Europe’s data retention story not clear cut


analysis Over the past several weeks Attorney-General Nicola Roxon has publicly compared the Federal Government’s controversial data retention proposal to a similar system enacted in Europe. But the truth is that Europe’s data protection bureaucrat has heavily criticised the scheme, and a number of countries have struck it down as being unconstitutional.

The Federal Attorney-General’s Department is currently promulgating a package of reforms which would see a number of wide-ranging changes made to make it easier for law enforcement and intelligence agencies to monitor what Australians are doing on the Internet. For example, one new power is a data retention protocol which would require ISPs to retain data on their customers’ Internet and telephone activities for up to two years, and changes which would empower agencies to source data on users’ activities on social networking sites.

In several interviews and communications over the past several weeks, Roxon, who is the main Gillard Government minister pushing the reforms, has compared them with the European Union’s 2004 Convention on Cybercrime and the 2006 Data Retention Directive. Together, the pair of legislative instruments aimed to implement a similar data retention system as the Federal Government is proposing, alongside other measures to track suspected terrorists and criminals online, in the wake of the September 2001 terrorist attacks and other events.

“So look, the proposal if you like has been modelled on what is the European system,” Roxon said on the ABC’s Capital Hill program on 14 September. “There’s 29 countries in Europe who already do this.” And then, in a separate letter issued this week to the parliamentary committee inquiring into the reforms, Roxon wrote:

“Australia is not alone in being forced to consider answers to these challenges. In recognition of the impact the lack of access and retention of telecommunications data is having on investigations, the European Union adopted the EU Directive 2006/24/EC on data retention on 15 March 2006. The Directive has been implemented by the majority of the 25 Member States of the EU with the remaining Member states at various stages of implementation.”

“The EU Directive imposes an obligation for providers of publicly available electronic communications services and public communication networks to retain communications data for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in national law. The Directive only requires the retention of subscriber and traffic data. No data revealing the content of the communication may be retained under the Directive.”

However, the truth with regard to the European instruments highlighted by Roxon is that they have proven extremely controversial in Europe and have not been adopted universally.

In April 2011, the European Commission produced a report into the data retention scheme (PDF), presenting it to the European Parliament. In general, the report found that data retention was “a valuable tool for criminal justice systems and for law enforcement in the EU”. However, if you dig further into the report, a somewhat more nuanced picture emerges of Europe’s implementation of data retention.

For example, the report details the fact that the Romanian Constitutional Court in October 2009, the German Federal Constitutional Court in March 2010 and the Czech Constitutional Court in March 2011 annulled the laws transposing the Directive into their respective jurisdictions on the basis that they were unconstitutional.

The Romanian Court drew on case law of the European Court of Human Rights to find that the implementation of the data retention directive in that country was ambiguous in its scope and purpose with insufficient safeguards, and held that a ‘continuous legal obligation’ to retain all traffic data for six months was incompatible with the rights to privacy and freedom of expression in Article 8 of the European Convention on Human Rights.

The German Constitutional Court said that data retention generated a perception of surveillance which could impair the free exercise of fundamental rights.

The Czech Constitutional Court annulled the data retention legislation in its country, on the basis that, as a measure which interfered with fundamental rights, the transposing legislation was insufficiently precise and clear in its formulation. The Court criticised the purpose limitation as insufficiently narrow given the scale and scope of the data retention requirement. It held that the definition authorities competent to access and use retained data and the procedures for such access and use were not sufficiently clear in the transposing legislation to ensure integrity and confidentiality of the data. The individual citizen, therefore, had insufficient guarantees and safeguards against possible abuses of power by public authorities.

All of this is detailed in the European Commission’s report; in fact, I am almost quoting verbatim in the paragraphs above.

These and other issues detailed in the report led the European Data Protection Supervisor, which is the primary bureaucratic guardian of personal data in the European legislative system, to heavily criticise the data retention scheme in a detailed opinion paper (PDF). In a statement in May, the office of the EDPS wrote:

“After careful analysis of the Evaluation Report, the EDPS takes the view that the Directive does not meet the requirements imposed by the fundamental rights to privacy and data protection, mainly for the following reasons:

  • The necessity for data retention as provided in the Directive has not been sufficiently demonstrated;
  • Data retention could have been regulated in a less privacy-intrusive way;
  • The Directive leaves too much scope for Member States to decide on the purposes for which the data might be used, and also for establishing who can access the data and under which conditions.”

Peter Hustinx, the EDPS, said: “Although the Commission has clearly put much effort into collecting information from the Member States, the quantitative and qualitative information provided by the Member States is not sufficient to draw a positive conclusion on the need for data retention as it has been developed in the Directive. Further investigation of necessity and proportionality is therefore required, and in particular the examination of alternative, less privacy-intrusive means”.

The global Electronic Frontiers Foundation issued a statement, noting: “Mandatory data retention creates huge potential for abuse and should be rejected as a serious infringement on the rights and freedoms of individuals. These laws support pervasive surveillance of every ordinary citizen and should not be tolerated in countries where freedom is valued. Courts in Romania, Germany, and the Czech Republic have ruled that national data retention laws based on the 2006 European Data Retention Directive, are unconstitutional. A court in Ireland has referred a data retention case to the European Court of Justice and questioned the legality of the entire EU Data Retention Directive.”

Roxon has not referred to any of these criticisms of the European Data Retention Directive in her speeches and comments on the matter, but Australian organisations opposed to the implementation of a similar data retention scheme locally are clearly aware of the international reception of the European scheme.

In a note appended to its publication of comments by Roxon on the matter, for example, the Pirate Party of Australia this week wrote: “EU Data Retention Directive was declared unconstitutional in the Czech Republic. Sweden implemented it, but for only 6 months. Germany’s Federal Constitutional Court declared it unconstitutional. Romania also declared it unconstitutional. Serbia implemented 6 month retention.”

In general, the Government’s data retention and surveillance package has attracted a significant degree of criticism from the wider community over the past few months since it was first mooted. Digital rights lobby group Electronic Frontiers Australia has described the new powers as being akin to those applied in restrictive countries such as China and Iran, while the Greens have described the package as “a systematic erosion of privacy”.

In separate submissions to the Parliamentary Joint Committee on Intelligence and Security inquiry into the reforms, a number of major telecommunications companies including iiNet and Macquarie Telecom, as well as telco and ISP representative industry groups, have expressed sharp concern over aspects of the reform package, stating that “insufficient evidence” had been presented to justify them. And Victoria’s Acting Privacy Commissioner has labelled some of the included reforms as “being characteristic of a police state”.

The Institute of Public Affairs, a conservative and free market-focused think tank, wrote in its submission to the parliamentary inquiry on the matter that many of the proposals of the Government were “unnecessary and excessive. “The proposal … is onerous and represents a significant incursion on the civil liberties of all Australians,” wrote the IPA in its submission, arguing that the data retention policy should be “rejected outright”. And one Liberal backbencher, Steve Ciobo, has described the new proposal as being akin to “Gestapo” tactics.

In addition, last week The Australian newspaper reported that about a dozen Coalition MPs had bitterly complained about the data retention proposals in a passionate party room meeting, with Opposition Leader Tony Abbott being urged to directly pressure the Government on the issue.

Roxon and agencies such as the Australian Federal Police have attempted to justify the need for a data retention scheme by stating that the increasing use of the Internet by criminals has made traditional telecommunications interception powers less useful.

“The need to consider a data retention scheme has come about because of changes in technology that have affected the behaviour of criminal and national security suspects,” said Roxon this week. “Targets of interest now utilise the wide range of telecommunications services available to them to communicate, coordinate, manage and carry out their activities. The ability to lawfully access telecommunications data held by the telecommunications industry enables investigators to identify and build a picture of a suspect, provides vital leads of inquiry and creates evidence for alibis and prosecutions.”


  1. Just because they go jump in the lake…?

    She may want to reconsider this line of argument – should someone point out that China also has laws on data retention?

  2. The EU’s data retention directive does not seem to include logging web browsing history (or does it?). Does this mean it is not part of what is being considered here, or does Roxon’s recent clarifications about what is being considered require further clarification? Back when Robert McClelland was the AG, I thought retention of web browsing history was mentioned explicitly?

    I don’t understand or agree with the whole idea of logging and retaining all activity when it is so simple for those who do not want to be tracked to avoid having their activities associated with them, but I sure would like to know exactly what the heck the government is actually considering (because it is like Roxon doesn’t even know).

    • >> The EU’s data retention directive does not seem to include logging web browsing history

      @WhatsNew – Yes, it does. You only have to read Roxon’s letter (For which Renai provided a link, above.) It describes –
      a) the source of a communication;
      b) the destination of a communication (read : IP Addresses)

      That applies for internet access as well as every other form of communication. Surfing websites being one of those forms.

      >> I sure would like to know exactly what the heck the government is actually considering

      Read Roxon’s letter – it’s all there.
      They are proposing to collect all data, for all communications events, for all Australians (yes, even the activities of children) and to store at least two years data on everybody.

      • Hello,

        I’m a european lawyer working in Brussels, mostly in the field of data protection and criminal justice. Actually, the EU Directive does not include logging of web browsing history. However, your IP address and times of connection are recorded. The “destination of a communication” is only recorded for emails and Internet telephony, but not for Internet browsing.

        Forms of communication concerned by the Directive are: Internet telephony, emails, fixed telephony and cell phones.

        Actually, in no way can the content of a communication be recorded. So, public authorities “only” keep info with regard to the origin of communication, destination, equipment, time and duration etc. Recording Internet browsing history would amount to recording content, which is prohibited.

        Nevertheless, the Directive is indeed highly controversial and is likely to be amended in a near future, so as to include more data protection safeguards and be narrowed.

        Read the Directive here:

Comments are closed.