|Internal memo on EU communications data retention directive leaked (26 Jan 2012)
The highly controversial surveillance measure of telecommunications data retention is noticeably losing its legitimacy. A leaked internal memo by the European Commission setting out a six months roadmap for the evaluation of the EU's 2006 data retention directive attests to its complete failure. Previously denounced as a "paradigm shift" and a "deviation in constitutional norms" by legal scholars and practitioners, the leaked memo leads critics to predict that data retention is nearing its end.The German Working Group on Data Retention ("AK Vorrat") has translated and issued a commentary on the document which was recently published by the Austrian civil rights organization "Quintessenz". In a surprisingly frank manner, the Commission raises a number of problems of the directive, including breaches of law and flaws in its implementation. Perhaps the most remarkable aspect of the report is the Commission questioning the notion of data retention itself.
The official report on the evaluation of the data retention directive, presented by the Commission on 18 April 2011, failed to prove the necessity of the instrument. Despite numerous deadline extentions, only 11 out of 27 EU Member States submitted the obligatory statistics on data retention. Furthermore the data that was provided was largely unusable. AK Vorrat concluded that the Commission's report was a political document rather than the result of an independent and scientifically sound analysis that would deserve the name of "evaluation".
While the Commission now admits that “there is a continued perception that there is little evidence at an EU and national level of the value of data retention”, it does not refrain from forging ahead with the question: "what would be the most effective way of demonstrating the value of data retention in general and of the DRD itself?""Even six years after its adoption, the Commission has failed to prove the necessity of the data retention directive," says Frank Herrmann of AK Vorrat. "Instead the Commission is asking the EU Member States for arbitrary examples of benefits of data retention. This obliterates any trust in the impartiality of the Commission. To accept the failure of the data retention directive would be the right decision - and a courageous one."
The confidential memo proceeds to report that restrictions on access to retained communications data (to cases of "terrorism" and "serious crime") have become meaningless. No EU-wide definition of the notion of “serious crime” exists, leading to broad misapplication in some Member States.
The internal report not only discusses the possibility of extending the data retention directive in order to allow for massive data access in cases of copyright
infringements, "hacking" or
"emergencies". It also considers requiring the retention of instant messaging, Internet chat and Internet upload and download records.
The report also indicates a need for regulation of data handling by private entities and governments, noting the lack of standards for notification of data retrieval and the absence of a right to obtain information or compensation in cases of data theft or abuse.On the other hand, the Commission examines the situation of the providers that are compelled to retain data: Depending on the country, there is no or nearly no reimbursement of storage costs, which leads to a hitherto unknown distortion of the free market. Especially the costs for small businesses are being rated as "disproportionately high". Because of the lack of a definition under which conditions which authority is authorised to access retained communications data, providers are being driven into the unpopular role of interpreters of vague data retention legislation. This is particularly insidious considering that the EU data retention directive was not adopted as a law enforcement tool, but as an instrument of market harmonization. If the EU Commission now admits that the Directive has led to a distortion of competition rather than harmonization, the legal basis and thus the legality of the controversial directive collapses.
Is it necessary to separate data retained unter the data retention directive from data companies keep for operational reasons? The memo leaves this question unanswered. The two different types of communications data (operational data and law enforcement data) are not always distinguished, which not only increases data security risks but also makes it impossible to assess the purported usefulness of blanket data retention legislation specifically.
Few of the numerous and diverse concerns raised by civil rights and other non-governmental organizations[3,4] are addressed in the memo. An analysis of the social and sociological implications of recording the entire population's communications is entirely absent and apparently irrelevant in the eyes of the Commission.
Many conservative politicians claim again and again that there was no alternative to collecting and retaining complete sets of telecommunications traffic data on every European citizen for months or years. Yet the necessity of this sweeping and indiscriminate policy and its conformity with human rights remains unproven, even five years after the coming into force of the EU data retention directive.
AK Vorrat calls for immediately putting an end to the EU-wide obligation of blanket data retention legislation. Together with the 64,074 signatories of the successful German petition against data retention, we demand that Germany continue to refuse implementation of the data retention directive into German law until the European Court of Justice has decided on the compatibility of the directive with our fundamental rights.
The EU Commission intends to consider its options for withdrawing or amending the data retention directive or making a proposal on data preservation (“quick freeze”) by May 2012. Draft legislation to amend the directive is to be presented by July 2012.
AK Vorrat regrets that the Commission is not considering the option of an EU-wide ban on blanket data retention legislation or of letting each Member State decide whether or not to have communications data recorded on all of its citizens in the absence of any suspicion of criminal wrongdoing. Claims that the EU was legally unable to harmonise data retention legislation only where it is in place are considered unfounded by legal scholars.