DRletter

Aus Freiheit statt Angst!

Version vom 18:32, 29. Aug. 2010

Recipients

1. Cecilia Malmström, European Commissioner for Home Affairs, BE-1049 Brussels, Belgium
2. Viviane Reding, European Commission Vice-President with responsibility for Justice, Fundamental Rights and Citizenship, BE-1049 Brussels, Belgium
3. Neelie Kroes, European Commission Vice-President with responsibility for the Digital Agenda

Draft text

Cecilia Malmström

European Commissioner for Home Affairs

BE-1049 Brussels

Dear Ms Malmström,

Thank you for your reply of 12 July to the joint letter of more than 100 organisations from 23 European countries asking you to “propose the repeal of the EU requirements regarding data retention in favour of a system of expedited preservation and targeted collection of traffic data”.

I welcome your intention to assess the proportionality of directive 2006/24, and I support the opinion you gave in this regard as a Member of European Parliament: “I have so far not been convinced by the arguments for developing extensive systems for storing data, telephone conversations, e-mails and text messages. Developing these would be a very major encroachment on privacy, with a high risk of the systems being abused in many ways. The fact is that most of us, after all, are not criminals.”^[1]

In your reply of 12 July you ask for more information regarding two statements in our letter: “Studies prove that the communications data available without data retention are generally sufficient for effective criminal investigations. Blanket data retention has proven to be superfluous, harmful or even unconstitutional in many states across Europe, such as Austria, Belgium, Germany, Greece, Romania and Sweden.”

1) Blanket data retention has proven to be superfluous

This statement firstly relies on the experience of states around the world whose law enforcement agencies operate successfully without relying on blanket data retention. Among these states are Germany, Austria, Belgium, Greece, Romania, Sweden, Canada and EU member states with data retention legislation that is not yet being applied. The absence of data retention legislation does not lead to a rise in crime in those states, or to a decrease in crime clearance rates, not even in regard to Internet crime. Nor did the coming into force of data retention legislation have any statistically significant effect on crime or crime clearance.

This is exemplified by statistics published by the German Federal Crime Agency (BKA) and the State Crime Agency (LKA) of North Rhine-Westphalia:

Notwithstanding this comprehensive evidence, I would like to recall that we cannot be expected to prove that blanket data retention is superfluous. The onus of proof regarding the alleged necessity of blanket data retention is clearly on its proponents. In our response^[2] to your evaluation questionnaire we have explained why access statistics, anecdotal evidence or perceived utility^[3] do not prove a need for blanket data retention: Successful requests for traffic data retained under directive 2006/24 do not prove that data would otherwise have been lacking, despite the commercial billing data stored under directive 2002/58 and extra data stored in compliance with specific judicial orders. Even where extra data is disclosed under data retention schemes, it often has no influence on the outcome of investigation procedures.

The utility of access to communications data by law enforcement agencies does not mean that there was a need to retain such data indiscriminately. The European Court of Human Rights has consistently held that mere usefulness does not satisfy the test of necessity.^[4] As there is a danger that the Commission might rely on inconclusive data provided by member states, I would like to cite the European Court of Human Rights' critical comments on similar data regarding the retention of biometric data: “It is true, as pointed out by the applicants, that the figures do not reveal the extent to which this 'link' with crime scenes resulted in convictions of the persons concerned or the number of convictions that were contingent on the retention of the samples of unconvicted persons. Nor do they demonstrate that the high number of successful matches with crime-scene stains was only made possible through indefinite retention of DNA records of all such persons. At the same time, in the majority of the specific cases quoted by the Government (see paragraph 93 above), the DNA records taken from the suspects produced successful matches only with earlier crime-scene stains retained on the data base. Yet such matches could have been made even in the absence of the present scheme”.^[5]

An independent study commissioned by the German government found that among a sample set of 1.257 law enforcement requests for traffic data made in 2005, only 4% of requests could not be (fully) served for a lack of retained data.^[6] Taking into account the total number of criminal investigation procedures in 2005, only 0.01% of investigations were affected by a lack of traffic data.^[7] About one third of the suspects in those procedures were still taken to court on the basis of other evidence.^[8] Moreover 72% of investigations with fully successful requests for traffic data did not result in an indictment.^[9] All in all, blanket data retention would have made a difference to only 0.002% of criminal investigations.^[10] This number does not change significantly when taking into account that in the absence of a blanket data retention scheme, less requests are made in the first place.^[11]

The German Federal Crime Agency (BKA) counted only 381 criminal investigation procedures in which traffic data was lacking in 2005.^[12] In view of a total of 6 million procedures in 2005, no more than 0.01% of criminal investigation procedures were potentially affected. In the absence of a blanket traffic data retention regime, German law enforcement agencies have consistently cleared more than 70% of all reported Internet offences, significantly outperforming the average crime clearance rate of about 50%. The coming into force of data retention legislation did not have any statistically significant effect on crime rates or crime clearance rates.

2) Blanket data retention has proven to be harmful

A poll^[13] of 1,000 Germans found in 2008 that indiscriminate bulk data retention is acting as a serious deterrent to the use of telephones, mobile phones, e-mail and Internet. The survey conducted by research institute Forsa found that with communications data retention in place, one in two Germans would refrain from contacting a marriage counsellor, a psychotherapist or a drug abuse counsellor by telephone, mobile phone or e-mail if they needed their help. One in thirteen people said they had already refrained from using telephone, mobile phone or e-mail at least once because of data retention, which extrapolates to 6.5 mio. Germans in total. There can be no doubt that obstructing confidential access to help facilities poses a danger to the physical and mental health of people in need as well as of the people around them.

In a poll of 1,489 German journalists commissioned in 2008, one in fourteen journalists reported that the awareness of all communications data being retained had at least once had a negative effect on contacts with their sources.^[14] The inability to electronically receive information through untraceable channels with blanket data retention in place affects not only the press, but all watchdogs including government authorities.

Apart from this statistical evidence the German Working Group on Data Retention has received ample reports on negative effects of data retention, which have been summarised in our response to your evaluation questionnaire.^[15] The indiscriminate retention of all communications data turned out to disrupt confidential communications in many areas, affecting victims of sexual abuse, political activists, journalists, accountants, lawyers, businessmen, psychotherapists, drugs advisers and crisis line operators.

A poll of 2,176 Germans found in 2009 that 69.3% oppose data retention, making it the most strongly rejected surveillance scheme of all, including biometric passports, access to bank data, remote computer searches or PNR retention.^[16] It appears the public opinion has not yet been tested on a European scale. We would be happy to assist in preparing a Eurobarometer poll on the matter though. A 2008 Eurobarometer poll found that a large majority of 69-81% of EU citizens rejected the idea of “monitoring” the Internet use or phone calls of non-suspects even in light of the fight against international terrorism.^[17]

3) Blanket data retention has proven to be unconstitutional

Last year the Romanian Constitutional Court found that data retention per se breached Article 8 of the European Convention on Human Rights: “[Data retention] equally addresses all the law subjects, regardless of whether they have committed penal crimes or not or whether they are the subject of a penal investigation or not, which is likely to overturn the presumption of innocence and to transform a priori all users of electronic communication services or public communication networks into people susceptible of committing terrorism crimes or other serious crimes. Law 298/2008 [applies] practically to all physical and legal persons users of electronic communication services or public communication networks – so, it cannot be considered to be in agreement with the provisions in the Constitution and Convention for the defence of human rights and fundamental freedoms regarding the guaranteeing of the rights to private life, secrecy of the correspondence and freedom of expression.”^[18]

The Federal Constitutional Court of Germany then ruled the German data retention requirements unconstitutional and void for being disproportionate in their concrete form.^[19] Although the Court considered that data retention did not per se breach the German constitution, it did not assess the compatibility of data retention with the European Convention on Human Rights, or with the EU Charter of Fundamental Rights.

There are further complaints pending before the Hungarian Constitutional Court^[20] and before the Irish High Court. Recently, the Irish High Court ruled in favour of a request to challenge the Data Retention Directive at the EU Court of Justice.^[21] The Court found that data retention had the potential to be of “importance to the whole nature of our society”. “[I]t is clear that where surveillance is undertaken it must be justified and generally should be targeted”. The Court ruled that civil liberties campaign group Digital Rights Ireland had the right to contest “whether the impugned provisions violate citizen's rights to privacy and communications” under the EU treaties, the European Convention on Human Rights and the EU Charter of Fundamental Rights. The reference to the EU Court of Justice is expected in the next weeks.

The Court of Justice can be expected to follow the previous rulings and annul directive 2006/24, having regard to the jurisprudence of the European Court of Human Rights. The Grand Chamber of the latter Court found in 2008 that the retention of biometrics on mere suspects breached Article 8 of the European Convention on Human Rights: “In conclusion, the Court finds that the blanket and indiscriminate nature of the powers of retention of the fingerprints, cellular samples and DNA profiles of persons suspected but not convicted of offences, as applied in the case of the present applicants, fails to strike a fair balance between the competing public and private interests and that the respondent State has overstepped any acceptable margin of appreciation in this regard. Accordingly, the retention at issue constitutes a disproportionate interference with the applicants' right to respect for private life and cannot be regarded as necessary in a democratic society.”^[22] This assessment of the collection of identification data on 5 million citizens^[23] must, a fortiori, apply to the much larger collection of information on the daily communications of 500 million citizens throughout the EU.

4) Proposal

Repealing directive 2006/24 would not prevent member states from maintaining data retention schemes and would remove the upper limits the directive sets. We are therefore currently discussing, both in our coalition and with industry, a joint proposal to limit the application of directive 2006/24 to Member States that decide to impose data retention nationally. According to this proposal, directive 2006/24 should be amended to give Member States a choice: First the option of sticking with directive 2002/58 and the Council of Europe's Convention on Cybercrime that sets an international standard for a system of expedited preservation and targeted collection of traffic data. Second the option of a harmonised and minimised data retention scheme with compulsory cost reimbursement for providers. There are many advantages to such a two-pronged proposal in comparison to a mere repetition, more or less, of the initial proposal that was put forward by the Commission in 2005.^[24] I am setting out some of those advantages in a separate document attached to this letter.

We would welcome very much your embracing of this concept in the upcoming evaluation report, and in a subsequent legislative proposal. Please be assured of our full support in removing the compulsory EU requirements regarding blanket communications data retention.

Yours sincerely,

...

cc.

• Ms Viviane Reding, Vice President
• Ms Neelie Kroes, Vice President

Draft Proposal regarding Telecommunications Data Retention

The EU data retention directive, adopted in 2006, currently requires all 27 EU Member States to compel telecommunications and Internet companies to indiscriminately collect data about all of their customers' communications. “The majority of Member States do not reimburse costs incurred by operators to retain and retrieve data”, the Commission reports. Industry has so far been lobbying for replacing the current directive with a harmonised data retention regime that includes a cost reimbursement provision.

Why should the Commission not solely propose a harmonised data retention regime with compulsory cost reimbursement?

A proposal to this effect is unlikely to succeed and may result in no changes to the data retention directive at all. This would mean that all providers in the EU would continue to be compelled to retain and hand over varying types of data, mostly at their own expense.

The Commission's initial proposal for the data retention directive (COM/2005/0438) already once suggested a uniform data retention regime with compulsory cost reimbursement. This proposal was clearly rejected by Member States due to differing legal traditions and due to the high cost of blanket data retention. This situation persists in 2010. It is unlikely a voting majority of the 27 EU Member States would be prepared to accept a uniform data retention regime with compulsory cost reimbursement.

In addition, even where some cost reimbursement is in place, it generally covers only a share of the total cost of retrieving, storing and handing over of bulk data. Data retention is never profitable but always troublesome and distracts providers from their business. The constant risk of a theft, loss or abuse of sensitive communications data puts providers' reputation at risk. Customers generally dislike a blanket retention of their communications data in the absence of any suspicion.

What proposal should the Commission make instead?

The EU data retention directive should offer two alternatives to member states: First the option of a modest and harmonised data retention scheme with compulsory cost reimbursement. Second the option of no national data retention scheme at all (but instead a system of expedited preservation and targeted collection of traffic data as agreed in the Council of Europe's Convention on Cybercrime).

What are the advantages of an optional approach?

National data retention provisions need to be harmonised only where they are in place. In other member states directive 2002/58 is achieving an even better harmonization. With a choice of a harmonised regime or no data retention scheme at all, the legal situation would become much more harmonised than under directive 2006/24. Making data retention optional at the EU level would also remove the legal risk of directive 2006/24 being annulled. Furthermore it would take into account the situation of Member States that are legally unable (Romania) or politically unwilling to introduce blanket data retention legislation.

For industry, optional data retention is the only feasible way to prevent Member States from adopting or maintaining costly and uncompensated data retention requirements. Member States are more likely to accept a harmonised data retention regime with compulsory cost reimbursement if they are given the alternative to opt out. Some Member States would be happy not to introduce data retention requirements at all for political, constitutional of financial reasons. The German liberal party has already decided not to re-introduce data retention legislation if given a choice by the EU. Romania has been ordered not to re-introduce data retention legislation by its Constitutional Court. At present several states across Europe do not have data retention requirements in place (e.g. Austria, Belgium, Germany, Greece, Romania, Sweden). Whereas the current data retention directive will ultimately force thousands of providers in these countries to retain data at their own cost, an optional directive would take that burden off those providers entirely. Other Member States would still insist on having data retained, but could be convinced to accept having to compensate providers by at least reimbursing a fair share of their costs.

For citizens, making data retention optional would finally give national parliaments, the citizens (in referendums) and Constitutional Courts the opportunity to opt for a targeted approach instead of indiscriminately having the entire population's communications data retained.

The Commission, industry and civil society jointly pushing for an optional directive as set out above could create political majorities that would otherwise not be possible to achieve. Civil society is a major political factor and has a strong interest in making the data retention directive optional. In June, more than 100 organisations from 23 European countries spoke out against data retention, including major NGOs such as EDRi, FFII and Human Rights Watch.

1. ↑ Debate of 7 September 2005, http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+CRE+20050907+ITEM-002+DOC+XML+V0//EN&query=INTERV&detail=3-044.
2. ↑ Antworten auf den Fragebogen der Europäischen Kommission vom 30.09.2009 zur Vorratsdatenspeicherung, http://www.vorratsdatenspeicherung.de/images/antworten_kommission_vds_2009-11-13.pdf, p. 29.
3. ↑ Such as cited in the “Overview of information management in the area of freedom, security and justice”, COM(2010)385, p. 36, as well as in a “Room Document”, http://www.vorratsdatenspeicherung.de/images/RoomDocumentEvaluationDirective200624EC.pdf.
4. ↑ Silver v. UK (1983) 5 EHRR 347, § 97.
5. ↑ Marper v United Kingdom (2009) 48 EHRR 50, § 116.
6. ↑ Max Planck Institute for Foreign and International Criminal Law, The Right of Discovery Concerning Telecommunication Traffic Data According to §§ 100g, 100h of the German Code of Criminal Procedure, March 2008, http://dip21.bundestag.de/dip21/btd/16/084/1608434.pdf, p. 150.
7. ↑ Starostik, Pleadings of 17 March 2008, http://www.vorratsdatenspeicherung.de/images/schriftsatz_2008-03-17.pdf, p. 2.
8. ↑ Starostik, Pleadings of 17 March 2008, p. 2.
9. ↑ Starostik, Pleadings of 17 March 2008, p. 2.
10. ↑ Starostik, Pleadings of 17 March 2008, p. 2.
11. ↑ Starostik, Pleadings of 17 March 2008, p. 2.
12. ↑ Starostik, Pleadings of 17 March 2008, p. 2.
13. ↑ Forsa, Opinions of citizens on data retention, 2 June 2008, http://www.eco.de/dokumente/20080602_Forsa_VDS_Umfrage.pdf or http://www.webcitation.org/5sLeT8Goj.
14. ↑ Meyen/Springer/Pfaff-Rüdiger, Free Journalists in Germany, 20 May 2008, http://www.dfjv.de/fileadmin/user_upload/pdf/DFJV_Studie_Freie_Journalisten.pdf or http://www.webcitation.org/5sLdXIt55, p. 22.
15. ↑ Antworten auf den Fragebogen der Europäischen Kommission vom 30.09.2009 zur Vorratsdatenspeicherung, http://www.vorratsdatenspeicherung.de/images/antworten_kommission_vds_2009-11-13.pdf, p. 2.
16. ↑ Infas poll, http://www.vorratsdatenspeicherung.de/images/infas-umfrage.pdf.
17. ↑ Flash Eurobarometer, Data Protection in the European Union, February 2008,http://ec.europa.eu/public_opinion/flash/fl_225_en.pdf, p. 48 (32+18+19=69%, 35+21+25=81%).
18. ↑ Constitutional Court of Romania, decision of 8 October 2009, http://www.legi-internet.ro/english/jurisprudenta-it-romania/decizii-it/romanian-constitutional-court-decision-regarding-data-retention.html.
19. ↑ Federal Constitutional Court of Germany, decision of 2 March 2010, http://www.bverfg.de/en/press/bvg10-011en.html.
20. ↑ Hungarian Civil Liberties Union, Constitutional Complaint Filed by HCLU Against Hungarian Telecom Data Retention Regulations, 2 June 2008, http://tasz.hu/en/data-protection/constitutional-complaint-filed-hclu-against-hungarian-telecom-data-retention-regulat.
21. ↑ High Court of Ireland, decision of ..., http://www.scribd.com/doc/30950035/Data-Retention-Challenge-Judgment-re-Preliminary-Reference-Standing-Security-for-Costs.
22. ↑ European Court of Human Rights, decision of 4 December 2008, http://www.webcitation.org/5g6FzdBr4, § 125.
23. ↑ Human Genetics Commission, Nothing to hide, nothing to Fear?, November 2009, http://www.hgc.gov.uk/UploadDocs/DocPub/Document/Nothing%20to%20hide,%20nothing%20to%20fear%20-%20online%20version.pdf, p. 4.
24. ↑ COM(2005)438.