The EU's rules on data retention, forged to combat terrorism, are in trouble in several member states. In an interview with EurActiv Germany, the bloc's Data Protection Supervisor, Peter Hustinx, debunks European Commission claims and admits there are serious problems with "the most privacy-invasive instrument ever".
Peter Hustinx is the European Data Protection Supervisor (EDPS), an independent position set up to vet the EU's work on privacy and data protection.
He was speaking to EurActiv Germany's Daniel Tost.
The European Commission recently adopted its evaluation report on the Data Retention Directive. Has the Commission delivered sufficient proof of the necessity of such a directive, which you called for in December?
I stand by the statements I made. What we see now is that the report is definitely more balanced than drafts we have seen. It is quite clear in stating that there are a lot of problems.
As for the key question of necessity and proportionality, it seems that the Commission is taking a middle ground. It is saying data retention is valuable, many states think it is necessary but it is not proportionate as it is. This basically is code for 'there are very serious problems'.
We are going to analyse the report and the Commission will conduct an impact assessment. This is part of the preparation of the revision of the Directive. Then they will see to it that there is 'end-to-end' proportionality.
There is no proof that the Directive is necessary as it is. It seems that there are strong signs that it has an important role to play. But it needs to be revised, reduced and clarified. That's a mixed message.
I am grateful that the report with all its problems now at least is on the table so we can take a careful look.
You regard the Directive as the most privacy-invasive instrument ever adopted by the EU in terms of scale and the number of people it affects. Why is such an instrument necessary at all?
The first is still true. The Council and the Parliament felt it was necessary after the terror attacks in London and Madrid. We have to see what their position will look like now. I see some evidence that it plays an important role. At the same time I see embarrassment that this has led to such diversity in some countries – six months in some to two years in others.
So this instrument – as it was developed – does not seem to be necessary. The Commission is also going to look at an alternative: quick freeze. They speak about this as a complementary solution.
We will be seeing a much more informed debate. If in the end the conclusion is that some of this is necessary, it will be presented with many more safeguards and much more balanced than at present. I am not going to speak in favour of the Directive as it was adopted in the past. My view was negative and it still is.
The report has been received with much criticism in Germany, where it is stated that the Commission is ignoring constitutional court verdicts from Bulgaria, the Czech Republic, Cyprus, Germany and Romania…
To speak of ignoring is certainly overstated. The report describes this and deals with the constitutional complications. The German Constitutional Court has criticised the German implementation. It did not criticise the Directive. We need to be fair.
The report does not ignore this at all. It states that it is a very intrusive and very sensitive measure. The conclusion is that we now need to make sure that the Directive is revised in ways so that it can be applied in a more appropriate way. That is an important message.
You are also quoted in the report, calling on the EU to create 'legal certainty for citizens'. Is the report going in the right direction?
This is exactly the case. But if this is felt necessary then my position is that we need better safeguards, better limits, more precision, etc. The report sums up what [Home Affairs] Commissioner [Cecilia] Malmström is likely to do. I would agree with most of these things. They are absolutely necessary to fix the shortcomings.
We will be carefully analysing the proposal when it comes. It is not here yet. This is an evaluation report with quite a lot of substance. I also intend to issue an opinion on the basis of this report. We intend to react within a few weeks and help the Commission stay on track. I still think this is a very intrusive measure. It cannot be taken lightly.
The evaluation report identifies 'serious shortcomings'. Malmström spoke of the retention period being too long and the parameters within which prosecutors can get access to data being too broad. What is your assessment of these shortcomings?
I agree with these points. They are among the big issues. Considering the retention period, there was an option and much flexibility. The report states that the member states have implemented this in widely diverse ways.
Considering the access safeguards we can benefit from the Lisbon Treaty. Before Lisbon in December 2009 there was – briefly put – a difference between the first and the third pillar of the European Union. That is now the past.
Therefore I very much welcome that if this goes forward we will have strong provisions on access and use. The Commission also mentioned who should decide on access. I agree with the shortcomings and it is urgent to fix them if this is seen as necessary.
Do you also consider EU wide harmonisation necessary?
Yes, under the same conditions. If there is an agreement on the necessity, then we do need harmonisation. This is in the interest of all parties. These are business operators who are now – plainly put – working in an environment that is very challenging.
It's also necessary from the point of view of citizens. We all move, we all use mobile phones in various countries but the rules are divergent.
Obviously it's also an interest of law enforcement. In trans-border situations they are now faced with diversity and complexity. This is not good for data protection, cost or effectiveness.
Germany's Minister of Justice said it would be 'ludicrous' for Germany to have to implement the Directive seeing as it has to be revised. Is Germany steering towards infringement proceedings?
It's a complicated situation. The report reflects the fact that Germany's Constitutional Court has annulled the national law and mentions that Germany is working on this. There still is a legal obligation. I can see how the Minister of Justice is approaching this and I have some sympathy. Calling it ludicrous is a bit overstated. I do hope that it is implemented in a way that is acceptable. Perhaps Germany will wait for the next train to depart.
German criminal law experts have pointed out that data retention is not essential at all – naming the examples of the USA and Canada as well as six EU member states whose rate of solved cases is in no way less successful, even though there is no obligation of retention. Are they mistaken?
There are some relevant differences between Europe and the USA. We have legal rules, which oblige telephone operators to delete data. The Data Retention Directive is an exception to this. In the US they don't have this. This makes the two rather incomparable.
What the report also says – and this is interesting – is that most data collected by police and justice is recent data. From three months to less than six months. So the report states that retention would serve a minority of cases and only in very important ones.
We have a difficult balance to manage here: Is it acceptable to impose far-reaching retention schemes with a view to a limited number of cases? Whether it makes sense in these cases needs to be analysed.
But again: My position is that this is very invasive and so we need to insist on clarity and safeguards to make it acceptable.
You mentioned quick freeze. The German Data Protection Supervisor stated that Commissioner Reding supports his so-called quick-freeze-plus as an alternative to data retention…
The Commission is going to consider this and see to what extent it can be additional to or replace data retention.
What is your impression as to what is preferred?
The report is quite fair concerning the pros and cons. It's right in that quick freeze by nature has a starting point and is future-oriented. You need to target. This will not cover things that have happened in the past, the need for which arises at a later stage. The question is then again: is it necessary for these cases to provide such a far-reaching measure?
It's now all on the table and there is no doubt that there will be a very heated debate. I hope that this leads to a better proposal in the future, which we can then discuss as to the extent to which it is necessary.
Considering PNR, a majority of EU member states are rallying behind a UK-led campaign to extend a proposal on collecting air passenger data to people travelling within Europe. Is this in line with EU laws on free movement?
This is a quite recent piece of news. The Council is in the middle of the discussion. It may well be that a majority would like to extend the scope. This does not change the nature of the measure. EU PNR is also quite problematic. It is a standard collection of data to monitor, to screen and to evaluate all passengers.
If we keep this limited to traffic to third countries it is still a big thing. If we are going to extend it to intra-EU flights, it makes it worse.
All points made before apply here as well. It is crucial that we are clear as to why we would need to do this.
But it's too early to draw conclusions. Those who are skeptical should by all means speak up and feed the discussion in the Council. The Parliament is co-deciding and we are in the middle of the debate.