Wednesday 23 April 2014

Botched EU communications data retention rules quashed

How many people really care about how long their communications data is retained for national security and law enforcement purposes?

Beyond the readership of this blog, probably not very many.

I remember first becoming involved in this issue some 15 years ago, when working for what was then known as the mobile company One2One. It was my job, amongst others, to understand just what the company needed to use these records for, and for how long they needed to be retained. I remember conferring with colleagues in the mobile (and fixed) telecoms field, exchanging ideas as to what retention standards ought to be appropriate.

I won’t list the (then) retention standards in this blog, as I would only be opening a can of worms - suffice to say that today’s retention standards differ greatly from those practised by certain providers then.

I also remember working with the Home Office on the issue of mandating certain retention standards – really to ensure that data that was actually required for an investigation could readily be made available when it was proportionate and necessary to do so.

And finally, under the stewardship of the then Home Secretary Charles Clarke, I remember the UK Government being primarily responsible for the Communications Data Retention Directive (2006/24/EC), which broadly tried to set common retention standards throughout Europe. Why? Just in case communication records generated by, say, British customers in the UK, were to be held not in the UK but in a central European records database. Given that, back then, the parent companies of Orange, One2One, O2 & 3 were based respectively in France, Germany, Spain & China, there was a real possibility that Britain’s law enforcers might have lost out if British mobile phone records were to have been held outside the UK.

It can also be said that we all knew that the Communications Data Retention Directive, especially as it applied to IP records, really was not fully fit for purpose when the time came for the final vote on approving the thing. But what was better – a botched job, or no agreement at all? The European parliamentary timetable was such that there was a real prospect that all work on the measure would have been wasted had a final vote not been made by a particular date.

The Governments of the Member States, and the members of the European Parliament, took the view that any agreement would be better than no agreement.

Now, some 8 years later, the European Court of Justice has taken the view that the original job was so botched that the Directive ought to be annulled.

In essence, the court has held that the retention limits (which allowed Member States to individually set periods of between 6 and 24 months for various types of data) were disproportionate. Why was this time period originally agreed? Principally because it was a timeframe that suited the requirements of a large majority of the European law enforcement bodies that were using significant volumes of communications records for investigative purposes back then. 

Readers with a keen sense of irony will know that one of the successful appellants in this case was Digital Rights Ireland. Yet, the Irish Government was originally opposed to the Directive because they wanted to keep communications records for 36 months, not the 24 months that was finally agreed. The Italian Government were even more opposed to the Directive, because they originally wanted to keep certain records for 48 months (and even longer in some of the cases that involved Mafia investigations).

The German Government was very opposed to the concept of keeping records even for as long as 6 months. Basically, this was because it knew it would come under considerable pressure to pay the providers in that country the costs that would be incurred in setting up the relevant records retention databases and, thanks to the recently disgraced former East German administration, it also had direct experience of state abuse of communications records.

Readers with a keen sense of irony will also know that the first four communications providers to announce that they have reduced their retention periods, in light of the judgment, hail from Sweden, which is one of the 4 Member States that originally sponsored the Directive. And it was the same European Court of Justice that fined Sweden 3 million Euros in May 2013 for delaying implementation of the Directive in that country. Where’s the justice in that? (Presumably, though, the Swedish Government will now be able to appeal that fine.)

Anyway, what will happen in Blighty as a result of the judgement?

Probably, not a lot. Certainly not soon, anyway.

Given the speed with which the Home Office moves on such weighty issues, it could be some time before an official announcement will be made. Discreet calls have already been placed to the key UK providers, inquiring whether the judgement is likely to change their current retention plans. Such is the relationship between Home Office and said providers that it didn’t take long before the relevant reassurances were received. Home Office attention will now focus on the overseas providers (yes, the usual suspects) to better understand what steps they intend to take.