The Data Retention Directive (Directive 2006/24/EC) requires public electronic communications providers (telephone companies, mobile telecoms, Internet service providers) to retain traffic, location and subscriber data for the purpose of the investigation, detection and prosecution of serious crime. The Directive has been undergoing an evaluation process that seeks to assess its application by Member States, and its impact on businesses and consumers. The aim is also to establish whether the Directive is proportionate in relation to the law enforcement benefits it yields, the costs for the market, and the impact on fundamental rights, in particular the rights to privacy and the protection of personal data.
The Commission held a Conference on the Directive in Brussels on 3 December 2010. Cecilia Malmström, the Member of the Commission responsible for Home Affairs, made four points: (1) the retention of data is useful for fighting crime; (2) the Directive is implemented in different ways in the Member States, especially as regards retention periods; (3) clearer rules are needed, including in relation to compensation for costs; and (4) there is no evidence of serious abuse.
At the Conference Peter Hustinx, the European Data Protection Supervisor (EDPS), strongly argued in favour of seizing the opportunity of the ongoing evaluation process to demonstrate the necessity and justification for the Directive. The EDPS emphasised once again that the retention of traffic and location data of all persons in the EU, whenever they use the telephone or the Internet, is a huge interference with the right to privacy of all citizens. As such, the EDPS regards the Directive as the most privacy invasive instrument ever adopted by the EU in terms of scale and the number of people it affects. Such a massive invasion of privacy needs profound justification. The EDPS therefore called on the Commission to use the evaluation exercise to prove the necessity for the Directive and its proportionality. The EDPS further insisted on the fact that the Directive clearly failed to harmonise national legislation. Significant discrepancies between the implementing laws of the EU Member States have led to legal uncertainty for citizens. It has also resulted in a situation where the use of the retained data is not strictly limited to the combat of really serious crimes. According to the EDPS, a new or modified EU instrument on data retention should be clear about its scope and create legal certainty for citizens. This means that it should also regulate the possibilities for access and further use by law enforcement authorities and leave no room for the Member States to use the data for additional purposes.
James Goudie QC