EU Cybercrime Forum Plenary Session - 27 November 2001
Statement on the Retention of Traffic Data for Law Enforcement Purposes
David Smith, Assistant Information Commissioner, UK
Introduction
This statement is based on the presentation given by David Smith, Assistant Information Commissioner (UK) to the meeting of the EU Cybercrime Forum on 6 November 2001. It is intended to reflect the general concerns of all EU Data Protection supervisory authorities but it nevertheless can only be read as a statement on behalf of the UK Commissioner. It addresses the status of privacy as a fundamental human right, discusses the application of existing Data Protection law to the retention of traffic data for law enforcement purposes and raises some of the questions that need to be addressed in any debate about routine retention.
The Right to Privacy
Those making the case for wider collection and access to personal information often make a claim along the lines "only the guilty have anything to fear". This is to misunderstand the meaning of "privacy". Privacy is about the right of individuals to go about their lawful activity without interference. Individuals should not have to account for their movements or actions simply because they may have communicated at one time, however innocently, with someone who is suspected of links with criminal activity. Privacy is not just about a person's ability to keep information to him/herself but it is about maintaining control, dignity and the right to be left alone. In the context of the current debate traffic data potentially reveal a great deal about an individual's private life. For example such data disclose not only who a person is communicating with by e-mail but also the subject of the messages. Electronic communication is increasingly sophisticated and becoming a more and more integral part of everyone's day to day life.
However privacy is not an absolute right. Sometimes the needs of society as a whole must prevail. What is important though is that the benefits accruing from any intrusion on privacy must be worth the privacy cost.
In this context the European Convention on Human Rights is particularly relevant. Article 8 addresses the right to respect for private life and correspondence. Article 10 addresses the right to freedom of expression including the right to receive and impart information and ideas without interference by public authority. This is supported by the Charter of Fundamental Rights of the European Union which emphasises the position of privacy as a basic human right. Article 7 of the Charter confirms that everyone has the right to respect for his or her private and family life, home and communications. Article 8 specifically addresses the protection of personal data. It provides that personal data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.
These legal instruments do not treat privacy as an absolute right. The ECHR specifically provides that the exercise of the right to respect for private life can be interfered with when the interference is in accordance with the law and is necessary in a democratic society in the interest of matters such as national security or the prevention of disorder or crime. Case law has stressed that any interference must be necessary to meet a pressing social need and must be a proportionate response to that need. In the context of retention of traffic data the question must be not simply whether retention will assist law enforcement but whether it will assist law enforcement sufficiently to justify the loss of privacy that goes with it. The right balance must be struck.
Data Protection Law
Retention of traffic data necessarily involves the processing of personal data within the terms of the EU general data protection directive (95/46/EC). Article 7 sets out criteria for making data processing legitimate. At least one of the criteria must be satisfied. One of these is where processing is necessary for compliance with a legal obligation. It is doubtful though whether a voluntary arrangement whereby service providers retain traffic data solely for law enforcement purposes but without legal compulsion to do so would satisfy any of the criteria.
Article 6 of the Directive sets out principles relating to data quality. Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. The data must be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed and they must be kept in a form which permits identification of data subjects for no longer than is necessary. On the face of it the retention of traffic data by service providers for law enforcement purposes conflicts with these principles. The scope of their application can however be restricted where a member state adopts legislative measures that are necessary to safeguard national security, public security or the prevention, investigation, detection and prosecution of criminal offences.
The Telecommunications Data Protection Directive (97/66/EC) complements and particularises the general Directive. It is important to bear in mind that the specific provisions of Directive 97/66/EC add to rather than override the general provisions of Directive 95/46/EC. Article 5 of the Telecommunications Data Protection Directive protects the confidentiality of communications prohibiting interception or surveillance of communications except in limited circumstances. Article 6 specifically addresses traffic and billing data. Traffic data must be erased or made anonymous upon termination of a call. Billing data may be processed (a term which includes storage) only up to the end of the period during which the bill may lawfully be challenged or payment may be pursued. They can, in addition, be processed, with consent, by the service provider for marketing its own services. Member states can however, under the terms of Article 14, adopt legislative measures to restrict the scope of these obligations when the measures are necessary to safeguard national security, public security or the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the telecommunications system.
In summary the Data Protection Directives do not prevent the retention of traffic data for billing purposes or for fraud prevention or to protect the security of the network by service providers so long as the laws of individual member states take advantage of the freedom they allow. This means that many service providers already legitimately retain traffic data to a significant extent for their own purposes. In limited circumstances these data are already, and will continue to be, accessible by law enforcement agencies. The new Directive on Privacy in Electronic Communications which is due to replace 97/66/EC will not change the position. It is likely to extend rather than restrict the ability of service providers to legitimately retain traffic data for their own purposes.
It should be clear though that the Data Protection Directives do not in themselves rule out the possibility of a member state introducing legislation requiring service providers to retain traffic data beyond their own needs solely for law enforcement purposes. However it is doubtful if voluntary retention for such purposes without legal compulsion can be achieved within the terms of the Data Protection Directives.
Position of Data Protection Authorities
In April 2000 the European Union Data Protection Authorities at their conference in Stockholm adopted a resolution emphasising that routine retention of traffic data would be an improper invasion of the fundamental rights established under Article 8 of the ECHR. They went on to indicate that where traffic data are to be retained in specific cases there must be a demonstrable need, the period of retention must be as short as possible and the practice must be clearly regulated by law. This view was reiterated by the Data Protection Authorities at their conference in Athens in May 2001.
It should be emphasised that although the Data Protection Authorities do not believe the case has yet been made for routine retention of traffic data they do not argue against the retention of data in specific cases where preservation is necessary for the prevention or detection of crime or the protection of national security. Nor do they argue against access to data which are held by service providers for their own purposes where a failure to provide access would prejudice law enforcement. The data protection authorities have not reviewed their position in the light of the increased terrorist threat. It is doubtful that were they to do so their position would change without clear evidence that routine retention of traffic data would have a real impact on the fight against terrorism.
Some Questions
There are several questions that need to be addressed in any debate about the routine retention of traffic data for law enforcement purposes. These include:
Summary
Some of the points referred to above address the question of what should the arrangements be if there is to be routine retention of traffic data for law enforcement purposes rather than whether there should be routine retention in the first place. Nevertheless the UK Information Commissioner, and we are sure many other Data Protection Authorities, are not yet convinced that there is a case for routine retention. It must be emphasised that this does not mean that Data Protection Authorities are opposed to preservation of data in particular cases where there is genuine suspicion of criminal activity or are opposed to access to data in appropriate circumstances where the data are held by service providers for their own purposes. However, traffic data can be extremely revealing about an individual's private life and as technology develops are likely to become even more so. Proposals for their routine retention raise serious privacy concerns which must be addressed.