14 Retention of communications data
(25593)
8958/04
| Draft Framework Decision on the retention of data processed and stored in connection with the provision of publicly available electronic communications services or data on public communications networks for the purpose of prevention, investigation, detection and prosecution of crime and criminal offences including terrorism
|
Legal base | Articles 31(1)(c ) and 34(2)(b)EU; consultation; unanimity
|
Deposited in Parliament | 30 April 2004
|
Department | Home Office |
Basis of consideration | EM of 24 May 2004
|
Previous Committee Report | None
|
To be discussed in Council | No date set
|
Committee's assessment | Legally and politically important
|
Committee's decision | Not cleared; further information requested
|
Background
14.1 In its Declaration on combating terrorism, adopted on 25
March 2004, the European Council instructed the Council to examine
measures for establishing rules on the retention by service providers
of communications traffic data. Communications traffic data is
information about communications, such as who called whom and
when, and includes telephone and internet subscriber information,
itemised telephone call records and mobile phone location data.
Such data does not include the content of any communication.
14.2 Following the March European Council, France,
Ireland, Sweden and the United Kingdom have made a proposal for
a Framework Decision to harmonise the rules in Member States on
the retention of communications data for the purpose of preventing,
investigating, detecting and prosecuting crime, including terrorism.
The draft Framework Decision
14.3 The recitals to the proposal explain that data
relating to the use of electronic communications is now a particularly
important and valuable tool in the prevention, investigation,
detection and prosecution of crime, particularly organised crime
and terrorism. Although the proposal relates only to data generated
as a consequence of a communication, rather than to its content,
the data may be used to trace the source of illegal content as
well as to identify those involved in the use of electronic communications
networks for the purpose of organised crime and terrorism.
14.4 The recitals assert that preserving specific
data relating to particular individuals may not be sufficient
for these purposes, because it may not be possible to identify
the data required or the individual involved for many months or
years after the original communication. The conclusion drawn
is that it is necessary to retain certain types of data, which
are already processed and stored for billing and other commercial
purposes, for an additional period of time "in anticipation
that they might be required for future criminal investigation
or judicial proceedings".
14.5 Article 1 defines the scope and aim of the proposal.
The aim is to facilitate judicial cooperation in criminal matters
by approximating the law of Member States on the retention of
data processed by providers of a publicly available electronic
communications service or a public communications network, for
the purpose of preventing, investigating, detecting and prosecuting
crime. Article 1(2) makes clear that the Framework Decision does
not apply to the content of communications. Article 1(3) provides
that a Member State may decide not to apply Article 1(1) with
regard to the prevention of crime "should the Member State
not find such purposes acceptable following any national procedural
or consultative processes".
14.6 Article 2 defines the material scope of the
proposal. The term "data" is to include traffic data
and location data, as defined in Article 2 of Directive 2002/58/EC[34]
(i.e. data which is processed for the purpose of conveying a message
on a communications network or for billing, and data which indicates
the geographical position of a user of a publicly available electronic
communications service). "User data" and "subscriber
data" are also within the scope of the Framework Decision,
the former being data relating to any natural person using a publicly
available electronic communications service, and the latter being
data which relates to a subscriber to such a service.
14.7 The relevant kinds of data for the purposes
of the Framework Decision are those which are necessary to trace
and identify the source, routing and destination of a communication
as well as its time, date and duration. Also included is data
which identifies the communications device used and its location
at the start and throughout the duration of the communication.
Article 2(3) describes a number of kinds of services which generate
relevant data, and Article 2(4) provides that "future technological
developments that facilitate the transmission of communications
shall be within the scope of this Framework Decision".
14.8 Article 3 requires Member States to take the
measures necessary to ensure that retained data processed and
stored by providers of a communications network or service is
retained in accordance with the Framework Decision.
14.9 Article 4(1) requires Member States to take
the measures necessary to ensure that data is retained for at
least 12 months and not more than 36 months following its generation.
Article 4(1) also provides that Member States "may have
longer periods for retention of data dependent upon national criteria
when such retention constitutes a necessary, appropriate and proportionate
measure within a democratic society". Under Article 4(2)
a Member State may "decide to derogate" from Article
4(1) in relation to methods of communication referred to in Article
2(3)(b) and (c) (i.e. Short Message Services, Electronic Media
Services and Multi Media Messaging Services provided as part of
any telephone service and Internet Protocols including Email,
Voice over Internet Protocols, world wide web, file, network and
hypertext transfer protocols) should the Member State not find
this acceptable following national procedural or consultative
processes. In such a case, the Member State must notify the Council
and the Commission of the alternative timescales it will use for
such data.
14.10 Article 5 provides that any request by a Member
State for access to data retained in another Member State "shall
be made and responded to in accordance with the instruments on
judicial co-operation in criminal matters adopted under Title
VI of the Treaty on European Union". Nevertheless, the requested
Member State may make its consent to the request "subject
to any conditions which would have to be observed in a similar
national case".
14.11 By virtue of Article 6, Member States are required
to ensure that data retained under the Framework Decision is subject
to a number of data protection principles, and that judicial remedies
are made available in line with the provisions of Directive 95/46/EC
(the Data Protection Directive). The data protection principles
require that access be given for "specified, explicit and
legitimate" purposes by competent authorities on a case-by-case
basis in accordance with national law and not further processed
in a way incompatible with those purposes, that data should be
"adequate, relevant and not excessive" and should be
processed fairly and lawfully. The principles also require that
the confidentiality and integrity of the data should be ensured
and that the data accessed should be accurate and erased or rectified
if not accurate.
14.12 Article 7 requires Member States to ensure
that data which is retained is held subject to data security principles.
These require the data which is retained to be of the same quality
as that on the network, and for measures to be taken to prevent
destruction or accidental loss, alteration, unauthorised disclosure
and all other unlawful forms of processing, and for the data to
be destroyed at the end of the period of retention (except for
data which has been accessed and preserved).
The Government's view
14.13 In her Explanatory Memorandum of 24 May 2004
the Parliamentary Under-Secretary of State at the Home Office
(Caroline Flint) explains that the aim of the proposal is to ensure
that communications data which has already been generated in the
provision of communications services and retained by service providers
for business purposes continues to be retained by them when it
might otherwise have been destroyed. The Minister adds that the
retention of data "supports lawful, necessary and proportionate
disclosure of data to the relevant public authorities engaged
in preventing, detecting, investigating and prosecuting crime
and criminal offences including terrorism".
14.14 In relation to the policy implications of the
proposal, the Minister comments that it had been the Government's
intention that the Anti-Terrorism, Crime and Security Act 2001
should provide for the retention of data for the purpose of fighting
terrorism and crime in general, but that this intention was "thwarted"
during the passage of the Bill "where some in Parliament
objected to such a provision in emergency anti-terrorist legislation".
Part 11 of the 2001 Act accordingly provides for the retention
of communications data only for the purpose of safeguarding national
security and "any crime directly or indirectly related to
that".
14.15 The Minister refers to the review of the Anti-Terrorism,
Crime and Security Act 2001 conducted by the Privy Counsellor
Review Committee under the chairmanship of Lord Newton of Braintree
and, in particular, to paragraph 51 of its report, which stated
as follows:
"We can see the case in principle for requiring
communications data to be retained for a minimum period (which
would vary with the type of data) for a defined range of public
interest purposes such as helping in the prevention and detection
of terrorism and other serious crimes. These provisions should,
therefore, be part of mainstream legislation and not special terrorism
legislation."
14.16 The Minister adds that the Government "agreed
with the Newton Committee that there is a need for data retention
for the purposes of fighting crime[35]
in addition to the purpose of safeguarding national security"
and that "the draft Framework Decision is consistent with
that objective and why the Government has co-sponsored the initiative".
14.17 The Minister adds these further comments in
support of the proposal:
"Sophisticated international criminal and terrorist
organisations, aware of variations in Member States' legislative
requirements for data retention will inevitably use communications
services with shorter data retention periods. This would be done
in order to frustrate the efforts of any investigators attempting
to follow their communication 'footprints' either in order to
place them at the scene of the crime, to disprove an alibi or
to identify associates and co-conspirators. Approximation of
retention rules will diminish the risk of such 'data havens' (or,
more accurately 'data holes' ) within the EU, and, more importantly,
ensure that communications data is available for lawful disclosure
to law enforcement authorities but only in accordance with the
law, and only then to the extent necessary in a democratic society.
"In addition to these objectives, approximation
of rules for retention of data will ensure, so far as possible,
a level playing field for international communications service
providers that operate within the EU."
14.18 The Minister also points out that the communications
service industry is a "fiercely competitive" sector
and that service providers are under commercial pressure to reduce
the time period for which they store data. The Minister explains
that some data is more likely to be destroyed because its commercial
value has diminished, although its potential value in detecting
crime and protecting the public remains. The Minister makes this
further comment:
"In addition, new services are creating pressures
to reduce the periods for which data is retained. For example,
the development of 'pay as you go' and subscription services is
one of the major drivers contributing to reduction in the time
that communications data is retained for business purposes. As
pre-paid calls need not be billed there is no requirement to keep
data for billing purposes.
"It is therefore crucial that legislation is
introduced compelling all Member States to develop binding data
retention provisions within set parameters if specific communications
data is not to be destroyed before its value to the prevention
and detection of crime and protection of the public is established.
The overwhelming majority of data retained will have no such
value whatsoever."
14.19 By way of a Regulatory Impact Assessment, the
Minister offers the comment that "as drafted, the Framework
Decision will have an impact on the communications service industry".
This impact is not further quantified, but the Minister comments
that "experience of the current voluntary regime under the
2001 Act is helping establish the retention of communications
data that meets the requirements of law enforcement in advance
of any future mandatory regime for the retention of the same data".
Conclusion
14.20 As this proposal is one which the United
Kingdom is co-sponsoring, we would have expected a more detailed
and rigorous Regulatory Impact Assessment. These proposals will
clearly impose costs on service providers which they would not
otherwise have chosen to incur. Indeed, it is apparent from the
Minister's explanations that competitive pressures are leading
to less data being retained and that the majority of the data
which would have to be retained under the proposal would have
no value even for the prevention and detection of crime.
14.21 We ask the Minister to comment in more detail
on the likely costs of the proposal for service providers and
on whether it is the Government's intention that these additional
costs should be met from EU or other public funds.
14.22 We also ask the Minister to explain how
the proposal would apply (if at all) to the substantial volume
of communications data relating to UK residents which is held
by US service providers on servers in the United States, where
there are no comparable retention requirements.
14.23 We note that the Minister refers to the
report of the Privy Counsellor Review Committee, but that the
present proposal appears to diverge from the recommendations of
that Committee in two ways. First, the proposal would require
retention of data for the purpose of preventing or detecting and
prosecuting crimes of all kinds, and not just terrorism and other
serious crime. Secondly, the Review Committee recommended that
the longest retention period which the Government should be able
to impose was one year, whereas the present proposal would provide
for retention for up to three years. We ask the Minister to explain
why the Government has sponsored a measure at EU level which departs
so significantly from the Review Committee's recommendations.
14.24 We shall hold the document under scrutiny
pending the Minister's reply.
34 OJ No. L 201, 31.7.02, p.37. Back
35
As is evident from the passage cited, the Newton Committee referred
to terrorism and serious crime, not to crime in general. Back
|