This piece was posted on the Bits of Freedom blog on 8 December 2010. I still think it is a quite accurate and informative take on the Data Retention Directive evaluation.
The evaluation of the controversial Data Retention Directive takes an unexpected turn, for the worse. At a crucial one-day conference in Brussels, aimed at gathering input for the evaluation, long-term critic of the Directive Commissioner Malmström (Home Affairs) surprisingly announced that ‘data retention is here to stay’. The statement not only disregards legal developments since 2005, the damage done by telecommunications data retention to 500 million Europeans and lack of evidence that such a measure is necessary and proportionate. On top of that, the Commissioner undermines the entire evaluation process and evidence-based decision making itself. To great risk, because our fundamental freedoms and the very nature of our free and open societies are at stake.
Data retention controversial and deemed unconstitutional
The Data Retention Directive obligates the storage of telecommunications data on every communication (phone calls, sms, e-mail, etc.) made by each and every European, to guarantee its availability for the investigation of ‘serious crimes’. The measure is highly controversial, because the telecommunication traffic and location data of every citizen is logged before crimes are committed and regardless of suspicion. And the necessity of this surveillance was never proven before the measure was taken. Five years later, data retention proponents still fail to prove this necessity, while constitutional courts in Germany and Romania respectively deemed data retention in breach of the German constitution and even article 8 of the European Convention of Human Rights – in which our right to privacy is enshrined.
Evaluation ‘moment of truth’ for data retention
Realizing the evaluation report was due in 15 September 2010 and in search of wisdom, the European Commission took the excellent initiative to organise a conference on 3 December 2010 that brought together experts from police forces, national ministries, data protection authorities, industry, civil society and the scientific community. At the crowded event, Dutch European Digital Rights member Bits of Freedom gave one of the opening speeches: ‘What the European Commission owes 500 million Europeans’ (PDF). Our speech concludes that the Commission cannot maintain the principle of data retention, summing up the overwhelming evidence against this measure, including essential changes in EU Treaty law, European Courts of Human Rights (ECtHR) and European Court of Justice (ECJ) case-law and the collateral damage done by the invasive surveillance measure. The passionate speech of Mr. Lewis Benjamin, the British National Coordinator on Serious Organised Crime, did not add any new arguments to the day, while the European Data Protection Supervisor Mr. Peter Hustinx, inferred (PDF) in a powerful delivery that data retention is ‘the most privacy invasive instrument ever adopted by the EU’ and called the current evaluation ‘the moment of truth’ for this ‘notorious’ Directive.
Commissioner Malmström undermines evaluation process and resonates fairy tales
This moment of truth was not seized at all by Commissioner Malmström. On the contrary, the Commissioner exposed that ‘we need to recognize that data retention is here to stay’. Her statements contrasted with the sole purpose of the entire day, which was to have an open debate on the evaluation of the measure and the failing evidence that caused the delay of the evaluation.
Apart from that, the Commissioner added to have ‘good reasons’ for maintaining the measure. Her reasoning was not close to the truth, but far from it. The fairy tale that cybercrime would be difficult to investigate without data retention, had been deconstructed months ago by civil society in a 3 September 2010 letter (PDF) to the Commissioner. The letter refers to official German statistics, that point out that the investigation of cybercrime was more successful in the absence of data retention, than after its implementation in German law. This illustrates that the investigation of serious crime depends on expertise and capacity of law enforcement agencies, not on the blanket data retention of each communication of every citizen in the European Union.
A second argument, the fact that law enforcement agencies in one particular Member State use these sensitive data in an overwhelming 86% of all criminal proceedings, does not prove that their retention is necessary. In stead, it reveals that this particular Member State has a rather wide definition of ‘serious crimes’ and proves the Directive fails at restricting the use of the sensitive data.
Disturbingly, the Commissioner reported ‘no evidence that it (data retention) has led to serious abuse in any concrete cases’, while civil society has been sending reports of abuse repeatedly to the Commissioner. But Bits of Freedom had named several in its lecture and during the Q&A after the speech of the Commissioner, our Polish colleagues of Panoptykon Foundation reminded the Commissioner of their letter on targeted surveillance of journalists by Polish intelligence agencies (PDF). (UPDATE 16.02.11: The German Working Group on Data Retention, ‘AK Vorrat’, recently published a folder on abuse cases in the EU: ‘There is no such thing as secure data’ [PDF])
EU will force Member States to adopt data retention, according to Commissioner
After all these years, no independent and solid proof that data retention substantially contributes to the law enforcement effort has been brought forward. Meanwhile, data retention clearly violates our right to privacy and erodes the confidentiality of communications in unprecedented ways, as it is the first time that every citizen is affected, not just those under suspicion of a severe and serious crime. As such, data retention harms the very nature of free and open societies that respect the fundamental freedoms of its citizens.
But if a country believes or its constitutional court judged data retention to be unnecessary and unconstitutional, the Commissioner clarified that it should be taken to the European Court of Justice for failing to implement an EU Directive. This implies that countries such as Germany, Romania, Austria and Sweden will be forced to adopt data retention. This is merely the wrong way for the EU, it is downright dangerous for the Commission to force a Member States to adopt laws that violate their constitution.
No moment of truth, but a momentary lapse of reason
Rather than a moment of truth, the current phase of the evaluation turns out to be a – hopefully only momentary – lapse of reason. For now, we must draw the unsatisfactory conclusion that support for fundamental rights, thorough legal analysis, evidence-based decision making and moral courage are absent. We had expected otherwise from this Commissioner. In 2005, then a Member of European Parliament, Ms. Malmström sharply criticised the adoption of data retention in the 2006 Directive, saying:
“I have so far not been convinced by the arguments for developing extensive systems for storing data, telephone conversations, e-mails and text messages. Developing these would be a very major encroachment on privacy, with a high risk of the systems being abused in many ways. The fact is that most of us, after all, are not criminals.”
She could have maintained this position at the conference, as the overwhelming evidence against data retention mounts up. In any case, she should have awaited the publication of the report before claiming that data retention is here to stay. By doing so, our faith in her determination to stand up evidence-based decision making and for fundamental freedoms of 500 million Europeans is fading.
Momentary – depending on what the entire Commission stands for
Nevertheless, the unexpected statements of the Commissioner could turn out to be momentary. Each member of the Commission swore, for the first time in history, a legally binding oath before the European Court of Justice to respect the Fundamental Rights Charter on 3 May of this year. In 2011, the same European Court of Justice will rule on the constitutionality of the principle of data retention, after a referral of this question by the Irish High Court. The Commission might realize in time that it will lose its credibility, once the Court – taking note of the ECJ Schecke (§86) and ECtHR Marper (§119-125) judgements – rules data retention in breach of our fundamental rights to privacy. Better stand up for the rights of 500 million citizens now, then feeling sorry afterwards.
‘We shouldn’t put the privacy of all citizens at risk’, Commissioner Reding (Justice, Fundamental Rights and Citizenship) told Dutch newspaper NRC Handelsblad recently. So the Commission is divided on this controversial issue. In the evaluation report, to be published in the first quarter of 2011, the entire Commission will have its say. Is data retention here to stay? We might as well expect the unexpected.
UPDATE (11.03.11): Yesterday, DG Home sent its own “REPORT on the DATA RETENTION CONFERENCE: TAKING ON THE DATA RETENTION DIRECTIVE” (PDF) to all attendees.