12 Information management in the area of freedom, security and justice
(31838) 12579/10 COM(10) 385 | Commission Communication: Overview of information management in the area of freedom, security and justice
Legal base |
Document originated | 20 July 2010
Deposited in Parliament | 27 July 2010
Department | Home Office
Basis of consideration | Minister's letter of 12 January 2011
Previous Committee Report | HC 428-v (2010-11), chapter 7 (27 October 2010) and HC 428-ii (2010-11), chapter 12 (15 September 2010)
Committee's assessment | Politically important
Committee's decision | Cleared; further information requested
Background and previous scrutiny
12.1 The Communication provides, for the first time, a comprehensive
overview of EU instruments in the area of freedom, security and
justice which regulate the collection, storage and exchange of
personal data for law enforcement or migration purposes. The Commission's
analysis leads it to make a number of observations about the features
common to most EU information management systems and to suggest
a "core set of principles" which it believes should
serve as a benchmark for evaluating existing systems and developing
new ones. The need to safeguard the right to privacy and to ensure
effective protection of personal data features prominently in
the core principles.
12.2 When we first considered the Communication
in September, we welcomed the Commission's elaboration of a set
of core principles for future policy development and the emphasis
placed on the right to privacy and personal data protection as
well as respect for the principles of subsidiarity and proportionality.
We invited further comment from the Minister on a number of issues,
most of which he responded to in a letter dated 13 October 2010.
His response, however, did not address the question we raised
about the implications that an adverse judgment in the Romanian
Constitutional Court on the EU Data Retention Directive might
have for the legality of the EU data retention regime established
by that Directive.[62]
The Directive requires Member States to implement measures to
ensure that internet and telecommunications service providers
retain various data concerning their customers, including the
telephone number or user ID of those originating and receiving
calls or e-mails and the date, time and duration of any communication,
for a minimum of 6 months and a maximum of two years. During this
period, the data must be made available to the competent national
authorities if required, in specific cases, for the "investigation,
detection and prosecution of serious crime, as defined by each
Member State in its national law."[63]
The Directive expressly excludes the retention of data revealing
the content of a phone call or e-mail.
The Minister's letter of 12 January 2011
12.3 The Parliamentary Under-Secretary of State
for Crime Prevention (James Brokenshire) explains the purpose
of the Data Retention Directive:
"The European Data Retention Directive (2006/24/EC)
(DRD) places an obligation on communication service providers
to retain certain data that is generated or processed in connection
with the provision of a publicly available electronic communication
service for the purpose of serious crime. The DRD is necessary
because the e-Privacy Directive (2002/58/EC) would otherwise require
the data to be destroyed or retained in an anonymised form. Thus
the DRD enables traffic data, location data and the related data
necessary to identify the user to be retained in a usable form.
It provides details of categories of data to be retained and allows
Member States to choose a retention period from between 6 and
24 months. The DRD requires Member States to ensure that access
to retained data is only provided to competent national authorities
in accordance with national law."
12.4 He says that the Romanian Constitutional
Court declared the national law implementing the Directive to
be unconstitutional because it breached individuals' right to
privacy. He continues:
"In the summary the judgment does not seem to
distinguish between communication service providers retaining
business data as required by the Directive and access to that
data, and it suggests that once the communications data had been
retained it could be freely accessed by 'secret services'.
"The DRD requires that communications data retained
under the Directive should only be provided to competent national
authorities in accordance with national law. Therefore the issue
seems to be the extent to which Romania's national laws provide
adequate safeguards and protections to ensure that the retained
data is only accessed by competent national authorities when it
is necessary and proportionate to do so."
12.5 The Minister explains that access to communications
data retained under the Directive in the UK is regulated primarily
through the Regulation of Investigatory Powers Act 2000. The Act
"sets out which public authorities can access the data and
for what purposes. It also ensures that proper consideration is
given to necessity and proportionality in the authorisation. There
are robust safeguards in place, including independent oversight
by the Interception of Communications Commissioner."
12.6 The Minister concludes that "there
is no read across in the Romanian Constitutional Court's decision
to the UK as we have the necessary safeguards in place to ensure
that access to data is in accordance with national and European
law."
Conclusion
12.7 We accept that one of the concerns expressed
by the Romanian Constitutional Court was that the law implementing
the Directive did not identify with sufficient precision the national
competent authorities which would be entitled to have access to
the retained data. However, as we indicated in our last Report,
the Court's principal concern appeared to be the broad scope of
the obligation, created by the Directive, to retain certain data
relating to all telephone and internet users, not merely those
suspected of the commission of a criminal offence.
12.8 We note that the European Data Protection
Supervisor, Peter Hustinx, stated last December that "retaining
communication and location data of all persons in the EU, whenever
they use the telephone or the internet, constitutes a huge interference
with the right to privacy of all citizens. The Directive is without
doubt the most privacy invasive instrument ever adopted by the
EU in terms of scale and the number of people it affects. It goes
without saying that such a massive invasion of privacy needs profound
justification."[64]
12.9 We understand that the Commission is
likely to produce an evaluation of the Directive shortly which
may propose a number of changes. We think that the Directive may
provide an interesting testing-bed for the application of the
core set of principles set out in the Commission Communication
and trust that the emphasis placed on the right to privacy and
personal data protection, as well as respect for the principles
of subsidiarity and proportionality, will inform both the Commission's
evaluation of the Directive and the Government's response to it.
While we are content to clear the Communication from scrutiny,
we ask the Minister to keep us informed of developments concerning
the evaluation and possible revision of the Data Retention Directive,
not least so that we can see whether, and how, the principles
outlined in the Communication are being applied in practice.
62 Directive 2006/24/EC of 15 March 2006, OJ L 105, 13.04.2006, p.54.
63 Article 1(2) and 4 of the Directive.
64 Part of a speech at a conference on the Data Retention Directive in Brussels on 3 December 2010.