In March 2006 the European Union adopted a directive on the retention of traffic and location data which aimed to put an end to a vigorous debate on this issue among European Union institutions, industry players and privacy advocates. In this paper we shall offer a critical analysis of the detailed provisions of the directive in the light of the implementation procedures in the various Member States.
The retention of traffic and location data has been at the centre of discussion for several years within the European Union. Notwithstanding the existence of major differences in the approaches to the issue among the bodies of the European Union, privacy advocates and industry players [1], the European Union adopted in March 2006 a directive[1] to regulate it. However the debate regarding telecommunications data retention did not appear to stop. Ireland has challenged the directive before the European Court of Justice[2], arguing that the legal basis chosen for its adoption was not correct and that the relevant legal instrument should have been taken under the Third Pillar. The directive should be transposed into national law by the 15[th] of September 2007,
- 55/56 -
but it appears that the majority of e Member States will not complete the implementation procedures before this date.
Although attempts to regulate the retention of traffic data for criminal investigation and prosecution purposes were introduced at least five years ago [2], the point of decision for the adoption of such a European legal instrument came with the terrorist attacks in Madrid. In fact, soon after the attacks took place, the Council in its declaration on combating terrorism of March 2004[3] considered the retention of communications traffic data by service providers as an adequate measure to combat terrorism and urged that proposals be made for establishing relevant rules, stressing that these proposals 'should be given priority with a view to adoption by June 2005'[4].
One month later, the French Republic, Ireland, the Kingdom of Sweden and the United Kingdom prepared a proposal for the adoption by the Council of a 'Framework Decision on the retention of data processed and stored in connection with the provision of publicly available electronic communications services or data on public communications networks for the purpose of prevention, investigation, detection and prosecution of crime and criminal offences including terrorism'[5]. This was the beginning of a very difficult period within the European Union. This was characterised by official but secret negotiations among the Council, the Commission and the European Parliament, as well as by serious opposition from civil liberties organisations[6] and industry actors, but it ended with the adoption of the recent Data Retention Directive.
The European Data Protection Supervisor (EDPS) issued an opinion on the Proposal for the Data Retention Directive[7] in which he stated that '[he] is as yet not convinced of the necessity of the retention of traffic and location data for law enforcement purposes, as established in the proposal'[8].
Moreover he gave his view that in order for the directive to be acceptable, the actual needs of law enforcement should be taken into consideration for the determination of the retention period or the data that are to be stored. Furthermore, he asked that the provisions of the directive respect the rights of the data subjects and general data protection principles.
However, the directive did not take into consideration all the recommendations and comments that were made by the EDPS. In fact, the aforementioned Opinion itself was not mentioned in the preamble to the Directive despite the fact that it was specified in the Opinion due to the mandatory character of Article 28 (2) of Regulation 2001/45/EC[9].
The scope of the Data Retention Directive is to ensure that traffic and location data, as well as data that are necessary to identify the subscriber or registered user, will be available for the purpose of 'investigation, detection and prosecution of serious crime, as defined by each Member State in its national law', Contrary to the initial plans of the Council, the directive does not include the prevention of crimes within its scope of application.
The directive does not include a definition of the term 'serious crime', a task which is left to the Member States to regulate in their national legislations. The Council urged Member States 'to have due regard to the crimes listed in article 2(2) of the Framework Decision on the European Arrest Warrant[10] and crime involving telecommunication'[11]. Nevertheless, due to the fact that each Member State is to define serious crime individually, deviations in the scope of application of the directive are to be expected. The demands already expressed in Germany illustrate how the definition of 'serious crime' can be stretched and provide a powerful argument to the effect that Member States should be very careful when they transpose the directive into their national legislation.
The Director of the German Chapter of the International Federation of Phonogram and Videogram Producers (IFPI) called for the rapid implementation of the Data Retention Directive so that data records could be made available for civil law disclosures and file-sharers could be traced. This demand produced a reaction from Hannes Federrath, Professor of Information Security Management at the University of Regensburg, who reminded the representatives of rights-holders that "what [they] are demanding here goes beyond what prosecutors of consumers of child pornography get".[12]
The directive aims at the harmonisation of the obligations of providers of publicly available communications services or public communication networks. The terms 'electronic communications network'[13] and 'electronic communications service'[14] are defined in article 2 (a) and (c) of the Framework Directive[15] respectively. The wording of the definitions can lead to a very broad interpretation of the term and so to a very broad group of providers who qualify as 'providers of public communications networks'. In any case, the directive missed the opportunity to define the term 'providers of publicly available communications services or public communication networks' in detail and avoid differing interpretations among Member States. The Article 29 Working Party has also identified the need for clarification of these two terms, stating explicitly that "both definitions 'electronic communications services and 'to provide an electronic communications network' are still not very clear and that both terms should be explained in more detail in order to allow for a clear and unambiguous interpretation by data controllers and users alike"[16]
A Jogkódex-előfizetéséhez tartozó felhasználónévvel és jelszóval is be tud jelentkezni.
Az ORAC Kiadó előfizetéses folyóiratainak „valós idejű” (a nyomtatott lapszámok megjelenésével egyidejű) eléréséhez kérjen ajánlatot a Szakcikk Adatbázis Plusz-ra!
Visszaugrás
