Explanatory Memorandum to COM(2005)438 - Retention of data processed in connection with the provision of public electronic communication services

Please note

This page contains a limited version of this dossier in the EU Monitor.

1. CONTEXT OF THE PROPOSAL

- 110 Grounds for and objectives of the proposal

Citizens increasingly perform daily activities and transactions using electronic communications networks and services. These communications generate traffic data or location data which include for example details about the location of the caller, the number called, the time and duration of the call. When combined with data enabling the identification of the subscriber or user of the service, the availability of such traffic data is important for purposes related to law enforcement and security, such as the prevention, investigation, detection and prosecution of serious crime, such as terrorism and organised crime.

However, with changes in business models and service offerings, such as the growth of flat rate tariffs, pre-paid and free electronic communications services, traffic data may not always be stored by all operators to the same extent as they were in recent years, depending on the services they offer. This trend is reinforced by recent offerings of Voice over IP communication services, or even flat rate services for fixed telephone communications. Under such arrangements, the operators would no longer have the need to store traffic data for billing purposes. If traffic data are not stored for billing or other business purposes, they will not be available for public authorities whenever there is a legitimate case to access the data. In other words, these developments are making it much harder for public authorities to fulfil their duties in preventing and combating organised crime and terrorism, and easier for criminals to communicate with each other without the fear that their communications data can be used by law enforcement authorities to thwart them.

It has now become urgent to adopt harmonised provisions at EU level on this subject. A certain number of Member States have adopted, or plan to adopt, national measures requiring some or all operators to retain given types of data so that they can be used for the purposes identified above when necessary. Differences in the legal, regulatory, and technical provisions in Member States concerning the retention of traffic data present obstacles to the Internal Market for electronic communications as service providers are faced with different requirements regarding the types of data to be retained as well as the conditions of retention. These provisions should therefore be further harmonised in accordance with Article 14 of the EC-Treaty. 120

- General context

The necessity to have rules at EU level that guarantee the availability of traffic data for anti-terrorism purposes across the 25 Member States was confirmed by the European Council in its Declaration on combating terrorism of 25 March 2004. Following the Madrid terrorist bombings, the European Council instructed the Council to examine proposals for establishing rules on the retention of communications traffic data by service providers with a view to adoption in 2005. The priority attached to adopting an appropriate legal instrument on this subject was recently confirmed in the Conclusions of the European Council of 16 and 17 June, as well as at the special JHA Council meeting of 13 July 2005 following the London terrorist bombings.130

- Existing provisions in the area of the proposal

Directive 2002/58/EC on Privacy and Electronic Communications harmonises through its Articles 6 and 9 the personal data protection rules which are applicable to the processing of traffic and location data generated by the use of electronic communications services. Such data must be erased or made anonymous when no longer needed for the purpose of the transmission, except for the data necessary for billing or interconnection payments; subject to consent, certain data may also be processed for marketing purposes and the provision of value added services. Article 15 i stipulates that Member States may provide for restrictions of the scope of (amongst others) Articles 5, 6 and 9, when such restrictions constitute a necessary, appropriate and proportionate measure within a democratic society to safeguard national security, defence, public security and the prevention, investigation, detection and prosecution of criminal offences.140

- Consistency with the other policies and objectives of the Union

The proposal is in line with Community law and with the Charter on Fundamental Rights. Even though it is clear that the proposed Directive will have an effect on the privacy right of citizens as guaranteed under Article 7 of the Charter, as well as on the right to protection of personal data as guaranteed under Article 8 of the Charter, the interference with these rights is justified in accordance with of Article 52 of the Charter. Specifically, the limitations on these rights provided for by the proposal are proportionate and necessary to meet the generally recognised objectives of preventing and combating crime and terrorism.

Furthermore, the proposal limits its effects on the private life of citizens: firstly through clearly establishing the purpose for which the data which are retained can be used, secondly through limiting the categories of data which need to be retained, and thirdly through limiting the period of retention. A further important safeguard is that this Directive is not applicable to the content of communications - this would amount to interception of telecommunications, which falls outside the scope of this legal instrument.

The processing of the personal data retained by the service and network providers under the provisions of this Directive are covered by the general and specific data protection provisions established under Directives 95/46/EC and 2002/58/EC - which means in practice that specific additional provisions on general data protection principles and data security are not necessary. It also means that the processing of such data will be under the full supervisory powers of the data protection authorities established in all Member States.

3.

2. CONSULTATION OF INTERESTED PARTIES AND IMPACT ASSESSMENT


- Consultation of interested parties

Consultation methods, main sectors targeted and general profile of respondents

Starting in 2001 with the meetings of the Cybercrime Forum, the issue of traffic data retention has been the subject of consultation with representatives of law enforcement authorities, the electronic communications industry and data protection experts.

On 14 June 2004, an ad hoc roundtable meeting was organised under the auspices of the Forum for the Prevention of Organised crime, in which representatives from law enforcement, industry and data protection organisations took part. On 30 July 2004, a joint consultation document on traffic data retention was presented by DG INSFO and DG JLS, in preparation of a public workshop on the issue held on 21 September 2004. Contributions and reactions from various sides – in particular from industry and civil rights associations - were received in response to the joint consultation document. The public workshop of 21 September provided further input to the Commission.

In the preparation of the proposal, the Commission has also drawn on the wide-ranging public debate on this issue, including discussions at the European Parliament.

4.

Summary of responses and how they have been taken into account


The consultation process confirmed that retention of traffic communications data is an essential tool for law enforcement authorities to prevent and combat crime and terrorism. Law enforcement authorities indicated that for their purposes, retention periods should be as long as necessary, and comprise as much data as necessary. Especially in complex investigations into serious crimes, which can take up to a number of years to conclude, older traffic data is still regularly required. A number of examples were given of cases where such data had proven to be essential for criminal investigations, mostly into crimes such as bombings or murders.

Representatives of the European representative organisations of the telecommunications and internet industry, as well as individual electronic communications companies, argued that whilst they were willing to co-operate with law enforcement, and had been doing so, long retention periods would generate considerable costs and data preservation would be sufficient. They pleaded anyway for retention periods no longer than six months since a large amount of data requested by law enforcement authorities is not older than six months, and for mechanisms to compensate them for the additional costs incurred.

Representatives from data protection authorities and civil rights associations argued that data retention is an interference with the private life of citizens, which is why retention periods should be kept as short as possible. In general terms, they questioned whether periods of retention longer than six months can be considered to be proportional. They also expressed concerns about the finality and aims of the retention, which should be clearly specified.

The current proposal constitutes a balanced approach and rests on the enclosed impact assessment. The retention periods of 1 year for mobile and fixed telephony traffic data and six months for traffic data related to Internet usage will cover the main needs of law enforcement, whilst limiting the associated costs for industry and the intrusion into the private life of citizens. A retention period of six months for all data would have been too short, since even if a large part of the requests from law enforcement authorities relate to data not older than six months, data older than six months is generally requested in relation with the most serious offences, such as terrorism, organised crime or homicide.

- Collection and use of expertise

There was no need for external expertise.

- 230 Impact assessment

Various options have been considered. In 2002, the Council had explicitly called for a dialogue at national and EU level aimed at finding solutions to the issue of traffic data retention that satisfies both the need for effective tools for prevention, detection, investigation and prosecution of criminal offences and the protection of fundamental rights and freedoms of natural persons, and in particular their right to privacy, data protection and secrecy of correspondence. Although public consultation and debate on this issue has been wide-spread, including discussions at the European Parliament, no common solutions have emerged from this.

Not taking an initiative on data retention would leave the current patchwork of data retention provisions in place. Soft law has been discarded since it does not provide for the right level of legal certainty. A third pillar initiative on data retention obligations was discarded since it would have been incompatible with existing Community law. A legislative approach has also been called for by the European Council in its Declaration on combating terrorism.

The option of a proposal for a directive provides the harmonisation level needed in the internal market. Compared to a regulation, it leaves in a sensitive area some margin of manoeuvre to Member States on the implementation. A regulation would have been too stringent, notably in view of the different technical architectures used by the various operators in different countries. The directive will leave sufficient margin to Member States to adapt to national constraints. In any case, the status quo is no longer tenable in view of the obstacles to the free provision of services created by the diverging national provisions in this area. The choice for this legal instrument, and the specific legal basis of Article 95 EC, have also been indicated through the legal analysis laid down in Commission Staff Working Paper SEC(2005) 420 of 22 March 2005. The Commission carried out an impact assessment, available on europa.eu.int/comm/dgs/justice_home/evaluation

1.

LEGAL ELEMENTS OF THE PROPOSAL



- 305 Summary of the proposed action

The proposed Directive is intended to harmonise obligations for providers of publicly available electronic communications services or of a public communications network to retain certain traffic data, so that they may be provided to the competent authorities of the Member States for the purpose of the prevention, investigation, detection and prosecution of serious criminal offences, such as terrorism and organised crime. 310

- Legal basis

Article 95 of the EC-Treaty.

- 320 Subsidiarity principle

The subsidiarity principle applies insofar as the proposal does not fall under the exclusive competence of the Community.

The objectives of the proposal cannot be sufficiently achieved by the Member States for the following reason(s).

Harmonisation of retention periods for traffic data cannot be achieved by the Member States themselves. EU action – which was called for by the European Council - will ensure that traffic data will be retained across the European Union and can be made available to law enforcement authorities.

As the effectiveness of law enforcement investigations is heavily dependant on international co-operation, and different national choices have negative effects of different national choices on the electronic communications market, European wide harmonisation of traffic data retention schemes is the most appropriate policy choice. The cost reimbursement principle will allow creating a level playing field for the electronic communication providers in the internal market.

Community action will better achieve the objectives of the proposal for the following reason(s).

EU action will better achieve the objectives of the proposal through ensuring that traffic data will be retained across the European Union and can be made available to law enforcement authorities under the same conditions. This will also be of benefit to the electronic communications industry, especially those companies offering services in multiple Member States, since they can standardise their technology. 325

The qualitative indicators which demonstrate that the objective can better be achieved by the Union are the effectiveness of law enforcement authorities in preventing and combating crime and terrorism, in particular in cases like organised crime and terrorism which are often cross border. 327

The proposal is limited to what Member States cannot satisfactorily achieve and what the Union does better through its limitation to the scope of the retention obligations on providers of electronic communications services or of a publicly available communications network. The proposal leaves the choice to the Member States of which authorities should have access to data retained and under which conditions. Access to and exchange of information between relevant law enforcement authorities is a matter which falls outside the scope of the EC-Treaty.

In this context it is worth mentioning that the Commission is currently preparing draft legislative proposals under the Treaty on European Union relating to the principle of availability of information for law enforcement purposes and to the establishment of data protection principles for the Third Pillar. It should further be noted that no access should be granted to ‘retained data’ under this Directive for other than law enforcement purposes i.e. no access to retained data for service providers of electronic communications.

The proposal therefore complies with the subsidiarity principle.

- Proportionality principle

The proposal complies with the proportionality principle as its impact on citizens and industry has been limited to the maximum extent possible. It should be recalled that this instrument deals only with traffic data which is processed by the providers of electronic communications. The content of the electronic communications is excluded from the scope of this Directive.

The respect of fundamental rights and freedoms, and in particular the right to life, and the strict limitation of the invasion of privacy has been the key driver to find the most appropriate balance between all interests involved, such as the social, economical, security and privacy context.

Therefore this proposal for a Directive has taken account of the issues of proportionality, most notably in terms of the retention periods proposed, the distinction between telephone and internet data, the limitation in the categories of data to be retained, and the cost reimbursement scheme. In particular the proposal strictly limits the purposes for which the retained data may be provided to law enforcement authorities. Data protection legislation will be fully applicable to the retained data, whereas the impact on individual rights and economic operators is limited by choosing a limited set of traffic data that needs to be retained. Furthermore the shorter retention period for traffic data generated through use of the Internet, as opposed to traffic data generated by usage of standard mobile and fixed telephony takes into account current business practices by substantially reducing the volumes of data that needs to be retained.

The financial and administrative burden on national governments, economic operators and citizens has been minimised in a number of ways. Firstly, the Directive provides for harmonisation, which will mean reduced costs of compliance for providers of electronic communications services or of a public communications network. Secondly, costs have been minimised through strict limitations in the retention periods, as well as in the data sets to be retained. Given the importance of the measure in terms of preventing and combating crime and terrorism, the additional costs to be borne by the Member States through the provision on cost reimbursement are considered to be proportionate (see the impact assessment).

It should also be highlighted that this Directive does not prejudge the possibility of Member States to request for specific data preservation measures for instance in case a suspect or criminal organisation has already been identified or in the event of specific events such as terrorist attacks.

- Choice of instruments

Proposed instruments: directive.

Other means would not be adequate for the following reason(s).

This issue of the correct legal basis for a proposal on traffic data retention has recently been addressed in a Commission Staff Working Paper. In short, the position outlined in this document is that the issue of retention of traffic data has already been dealt with in previous legal instruments based on a first-pillar legal basis, such as Directives 2002/58/EC and 95/46/EC mentioned above. The analysis continues to state that it was only due to the fact that no political agreement on the actual length of retention could be reached that this issue was not harmonised more fully in Directive 2002/58/EC, and concludes that therefore any further legal instruments on retention of traffic data as such (as opposed to provision regulating the exchange of and access to such data by law enforcement) must also take place on a first pillar legal basis. This logic is in accordance with Article 47 of the Treaty on European Union, which regulates the relationship between the Treaty on European Union and the EC Treaty, stipulating that no legal instruments adopted under the Treaty on European Union may affect the legislative framework adopted under the EC Treaty.

2.

BUDGETARY IMPLICATION



The proposal has no implication for the Community budget.

5.

5. ADDITIONAL INFORMATION


- Review/revision/sunset clause

The proposal includes a review clause. To assist the Commission in its reviewing task the creation of a Platform on data retention is envisaged. Such a group could bring together technical experts on electronic communications, as well as representatives from law enforcement and data protection authorities.

- 550 Correlation table

The Member States are required to communicate to the Commission the text of national provisions transposing the Directive as well as a correlation table between those provisions and this Directive.