Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


Chapter: 

Invasive and illegal

Invasive

The Council and the Commission both acknowledge that the retention of traffic data is an intrusion upon the privacy rights of the individual. Over the years the proposals have been modified in recognition of this intrusion.1

The type of data collected under the proposed retention schemes will create a map of all of our contacts and relationships over a period of at least one year. Information will be retained on every phone call we make, every location we travel to, every communications service we use, every email we send and receive, and possibly more. This information will be kept to make a future judgement about us.

Never before have democratic governments had such information at their fingertips. And yet weak safeguards would apply to their use of this information.

The Council is demanding that data be retained for one year, though Member States may demand longer periods up to four years. The Commission proposal establishes two retention regimes, with one year for telephone and mobile services, and six months for Internet services.

The UK Presidency has promised that with respect to the Internet the Council proposes only to collect data regarding log-ins and log-offs. The Commission definition is far more invasive than the Council proposal. The Commission defines 'communication' as involving "any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service". Therefore the Commission is proposing the tracing of all forms of Internet transactions. This means that communications service providers could be compelled to store their mail server logs, web cache logs, and IP flow logs2 for six months without any regard to necessity or proportionality.

Illegal

The privacy of communications is given a high standard of protection in international human rights instruments and in many national constitutions. Communications secrecy is necessary for a functioning society.

All parties agree that the collection and retention of information creates challenges for the right to privacy enshrined in Article 8 of the European Convention on Human. Proponents of retention emphasise that safeguards are only required for access to this data. That is, they do not believe that the act of retention is an intrusion upon the privacy rights of individuals. The European Court of Human Rights appears to disagree with this interpretation.

Article 8 guarantees every individual the right to respect for his or her private life, subject only to narrow exceptions where government action is imperative. This interference with the privacy rights of every user of European-based communications services cannot be justified under the limited exceptions envisaged by Article 8 because it is neither consistent with the rule of law nor necessary in a democratic society. The indiscriminate collection of traffic data offends a core principle of the rule of law: that citizens should have notice of the circumstances in which the State may conduct surveillance, so that they can regulate their behaviour to avoid unwanted intrusions. Moreover, the data retention requirement would be so extensive as to be out of all proportion to the law enforcement objectives served.

The European Court of Human Rights has ruled that the recording of traffic data is a violation of Article 8 rights.3 The Court also found that the storing of records on past activities constituted an interference.4 The Court also deems surveillance as unlawful if it was indiscriminate and lacked a specific regime of regulation.5 Lawful surveillance can only take place when there are effective safeguards in place to ensure minimum impairment to privacy, and alternative means are exhausted.6

Data retention necessarily involves an intrusion upon the private life of an individual; results in the collection of vast dossiers on past activities of everyone; and does so in an indiscriminate manner even while alternative means of surveillance exist that are less disproportionate.

One of the greatest flaws of these retention proposals is that the grounds for accessing the retained data remain obscured. In the Council's Framework Decision, it is promised that this data will be accessed in accordance with national law in a proportionate manner. But the Framework Decision does not prescribe any guidelines for national law nor a proportionality test. This data is stored for the wide set of purposes of "investigation, detection and prosecution of crime and criminal offences including terrorism", leaving little constraint of national law. This is consistent with existing national policies on retention. For instance in the UK traffic data may be accessed by almost every government body, including local councils and the environment agency.

On the other hand, the Commission proposes that the stated purpose of retention is to ensure that data is available for the "prevention, investigation, detection and prosecution of serious criminal offences, such as terrorism and organised crime". What constitutes 'serious crime' leaves much to the imagination, particularly as Commission documents note that retention will be of use for cybercrime investigations, international investigations that are renown for lacking dual criminality tests7 and for investigating "intellectual copyright infringements” (sic).8

Even as the Commission moves forward on harmonisation of retention it doesn’t appear to have produced the necessary research to understand the variety of existing access powers within Member States. Before the Parliament approves a measure that would vastly increase the data stores at the disposal of government departments across Member States, we would expect an evaluation of the differences in national laws and practices.

The indiscriminate retention of vast stores of information on everyone in Europe with unclear safeguards and limited means of regulating access leaves the Commission's proposal in problematic legal territory. It is likely that an EU policy on data retention will lead to a number of court cases in Member States and EU courts.

Footnotes

  • 1. Some may now argue that the mere collection and retention of this data is not an intrusion upon the private lives of individuals and instead only access to this information is problematic. Such an argument would not reflect the law, nor does it reflect the clearly stated positions of both the Council and Commission proposals.
  • 2. This involves both packet level data on source, destination, traffic type, etc. and the flows of these packets. It is common to collect this data for short periods (and often on a statistical basis) in order to spot denial of service attacks, to assess link usage and other network management reasons. Even though this information is collected and kept for a short period of time, under the Commission proposals it would have to be kept for six months.
  • 3. In the case of Amann v. Switzerland
  • 4. In Rotaru v. Romania
  • 5.  Kruslin v. France, Amann v. Swizerland and Kopp v. Switzerland
  • 6. Foxley v. United Kingdom
  • 7. This is why the Council of Europe Convention on Cybercrimeenables the power of expedited preservation.
  • 8. Commission Staff Working Document, Annex to the Proposal for a Directive of the European Parliament and of the Council on the retention of data processed in connection with the provision of public electronic communication services and amending Directive 2002/58/EC, EXTENDED IMPACT ASSESSMENT, {COM(2005) 438 final}, page 5.