Umbra

Aus Freiheit statt Angst!

Inhaltsverzeichnis 1 Draft report 1.1 Summary 1.2 Introduction 1.3 Blanket and indiscriminate telecommunications data retention has proven to be harmful 1.4 Blanket and indiscriminate telecommunications data retention has proven to be superfluous and counter-productive for removing market distorsions 1.5 Blanket and indiscriminate telecommunications data retention has proven to be superfluous for the detection, investigation and prosecution of serious crime 1.5.1 In how many cases does the investigation, detection and prosecution of serious crime lack communications data that are available under a blanket retention scheme? 1.5.2 To the prosecution of how many serious crimes did such extra communications data ultimately make a positive difference? 1.5.3 Is any such benefit offset by counter-productive side effects of blanket data retention? 1.5.4 Blanket and indiscriminate telecommunications data retention has no statistically significant impact on crime or the investigation of crime 1.5.5 Conclusions 1.6 Blanket and indiscriminate telecommunications data retention has proven to be disproportionate and unconstitutional 1.7 Blanket and indiscriminate telecommunications data retention must be abandoned in favour of a system of expedited preservation and targeted collection of traffic data 2 Draft press release

Draft report

Summary

Introduction

The Commission recently published a report evaluating the controversial Data Retention Directive 2006/24/EC, which is to be revised later this year.

The EU data retention directive 2006/24 requires telecommunications companies to store data about all of their customers' communications. Although ostensibly to reduce barriers to the single market, the Directive was proposed as a measure aimed at facilitating criminal investigations. The Directive creates a process for recording details of who communicated with whom via various electronic communications systems. In the case of mobile phone calls and SMS messages, the respective location of the users is also recorded. In combination with other data, Internet usage is also to be made traceable.

In 2010, the average European had his traffic and location data logged in a telecommunications database once every six minutes. According to official Danish statistics, every citizen is logged 225 times a day.^[1]

This blanket and indiscriminate bulk recording of telecommunications data of all 500 mio. EU citizens is, according to the European Data Protection Supervisor, "the most privacy invasive instrument ever adopted by the EU".^[2] It is also possibly the most highly controversial EU surveillance instruments and has ensued protest throughout the EU.

We welcome the legislator's intention to have the "data retention experiment" and its impact evaluated. The European Data Protection Supervisor called the current evaluation "the moment of truth" for the "notorious" directive. Unfortunately the Commission's evaluation methods have turned out to be fundamentally flawed. Rather than procuring an independent assessment that satisfies scientific standards, the Commission has produced a political document. This is why we have decided to publish this shadow evaluation report.

Blanket and indiscriminate telecommunications data retention has proven to be harmful

The Commission argues that the Directive protects (or should protect) personal data and fundamental rights by setting standards concerning purpose limitation, retention periods and procedures for access to retained data. It is true that the Directive were a data protection instrument if it set limits on pre-existing national retention schemes and imposed safeguards only. In actual fact, however, the Directive allows Member States to go beyond its limits in most respects (e.g. types of data to be retained, purpose of retention) and does not address access to retained data at all.^[3] Most importantly, in imposing a blanket and indiscriminate telecommunications data retention scheme on all Member States, the Directive does the opposite of protecting data from being processed without consent. If the purpose of the Directive truly were to protect human rights, it would ban national data retention laws or impose limits on pre-existing laws rather than itself mandating such blanket and indiscriminate telecommunications data retention.

With a blanket and indiscriminate telecommunications data retention regime in place, sensitive information about social contacts (including business contacts), movements and the private lives (e.g. contacts with physicians, lawyers, workers councils, psychologists, helplines, etc) of 500 million Europeans is collected in the absence of any suspicion. Telecommunications data retention undermines professional confidentiality, creating the permanent risk of data losses and data abuses and deters citizens from making confidential communications via electronic communication networks. Blanket retention has a major impact on consumers in that they can no longer use telecommunications in situations that legitimately require non-traceability.

• A poll^[4] of 1,000 Germans found in 2008 that indiscriminate bulk data retention is acting as a serious deterrent to the use of telephones, mobile phones, e-mail and Internet. The survey conducted by research institute Forsa found that with communications data retention in place, one in two Germans would refrain from contacting a marriage counsellor, a psychotherapist or a drug abuse counsellor by telephone, mobile phone or e-mail if they needed their help. One in thirteen people said they had already refrained from using telephone, mobile phone or e-mail at least once because of data retention, which extrapolates to 6.5 mio. Germans in total. There can be no doubt that obstructing confidential access to help facilities poses a danger to the physical and mental health of people in need as well as of the people around them.

• The German Working Group on Data Retention has received ample reports on negative effects of data retention, which have been summarised in its response to the Commission's evaluation questionnaire.^[5] The indiscriminate retention of all communications data turned out to disrupt confidential communications in many areas, affecting victims of sexual abuse, political activists, journalists, accountants, lawyers, businessmen, psychotherapists, drugs advisers and crisis line operators.

Citizens who refuse to use retracable communications channels act rationally as there have been concrete examples of abuse of communications data:

• In 2006, 17 million sets of mobile phone subscriber data were sold by employees of T-Mobile, among them secret telephone numbers of ministers, politicians, former German heads of state, economic leaders, billionaires and church officials.
• In Ireland, a female detective sergeant in the Irish police's intelligence division is being investigated over claims that she used her position to check her former lover's phone records.^[6] In Germany an intelligence officer was alleged in 2007 to have used his powers to spy on his wive's lover.^[7]

Although these abuse cases cannot always be directly linked to the data retention directive, it is clear that the directive removes the only truly effective way to prevent such data abuse by not storing the sensitive data in the first place.

More wide-spread than cases of abuse are cases of communications data leading to falsely suspect an innocent person of an offence not committed by them or not committed at all. Communications data are particularly prone to such errors as it is easy to make mistakes in the process of identifying a subscriber (e.g. transposed digits, mismatching time zones) and because communications data relate to an account only which can have been used by anyone (e.g. public wifi hotspot). Communications data have again and again lead to innocent citizens being put under surveillance, having their houses searched, being arrested or being publicly accused of abhorrent offences. Also location data is often used to investigate a large number of law-abiding citizens simply for having been close to a scene of crime.

Blanket and indiscriminate telecommunications data retention undermines the protection of journalistic sources and thus compromises the freedom of the press. Overall it damages preconditions of our open and democratic society.

• In a poll of 1,489 German journalists commissioned in 2008, one in fourteen journalists reported that the awareness of all communications data being retained had at least once had a negative effect on contacts with their sources.^[8] The inability to electronically receive information through untraceable channels with blanket data retention in place affects not only the press, but all watchdogs including government authorities.

• German telecommunications giant Deutsche Telekom illegally used telecommunications traffic and location data to spy on about 60 individuals including critical journalists, managers and union leaders in order to try to find leaks. The company used its own data pool as well as that of a domestic competitor and of a foreign company.^[9]

• In Poland retained telecommunications traffic and subscriber data was used in 2005-2007 by two major intelligence agencies to illegally disclose journalistic sources without any judicial control.^[10]

• In the Netherlands, retained data was used to reveal anonymous sources of a journalist that had nothing to do with the investigation. Also telecommunications data of non-suspects were accessed merely they had the same first name as the suspect.^[11]

The Article 29 Group has stressed that risks of breaches of confidentiality are inherent in the storage of any traffic data. Only erased data is safe data. That is why the ePrivacy directive 2002/58/EC established the principle that traffic data must be deleted as soon as no longer needed for the purpose of the transmission of a communication.

A poll of 2,176 Germans found in 2009 that 69.3% oppose data retention, making it the most strongly rejected surveillance scheme of all, including biometric passports, access to bank data, remote computer searches or PNR retention.^[12] A 2008 Eurobarometer poll found that a large majority of 69-81% of EU citizens rejected the idea of "monitoring" the Internet use or phone calls of non-suspects even in light of the fight against international terrorism.^[13]

Blanket and indiscriminate telecommunications data retention has proven to be superfluous and counter-productive for removing market distorsions

The data retention directive is based on article 114 (1) TFEU which allows the EU to approximate national laws "with the aim of establishing or ensuring the functioning of the internal market". The EU argues that differing national data retention requirements "may involve substantial investment and operating costs" for service providers^[14], "may constitute obstacles to the free movement of electronic communications services" and "give rise to distortions in competition between undertakings operating on the electronic communications market".^[15]

When the data retention directive was adopted in 2005/2006, only 5 of the then 25 Member States required communications service providers to retain certain communications data without cause, typically requiring the retention of less data for shorter periods of time than the Directive does. Another 5 Member States had legislation in place that would have allowed them to impose data retention requirements in the future.^[16] 15 of the then 25 Member States had not enacted any data retention legislation.^[17]

Today, the Directive being in force, 21 of 27 Member States are requiring service providers to retain communications data without cause^[18] with national obligations varying widely as to

1. the categories of service providers affected (the Directive imposes minimum requirements only),^[19]
2. the types of communications data to be retained (the Directive imposes minimum requirements only),
3. the retention period for each type of data (the Directive imposes a period of 6-24 months for certain types of data and certain purposes, otherwise not harmonised by the Directive),
4. the data safety requirements (not harmonised by the Directive),
5. the purposes for which retained data can be used (the Directive imposes minimum requirements only),
6. the conditions and procedure for access to and use of the data (not harmonised by the Directive),
7. the reimbursement of costs (not harmonised by the Directive).

It is apparent from these facts that by requiring all Member States to enact blanket retention legislation, the Directive has ensued much higher "investment and operating costs" for service providers in the EU than they would have been faced with without the Directive, and has resulted in a far larger patchwork of national blanket retention legislation than would have existed without the Directive. The Directive thus itself constitutes an "obstacle to the free movement of electronic communications services" and "gives rise to distortions in competition between undertakings operating on the electronic communications market".

From an internal market perspective, several options exist to really remove "obstacles to the internal market for electronic communications" without imposing the concept of blanket and indiscriminate telecommunications data retention on all Member States and citizens:

1. The EU could prohibit national legislation mandating blanket data retention without cause in favour of a system of expedited preservation and targeted collection of traffic data as agreed in the Council of Europe's Convention on Cybercrime.
2. The EU could require Member States with (optional) national retention legislation in place to fully compensate the providers affected.
3. The EU could require Member States without (optional) national retention legislation in place to impose a levy on their communications service providers, thus eliminating any competitive advantage they might have as a result of not having to retain data indiscriminately.
4. The EU could amend the Directive so as to impose limits on (optional) national retention legislation only, rather than impose the concept of blanket communications data on all Member States, and still create a more harmonised market than exists at present. For example, a blanket retention period of 0 to 6 months would create a far more harmonised situation than imposing a retention period of 6-24 months.

When proposing the data retention directive, the Commission itself considered compulsory compensation the key element to prevent market distortions: "The cost reimbursement principle will allow creating a level playing field for the electronic communication providers in the internal market."^[20] When the Directive was adopted, however, the one element that would have contributed to creating a more level playing field - cost reimbursement - was removed from the Directive. Yet this element is a simple and far less invasive way of preventing market distortions than trying - and failing - to establish a harmonised data retention scheme throughout the EU.

Interestingly, the Commission is now citing a study according to which the retention costs of an ISP with half a million subscribers is around 0.75 Euro per subscriber in the first year and 0.24 Euro in subsequent years, with data retrieval costs of about 0.70 Euro per subscriber and year. The Commission concludes that blanket retention requirements have "no significant impact" on competition or investment. If that is so, then there is no justification for the EU to harmonise such national legislation at all. The European Court of Justice has repeatedly held that the EU may rely on article 114 TFEU with a view to "eliminating appreciable distortions of competition" only.^[21] If national data retention requirements result in costs of no more than 1 or 2 Euros per customer and year, they cannot seriously be claimed to appreciably distort cross-border competition.

Besides we remain unconvinced by the EU Court of Justice's decision that national legislation mandating the retention of data for law enforcement purposes "have as their object the establishment and functioning of the internal market" within the meaning of Article 114 TFEU. If the Court's reasoning was correct, the EU would be competent to harmonise all national information keeping or other requirements imposed on companies for purposes such as law enforcement, taxation, national defense and educational purposes. For example the EU could harmonise tax record keeping requirements or national standards for manufacturing police weapons, military equipment or school textbooks, all in the name of internal market harmonisation. This by far exceeds the scope of article 114 TFEU.^[22]

In conclusion, the Directive has not only failed its purpose of creating a more level playing field for service providers but has proven to be counter-productive in this respect, creating a far more patchworked situation than had existed before. Several alternative approaches "consistent with the objective"^[23] of removing market distortions "while at the same time causing less interference"^[24] exist, other than imposing the concept of blanket communications data on all Member States and citizens.

Blanket and indiscriminate telecommunications data retention has proven to be superfluous for the detection, investigation and prosecution of serious crime

The Commission tries to justify blanket and indiscriminate telecommunications data retention by claiming it necessary for prosecuting serious crime. As evidence for this claim the Commission cites statistics and examples provided by Member States concerning access to and subsequent use of retained communications data for purposes such as convictions for criminal offences and acquittals of innocent suspects. Without data retention, the Commission claims, such results "might" [sic!] not have been achieved.

First of all, law enforcement interests cannot justify the Directive because its purpose is not facilitating law enforcement. According to the settled case-law of the EU Court of Justice, the interference with fundamental rights an EU measure ensues needs to be justified by the "objectives pursued by the measure chosen".^[25] The predominant objective of the Data Retention Directive is ensuring the functioning of the internal market (Articles 114 and 26 TFEU).^[26] The EU has no competence in the area of law enforcement, except where specifically police co-operation, judicial co-operation or the approximation of criminal law is concerned, which is not the case with data retention.^[27] If the EU relies on internal market objectives for establishing its competence, it cannot rely on a completely different purpose (facilitating law enforcement) for establishing conformity with fundamental rights. If the proper functioning of the internal market is the "predominant" purpose of the Directive, the interference with fundamental rights that comes with it cannot be "predominantly" justified with a completely different purpose which the EU may not legally pursue on the basis of Article 114 TFEU.

Furthermore, even if law enforcement purposes were to be considered, the Commission has failed to prove the necessity of blanket and indiscriminate telecommunications data retention for that purpose. The methodology the Commission uses is unfit to demonstrate necessity. In order to establish the necessity of blanket and indiscriminate telecommunications data retention "for the purpose of the investigation, detection and prosecution of serious crime" in a scientifically valid way, three points would need to be assessed:

1. In how many cases does the investigation, detection and prosecution of serious crime lack communications data that are available under a blanket retention scheme?
2. To the prosecution of how many serious crimes did such extra communications data ultimately make a positive difference?
3. Is any such benefit offset by counter-productive side effects of blanket data retention?

In how many cases does the investigation, detection and prosecution of serious crime lack communications data that are available under a blanket retention scheme?

A wealth of communications data is available for law enforcement purposes even where providers are in principle obliged to erase such data upon the termination of each communication (see Article 6 of directive 2002/58/EC). Law enforcement authorities can request providers to preserve communications data that is available while a communication is ongoing (e.g. Internet access). Law enforcement authorities can request access to communications data providers retain for billing purposes (e.g. telephone records). Law enforcement authorities can order providers to preserve data relating to future communications of suspects.

The evidence presented by the Commission to justify blanket retention mostly concerns situations where "useful" communications data was available in Member States that have transposed the Directive. Access statistics and examples of usefulness fail to demonstrate necessity though because it is not shown that the data would have been lacking in the absence of a blanket retention scheme. Most of the evidence presented by the Commission is irrelevant because it fails to identify the reason for which "useful" communications data was retained (i.e. commercial purposes, request by law enforcement authorities or blanket retention requirements), thus failing to demonstrate that the data would have been lacking in the absence of a blanket retention scheme. For example, the communications data used to investigate the Madrid bombings were available in the absence of a blanket retention scheme. Even where law enforcement authorities access data specifically retained in accordance with retention obligations, the same data may have been available in the absence of such obligations. The evaluation report fails to demonstrate that any benefits communications data may have for prosecuting crime depend specifically on blanket retention schemes and cannot likewise be achieved under targeted data preservation schemes. The possible occasional utility of access to communications data by law enforcement agencies does not mean that there was a need to retain such data indiscriminately.

The European Court of Human Rights has consistently held that mere usefulness does not satisfy the test of necessity.^[28] In a case concerning the retention of biometric data, the European Court of Human Rights critizised data such as now presented by the Commission: "It is true, as pointed out by the applicants, that the figures do not reveal the extent to which this 'link' with crime scenes resulted in convictions of the persons concerned or the number of convictions that were contingent on the retention of the samples of unconvicted persons. Nor do they demonstrate that the high number of successful matches with crime-scene stains was only made possible through indefinite retention of DNA records of all such persons. […] Yet such matches could have been made even in the absence of the present scheme […]."^[29]

In order to examine in how many cases the investigation, detection and prosecution of serious crime lacks communications data, the situation in countries where no blanket retention requirements are or was in place needs to be analysed, which the Commission fails to do. An evaluation which fails to address countries which have not transposed the allegedly "necessary" Directive is, by definition, inadequate.

An independent study commissioned by the German government found that among a sample set of 1.257 law enforcement requests for traffic data made in 2005, only 4% of requests could not be (fully) served for a lack of retained data.^[30] The German Federal Crime Agency (BKA) counted only 381 criminal investigation procedures in which traffic data was lacking in 2005^[31] and 880 failed requests in 2010^[32] In view of a total of the total of about 6 million criminal investigations per year, no more than 0.01% of criminal investigation procedures were potentially affected by a lack of traffic data.^[33]

Similarly a dutch study of 65 case files found that requests for traffic data could "nearly always" be served even in the absence of compulsory data retention.^[34] The cases studied were almost all solved or helped using traffic data that was available without compulsory data retention.^[35]

It follows that in most cases, sufficient communications data for the investigation, detection and prosecution of serious crime is available without blanket retention obligations.

To the prosecution of how many serious crimes did such extra communications data ultimately make a positive difference?

Where otherwise unavailable communications data is accessed by law enforcement authorities under a blanket retention scheme, this data often makes no difference to the outcome of the criminal investigation. Often an investigation will be unsuccessful whether or not communiations data is available. For example, communications data can be without benefit to an investigation where they lead to a public telephone booth, a public Internet café, a public Internet access point, a VPN "anonymizing" service, a prepaid mobile telephone card not correctly registered by the subscriber or a device the user of which at the relevant time cannot be established. On the other hand, many criminal offences are successfully prosecuted in spite of the unavailability of communiations data by using other evidence. The making available of more data to law enforcement agencies does therefore not in itself demonstrate that this extra data was necessary for the prosecution of serious crime. Availability is not necessity.

Law enforcement authorities in states that require the deletion of communications data often present statistics on how many requests for communications data were not served due to a lack of communications data. This evidence is irrelevant because it fails to demonstrate any influence extra data would have had on the outcome of these investigations. Likewise, the number of cases in which retained data is used and which result in criminal prosecutions does not demonstrate that blanket retention ultimately made a difference to the outcome of these cases, i.e. to the prosecution of serious crime.

An independent study commissioned by the German government found that about one third of the suspects in procedures with unsuccessful requests for communications data were still taken to court on the basis of other evidence.^[36] Moreover 72% of the investigations with fully successful requests for traffic data did still not result in an indictment.^[37] All in all, blanket data retention would have made a difference to only 0.002% of criminal investigations.^[38] This number does not change significantly when taking into account that in the absence of a blanket data retention scheme, less requests for data are made in the first place.^[39]

Is any such benefit offset by counter-productive side effects of blanket data retention?

It has been shown that blanket retention obligations may make a positive difference to the prosecution of a small fraction of criminal offences. Even so, such obligations cannot be considered necessary for the prosecution of serious crime if benefits in some cases are offset by counter-productive side effects on the prosecution of serious crime in other cases.

The indiscriminate retention of communications data without cause has counter-productive effects on the prosecution of serious crime in that it furthers the use of circumvention techniques and other communication channels (e.g. Internet cafés, public wireless Internet access points, anonymisation services, public telephones, unregistered mobile telephone cards, non-electronic communications channels). According to a representative poll after the implementation of the Directive in Germany, 24.6% of Germans declared that they use or intend to use public Internet cafés, 59.8% said that they use or intend to use an Internet access provider that does not retain communications data without cause, and 46.4% of Germans declared that the use or intend to use Internet anonymization technology.^[40]

Such avoidance behaviour can not only render retained data meaningless but also frustrate more targeted investigation techniques that would otherwise have been available for the investigation and prosecution of serious crime. Overall, blanket data retention can thus be counterproductive to criminal investigations, facilitating a few, but rendering many more futile.

Blanket and indiscriminate telecommunications data retention has no statistically significant impact on crime or the investigation of crime

A meaningful assessment of net effectiveness of blanket retention schemes needs to look at whether, in a given country, serious crime as a whole is prosecuted more effectively under a blanket retention scheme than under a targeted investigation scheme. Has the introduction of a blanket retention scheme led to an increase in the number of condemnations, acquittals, the closure or discontinuation of cases, or the prevention of crimes? Did States operating with targeted instruments achieve a similar number of condemnations, acquittals, the closure or discontinuation of cases, and the prevention of crimes as States operating with blanket retention? The evaluation report fails to assess the effectiveness of law enforcement in Member States and non-Member States that do not have a blanket retention scheme in place.

Many law enforcement agencies around the world operate successfully without relying on blanket data retention. Among these states are Austria, Germany, Greece, Norway, Romania, Sweden and Canada. The absence of data retention legislation does not lead to a rise in crime in those states, or to a decrease in crime clearance rates, not even in regard to Internet crime. Nor did the coming into force of data retention legislation have any statistically significant effect on crime or crime clearance.

This is exemplified by statistics published by the German Federal Crime Agency (BKA):

This picture is confirmed by statistics published by the Ministry of the Interior of the Czech Republic and by the Police of the Czech Republic:

Statistics published by the Austrian Ministry of the Interior show that the absence of blanket data retention legislation does not result in a rise in crime or a drop in crime clearance:

In the absence of a blanket traffic data retention regime, German law enforcement agencies have consistently cleared more than 70% of all reported Internet offences, significantly outperforming the average crime clearance rate of about 50%. The coming into force of data retention legislation did not have any statistically significant effect on crime rates or crime clearance rates.

Notwithstanding the comprehensive evidence presented above, we would like to recall that it is not our task to prove blanket data retention superfluous. It is rather the proponents of this measure who bear the onus of proof regarding the alleged necessity of blanket data retention.

Conclusions

Facilitating law enforcement is not necessity. Access statistics, anecdotal evidence or perceived utility^[41] do not demonstrate a need for blanket data retention. Successful requests for traffic data retained under directive 2006/24 do not prove that data would otherwise have been lacking, despite the commercial billing data stored under directive 2002/58 and extra data stored in compliance with specific judicial orders. Even where extra data is disclosed under data retention schemes, it often has no influence on the outcome of investigation procedures or benefits are offset by avoidance behaviour among citizens. The quota of criminal investigations the outcome of which depends specifically on blanket communications data retention is exceedingly small (about 0.01%) and apparently offset by the counter-productive effects blanket retention has on the prosecution of serious crime.

Studies prove that the communications data available without data retention are generally sufficient for effective criminal investigations. According to crime statistics, serious crime is investigated and prosecuted just as effectively with targeted investigation techniques that do not rely on blanket retention. Blanket data retention has proven to be superfluous in many states across Europe, such as Austria, Belgium, Germany, Greece, Romania and Sweden. These states prosecute crime just as effectively using targeted instruments, such as the data preservation regime agreed in the Council of Europe Convention on Cybercrime.

Besides, facilitating the prosecution of crime is not safety. The prevalence of serious crimes is no lower in states or times where communications data are being retained indiscriminately than in other states. There is no proof that telecommunications data retention provides for better protection against crime.

Blanket and indiscriminate telecommunications data retention has proven to be disproportionate and unconstitutional

Legal experts expect the European Court of Justice to follow the Constitutional Court of Romania as well as the European Court of Human Rights's Marper judgement and declare the retention of telecommunications data in the absence of any suspicion incompatible with the EU Charter of Fundamental Rights.

Last year the Romanian Constitutional Court found that data retention per se breached Article 8 of the European Convention on Human Rights: “[Data retention] equally addresses all the law subjects, regardless of whether they have committed penal crimes or not or whether they are the subject of a penal investigation or not, which is likely to overturn the presumption of innocence and to transform a priori all users of electronic communication services or public communication networks into people susceptible of committing terrorism crimes or other serious crimes. Law 298/2008 [applies] practically to all physical and legal persons users of electronic communication services or public communication networks – so, it cannot be considered to be in agreement with the provisions in the Constitution and Convention for the defence of human rights and fundamental freedoms regarding the guaranteeing of the rights to private life, secrecy of the correspondence and freedom of expression.”^[42]

Earlier this year the Federal Constitutional Court of Germany ruled the German data retention requirements unconstitutional and void for being disproportionate in their concrete form.^[43] Although the Court considered that data retention did not per se breach the German constitution, it did not assess the compatibility of data retention with the European Convention on Human Rights or with the EU Charter of Fundamental Rights. However it made clear that surveillance programs may not exceed an absolute overall constitutional threshold that exists for the collection of personal data by governments, and that telecommunications data retention would bring the surveillance situation in Germany very close to this barrier. Future surveillance measures might be found unconstitutional not even for being disproportionate in themselves, but for passing this absolute overall surveillance barrier. Therefore, maintaining blanket and superfluous data retention jeopardises the constitutionality of more effective and targeted future measures.

There are further complaints pending before the Hungarian Constitutional Court^[44] and before the Irish High Court. Recently, the Irish High Court ruled in favour of a request to challenge the Data Retention Directive at the EU Court of Justice.^[45] The Court found that data retention had the potential to be of “importance to the whole nature of our society”. “[I]t is clear that where surveillance is undertaken it must be justified and generally should be targeted”. The Court ruled that civil liberties campaign group Digital Rights Ireland had the right to contest “whether the impugned provisions violate citizen's rights to privacy and communications” under the EU treaties, the European Convention on Human Rights and the EU Charter of Fundamental Rights. The reference to the EU Court of Justice is expected in the next weeks.

The Court of Justice can be expected to follow the previous rulings and annul directive 2006/24, having regard to the jurisprudence of the European Court of Human Rights. The Grand Chamber of the latter Court found in 2008 that the retention of biometrics on mere suspects breached Article 8 of the European Convention on Human Rights: “In conclusion, the Court finds that the blanket and indiscriminate nature of the powers of retention of the fingerprints, cellular samples and DNA profiles of persons suspected but not convicted of offences, as applied in the case of the present applicants, fails to strike a fair balance between the competing public and private interests and that the respondent State has overstepped any acceptable margin of appreciation in this regard. Accordingly, the retention at issue constitutes a disproportionate interference with the applicants' right to respect for private life and cannot be regarded as necessary in a democratic society.”^[46] This assessment of the collection of identification data on 5 million citizens^[47] must, a fortiori, apply to the much larger collection of information on the daily communications of 500 million citizens throughout the EU.

It is of great importance that the evaluation report reflects the judgement of the Constitutional Court of Romania correctly. This ruling held that any blanket retention of telecommunications data violates Article 8 of the European Convention on Human Rights. The Court did not only question the compatibility of blanket retention with human rights, it definitively ruled that it is incompatible. In its decision the Court relied not only on the Romanian Constitution, but also on case-law of the European Court of Human Rights, in deeming data retention a particularly intrusive measure which is in breach of Art. 8 of the ECHR.

Regarding the judgement of the German Constitutional Court, the evaluation report should mention the fact that the Directive's provisions regarding data security were found insufficient and that any retention period of more than six months was considered disproportionate by the Court.

Pending court actions with the Hungarian and Czech constitutional courts should also be mentioned.

We remain concerned that DG Home's understanding of European fundamental rights jurisprudence is flawed. For instance, in its S. and Marper v. The United Kingdom judgement, the Court did not only require safeguards or insist on limited retention periods in this judgement, but ruled: “In conclusion, the Court finds that the blanket and indiscriminate nature of the powers of retention of the fingerprints, cellular samples and DNA profiles of persons suspected but not convicted of offences, as applied in the case of the present applicants, fails to strike a fair balance between the competing public and private interests and that the respondent State has overstepped any acceptable margin of appreciation in this regard.” This finding does not rely on retention periods, but on the fact that personal data of persons not convicted of offences were being retained indiscriminately, as is the case with Directive 2006/24.

Furthermore, the EU Court's recent ground-breaking Schecke ruling annulled an EU Regulation requiring the blanket publication of personal data for being disproportionate, arguing that alternative, targeted measures were available “which would be consistent with the objective of such publication while at the same time causing less interference with those beneficiaries’ right to respect for their private life”. The EDPS said at the data retention conference that he finds it “highly doubtful whether the systematic retention of communication data on such a wide scale constitutes a strictly necessary measure”.

The Romanian constitutional court found in 2009 that data retention per se breaches Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms (European Convention on Human Rights). The German Constitutional Courts also declared national implementing legislation to be unconstitutional earlier this year. In May, the Irish High Court decided to ask the European Court of Justice to rule whether EU communications data retention rules violate the EU Charter of Fundamental Rights.

"the legislator has stated in Recital 22 of the Data Retention Directive(2) that the directive respects the fundamental rights" (Malmström)

• The fundamental rights charter was not in force then.
• Anyway courts have ruled differently. (Germany, Romania, Ireland? Links?)
• The Commission will have to make its own assessment rather than just quote a political statement that is 5 years old.

"In the Marper jurisprudence the European Court of Human Rights ruled that indefinite retention of certain sensitive personal data constitutes "a disproportionate interference with the applicants' right to respect for private life and cannot be regarded as necessary in a democratic society". The Data Retention Directive, however, requires that data are retained for a definitive amount of time (6 to 24 months), obliges to delete data after that period and forbids the retention of information about the content of communications." (Malmström)

• "In conclusion, the Court finds that the blanket and indiscriminate nature of the powers of retention of the fingerprints, cellular samples and DNA profiles of persons suspected but not convicted of offences, as applied in the case of the present applicants, fails to strike a fair balance between the competing public and private interests and that the respondent State has overstepped any acceptable margin of appreciation in this regard. Accordingly, the retention at issue constitutes a disproportionate interference with the applicants' right to respect for private life and cannot be regarded as necessary in a democratic society." Is there anything about the storage period in that statement?

“It is untenable for the European Commission to be negotiating ratification of the European Convention on Human Rights and simultaneously taking Member States to court for failing to implement a Directive which they patently do not consider to be “necessary”. When Constitutional Courts of Member States have ruled a particular piece of legislation to be 'not necessary in a democratic society', it is profoundly dangerous for the European Commission to take legal action to force the adoption of that legislation. Dangerous for fundamental rights, but also dangerous for the credibility of the European Union itself.”

The German court ruled that data retention created a perception of surveillance which could limit the free exercise of fundamental rights but acknowledged explicitly that retention for sufficiently limited uses and enough security would not necessarily breach the Basic Law. Data should only be requested when there is a suspicion of a serious criminal offence or evidence of a danger to the public. Retrieval should be prohibited for certain communications that require confidentiality.

Principle of data retention in breach of article 8 ECHR - “continuous limitation of privacy [...] makes the essence of the right disappear.” - passive subject in communications: “the called person can become, without his will, suspect.” http://www.legi-internet.ro/english/jurisprudenta-it-romania/decizii-it/romanian-constitutional-court-decision-regarding-data-retention.html The Commissions assessment of the ruling is outright false: The Romanian court accepted that interference with fundamental rights may be permitted when it respects certain rules, and provides adequate and sufficient safeguards [comment: did anyone ever dispute this?]. The court ruled that the transposing law was ambiguous in scope and purpose, lacked the necessary safeguards and questioned whether a continuous obligation to retain data for six months was compatible with the rights to privacy and freedom of expression.

"the question arises whether the Directive meets accepted and established standards for the justifications and objectives subject to which it is possible to interfere with the right to privacy. In connection with the extensive requirements as to the volume of retained information and the considerable length of the retention period which the contested Directive requires, it is also questionable whether such a-far-reaching interference with the rights protected by Article 8 of the European Convention on Human Rights may legitimately be justified and considered proportionate on the basis of justifications and objectives which are essentially economic (removing barriers to the internal market and distortion of competition). It is also disputable to say the very least whether interest in the better fiinctioning of the internal market may be considered of such importance that it balances or even outweighs the negative consequences of the significant interference in privacy caused by the Directive. That is even more relevant since the economic benefits which the Directive brings are disputable since the Community legislature has only performed a partial harmonisation of selected aspects of the retention of data by providers of electronic communications services" https://www.vorratsdatenspeicherung.de/images/slovak_2007-04-19.pdf

"Data freeze will never bring back deleted data." (Malmström)

• Yet it avoids the counterproductive and adverse side-effects of DR and actually appears to be the more effective policy overall.
• It's like real life: criminal prosecution in real world, as it works today, is nothing else than "quick freeze" for the digital communication data. Do you like to direct a new directive in order to chronicle every letter being sent, every rendezvous and every meeting of people in europe, that happen in "real life"?

   * Nützlichkeit ist nicht gleich Sicherheit. Mehr Daten mögen in Einzelfällen nützlich sein. Im Ergebnis ist in Staaten mit Vorratsdatenspeicherung jedoch keine geringere Kriminalitätsrate zu verzeichnen als in Staaten ohne Vorratsdatenspeicherung. Insgesamt gesehen gibt es mit Vorratsdatenspeicherung nicht weniger Kindesmissbrauch, Vergewaltigungen, Körperverletzungen oder sonstige Straftaten als ohne Vorratsdatenspeicherung.
   * Aufklärung ist nicht gleich Schutz. Es ist nicht nachweisbar, dass eine erleichterte Aufklärung von Straftaten irgend einen Einfluss auf die Kriminalitätsrate hat.
   * Arbeitserleichterung ist nicht gleich Erforderlichkeit. Weltweit werden Straftaten auch ohne Vorratsdatenspeicherung erfolgreich aufgeklärt, gerade im Internet. Außer in Deutschland werden auch in Belgien, Griechenland, Österreich, Schweden und Rumänien Straftaten erfolgreich ohne Vorratsdatenspeicherung verfolgt, ebenso etwa in Kanada und den USA. In Deutschland wurden wurden 2007 ohne Vorratsdatenspeicherung 84,4% aller in Deutschland registrierten Internetdelikte einschließlich der Verbreitung von Kinderpornografie erfolgreich aufgeklärt – von den sonstigen Straftaten nur 55%.[2] Die Einführung der Vorratsdatenspeicherung am 01.01.2008 hat die Aufklärungsrate nicht erhöht (2007: 55,0%, 2008: 54,8%).[3]
   * Einzelfallbetrachtung ist nicht gleich Verhältnismäßigkeit. Aus einer Studie des Max-Planck-Instituts ergibt sich, dass die Vorratsdatenspeicherung im besten Fall bei 0,01% aller Straftaten von Nutzen sein kann[4] – zu 99,99% wird sinnlos aufgezeichnet.
   * Massenverfolgung ist nicht gleich Effizienz. Mithilfe von Telekommunikationsdaten werden hauptsächlich Betrügereien und Tauschbörsennutzer ermittelt.[5] Diese massenhafte Verfolgung von Kleinkriminalität kostet die Polizei Ressourcen, die bei der Ermittlung schwerer Straftäter und der Hintermänner fehlen. In den letzten Jahren sind bei der Polizei 17.000 Stellen gestrichen worden.[6]
   * Betriebsblindheit ist nicht gleich Klugheit. In ihrer Jagd auf 0,01% der Straftäter verlieren die Befürworter der Vorratsdatenspeicherung aus den Augen, dass eine unprotokollierte Kommunikation Leben, Gesundheit und Freiheit von weit mehr Unschuldigen schützt, etwa wo Beratungsstellen gewalttätige Familienväter oder Pädophile überzeugen können, sich einer Therapie zu unterziehen. Im Jahr 2007 konnte beispielsweise ein bei der Telefonseelsorge tätiger Pfarrer einen Jugendlichen überzeugen, einen geplanten Amoklauf zu unterlassen. Wäre der Anruf rückverfolgbar gewesen, hätte der Jugendliche wohl nie über sein Vorhaben gesprochen. Einer Forsa-Umfrage vom Juni 2008 zufolge hielt die Vorratsdatenspeicherung jeden zweiten Deutschen davon ab, sich telefonisch beraten zu lassen,[7] was unsere Sicherheit gefährdete.
   * Telekommunikation ist nicht gleich Straftat. Telefon, Handy und Internet werden zu 99,9% vollkommen legal eingesetzt. Gespräche müssen am Telefon ebenso wenig registriert werden wie sonstige Gespräche. Briefe müssen im Internet ebenso wenig registriert werden wie sonstige Briefe. Bewegungen müssen mit einem Handy ebenso wenig registriert werden wie sonstige Bewegungen.
   * Gefährdung ist nicht gleich Kriminalität. Was Straftaten anbelangt, ist Deutschland eines der sichersten Länder der Welt. Tod, Krankheit oder Behinderung beruhen bei uns nur zu 0,2% auf Gewalt und Straftaten.[8] Dagegen kosten Tabak, Alkohol, Cholesterin, Übergewicht, Fehlernäherung, Bewegungsmangel, Suizid, Stürze und der Straßenverkehr ein Vielfaches an Menschenleben – obwohl sie sehr viel leichter zu reduzieren wären.
   * Überwachung ist nicht gleich Sicherheit. Umgekehrt ermöglichen Datenhalden erst Missbrauch wie bei der Deutschen Telekom AG und Betrug wie im Fall der Bankdaten. Nur nicht gespeicherte Daten sind sichere Daten. Die Vorratsdatenspeicherung stellt diese Erkenntnis auf den Kopf.
   * EU-Recht ist nicht gleich Notwendigkeit. Die Nichtumsetzung der EU-Richtlinie zur Vorratsdatenspeicherung wird nur ein weiteres neben den zurzeit 68 anhängigen Vertragsverletzungsverfahren gegen Deutschland[9] sein. Auch vier Jahre nach dem tragischen Beschluss der Richtlinie zur Vorratsdatenspeicherung hat keines der Länder, die sich der Umsetzung verweigern, auch nur einen Euro Strafe zahlen müssen. Der Rumänische Verfassungsgerichtshof hat festgestellt, dass eine Vorratsdatenspeicherung gegen die Europäische Menschenrechtskonvention verstößt. Die Einhaltung der Menschenrechtskonvention muss Vorrang vor der Umsetzung Brüsseler Richtlinien haben.
   * Verfolgungswahn ist nicht gleich der Wille des Volkes: 70% der Bundesbürger lehnen die Vorratsdatenspeicherung ab[10] - ebenso wie 50 Berufs- und Wirtschaftsverbände.[11]
   * Freiheit ist nicht gleich Unsicherheit. Es ist kein Zufall, dass wir in Deutschland mit vergleichsweise wenig Überwachung und starkem Grundrechtsschutz sicherer leben als Kontrollstaaten wie Großbritannien. Sicherheit braucht in erster Linie Vertrauen und Achtung vor dem Recht – auch vor den Menschenrechten. 

So the question arises whether it is proportionate for the EU to require all providers in the EU to indiscriminately retain confidential communications data without cause, merely to prevent competitive (dis)advantages that might exist in a "patchwork" situation where some Member States require providers to retain data and others require deletion.

The Slovak Republic has rightly contended before the ECJ that it is more than "questionable whether such a far-reaching interference with the rights protected by Article 8 of the European Convention on Human Rights may legitimately be justified and considered proportionate on the basis of justifications and objectives which are essentially economic (removing barriers to the internal market and distortion of competition). It is also disputable to say the very least whether interest in the better functioning of the internal market may be considered of such importance that it balances or even outweighs the negative consequences of the significant interference in privacy caused by the Directive. That is even more relevant since the economic benefits which the Directive brings are disputable since the Community legislature has only performed a partial harmonisation of selected aspects of the retention of data by providers of electronic communications services" https://www.vorratsdatenspeicherung.de/images/slovak_2007-04-19.pdf

In fact, there are much less invasive ways of preventing competitive advantages of providers that are under no national data retention obligation: For example, the EU could require full compensation of all provider under national data retention obligations. Or the EU could require the imposition of a levy on providers under no such obligation.

While the proper functioning of the internal market is but the "predominant" purpose of directive 2006/24/EC, the interference with fundamental rights that comes with it cannot be "predominantly" justified with a completely different purpose (law enforcement), but (at least) mostly needs to be justified for the objective which the EU may legally pursue on the basis of art. 114 TFEU, which is not the case.

Blanket and indiscriminate telecommunications data retention must be abandoned in favour of a system of expedited preservation and targeted collection of traffic data

Considering legal developments since 2005, the scale of the damage done to fundamental rights by the Directive and the questionable and unproven effectiveness of data retention for prosecuting serious crime, we urge the Commission to propose outlawing blanket data retention throughout the EU in favour of a system of expedited preservation and targeted collection of traffic data as agreed in the Council of Europe's Convention on Cybercrime, thus targeting supects of serious crime instead of surveilling 500 million Europeans without cause.

At the very least, the EU data retention directive should in the future offer to Member States the possibility to opt-out of indiscriminate retention. Member States should be given the option to stick with directive 2002/58 and the Council of Europe's Convention on Cybercrime that sets an international standard for a system of expedited preservation and targeted collection of traffic data.

While it is true that making data retention optional does not provide for total harmonisation, neither does the current directive. A choice in retention periods of 0 or 6 months, for example, would be more harmonised than the current directive. Making data retention optional at the EU level would also remove the legal risk of directive 2006/24 being annulled. Furthermore it would take into account the situation of member states that are legally unable (Romania) or politically unwilling (Germany) to introduce blanket data retention legislation. Differences in legal traditions, constitutions and political preferences in member states are too great to impose data retention on all member states. The evaluation report should suggest opening the directive to such alternative approaches.

We believe that such invasive surveillance of the entire population is unacceptable.

Based on the current situation, there is no measurable and significant damage to the single market as a result of some countries opting out of the Directive. Therefore the Directive's legal basis is fundamentally flawed and the Directive is illegal and subject to successful challenge.

As representatives of the citizens, the media, professionals and industry we collectively reject the Directive on telecommunications data retention. We urge you to propose the repeal of the EU requirements regarding data retention in favour of a system of expedited preservation and targeted collection of traffic data as agreed in the Council of Europe's Convention on Cybercrime.

The EDPS said at the data retention conference that without convincing evidence, "the Data Retention Directive should be withdrawn or replaced by a more targeted and less intrusive instrument which does meet the requirement of necessity and proportionality."

It is necessary to look beyond harmonization and re-using the existing failed approach. Conclusions must be drawn from the experiences of countries that have not implemented the Directive.

a) The directive should set upper limits on retention obligations only, thus allowing Member States to opt out of blanket retention entirely in favour of a system of expedited preservation and targeted collection of traffic data as agreed in the Council of Europe's Convention on Cybercrime. [Germany wants this, Romania needs this, and other Member States could want this, too.] b) The current upper limits set by the Directive should be lowered as much as possible, without raising any of the minimum requirements: -- retention periods as short as politically possible (suggestion of 3 months); -- categories of retained data as limited as politically possible (suggestion that Internet data should be excluded, only telephony data should be encompassed); -- compulsory and full reimbursement of investment and operating cost including personnel; -- decentralized storage and no direct government access.

Draft press release

Show why the Commission fails to demonstrate effectiveness and proportionality, and present our own proposal.

despite lack of evidence of necessity Commission believes that more of the same is needed.