Why this petition?

From Drcampaign

Why are EDRI and XS4ALL organising this campaign right now?

Because European Digital Rights received a copy on 20 July 2005 of a (still secret) Directive proposal from the European Commission (http://www.edri.org/docs/EUcommissiondataretentionjuly2005.pdf) for mandatory data retention. The final version of this proposal will be presented sometime before 8 September 2005 to the European Parliament and to the ministers of Justice and Home Affairs.

On 8 September 2005 the council of ministers of Justice (JHA Council) will have an informal meeting in Newcastle, UK, to push ahead with their own proposal for mandatory data retention in Europe, with a so-called 'Framework Decision'. The JHA Council has made it clear it will not withdraw the proposed third pillar framework decision and wait for the Commission to reach agreement with the European Parliament on a directive proposal. The JHA Council has vowed to reach (unanimous) agreement in the formal meeting of 12 October 2005. In a third-pillar proposal, the ministers can ignore all democratically elected organs. The only set-back is that they have to reach unanimous agreement.

With this petition, EDRI and XS4ALL hope to convince the ministers of Justice to withdraw the proposal, hopefully helped by vetoes in several national parliaments. At the same time, this petition functions as support for the members of the European Parliament during their deliberations on the merits of the Commission proposal in the fall and winter of 2005. So far the European Parliament has strongly disapproved of general data retention. It has shown its teeth in the first vote on the issue, on 7 June 2005 and in the debate with Minister Clarke from the Home Office in the UK on 13 July 2005. But decision making in the European Parliament will become extremely hectic and many MEPs might be tempted to approve of the proposal in exchange for some other compromise on issues they feel they can easier defend to their electorate.

What does the European Commission propose?

According to the Commission proposal, all fixed and mobile telephony traffic and location data from all private and legal persons in the EU should be stored for 1 year. Data about communications 'using solely the internet protocol' should be stored for 6 months. The Commission does not provide any argument about the usefulness and necessity of data retention, but considers the directive to be proportionate if providers are reimbursed for 'demonstrated additional costs'.

What is the difference with the proposal from the ministers of Justice and Home Affairs?

The JHA Council always claimed much more room for member states to adopt longer periods, up to the 4 years already implemented for fixed telephony data in Italy. The last compromise achieved by the ministers of Justice and Home Affairs was to create a two-step approach, starting with telephony data and introducing internet data retention at a later stage, possibly 4 years later.

So why isn't EDRI satisfied with the Commission proposal for a directive?

For a number of reasons. First of all, there is not a single bit of evidence that systematic data retention will really help in the fight against terrorism or serious criminal offences. Quite the opposite in fact. Even the Commission acknowledges the weakness of the need for data retention by creating a new obligation for providers to keep statistics on the usage of traffic data and present them to the Commission on a yearly basis. "Today no verifiable statistics exist at the European level on the usage of traffic data.(...) This information, once aggregated, will provide the factual information necessary to evaluate the effectiveness of the Directive." The Commission does not promise any publication of these statistics.

Secondly, the scope of the proposal is extremely broad. The Commission claims it seeks a balance between law enforcement, human rights and competition aspects by defining the purpose, limiting the categories and time period. The purpose is derived from Article 15 of the E-Privacy directive of 2002 and is actually larger than what the JHA Council proposed. The Commission includes the prevention of criminal offences and safeguarding national security, defence and public security besides the JHA purpose of the investigation, detection and prosecution of criminal offences. The 'prevention' of any kind of criminal offence will allow largescale datamining by a myriad of law enforcement authorities, for offences as common as filesharing.

Thirdly, the Commission, like the JHA Council, seeks an extremely flexible mechanism to expand data retention to new categories of data. This is a road that inevitably leads to continuous expansion of systematic surveillance of all electronic behaviour. If the European parliament now agrees to a seemingly reasonable and limited list of data, everybody can be sure within a few years the list will include horrible items such as detailed surfing behaviour or location data of GSMs in stand-by mode.

The Commission proposal includes a "result-oriented" list of data that providers must be able to make available to the competent authorities. "Such a 'result-oriented' list provides a certain degree of flexibility to the Member States in deciding what obligations will need to be met and to the operators on how to meet these obligations." The specific data are summed up in the Annex (p. 15 and 16). At this point in time, the Commission does not mention a full IP logfile from every ISP to trace every incoming and outgoing communication, but limits the demands to IP-address, the Computer internal MAC address, username, e-mail addresses and a logfile of every sent and received e-mail. The operators of mobile telephony surely won't be pleased with the proposal to store SMS traffic data for 1 whole year, nor with the obligation to keep detailed location data for 1 year, including mapping Cell IDs to the geographical location of the caller.

Last but not least, the Commission proposal contains an outright mystification about the need to harmonise data retention on a European level. The Commission follows the draft framework decision from the Justice ministers very closely, even to the point of copying the completely misleading sentence "Many Member States have adopted legislation providing for the retention of data by service providers (...)". To the best of EDRI's knowledge, only 2 of the 25 Member States have actually implemented data retention legislation; Ireland (since April 2005, only for telephony) and Italy (only for fixed telephony). General data retention legislation has been adopted, but not implemented due to massive differences in opinion, in France, Denmark and Spain.