What future for the Data Retention Directive

Transcription

1 What future for the Data Retention Directive EU Council Working Party on Data Protection and Information Exchange (DAPIX Data Protection) Brussels, 4 May 2011 Discussion on the Commission Evaluation report Giovanni Buttarelli Assistant European Data Protection Supervisor General remarks Dear Chairman, dear Members of the DAPIX Working Party, I would like to express our gratitude to the Hungarian Presidency for inviting the EDPS to attend this meeting and to participate in this first discussion on the Commission s evaluation report on the Data Retention Directive. We have been closely following the creation, implementation and evaluation of the Directive since 2005, in different ways. From the very beginning we questioned the necessity of the measure that we consider, as stated by the EDPS at the 2010

2 Conference organised by the Commission, "the most privacy invasive instrument ever adopted by the EU in terms of scale and the number of people it affects". According to the existing Directive, a huge amount of data concerning several millions of individuals that should in principle be erased or made anonymous when no longer needed for operational or billing purposes is to be retained on a massive scale. This is a remarkable derogation to the purpose limitation principle, which is a cornerstone of the EU data protection legal framework reinforced by the Lisbon Treaty. Similar measures on traffic data trigger an enormous invasion of privacy. They are not in force in many other modern democracies all over the world and now need profound justification in the new EU legal framework relevant to data protection. This is why we called the evaluation of the Directive "the moment of truth" as the Commission as well as other EU institutions should use the opportunity to provide sufficient evidence of the necessity of the instrument. Now that the report has been published we can see whether the Commission has indeed provided sufficient evidence. The straightforward conclusion is: no. The report does not contain sufficient proof that the retention of data on such a large scale constitutes a necessary measure. The Commission and other EU institutions have not been able to provide sufficient evidence to draw any firm conclusions about the necessity of the measure. This is confirmed by the Commission in the report itself and also in the letter you all received from Commissioner Malmström to the EU Ministers of JHA where data retention is considered 'a valuable instrument', where it is stated that 'retained data plays a central role', in crimes that 'might' never have been solved, but where there 2

3 is no sufficient evidence about the required necessity of the measure, to testify that it is indispensable. We agree that data are or could constitute useful evidence in contributing to the solving of some criminal cases, not only for possible convictions but for acquittals of innocent suspects. This cannot necessarily be said for data retention as a massive practice. We are not in the position to say on a general basis that without data retention various cases could never have been solved. On the basis of the report we cannot say that all retained data on such a massive scale have played a central role in the fight against serious crime. Perhaps data retention is not at all essential or is not essential in all relevant cases which are now within the scope of application of the Data Retention Directive. Although we are still not convinced that a system of data retention actually constitutes a necessary measure, we are pleased to finally have the report on the table. The EDPS has been informally consulted before its adoption and we appreciate that the final version now contains a lot of substance which will fuel the debate and is definitely more balanced than drafts we saw. We appreciated the method used by the Commission in organising various conferences and workshops, sending questionnaires and involving various stakeholders at different stages. We also welcome the initiative of the Commission to organise, in the months to come, consultations with the different stakeholders involved. 3

4 We intend to adopt an Opinion on the basis of the report in the weeks to come. Today, we note that the publication of the report constitutes the kick off for what will hopefully be a broad discussion on the necessity of the measure, and subsequently on the proportionality of an alternative or revised measure. The report is quite clear in stating that there are a lot of problems with the current Directive. It highlights the need to revise the Directive not only for data protection obligations, but also due to a considerable lack of harmonisation. Such a lack of harmonisation is detrimental to all parties involved: citizens, business operators as well as law enforcement authorities. Any future Directive should lead to harmonised and clear rules. Benefit should be taken from the situation which emerged after the Lisbon Treaty, which strengthened the position of fundamental rights in the EU, and the right of data protection in particular. Here, I also refer to the EU competences in the area of judicial cooperation in criminal matters, which allow the Commission to propose rules on access to the data by law enforcement authorities. Two specific comments among the various items on the table We are grateful for the invitation to join your further discussions this morning where we might provide you with more detailed comments on specific elements. At this stage, I would only highlight two items: 1) possible alternative measures to data retention and 2) the statement in the report that there are no concrete examples of serious breaches of privacy. 4

5 As to the first element: the possible alternative measures. The Commission discusses the possibility of data preservation as an alternative measure. Such a measure would be more targeted and less privacy intrusive in terms of time and number of people it affects. The Commission refers to the fact that Member States disagree that any of the variations of data preservation could adequately replace data retention (p. 5). The Commission states in the conclusion (8.5) whether and if so how an EU approach to data preservation 'might complement', i.e. not substitute, data retention. The Commission, therefore, seems to support Member States that are opposed to data preservation as an alternative. The EDPS finds this analysis too limited. The Commission only looks at whether the alternative measure of data preservation would result in the same data available for law enforcement authorities. And then, indeed, with data preservation less data will be available for law enforcement authorities. However, this fact does not disqualify data preservation as a reasonable alternative for a system of data retention. The matter should be considered more broadly in the light of the different impact both alternatives have on the privacy of EU citizens. In other words, does the added value of data retention (in comparison with data preservation) weigh up to the additional intrusive impact it has on the privacy of EU citizens? In light of these remarks, the EDPS sincerely hopes that the Commission will commit itself to putting the issue of possible alternative measures on the agenda of the different meetings in the months to come. We furthermore hope that Member States will actively participate in this debate and share possible experiences they have in the use of alternative measures. I now come to the second specific point: the statement in the report that "there are no concrete examples of serious breaches of privacy" in relation to data retention (see p. 30). This remark was also made by the Commission during the earlier 5

6 mentioned conference of December last year. This statement raises several questions: who did the Commission ask to report on data breaches? Data protection authorities, NGO's, or only law enforcement authorities? what actually constitutes a serious breach? what conclusions does the Commission intend to draw from this statement? That the current security rules are sufficient? It goes without saying that the security of the retained data is of crucial importance to the system of data retention as such. It ensures respect for all other safeguards. Obviously we should not await a serious privacy breach before acting. Harm is then already done. Even if no specific instances of security breaches are mentioned in the context of the report, data security breaches and scandals in the area of traffic data and electronic communications in some Member States might serves as illustrative warnings, as well as is the case for the recent attack to electronic platforms or networks involving unlawful access to the personal data of million of users. The recently introduced obligation on operators to notify security breaches will surely bring to light more instances. In order to evaluate the suitability of present security rules and measures, further investigation into instances of abuse is needed. We would like to invite the Commission and Council to work on this together. It should be emphasised that robust security rules enhance the trustworthiness of any data processing system. 6

7 Conclusion Let me conclude by saying that there is still no proof that the Directive is necessary as it is. We appreciate the commitment of the Commission to revise the Directive with a view to respond to some concerns of various stakeholders including DPAs. We encourage the Commission when developing the impact assessment, to give an adequate answer to the necessity issue. If after careful analysis the necessity of a EU Directive on data retention for law enforcement and criminal justice systems in the EU is demonstrated, compared to alternative and less intrusive measures of expeditious data preservation (for instance, collection of traffic data in real time such as the 'quick freeze' and the 'quick freeze plus', taking into account the experience achieved in the implementation of the Cybercrime Convention), we expect the Commission to bring greater clarity on scope, purpose and duration of the retention and to also focus on new types of safeguards to be applied to data storage and use of data, taking into account new technologies and trends in criminal behaviour as well the other specific items I have mentioned. We will follow all further developments and I thank you for your attention. 7