Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations.



Data retention laws are regressive legislation

The Framework Decision and comparable national laws represent the latest stage in the steady erosion since September 2001 of European privacy safeguards. EU legislation in force prior to that date prohibited communications providers from retaining data for any longer than necessary to resolve billing disputes. A narrowly-worded exception allowed Member States to deviate from this standard to the extent necessary to safeguard national security and to investigate and prosecute criminal offences. Reacting to the September 11 attacks, and under pressure from the U.S., the EU widened this exception substantially in 2002. Controversial new legislation that year permitted Member States to “adopt legislative measures providing for the retention of data for a limited period” for national security or criminal justice purposes. The Framework Decision shifts the balance still further in the direction of security at the expense of individual privacy, transforming the permissive language of the 2002 legislation into an obligation on Member States to require data retention by communications providers. As noted above, the majority of Member States, perhaps sensing this shift in orientation, have since enacted, or are in the process of enacting, legislation that would mandate traffic data retention.

The proposal to make blanket retention of traffic data mandatory throughout the EU has drawn criticism from data protection officials, civil liberties groups and industry bodies. As these groups have pointed out, mandatory data retention regimes such as that embodied by the Framework Directive have a major, and negative, impact on individuals and on business in the European Union and beyond:

• The requirement that communications providers retain traffic data for up to two years (and even longer under some national legislation) would effectively create a massive database reaching indiscriminately into the personal and business affairs of each and every user of EU-based communications services. Whatever national rules were developed to regulate access to traffic data by law enforcement agencies, the very existence of this database would put at the disposal of the State an unprecedented amount of information about the everyday activities of its citizens. This would be a significant departure from the traditional approach in societies based on the rule of law, where the State’s ability to monitor individuals is strictly limited and regulated by such requirements as probable cause and a duly-authorised warrant. Interestingly, although the U.S. government has encouraged the European Union to adopt more extensive data retention powers, U.S. law permits data retention by communications providers only in respect of specific investigations that are already underway.
• The retention of traffic data by communications providers would also greatly enhance the risk that personal information could be stolen and exploited by third parties. Stored traffic data would present an attractive target for hackers, who would be able to access multiple personal details about individuals in one place. Moreover, because the information would be stored, hackers would be able to sort through stolen data at their leisure, rather than trying to intercept valuable personal details in real time, as at present. Thus, in the name of facilitating the investigation and prosecution of crimes, mandatory data retention laws would in fact make the job of the cybercriminal considerably easier.
• Concern about the misuse of sensitive personal information could undermine public confidence in electronic communications systems. A blanket requirement on communications providers to retain traffic data would give all users of electronic services reason to fear that stored data relating to their personal lives might be improperly accessed. As the 2002 EU legislation recognised, “the successful cross-border development of these services is partly dependent on the confidence of users that their privacy will not be at risk.” A loss of public confidence could, in particular, retard the role of the Internet as a channel of social intercourse and a vehicle for electronic commerce. The failure of the Internet to live up to its potential in either respect would represent a significant loss for society at large, as well as for individuals in their capacities as both citizens and consumers.
• Indiscriminate data retention requirements would raise the cost of electronic services to the consuming public. Requiring communications providers to retain data on every communication carried would create a need to store massive amounts of information, out of all proportion to the quantity of information law enforcement agencies actually need. Storage of this data for up to two years would impose significant additional costs on business, which would inevitably be passed on to consumers in the form of higher prices. This, too, would tend to retard the development of the Internet, and other electronic services, in Europe.