laws at the EU level that failed in Member States.
The UK Government failed to achieve a mandatory regime in Britain after September 11, but is now seeking such a regime at the EU level. The German Parliament and the Dutch have voted to prevent their interior ministers from agreeing to the Council proposals. The Irish Justice Minister admitted that he was waiting for the 'EU cavalry' to come to his aid but when it did not, he was forced to rush telephone data retention through the Irish Parliament.2
The Commission argues that harmonisation is the key purpose for the directive. However, the majority of Member States do not have mandatory data retention obligations. Even fewer have functioning regulatory regimes for actually implementing data retention.3 Existing retention periods vary widely (between three months and four years) as does the scope of retention, where some require just pre-paid mobile, others just telephone, etc. Yet the European Commission seems intent on harmonising a failed and yet broad policy. And the Commission is asking for the European Parliament's approval in this venture.
When the Council of Europe was drafting its cybercrime convention it specifically avoided data retention. There is no data retention in the United States and Canada. In fact, data retention policy seems mostly limited to Europe. Although Argentina has passed a retention law, the Argentinean government suspended that law in May 2005. Retention is an unpopular policy that few countries have and fewer want.
The European Commission contends that it performed a consultation and the results were in favour of retaining data for six months. For years the Commission has been discussing retention, and for years the opposition to the regime has prevented its implementation. Last year the Commission consulted on the Council’s Framework Decision and received many responses, including one response that was endorsed by 190 industry and non-governmental organisations. That response was clear in its opposition to data retention. The Commission then reported that these responses all supported a six-month regime.
Both the Council and the Commission proposals are sullied by unaccountable and undemocratic procedures. The Council proposal acknowledges that some countries may retain data for four years and others only for six months. If countries opt for six months, however, the Council requires a 'national procedural or consultative process' and a review every five years. No national consultation is required to implement retention for one to four years. Meanwhile, the Commission proposal enumerates the data to be retained but proposes the creation of a Committee that will in the future decide what additional types of data must be retained because of the 'fluid nature' of technology.
The European Parliament is thus being called on to approve a policy that has failed elsewhere. Deliberation on data retention has not often occurred at the national level, and little debate has occurred at the level of the EU. Where these debates have taken place opposition was high, and the arguments against were reasoned and justifiable. The Commission and the Council are sweeping these concerns aside and are promoting bad behaviour by calling for harmonising measures to increase surveillance while failing to harmonise safeguards against abuse.
- 1. ames Bamford. Eyes in the Sky, Ears to the Wall, and Still Wanting. New York Times, 8 September 2002. Available from http://www.mindfully.org/Reform/2002/Terrorism-Dumb-Luck-Technology8sep0...
- 2. Mr. Michael McDowell: "There is no EU cavalry coming down the hill to help me. I must sort out this conflict." Stated in Seanad Debate, Volume 179 No.4, February 3, 2005.
- 3. Less than half, according to impact assessment, p.6.