Data Retention Means You Are On The Record, Like It Or Not
from the it's-not-retention,-it's-surveillance dept
This week the advocate general of the Court of Justice of the EU (CJEU), Yves Bot, publishes an opinion on the extent to which the Data Retention Directive, one of the most controversial security measures introduced by the EU in the past decade, is compatible with human rights law. Although not a binding judgement (this will come later), the CJEU’s opinion is a significant intervention in the ongoing debate over how to balance human rights with states' perceived surveillance needs.
The security-related retention of communications by telecoms firms was on the European agenda well before 9/11, but privacy concerns had led to a limited approach. Telecoms companies in the EU were obliged to delete communications data as soon as all business needs had been met; the data could not be retained for security or criminal investigation purposes. Some states had attempted to adjust this and introduce a retention system in 2000, but this failed - again, largely because of privacy concerns. All this changed, however, after 9/11.
As early as May 2002, a “data retention amendment” had been made to existing EU privacy laws to allow for security-related data retention, and drafts of a provision that would require retention began to circulate. Those proposals attracted so much rights-based criticism that they were apparently abandoned; however, they quickly reappeared in the wake of the London and Madrid bombings, and in 2006, the Data Retention Directive was adopted.
It obliges all member states to introduce national data retention regimes, even where — as in the UK — there had already been significant resistance to such regimes when they were previously proposed at a national level. The directive requires telecommunications providers to retain data on the source, destination, time, date, duration and type of all communications by fixed and mobile telephone, fax and internet, and on the location and type of equipment used.
The data is to be retained for between six months and two years, with national law deciding on the duration, and can be accessed by state agencies investigating “serious crime” — a term that has different definitions across the member states.
Blanket surveillance
The volume and extent of information retained under the directive is stunning; in effect, it has introduced a system of blanket surveillance across the entire EU. Although access to the information is regulated by law, state agencies can nonetheless access an enormous amount of information about our communications patterns and activities. This naturally raises serious human rights concerns, especially about privacy.
Security services insist that data retention is an indispensable tool for investigating serious crimes, such as terrorism and the production and distribution of child pornography. Yet different states make use of the Directive to wildly varying extents: in 2012, for example, Cyprus made 22 requests for access to data, while the UK made 725,467.
The question for the advocate general, the CJEU and the EU more broadly is whether or not the approach taken by the directive privileges perceived security needs over human rights. Data retention unquestionably constitutes a prima facie infringement on privacy; the real issue is whether this infringement is justified because it is necessary, effective, and limited. This question is at the core of all debates about “balance” in the security context: how far are we prepared to allow state power into our individual, family, social and democratic lives in order to “secure” us?
Answering this question requires us to decide on what we think “effectiveness” means in the context of security. If the directive helps to resolve a handful of serious crimes per year, or to prevent one terrorist attack, is it effective? Could a more limited approach — such as requiring telecoms companies to collect data related to certain investigations but not to retain all data — achieve the same security objectives while better protecting rights?
These are difficult questions, but they are ones we must resolve if we are to have a balanced security system. The advocate general’s opinion will be an important contribution to the debate, but it will not be the final word. Achieving a balanced approach to security requires critical scrutiny at practical, political, social and legal levels. This is all the more true given that, as the Data Retention Directive illustrates, security measures operate upon and have implications for the rights of all of us, all of the time.
Fiona de Londras is the Project Co-Ordinator of SECILE (Securing Europe through Counter-Terrorism: Impact, Legitimacy and Effectiveness), a project that has received funding from the European Union Seventh Framework Programme (FP7/2007-2013) under grant agreement number 313195.
This article was originally published at The Conversation.
Filed Under: data retention, europe, surveillance
Reader Comments
This data collection will facilitate MORE crime
It won't be long until they get it. And soon enough, they'll start using it. (Please, everyone, spare me any assertion that it's held securely. It's not.)
So one of the incidental consequences with this, in addition to the massive invasion of privacy that it represents, is that it provides one-stop shopping for some of the worst people on the planet.
[ link to this | view in thread ]
Data retention
[ link to this | view in thread ]
Human rights
Is this the same directive that's been found unconstitutional by a number of European Union members? The same the European Union has kept pushing its member states into adopting despite their respective rejections of the directive?
[ link to this | view in thread ]
And tonite
I never thought Britain would end up with a Secret Police, who spy on Brits without warrants.
I knew it was getting bad, but I never knew just how bad it was getting.
[ link to this | view in thread ]
Holy crap.
The train is out of control.
Somebody pull the mother fucking cord.
Harder.
[ link to this | view in thread ]
Re: Data retention
Data retention. That was a portion of the point I think. How long is too long? And if never enough is insufficient then that leads me to believe that the logical conclusion is that only enough data for the system to continue need be retained. The question then becomes "What is the system?". The more data that authority has to farm then the more they will. It seems they could care less who has it as long as they get it. Boy, authority likes metadata too don't they? Hm.. Bad enough to bomb cities? .. Damn it, since the files are in the control of authority I guess that leaves room for lots of things. Just focus, OK? Who is the more likely to be viewed as an enemy of the state? You or Google? Take your time.
[ link to this | view in thread ]
DRD=Fuck Off Freedom. My greatest hope now is that one of these fucktards pushing this shit gets nailed by it. Please Karma, bail us out.
[ link to this | view in thread ]
According to the law and precedent the directive actually has to correspond to "a pressing social need" and be "necessary in a democratic society". Some of these requirements are actually a bit stronger than the ones cited.
It will be interesting to see how this turns out.
Let's also not forget how this directive came to be. Since voting on it as a criminal cooperation between EU member countries would have required a qualified majority and the directive was very controversial what the politicians did was to say that: "reasonably most countries will want to have a system like this and if the burden on ISPs and other companies differ throughout the EU the market will be distorted. Hence we vote on this directive within the framework of harmonizing the market."
I hope the Court of Justice will weigh the proportionality of the privacy infringements against the effects on market harmonization. That would be the most fair thing to do.
[ link to this | view in thread ]
Re: And tonite
UK has an obscene amount of surveillance cameras, GCHQ appears to be pursuing information extremely aggressively with little regard to consequences and the internet filter Cameron is pushing is highly censorious.
All of it falls worryingly close to Orwell's over-the-top surveillance state.
[ link to this | view in thread ]
European Hypocrisy
[ link to this | view in thread ]
Re: This data collection will facilitate MORE crime
I doubt anyone has addressed their poor securing of customer data, apparently there is little to no consequence. Maybe they were being paid to do so.
Anyway, I doubt the government is any better at having concern for the securing of people's personal data.
[ link to this | view in thread ]
Data Planet
[ link to this | view in thread ]
All your data belongs to us
[ link to this | view in thread ]