The Lives of Others

Manijeh Khan looks at what is happening to Data Retention rules in the EU

Image: Photo by Michael Pujals CC BY-NC-SA 2.0

The Lives of Others is a poignant, Oscar-winning film by Florian Henckel von Donnersmarck, released in 2006, showing the extensive surveillance to which numerous East Germans were subjected at the hands of the Stasi. It is a chilling reminder of the terrible consequences of living in a police state. 

Ironically, in the same year, Europe passed a new law which has had a significant adverse impact on our right to privacy – namely the Data Retention Directive (the “Directive”). Despite such cautionary tales, the European Union has spent the last few years pushing ahead with implementation of the Directive.

Earlier this year, the EU Commission published an evaluation report on the Directive. The Commission conceded that the law required considerable fine-tuning, in terms of better harmonisation across the EU and the implementation of stronger safeguards to prevent misuse of data, but concluded that overall, data retention has proved to be a “valuable tool” in the fight against crime. That position has been strongly disputed by both European Data Rights (“EDRI”) and the European Data Protection Supervisor (“EDPS”).

Background to the Data Retention Directive

The Directive requires telephone and internet service providers (“telecoms providers”) to retain traffic, location and subscriber data from between six months and two years for the purpose of investigation, detection and prosecution of serious crime.

Data retention by telecoms providers existed well before the enactment of the Directive, except that it was voluntary and circumscribed by the E-Privacy law. Telecoms providers retained our mobile and internet traffic data for commercial reasons, such as billing, interconnection payments or marketing, but the information had to be deleted or made anonymous once it was no longer necessary as set out under the E-Privacy Directive (2002).

The limitations of this approach were that, since data retention was voluntary, there was no consistency in the manner in which information was retained. Web logs could have been kept anywhere from a few days to several months or not at all, depending on the particular policy of the ISP concerned. Moreover, the provisions of the E-privacy law meant that generally data could never be held for long durations. In a nutshell, under these circumstances, law enforcement authorities could not depend on the data being available for any substantial length of time or at all. 

In the wake of the London and Madrid bombings, stronger investigative measures were seen as essential to combat terrorism and the UK government led the charge for a system of mandatory data retention to be imposed on telecoms providers throughout the EU, with data being held on to for longer than the providers might otherwise have considered necessary for business purposes. The Data Retention Directive was implemented, despite fears that it would facilitate mass surveillance.


Criticism

The disquiet surrounding the Data Retention Directive has continued and not been quelled by the EU Commission’s evaluation report.

EDRi (the European Digital Rights group of which the Open Rights Group is a member) issued a shadow report sharply critical of the Commission’s stance in the evaluation. EDRi condemned the EU Commission for failing to produce sufficient evidence demonstrating that data retention is necessary for the investigation of crime. In picking apart the statistics and arguments relied on by the Commission to support data retention, EDRI made the following observations:

• The Commission relied exclusively on information provided by Member States and failed to conduct any independent research into the need for mandatory data retention.

• The Commission failed to procure relevant and reliable data from Member States; for example, nine out of ten court judgements submitted by the Dutch Ministry of Justice to the Commission relate to crimes committed long before the Directive was implemented.

• The Commission failed to seek any information from those Member States that had not implemented the Directive.

• Data used to investigate the Madrid bombings was available in the absence of any data retention legislation.

• An independent study commissioned by the German government found that in 2005, only 4% of requests could not be (fully) served for a lack of retained data (Max Planck Institute for Foreign and International Criminal Law). The German Federal Crime Agency (BKA) found that in 2010 only 0.01% of criminal investigation procedures were potentially affected by a lack of traffic data.

• On the other hand, where traffic and location data was retained, a recent study, the Scientific Services of the German Parliament shows that: “[i]n most states crime clearance rates have not changed significantly between 2005 and 2010. Only in Latvia did the crime clearance rate rise significantly in 2007. This is related to a new Criminal Procedure Law though and is not reported to be connected to the transposition of the EU Data Retention Directive.”

• The efficacy of data retention was also disputed on the basis that circumvention is possible through the following means: anonymisation tools (such as proxy servers or VPN), prepaid anonymous SIM cards, telecom providers that are not subject to the Directive and cyber cafes.

Peter Hustinx, the European Data Protection Supervisor (“EDPS”) has also criticised the Commission’s report for the lack of credible evidence supporting the need for data retention: “Interesting examples of its use have been provided, however, there are simply too many shortcomings in the information presented in the report to allow general conclusions on the necessity of the instrument [i.e. the Data Retention Directive].”

What’s the risk?

It is essential that we remain vigilant in protecting our data and ensuring that our privacy is breached only in extreme circumstances, where it is absolutely necessary.  The dangers have been highlighted by EDRI, who refer to a booklet entitled “There is No Secure Data” prepared by the German Working Group on Data Retention, which describes several alarming cases of misuse of data, as follows:

• German telecommunications giant, Deutsche Telekom, illegally used telecommunications traffic and location data to spy on about 60 individuals including critical journalists, managers and union leaders in an attempt to track down leaks. The company used its own data pool, as well as that belonging to a domestic competitor and a foreign company, respectively.

• In Poland, retained telecommunications traffic and subscriber data was used in 2005-2007 by two major intelligence agencies to illegally disclose journalistic sources without any judicial oversight.

There are other well-known examples of how data in the wrong hands can be abused and many of these, like The Lives of Others, have been important enough to be captured on celluloid.  The McCarthy trials and the Watergate affair have already been made into acclaimed films; the recent phone hacking scandal at the News of the World may be next.  We must learn from these cautionary tales.  As argued passionately at the end of Good Night and Good Luck, if “this instrument is good for nothing but to entertain, amuse and insulate… it is merely wires and lights in a box.”


Unconstitutional

The implementing legislation for the Data Retention Directive has been held to be unconstitutional in many states across Europe, including Austria, Belgium, Germany, Greece Romania and Sweden. However, out of these only Romania has ruled that blanket data retention per se is indefensible. Others have focused on issues such as use, access and the length of data retention. In Germany for example, 6 months was held to be the upper limit of what could be deemed an acceptable period of retention.

Merits of Data Retention

In the evaluation report, the EU Commission referred to several incidents in which traffic or location data had apparently proved valuable to an investigation: in Belgium location data was used to show complicity in a tiger kidnapping; in Hungary and Poland traffic data was used to investigate a fraud against elderly persons conducted over the telephone; in Germany it was used to identify the murderer of a police officer - when the assailant escaped in the victim’s car, which he then abandoned, he telephoned for alternative means of transport; Czech “Operation Vilma” into a network exchanging child abuse content would allegedly have been “impossible” without traffic data. 

The EDPS also appeared to accept that there may be some possible value in data retention in specific cases and under very strict conditions (para 80 of the Opinion). However, he urged the EU Commission to obtain further, more robust evidence and to examine all the options including repeal of the Directive or replacement by a more targeted law.

Alternatives

There is an alternative to mandatory data retention as a method of investigation, namely data preservation - also known as “Quick Freeze”. This is where once an individual suspect is identified their data is preserved as from the date of the court order. Recently, a species of data preservation, known as “Quick Freeze Plus”, has been developed. This model goes beyond Quick Freeze in that a judge may also grant access to any data voluntarily retained prior to the order and which has not yet been deleted by the operators. It may additionally include a limited obligation on telecom companies to retain data in respect of users who have a flat-rate subscription (where there is usually no need to store data for billing purposes).

In the EU, countries such as Germany, Austria, Belgium and Sweden are using data preservation and other targeted methods in investigating crime. It is the only method envisaged under the Cybercrime Convention.


Consistency

Assuming that the EU listens to reason and carries out a more thorough evaluation of data retention, this should generate more sensible evidence which should in turn dictate which investigative tool we ultimately opt for. However, any solution will need to be applied consistently.  The Data Retention Directive for example only applies to telecom providers, to the exclusion of other internet companies such as search engines. At the moment, voluntary retention by such internet companies has been left largely unhindered.

Search engines and social media websites retain much more meaningful data (i.e. content data, as opposed to mere traffic, location or subscription data) and for relatively longer periods of time; in addition, they willingly comply with requests for information from law enforcement authorities, without any judicial oversight or legal guidelines. If we are worried about data retention we need consistent regulations and practices across the board – covering not only telcos, but other internet and data gathering companies.

By the same token, if the evidence strongly suggests that there is significant value in retaining data, we should adopt a coherent strategy. For example, we may wish to stay away from Quick Freeze Plus, which may be an unsatisfactory halfway house with a contradictory outcome, as on the one hand it concedes value in data retention, but on the other hand implies that such retention would be entirely voluntary, with the result that any records retained by telecoms providers might be entirely ad hoc and patchy. Under this option, if investigators needed to dig into past records, it would be something of a lottery whether the data was there or not.  If data retention really is essential (and that must be demonstrated by clear and cogent evidence), it should be made mandatory, but with strict limits on the period of retention, access and use in order to safeguard privacy.

The way forward

We will have to see how things shape up over the next few months. Currently, the Commission is in consultation with law enforcement authorities, the judiciary, industry and consumer groups, data protection bodies and civil society organisations to discuss the way forward. A proposal for a revised Directive is expected by the end of this year. The hope is for clear evidence that can stand up to scrutiny and a rational approach built on such evidence.  If we favour retention without justification, monitoring without limits and disclosure without cause, then we have failed to learn the lessons told to us by von Donnersmarck, Woodward, Bernstein, Clooney et al.

Manijeh Khan is a Commercial, IT & IP lawyer