Data retention: Council barks but cannot bite
Charles Clarke from the UK Home Office uttered some incredibly harsh threats to the European Parliament committee on civil liberties (LIBE) on 13 October, the day after the Council meeting, but his barking could not conceal the fact the ministers of Justice and Home Affairs did not have any teeth to bite with. Several national parliaments (Germany, Austria, the Netherlands) have not given their ministers the go-ahead on the framework decision on data retention. But according to Council conclusions, "The Council agreed to revert to this issue at its next meeting with a view to a final decision before the end of the year."
Clarke obviously thought it was a good strategy to try to intimidate the MEPs. If they didn't agree before December in first (and last!) reading on introducing data retention, he said, the ministers would pull out the framework decision anyway in the last formal JHA Council under UK Presidency, on 1 December 2005. Besides, if parliament failed, he would make sure the European Parliament would no longer have a say anymore on any JHA matters.
In fact, the Council suddenly took the advice from its own legal service into account (dating back to April 2005), according to a last minute note from the UK Presidency from 5 October 2005. This advice warns the ministers that if they would proceed, any ISP could take the Council to court once the measure was introduced and would most likely get full cost reimbursement for having to implement an illegal measure.
But in spite of the strong legal position of the European Parliament, the presidents of the political groups meeting in the European Parliament today (20 October) have just decided to let this time pressure prevail above the content of the directive. To ensure smooth negotiations, they propose to withdraw the mandate of rapporteur Alexander Alvaro and give it to the chairman of LIBE (the EP committee on civil liberties), the French centre-right Jean-Marie Cavada. The LIBE committee will have to vote on this proposal in their meeting of 24 October and the outcome is unclear. However, the proposal from the group presidents makes it very clear their main cause for concern was not getting formal co-decision power, not in the gross undermining of fundamental civil rights by the systematic surveillance of all innocent citizens.
The LIBE committee has until 26 October 2005 to enter amendments on the proposal from the European Commission and on the proposal from Alexander Alvaro. The secondary committee on Industry (ITRE) already had to file amendments before 18 October 2005. With regards to the content of the Commission proposal, the JHA Council made it clear they will not accept the maximum terms proposed by the Commission. They can live with the minimum of 6 months for internet data and 12 months for telephony, but wish to reserve the freedom to extend this period to 2 years, or as long as the member states have already seen fit. This is a specific gesture to Italy and Ireland, who have introduced data retention for 4 and 3 years respectively. Secondly, the Council does not want a general cost reimbursement for the industry, but wants to leave it to member states. Thirdly, the Council still insists on the inclusion of failed call attempts.
But on another crucial point about the scope of the obligation, Commission and Council seem to agree. According to sources around the Commission, all data mentioned in the Annex must be captured by all parties that can possibly detect them, both by network operators and by service operators. This means the term "data generated or processed by providers" includes any data transported on any network. This causes great concern when it comes to internet data, that can only be captured successfully by the party that actually provides the services, not by operators that merely let the data pass through their pipelines. If Commission and European Parliament agree on this very wide margin of interpretation, in reality all providers will have to create full wiretaps on all their networks to capture every byte and select the appropriate traffic data from this immense data mountain.
After the JHA Council the Danish minister of Justice, conservative Lene Espersen, made the headlines again with a brutal quote. After the previous informal JHA Council of 8 and 9 September she served off the telecom industry. "They should stop all their whining," she told reporters. "When you know these people are making money making their systems available to criminals, then maybe they should have a more humble attitude." This time, according to the BBC, she said: "We have to decide who we are most afraid of - the European Parliament or terrorists."
The evening before the JHA Council, the European Internet Foundation organised a special dinner debate on the matter, with representatives from the European Parliament, European Commission, industry and police. EDRI was also present (the editor) and was given the chance to explain its objections against mandatory data retention. At the very last minute the representatives from the Council and from the European Commission DG Justice cancelled their presence. The representative from the Belgian police, Chief Commissioner Luc Beirens of the Federal Computer Crime Unit, explained how useful traffic data were. An example he gave was the possibility of having your free webmail account hacked. This could result in blackmail "worth as much maybe as 200 euro" to get the account back or having child pornography spread in your name to your friends and colleagues.
His speech was warmly welcomed by representatives from the music and film-industry, the IFPI and the MPA. They both claimed data retention did not change anything at all, since member states already had the possibility to introduce mandatory data retention. Obviously, they did not bother to explain that an option is completely different from a binding European obligation. The IFPI representative insisted piracy was a form of organised crime that should be fought with all legal means, including tracing back the exact internet behaviour of all suspects for a substantial amount of time.
Mr. Beirens claimed Belgium had also introduced mandatory data retention for telephony traffic data. This could not be confirmed to EDRI-gram by either the Federal Privacy Commission or by the Belgian ISPA. In fact, Belgium has re-introduced the possibility of data retention on 13 June 2005 with the introduction of a new telecommunication law, but like before with the law on computer crime established in 2001, the actual royal decree stipulating what kind of data should be stored by which market parties for what period of time was and is never issued. Therefore, any traffic data stored by market parties beyond the direct purposes of transmission or billing, are plainly illegal.
There are still only 2 countries in the EU with actual and legal data retention legislation, Italy and Ireland, but both only for telephony, not for internet data.
Justice and Home Affairs Council Conclusions (12-13.10.2005)
BBC: EU states agree phone record law (12.10.2005)
Last JHA Council version (10.10.2005)
UK Presidency letter to Council (05.10.2005)