Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


The framework decision & national laws

The European Union’s Council of Ministers is considering a measure that would require communications providers to retain for up to two years data related to every communication they carry. The “Draft Framework Decision on the Retention of Traffic Data and Access to this Data in Connection with Criminal Investigations and Prosecutions” is a Belgian proposal, that had been under discussion in the EU’s Third Pillar, devoted to Justice and Home Affairs issues. If approved by the Council, and subsequently ratified by the European Parliament, the Framework Decision would require Member States to adopt national legislation mandating data retention by providers operating from their territories.

The EU has not yet made the proposed legislation public. However, the text has been made available on the Internet by one non-governmental organisation concerned about the legislation’s likely impact on civil liberties. The proposal would require communications providers to retain for a minimum of 12 months and a maximum of 24 months, data necessary to follow and identify the source of every communication, and to identify the time a communication was made, its destination, the subscriber name and the communications device involved. The Framework Decision defines a communication as all information exchanged or routed between a finite number of parties via an electronic communications network accessible to the public. The data retention requirement would therefore apply to all means by which individuals relate to each other remotely, including land-based telephones, mobile telephones, pagers, data text messaging and electronic mail. The data retained would subsequently be made available as needed to law enforcement agencies in the course of the investigation and prosecution of criminal offenses.

Possibly reflecting the altered mindset that led to the proposed Framework Decision, a number of European Member States separately have moved to enact national legislation that similarly would compel the retention of traffic data. These efforts are gathering pace. At least nine of the 15 Member States either have, or intend to enact, legislation calling for mandatory traffic data retention, and the large majority Member States have expressed broad support for an EU-measure calling for mandatory data retention. While authorities in a few states like Germany and Finland remain skeptical, authorities in Greece, Denmark, Austria, Spain, Belgium and most of the rest of Europe are supportive. Where legislation already has been enacted, it typically calls for retention of traffic data for up to 12 months, although at least one Member State has set a 3-year retention period. These trends are worrying, and we would argue, violate of fundamental privacy rights embedded in European law.