Protokoll des Expertentreffens zu Implementierungsfragen der Vorratsdatenspeicherung vom 2. April 2008: Unterschied zwischen den Versionen
Zeile 1: | Zeile 1: | ||
== Englische Version == | == Englische Version == | ||
− | + | The third meeting of the informal data retention experts group took place on 2 | |
− | + | April 2008 under the joint chairmanship of the Commission's Directorates General | |
− | + | Justice, Freedom and Security and Information Society and Media. Representatives | |
− | + | of all the stakeholders referred to in Recital 14 of Directive 2006/24/EC were invited | |
− | + | to participate at the experts meeting, namely associations of the electronic | |
− | + | communications industry, Member State law enforcement authorities, | |
− | + | representatives of the European Parliament and data protection authorities, | |
− | + | including the European Data Protection Supervisor. The Agenda is at Annex I; the | |
− | + | list of invitees is at Annex II. | |
+ | |||
=== OPENING REMARKS === | === OPENING REMARKS === | ||
− | + | Mme. Cecilia Verkleij Head of Sector – DG Justice Freedom and Security | |
− | + | reminded that the main focus of this meeting will be discussion of a number of | |
− | + | Industry Association papers addressing a series of scoping and other issues under | |
− | + | the Data Retention Directive. In addition to the data security and centralised data | |
− | + | storage papers, the Agenda lists all the Industry papers which are currently | |
− | + | envisaged by Industry Associations. These papers will be further progressed | |
− | + | between now and the next expert group meeting (likely to take place in June 08) | |
− | + | when they should be in final or near final form. At an appropriate time we may | |
− | + | publish the papers as the output of the experts group. This will help promote a | |
− | + | common EU orientation to some of the complex scoping and other issues raised by | |
− | + | the Directive. | |
− | + | On 25 March 08 the Commission adopted its decision on the setting up of the | |
− | + | formal data retention experts group. The next meeting should therefore be the first | |
− | + | meeting of the formal data retention experts group. In terms of the work of the | |
− | + | group, we do not envisage any significant change – the group will continue to | |
− | + | encourage and facilitate a common orientation on the application of the Directive. | |
− | + | Over time its focus is likely to move from industry issues to law enforcement issue | |
− | + | and address questions about whether the Directive is achieving its objectives, | |
− | + | particularly in the light of developing technologies. The formal Data Retention | |
− | + | experts group will adopt the expert group papers so that these can be published in | |
− | + | the name of the experts group. Over time the formal experts group will contribute | |
− | + | information and experience necessary for the Commission's assessment of the | |
− | + | effectiveness of the Directive and whether to present new proposals on data | |
− | + | retention, including addressing difficulties in the technical and practical | |
− | + | implementation of the Directive. | |
+ | |||
==== Presentation of preliminary ruling of German Constitutional Court on data retention instrument – Kirsten Schwerin, Justice Ministry, Germany ==== | ==== Presentation of preliminary ruling of German Constitutional Court on data retention instrument – Kirsten Schwerin, Justice Ministry, Germany ==== | ||
+ | On 1 January 08 the instrument transposing the Data Retention Directive came into | ||
+ | effect in Germany. In response some 30.000 people have submitted a complaint to | ||
+ | the Constitutional Court to have the instrument annulled. The preliminary ruling | ||
+ | does not contest the obligation on providers to retain traffic data for a six month | ||
+ | period. However pending a final ruling of the Court (possibly end 2008), law | ||
+ | enforcement authorities have only a reduced possibility to access retained data. If | ||
+ | data are stored by virtue of the data retention law, providers may only transmit | ||
+ | requested data if an existing criminal proceeding is based on so called "heavy | ||
+ | crime" (which are crimes punishable by up to five years imprisonment and are a | ||
+ | higher level than "serious crime"). If not "heavy crime", access is limited to traffic | ||
+ | data which are stored for billing purposes (and may therefore be accessible for only | ||
+ | a very short period). Providers must nevertheless continue to retain data which may | ||
+ | become accessible to law enforcement for a broader range of crime types subject to | ||
+ | the final ruling. | ||
+ | |||
+ | ==== Cost recovery in France – Christian Aghroum, Direction Centrale de la Police Judiciaire, France ==== | ||
+ | The French Justice Ministry has produced a secure web site accessible to police and | ||
+ | judicial authorities which includes a standardised glossary of electronic | ||
+ | communications terms and services. This has been undertaken both for training and | ||
+ | budgetary purposes. The site defines different types of request, what the response | ||
+ | should consist of and the price which a provider can request. It allows police to | ||
+ | work more efficiently and to receive precise answers to precise questions. The | ||
+ | appropriate cost for differing services was achieved through negotiation with the | ||
+ | sector. The more complex the question, the higher the permitted price. Work is | ||
+ | underway to produce an equivalent glossary for IP data requests. | ||
+ | |||
+ | Industry associations queried the ability of a standardised cost approach to address | ||
+ | differing cost bases from one provider to another, particularly bearing in mind the | ||
+ | most costs here are fixed so cost basis will diverge widely between a provider | ||
+ | receiving 100 requests per week or a provider having to deal with only one request | ||
+ | per year. | ||
+ | |||
+ | ==== Centralised Data Storage within EU – data protection and related issues – Philippos Mitletton, European Commission ==== | ||
+ | The Data Retention Directive does not contain a specific provision on the | ||
+ | "territoriality" of storage of data (i.e. the location where the data are stored). The | ||
+ | question is if there is an obligation for the provider to store the relevant data within | ||
+ | their territory (i.e. the place of establishment). | ||
+ | |||
+ | Any obligation imposed by a MS for the data to be retained within its own territory, | ||
+ | could be considered as a restriction to the principle of free flow of data within EU, | ||
+ | which is fundamental under the Data Protection Directive 95/46/EC. | ||
+ | Article 4 of Directive 95/46/EC provides that each MS shall apply its national | ||
+ | provisions to the processing of personal data, where the processing is carried out in the | ||
+ | context of the activities of an establishment of the controller (provider) on the territory of | ||
+ | the MS. When the same controller is established on the territory of several MS, he must | ||
+ | take the necessary measures to ensure that each of these establishments complies with the | ||
+ | obligations laid down by the national law applicable. The issue of centralised data | ||
+ | storage is illustrated through case studies: | ||
+ | |||
+ | #(a) If the provider is storing data in another MS, without being established as an ECS in its territory, then only the data retention legislation of the originating MS should apply. | ||
+ | #(b) If the provider is established as an ECS in the MS where the data are stored, the data retention legislation of this MS shall apply. Whether the storage is ensured either by an affiliated company of the provider or by an independent company that provides storage services,the storage company is considered as a processor on behalf of the provider and data protection legislation of the storage MS applies as well. | ||
+ | |||
+ | In example (b) problems arise where different retention periods exist in the | ||
+ | originating MS and the storage MS and in particular if the storage MS requires a | ||
+ | shorter retention period than the originating one. Accordingly, if data retention laws | ||
+ | are not compatible, this needs to be borne in mind when deciding where or whether | ||
+ | to centralise retained data within the EU. | ||
+ | |||
+ | The Chair invited members of the experts group to submit written comments by end April. | ||
+ | |||
+ | ==== Data Security Issues under Directive 2006/24/EC – Nicholas Kaye, European Commission ==== | ||
+ | Both the Data Protection and e-privacy Directives make clear that data security is a | ||
+ | function of the risk associated with the processing of the data in question. | ||
+ | |||
+ | (Fußnote: Article 17 of Directive 95/46/EC states: "Member States shall provide that the controller must implement | ||
+ | appropriate technical and organisational measures to protect personal data against accidental or | ||
+ | unlawful destruction or unlawful loss, alteration, unauthorised disclosure or access, in particular where | ||
+ | the processing involves the transmission of data over a network, and against all other forms of | ||
+ | unlawful processing. Having regard to the state of the art and the cost of their implementation, such | ||
+ | measures shall ensure a level of security appropriate to the risks represented by the processing and the | ||
+ | nature of the data to be protected." Article 4 of Directive 2002/58/EC contains equivalent provisions | ||
+ | regarding the risk associated with the data in question.) | ||
+ | |||
+ | The obligation to retain these data for periods of between 6 and 24 months (which in | ||
+ | most cases is likely significantly to exceed the period for which such data would be | ||
+ | retained for normal commercial purposes) and the fact that they are retained under | ||
+ | the Directive with a view to their being used to fight serious crime, mean that | ||
+ | retained traffic and location data should be seen as having an exceptional risk | ||
+ | potential. The intelligence and evidential value of communications traffic and | ||
+ | location data means that these data may become a target for criminal organisations | ||
+ | with a view to compromising those data. This is a further factor in favour of stricter | ||
+ | security controls than could apply in the case of data processed for ordinary | ||
+ | business purposes. Due to this exceptional risk potential, stronger technical and | ||
+ | organisational data security measures are needed than might be the case for normal | ||
+ | commercial data. | ||
+ | |||
+ | Euro ISPA and Cable Europe agreed that data retained by virtue of the Directive are | ||
+ | high risk – although the data already exist, the fact that they are kept for longer | ||
+ | heightens the risk. While the risk factor might change, the standard remains the | ||
+ | same. The paper should not include a list of possible data security measures since it | ||
+ | could not be known which measures providers may already have adopted. The paper | ||
+ | should not include reference to "high level encryption" since Recital 23 says that the | ||
+ | Directive is not intended to harmonise the technology for retaining data. | ||
+ | The UK delegate preferred that reference to encryption be excluded due to risk that | ||
+ | data could be excluded on cross examination if not possible to show that data have | ||
+ | not been altered in any way due to encryption process. | ||
+ | |||
+ | The Chair invited expert group members to submit written comments by end April. | ||
+ | |||
+ | ==== Internet Telephony within Directive 2006/24/EC, Gert Wabeke on behalf of ETNO ==== | ||
+ | VoIP is becoming the de-facto technology for delivering telephony services. VoIP is | ||
+ | a technology unlike traditional TDM-based PSTN. With circuit switched telephony, | ||
+ | the number of technological standards is limited and so are the choices that need to | ||
+ | be made when putting this technology into use. With VoIP, there are many more | ||
+ | decisions to be made before applying the technology, both in a technological / | ||
+ | architectural area and in a number of business areas. These choices influence the | ||
+ | need for operators and service providers to retain data for their own business | ||
+ | purposes and hence influence the environments for data retention. Based on the | ||
+ | technical and business differences for VoIP based telephony services, data retention | ||
+ | environments will not be uniform over: | ||
+ | |||
+ | * Operators: Operators have the freedom to make different architectural choices and support different business models, stimulating competition. | ||
+ | * Services: Telephony services within an operator may have different data retention capabilities, e.g. a post-paid minutes based offering versus a flat-fee or prepaid offering. | ||
+ | * Time: Responsive to the competitive voice market and fast technology developments operators will regularly change their business model or architecture, which may lead to different data retention environments over time. | ||
+ | * Network access: A service provider may partly deliver its service via own access, via 3rd party access and via the Internet, leading to various data retention environments depending on where the customer is connected to the service provider. | ||
+ | |||
+ | Accordingly VOIP introduces a greater complexity as regards retention of data – | ||
+ | compared to PSTN – due to multitude of different technology and business | ||
+ | models. This means that data retention requirements for VoIP should be carefully | ||
+ | analyzed and discussed with the operators and service operators. | ||
+ | |||
+ | The Chair invited ETNO in conjunction wit the other industry representatives to | ||
+ | take this paper forward so that it attempts to find solutions to the problems | ||
+ | identified by the paper. The paper should be in the same form as the SPAM and | ||
+ | TRANSIT papers by end April. Some of these questions had been addressed by | ||
+ | the Internet Service Providers' Association representing the UK VOIP industry | ||
+ | whose input could be sought on the draft paper. It was noted that the Directive | ||
+ | talks about "Internet telephony" rather than "VOIP". | ||
+ | |||
+ | UK, Swedish, Slovenian and German delegates said that their legislation did not | ||
+ | differentiate between different technologies regarding fixed or mobile services. | ||
+ | So if a VOIP service comes within the notion of fixed or mobile services, it | ||
+ | would be covered. |
Version vom 26. Januar 2009, 12:12 Uhr
Englische Version
The third meeting of the informal data retention experts group took place on 2 April 2008 under the joint chairmanship of the Commission's Directorates General Justice, Freedom and Security and Information Society and Media. Representatives of all the stakeholders referred to in Recital 14 of Directive 2006/24/EC were invited to participate at the experts meeting, namely associations of the electronic communications industry, Member State law enforcement authorities, representatives of the European Parliament and data protection authorities, including the European Data Protection Supervisor. The Agenda is at Annex I; the list of invitees is at Annex II.
OPENING REMARKS
Mme. Cecilia Verkleij Head of Sector – DG Justice Freedom and Security reminded that the main focus of this meeting will be discussion of a number of Industry Association papers addressing a series of scoping and other issues under the Data Retention Directive. In addition to the data security and centralised data storage papers, the Agenda lists all the Industry papers which are currently envisaged by Industry Associations. These papers will be further progressed between now and the next expert group meeting (likely to take place in June 08) when they should be in final or near final form. At an appropriate time we may publish the papers as the output of the experts group. This will help promote a common EU orientation to some of the complex scoping and other issues raised by the Directive.
On 25 March 08 the Commission adopted its decision on the setting up of the formal data retention experts group. The next meeting should therefore be the first meeting of the formal data retention experts group. In terms of the work of the group, we do not envisage any significant change – the group will continue to encourage and facilitate a common orientation on the application of the Directive. Over time its focus is likely to move from industry issues to law enforcement issue and address questions about whether the Directive is achieving its objectives, particularly in the light of developing technologies. The formal Data Retention experts group will adopt the expert group papers so that these can be published in the name of the experts group. Over time the formal experts group will contribute information and experience necessary for the Commission's assessment of the effectiveness of the Directive and whether to present new proposals on data retention, including addressing difficulties in the technical and practical implementation of the Directive.
Presentation of preliminary ruling of German Constitutional Court on data retention instrument – Kirsten Schwerin, Justice Ministry, Germany
On 1 January 08 the instrument transposing the Data Retention Directive came into effect in Germany. In response some 30.000 people have submitted a complaint to the Constitutional Court to have the instrument annulled. The preliminary ruling does not contest the obligation on providers to retain traffic data for a six month period. However pending a final ruling of the Court (possibly end 2008), law enforcement authorities have only a reduced possibility to access retained data. If data are stored by virtue of the data retention law, providers may only transmit requested data if an existing criminal proceeding is based on so called "heavy crime" (which are crimes punishable by up to five years imprisonment and are a higher level than "serious crime"). If not "heavy crime", access is limited to traffic data which are stored for billing purposes (and may therefore be accessible for only a very short period). Providers must nevertheless continue to retain data which may become accessible to law enforcement for a broader range of crime types subject to the final ruling.
Cost recovery in France – Christian Aghroum, Direction Centrale de la Police Judiciaire, France
The French Justice Ministry has produced a secure web site accessible to police and judicial authorities which includes a standardised glossary of electronic communications terms and services. This has been undertaken both for training and budgetary purposes. The site defines different types of request, what the response should consist of and the price which a provider can request. It allows police to work more efficiently and to receive precise answers to precise questions. The appropriate cost for differing services was achieved through negotiation with the sector. The more complex the question, the higher the permitted price. Work is underway to produce an equivalent glossary for IP data requests.
Industry associations queried the ability of a standardised cost approach to address differing cost bases from one provider to another, particularly bearing in mind the most costs here are fixed so cost basis will diverge widely between a provider receiving 100 requests per week or a provider having to deal with only one request per year.
The Data Retention Directive does not contain a specific provision on the "territoriality" of storage of data (i.e. the location where the data are stored). The question is if there is an obligation for the provider to store the relevant data within their territory (i.e. the place of establishment).
Any obligation imposed by a MS for the data to be retained within its own territory, could be considered as a restriction to the principle of free flow of data within EU, which is fundamental under the Data Protection Directive 95/46/EC. Article 4 of Directive 95/46/EC provides that each MS shall apply its national provisions to the processing of personal data, where the processing is carried out in the context of the activities of an establishment of the controller (provider) on the territory of the MS. When the same controller is established on the territory of several MS, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable. The issue of centralised data storage is illustrated through case studies:
- (a) If the provider is storing data in another MS, without being established as an ECS in its territory, then only the data retention legislation of the originating MS should apply.
- (b) If the provider is established as an ECS in the MS where the data are stored, the data retention legislation of this MS shall apply. Whether the storage is ensured either by an affiliated company of the provider or by an independent company that provides storage services,the storage company is considered as a processor on behalf of the provider and data protection legislation of the storage MS applies as well.
In example (b) problems arise where different retention periods exist in the originating MS and the storage MS and in particular if the storage MS requires a shorter retention period than the originating one. Accordingly, if data retention laws are not compatible, this needs to be borne in mind when deciding where or whether to centralise retained data within the EU.
The Chair invited members of the experts group to submit written comments by end April.
Data Security Issues under Directive 2006/24/EC – Nicholas Kaye, European Commission
Both the Data Protection and e-privacy Directives make clear that data security is a function of the risk associated with the processing of the data in question.
(Fußnote: Article 17 of Directive 95/46/EC states: "Member States shall provide that the controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or unlawful loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other forms of unlawful processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected." Article 4 of Directive 2002/58/EC contains equivalent provisions regarding the risk associated with the data in question.)
The obligation to retain these data for periods of between 6 and 24 months (which in most cases is likely significantly to exceed the period for which such data would be retained for normal commercial purposes) and the fact that they are retained under the Directive with a view to their being used to fight serious crime, mean that retained traffic and location data should be seen as having an exceptional risk potential. The intelligence and evidential value of communications traffic and location data means that these data may become a target for criminal organisations with a view to compromising those data. This is a further factor in favour of stricter security controls than could apply in the case of data processed for ordinary business purposes. Due to this exceptional risk potential, stronger technical and organisational data security measures are needed than might be the case for normal commercial data.
Euro ISPA and Cable Europe agreed that data retained by virtue of the Directive are high risk – although the data already exist, the fact that they are kept for longer heightens the risk. While the risk factor might change, the standard remains the same. The paper should not include a list of possible data security measures since it could not be known which measures providers may already have adopted. The paper should not include reference to "high level encryption" since Recital 23 says that the Directive is not intended to harmonise the technology for retaining data. The UK delegate preferred that reference to encryption be excluded due to risk that data could be excluded on cross examination if not possible to show that data have not been altered in any way due to encryption process.
The Chair invited expert group members to submit written comments by end April.
Internet Telephony within Directive 2006/24/EC, Gert Wabeke on behalf of ETNO
VoIP is becoming the de-facto technology for delivering telephony services. VoIP is a technology unlike traditional TDM-based PSTN. With circuit switched telephony, the number of technological standards is limited and so are the choices that need to be made when putting this technology into use. With VoIP, there are many more decisions to be made before applying the technology, both in a technological / architectural area and in a number of business areas. These choices influence the need for operators and service providers to retain data for their own business purposes and hence influence the environments for data retention. Based on the technical and business differences for VoIP based telephony services, data retention environments will not be uniform over:
- Operators: Operators have the freedom to make different architectural choices and support different business models, stimulating competition.
- Services: Telephony services within an operator may have different data retention capabilities, e.g. a post-paid minutes based offering versus a flat-fee or prepaid offering.
- Time: Responsive to the competitive voice market and fast technology developments operators will regularly change their business model or architecture, which may lead to different data retention environments over time.
- Network access: A service provider may partly deliver its service via own access, via 3rd party access and via the Internet, leading to various data retention environments depending on where the customer is connected to the service provider.
Accordingly VOIP introduces a greater complexity as regards retention of data – compared to PSTN – due to multitude of different technology and business models. This means that data retention requirements for VoIP should be carefully analyzed and discussed with the operators and service operators.
The Chair invited ETNO in conjunction wit the other industry representatives to take this paper forward so that it attempts to find solutions to the problems identified by the paper. The paper should be in the same form as the SPAM and TRANSIT papers by end April. Some of these questions had been addressed by the Internet Service Providers' Association representing the UK VOIP industry whose input could be sought on the draft paper. It was noted that the Directive talks about "Internet telephony" rather than "VOIP".
UK, Swedish, Slovenian and German delegates said that their legislation did not differentiate between different technologies regarding fixed or mobile services. So if a VOIP service comes within the notion of fixed or mobile services, it would be covered.