What future for the Data Retention Directive

Similar documents
Do you have a private life at your workplace?

CCBE RECOMMENDATIONS FOR THE IMPLEMENTATION OF THE DATA RETENTION DIRECTIVE

COMMISSION OF THE EUROPEAN COMMUNITIES. Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

The primary responsibility for the data processing lies within the Administration Department, which the FINCOP Unit is part of.

This letter is to provide you with our views on the minimum criteria for the impact assessment and subsequent legislative proposal.

Value of the EU Data Protection Reform against the Big Data challenges. Keynote address 5th European Data Protection Days Berlin, 4.5.

Honourable members of the National Parliaments of the EU member states and candidate countries,

16525/1/12 REV 1 GS/np 1 DG D 2B

How To Write A Report On A Recipe Card

EUROPEAN DATA PROTECTION SUPERVISOR

COMMISSION OF THE EUROPEAN COMMUNITIES GREEN PAPER

29 October 2015 Conference of the Independent Data Protection Authorities of the Federation and the Federal States

EUROPEAN UNION COMMON POSITION ON UNGASS 2016

Assise de la Justice Brussels, 21 & 22 November Presentation by Maura McGowan QC Chairman of the Bar Council of England and Wales

Privacy, data retention and terrorism

Council Conclusions on a Concerted Work Strategy and Practical Measures Against Cybercrime

RESPONSE TO FIRST PHASE SOCIAL PARTNER CONSULTATION REVIEWING THE WORKING TIME DIRECTIVE

Comments and proposals on the Chapter IV of the General Data Protection Regulation

Work programme

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,

Council of the European Union Brussels, 24 November 2014 (OR. en)

Mr President, Ladies and Gentlemen Members of the Court, Mr Advocate. Thank you for inviting the European Data Protection Supervisor today.

Civil Rights, Security and Consumer Protection in the EU

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS

Minister Shatter presents Presidency priorities in the JHA area to European Parliament

BCS, The Chartered Institute for IT Consultation Response to:

Prior checking opinion on the European Surveillance System ("TESSy") notified by the European Centre for Disease Prevention and Control ("ECDC

Having regard to the Charter of Fundamental Rights of the European Union, and in particular Articles 7 and 8 thereof,

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS

Accession to Convention 108: Benefits and Commitments. Marc Rotenberg, President Electronic Privacy Information Center Washington, DC

The reform of the EU Data Protection framework - Building trust in a digital and global world. 9/10 October 2012

Statement on the general concept of the European Union towards Data Protection by Aktion Freiheit statt Angst e.v.; EU Register ID

J O I N T D E C L A R A T I O N

Solvency II implementation - beyond compliance

Concerning the remarks made during the meetings the Presidency wishes to clarify the following

10 DOWNING STREET LONDON SWtA 2AA A NEW SETTLEMENT FOR THE UNITED KINGDOM IN A REFORMED EUROPEAN UNION

on the Proposal for a Regulation of the European Parliament and of the Council laying

PUBLIC COUNCIL OF THE EUROPEAN UNION. Brussels, 8 July /05 LIMITE CRIMORG 67 ENFOPOL 88

LIMITE EN COUNCIL OF THE EUROPEAN UNION. Brussels, 3 February /12 LIMITE JAI 53 USA 2 DATAPROTECT 13 RELEX 76

Opinion Statement of the CFE. on the proposed Directive. on the fight against fraud to the EU s financial interests. by means of criminal law

Second Meeting of States on Strengthening Compliance with International Humanitarian Law, Geneva, June Chairs' Conclusions

The European Response to the rising Cyber Threat

EUROPEAN DATA PROTECTION SUPERVISOR

Data retention current state of UK and EU legislation. Dr. Ian Brown, UCL

Implications of the Private pension scheme legislation

Data protection at the cost of economic growth?

Planning application process improvements

EUROPEAN DATA PROTECTION SUPERVISOR. Inventory A strategic approach to legislative consultation

REPUBLIC OF PORTUGAL. MINISTRY OF PUBLIC WORKS, TRANSPORT AND COMMUNICATIONS The Minister's Office

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 February /05 LIMITE COPEN 35 TELECOM 10

ENFORCEMENT OF IP RIGHTS IN THE DIGITAL ENVIRONMENT CONCERNS, CHALLENGES AND ACTIONS REQUIRED FOR THE PROTECTION OF THE SINGLE MARKET.

Technical Questions on Data Retention

Council of the European Union Brussels, 10 November 2015 (OR. en)

JAMAL EL-HINDI DEPUTY DIRECTOR FINANCIAL CRIMES ENFORCEMENT NETWORK

EXPLANATORY MEMORANDUM TO THE DATA RETENTION (EC DIRECTIVE) REGULATIONS No. 2199

How To Discuss Cybersecurity In European Parliament

THE FORTY RECOMMENDATIONS OF THE FINANCIAL ACTION TASK FORCE ON MONEY LAUNDERING

COMMISSION OF THE EUROPEAN COMMUNITIES. Proposal for a COUNCIL RECOMMENDATION

Mobile Privacy Principles

MOTION FOR A RESOLUTION

Deliverable 1. Input on the EU's role in fighting match-fixing. Expert Group "Good Governance. EU Work Plan for Sport

Template for Automatic Number Plate Recognition (ANPR) Infrastructure Development Privacy Impact Assessment

7 August I. Introduction

Regulation of Investigatory Powers Act 2000

JUSTICE and HOME AFFAIRS COUNCIL Thursday 29 and Friday 30 January in Riga

The new European directive on the rights to interpretation and translation in criminal proceedings

GARANTE PER LA PROTEZIONE DEI DATI PERSONALI WHEREAS

WHISTLE BLOWING POLICY

Cybercrime & Cybersecurity

Implementation of Solvency II: The dos and the don ts

Thank you for the opportunity to join you here today.

RESTREINT UE/EU RESTRICTED

Cases COMP/AT Google Google s revised proposed commitments BEUC response to the questionnaire

Online Security, Traffic Data and IP Addresses. Review of the Regulatory Framework for Electronic Communications

Trading Forum 2013 Geneva, 12 th March 2013 Financial market regulation and commodity markets

CONSULTATION PAPER ON A CODE OF PRACTICE FOR VOLUNTARY RETENTION OF COMMUNICATIONS DATA

Cyber Crime and Data Retention

(3) Future of the Company Law and Corporate Governance Action Plan: public consultation

USER VOICE. Why We Exist

Legal Aspects of the MonIKA-Project - Privacy meets Cybersecurity

Council of Europe Project on Cybercrime in Georgia Report by Virgil Spiridon and Nigel Jones. Tbilisi 28-29, September 2009

COMMISSION REGULATION (EU) No /.. of XXX

Strategic Priorities for the Cooperation against Cybercrime in the Eastern Partnership Region

64/ A/CONF.213/RPM.1/1, A/CONF.213/RPM.2/1, A/CONF.213/RPM.3/1 and

Council of the European Union Brussels, 12 September 2014 (OR. en)

Cyber Security Trends Market trends from leading security analysts and consultants at TÜV Rheinland, OpenSky, and OpenSky UK

Notification of data security breaches to the Information Commissioner s

5957/1/10 REV 1 GS/np 1 DG H 2 B LIMITE EN

(DRAFT)( 2 ) MOTION FOR A RESOLUTION

Committee of Ministers - The promotion of Internet and online media services a...

CEAS ANALYSIS. of the Law on Amendments of the Law on the Security Intelligence Agency

23/1/15 Version 1.0 (final)

ESSA Q INTEGRITY REPORT

OUTCOME OF PROCEEDINGS Customs Cooperation Working Party (Experts meeting and Plenary meeting) on: December 2012 Subject: Summary of discussions

EDRi s. January European Digital Rights Rue Belliard 20, 1040 Brussels tel. +32 (0)

IESE Business School & School of Communication of the University of Navarra. Centre for Media Studies, Madrid 15/2/2005

Comments and proposals on the Chapter II of the General Data Protection Regulation

005ASubmission to the Serious Data Breach Notification Consultation

Discussion paper criminal law

EURODAC Central Unit. Inspection Report

Transcription:

What future for the Data Retention Directive EU Council Working Party on Data Protection and Information Exchange (DAPIX Data Protection) Brussels, 4 May 2011 Discussion on the Commission Evaluation report Giovanni Buttarelli Assistant European Data Protection Supervisor General remarks Dear Chairman, dear Members of the DAPIX Working Party, I would like to express our gratitude to the Hungarian Presidency for inviting the EDPS to attend this meeting and to participate in this first discussion on the Commission s evaluation report on the Data Retention Directive. We have been closely following the creation, implementation and evaluation of the Directive since 2005, in different ways. From the very beginning we questioned the necessity of the measure that we consider, as stated by the EDPS at the 2010

Conference organised by the Commission, "the most privacy invasive instrument ever adopted by the EU in terms of scale and the number of people it affects". According to the existing Directive, a huge amount of data concerning several millions of individuals that should in principle be erased or made anonymous when no longer needed for operational or billing purposes is to be retained on a massive scale. This is a remarkable derogation to the purpose limitation principle, which is a cornerstone of the EU data protection legal framework reinforced by the Lisbon Treaty. Similar measures on traffic data trigger an enormous invasion of privacy. They are not in force in many other modern democracies all over the world and now need profound justification in the new EU legal framework relevant to data protection. This is why we called the evaluation of the Directive "the moment of truth" as the Commission as well as other EU institutions should use the opportunity to provide sufficient evidence of the necessity of the instrument. Now that the report has been published we can see whether the Commission has indeed provided sufficient evidence. The straightforward conclusion is: no. The report does not contain sufficient proof that the retention of data on such a large scale constitutes a necessary measure. The Commission and other EU institutions have not been able to provide sufficient evidence to draw any firm conclusions about the necessity of the measure. This is confirmed by the Commission in the report itself and also in the letter you all received from Commissioner Malmström to the EU Ministers of JHA where data retention is considered 'a valuable instrument', where it is stated that 'retained data plays a central role', in crimes that 'might' never have been solved, but where there 2

is no sufficient evidence about the required necessity of the measure, to testify that it is indispensable. We agree that data are or could constitute useful evidence in contributing to the solving of some criminal cases, not only for possible convictions but for acquittals of innocent suspects. This cannot necessarily be said for data retention as a massive practice. We are not in the position to say on a general basis that without data retention various cases could never have been solved. On the basis of the report we cannot say that all retained data on such a massive scale have played a central role in the fight against serious crime. Perhaps data retention is not at all essential or is not essential in all relevant cases which are now within the scope of application of the Data Retention Directive. Although we are still not convinced that a system of data retention actually constitutes a necessary measure, we are pleased to finally have the report on the table. The EDPS has been informally consulted before its adoption and we appreciate that the final version now contains a lot of substance which will fuel the debate and is definitely more balanced than drafts we saw. We appreciated the method used by the Commission in organising various conferences and workshops, sending questionnaires and involving various stakeholders at different stages. We also welcome the initiative of the Commission to organise, in the months to come, consultations with the different stakeholders involved. 3

We intend to adopt an Opinion on the basis of the report in the weeks to come. Today, we note that the publication of the report constitutes the kick off for what will hopefully be a broad discussion on the necessity of the measure, and subsequently on the proportionality of an alternative or revised measure. The report is quite clear in stating that there are a lot of problems with the current Directive. It highlights the need to revise the Directive not only for data protection obligations, but also due to a considerable lack of harmonisation. Such a lack of harmonisation is detrimental to all parties involved: citizens, business operators as well as law enforcement authorities. Any future Directive should lead to harmonised and clear rules. Benefit should be taken from the situation which emerged after the Lisbon Treaty, which strengthened the position of fundamental rights in the EU, and the right of data protection in particular. Here, I also refer to the EU competences in the area of judicial cooperation in criminal matters, which allow the Commission to propose rules on access to the data by law enforcement authorities. Two specific comments among the various items on the table We are grateful for the invitation to join your further discussions this morning where we might provide you with more detailed comments on specific elements. At this stage, I would only highlight two items: 1) possible alternative measures to data retention and 2) the statement in the report that there are no concrete examples of serious breaches of privacy. 4

As to the first element: the possible alternative measures. The Commission discusses the possibility of data preservation as an alternative measure. Such a measure would be more targeted and less privacy intrusive in terms of time and number of people it affects. The Commission refers to the fact that Member States disagree that any of the variations of data preservation could adequately replace data retention (p. 5). The Commission states in the conclusion (8.5) whether and if so how an EU approach to data preservation 'might complement', i.e. not substitute, data retention. The Commission, therefore, seems to support Member States that are opposed to data preservation as an alternative. The EDPS finds this analysis too limited. The Commission only looks at whether the alternative measure of data preservation would result in the same data available for law enforcement authorities. And then, indeed, with data preservation less data will be available for law enforcement authorities. However, this fact does not disqualify data preservation as a reasonable alternative for a system of data retention. The matter should be considered more broadly in the light of the different impact both alternatives have on the privacy of EU citizens. In other words, does the added value of data retention (in comparison with data preservation) weigh up to the additional intrusive impact it has on the privacy of EU citizens? In light of these remarks, the EDPS sincerely hopes that the Commission will commit itself to putting the issue of possible alternative measures on the agenda of the different meetings in the months to come. We furthermore hope that Member States will actively participate in this debate and share possible experiences they have in the use of alternative measures. I now come to the second specific point: the statement in the report that "there are no concrete examples of serious breaches of privacy" in relation to data retention (see p. 30). This remark was also made by the Commission during the earlier 5

mentioned conference of December last year. This statement raises several questions: who did the Commission ask to report on data breaches? Data protection authorities, NGO's, or only law enforcement authorities? what actually constitutes a serious breach? what conclusions does the Commission intend to draw from this statement? That the current security rules are sufficient? It goes without saying that the security of the retained data is of crucial importance to the system of data retention as such. It ensures respect for all other safeguards. Obviously we should not await a serious privacy breach before acting. Harm is then already done. Even if no specific instances of security breaches are mentioned in the context of the report, data security breaches and scandals in the area of traffic data and electronic communications in some Member States might serves as illustrative warnings, as well as is the case for the recent attack to electronic platforms or networks involving unlawful access to the personal data of million of users. The recently introduced obligation on operators to notify security breaches will surely bring to light more instances. In order to evaluate the suitability of present security rules and measures, further investigation into instances of abuse is needed. We would like to invite the Commission and Council to work on this together. It should be emphasised that robust security rules enhance the trustworthiness of any data processing system. 6

Conclusion Let me conclude by saying that there is still no proof that the Directive is necessary as it is. We appreciate the commitment of the Commission to revise the Directive with a view to respond to some concerns of various stakeholders including DPAs. We encourage the Commission when developing the impact assessment, to give an adequate answer to the necessity issue. If after careful analysis the necessity of a EU Directive on data retention for law enforcement and criminal justice systems in the EU is demonstrated, compared to alternative and less intrusive measures of expeditious data preservation (for instance, collection of traffic data in real time such as the 'quick freeze' and the 'quick freeze plus', taking into account the experience achieved in the implementation of the Cybercrime Convention), we expect the Commission to bring greater clarity on scope, purpose and duration of the retention and to also focus on new types of safeguards to be applied to data storage and use of data, taking into account new technologies and trends in criminal behaviour as well the other specific items I have mentioned. We will follow all further developments and I thank you for your attention. 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information