Umbra

Aus Freiheit statt Angst!

Version vom 05:48, 2. Apr. 2011

Draft report

Summary

Introduction

The Commission recently published a report evaluating the controversial Data Retention Directive 2006/24/EC, which is to be revised later this year.

The EU data retention directive 2006/24 requires telecommunications companies to store data about all of their customers' communications. Although ostensibly to reduce barriers to the single market, the Directive was proposed as a measure aimed at facilitating criminal investigations. The Directive creates a process for recording details of who communicated with whom via various electronic communications systems. In the case of mobile phone calls and SMS messages, the respective location of the users is also recorded. In combination with other data, Internet usage is also to be made traceable.

In 2010, the average European had his traffic and location data logged in a telecommunications database once every six minutes. According to official Danish statistics, every citizen is logged 225 times a day.^[1]

This blanket and indiscriminate bulk recording of telecommunications data of all 500 mio. EU citizens is, according to the European Data Protection Supervisor, "the most privacy invasive instrument ever adopted by the EU".^[2] It is also possibly the most highly controversial EU surveillance instruments and has ensued protest throughout the EU.

We welcome the legislator's intention to have the "data retention experiment" and its impact evaluated. The European Data Protection Supervisor called the current evaluation "the moment of truth" for the "notorious" directive. Unfortunately the Commission's evaluation methods have turned out to be fundamentally flawed. Rather than procuring an independent assessment that satisfies scientific standards, the Commission has produced a political document. This is why we have decided to publish this shadow evaluation report.

Blanket and indiscriminate telecommunications data retention has proven to be harmful

The Commission argues that the Directive protects (or should protect) personal data and fundamental rights by setting standards concerning purpose limitation, retention periods and procedures for access to retained data. It is true that the Directive were a data protection instrument if it set limits on pre-existing national retention schemes and imposed safeguards only. In actual fact, however, the Directive allows Member States to go beyond its limits in most respects (e.g. types of data to be retained, purpose of retention) and does not address access to retained data at all.^[3] Most importantly, in imposing a blanket and indiscriminate telecommunications data retention scheme on all Member States, the Directive does the opposite of protecting data from being processed without consent. If the purpose of the Directive truly were to protect human rights, it would ban national data retention laws or impose limits on pre-existing laws rather than itself mandating such blanket and indiscriminate telecommunications data retention.

With a blanket and indiscriminate telecommunications data retention regime in place, sensitive information about social contacts (including business contacts), movements and the private lives (e.g. contacts with physicians, lawyers, workers councils, psychologists, helplines, etc) of 500 million Europeans is collected in the absence of any suspicion. Telecommunications data retention undermines professional confidentiality, creating the permanent risk of data losses and data abuses and deters citizens from making confidential communications via electronic communication networks. Blanket retention has a major impact on consumers in that they can no longer use telecommunications in situations that legitimately require non-traceability.

• A poll^[4] of 1,000 Germans found in 2008 that indiscriminate bulk data retention is acting as a serious deterrent to the use of telephones, mobile phones, e-mail and Internet. The survey conducted by research institute Forsa found that with communications data retention in place, one in two Germans would refrain from contacting a marriage counsellor, a psychotherapist or a drug abuse counsellor by telephone, mobile phone or e-mail if they needed their help. One in thirteen people said they had already refrained from using telephone, mobile phone or e-mail at least once because of data retention, which extrapolates to 6.5 mio. Germans in total. There can be no doubt that obstructing confidential access to help facilities poses a danger to the physical and mental health of people in need as well as of the people around them.

• The German Working Group on Data Retention has received ample reports on negative effects of data retention, which have been summarised in its response to the Commission's evaluation questionnaire.^[5] The indiscriminate retention of all communications data turned out to disrupt confidential communications in many areas, affecting victims of sexual abuse, political activists, journalists, accountants, lawyers, businessmen, psychotherapists, drugs advisers and crisis line operators.

Citizens who refuse to use retracable communications channels act rationally as there have been concrete examples of abuse of communications data:

• In 2006, 17 million sets of mobile phone subscriber data were sold by employees of T-Mobile, among them secret telephone numbers of ministers, politicians, former German heads of state, economic leaders, billionaires and church officials.
• In Ireland, a female detective sergeant in the Irish police's intelligence division is being investigated over claims that she used her position to check her former lover's phone records.^[6] In Germany an intelligence officer was alleged in 2007 to have used his powers to spy on his wive's lover.^[7]

Although these abuse cases cannot always be directly linked to the data retention directive, it is clear that the directive removes the only truly effective way to prevent such data abuse by not storing the sensitive data in the first place.

More wide-spread than cases of abuse are cases of communications data leading to falsely suspect an innocent person of an offence not committed by them or not committed at all. Communications data are particularly prone to such errors as it is easy to make mistakes in the process of identifying a subscriber (e.g. transposed digits, mismatching time zones) and because communications data relate to an account only which can have been used by anyone (e.g. public wifi hotspot). Communications data have again and again lead to innocent citizens being put under surveillance, having their houses searched, being arrested or being publicly accused of abhorrent offences. Also location data is often used to investigate a large number of law-abiding citizens simply for having been close to a scene of crime.

Blanket and indiscriminate telecommunications data retention undermines the protection of journalistic sources and thus compromises the freedom of the press. Overall it damages preconditions of our open and democratic society.

• In a poll of 1,489 German journalists commissioned in 2008, one in fourteen journalists reported that the awareness of all communications data being retained had at least once had a negative effect on contacts with their sources.^[8] The inability to electronically receive information through untraceable channels with blanket data retention in place affects not only the press, but all watchdogs including government authorities.

• German telecommunications giant Deutsche Telekom illegally used telecommunications traffic and location data to spy on about 60 individuals including critical journalists, managers and union leaders in order to try to find leaks. The company used its own data pool as well as that of a domestic competitor and of a foreign company.^[9]

• In Poland retained telecommunications traffic and subscriber data was used in 2005-2007 by two major intelligence agencies to illegally disclose journalistic sources without any judicial control.^[10]

• In the Netherlands, retained data was used to reveal anonymous sources of a journalist that had nothing to do with the investigation. Also telecommunications data of non-suspects were accessed merely they had the same first name as the suspect.^[11]

The Article 29 Group has stressed that risks of breaches of confidentiality are inherent in the storage of any traffic data. Only erased data is safe data. That is why the ePrivacy directive 2002/58/EC established the principle that traffic data must be deleted as soon as no longer needed for the purpose of the transmission of a communication.

A poll of 2,176 Germans found in 2009 that 69.3% oppose data retention, making it the most strongly rejected surveillance scheme of all, including biometric passports, access to bank data, remote computer searches or PNR retention.^[12] A 2008 Eurobarometer poll found that a large majority of 69-81% of EU citizens rejected the idea of "monitoring" the Internet use or phone calls of non-suspects even in light of the fight against international terrorism.^[13]

Blanket and indiscriminate telecommunications data retention has proven to be superfluous and counter-productive for removing market distorsions

The data retention directive is based on article 114 (1) TFEU which allows the EU to approximate national laws "with the aim of establishing or ensuring the functioning of the internal market". The EU argues that differing national data retention requirements "may involve substantial investment and operating costs" for service providers^[14], "may constitute obstacles to the free movement of electronic communications services" and "give rise to distortions in competition between undertakings operating on the electronic communications market".^[15]

When the data retention directive was adopted in 2005/2006, only 5 of the then 25 Member States required communications service providers to retain certain communications data without cause, typically requiring the retention of less data for shorter periods of time than the Directive does. Another 5 Member States had legislation in place that would have allowed them to impose data retention requirements in the future.^[16] 15 of the then 25 Member States had not enacted any data retention legislation.^[17]

Today, the Directive being in force, 21 of 27 Member States are requiring service providers to retain communications data without cause^[18] with national obligations varying widely as to

1. the categories of service providers affected (the Directive imposes minimum requirements only),^[19]
2. the types of communications data to be retained (the Directive imposes minimum requirements only),
3. the retention period for each type of data (the Directive imposes a period of 6-24 months for certain types of data and certain purposes, otherwise not harmonised by the Directive),
4. the data safety requirements (not harmonised by the Directive),
5. the purposes for which retained data can be used (the Directive imposes minimum requirements only),
6. the conditions and procedure for access to and use of the data (not harmonised by the Directive),
7. the reimbursement of costs (not harmonised by the Directive).

It is apparent from these facts that by requiring all Member States to enact blanket retention legislation, the Directive has ensued much higher "investment and operating costs" for service providers in the EU than they would have been faced with without the Directive, and has resulted in a far larger patchwork of national blanket retention legislation than would have existed without the Directive. The Directive thus itself constitutes an "obstacle to the free movement of electronic communications services" and "gives rise to distortions in competition between undertakings operating on the electronic communications market".

From an internal market perspective, several options exist to really remove "obstacles to the internal market for electronic communications" without imposing the concept of blanket and indiscriminate telecommunications data retention on all Member States and citizens:

1. The EU could prohibit national legislation mandating blanket data retention without cause in favour of a system of expedited preservation and targeted collection of traffic data as agreed in the Council of Europe's Convention on Cybercrime.
2. The EU could require Member States with (optional) national retention legislation in place to fully compensate the providers affected.
3. The EU could require Member States without (optional) national retention legislation in place to impose a levy on their communications service providers, thus eliminating any competitive advantage they might have as a result of not having to retain data indiscriminately.
4. The EU could amend the Directive so as to impose limits on (optional) national retention legislation only, rather than impose the concept of blanket communications data on all Member States, and still create a more harmonised market than exists at present. For example, a blanket retention period of 0 or 6 months would create a far more harmonised situation than imposing a retention period of 6-24 months.

When proposing the data retention directive, the Commission itself considered compulsory compensation the key element to prevent market distortions: "The cost reimbursement principle will allow creating a level playing field for the electronic communication providers in the internal market."^[20] When the Directive was adopted, however, the one element that would have contributed to creating a more level playing field - cost reimbursement - was removed from the Directive. Yet this element is a simple and far less invasive way of preventing market distortions than trying - and failing - to establish a harmonised data retention scheme throughout the EU.

Interestingly, the Commission is now citing a study according to which the retention costs of an ISP with half a million subscribers is around 0.75 Euro per subscriber in the first year and 0.24 Euro in subsequent years, with data retrieval costs of about 0.70 Euro per subscriber and year. The Commission concludes that blanket retention requirements have "no significant impact" on competition or investment. If that is so, then there is no justification for the EU to harmonise such national legislation at all. The European Court of Justice has repeatedly held that the EU may rely on article 114 TFEU with a view to "eliminating appreciable distortions of competition" only.^[21] If national data retention requirements result in costs of no more than 1 or 2 Euros per customer and year, they cannot seriously be claimed to appreciably distort cross-border competition.

Besides we remain unconvinced by the EU Court of Justice's decision that national legislation mandating the retention of data for law enforcement purposes "have as their object the establishment and functioning of the internal market" within the meaning of Article 114 TFEU. If the Court's reasoning was correct, the EU would be competent to harmonise all national information keeping or other requirements imposed on companies (e.g. for law enforcement, taxation, national defense or educational purposes). For example the EU could harmonise tax record keeping requirements or national standards for manufacturing police weapons or military equipment, all in the name of internal market harmonisation. This by far exceeds the scope of article 114 TFEU.^[22]

In conclusion, the Directive has not only failed its purpose of creating a more level playing field for service providers but has proven to be counter-productive in this respect, creating a far more patchworked situation than had existed before. Several alternative approaches "consistent with the objective"^[23] of removing market distortions "while at the same time causing less interference"^[24] exist, other than imposing the concept of blanket communications data on all Member States and citizens.

Blanket and indiscriminate telecommunications data retention has proven to be superfluous for law enforcement

Studies prove that the communications data available without data retention are generally sufficient for effective criminal investigations. Blanket data retention has proven to be superfluous, harmful or even unconstitutional in many states across Europe, such as Austria, Belgium, Germany, Greece, Romania and Sweden. These states prosecute crime just as effectively using targeted instruments, such as the data preservation regime agreed in the Council of Europe Convention on Cybercrime. There is no proof that telecommunications data retention provides for better protection against crime.

This statement firstly relies on the experience of states around the world whose law enforcement agencies operate successfully without relying on blanket data retention. Among these states are Germany, Austria, Belgium, Greece, Romania, Sweden, Canada and EU member states with data retention legislation that is not yet being applied. The absence of data retention legislation does not lead to a rise in crime in those states, or to a decrease in crime clearance rates, not even in regard to Internet crime. Nor did the coming into force of data retention legislation have any statistically significant effect on crime or crime clearance.

This is exemplified by statistics published by the German Federal Crime Agency (BKA):

This picture is confirmed by statistics published by the Ministry of the Interior of the Czech Republic and by the Police of the Czech Republic:

Statistics published by the Austrian Ministry of the Interior show that the absence of blanket data retention legislation does not result in a rise in crime or a drop in crime clearance:

An independent study commissioned by the German government found that among a sample set of 1.257 law enforcement requests for traffic data made in 2005, only 4% of requests could not be (fully) served for a lack of retained data.^[25] Taking into account the total number of criminal investigation procedures in 2005, only 0.01% of investigations were affected by a lack of traffic data.^[26] About one third of the suspects in those procedures were still taken to court on the basis of other evidence.^[27] Moreover 72% of investigations with fully successful requests for traffic data did not result in an indictment.^[28] All in all, blanket data retention would have made a difference to only 0.002% of criminal investigations.^[29] This number does not change significantly when taking into account that in the absence of a blanket data retention scheme, less requests are made in the first place.^[30]

Similarly a dutch study of 65 case files found that requests for traffic data could "nearly always" be served even in the absence of compulsory data retention.^[31] The cases studied were almost all solved or helped using traffic data that was available without compulsory data retention.^[32]

The German Federal Crime Agency (BKA) counted only 381 criminal investigation procedures in which traffic data was lacking in 2005.^[33] In view of a total of 6 million procedures in 2005, no more than 0.01% of criminal investigation procedures were potentially affected. In the absence of a blanket traffic data retention regime, German law enforcement agencies have consistently cleared more than 70% of all reported Internet offences, significantly outperforming the average crime clearance rate of about 50%. The coming into force of data retention legislation did not have any statistically significant effect on crime rates or crime clearance rates.

Notwithstanding this comprehensive evidence, we would like to recall that we cannot be expected to prove that blanket data retention is superfluous. The onus of proof regarding the alleged necessity of blanket data retention is clearly on its proponents. In our response^[34] to your evaluation questionnaire we have explained why access statistics, anecdotal evidence or perceived utility^[35] do not prove a need for blanket data retention: Successful requests for traffic data retained under directive 2006/24 do not prove that data would otherwise have been lacking, despite the commercial billing data stored under directive 2002/58 and extra data stored in compliance with specific judicial orders. Even where extra data is disclosed under data retention schemes, it often has no influence on the outcome of investigation procedures.

The possible occasional utility of access to communications data by law enforcement agencies does not mean that there was a need to retain such data indiscriminately. The European Court of Human Rights has consistently held that mere usefulness does not satisfy the test of necessity.^[36] As there is a danger that the Commission might rely on inconclusive data provided by member states, we would like to cite the European Court of Human Rights' critical comments on similar data regarding the retention of biometric data: “It is true, as pointed out by the applicants, that the figures do not reveal the extent to which this 'link' with crime scenes resulted in convictions of the persons concerned or the number of convictions that were contingent on the retention of the samples of unconvicted persons. Nor do they demonstrate that the high number of successful matches with crime-scene stains was only made possible through indefinite retention of DNA records of all such persons.”.^[37]

(Note: Incomplete as of here...)

The evaluation is, by definition, inadequate as it fails to address countries which have not transposed this allegedly "necessary" Directive

Access statistics and examples of usefulness fail to demonstrate necessity because it is not shown that the necessary data would not otherwise have been available

Where assessing the value of retained data in criminal investigations and prosecutions, it is extremely important to distinguish between the value of communications data that would be stored for commercial purposes in compliance with Directive 2002/58 anyway and the value of any extra communications data that must be stored under Directive 2006/24. For example, the communications data used to investigate the Madrid bombings were available despite the absence of a blanket retention scheme. The evaluation report fails to demonstrate that any benefits of communications data depend specifically on blanket retention schemes and cannot likewise be achieved under targeted data preservation schemes. After all, according to German and Czech statistics, the coming into force of data retention legislation did not lead to a rise of clearance rates.

An assessment needs to be made of whether serious crime as a whole is prosecuted more effectively in Member States with blanket retention schemes in place as compared to Member States that employ targeted and privacy-compatible approaches. The evaluation report fails to assess the effectiveness of law enforcement in Member States (e.g. Germany, Sweden, Romania, Greece) and non-Member States (e.g. Canada, Norway) that do not have a blanket retention scheme in place. The report does not even make the missing evidence transparent but pretends to be able to assess adequately the effectiveness of blanket retention on the basis of the data that is available.

Where retained data have led to specific results, has the introduction of a blanket retention scheme led to an increase in the number of condemnations, acquittals, the closure or discontinuation of cases, or the prevention of crimes? Did States operating with targeted instruments achieve a similar number of condemnations, acquittals, the closure or discontinuation of cases, and the prevention of crimes as States operating with blanket retention?

the European Court of Human Rights, in its Marper judgement, criticised similar data provided by the UK government for not being conclusive: „Nor do they [Home Office statistics] demonstrate that the high number of successful matches with crime-scene stains was only made possible through indefinite retention of DNA records of all such persons. […] Yet such matches could have been made even in the absence of the present scheme […].“

Access statistics and examples of usefulness fail to demonstrate necessity because it is not shown that they outweigh the counterproductive effects of data retention on law enforcement

Any assessment of effectiveness needs to have regard to the counter-productive effects of blanket retention on the prosecution of serious crime by furthering the use of circumvention techniques and other communication channels. According to a German poll, implementing a data retention regime makes citizens employ Internet cafés, wireless Internet access points, anonymisation services, public telephones, unregistered mobile telephone cards, non-electronic communications channels and similar approaches more often. This avoidance behaviour can not only render retained data meaningless but also frustrate more targeted investigation techniques that would otherwise have been available to law enforcement. Overall, blanket data retention can thus be counterproductive to criminal investigations, facilitating some, but rendering many more futile. Therefore a meaningful assessment of net effectiveness of blanket retention schemes needs to look at whether, in a given country, serious crime as a whole is prosecuted more effectively under a blanket retention scheme than under a targeted investigation scheme. The evaluation report fails to do so.

Blanket and indiscriminate telecommunications data retention has no statistically significant impact on crime or the investigation of crime

In accordance with this legal basis, it is not and may not legally be the purpose of directive 2006/24 to facilitate the prosecution of crime, but only to safeguard "the proper functioning of the internal market" in light of "the various national rules adopted on the retention of data relating to electronic communications".^[38]

The data retention directive states that "[t]he legal and technical differences between national provisions concerning the retention of data [...] present obstacles to the internal market for electronic communications, since service providers are faced with different requirements regarding the types of traffic and location data to be retained and the conditions and periods of retention."

The objective of the data retention Directive is internal market harmonisation rather than facilitating law enforcement. Under Article 114 TFEU the purpose of the Directive is removing market barriers only. A level playing field can be created without requiring all providers to retain data, simply by requiring full compensation of providers that come under such obligation. Where not necessary for internal market purposes, the EU has no right under article 114 TFEU to interfere with national law enforcement policies. It is not possible to place the Directive in the former "third pillar", either, as it is not specifically about police cooperation.

A quick freeze procedure does in fact allow the tracing of communications and movements prior to the data freeze order where such data has been stored for commercial purposes. There is a wealth of evidence in countries like Sweden, Austria, Greece, Romania, Germany or Canada that have been happily living without the Directive and still prosecuted serious crime no less effectively.

„Retention makes more data available to law enforcement“ - Much data is available without data retention. Does more data make a difference?

„Retained data is used to prosecute crime etc.“ - In 33% of criminal investigations, a lack of traffic data can be compensated. In total, blanket retention can make a difference to 0.002% of criminal investigations at most. Data retention disrupts the prosecution of crime: 46.4% used or planned to use an anonymization service.

"Access to telecommunications data is, at least in some cases, the only way of detecting and prosecuting serious crime."

• telecommunications data are available even without DR for commercial purposes under Article 5 of directive 2002/58/EC
• this statement may not be sufficient to install oder keep any directive. data retention implies a general suspicion of every european citizen and it is contrary to the principle of data economy.
• if we would follow every "only way" to detect and prosecute serious crime, we would end in a totalitarian system.

"if the data were not helpful, law enforcement authorities would presumably not spend human and financial resources on requesting them in those numbers." (Malmström)

• Number of requests says nothing about effectiveness or counterproductive effects
• This is just an assumption. Where are the concrete and detailed data from the countries, which tell us something like this?

"The information we received needs more analysis, but it does show that many criminal investigations would not have been successful, had it not been for data retention. One Member State informed us that its law enforcement agencies use retained data in more than 86% of cases resulting in criminal prosecutions. Several Member States pointed to the difficulty of dealing with cybercrime, an ever increasing threat to security, without data retention." (Malmström)

• Asking only MS that have implemented DR will never give a picture of whether the same results could not be achieved without DR.
• That 86% figure says nothing about a causal link between the use of DR and the success of the case. Not even in statistical terms. What if DR was used in 95% of the cases that did not result in prosecutions? (Do we know the source for this figure and any more detail on the way it uses that statistic as an argument?)

"Data freeze will never bring back deleted data." (Malmström)

• Yet it avoids the counterproductive and adverse side-effects of DR and actually appears to be the more effective policy overall.
• It's like real life: criminal prosecution in real world, as it works today, is nothing else than "quick freeze" for the digital communication data. Do you like to direct a new directive in order to chronicle every letter being sent, every rendezvous and every meeting of people in europe, that happen in "real life"?

   * Nützlichkeit ist nicht gleich Sicherheit. Mehr Daten mögen in Einzelfällen nützlich sein. Im Ergebnis ist in Staaten mit Vorratsdatenspeicherung jedoch keine geringere Kriminalitätsrate zu verzeichnen als in Staaten ohne Vorratsdatenspeicherung. Insgesamt gesehen gibt es mit Vorratsdatenspeicherung nicht weniger Kindesmissbrauch, Vergewaltigungen, Körperverletzungen oder sonstige Straftaten als ohne Vorratsdatenspeicherung.
   * Aufklärung ist nicht gleich Schutz. Es ist nicht nachweisbar, dass eine erleichterte Aufklärung von Straftaten irgend einen Einfluss auf die Kriminalitätsrate hat.
   * Arbeitserleichterung ist nicht gleich Erforderlichkeit. Weltweit werden Straftaten auch ohne Vorratsdatenspeicherung erfolgreich aufgeklärt, gerade im Internet. Außer in Deutschland werden auch in Belgien, Griechenland, Österreich, Schweden und Rumänien Straftaten erfolgreich ohne Vorratsdatenspeicherung verfolgt, ebenso etwa in Kanada und den USA. In Deutschland wurden wurden 2007 ohne Vorratsdatenspeicherung 84,4% aller in Deutschland registrierten Internetdelikte einschließlich der Verbreitung von Kinderpornografie erfolgreich aufgeklärt – von den sonstigen Straftaten nur 55%.[2] Die Einführung der Vorratsdatenspeicherung am 01.01.2008 hat die Aufklärungsrate nicht erhöht (2007: 55,0%, 2008: 54,8%).[3]
   * Einzelfallbetrachtung ist nicht gleich Verhältnismäßigkeit. Aus einer Studie des Max-Planck-Instituts ergibt sich, dass die Vorratsdatenspeicherung im besten Fall bei 0,01% aller Straftaten von Nutzen sein kann[4] – zu 99,99% wird sinnlos aufgezeichnet.
   * Massenverfolgung ist nicht gleich Effizienz. Mithilfe von Telekommunikationsdaten werden hauptsächlich Betrügereien und Tauschbörsennutzer ermittelt.[5] Diese massenhafte Verfolgung von Kleinkriminalität kostet die Polizei Ressourcen, die bei der Ermittlung schwerer Straftäter und der Hintermänner fehlen. In den letzten Jahren sind bei der Polizei 17.000 Stellen gestrichen worden.[6]
   * Betriebsblindheit ist nicht gleich Klugheit. In ihrer Jagd auf 0,01% der Straftäter verlieren die Befürworter der Vorratsdatenspeicherung aus den Augen, dass eine unprotokollierte Kommunikation Leben, Gesundheit und Freiheit von weit mehr Unschuldigen schützt, etwa wo Beratungsstellen gewalttätige Familienväter oder Pädophile überzeugen können, sich einer Therapie zu unterziehen. Im Jahr 2007 konnte beispielsweise ein bei der Telefonseelsorge tätiger Pfarrer einen Jugendlichen überzeugen, einen geplanten Amoklauf zu unterlassen. Wäre der Anruf rückverfolgbar gewesen, hätte der Jugendliche wohl nie über sein Vorhaben gesprochen. Einer Forsa-Umfrage vom Juni 2008 zufolge hielt die Vorratsdatenspeicherung jeden zweiten Deutschen davon ab, sich telefonisch beraten zu lassen,[7] was unsere Sicherheit gefährdete.
   * Telekommunikation ist nicht gleich Straftat. Telefon, Handy und Internet werden zu 99,9% vollkommen legal eingesetzt. Gespräche müssen am Telefon ebenso wenig registriert werden wie sonstige Gespräche. Briefe müssen im Internet ebenso wenig registriert werden wie sonstige Briefe. Bewegungen müssen mit einem Handy ebenso wenig registriert werden wie sonstige Bewegungen.
   * Gefährdung ist nicht gleich Kriminalität. Was Straftaten anbelangt, ist Deutschland eines der sichersten Länder der Welt. Tod, Krankheit oder Behinderung beruhen bei uns nur zu 0,2% auf Gewalt und Straftaten.[8] Dagegen kosten Tabak, Alkohol, Cholesterin, Übergewicht, Fehlernäherung, Bewegungsmangel, Suizid, Stürze und der Straßenverkehr ein Vielfaches an Menschenleben – obwohl sie sehr viel leichter zu reduzieren wären.
   * Überwachung ist nicht gleich Sicherheit. Umgekehrt ermöglichen Datenhalden erst Missbrauch wie bei der Deutschen Telekom AG und Betrug wie im Fall der Bankdaten. Nur nicht gespeicherte Daten sind sichere Daten. Die Vorratsdatenspeicherung stellt diese Erkenntnis auf den Kopf.
   * EU-Recht ist nicht gleich Notwendigkeit. Die Nichtumsetzung der EU-Richtlinie zur Vorratsdatenspeicherung wird nur ein weiteres neben den zurzeit 68 anhängigen Vertragsverletzungsverfahren gegen Deutschland[9] sein. Auch vier Jahre nach dem tragischen Beschluss der Richtlinie zur Vorratsdatenspeicherung hat keines der Länder, die sich der Umsetzung verweigern, auch nur einen Euro Strafe zahlen müssen. Der Rumänische Verfassungsgerichtshof hat festgestellt, dass eine Vorratsdatenspeicherung gegen die Europäische Menschenrechtskonvention verstößt. Die Einhaltung der Menschenrechtskonvention muss Vorrang vor der Umsetzung Brüsseler Richtlinien haben.
   * Verfolgungswahn ist nicht gleich der Wille des Volkes: 70% der Bundesbürger lehnen die Vorratsdatenspeicherung ab[10] - ebenso wie 50 Berufs- und Wirtschaftsverbände.[11]
   * Freiheit ist nicht gleich Unsicherheit. Es ist kein Zufall, dass wir in Deutschland mit vergleichsweise wenig Überwachung und starkem Grundrechtsschutz sicherer leben als Kontrollstaaten wie Großbritannien. Sicherheit braucht in erster Linie Vertrauen und Achtung vor dem Recht – auch vor den Menschenrechten. 

Usefulness does not demonstrate effectiveness:

• Where communications data is accessed, would it have been available without blanket retention (e.g. data preservation)? Mostly.
• Where communications data would not have been available without blanket retention, did it ultimately make a difference to the outcome of the investigation?
  • Was the investigation unsuccessful despite access to extra communications data?
  • Would the investigation have been just as successful on the basis of other evidence?
• To the outcome of how many criminal investigations did communications data retained under a blanket scheme make a positive difference?
• Is this benefit offset by counter-productive effects of blanket data retention on law enforcement?

Blanket and indiscriminate telecommunications data retention has proven to be unconstitutional

Legal experts expect the European Court of Justice to follow the Constitutional Court of Romania as well as the European Court of Human Rights's Marper judgement and declare the retention of telecommunications data in the absence of any suspicion incompatible with the EU Charter of Fundamental Rights.

Last year the Romanian Constitutional Court found that data retention per se breached Article 8 of the European Convention on Human Rights: “[Data retention] equally addresses all the law subjects, regardless of whether they have committed penal crimes or not or whether they are the subject of a penal investigation or not, which is likely to overturn the presumption of innocence and to transform a priori all users of electronic communication services or public communication networks into people susceptible of committing terrorism crimes or other serious crimes. Law 298/2008 [applies] practically to all physical and legal persons users of electronic communication services or public communication networks – so, it cannot be considered to be in agreement with the provisions in the Constitution and Convention for the defence of human rights and fundamental freedoms regarding the guaranteeing of the rights to private life, secrecy of the correspondence and freedom of expression.”^[39]

Earlier this year the Federal Constitutional Court of Germany ruled the German data retention requirements unconstitutional and void for being disproportionate in their concrete form.^[40] Although the Court considered that data retention did not per se breach the German constitution, it did not assess the compatibility of data retention with the European Convention on Human Rights or with the EU Charter of Fundamental Rights. However it made clear that surveillance programs may not exceed an absolute overall constitutional threshold that exists for the collection of personal data by governments, and that telecommunications data retention would bring the surveillance situation in Germany very close to this barrier. Future surveillance measures might be found unconstitutional not even for being disproportionate in themselves, but for passing this absolute overall surveillance barrier. Therefore, maintaining blanket and superfluous data retention jeopardises the constitutionality of more effective and targeted future measures.

There are further complaints pending before the Hungarian Constitutional Court^[41] and before the Irish High Court. Recently, the Irish High Court ruled in favour of a request to challenge the Data Retention Directive at the EU Court of Justice.^[42] The Court found that data retention had the potential to be of “importance to the whole nature of our society”. “[I]t is clear that where surveillance is undertaken it must be justified and generally should be targeted”. The Court ruled that civil liberties campaign group Digital Rights Ireland had the right to contest “whether the impugned provisions violate citizen's rights to privacy and communications” under the EU treaties, the European Convention on Human Rights and the EU Charter of Fundamental Rights. The reference to the EU Court of Justice is expected in the next weeks.

The Court of Justice can be expected to follow the previous rulings and annul directive 2006/24, having regard to the jurisprudence of the European Court of Human Rights. The Grand Chamber of the latter Court found in 2008 that the retention of biometrics on mere suspects breached Article 8 of the European Convention on Human Rights: “In conclusion, the Court finds that the blanket and indiscriminate nature of the powers of retention of the fingerprints, cellular samples and DNA profiles of persons suspected but not convicted of offences, as applied in the case of the present applicants, fails to strike a fair balance between the competing public and private interests and that the respondent State has overstepped any acceptable margin of appreciation in this regard. Accordingly, the retention at issue constitutes a disproportionate interference with the applicants' right to respect for private life and cannot be regarded as necessary in a democratic society.”^[43] This assessment of the collection of identification data on 5 million citizens^[44] must, a fortiori, apply to the much larger collection of information on the daily communications of 500 million citizens throughout the EU.

It is of great importance that the evaluation report reflects the judgement of the Constitutional Court of Romania correctly. This ruling held that any blanket retention of telecommunications data violates Article 8 of the European Convention on Human Rights. The Court did not only question the compatibility of blanket retention with human rights, it definitively ruled that it is incompatible. In its decision the Court relied not only on the Romanian Constitution, but also on case-law of the European Court of Human Rights, in deeming data retention a particularly intrusive measure which is in breach of Art. 8 of the ECHR.

Regarding the judgement of the German Constitutional Court, the evaluation report should mention the fact that the Directive's provisions regarding data security were found insufficient and that any retention period of more than six months was considered disproportionate by the Court.

Pending court actions with the Hungarian and Czech constitutional courts should also be mentioned.

We remain concerned that DG Home's understanding of European fundamental rights jurisprudence is flawed. For instance, in its S. and Marper v. The United Kingdom judgement, the Court did not only require safeguards or insist on limited retention periods in this judgement, but ruled: “In conclusion, the Court finds that the blanket and indiscriminate nature of the powers of retention of the fingerprints, cellular samples and DNA profiles of persons suspected but not convicted of offences, as applied in the case of the present applicants, fails to strike a fair balance between the competing public and private interests and that the respondent State has overstepped any acceptable margin of appreciation in this regard.” This finding does not rely on retention periods, but on the fact that personal data of persons not convicted of offences were being retained indiscriminately, as is the case with Directive 2006/24.

Furthermore, the EU Court's recent ground-breaking Schecke ruling annulled an EU Regulation requiring the blanket publication of personal data for being disproportionate, arguing that alternative, targeted measures were available “which would be consistent with the objective of such publication while at the same time causing less interference with those beneficiaries’ right to respect for their private life”. The EDPS said at the data retention conference that he finds it “highly doubtful whether the systematic retention of communication data on such a wide scale constitutes a strictly necessary measure”.

The Romanian constitutional court found in 2009 that data retention per se breaches Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms (European Convention on Human Rights). The German Constitutional Courts also declared national implementing legislation to be unconstitutional earlier this year. In May, the Irish High Court decided to ask the European Court of Justice to rule whether EU communications data retention rules violate the EU Charter of Fundamental Rights.

"the legislator has stated in Recital 22 of the Data Retention Directive(2) that the directive respects the fundamental rights" (Malmström)

• The fundamental rights charter was not in force then.
• Anyway courts have ruled differently. (Germany, Romania, Ireland? Links?)
• The Commission will have to make its own assessment rather than just quote a political statement that is 5 years old.

"In the Marper jurisprudence the European Court of Human Rights ruled that indefinite retention of certain sensitive personal data constitutes "a disproportionate interference with the applicants' right to respect for private life and cannot be regarded as necessary in a democratic society". The Data Retention Directive, however, requires that data are retained for a definitive amount of time (6 to 24 months), obliges to delete data after that period and forbids the retention of information about the content of communications." (Malmström)

• "In conclusion, the Court finds that the blanket and indiscriminate nature of the powers of retention of the fingerprints, cellular samples and DNA profiles of persons suspected but not convicted of offences, as applied in the case of the present applicants, fails to strike a fair balance between the competing public and private interests and that the respondent State has overstepped any acceptable margin of appreciation in this regard. Accordingly, the retention at issue constitutes a disproportionate interference with the applicants' right to respect for private life and cannot be regarded as necessary in a democratic society." Is there anything about the storage period in that statement?

“It is untenable for the European Commission to be negotiating ratification of the European Convention on Human Rights and simultaneously taking Member States to court for failing to implement a Directive which they patently do not consider to be “necessary”. When Constitutional Courts of Member States have ruled a particular piece of legislation to be 'not necessary in a democratic society', it is profoundly dangerous for the European Commission to take legal action to force the adoption of that legislation. Dangerous for fundamental rights, but also dangerous for the credibility of the European Union itself.”

The German court ruled that data retention created a perception of surveillance which could limit the free exercise of fundamental rights but acknowledged explicitly that retention for sufficiently limited uses and enough security would not necessarily breach the Basic Law. Data should only be requested when there is a suspicion of a serious criminal offence or evidence of a danger to the public. Retrieval should be prohibited for certain communications that require confidentiality.

Principle of data retention in breach of article 8 ECHR - “continuous limitation of privacy [...] makes the essence of the right disappear.” - passive subject in communications: “the called person can become, without his will, suspect.” http://www.legi-internet.ro/english/jurisprudenta-it-romania/decizii-it/romanian-constitutional-court-decision-regarding-data-retention.html The Commissions assessment of the ruling is outright false: The Romanian court accepted that interference with fundamental rights may be permitted when it respects certain rules, and provides adequate and sufficient safeguards [comment: did anyone ever dispute this?]. The court ruled that the transposing law was ambiguous in scope and purpose, lacked the necessary safeguards and questioned whether a continuous obligation to retain data for six months was compatible with the rights to privacy and freedom of expression.

"the question arises whether the Directive meets accepted and established standards for the justifications and objectives subject to which it is possible to interfere with the right to privacy. In connection with the extensive requirements as to the volume of retained information and the considerable length of the retention period which the contested Directive requires, it is also questionable whether such a-far-reaching interference with the rights protected by Article 8 of the European Convention on Human Rights may legitimately be justified and considered proportionate on the basis of justifications and objectives which are essentially economic (removing barriers to the internal market and distortion of competition). It is also disputable to say the very least whether interest in the better fiinctioning of the internal market may be considered of such importance that it balances or even outweighs the negative consequences of the significant interference in privacy caused by the Directive. That is even more relevant since the economic benefits which the Directive brings are disputable since the Community legislature has only performed a partial harmonisation of selected aspects of the retention of data by providers of electronic communications services" https://www.vorratsdatenspeicherung.de/images/slovak_2007-04-19.pdf

Blanket and indiscriminate telecommunications data retention must be abandoned in favour of a system of expedited preservation and targeted collection of traffic data

Considering legal developments since 2005, the scale of the damage done to fundamental rights by the Directive and the questionable and unproven effectiveness of data retention for prosecuting serious crime, we urge the Commission to propose outlawing blanket data retention throughout the EU in favour of a system of expedited preservation and targeted collection of traffic data as agreed in the Council of Europe's Convention on Cybercrime, thus targeting supects of serious crime instead of surveilling 500 million Europeans without cause.

At the very least, the EU data retention directive should in the future offer to Member States the possibility to opt-out of indiscriminate retention. Member States should be given the option to stick with directive 2002/58 and the Council of Europe's Convention on Cybercrime that sets an international standard for a system of expedited preservation and targeted collection of traffic data.

While it is true that making data retention optional does not provide for total harmonisation, neither does the current directive. A choice in retention periods of 0 or 6 months, for example, would be more harmonised than the current directive. Making data retention optional at the EU level would also remove the legal risk of directive 2006/24 being annulled. Furthermore it would take into account the situation of member states that are legally unable (Romania) or politically unwilling (Germany) to introduce blanket data retention legislation. Differences in legal traditions, constitutions and political preferences in member states are too great to impose data retention on all member states. The evaluation report should suggest opening the directive to such alternative approaches.

We believe that such invasive surveillance of the entire population is unacceptable.

Based on the current situation, there is no measurable and significant damage to the single market as a result of some countries opting out of the Directive. Therefore the Directive's legal basis is fundamentally flawed and the Directive is illegal and subject to successful challenge.

As representatives of the citizens, the media, professionals and industry we collectively reject the Directive on telecommunications data retention. We urge you to propose the repeal of the EU requirements regarding data retention in favour of a system of expedited preservation and targeted collection of traffic data as agreed in the Council of Europe's Convention on Cybercrime.

The EDPS said at the data retention conference that without convincing evidence, "the Data Retention Directive should be withdrawn or replaced by a more targeted and less intrusive instrument which does meet the requirement of necessity and proportionality."

It is necessary to look beyond harmonization and re-using the existing failed approach. Conclusions must be drawn from the experiences of countries that have not implemented the Directive.

a) The directive should set upper limits on retention obligations only, thus allowing Member States to opt out of blanket retention entirely in favour of a system of expedited preservation and targeted collection of traffic data as agreed in the Council of Europe's Convention on Cybercrime. [Germany wants this, Romania needs this, and other Member States could want this, too.] b) The current upper limits set by the Directive should be lowered as much as possible, without raising any of the minimum requirements: -- retention periods as short as politically possible (suggestion of 3 months); -- categories of retained data as limited as politically possible (suggestion that Internet data should be excluded, only telephony data should be encompassed); -- compulsory and full reimbursement of investment and operating cost including personnel; -- decentralized storage and no direct government access.

Draft press release

Show why the Commission fails to demonstrate effectiveness and proportionality, and present our own proposal.

despite lack of evidence of necessity Commission believes that more of the same is needed.