Protokoll des Expertentreffens zu Implementierungsfragen der Vorratsdatenspeicherung vom 2. April 2008
Aus Freiheit statt Angst!
Englische Version
The third meeting of the informal data retention experts group took place on 2 April 2008 under the joint chairmanship of the Commission's Directorates General Justice, Freedom and Security and Information Society and Media. Representatives of all the stakeholders referred to in Recital 14 of Directive 2006/24/EC were invited to participate at the experts meeting, namely associations of the electronic communications industry, Member State law enforcement authorities, representatives of the European Parliament and data protection authorities, including the European Data Protection Supervisor. The Agenda is at Annex I; the list of invitees is at Annex II.
OPENING REMARKS
Mme. Cecilia Verkleij Head of Sector – DG Justice Freedom and Security reminded that the main focus of this meeting will be discussion of a number of Industry Association papers addressing a series of scoping and other issues under the Data Retention Directive. In addition to the data security and centralised data storage papers, the Agenda lists all the Industry papers which are currently envisaged by Industry Associations. These papers will be further progressed between now and the next expert group meeting (likely to take place in June 08) when they should be in final or near final form. At an appropriate time we may publish the papers as the output of the experts group. This will help promote a common EU orientation to some of the complex scoping and other issues raised by the Directive.
On 25 March 08 the Commission adopted its decision on the setting up of the formal data retention experts group. The next meeting should therefore be the first meeting of the formal data retention experts group. In terms of the work of the group, we do not envisage any significant change – the group will continue to encourage and facilitate a common orientation on the application of the Directive. Over time its focus is likely to move from industry issues to law enforcement issue and address questions about whether the Directive is achieving its objectives, particularly in the light of developing technologies. The formal Data Retention experts group will adopt the expert group papers so that these can be published in the name of the experts group. Over time the formal experts group will contribute information and experience necessary for the Commission's assessment of the effectiveness of the Directive and whether to present new proposals on data retention, including addressing difficulties in the technical and practical implementation of the Directive.
Presentation of preliminary ruling of German Constitutional Court on data retention instrument – Kirsten Schwerin, Justice Ministry, Germany
On 1 January 08 the instrument transposing the Data Retention Directive came into effect in Germany. In response some 30.000 people have submitted a complaint to the Constitutional Court to have the instrument annulled. The preliminary ruling does not contest the obligation on providers to retain traffic data for a six month period. However pending a final ruling of the Court (possibly end 2008), law enforcement authorities have only a reduced possibility to access retained data. If data are stored by virtue of the data retention law, providers may only transmit requested data if an existing criminal proceeding is based on so called "heavy crime" (which are crimes punishable by up to five years imprisonment and are a higher level than "serious crime"). If not "heavy crime", access is limited to traffic data which are stored for billing purposes (and may therefore be accessible for only a very short period). Providers must nevertheless continue to retain data which may become accessible to law enforcement for a broader range of crime types subject to the final ruling.
Cost recovery in France – Christian Aghroum, Direction Centrale de la Police Judiciaire, France
The French Justice Ministry has produced a secure web site accessible to police and judicial authorities which includes a standardised glossary of electronic communications terms and services. This has been undertaken both for training and budgetary purposes. The site defines different types of request, what the response should consist of and the price which a provider can request. It allows police to work more efficiently and to receive precise answers to precise questions. The appropriate cost for differing services was achieved through negotiation with the sector. The more complex the question, the higher the permitted price. Work is underway to produce an equivalent glossary for IP data requests.
Industry associations queried the ability of a standardised cost approach to address differing cost bases from one provider to another, particularly bearing in mind the most costs here are fixed so cost basis will diverge widely between a provider receiving 100 requests per week or a provider having to deal with only one request per year.
Centralised Data Storage within EU – data protection and related issues – Philippos Mitletton, European Commission
The Data Retention Directive does not contain a specific provision on the "territoriality" of storage of data (i.e. the location where the data are stored). The question is if there is an obligation for the provider to store the relevant data within their territory (i.e. the place of establishment).
Any obligation imposed by a MS for the data to be retained within its own territory, could be considered as a restriction to the principle of free flow of data within EU, which is fundamental under the Data Protection Directive 95/46/EC. Article 4 of Directive 95/46/EC provides that each MS shall apply its national provisions to the processing of personal data, where the processing is carried out in the context of the activities of an establishment of the controller (provider) on the territory of the MS. When the same controller is established on the territory of several MS, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable. The issue of centralised data storage is illustrated through case studies:
- (a) If the provider is storing data in another MS, without being established as an ECS in its territory, then only the data retention legislation of the originating MS should apply.
- (b) If the provider is established as an ECS in the MS where the data are stored, the data retention legislation of this MS shall apply. Whether the storage is ensured either by an affiliated company of the provider or by an independent company that provides storage services,the storage company is considered as a processor on behalf of the provider and data protection legislation of the storage MS applies as well.
In example (b) problems arise where different retention periods exist in the originating MS and the storage MS and in particular if the storage MS requires a shorter retention period than the originating one. Accordingly, if data retention laws are not compatible, this needs to be borne in mind when deciding where or whether to centralise retained data within the EU.
The Chair invited members of the experts group to submit written comments by end April.
Data Security Issues under Directive 2006/24/EC – Nicholas Kaye, European Commission
Both the Data Protection and e-privacy Directives make clear that data security is a function of the risk associated with the processing of the data in question.
(Fußnote: Article 17 of Directive 95/46/EC states: "Member States shall provide that the controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or unlawful loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other forms of unlawful processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected." Article 4 of Directive 2002/58/EC contains equivalent provisions regarding the risk associated with the data in question.)
The obligation to retain these data for periods of between 6 and 24 months (which in most cases is likely significantly to exceed the period for which such data would be retained for normal commercial purposes) and the fact that they are retained under the Directive with a view to their being used to fight serious crime, mean that retained traffic and location data should be seen as having an exceptional risk potential. The intelligence and evidential value of communications traffic and location data means that these data may become a target for criminal organisations with a view to compromising those data. This is a further factor in favour of stricter security controls than could apply in the case of data processed for ordinary business purposes. Due to this exceptional risk potential, stronger technical and organisational data security measures are needed than might be the case for normal commercial data.
Euro ISPA and Cable Europe agreed that data retained by virtue of the Directive are high risk – although the data already exist, the fact that they are kept for longer heightens the risk. While the risk factor might change, the standard remains the same. The paper should not include a list of possible data security measures since it could not be known which measures providers may already have adopted. The paper should not include reference to "high level encryption" since Recital 23 says that the Directive is not intended to harmonise the technology for retaining data. The UK delegate preferred that reference to encryption be excluded due to risk that data could be excluded on cross examination if not possible to show that data have not been altered in any way due to encryption process.
The Chair invited expert group members to submit written comments by end April.
Internet Telephony within Directive 2006/24/EC, Gert Wabeke on behalf of ETNO
VoIP is becoming the de-facto technology for delivering telephony services. VoIP is a technology unlike traditional TDM-based PSTN. With circuit switched telephony, the number of technological standards is limited and so are the choices that need to be made when putting this technology into use. With VoIP, there are many more decisions to be made before applying the technology, both in a technological / architectural area and in a number of business areas. These choices influence the need for operators and service providers to retain data for their own business purposes and hence influence the environments for data retention. Based on the technical and business differences for VoIP based telephony services, data retention environments will not be uniform over:
- Operators: Operators have the freedom to make different architectural choices and support different business models, stimulating competition.
- Services: Telephony services within an operator may have different data retention capabilities, e.g. a post-paid minutes based offering versus a flat-fee or prepaid offering.
- Time: Responsive to the competitive voice market and fast technology developments operators will regularly change their business model or architecture, which may lead to different data retention environments over time.
- Network access: A service provider may partly deliver its service via own access, via 3rd party access and via the Internet, leading to various data retention environments depending on where the customer is connected to the service provider.
Accordingly VOIP introduces a greater complexity as regards retention of data – compared to PSTN – due to multitude of different technology and business models. This means that data retention requirements for VoIP should be carefully analyzed and discussed with the operators and service operators.
The Chair invited ETNO in conjunction wit the other industry representatives to take this paper forward so that it attempts to find solutions to the problems identified by the paper. The paper should be in the same form as the SPAM and TRANSIT papers by end April. Some of these questions had been addressed by the Internet Service Providers' Association representing the UK VOIP industry whose input could be sought on the draft paper. It was noted that the Directive talks about "Internet telephony" rather than "VOIP".
UK, Swedish, Slovenian and German delegates said that their legislation did not differentiate between different technologies regarding fixed or mobile services. So if a VOIP service comes within the notion of fixed or mobile services, it would be covered.
Hosted Services and Outsourcing, Simon Kang, Cable Europe
Cable Europe will lead on producing a draft paper by end April which will scope the problem surrounding application of the Directive to hosted or outsourced services. The key issue is to understand who is responsible to retain what data in these circumstances.
The Chair said that where an organisation such as the European Commission which is not an ECS provider or network, contracts with another entity to operate a communications system, the non-ECS entity is not caught. Even an ECS provider or network would be outside the scope to the extent that the system which it operates is a private system. When the system breaks out onto the PSTN, it would be caught as regards the public provider which may or may not be the provider of the public service.
Virtual Network Operators, Hakan Hjelmestan on behalf of ETNO
The range of business VNO models is highly complex. It was agreed that ETNO would lead on a paper to scope the relevant issues for circulation to the group by end April. In the case of a virtual service provider with no network, it was likely that the network operator would have to retain relevant data with the exception of subscriber data that should be retained by the service provider.
Web Mail and scoping issues, Malcolm Hutty, Euro ISPA
- A webmail provider will only fall within the scope of the Directive if a provider of a publicly available electronic communications service or of a public communications network.
- The various classes of webmail and other web-based messaging functionality need close analysis to determine whether they constitute a publicly available electronic communications service.
- Use of a web browser as an interface to Internet e-mail (which is capable in some circumstances of falling within the scope of the Directive) needs to be carefully distinguished from web based messaging (which lies outside the scope).
- Web based Internet e-mail services can also be used in a wholly private environment, such as within a corporate office network. Accordingly, the provider must be considered individually to determine if it is a provider that falls within the legal limitation of scope enshrined in the Directive.
The Chair invited members of the experts group to submit comments on the web mail paper to the Secretariat of the group by end April.
Role of Internet transit providers under Directive 2006/24/EC, Malcolm Hutty, Euro ISPA
In respect of data relating to Internet access, the provider that needs to retain data is the Internet access provider. In respect of e-mail data, the provider that needs to retain data is the provider of the e-mail server (where this is a provider of publicly available electronic communications networks or services). Entities that simply carry Internet data across networks but that neither provide access to the Internet, nor to e-mail or VoIP services (“transit providers”), are not required to retain data under the Directive, since they do not have the data necessary to correlate logs to a specific user.
The Chair invited members of the experts group to submit comments on the web mail paper to the Secretariat of the group by end April.
Spam e-mail – data retention obligations, Malcolm Hutty, Euro ISPA
Spam e-mails are neither requested nor wanted by the recipient and are not therefore of value to law enforcement in the investigation of offences for which data is to be retained in accordance with Directive 2004/24/EC. The retention of huge quantities of spam E-mails may negatively impact the ability of service providers to retain and – when requested – retrieve data for law enforcement authorities. Nonetheless, Directive 2006/24/EC does not distinguish between E-mails to be retained. It is necessary to consider therefore to what extent E-mail service providers that would normally be obliged under the Directive to retain records of all E-mail addressed to their customers may avoid the retention obligation in relation to spam E-mails.
Where an E-mail marked as spam by the mail service provider is nonetheless delivered to the user, the provider should retain records of that E-mail in accordance with the Directive; If a spam E-mail is filtered out by a mail service provider, so that the transmission of the communication to the intended recipient has never been completed, the provider should not retain records of that E-mail in accordance with the Directive; If the mail server operator makes the E-mail available to the end-user (for example, so that it may be “collected” by the user), the mail server operator will be expected to treat the E-mail as subject to the retention requirement.
The Chair invited members of the experts group to submit comments on the web mail paper to the Secretariat of the group by end April.
AOBs
Industry groups were concerned that the output of the experts group should be given appropriate status to ensure that they carry weight within the Member States. The Chair considered that the most likely outcome is that the expert group papers, once approved by the formal group, would be published on the Commission web site. The level of detail in the papers is such as to make it inappropriate to consider formal adoption of the papers by the Commission. Further thought should bee given as to how best to publicise the output of the experts group, including the possibility that output could be published in physical form and distributed as appropriate. Later this year another meeting of the EU 27 would take place, as in November 07, where the group's output would be presented and discussed.
A short discussion took place on statistics on data retention pursuant to Article 10 of the Directive. Statistics provided by MS to the Commission should focus on police and judicial authorities rather than intelligence services. A template for statistics had been discussed at the November 07 meeting with MS. A revised draft would be produced in due course.
The Chair anticipated that the next meeting of the experts group would take place in June.
Annex I
Informal Data Retention Experts Group Meeting of 2 April 2008 Albert Borschette Conference Centre, Rue Froissart 36, 1040 Brussels, Room 0D DRAFT AGENDA 10.00 Welcome and update – Mme. Cecilia VERKLEIJ, Head of Sector DG Justice Freedom and Security Preliminary Ruling of Constitutional Court on German data retention instrument – Kirsten Schwerin, Justice Ministry, Germany Cost recovery in France – Christian Aghroum, Interior Ministry, France 10.30 Presentation of Discussion papers on: 1. Centralised Data Storage within EU – data protection and related issues 2. Data Security Issues under Directive 2006/24/EC 3. Internet Telephony within Directive 2006/24/EC. 4. Hosted Services and Outsourcing * 5. Virtual Network Operators * 6. Web Mail and scoping issues 7 Role of Internet transit providers under Directive 2006/24/EC (Revised final draft) 8. Spam e-mail – data retention obligations (Revised final draft); 17.00 Topics for future discussion Participants are invited to suggest issues for discussion at the next meeting of the Data Retention Experts Group. 17.15 AOB - date of next meeting 17.30 Meeting close
Annex II
List of invitees Country: ORGANISATION Denmark: Danish Ministry of Justice France: Office Central de Lutte contre la Criminalité liée aux Technologies de l'Information et de la Communication Germany: Federal Ministry of Justice Portugal: Permanent Representation Slovenia: Ministry of Economy Sweden: Department of Justice UK: Home Office Article 29 WP, Cable Europe, Independent Internet Expert, Cyber Security Industry Alliance, ECTA, GSM Europe, ETNO, ETIS, ETSI, Europol, EDPS, EuroISPA, European Parliament, European Commission
