Europe’s data retention story not clear cut

analysis Over the past several weeks Attorney-General Nicola Roxon has publicly compared the Federal Government’s controversial data retention proposal to a similar system enacted in Europe. But the truth is that Europe’s data protection bureaucrat has heavily criticised the scheme, and a number of countries have struck it down as being unconstitutional.

The Federal Attorney-General’s Department is currently promulgating a package of reforms which would see a number of wide-ranging changes made to make it easier for law enforcement and intelligence agencies to monitor what Australians are doing on the Internet. For example, one new power is a data retention protocol which would require ISPs to retain data on their customers’ Internet and telephone activities for up to two years, and changes which would empower agencies to source data on users’ activities on social networking sites.

In several interviews and communications over the past several weeks, Roxon, who is the main Gillard Government minister pushing the reforms, has compared them with the European Union’s 2004 Convention on Cybercrime and the 2006 Data Retention Directive. Together, the pair of legislative instruments aimed to implement a similar data retention system as the Federal Government is proposing, alongside other measures to track suspected terrorists and criminals online, in the wake of the September 2001 terrorist attacks and other events.

“So look, the proposal if you like has been modelled on what is the European system,” Roxon said on the ABC’s Capital Hill program on 14 September. “There’s 29 countries in Europe who already do this.” And then, in a separate letter issued this week to the parliamentary committee inquiring into the reforms, Roxon wrote:

“Australia is not alone in being forced to consider answers to these challenges. In recognition of the impact the lack of access and retention of telecommunications data is having on investigations, the European Union adopted the EU Directive 2006/24/EC on data retention on 15 March 2006. The Directive has been implemented by the majority of the 25 Member States of the EU with the remaining Member states at various stages of implementation.”

“The EU Directive imposes an obligation for providers of publicly available electronic communications services and public communication networks to retain communications data for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in national law. The Directive only requires the retention of subscriber and traffic data. No data revealing the content of the communication may be retained under the Directive.”

However, the truth with regard to the European instruments highlighted by Roxon is that they have proven extremely controversial in Europe and have not been adopted universally.

In April 2011, the European Commission produced a report into the data retention scheme (PDF), presenting it to the European Parliament. In general, the report found that data retention was “a valuable tool for criminal justice systems and for law enforcement in the EU”. However, if you dig further into the report, a somewhat more nuanced picture emerges of Europe’s implementation of data retention.

For example, the report details the fact that the Romanian Constitutional Court in October 2009, the German Federal Constitutional Court in March 2010 and the Czech Constitutional Court in March 2011 annulled the laws transposing the Directive into their respective jurisdictions on the basis that they were unconstitutional.

The Romanian Court drew on case law of the European Court of Human Rights to find that the implementation of the data retention directive in that country was ambiguous in its scope and purpose with insufficient safeguards, and held that a ‘continuous legal obligation’ to retain all traffic data for six months was incompatible with the rights to privacy and freedom of expression in Article 8 of the European Convention on Human Rights.

The German Constitutional Court said that data retention generated a perception of surveillance which could impair the free exercise of fundamental rights.

The Czech Constitutional Court annulled the data retention legislation in its country, on the basis that, as a measure which interfered with fundamental rights, the transposing legislation was insufficiently precise and clear in its formulation. The Court criticised the purpose limitation as insufficiently narrow given the scale and scope of the data retention requirement. It held that the definition authorities competent to access and use retained data and the procedures for such access and use were not sufficiently clear in the transposing legislation to ensure integrity and confidentiality of the data. The individual citizen, therefore, had insufficient guarantees and safeguards against possible abuses of power by public authorities.

All of this is detailed in the European Commission’s report; in fact, I am almost quoting verbatim in the paragraphs above.

These and other issues detailed in the report led the European Data Protection Supervisor, which is the primary bureaucratic guardian of personal data in the European legislative system, to heavily criticise the data retention scheme in a detailed opinion paper (PDF). In a statement in May, the office of the EDPS wrote:

“After careful analysis of the Evaluation Report, the EDPS takes the view that the Directive does not meet the requirements imposed by the fundamental rights to privacy and data protection, mainly for the following reasons:

• The necessity for data retention as provided in the Directive has not been sufficiently demonstrated;
• Data retention could have been regulated in a less privacy-intrusive way;
• The Directive leaves too much scope for Member States to decide on the purposes for which the data might be used, and also for establishing who can access the data and under which conditions.”

Peter Hustinx, the EDPS, said: “Although the Commission has clearly put much effort into collecting information from the Member States, the quantitative and qualitative information provided by the Member States is not sufficient to draw a positive conclusion on the need for data retention as it has been developed in the Directive. Further investigation of necessity and proportionality is therefore required, and in particular the examination of alternative, less privacy-intrusive means”.

The global Electronic Frontiers Foundation issued a statement, noting: “Mandatory data retention creates huge potential for abuse and should be rejected as a serious infringement on the rights and freedoms of individuals. These laws support pervasive surveillance of every ordinary citizen and should not be tolerated in countries where freedom is valued. Courts in Romania, Germany, and the Czech Republic have ruled that national data retention laws based on the 2006 European Data Retention Directive, are unconstitutional. A court in Ireland has referred a data retention case to the European Court of Justice and questioned the legality of the entire EU Data Retention Directive.”

Roxon has not referred to any of these criticisms of the European Data Retention Directive in her speeches and comments on the matter, but Australian organisations opposed to the implementation of a similar data retention scheme locally are clearly aware of the international reception of the European scheme.

In a note appended to its publication of comments by Roxon on the matter, for example, the Pirate Party of Australia this week wrote: “EU Data Retention Directive was declared unconstitutional in the Czech Republic. Sweden implemented it, but for only 6 months. Germany’s Federal Constitutional Court declared it unconstitutional. Romania also declared it unconstitutional. Serbia implemented 6 month retention.”

Background
In general, the Government’s data retention and surveillance package has attracted a significant degree of criticism from the wider community over the past few months since it was first mooted. Digital rights lobby group Electronic Frontiers Australia has described the new powers as being akin to those applied in restrictive countries such as China and Iran, while the Greens have described the package as “a systematic erosion of privacy”.

In separate submissions to the Parliamentary Joint Committee on Intelligence and Security inquiry into the reforms, a number of major telecommunications companies including iiNet and Macquarie Telecom, as well as telco and ISP representative industry groups, have expressed sharp concern over aspects of the reform package, stating that “insufficient evidence” had been presented to justify them. And Victoria’s Acting Privacy Commissioner has labelled some of the included reforms as “being characteristic of a police state”.

The Institute of Public Affairs, a conservative and free market-focused think tank, wrote in its submission to the parliamentary inquiry on the matter that many of the proposals of the Government were “unnecessary and excessive. “The proposal … is onerous and represents a significant incursion on the civil liberties of all Australians,” wrote the IPA in its submission, arguing that the data retention policy should be “rejected outright”. And one Liberal backbencher, Steve Ciobo, has described the new proposal as being akin to “Gestapo” tactics.

In addition, last week The Australian newspaper reported that about a dozen Coalition MPs had bitterly complained about the data retention proposals in a passionate party room meeting, with Opposition Leader Tony Abbott being urged to directly pressure the Government on the issue.

Roxon and agencies such as the Australian Federal Police have attempted to justify the need for a data retention scheme by stating that the increasing use of the Internet by criminals has made traditional telecommunications interception powers less useful.

“The need to consider a data retention scheme has come about because of changes in technology that have affected the behaviour of criminal and national security suspects,” said Roxon this week. “Targets of interest now utilise the wide range of telecommunications services available to them to communicate, coordinate, manage and carry out their activities. The ability to lawfully access telecommunications data held by the telecommunications industry enables investigators to identify and build a picture of a suspect, provides vital leads of inquiry and creates evidence for alibis and prosecutions.”