Peter Hustinx, the European Data Protection Supervisor, has released his opinion on the European Data Retention Directive (2006/24/EC), and it is scathing. Flatly, the Supervisor has stated that the directive does not meet privacy and data protection requirements. This is something we have reiterated to various inquiries and government departments, considering the Australian Attorney General has signalled an intention to implement data retention in Australia in line with the EU directive.
From a privacy and data protection perspective, the Evaluation report also justifies the conclusion that the Data Retention Directive does not meet the requirements imposed by the rights to privacy and data protection. There are several deficiencies: the necessity of data retention as provided for in the Data Retention Directive has not been sufficiently demonstrated, data retention could, in any event, have been regulated in a less privacy-intrusive way, and the Data Retention Directive lacks ‘foreseeability’.
It is without doubt that the justifications for dragnet data retention are reactionary, without proportion and without necessity.
The report states that, whilst interesting situations are presented in which data retention may be used or is ‘indispensable’ to the investigation, these do not constitute a necessity for data retention.
Interestingly, it also mentions that the Commission justifies the directive by attaching significant importance to retained data which was used to exclude subjects from crime scenes and to verify alibis.
Although these are interesting examples of how the data is used by law enforcement authorities, they cannot be put forward as demonstrating the need for data retention. This argument should be used with caution as it might be misunderstood as implying that retention of data is necessary for proving the innocence of citizens, which would be difficult to reconcile with the presumption of innocence.
The report puts forward data preservation as an alternative method for investigating criminal activity. This is basically the securing or ‘freezing’ of metadata (locational and traffic data) relating to the suspect via a preservation order; the data could then potentially be made available to law enforcement through judicial authorisation (i.e. a warrant). This is something that would comply with the minimum requirements of the CoE Cybercrime Convention; however, the Commission seems intent on persisting with wide-scale data retention because preservation…
…does not guarantee the ability to establish evidence trails prior to the preservation order, and does not allow investigations where a target is unknown, and does not allow for evidence to be gathered on movements of, for example, victims of or witnesses to a crime.
The report gives four principal reasons why the wide-scale retention of traffic data as regulated by the EU directive goes beyond what is necessary and is disproportionate.
1. The notion of ‘competent national authority’ is understood differently, and in some cases this has led to widespread use of the retained data by too many authorities. Inconsistent safeguards across different nations have also led to varying degrees of judicial oversight and conditions for access.
2. Two years is far too long, and the majority of requests (86%) have been for data within six months. The majority of EU states have also elected to retain data for no longer than one year, suggesting that the maximum period of two years far exceeds what is required or necessary.
3. Security of data is a huge issue. One only has to look to the crippling breaches in the security of private data in the last month to see how vulnerable data can be. In the EU, there seems to have been a ‘patchwork’ of security measures implemented, and although there apparently have been no concrete examples of serious breaches, this does not eliminate the potential for serious breaches.
This issue cannot be taken lightly, as the security of the retained data is of crucial importance to a system of data retention as such, as it ensures respect for all other safeguards.
4. The Directive demands that a wide array of telecommunications data be retained; however, there is very little information on whether it is necessary to retain all this data, and for the same length of time, which prevents any meaningful conclusion from being reached.
In reality, the only thing that can be deduced is that the directive is eroding the fundamental right to privacy. This insidious directive is leading to a situation where the populace is under perpetual surveillance. This report is just one of many that reiterate that the only way to move forward is to dispense with the directive: repeal. It is an unjustified interference with the privacy of all citizens.