Documents considered by the Committee on 26 January 2011 - European Scrutiny Committee Contents

12   Information management in the area of freedom, security and justice



COM(10) 385

Commission Communication: Overview of information management in the area of freedom, security and justice

Legal base
Document originated20 July 2010
Deposited in Parliament27 July 2010
DepartmentHome Office
Basis of considerationMinister's letter of 12 January 2011
Previous Committee ReportHC 428-v (2010-11), chapter 7 (27 October 2010) and HC 428-ii (2010-11), chapter 12 (15 September 2010)
Committee's assessmentPolitically important
Committee's decisionCleared; further information requested

Background and previous scrutiny

12.1  The Communication provides, for the first time, a comprehensive overview of EU instruments in the area of freedom, security and justice which regulate the collection, storage and exchange of personal data for law enforcement or migration purposes. The Commission's analysis leads it to make a number of observations about the features common to most EU information management systems and to suggest a "core set of principles" which it believes should serve as a benchmark for evaluating existing systems and developing new ones. The need to safeguard the right to privacy and to ensure effective protection of personal data features prominently in the core principles.

12.2  When we first considered the Communication in September, we welcomed the Commission's elaboration of a set of core principles for future policy development and the emphasis placed on the right to privacy and personal data protection as well as respect for the principles of subsidiarity and proportionality. We invited further comment from the Minister on a number of issues, most of which he responded to in a letter dated 13 October 2010. His response, however, did not address the question we raised about the implications that an adverse judgment in the Romanian Constitutional Court on the EU Data Retention Directive might have for the legality of the EU data retention regime established by that Directive.[62] The Directive requires Member States to implement measures to ensure that internet and telecommunications service providers retain various data concerning their customers, including the telephone number or user ID of those originating and receiving calls or e-mails and the date, time and duration of any communication, for a minimum of 6 months and a maximum of two years. During this period, the data must be made available to the competent national authorities if required, in specific cases, for the "investigation, detection and prosecution of serious crime, as defined by each Member State in its national law."[63] The Directive expressly excludes the retention of data revealing the content of a phone call or e-mail.

The Minister's letter of 12 January 2011

12.3  The Parliamentary Under-Secretary of State for Crime Prevention (James Brokenshire) explains the purpose of the Data Retention Directive:

"The European Data Retention Directive (2006/24/EC) (DRD) places an obligation on communication service providers to retain certain data that is generated or processed in connection with the provision of a publicly available electronic communication service for the purpose of serious crime. The DRD is necessary because the e-Privacy Directive (2002/58/EC) would otherwise require the data to be destroyed or retained in an anonymised form. Thus the DRD enables traffic data, location data and the related data necessary to identify the user to be retained in a usable form. It provides details of categories of data to be retained and allows Member States to choose a retention period from between 6 and 24 months. The DRD requires Member States to ensure that access to retained data is only provided to competent national authorities in accordance with national law."

12.4  He says that the Romanian Constitutional Court declared the national law implementing the Directive to be unconstitutional because it breached individuals' right to privacy. He continues:

"In the summary the judgment does not seem to distinguish between communication service providers retaining business data as required by the Directive and access to that data, and it suggests that once the communications data had been retained it could be freely accessed by 'secret services'.

"The DRD requires that communications data retained under the Directive should only be provided to competent national authorities in accordance with national law. Therefore the issue seems to be the extent to which Romania's national laws provide adequate safeguards and protections to ensure that the retained data is only accessed by competent national authorities when it is necessary and proportionate to do so."

12.5  The Minister explains that access to communications data retained under the Directive in the UK is regulated primarily through the Regulation of Investigatory Powers Act 2000. The Act "sets out which public authorities can access the data and for what purposes. It also ensures that proper consideration is given to necessity and proportionality in the authorisation. There are robust safeguards in place, including independent oversight by the Interception of Communications Commissioner."

12.6  The Minister concludes that "there is no read across in the Romanian Constitutional Court's decision to the UK as we have the necessary safeguards in place to ensure that access to data is in accordance with national and European law."


12.7  We accept that one of the concerns expressed by the Romanian Constitutional Court was that the law implementing the Directive did not identify with sufficient precision the national competent authorities which would be entitled to have access to the retained data. However, as we indicated in our last Report, the Court's principal concern appeared to be the broad scope of the obligation, created by the Directive, to retain certain data relating to all telephone and internet users, not merely those suspected of the commission of a criminal offence.

12.8  We note that the European Data Protection Supervisor, Peter Hustinx, stated last December that "retaining communication and location data of all persons in the EU, whenever they use the telephone or the internet, constitutes a huge interference with the right to privacy of all citizens. The Directive is without doubt the most privacy invasive instrument ever adopted by the EU in terms of scale and the number of people it affects. It goes without saying that such a massive invasion of privacy needs profound justification."[64]

12.9  We understand that the Commission is likely to produce an evaluation of the Directive shortly which may propose a number of changes. We think that the Directive may provide an interesting testing-bed for the application of the core set of principles set out in the Commission Communication and trust that the emphasis placed on the right to privacy and personal data protection, as well as respect for the principles of subsidiarity and proportionality, will inform both the Commission's evaluation of the Directive and the Government's response to it. While we are content to clear the Communication from scrutiny, we ask the Minister to keep us informed of developments concerning the evaluation and possible revision of the Data Retention Directive, not least so that we can see whether, and how, the principles outlined in the Communication are being applied in practice.

62   Directive 2006/24/EC of 15 March 2006, OJ L 105, 13.04.2006, p.54.  Back

63   Article 1(2) and 4 of the Directive.  Back

64   Part of a speech at a conference on the Data Retention Directive in Brussels on 3 December 2010. Back

previous page contents next page

House of Commons home page Parliament home page House of Lords home page search page enquiries index

© Parliamentary copyright 2011
Prepared 10 February 2011