Commission wants phone data to be stored for one year

The Commission will adopt a new plan on the issue of retaining phone, fax, mobile phone and internet data, with a one-year storage obligation for all non-internet data and a possibility of reimbursement to telecom operators.

The latest version of the Commission proposal for a directive and a framework decision has been leaked to EURACTIV. It contains a retention obligation of one year for all data except for “data related to electronic communications taking place using wholly or mainly the Internet Protocol”, which is to be retained for only six months. According to the draft, which will be discussed at the 21 September 2005 Commission meeting, telecom operators and internet service providers have to be reimbursed for “demonstrated additional costs” resulting from the retention obligation.

A draft framework decision by the UK, Ireland, Sweden and France has been effectively withdrawn after it was voted down unanimously in the European Parliament and after UK Home Secretary Charles Clarke failed to convince his colleagues from other EU countries of the benefits of a retention scheme which had in the meantime been considerably amended.

In parallel, the Commission has data retention plans of its own, which are composed of a draft directive and a draft framework decision. After the defeat of its own draft framework decision, the UK Presidency is now said to be ready to use the Commission proposal as the basis for its data retention plans. Until recently, the Presidency had ignored warnings from the Council’s own legal service as well as from the Commission’s that only the Commission had competence to propose this kind of legislation, and that the Parliament must have full co-decision rights.

The Commission proposal differs from the Council’s draft Framework Decision in that it

  • proposes EU-wide identical retention periods of one year for fixed and mobile telephony data, and six months for IP based communication data. The Council FD sets a minimum term of retention for all data categories of one year, but allows for possible exceptions to this for periods between 6 and 48 months;
  • obliges Member States to compensate service providers for additional costs resulting from the retention obligation;
  • facilitates the extension of demands for retained data by making it possible to add new types of data in a comitology procedure and without first consulting an advisory forum of data protection experts and industry representatives;
  • gives responsibility for providing statistics on demands for retained data to the member states (the Council wanted service providers to collect the data).

In the EU, data retention has been disputed for about five years, since Article 15 was introduced into the e-privacy directive. This article introduced an exception explicitly allowing for data retention, which would otherwise have been outlawed by the directive.

A spokesman for the British EU Presidency said on 20 September 2005: "Genuinely the most important thing is to get this in place quickly. [...] The Commission will bring out its proposal on Wednesday and we will be able to look at them side-by-side and ministers will then take a view in October."

Speaking to the European Parliament on 7 January 2005, Charles Clarke, the UK Home Secretary, said: "Communications service providers already retain much information for business purposes. But data protection obligations in some countries pressure them to erase data that has no business purpose. That means that catching a murderer or stopping a terrorist attack may depend on which mobile telephone company a victim, suspect or witness uses or has used or which EU country they were in. [...] There is perhaps a more general concern that the proposal is an unnecessary invasion into privacy or that it is disproportionate. I do not believe that it is because in many cases, some of which I have set out in the document I am circulating, the victim’s right to justice was only achieved through the retention of telecommunications data."

Speaking to the Parliament on the same day, Franco Frattini, the Commissioner for Justice, Freedom and Security, recalled the principles of data protection: "The key concept is the assurance that only for specific objectives (the fight against terrorism and organised crime) and under the supervision of independent authorities, such as the judiciary, will data be processed for a definite period of time."

On May 31, 2005, Information Society Commissioner Viviane Reding commented: "This is a question of market regulation, it can't be subject to an agreement between governments under the Third Pillar. [...] We need an impact assessment for the industry. We need the right balance not only in terms of privacy and consumer protection, but also in terms of the market."

The Parliament's Rapporteur, Alexander Alvaro, told EURACTIV: "To this date, there is no proof of evidence whether the information collected would give legal authorities an advantage in the fight against terrorism. On the one hand we risk infringing European citizens' right to privacy and on the other hand there is a danger of burdening the European telecommunications industry with the high storage costs that the proposal would invariably entail." Addressing the Parliament before the vote on the Council's draft Framework Decision, Mr. Alvaro said: "I hope that the message we are sending out from here will be properly interpreted. We are willing to cooperate, but we also want the right procedure to be chosen. As the report shows, we believe, and the legal services believe, that this matter should be part of the first pillar of the EU Treaty, in other words one of the areas in which our Parliament engages in joint decision-making and is not merely consulted. Perhaps that can be taken on board, and perhaps we shall then be accorded the same level of respect that we give the other institutions in the course of our work."

Industry associations ECTA, ETNO, EuroISPA, GSM Europe and ECCA argued: "The proposed measures to impose mandatory data retention obligations would require operators to keep more types of data for longer periods than currently necessary for business purposes. Consequently significant additional investment will be needed to upgrade networks, set up systems for the collection, storage and retrieval of data, ensure the security of data, train staff, etc. The industry is also concerned over the effectiveness and technical feasibility of the proposed measures."

European Digital Rights and XS4all are united in the 'Data retention is no solution' campaign, which 47,500 people have already signed up to. They say: "Data retention is an invasive tool that interferes with the private lives of all 450 million people in the European Union. Data retention is a policy that expands powers of surveillance in an unprecedented manner. It simultaneously revokes many of the safeguards in European human rights instruments, such as the Data Protection Directives and the European Convention on Human Rights. Data retention means that governments may interfere with your private life and private communications regardless if you are suspected of a crime or not."

Data retention means the storage of traffic data resulting from electronic communication. 

Storage obligations discussed so far do not include the content of the communication. However, activities on the internet such as surfing the web, chatting or sending and receiving e-mails, as well as mobile telephony, create huge amounts of data from which detailed conclusions can be drawn on the private life of the persons communicating. 

The data is, according to current plans, to be stored not with law enforcement authorities themselves, but with communication companies, who must make it accessible for the purposes of law enforcement. Law enforcement officials, especially from Britain, Ireland, Sweden and France, say they need this data in order to track down terrorists using modern communication technology. Civil society groups argue data retention would result in a disproportionate interference into the privacy of innocent citizens, while not yielding the proclaimed results. Telecommunication operators and internet service providers say the additional costs would considerably raise the cost of electronic communication, distort the whole sector and put many smaller companies out of business.

Up until now, phone and internet providers have been allowed to store only the data needed for billing purposes - a tiny fraction of what is to be stored according to the retention plans - and only as long as needed for this purpose. This usually results in retention periods of no more than three months. 

  • The Commission adopted the proposal at its 21 September 2005 meeting. 
  • At the EU's justice and home affairs ministers meeting on 12-13 October in Luxembourg, the UK Presidency will try to reach a conclusion on whether to prioritise the Council's draft framework decision or whether to put its hopes on the Commission package to introduce mandatory data retention. The Council proposal has already failed once to reach unanimity with member states; the Commission's proposal would require only a majority of Member States' votes, but also the agreement of the Parliament.
