Euro-IR Project Main Index



EU Cybercrime Forum Plenary Session - 27 November 2001

Statement on the Retention of Traffic Data for Law Enforcement Purposes

David Smith, Assistant Information Commissioner, UK



Introduction

This statement is based on the presentation given by David Smith, Assistant Information Commissioner (UK) to the meeting of the EU Cybercrime Forum on 6 November 2001. It is intended to reflect the general concerns of all EU Data Protection supervisory authorities but it nevertheless can only be read as a statement on behalf of the UK Commissioner. It addresses the status of privacy as a fundamental human right, discusses the application of existing Data Protection law to the retention of traffic data for law enforcement purposes and raises some of the questions that need to be addressed in any debate about routine retention.



The Right to Privacy

Those making the case for wider collection and access to personal information often make a claim along the lines "only the guilty have anything to fear". This is to misunderstand the meaning of "privacy". Privacy is about the right of individuals to go about their lawful activity without interference. Individuals should not have to account for their movements or actions simply because they may have communicated at one time, however innocently, with someone who is suspected of links with criminal activity. Privacy is not just about a person's ability to keep information to him/herself but it is about maintaining control, dignity and the right to be left alone. In the context of the current debate traffic data potentially reveal a great deal about an individual's private life. For example such data disclose not only who a person is communicating with by e-mail but also the subject of the messages. Electronic communication is increasingly sophisticated and becoming a more and more integral part of everyone's day to day life.

However privacy is not an absolute right. Sometimes the needs of society as a whole must prevail. What is important though is that the benefits accruing from any intrusion on privacy must be worth the privacy cost.

In this context the European Convention on Human Rights is particularly relevant. Article 8 addresses the right to respect for private life and correspondence. Article 10 addresses the right to freedom of expression including the right to receive and impart information and ideas without interference by public authority. This is supported by the Charter of Fundamental Rights of the European Union which emphasises the position of privacy as a basic human right. Article 7 of the Charter confirms that everyone has the right to respect for his or her private and family life, home and communications. Article 8 specifically addresses the protection of personal data. It provides that personal data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.

These legal instruments do not treat privacy as an absolute right. The ECHR specifically provides that the exercise of the right to respect for private life can be interfered with when the interference is in accordance with the law and is necessary in a democratic society in the interest of matters such as national security or the prevention of disorder or crime. Case law has stressed that any interference must be necessary to meet a pressing social need and must be a proportionate response to that need. In the context of retention of traffic data the question must be not simply whether retention will assist law enforcement but whether it will assist law enforcement sufficiently to justify the loss of privacy that goes with it. The right balance must be struck.



Data Protection Law

Retention of traffic data necessarily involves the processing of personal data within the terms of EU general data protection directive (95/46/EC). Article 7 sets out criteria for making data processing legitimate. At least one of the criteria must be satisfied. One of these is where processing is necessary for compliance with a legal obligation. It is doubtful though whether a voluntary arrangement whereby service providers retain traffic data solely for law enforcement purposes but without legal compulsion to do so would satisfy any of the criteria.

Article 6 of the Directive sets out principles relating to data quality. Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. The data must be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed and they must be kept in a form which permits identification of data subjects for no longer that is necessary. On the face of it the retention of traffic data by service providers for law enforcement purposes conflicts with these principles. The scope of their application can however be restricted where a member state adopts legislative measures that are necessary to safeguard national security, public security or the prevention, investigation, detection and prosecution of criminal offences.

The Telecommunications Data Protection Directive (97/66/EC) complements and particularises the general Directive. It is important to bear in mind that the specific provisions of Directive 97/66/EC add to rather than override the general provisions of Directive 95/46/EC. Article 5 of the Telecommunications Data Protection Directive protects the confidentiality of communications prohibiting interception or surveillance of communications except in limited circumstances. Article 6 specifically addresses traffic and billing data. Traffic data must be erased or made anonymous upon termination of a call. Billing data may be processed (a term which includes storage) only up to the end of the period during which the bill may lawfully be challenged or payment may be pursued. They can, in addition, be processed, with consent, by the service provider for marketing its own services. Member states can however, under the terms or Article 14, adopt legislative measures to restrict the scope of these obligations when the measures are necessary to safeguard national security, public security or the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the telecommunications system.

In summary the Data Protection Directives, do not prevent the retention of traffic data for billing purposes or for fraud prevention or to protect the security of the network by service providers so long as the laws of individual member states take advantage of the freedom they allow. This means that many service providers already legitimately retain traffic data to a significant extent for their own purposes. In limited circumstances these data are already, and will continue, to be accessible by law enforcement agencies. The new Directive on Privacy in Electronic Communications which is due to replace 97/66/EC will not change the position. It is likely to extend rather than restrict the ability of service providers to legitimately retain traffic data for their own purposes.

It should be clear though that the Data Protection Directives do not in themselves rule out the possibility of a member state introducing legislation requiring service providers to retain traffic data beyond their own needs solely for law enforcement purposes. However it is doubtful if voluntary retention for such purposes without legal compulsion can be achieved within the terms of the Data Protection Directives.



Position of Data Protection Authorities

In April 2000 the European Union Data Protection Authorities at their conference in Stockholm adopted a resolution emphasising that routine retention of traffic data would be an improper invasion of the fundamental rights established under Article 8 of the ECHR. They went on to indicate that where traffic data are to be retained in specific cases there must be a demonstrable need, the period of retention must be as short as possible and the practice must be clearly regulated by law. This view was reiterated by the Data Protection Authorities at their conference in Athens in May 2001.

It should be emphasised that although the Data Protection Authorities do not believe the case has yet been made for routine retention of traffic data they do not argue against the retention of data in specific cases where preservation is necessary for the prevention or detection of crime or the protection of national security. Nor do they argue against access to data which are held by service providers for their own purposes where a failure to provide access would prejudice law enforcement. The data protection authorities have not reviewed their position in the light of the increased terrorist threat. It is doubtful that were they to do so their position would change without clear evidence that routine retention of traffic data would have a real impact on the fight against terrorism.



Some Questions

There are several questions that need to be addressed in any debate about the routine retention of traffic data for law enforcement purposes. These include:

  • What is the basis of the case for retention?
  • Is the case made by law enforcement agencies based on crime detection where retention for a matter of months might be sufficient to meet their claims or is it based on the collection of intelligence where retention periods of up to 7 years have been suggested? If it is for intelligence do the law enforcement agencies have systems capable of handling the very large volumes of data involved?


  • What data are actually required?
  • Traffic data related to e-mail and internet access can be particularly revealing. In the case of e-mails they show not only who is communicating with who but the subject of the communication and the nature of any attachments to the message. In the case of internet access traffic data provide the addresses of all web pages accessed which indirectly reveals their content. Such traffic data will inevitably include some sensitive data, as defined in Directive 95/46/EC, such as those concerning health or sex life. These data require special protection. In addition location data associated with mobile phones, which is becoming more and more exact, reveals not only a person's communications but also their movements. Any case for retention requires an examination of traffic data item by item. It may be that those data items that are considered most valuable by the law enforcement authorities are not those that represent the greatest privacy intrusion.


  • How useful are the data?
  • Can traffic data be used in evidence? Are they sufficiently reliable? For example, mobile phone location data only reveal the location of the phone which may not be the location of the subscriber. Can the data be manipulated artificially?


  • What has changed?
  • Criminals have presumably always used the telephone system for communications and law enforcement authorities have relied on existing retention and access provisions. Why do they now need routine retention of traffic data? What is it about the new communication technologies that changes the balance of interests?


  • What is the management cost of retention?
  • The cost needs to be measured not just in terms of the financial cost of storage space but also in terms of the management cost of complying with data protection requirements. Any retained data must be kept securely and be properly managed. This may necessitate audit arrangements. Whoever retains traffic data must meet legal obligations to data subjects to allow them access to their data without excessive delay or expense. Who will pay for the retention of data? Who will meet the costs of subject access? There is an argument that if data are to be retained law enforcement agencies should pay a realistic charge for access on a case by case basis to ensure that access is only sought where there is a substantial need.


  • Who would store the traffic data?
  • Will the service provider store the data, will they be passed to the law enforcement authority for storage or will there be a trusted third party? If so who might this be? There are clearly risks if law enforcement agencies retain traffic data themselves without rigorous and transparent controls.


  • Do differing retention periods within the EU make sense?
  • The EU promotes the operation of a single market. If an UK consumer chooses to use a Spanish based ISP rather than a UK based ISP why should the retention of his/her traffic data be subject to different arrangements? Not only does this run counter to the single market but it will lead to confusion amongst consumers.



Summary

Some of the points referred to above address the question of what should the arrangements be if there is to be routine retention of traffic data for law enforcement purposes rather than whether there should be routine retention in the first place. Nevertheless the UK Information Commissioner, and we are sure many other Data Protection Authorities, are not yet convinced that there is a case for routine retention. It must be emphasised that this does not mean that Data Protection Authorities are opposed to preservation of data in particular cases where there is genuine suspicion of criminal activity or are opposed to access to data in appropriate circumstances where the data are held by service providers for their own purposes. However, traffic data can be extremely revealing about an individuals private life and as technology develops are likely to become even more so. Proposals for their routine retention raise serious privacy concerns which must be addressed.



David Smith
November 2001
Version 1.0





Euro-IR Project Main Index