On 9 and 10 November 2010 the representatives of the EDRi-member Panoptykon Foundation met with the representatives of the European Commission in order to discuss the evaluation of the Data Retention Directive (DRD) and the rationale behind the regime of blanket data retention. The meetings were held with representatives from Reding Cabinet first and secondly with members of the Directorate General for Home Affairs - DG Home. The following is a summary of the main issues that were discussed according to Panoptykon's point of view.
It seems that the Commissioner Reding remains very critical about the current data protection regime. The following might be identified as the main problems with the Directive: (i) there is too much room for interpretation for Member States as to what "serious crime" means; (ii) retention periods are too long; (iii) the scope of data to be retained remains undefined (especially with regard to the Internet); (iv) there should be an obligatory judicial control mechanism provided in the DRD itself.
On the next day with DG Home there were discussed three main problems: (i) the evaluation process and their plans for the near future; (ii) the implementation of DRD and its planned revision; (iii) the proportionality of the data retention regime in principle.
Regarding the evaluation process, DG Home admitted that they were still working on the report and 3 March 2011 remains their internal deadline for publishing it. The delay in the process is due to the lack of response from the Member States - only 13 responded, sending rather low quality data (e.g. no statistical information on how the retained data was used and with what effect for law enforcement). Only the UK made an effort to give more insight into how the retained data was used in investigations.
There might be nine key issues in the evaluation report: purpose, period, scope, modalities, authorities, operators, costs, crime and data security. Later on, DG Home will probably move on to make an impact assessment, which is officially treated as a second stage of the whole process. This will include public consultation and the invitation to voice concerns. The third stage will be the drafting of a proposal for DRD revision. The important thing is that there will be a proposal for review and not just re-casting of the DRD.
As far as the implementation and considered revision of DRD is concerned, from the discussion with DG Home it appears that not a single Member State has implemented the directive as it was intended by the Commission. However, it seems that the evaluation report will not mention particular states.
While discussing the shortening of the retention period, DG Home quoted a survey saying that while the retained data is requested within the first 3-6 months in investigating minor crimes or offences, in the case of most serious crimes (like terrorism) data is requested even 2 years after the crime occurred. So the argument is that if someone wants to fulfill the original goal of the DRD, a long retention period might be a necessity.
It was our understanding that DG Home seems convinced that the amount of data stored byoperators under DRD remains the same as it was under the e-Privacy Directive (Art.15). Also that DRD remains an alternative legal basis for implementing the data retention regime to Art.15 of the e-Privacy Directive . That would mean that DRD was not seen as lege specialis (!).
Finally, on the point of the adaptation of the data retention regime to "technological change", there were possibilities of increasing the scope of DRD to cover Information Society Service providers like Google or Facebook. This is because the data retention in the current shape might be seen as not efficient and easy to circumvent.
A long discussion related with the proportionality issue. One opinion was that the reasoning applied by the European Court of Justice in the Marper case can be used to legitimise the blanket data retention regime. This might be understand as the Court criticised "indiscriminate and blanket" retention of data only on the grounds of the time factor (i.e. that DNA profiles were supposed to be stored forever) and not to the scope of the data collected (i.e. that UK wanted to collect and store data of everyone who has ever been suspected of committing an offence). Therefore blanket data retention might remain, in some views, legitimate and proportional as long as it is limited in time (e.g. the maximum period of 2 years).
The article was originaly published in EDRi-gram newsletter - Number 8.22, 17 November 2010.