For several years, law enforcement agencies in various countries have urged the adoption of “data retention” requirements, which would compel communications service providers to routinely capture and archive information detailing the telephone calls, e-mail messages and other communications of their users. While many providers currently retain certain traffic data for billing and other business-related purposes for short periods of time, there are no government-imposed retention requirements in the major industrialized countries.
However, in March 2006, the European Union enacted a Directive on Mandatory Retention of Communications Traffic Data, which requires Member States to require communications providers to retain communications data for a period of between 6 months and 2 years. Member States have until September 16, 2007 to transpose the requirements of the Directive into national laws; however, a delay of 18 additional months, until March of 2009, is available. 16 of the 25 member states of the EU have declared that they will delay the implementation of data retention of Internet traffic data for the additional period.
On April 8, 2014, the European Court of Justice struck down the Data Retention Directive because it violated the fundamental right to privacy. According to the Court, the Directive imposed “a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary.” The Court found that the collection of metadata constitutes the processing of personal data and must therefore comply with Article 8 of the Charter of Rights. The Court also said to find a privacy violation, “it does not matter whether the information on the private lives concerned is sensitive or whether the persons concerned have been inconvenienced in any way.”
- FCC Adopts Modest Privacy Rules for Broadband Services: The Federal Communications Commission today approved privacy regulations for broadband services. The rules require ISPs to obtain consumers’ consent for “sensitive” information, which includes web browsing history and app usage, but excludes IP and MAC addresses which are also used to track Internet users. (A document obtained by EPIC under the FOIA indicates that Google lobbied for this exception.) The rules establish data breach notification requirements but permit companies to charge users for privacy protection and permit arbitration when violations of privacy rights occur. EPIC had urged the FCC to establish comprehensive safeguards for consumer privacy, to ban pay-for-privacy schemes, and to prohibit mandatory arbitration. EPIC has frequently defended FCC privacy rules and currently has a petition pending before the FCC to end the mandatory retention of customer telephone records. (Oct. 27, 2016)
- Coalition Urges White House to Recognize EU Opinion; End NSA Telephone Records Program: In a letter to the White House, a coalition of US organizations urged the Administration to recognize the recent opinion by the Court of Justice, the highest court in Europe, that ended a European data retention mandate. The European law required telephone and internet companies to retain metadata on customers for national security purposes. The European Court of Justice ruled that this practice violates the fundamental right to privacy and is illegal. The US groups argue that the opinion “bears directly on the White House’s review of the NSA Telephone Records Collection Program and also the White House study of Big Data and the Future of Privacy.” The groups urged the White House to 1) recognize the Court’s decision in its upcoming report on big data and privacy; and 2) end the NSA telephone record collection program. The letter states that the decision by European Court “is the most significant legal opinion from any court in the world on the risks of big data and the ongoing importance of privacy protection.” Last year EPIC, joined by dozens of legal scholars and former members of the Church Committee, urged the US Supreme Court to find the NSA’s telephone record collection program unlawful. More recently, EPIC submitted extensive comments warning the White House of the enormous risks of current big data practices. For more information, see EPIC: Data Retention and EPIC: Big Data and the Future of Privacy. (Apr. 16, 2014)
- European High Court Strikes Down Data Retention Law: In a far-reaching and dramatic opinion, the European Court of Justice has ruled that the mass storage of telecommunications data violates the fundamental right to privacy and is illegal. The Data Retention Directive required telephone and Internet companies to keep traffic and location data as well as user identifying information for use in subsequent investigations of serious crimes. According to the Court, the Directive imposed “a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary.” The Court found that the collection of metadata constitutes the processing of personal data and must therefore comply with Article 8 of the Charter of Rights. The Court also said to find a privacy violation, “it does not matter whether the information on the private lives concerned is sensitive or whether the persons concerned have been inconvenienced in any way.” Last year EPIC, joined by dozens of legal scholars and former members of the Church Committee, urged the US Supreme Court to find the NSA’s telephone record collection program unlawful. For more information, see EPIC – Data Retention, In re EPIC. (Apr. 8, 2014)
- House Committee Approves Controversial Measure to Require Data Retention for All Internet Users: The House of Representatives Judiciary Committee voted to approve a bill that will require Internet Service Providers (ISPs) to retain data on every customer to allow the government to identify and track their online activity for one year. EPIC Director Marc Rotenberg testified against the bill at the subcommittee hearing, and his arguments were cited by committee members including Representative Jerrold Nadler (D-NY). After two days of deliberation, the bill was passed with an amendment to require ISPs to retain even more information: not only internet protocol addresses, but also customer names, addresses, phone records, type and length of service, and credit card numbers. This retention is a radical contradiction of the core American value that we are innocent until proven guilty, said Representative Jason Chaffetz (R-UT). The bill purports to use the data to prosecute child pornography, but Representative James Sensenbrenner (R-WI) was “not convinced it will contribute in any meaningful way to prosecuting child pornography,” and Representative Zoe Lofgren (D-CA) stated that it is an “unprecedented power grab by the federal government – it goes way beyond fighting child pornography.” Representative Bobby Scott (D-VA) pointed out the data would be available for many other uses, including copyright prosecution and divorce cases. This data will be made available to law enforcement officers without a warrant or judicial oversight, and is a convenient way for law enforcement to get powers they couldn’t get in the Patriot Act, said Representative Darrell Issa (R-CA). For more information, see EPIC- Data Retention. (Aug. 1, 2011)
- The European Commission Directorate on Competition will review Google’s $3.1 billion merger with internet advertising company DoubleClick. The news comes a few days after European consumer group BEUC sent a letter (pdf) urging Commission to investigate the merger. The Article 29 Data Protection Working Party recently expanded (pdf) an investigation of Google’s data retention policies to include the policies of all search engines. The U.S. Federal Trade Commission also is reviewing the merger. (Jul. 6, 2007)
- In a letter (pdf) to the European Commission, consumer organizations, including BEUC, urged an investigation into the proposed merger of Google and DoubleClick. This merger means that “Google could monopolize the on-line advertising business, thereby restricting competition and raising privacy concerns over control of consumer data,” the groups said. The situation is unique because, “Never before has one single company had the market and technological power to collect and exploit so much information about what a user does on the Internet.” The merger’s privacy and antitrust issues have been highlighted in an FTC complaint (pdf) by EPIC, CDD and U.S. PIRG, and a letter (pdf) from the New York State Consumer Protection Board. The Article 29 Data Protection Working Party has expanded (pdf) an investigation of Google to include the data retention policies of all search engines. (Jul. 2, 2007)
- The European Union and the United States have reached agreements on two forms of data sharing — that of passenger travel records and of consumers’ financial data. One agreement reduces the 34 pieces of data on passengers now collected by US law enforcement authorities to 19 data fields, including name, contact data, payment details, and itinerary information. In another agreement, the US will restrict use of any data received from banking consortium SWIFT exclusively for counter-terrorism purposes, and can retain the data for up to five years. In addition, the European Commission will appoint an “eminent European” who will conduct oversight of US use of SWIFT data. Last June, it was revealed that the US used broad, secret administrative subpoenas to review vast amounts of information from Belgium-based SWIFT, which routes financial data among 7,800 financial institutions in more than 200 countries. For more information, see EPIC’s page on EU-US Airline Passenger Data Disclosure and the Spotlight on Surveillance on the SWIFT program. (Jun. 29, 2007)
- Google will cut the period that it retains user data from a maximum of 24 months to a maximum of 18 months, the company said in a letter (pdf) to the Article 29 Data Protection Working Party. Last month, the Working Party began to investigate (pdf) Google’s privacy practices and asked whether the company has “fulfilled all the necessary requirements” to abide by EU privacy rules. In its letter, Google did not adequately explain why it needed to retain user data for 18 or 24 months, except to vaguely say that the data would help Google build new services, possibly help prevent fraud and abuse, and that the U.S. and EU member states might impose a 24-month retention requirement. (Jun. 12, 2007)
- Google Inc. announced that it will partly obscure the IP address associated with its users’ searches after somewhere between 18 and 24 months, “unless legally required to retain the data for longer.” The information on specific searches will remain indefinitely but it will be harder to tie searches to specific individuals or computers. The 18-24 month retention period represents the maximum period of data retention currently adopted in the EU Directive on Mandatory Retention of Communications Traffic Data. (Mar. 15, 2007)
- The Internet Stopping Adults Facilitating the Exploitation of Today’s Youth Act (SAFETY) of 2007, H.R. 837, was introduced in the House. The Act does not provide a specific data retention period, but requires the Attorney General to issue regulations governing the retention of records by Internet Service Providers. It has been referred to the Subcommittee on Crime, Terrorism, and Homeland Security (Feb. 6, 2007)
- The Dutch Data Protection Authority published an opinion advising against the draft Dutch data retention law purporting to implement the EU Directive on Mandatory Retention of Communications Traffic Data. The opinion states that a retention period of 18 months contemplated in the draft disregards the requirements of article 8 of the European Convention on Human Rights (pdf), which protects the fundamental right of respect for one’s private life. Because the government may only infringe on that right “to the extent that it is necessary in a democratic society,” the opinion questions the necessity of retaining data for a period of 18 months. Studies cited in the opinion indicate that relevance of data to law enforcement decreased significantly after a period ranging from 3 to 12 months. At the time when the EU Directive was drafted, only 2 countries (Ireland, whose law is currently being challenged; and Italy) had data retention laws with periods longer than 12 months; the final Directive included a retention period ranging from 6 to 24 months. (Jan. 22, 2007)
- Digital Rights Ireland filed a challenge to the Irish and EU governments on their respective data retention laws on July 6, 2006. The case challenges the legal basis for the EU Directive on Mandatory Retention of Communications Traffic Data, alleging that this was a matter relating to criminal justice and as such the appropriate measure would have been a framework decision under the third pillar. It also challenges the Irish data retention law, claiming that its three-year retention period violates the Irish Constitution, Irish (pdf) and EU data protection laws, the EU Charter on Fundamental Rights (pdf) and section 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (pdf). (Jan.12, 2007)
- The EU Directive on Mandatory Retention of Communications Traffic Data came into force as an EU law today. Member States have until September 16, 2007 to transpose the requirements of the Directive into national laws; however, a delay of 18 additional months, until March of 2009, is available. 16 of the 25 member states of the EU have declared that they will delay the implementation of data retention of Internet traffic data for the additional period. The 16 Member States are: Austria, Belgium, Cyprus, Czech Republic, Estonia, Finland, Germany, Hellenic Republic, Latvia, Lithuania, Luxembourg, Netherlands, Poland, Slovenia, Sweden, UK. (May 3, 2006)
- The Article 29 Working Party issued Recommendations (pdf) on the implementation of the EU Directive on Mandatory Retention of Communications Traffic Data. While it did not make a specific recommendation regarding retention periods, the Working Party did stress the importance of a uniform, Europe-wide implementation of the Directive, in order to guarantee a “harmonized application of the provisions of the Directive whilst respecting the highest level possible of protecting personal data.” Among other safeguards, the Working Party recommends only retaining data for specific purposes, only retaining the minimum amount of data necessary, and developing standard security measures. (Mar. 25, 2006)
- The European Union formally adopted Directive 2006/24/EC, on “The Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks”, amending Directive 2002/58/EC. Article 6 of the Directive requires Member States to ensure that communications providers retain, for a period of no less than 6 months and no more than 2 years, necessary data as specified in the Directive. The data is required to be available to competent national authorities in specific cases, “for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law”. (Mar. 15, 2006)
Advocacy Against Data Retention by Non-Governmental Organizations (NGOs)
Many among the civil society and human rights organizations, as well as the EU Working Party on the Protection of Individuals with regard to the processing of personal data, have consistently urged the European Commission, the European Parliament and EU governments to refrain from taking measures that would establish generalized and preventive regimes of surveillance of electronic communications. Although the data retention provision of the new Directive on Privacy and Electronic Communications is supposed to constitute an exception to the general regime of data protection established by the directive, the ability of governments to compel ISPs and telecommunications companies to store all data about all of their subscribers can hardly be construed as an exception to be narrowly interpreted. The practical result is that all users of new communications technologies (the Internet, e-mail, mobile phone, etc.) are now considered worthy of scrutiny and surveillance in a generalized and preventive fashion for periods of time that States’ legislatures or governments have the discretion to determine. Furthermore, because of the cross-border nature of Internet communications, this Directive is likely to have negative repercussions for citizens of other countries. There is a significant risk that non-European Union law enforcement agencies will seek data held in Europe that it can not obtain at home, either because it was not retained or because their national law would not permit this kind of access.
During the debates on the Directive, many members of the European Parliament and European Union privacy commissioners consistently opposed data retention, arguing that these policies are in contravention of the acceptable data protection practice of deleting data once it is no longer required for the purpose for which it was collected, and also in contravention of proportionality principles in accordance with constitutional laws and case law. Similarly, the Global Internet Liberty Campaign (GILC), a coalition of 60 civil liberties groups, organized a campaign against data retention. A letter was sent in May 2002 to all European Parliament members and heads of European Union institutions after more than 16,000 individuals from 73 countries endorsed it in a matter of days. The letter asserted that data retention (for reasons other than billing purposes) is contrary to well-established international human rights conventions and case law. (More information: Le droit au respect de la vie privée risque de perdre de sa substance (interview), Le Monde, May 29, 2002. [in Spanish)
Global Internet Liberty Campaign (GILC):
- November 2001:
Open letter to Prime Minister Guy Verhofstadt, President, EU Council of Ministers. November 12, 2001. [English] [français] (in response to US President George W. Bush’s October 16, 2001 letter to Mr. Romano Prodi, President of the Commission of the European Communities)
- April-May 2002 campaign against data retention:
Open letter to Pat Cox, President of the European Parliament. May 22, 2002. [English] [français] [español] [individual endorsements]
- MEP Elena Paciotti (PSE MEP Socialist Party)’s answer to GILC’s May 22 open letter.
- GILC Press Release, before EP vote, May 30, 2002
- European coalition press release: European Union: Cappato Promotes Cross-Party Initiative Against Electronic General Surveillance.
- Cappato Promotes Cross-Party Initiative Against Electronic General Surveillance. January 21, 2003.
- Conference: Democracy, Freedom and the Internet: How Digital Technologies Empower or Undermine Civil Liberties. Brussels, European Parliament (July 10, 2002). Recording of entire conference (RealAudio format).
- Speech by EPIC Executive Director Marc Rotenberg: Current developments and risks on privacy in Europe and in the US – the issue of data retention (RealAudio format).
- Open letter to all members of the European Parliament (Microsoft Word document) regarding Radical MEP Marco Cappato’s report “Privacy in the electronic communications,” May 28, 2002.
- Open letter of Marco Cappato to the President of the EU Council and the President of the EU Telecoms Council. December 5, 2001.
- Conference: Synthèse de l’intervention de Marco Cappato, Député européen et Rapporteur du Parlement Européen sur la protection de la vie privée dans les communications électroniques, XXIIIe Conférence internationale des Commissaires de la Protection des Données, Paris, September 24-26, 2001.
- Network Against Data Retention (initiative started in September 2002)
- Online petition against data retention – Used during the GILC campaign against data retention, April-May 2002
- Press release: Confidentiality of professional and personal communications under threat. May 30, 2002.
- Media release: IFJ Warns of Threats to Liberty if European Union Agrees to “Charter for Official Snooping.” May 27, 2002.
Foundation for Information Policy Research:
Telecommunications and ISP Industry Comments on Data Retention
The telecommunications and ISP industries have expressed strong concerns in regards to potential violations of fundamental rights, but more specifically regarding the high cost and management problems that long-term retention of communications data would entail. They have particularly pinpointed the lack of current evidence on the effectiveness of data retention for law enforcement investigative work.
- In August 2005, the general German industry association (BDI) and the two telecommunication associations (BITKOM and VATM) published a paper with demands for data retention legislation. “The industry mentions 5 more specific demands on both Commission and Council:
- Any period, if the necessity can be proven, must not exceed 6 months;
- Any obligation to retain data must not include data types currently not centrally processed and recorded within the networks;
- Any obligation can only address services provided directly by the provider of a customer;
- Full cost reimbursement for both infrastructure and operational costs, in stead of the vague wording of ‘additional costs’;
- No additional obligation on the industry to collect statistics. ” (September, 2005)
- EP rejects initiative on data retention (Sept. 27, 2005)
- Spanish ISP Association (AEPSI), AEPSI se pronuncia ante la enmienda a la LSSI sobre retencion de datos (PDF). June 12, 2002.
- EuroISPA, ETNO & ECPA, Joint Industry Memo (.doc format) in view of the 2nd Reading of the Cappato Report: The Implications of “Data Retention” in Article 15.1 of the Common Position on the Electronic Communications Data Protection Directive addressed to the Members of the Committee on Citizens’ Freedoms and Rights, Justice and Home Affairs. April 16, 2002.
- EuroISPA, Position Paper on draft new EU Data Protection Directive (Microsoft Word document), March 8, 2002.
- ISPA, Position Paper Data Retention, December 7, 2001.
- ISPA, Comments on EU Com (2000), personal data & protection of privacy (PDF), September 10, 2001.
Other Critiques of Data Retention
- All Party Internet Group report (PDF).
- Statement of the European Data Protection Commissioners on data retention. September 11, 2002.
- Working Party on the Protection of Individuals with regard to the processing of personal data (“Working Party Article 29”):
- Opinion 1/2003 (WP 69) on the storage of traffic data for billing purposes (January 29, 2003). PDF documents available: [English] [français]
- Opinion (July 2000) on the European Commission Proposal for a Directive of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector of July 12, 2000 COM (2000) 385 (November 2, 2000). PDF documents available: [English – reprinted in M. Rotenberg, The Privacy Law Sourcebook, United States Law, International Law, and Recent Developments 437 (EPIC, 2001)] [français] [español]
- Recommendation (March 1999) on the preservation of traffic data by Internet Service Providers for law enforcement purposes (September 7, 1999). PDF documents available: [English] [français] [español]
- Stefano Rodota, Chairman of the Article 29 Working Party:
- Letter to Mr Göran Persson, Acting President of the Council of the European Union. June 7, 2001. PDF file: [English]
U.S. Government Statements on Data Preservation and Retention
- Comments of the United States Government (PDF) on the European Commission Communication on Combating Computer Crime.
- Prepared Statement of the United States of America, Presented at EU Forum on Cybercrime (Microsoft Word document). November 27, 2001.
- Frequently Asked Questions and Answers About the Council of Europe Convention on Cybercrime, U.S. Department of Justice (discussion of data retention).
- Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, U.S. Dept. of Justice Computer Crime and Intellectual Property Section (discussion of data retention).
Origins of the EU Directive 2002/58/EC
In 1997, the European Union supplemented the EU Data Protection Directive of 1995 (Dir. 1995/46/EC) by introducing the Telecommunications Privacy Directive (Dir. 97/66/EC). This directive established specific protections covering telephone, digital television, mobile networks and other telecommunications systems. It imposed wide-ranging obligations on carriers and service providers to ensure the privacy of users’ communications, including Internet-related activities. It covered areas that, until then, had fallen between the cracks of data protection laws. Access to billing data was severely restricted, as was marketing activity; information collected in the delivery of a particular communication was required to be purged upon completion of that call.
In July 2000, the European Commission issued a proposal for a new directive on privacy in the electronic communications sector (PDF). The proposal was introduced as a part of a larger package of telecommunications directives aimed at strengthening competition within the European electronic communications markets. As originally proposed, the new directive would have strengthened privacy rights for individuals by extending the protections that were already in place for telecommunications to a broader, more technology-neutral category of “electronic communications.” During the process, however, the Council of Ministers began to push for the inclusion of data retention provisions, requiring Internet service providers and telecommunications operators to store logs of all telephone calls, e-mails, faxes, and Internet activity for law enforcement purposes. These proposals were strongly opposed by most members of Parliament. In July 2001, the European Parliament’s Civil Liberties Committee approved the draft directive without data retention, stating:
The Civil Liberties Committee expressed itself in favour of a strict regulation of law enforcement authorities’ access to personal data of citizens, such as communication traffic and location data. This decision is fundamental because in this way the EP blocks European Union States’ efforts underway in the Council to put their citizens under generalised and pervasive surveillance, following the Echelon model.
Following the events of September 11, 2001, however, the political climate changed and the Parliament came under increasing pressure from member states to adopt the Council’s proposal for data retention. The United Kingdom and the Netherlands, in particular, questioned whether the proposed privacy rules still struck “the right balance between privacy and the needs of the law enforcement agencies in the light of the battle against terrorism.” The Parliament stood firm and up to a few weeks before the final vote on May 30, 2002, the majority of the Members of Parliament opposed any form of data retention. Finally, after much pressure by the European Council and European Union governments, and well-organized lobbying by two Spanish MEPs – respectively, MEPs Ana Palacio Vallelersundi and Elena Paciotti, members of the PPE (European Peoples’ Party/Christian Democrats) and PSE (Social Democrats) political parties – the two main political parties (PPE and PSE, the center-left and center-right parties) reached a deal to vote in favor of the Council’s position.
- Current Directive in force (to be implemented by all member states before October 2003):
Directive 2002/58/EC of the European Parliament and of the Council Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (“Directive on Privacy and Electronic Communications”). Available in PDF: [English] [français] [español] Outline: [français]
On June 25, 2002 the European Union Council adopted the new Directive on Privacy and Electronic Communications. Under the terms of the new Directive, member states may now pass laws mandating the retention of the traffic and location data of all communications taking place over mobile phones, SMS, landline telephones, faxes, e-mails, chat rooms, the Internet, or any other electronic communication device. The new Directive reverses the 1997 Telecommunications Privacy Directive by explicitly allowing EU countries to compel Internet service providers and telecommunications companies to record, index, and store their subscribers’ communications data (Art. 15 (1) of Dir. 2002/58/EC (PDF). The data that can be retained includes all data generated by the conveyance of communications on an electronic communications network (“traffic data”) as well as data indicating the geographic position of a mobile phone user (“location data”) (Art. 2 (b) and (c) of Dir. 2002/58/EC). The contents of communications are not covered by the data retention measures. These requirements can be implemented for purposes varying from national security to criminal investigations and prevention, and prosecution of criminal offences, all without specific judicial authorization.
- Previous Directive replaced by Dir. 2002/58/EC in July 2002:
- May 30 vote on Dir. proposal in the European Parliament:
- Unofficial version of the last version of the Proposal for a European Parliament and Council directive concerning the processing of personal data and the protection of privacy in the electronic communications sector
- Vote results, amendment by amendment
- The vote in the European Parliament to accept data retention and surveillance by the law enforcement agencies: an analysis. Analysis of the May 30 EP vote, by Statewatch.
- Legislative procedure of Dir. 2002/58/EC:
- Most important legislative documents:
European Parliament Committee on Citizens’ Freedoms and Rights, Justice and Home Affairs:
- Draft Recommendation for second reading on the Council common position for adopting a European Parliament and Council Directive concerning the processing of personal data and the protection of privacy in the electronic communications sector, (Amendments 20-37) (April 10, 2002), PE 311.019/20-37. PDF documents available: [English] [français] [español]
- Draft Recommendation for second reading on the Council common position for adopting a European Parliament and Council Directive concerning the processing of personal data and the protection of privacy in the electronic communications sector (Amendments 1-19) (March 12, 2002), PE 311.019. PDF documents available: [English] [français] [español]
- Communication from the Commission to the European Parliament pursuant to the second subparagraph of Article 251 (2) of the EC Treaty concerning the common position of the Council on the adoption of a Directive of the European Parliament and of the Council on processing of personal data and the protection of privacy in the electronic communications sector (January 30, 2002), SEC/2002/0124 final – COD 2000/0189. [English] [français] [español]
- Proposal for a European Parliament and Council directive concerning the processing of personal data and the protection of privacy in the electronic communications sector (August 25, 2000), COM(2000) 385 final – C5-0439/2000 – 2000/0189(COD). [English] [français] [español]
Council of the European Union:
- Note from the Presidency to the Committee of Permanent Representatives (“COREPER”), Proposal for a Directive of the European parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector – European parliament second reading (preparation for a possible informal trialogue. (May 16, 2002), 8657/02, ECO 146, CODEC 554, 2000/0189 (COD). PDF documents available: [English]
- Common Position (EC) No. 26/2002 adopted by the Council with a view to the adoption of a Directive of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector (January 28, 2002), 15396/2/01 REV 2 – C5-0035/2002 – 2000/0189(COD). PDF documents available: [English] [français] [español]
- G8 Justice and Interior Ministers’ Meeting (Canada 2002), “Principles on the Availability of Data Essential to Protecting Public Safety”: [English] [français]
- Data preservation checklists
International Conventions on Fundamental Rights:
- Article 8 of the Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms (1950). Explanations/summary also available.
- Article 12 of the Universal Declaration of Human Rights (1948): [English] [français] [español]
- Charter of Fundamental Rights of the European Union. PDF documents available: [English] [français]
Framework of data protection rules in the EU:
- Directive 95/46/EC of the European Parliament and the Council on the Protection of Individuals with regard to the processing of Personal Data and on the Free Movement of such Data.
Implementation of Dir. 2002/58 in EU Member States
While a few countries have already established data retention schemes (e.g., Belgium, France, Spain and the United Kingdom), the implementation phase of the Directive’s data retention provision may become bumpy in other Member States as the Directive could be considered as being in conflict with the constitutions of some EU countries, with respect to fundamental rights such as the presumption of innocence, the right to privacy, the confidentiality of communications, and freedom of expression. EU countries have until October 31, 2003 to implement the Directive.
- The directive for data retention in Bulgaria went in to effect on February 2, 2008. It requires Internet Service Providers and telecom companies to collect data from their clients and retain this data for 12 months (Grancharova 2008).
- In 2006, the data retention act was updated. Anonymous sources mention that the police used the data routinely for investigation in 2007, but there are no statistics about this (Pospipil & Tichy 2008).
- In 2008, the Minister of Industry and Trade proposed to enhance the access for secret service and military intelligence, but this has not been implemented yet (Pospipil & Tichy 2008).
- IuRe, the Czech privacy activist group, has proposed an amendment about access the retained data being constrained to the police only. The majority of the parliament voted for this amendment (Svatosova 2008).
- Denmark has released a draft proposal on the August 10, 2006. This proposal also foresees in the collection of Internet session data. It includes a detailed description about which data to retain. The data to be collected is not limited to data that ISPs or telcos already generate for billing purposes. The retention period is one year (Joergensen 2006).
- The draft proposal was implemented on September 15, 2007 after being approved on September 28, 2007. It goes further than the EU directive in that it also includes session logging. However, it applies only to commercial ISPs. The act details the data to be retained (Joergensen 2008).
- In French: Forum on traffic data and Forum “Cybercrime et démocratie”
- Loi relative à la sécurité quotidienne – extracts
- The draft decree for telecommunication data retention was made public on March 26, 2006. Collected data should be retained for one year. The data to be retained is defined as: “[T]he user and its terminal equipment – the recipients of the communication – the date, time and duration of the communication – the additional services used and their suppliers – the origin and the location of the communication (for telephony services).” The decree foresees in reimbursement of the costs for law enforcement agencies, but not for ISPs. Everyone providing access to the Internet for others should retain data (Marzouki 2006).
- In April 2007, the government issued a new draft decree for the retention of data by web masters, hosting companies, mobile and fixed telcos and Internet service providers to retain all data concerning communication of their customers. The data retention period is one year. It is unclear from the proposal what the nature of the data is the telcos should retain. After the police obtains the data, it can keep the records for another period of three years.
- On May 2, 2007, the French Ministry of Interior operated a new system, designed to intercept communication data related to text messages, mobile or Internet. Uclat, the coordinating center for antiterrorism, operates it.
- A new proposal for data retention, based on the Sarkozy law adopted on January 23, 2006, states that Internet providers, Internet cafes, hosting providers and operators must communicate traffic data the authorized government agencies.
- The French Justice system is said to be working on an own system to monitor SMS and phone calls.
- German opposition filed a motion to join Slovakia and Ireland in the appeal at the European Court of Justice, but this was however not supported by parliament. This German motion stated that “[T]he data retention decision should have been made in the ‘Third Pillar’ of the European Union structure, as the sole purpose of retention of the data is law enforcement. Therefore, the proper legislative procedure should have been a framework directive, which gives more power to national Parliaments and requires an unanimous vote on the EU Council of Ministers.” (Bendrath 2006).
- The law concerning data retention was adopted on November 9, 2007, as amendment to the current wiretapping legislation. The data should be retained for 6 months. Providers of anonimyzation services are also obliged to retain. The police, court and state prosecutors need court orders to access the retained data, intelligence services have access without restriction. There is no mention of special requirements in the case of confidential relationships in professional contexts.
- The German data retention law entered into force on January 1, 2008. The German working group on data retention challenged the law at the Federal German Constitutional Court on January 6. They claim it is unconstitutional, because it is treating every citizen as a potential delinquent. They also state that the law would severely disrupt free communication.
- The regional court of Darmstadt ruled that Internet access providers are in principle no longer allowed to store their flat-rate customers’ IP addresses. The Federal German Constitutional Court in preliminary decision limited the use of the retained data. It can only be transferred to law enforcement authorities in cases of serious crimes and with a judicial warrant. Also, it asked for a government report on practical effects of data retention (Article 29 Data Protection Working Party 2007).
- The Hungarian data Retention Law is challenged at the constitutional court by the Hungarian Civil Liberties Union. Their case is based on the omission in the law of the legal purposes of data processing. The purpose for collecting the data is wider than just for serious crime. The Hungarian Constitutional Court in 1991 prohibited data processing without previously defined purposes (Foldes 2008).
- Ireland voted against the Directive in the final decision in February 2006. Furthermore, it challenged the Directive before the European Court of Justice. The Irish government challenged the validity of the law. They argue it should have been a Framework Directive under the third pillar, the ‘Police and Judicial [Cooperation] in Criminal Matters’ (Bendrath 2006).
- Irish NGOs litigate against the act. They state the act breaches the right of privacy (Irish law and EU Convention), has chilling effect on freedom of expression, and interferes with the right to travel by retaining the mobile phone location of citizens (McIntyre 2008).
- The Lithuanian Constitutional Court ruled that the retaining of data by telcos and ISPs should be strictly limited to data that is already retained for ISPs ordinary business activities. The data retention measures that the Law on Telecommunications proposed therefore never came into effect. Resolution number 290 of March 5, 2003, requires hosting providers to retain data related to and the content of their hosting services. This is also limited to data already retained for regular business purposes, because of the ruling of the Constitutional Court.
- A draft proposal for the law on data retention was made public on December 21, 2006. The Dutch Data Protection Agency (DPA) stated that this proposal disregards the requirements of article 8 of the European Convention on Human Rights, the fundamental right to respect of one’s private life (Van Hoboken 2007). The Dutch Data Protection Authority advised negatively on this draft, because it requires location data of mobile phones to be collected during the call, while the EU Directive only mentions data to be collected during the initiation of the call. Also, the proposal doesn’t contain the specific description of the data to be retained (Article 29 Data Protection Working Party 2007). The proposed retention period is 18 months. The proposal also mentions retaining mobile telephone location data during the call, which goes further than EU directive. The DPA proposed limitations on access to retained data and reports on the statistics about the usage of data by law enforcement (Van Hoboken 2007).
- The retention period of the law to be implemented is 12 months. The law doesn’t mention that for e-mail or telephone data only the destination has to be retained, as the EU Directive does. The general costs that ISPs and telcos make will not be reimbursed. The data should be stored by the providers. Government agencies can claim complete parts of the collection to be retained. From now on, the Senate still has to approve the law (Van Hoboken 2008).
- A draft of the data retention law was presented in April 2007 by the Ministry of Communications and Information Technology. It mentions that the data should not be retained by operators. Only electronic communication operators that have notified the Regulatory Authority should retain data.
- The retained data can be accessed by prosecutors only in the penal cases related to organized crimes and terrorism. In case of a threat for national security, specific bodies, as explained in the laws on national security, are also allowed to access the retained data.
- The government adopted the draft law on data retention on February 20, 2008. The proposed retention period in this law is one year. The law was not adopted as Emergency Ordinance, as proposed in December 2007. Access to the data is only for prosecutors in penal cases related to organized crime and terrorism. They should have a proper judge-approved access authorization. There is still public confusion regarding the access for the security services to the retained data. In criticism on the law, the responsible Minister says however that obtaining data for email will not increase the chances of discovering the crimes.
- Slovakia voted, together with Ireland, against the directive in the final decision in February 2006. Both countries hold a case before the European Court of Justice. They argue it should have been a Framework Directive under the third pillar, the ‘Police and Judicial [Cooperation] in Criminal Matters’ (Bendrath 2006).
- Slovenia implemented the data retention act as an amendment to the Electronic Communications Act. This amendment required Slovenian providers of communication servers to retain all traffic data created through their customers’ activities for two years (Article 29 Data Protection Working Party 2007).
- Spanish law allowing data retention (“LSSICE“):
- Campaign launched by Kriptopolis against the Spanish law (includes press coverage)
- The Swedish Minister of Justice assigned a Commission of Inquiry with the task of reviewing the national legislation to propose the amendments required (Article 29 Data Protection Working Party 2007).
- In the United Kingdom, the voluntary code in which ISPs guarantee to retain data, is transferred into a binding law. The retained data can be requested by government agencies and be used for any crime. The data can be obtained without existing court proceedings and can be available to anyone who can convince the court they have a right to access them. The government proposes to compensate for the compliance costs and litigants should pay for the disclosure of documents they request.
- The law to retain telephone data is approved on July 24, 2007. It binds telcos to retention of phone call logs. The retention period of this data is one year. Access to this data is guaranteed for security services.
- In 2008, Gordon Brown has proposed to store all traffic, itemized phone bills, mobile phone records and Internet traffic logs. This data is to be collected and stored in a central government database. The UK Regulation and Investigatory Powers Act enables public officials of 702 to obtain traffic data from service providers (Anderson 2008).
The EDRI and XS4ALL petition against data retention attracted almost 42,000 signatures, of which over 16,000 were from the Netherlands (where the campaign was launched) and over 5,000 from Germany and Finland. Runners-up in the daily country count are Sweden and Bulgaria (almost 2,000 each), followed by Austria (almost 1,500) and Italy (well over 1,000). Belgium, Slovenia and France have each almost reached 1,000 signatures.
66 organizations and companies signed in support of the petition. The petition was available in 17 languages.
The campaign attracted signatures and support throughout November 21, 2005.
Petition WIKI: http://wiki.dataretentionisnosolution.com
- Most recent version of the Council framework decision (Oct. 3, 2005)
- EP rejects initiative on data retention (Sept. 27, 2005)
- PI and EDRI letter to the European Parliament against data retention (Sept. 26, 2005)
- Opinion Peter Hustinx (Sept. 26, 2005)
- UK Presidency paper on data retention (9/6/2005)
- Analysis of the paper in EDRI-gram (08.09.2005)
- European Commission draft proposal for data retention (July 20, 2005)
- JHA working document on data retention (29.06.2005)
- Analysis of the two proposals in EDRI-gram (7/27/2005)
- The Council of the European Union will continue with a proposal (pdf) for an EU-wide regime of data retention, despite its rejection by the European Parliament. The proposal is intended to ease judicial cooperation in criminal matters relating to the retention of data processed and stored by ISPs and telcos. But Parliament members rejected the proposal in light of a report that highlights problems (pdf) with the proposal’s scope and legal basis. Last week, a group of European NGOs, including EDRI, Privacy International and Statewatch, wrote to Parliament members urging a rejection of the proposal. The letter stated that retaining personal data on everyone is an illegal practice in violation of Article 8 of the European Convention on Human Rights because it is disproportionate, security gained from retention may be illusory, and the means through which this policy is being pursued is illegitimate. (June 17, 2005)
- Memorandum of laws concerning the legality of data retention with regard to the rights guaranteed by the European Convention on Human Rights, prepared by Covington & Burling for Privacy International (October 10, 2003)
- The Austrian Federal Constitutional Court held in a decision rendered on February 27, 2003 that the Austrian statute that compels telecommunication service providers to implement wiretapping measures at their own expense is unconstitutional. From now on, the Austrian government will have to bear wiretapping implementation expenses unless it can show that expenses on the private sector can be justified for exceptional reasons. See EPIC’s outline and comments on the decision.
- Data Protection Working Party, Opinion 1/2003 (WP 69) on the storage of traffic data for billing purposes (Jan. 29, 2003) (pdf). This EU data protection authority document recommends that electronic communications traffic data, collected in connection with services that have been paid for, be kept for a maximum of 3-6 months in order to comply with EU privacy rules.
- EU Member States’ answers to the data retention questionnaire: final version – released 11/22/2002; alternate HTML version; first verson (PDF), 9/16/2002 – released 10/8/2002.
- Former Belgian presidency of the EU Council’s Draft Framework Decision on data retention and access by the law enforcement agencies (2nd semester 2001). Document disclosed by Statewatch on August 21, 2002. The Danish presidency of the EU immediately refuted the importance of the document, stating that there was no such proposal currently being examined. Instead, they referred to a June proposal for Council conclusions, that although calls for binding rules on the approximation of Member States’ rules on the obligation of telecommunications service providers to retain traffic and location data, emphasizes that such regulation must be established in compliance with European privacy conventions and the EU data protection directive. See http://www.eu2002.dk/news/news_read.asp?iInformationID=21663. However, the presidency has not explained whether Member States might be working, at their own level, on specific proposals on data retention, or whether the EU Council could later decide to table the issue.
- EU Council’s questionnaire on traffic data retention (PDF): On August 14, 2002, the Danish Presidency of the EU sent to all Member States’ governments a “Questionnaire on traffic data retention” to be completed and returned by September 9, 2002. The document intends to gather comments with respect to the regulation, practice and experiences of traffic data retention in EU countries. The answers will be examined at an EU Council expert group (the Multidisciplinary Group on Organized Crime) meeting on September 16, 2002.
- This meeting report (PDF) reveals that EU government officials (EUROPOL law enforcement experts) (EUROPOL – explanation) have come up with a wish list for the type of communications traffic and localization data that they want European law enforcement authorities and police to obtain from ISPs and telephone companies. This document comes to light just after the European Parliament voted on May 30 to approve an amendment on preventive data retention and general surveillance of electronic communications to the Directive on telecommunications privacy. More explanations: Statewatch, Europol document confirms that the EU plans a “common EU law enforcement viewpoint on data retention.”
- UK stands firm on snooping laws. BBC News, January 30, 2003.
- MPs urge changes to net snooping laws. BBC News, January 28, 2003.
- MPs probe how ISPs store data. Financial Times, November 19, 2002.
- MPs probe impact of data retention laws. The Register, November 18, 2002.
- Internet intelligence plans hit hurdle. BBC News. October 22, 2002.
- UK ISPs oppose data retention. The Register, October 22, 2002.
- Internet providers say no to Blunkett. The Guardian, October 22, 2002.
- Privacy fear over plan to store email. The Guardian, August 20, 2002.
- Privacy fears over EU snooping plans. BBC News, August 20, 2002.
- RIPA surveillance may break human rights laws. ZDNet, July 31, 2002.
- ISPs face data interception deadline. ZDNet, July 10, 2002.
- RIPA demands push up ISP costs. ZDNet, July 9, 2002.
- Blunkett shelves access to data plans (analysis). The Guardian, June 19, 2002.
- Blunkett: we blundered over data access plan. The Guardian, June 18, 2002.
- Britain backs down from Net snooping plan. USA Today, June 18, 2002.
- England Halts “Big Brother” Regs. Wired News (Reuters), June 18, 2002.
- Plans for ‘snoopers’ charter’ delayed. The Guardian, June 17, 2002.
- Government sweeps aside privacy rights. The Guardian, June 11, 2002.
- British liberty, RIP. The Guardian, June 11, 2002.
- Don’t believe State on data retention. Irish Times, March 14, 2003.
- State secretly retaining phone data. Irish Times, February 25, 2003.
- Department to store data on citizens for four years. Irish Times, Nov. 28, 2002.
- Entra en vigor la ley que regula el comercio en Internet. El País, October 13, 2002.
- Kriptópolis inicia una campaña que persigue la declaración de inconstitucionalidad de la LSSI. El País, July 4, 2002.
- La ‘loi de l’Internet’ espagnole est-elle conforme à la constitution?Juriscom.net, July 2, 2002
- La loi sur la société de l’information adoptée… en Espagne.Le Forum des droits sur l’Internet, July 2, 2002.
- Foes vow to challenge Spanish Internet law. CNN.com, July 1, 2002.
- Campaña por la declaración de inconstitucionalidad de la LSSICE. Kriptopolis, June-July 2002
- Aprobada la ley de Internet con críticas a la obligación de guardar los datos del usuario. La Vanguardia Digital, June 28, 2002.
- En adoptant sa “loi internet”, l’Espagne prône un an de rétention des données. ZDNet France, June 28, 2002.
- Kriptópolis impulsa una campaña para declarar inconstitucional la ‘Ley de Internet’. La Vanguardia Digital, June 28, 2002.
- El Congreso aprueba la ‘Ley de Internet’ con el voto en contra de PSOE, IU y PNV. El País, June 27, 2002.
- Spain passes law to regulate Internet content. SiliconValley.com (Reuters), June 27, 2002.
- El Senado aprueba la LSSI. La Vanguardia Digital, June 21, 2002.
- Spain may force ISPs to keep tabs. Wired News, June 14, 2002.
- Spanish Web Law Sparks Debate. Wired News, May 1, 2002.
- Swiss surveillance catches up with e-mail. SwissInfo, July 21, 2002.
- Bush’s Cyber-Security Plan Targets E-Mail. eWeek, August 23, 2002.
- Beware the Cyber Cops (Op-Ed). Forbes, July 8, 2002.
- US cyber security may draft ISPs in spy game. The Register, June 19, 2002.
- Delft University of Technology paper on Data Retention in the European Union and the United States of America. July 7, 2008.
- European Union: Cappato Promotes Cross-Party Initiative Against Electronic General Surveillance. European coalition press release, January 21, 2003.
- Majority of governments introducing data retention of communications. Statewatch, January 12, 2003.
- Don’t play Big Brother’ ICC says to governments. Europemedia.net, Nov. 29, 2002.
- Germany, Austria take stand against EU ISP data retention laws. The Register, November 21, 2002.
- Telecommunication Council Wants New Investigation Into Privacy Rules. Heise Online, October 17, 2001.
- Reluctant snoops: For Internet services, war against terror means flood of subpoenas. Seattle Times, September 30, 2002.
- The End User Rights at Risk. International Herald Tribune, September 30, 2002.
- EU data protection chiefs oppose data retention moves. The Register, September 19, 2002.
- European Data Protection Commissioners oppose data retention. Statewatch, September 11, 2002.
- L’Europe veut allonger le délai de conservation des données de connexion. Le Monde Interactif. August 28, 2002.
- EU denies plans to store private telecoms data. Reuters, August 23, 2002.
- EU Denies Plans to Hold Private Data. PC Advisor (UK), August 21, 2002.
- Plan to store e-mail and phone data for two years. Financial Times, August 21, 2002.
- EU plans to enforce electronic data storage. NewScientist.com, August 20, 2002.
- La UE, a favor de retener los datos de las comunicaciones durante un año. El Mundo, August 20, 2002.
- EU to force ISPs and telcos to retain data for one year. The Register, August 20, 2002.
- Privacy fear over plan to store email. The Guardian, August 20, 2002.
- Privacy fears over EU snooping plans. BBC News, August 20, 2002.
- Privacy Villain of the Week: Europol Data Snoops. National Consumer Coalition. June 20, 2002.
- El PP limita el acceso a los datos tras recibir presiones de periodistas, usuarios y empresas. El Mundo, June 13, 2002.
- The End User Privacy Undone: The EU’s Internet plan takes liberties with personal rights. International Herald-Tribune, June 10, 2002.
- Police to spy on all emails: fury over Europe’s secret plan to access computer and phone data. The Observer, June 9, 2002.
- A new blow to our privacy. The Guardian, June 6, 2002.
- Vous avez un message et l’Etat garde l’adresse. Libération, June 4, 2002.
- EU deal agreed on Internet privacy. Financial Times, May 31, 2002.
- Le Parlement européen échange mémoire contre spamming et cookies. Le Monde, May 31, 2002.
- La directiva aprobada prohíbe el envío de correo no deseado sin consentimiento previo: Los Estados podrán obligar a las empresas a retener los datos de los internautas por razones de seguridad. El País, May 31, 2002.
- EU to give anti-terror units power to eavesdrop. The Independent, May 31, 2002.
- EU vote relaxes e-privacy rules. Reuters, May 31, 2002.
- EU body pushes spam guidelines. CNet, May 31, 2002.
- Europe votes to end data privacy: law will allow police to spy on phone and net traffic. The Guardian, May 31, 2002.
- MEPs vote for Big Brother. The Register, May 30, 2002.
- European ‘spying’ laws savaged. BBC News, May 30, 2002.
- EU set to weaken Net privacy regime. New York Times, May 30, 2002.
- European Parliament accepts privacy law. EuropeMedia.net, May 30, 2002.
- Pas de surprise à Bruxelles: les eurodéputés votent pour la rétention des données. ZDNet France, May 30, 2002.
- Europe Passes Snoop Measure. Wired News, May 30, 2002.
- Every detail of European Internet use to be tracked. O’Reilly Network, May 30, 2002.
- Euro Parliament data retention vote upsets ISPs, telcos. IDG News Service, May 29, 2002.
- EU Law Turns ISPs Into Spies? Wired News, May 29, 2002.
- Europe Police Likely to Get Longer Access to Records. New York Times, May 29, 2002.
- Privacy worries with EU online policing bill. Reuters, May 29, 2002.
- Le droit au respect de la vie privée risque de perdre de sa substance. Le Monde, May 29, 2002. (Interview) [in Spanish]
- EU Internet Bill Seen Hampering Electronic Privacy. Reuters, May 29, 2002.
- European Parliament to cave in on data retention? Statewatch, May 23, 2002 – updated on May 29 with responses to socialist MEP Elena Paciotti’s comments.
- Coalition asks European Parliament to vote against data retention. Statewatch, May 23, 2002.
- European Parliament Committee chair tries to reach a “deal” with the Council on the surveillance of communications. Statewatch, May 20, 2002.
- World leaders use terror card to watch all of us. The Register, May 16, 2002.
- EU governments are secretly drafting a binding Framework Decision to introduce the universal surveillance of telecommunications. Statewatch, May 9, 2002.
- Narrow vote in European Parliament on data retention. Statewatch, April 19, 2002.
- European Commission sells-out, European Parliament vote due in May. Statewatch, April 2002.
- Spam out, cookies tolerated, data retention remains: EU. The Register, December 7, 2001.
- Europe told to rethink e-privacy directive. The Register, December 6, 2001.
- Green light for Euro data retention plans. The Register, June 29, 2001.
Also, check for updates on the Statewatch website and on “S.O.S. Europe – Statewatch Observatory on Surveillance in Europe” for a summary of the developments in the field of surveillance of telecommunications in Europe.