Tuesday, November 01, 2005

EU Data Protection Commissioners criticise data retention plans

The Article 29 Working Party, an EU body that advises on privacy issues, has released an opinion on EU plans for data retention legislation. ISPs and phone companies would be forced to store information on their customers' communications for a year or more, and that information could be accessed by all manner of government agencies under laws such as the Regulation of Investigatory Powers Act in the UK.

The opinion is still sceptical about the need for data retention:

"The Working Party questions whether the justification for an obligatory and general data retention coming from the competent authorities in Member States is grounded on crystal-clear evidence. The Working Party also doubts whether the proposed data retention periods in the draft Directive are convincing."

The Working Party therefore suggests that the legislation should automatically expire three years after it is passed so that the evidence for such invasive requirements can be re-evaluated. The WP also sets out 20 safeguards that should be implemented before any data retention legislation is passed:

"1. Purposes

The data should only be retained for specific purposes of fighting terrorism and organised crime, rather than with regard to any other undetermined “serious crime”. This limited purpose should be also referred to in the title of the proposed Directive.

2. Recipients

The Directive should provide that the data be only available to specifically designated law enforcement authorities where necessary for the investigation, detection, prosecution and/or prevention of terrorism. A list of such designated law enforcement authorities should be publicly available.

3. Data Mining

Prevention of terrorism should not include large-scale data-mining based on the information referred to in the Directive in respect of the travel and communication patterns of people unsuspected by the law enforcement authorities. Access must be restricted to those data that are necessary in the context of specific investigation.

4. Further Processing

Any further processing of retained data by law enforcement authorities for other related proceedings should be ruled out or limited stringently on the basis of specific safeguards, and any access to the data by other government bodies should be prevented. The rules set out in previous European legal instruments concerning the electronic communications sector may not be applied in a manner that is inconsistent with this principle.

5. Access Logs

Any retrieval of the data should be recorded. The records should only be available, upon request, to the authority and/or body mentioned below in point 6 as well as to data protection authorities in case of control, and have to be deleted one year after being produced.

6. Judicial/Independent Scrutiny

Access to data should, in principle, be duly authorised on a case by case basis by a judicial authority without prejudice to countries where a specific possibility of access is authorised by law, subject to independent oversight. Where appropriate, the authorisations should specify the particular data required for the specific cases at hand.

7. Addressees

The Directive should clearly define which providers of publicly available communication services are concerned by the obligations. In the case of the Internet, a limitation on access provider and one-to-one communication (e-mail services, voice over IP) is necessary.

8. Identification

It is important to clarify also in this Directive that there is no obligation for identification in cases where the identification is not necessary for billing purposes or other purposes to fulfil the contract.

9. Public Order Purposes

Providers of public electronic communication services or networks should not be allowed to process data retained solely for public order purposes for their own purposes.

10. System Separation

In particular, the systems for storage of data for public order purposes should be logically separated from systems that are used for the business purposes of providers and protected by more stringent security measures (for instance by means of encryption) in order to prevent unauthorized access and use.

11. Security Measures

The Community measures should provide for minimum standards for technical and organisational security measures to be taken by the providers, specifying the general requirements regarding security measures established in Directive 2002/58/EC.

12. Third Parties

The Community measures should specify that access to retained data by any other third parties is illegitimate.

13. Definitions

There should be a clear definition of the data categories and a limitation on traffic data.

14. List of Data and Mechanisms for Its Revision

It is necessary for the Directive to directly specify the list of personal data to be retained. This is important in order to accurately gauge the impact on fundamental rights and freedoms of the citizens concerned, by having regard to the risks for their personal sphere and taking also account of the issues related to ensuring accuracy and updating of the retained data. Any proposals for changes to the list of the types of data to be retained should be subjected to a strict necessity test. In the light of the impact of these measures on fundamental rights and freedoms, the revision of the said list should be carried out only with the approval of the European Parliament and by involving data protection authorities. The participation of representatives from consumer and user associations, other relevant non-governmental bodies, and the European associations of the electronic communications industry should also be envisaged. In this perspective, it does not appear to be appropriate to carry out the revision of the said list merely according to the comitology procedure as envisaged in the Directive.

15. No Contents Data

Since the scope of the proposal is meant to exclude contents of communications, specific guarantees should be introduced in order to ensure a stringent, effective distinction between contents and traffic data – both for the Internet (i.e., only log-in/log-off data, or else any information, including mail server logs, web cache logs and IP flow logs) and for telephony (conference calls, fax, sms, voice).

16. Unsuccessful Communication Attempts

The different categories of traffic data related to unsuccessful communication attempts should not be included, failing an in-depth adequacy assessment in the light of the principles mentioned above.

17. Location Data

Storing location data should not go beyond the cellID at the start of a communication.

18. Effective Supervision

There should be effective controls on the original and on any further compatible use (including duplication), by judicial authorities within and for the purposes of a criminal procedure and, concerning data protection regardless of the existence of a judicial proceeding, by data protection authorities.

19. Publicity

The Directive should envisage the obligation to adequately inform all citizens with regard to any and all processing operations to be possibly performed further to the implementation of its measures.

20. Costs

The Article 29 Working Party notes that additional costs upon provider of public electronic communication services or networks are to be compensated by Member States. The Working Party would like to stress the importance of this issue exclusively with regard to the features that are directly related to data protection. Data retention measures should also involve both reimbursement for investments in the adaptation of the communication systems, for the disclosure of data to law enforcement authorities and about security measures. A comprehensive view is required in order to prevent any negative effects from being produced both on the data protection level and on the economic sphere of citizens, who might be charged some of the costs incurred by providers. In this context, it might also be considered whether a provider's entitlement to reimbursement for costs should be subject to fulfilment of the minimum standards and should take place on a case-by-case basis."
