Select Committee on European Scrutiny Twenty-Second Report


14 Retention of communications data

(25593)

8958/04

Draft Framework Decision on the retention of data processed and stored in connection with the provision of publicly available electronic communications services or data on public communications networks for the purpose of prevention, investigation, detection and prosecution of crime and criminal offences including terrorism

Legal baseArticles 31(1)(c ) and 34(2)(b)EU; consultation; unanimity
Deposited in Parliament30 April 2004
DepartmentHome Office
Basis of considerationEM of 24 May 2004
Previous Committee ReportNone
To be discussed in CouncilNo date set
Committee's assessmentLegally and politically important
Committee's decisionNot cleared; further information requested

Background

14.1 In its Declaration on combating terrorism, adopted on 25 March 2004, the European Council instructed the Council to examine measures for establishing rules on the retention by service providers of communications traffic data. Communications traffic data is information about communications, such as who called whom and when, and includes telephone and internet subscriber information, itemised telephone call records and mobile phone location data. Such data does not include the content of any communication.

14.2 Following the March European Council, France, Ireland, Sweden and the United Kingdom have made a proposal for a Framework Decision to harmonise the rules in Member States on the retention of communications data for the purpose of preventing, investigating, detecting and prosecuting crime, including terrorism.

The draft Framework Decision

14.3 The recitals to the proposal explain that data relating to the use of electronic communications is now a particularly important and valuable tool in the prevention, investigation, detection and prosecution of crime, particularly organised crime and terrorism. Although the proposal relates only to data generated as a consequence of a communication, rather than to its content, the data may be used to trace the source of illegal content as well as to identify those involved in the use of electronic communications networks for the purpose of organised crime and terrorism.

14.4 The recitals assert that preserving specific data relating to particular individuals may not be sufficient for these purposes, because it may not be possible to identify the data required or the individual involved for many months or years after the original communication. The conclusion drawn is that it is necessary to retain certain types of data, which are already processed and stored for billing and other commercial purposes, for an additional period of time "in anticipation that they might be required for future criminal investigation or judicial proceedings".

14.5 Article 1 defines the scope and aim of the proposal. The aim is to facilitate judicial cooperation in criminal matters by approximating the law of Member States on the retention of data processed by providers of a publicly available electronic communications service or a public communications network, for the purpose of preventing, investigating, detecting and prosecuting crime. Article 1(2) makes clear that the Framework Decision does not apply to the content of communications. Article 1(3) provides that a Member State may decide not to apply Article 1(1) with regard to the prevention of crime "should the Member State not find such purposes acceptable following any national procedural or consultative processes".

14.6 Article 2 defines the material scope of the proposal. The term "data" is to include traffic data and location data, as defined in Article 2 of Directive 2002/58/EC[34] (i.e. data which is processed for the purpose of conveying a message on a communications network or for billing, and data which indicates the geographical position of a user of a publicly available electronic communications service). "User data" and "subscriber data" are also within the scope of the Framework Decision, the former being data relating to any natural person using a publicly available electronic communications service, and the latter being data which relates to a subscriber to such a service.

14.7 The relevant kinds of data for the purposes of the Framework Decision are those which are necessary to trace and identify the source, routing and destination of a communication as well as its time, date and duration. Also included is data which identifies the communications device used and its location at the start and throughout the duration of the communication. Article 2(3) describes a number of kinds of services which generate relevant data, and Article 2(4) provides that "future technological developments that facilitate the transmission of communications shall be within the scope of this Framework Decision".

14.8 Article 3 requires Member States to take the measures necessary to ensure that retained data processed and stored by providers of a communications network or service is retained in accordance with the Framework Decision.

14.9 Article 4(1) requires Member States to take the measures necessary to ensure that data is retained for at least 12 months and not more than 36 months following its generation. Article 4(1) also provides that Member States "may have longer periods for retention of data dependent upon national criteria when such retention constitutes a necessary, appropriate and proportionate measure within a democratic society". Under Article 4(2) a Member State may "decide to derogate" from Article 4(1) in relation to methods of communication referred to in Article 2(3)(b) and (c) (i.e. Short Message Services, Electronic Media Services and Multi Media Messaging Services provided as part of any telephone service and Internet Protocols including Email, Voice over Internet Protocols, world wide web, file, network and hypertext transfer protocols) should the Member State not find this acceptable following national procedural or consultative processes. In such a case, the Member State must notify the Council and the Commission of the alternative timescales it will use for such data.

14.10 Article 5 provides that any request by a Member State for access to data retained in another Member State "shall be made and responded to in accordance with the instruments on judicial co-operation in criminal matters adopted under Title VI of the Treaty on European Union". Nevertheless, the requested Member State may make its consent to the request "subject to any conditions which would have to be observed in a similar national case".

14.11 By virtue of Article 6, Member States are required to ensure that data retained under the Framework Decision is subject to a number of data protection principles, and that judicial remedies are made available in line with the provisions of Directive 95/46/EC (the Data Protection Directive). The data protection principles require that access be given for "specified, explicit and legitimate" purposes by competent authorities on a case-by-case basis in accordance with national law and not further processed in a way incompatible with those purposes, that data should be "adequate, relevant and not excessive" and should be processed fairly and lawfully. The principles also require that the confidentiality and integrity of the data should be ensured and that the data accessed should be accurate and erased or rectified if not accurate.

14.12 Article 7 requires Member States to ensure that data which is retained is held subject to data security principles. These require the data which is retained to be of the same quality as that on the network, and for measures to be taken to prevent destruction or accidental loss, alteration, unauthorised disclosure and all other unlawful forms of processing, and for the data to be destroyed at the end of the period of retention (except for data which has been accessed and preserved).

The Government's view

14.13 In her Explanatory Memorandum of 24 May 2004 the Parliamentary Under-Secretary of State at the Home Office (Caroline Flint) explains that the aim of the proposal is to ensure that communications data which has already been generated in the provision of communications services and retained by service providers for business purposes continues to be retained by them when it might otherwise have been destroyed. The Minister adds that the retention of data "supports lawful, necessary and proportionate disclosure of data to the relevant public authorities engaged in preventing, detecting, investigating and prosecuting crime and criminal offences including terrorism".

14.14 In relation to the policy implications of the proposal, the Minister comments that it had been the Government's intention that the Anti-Terrorism, Crime and Security Act 2001 should provide for the retention of data for the purpose of fighting terrorism and crime in general, but that this intention was "thwarted" during the passage of the Bill "where some in Parliament objected to such a provision in emergency anti-terrorist legislation". Part 11 of the 2001 Act accordingly provides for the retention of communications data only for the purpose of safeguarding national security and "any crime directly or indirectly related to that".

14.15 The Minister refers to the review of the Anti-Terrorism, Crime and Security Act 2001 conducted by the Privy Counsellor Review Committee under the chairmanship of Lord Newton of Braintree and, in particular, to paragraph 51 of its report, which stated as follows:

"We can see the case in principle for requiring communications data to be retained for a minimum period (which would vary with the type of data) for a defined range of public interest purposes such as helping in the prevention and detection of terrorism and other serious crimes. These provisions should, therefore, be part of mainstream legislation and not special terrorism legislation."

14.16 The Minister adds that the Government "agreed with the Newton Committee that there is a need for data retention for the purposes of fighting crime[35] in addition to the purpose of safeguarding national security" and that "the draft Framework Decision is consistent with that objective and why the Government has co-sponsored the initiative".

14.17 The Minister adds these further comments in support of the proposal:

"Sophisticated international criminal and terrorist organisations, aware of variations in Member States' legislative requirements for data retention will inevitably use communications services with shorter data retention periods. This would be done in order to frustrate the efforts of any investigators attempting to follow their communication 'footprints' either in order to place them at the scene of the crime, to disprove an alibi or to identify associates and co-conspirators. Approximation of retention rules will diminish the risk of such 'data havens' (or, more accurately 'data holes' ) within the EU, and, more importantly, ensure that communications data is available for lawful disclosure to law enforcement authorities but only in accordance with the law, and only then to the extent necessary in a democratic society.

"In addition to these objectives, approximation of rules for retention of data will ensure, so far as possible, a level playing field for international communications service providers that operate within the EU."

14.18 The Minister also points out that the communications service industry is a "fiercely competitive" sector and that service providers are under commercial pressure to reduce the time period for which they store data. The Minister explains that some data is more likely to be destroyed because its commercial value has diminished, although its potential value in detecting crime and protecting the public remains. The Minister makes this further comment:

"In addition, new services are creating pressures to reduce the periods for which data is retained. For example, the development of 'pay as you go' and subscription services is one of the major drivers contributing to reduction in the time that communications data is retained for business purposes. As pre-paid calls need not be billed there is no requirement to keep data for billing purposes.

"It is therefore crucial that legislation is introduced compelling all Member States to develop binding data retention provisions within set parameters if specific communications data is not to be destroyed before its value to the prevention and detection of crime and protection of the public is established. The overwhelming majority of data retained will have no such value whatsoever."

14.19 By way of a Regulatory Impact Assessment, the Minister offers the comment that "as drafted, the Framework Decision will have an impact on the communications service industry". This impact is not further quantified, but the Minister comments that "experience of the current voluntary regime under the 2001 Act is helping establish the retention of communications data that meets the requirements of law enforcement in advance of any future mandatory regime for the retention of the same data".

Conclusion

14.20 As this proposal is one which the United Kingdom is co-sponsoring, we would have expected a more detailed and rigorous Regulatory Impact Assessment. These proposals will clearly impose costs on service providers which they would not otherwise have chosen to incur. Indeed, it is apparent from the Minister's explanations that competitive pressures are leading to less data being retained and that the majority of the data which would have to be retained under the proposal would have no value even for the prevention and detection of crime.

14.21 We ask the Minister to comment in more detail on the likely costs of the proposal for service providers and on whether it is the Government's intention that these additional costs should be met from EU or other public funds.

14.22 We also ask the Minister to explain how the proposal would apply (if at all) to the substantial volume of communications data relating to UK residents which is held by US service providers on servers in the United States, where there are no comparable retention requirements.

14.23 We note that the Minister refers to the report of the Privy Counsellor Review Committee, but that the present proposal appears to diverge from the recommendations of that Committee in two ways. First, the proposal would require retention of data for the purpose of preventing or detecting and prosecuting crimes of all kinds, and not just terrorism and other serious crime. Secondly, the Review Committee recommended that the longest retention period which the Government should be able to impose was one year, whereas the present proposal would provide for retention for up to three years. We ask the Minister to explain why the Government has sponsored a measure at EU level which departs so significantly from the Review Committee's recommendations.

14.24 We shall hold the document under scrutiny pending the Minister's reply.





34   OJ No. L 201, 31.7.02, p.37. Back

35   As is evident from the passage cited, the Newton Committee referred to terrorism and serious crime, not to crime in general. Back


 
previous page contents next page

House of Commons home page Parliament home page House of Lords home page search page enquiries index

© Parliamentary copyright 2004
Prepared 24 June 2004