Saturday, 17 July 2010

Hello Hello Hello - (Why) have you still got it?

Woops – it appears that the Article 29 Working Party have opined on another “unlawful” activity – but I’m not at all convinced that the British cops will be doing much about it.

This time, I’m referring to an opinion, freshly minted from their latest meeting, which was held in Brussels earlier in the week. The data retention practices of communication service providers are at fault, as there appears to be widespread non-compliance with some of the provisions in an EU Directive which obliges them to retain telecom and internet traffic records for various periods, in order that they could be passed to law enforcement agencies for the purposes set out in the Directive.

The 21 page opinion is helpfully accompanied by a 45 page annex, which sets out the responses to the questions that were posed by the report’s authors.

Actually, I could probably have saved them the effort. Had they asked me for my opinion, I might have been able to set the issue of compliance with the relevant statutes in its rightful context.

Before I spill the beans, let me first just summarise the main findings of the enquiry, by plagiarising (and editing) the high level findings:

Service providers were found to retain and hand over data in ways contrary to the provisions of the directive. The provisions of the data retention directive are not respected and the lack of available sensible statistics hinders the assessment of whether the directive has achieved its objectives. The European Data Protection Authorities therefore call on the European Commission to take into account the findings of the report when taking the decision on whether or not to amend or repeal the Directive.

The joint inquiry focused on security measures and prevention of abuse, compliance with storage limit obligations and the type of retained information. It showed that the directive has not been implemented in a harmonized way. Significant discrepancies were found between the member states, especially regarding the retention periods, which vary from six months to up to ten years, which largely exceeds the allowed maximum of 24 months.

Another important finding is that more data are being retained than is allowed. The data retention directive provides a limited list of data to be retained, all relating to traffic data.

The retention of data relating to the content of communication is explicitly prohibited. However, it appears from the inquiry that some of these data are nevertheless retained. As to the internet traffic data, several service providers were found to retain URLs of websites, headers of e-mail messages as well as recipients of e-mail messages in “CC” mode at the destination mail server. Regarding phone traffic data, it was established that not only the location of the caller is retained at the start of the call, but that his location is being monitored continuously.

Member states have scarcely provided statistics on the use of data retained under the Directive, which limits the possibilities to verify the usefulness of data retention.

The report [makes] several recommendations for changes to be made to the directive:
• Increased harmonization, more secure data transmission and standardized handover procedures.
• No additional data retention obligations for the providers may be imposed by national laws.
• A reduction of the maximum retention period to a single, shorter term,
• Reconsideration of the overall security of traffic data by the Commission,
• Clarification of the concept of “serious crime” at member state level and
• [Improved] disclosure protocols to all the relevant stakeholders of the list of the entities authorized to access the data.

Ok, let’s cut to the chase. It should not come as a surprise to anyone to realise that the Directive has been implemented in different ways in different Member States. After all, that’s a hallmark of virtually every piece of data protection legislation that has ever come out of the EU.

But it also should not really come as much of a surprise to anyone to realise that, in all honesty, no-one in the room actually understood the meaning of the final text of the Communications Data Retention Directive [2006/24/EC] when the politicians were asked to vote to adopt it. I wasn’t in the room at the time, but I do know a few of the flies who were on the wall. The dirty deeds, so to speak, were done during the dying days of the UK’s Presidency of the Council of Ministers. In those days, each Member State got to chair the relevant committees for six months, and they all tried hard to let history mark their chairmanship with a few pieces of noteworthy legislation.

From what I remember, however, there wasn’t much noteworthy legislation that was adopted during “that” British Presidency. Tony Blair was the Prime Minister, and it fell to Home Secretary Charles Clarke to be responsible for this initiative. I remember the time running out, with the end of the Presidency just a couple of weeks away, and Home Office officials wondering whether they should really recommend to Charles Clarke that the Council of Ministers be asked to approve a "semi-finished" measure that made some sort of sense for the retention of telephone and SMS records, but used technical terms that could not easily be applied to internet records. In a masterstroke, some Commission official then took it upon himself to quickly rewrite the text in a way that basically no-one could understand how it would apply to internet records, and it was this text that was presented to European Home Office Ministers with a request that they approve it.

Which they did.

Which is why we've ended up with a piece of legislation which is incredibly hard to comprehend and which, as far as its treatment of IP records is concerned, does not appear to have been warmly welcomed by investigators as being fit for purpose.

So, if the Article 29 Working Party want to get their teeth into anyone, they could start with the people who created the words that no-one could really understand. And they could ask themselves why politicians should be allowed to pass laws that neither they nor any of the so-called experts in the room can properly comprehend.

Hey ho – we could be hearing from the Working Party soon on possible tweaks to the main Data Protection Directive – again an instrument that contains some provisions that very few experts can properly comprehend.

Note for the brave – the Working Party’s report can be found on the internet by Googling its snappy title of “Report 01/2010 on the second joint enforcement action: Compliance at national level of Telecom Providers and ISPs with the obligations required from national traffic data retention legislation on the legal basis of articles 6 and 9 of the e-Privacy Directive 2002/58/EC and the Data Retention Directive 2006/24/EC amending the e-Privacy Directive.”

Failing that, point your browser to