EU Data Retention Directive: For a limited time period, but with option to be extended?

As the preventive retention of telecommunication data is illegal throughout the EU, the retention of data from individual countries or regions might be an option. This is discussed by the EU member states, documents from the Council and the German Federal Government reveal. A “renewable arrest warrant” could be created for this purpose.

The EU member states are currently discussing a possible new version of the Data Retention Directive. The Bulgarian Presidency of the Council has proposed the adoption of “renewable retention warrants” in the responsible Council Working Party on Information Exchange and Data Protection. The Estonian Presidency had already touched on this issue in the second half of 2017, albeit offering scant detail at the time. According to the German Federal Ministry of Justice, these “still very preliminary considerations” are also being examined by the German Government.

What constitutes a “serious crime”?

The European Court of Justice (ECJ) declared the EU’s Data Retention Directive, adopted in 2006, to be invalid eight years later. In its judgement of December 2016, the court made the storage obligation on the part of telecommunications companies subject to strict conditions. A general and indiscriminate retention of data introduced by a number of member states is thus incompatible with Union law. Such practices are only permitted as national derogations, which must be limited to what is strictly necessary. The ECJ ruled that only the objective of fighting serious crime was capable of justifying such a measure.

However, the term “serious crime” is not defined in the EU in a consistent way. One category here is undoubtedly the threat of terrorism, although this is cited too often by the Council of Ministers (an abstract “terrorist threat”, for example, is being used to justify the renewed extension of internal border controls in the Schengen area now that the original justification, “exceptional migratory movements”, no longer applies). The Bulgarian Council document also states that cybercrime, crimes committed on the internet and cases of life-threatening or urgent situations could also be regarded as “serious crime” within the framework of “renewable retention warrants”.

Preventive storage of data in entire “regions”

According to the proposals, the ban on indiscriminate preventive data retention could be circumvented if it is not the entire EU, but individual member states or entire “regions”. The two papers do not provide any information regarding the size of a “region”. Such an order would be limited in time but could be extended if necessary, according to the proposed concept. The Council has only made vague statements on this time-wise issue so far; such a regulation might be based on measures like the temporarily suspension of Schengen border controls, which are pallned to extend them successively to a maximum of two years.

The adoption of a regional preventive data retention could be preceded by threat analyses in which the risk of “serious crimes” for certain member states is defined. The annual situation reports on organised crime and terrorism drawn up by the police agency Europol are to be used for this purpose.

Europol creates “matrix”

According to the proposal, “renewable retention warrants” would cover all telecommunications operators and all forms of electronic communications, including fixed and mobile communications, the internet, internet telephony and email. Smaller firms or those providing only specific services may apply for exemptions, however.

The Bulgarian paper also refers to the option of “restrictive” data storage in the course of which the data to be stored is limited to specific categories. However, it stays vague as to which “absolutely and objectively necessary” data this should include. The police agency Europol was therefore instructed by the Council to clarify which data falls under content data, traffic data, geodata and inventory data. While the result is not known, according to the Federal Ministry of the Interior, Europol’s “matrix” meets the criteria of the Council of Europe and the Electronic Telecommunications Standards Institute (ETSI).

This text was first published here.

Image: 123net, 123Net Data Center (DC2), CC BY-SA 3.0