

















Draft Joint Position on the revision of the EU Data Retention
Directive 2006/24/EC
The EU Data Retention Directive 2006/24 requires telecommunications
companies to store data about all of their customers'
communications. Although ostensibly to reduce barriers to the single
market, the Directive was proposed as a measure aimed at
facilitating criminal investigations. The Directive creates a
process for recording details of who communicated with whom via
various electronic communications systems. In the case of mobile
phone calls and SMS messages, the respective location of the users
is also recorded. In combination with other data, Internet usage is
also to be made traceable.
We believe that such invasive surveillance of the entire population
is unacceptable. With a data retention regime in place, sensitive
information about social contacts (including business contacts),
movements and the private lives (e.g. contacts with physicians,
lawyers, workers' councils, psychologists, helplines, etc.) of 500
million Europeans is collected in the absence of any suspicion.
Telecommunications data retention undermines professional
confidentiality, creates the permanent risk of data losses and data
abuses and deters citizens from making confidential communications
via electronic communication networks. It undermines the protection
of journalistic sources and thus compromises the freedom of the
press. Overall it damages preconditions of our open and democratic
society. In the absence of a financial compensation scheme in most
countries, the enormous costs of a telecommunications data retention
regime must be borne by the thousands of affected telecommunications
providers. This leads to price increases as well as the
discontinuation of services, and indirectly burdens consumers.
Studies prove that the communications data available without data
retention are generally sufficient for effective criminal
investigations. Blanket data retention has proven to be superfluous,
harmful or even unconstitutional in many states across Europe, such
as Austria, Germany, Romania and Sweden. These states prosecute
crime just as effectively using targeted instruments, such as the
data preservation regime agreed in the Council of Europe Convention
on Cybercrime. There is no proof that indiscriminate and blanket
telecommunications data retention improves our protection against
crime in any statistically significant measure. On the other hand,
we can see that it costs billions of euros, puts the privacy of
innocent people at risk, disrupts confidential communications and
paves the way for an ever-increasing mass accumulation of
information about the entire population.
Legal experts expect the European Court of Justice to follow the
Constitutional Court of Romania as well as the European Court of
Human Rights' Marper judgment and declare the retention of
telecommunications data in the absence of any suspicion incompatible
with the EU Charter of Fundamental Rights.
As representatives of the citizens, the media, professionals and
industry we collectively reject the Directive on telecommunications
data retention.
We urge the EU to outlaw national blanket communications data
retention legislation and encourage the implementation of systems of
expedited preservation and targeted collection of traffic data
needed for a specific criminal investigation as agreed in the
Council of Europe's Convention on Cybercrime. A data preservation
system could be defined by an EU instrument but does not necessarily
need to be.
If an EU-wide ban on blanket communications data retention
legislation turns out to be impossible to achieve, the Data
Retention Directive, at the very least, would need to be amended as
follows:
1) The Directive shall set upper limits on national data retention
legislation only, thus allowing national Parliaments and
Constitutional Courts to decide against blanket communications data
retention and for a system of expedited preservation and targeted
collection of traffic data needed for a specific investigation as
agreed in the Council of Europe's Convention on Cybercrime.
2) Where Member States decide to enact or maintain blanket retention
legislation, the Directive needs to make sure that such legislation
shall
- not cover Internet access, Internet e-mail, Internet telephony or
location data but fixed line and mobile telephony call records only;
- exempt communications which rely on particular confidentiality
(e.g. with physicians, lawyers, workers' councils, psychologists,
helplines, journalists) from storage;
- not impose retention periods of more than 3 months;
- exempt small and medium-sized communications providers from
retention obligations;
- provide for full reimbursement of providers' investment and
operating cost including personnel cost;
- make compulsory decentralized data storage separate from business
data, asymmetric encryption of retained data, application of the
two-man rule in conjunction with advanced authentication
procedures for access to the data, audit-proof recording of
access to and deletion of data.
Article 15 of Directive 2002/58 shall be deleted in order to
prohibit Member States from requiring data retention for service
providers, types of data or purposes other than those covered by the
Data Retention Directive.