Tuesday 31 January 2012

Another day, another data protection referral to the European Court

I do hope that Commissioner Reding will be taking notice of the chaos and confusion that is capable of being created when ill-thought through Euro-legislation makes its way through the Parliamentary processes and finally arrives on the Statute Book.

What’s the story behind this one? Well, it’s all about discussions that went on behind the scenes a decade ago as representatives from each EC Member State argued about what rules should be put in place to permit phone and internet records to be available for law enforcement investigations into serious crime, but in a way that protected the human rights of the phone and internet users.

The issue could be reduced, following long tedious arguments, to one of ensuring that the most serious law enforcement investigations should not be compromised because the communications records were no longer available. While that seemed a fine principle to agree about in theory, the principle couldn’t be implemented very easily. Why? Simply because the law enforcement agencies operating in the different Member States had different practices when it came to investigating crime using traffic records. In some Member States, the common practice was to rely on 6 months of records. In other Member States, the practice was to use up to 4 years of records. So given the disparity on investigation practices, lots of people got upset when the new rules prohibited the retention of records for more than 2 years, and ever since they’ve been devising new legal challenges to postpone the enforcement of these rules.

If my memory serves me right, the Irish were unhappy because they wanted records to be retained for 3 years, while the Italians wanted a 4 year limit. On the other hand, the Germans didn’t care so long as it could get hold of 6 months of records. Other Member States didn’t really seem to care as, at that time, the law enforcement agencies in that country didn’t seem to rely on phone or internet records at all.

And, if my memory serves me right, there was general acceptance that the words used in the draft legislation about the retention of internet records didn’t make any sense – but the point was that the statute had to be approved at that time because the Chairman of the relevant Committee of the Council of Ministers was completing his term of office and if the legislation wasn’t accepted, then the discussions would have to start again from the beginning of the tenure of the next Chairman. I won’t embarrass the Chairman of that Committee by naming him, nor will I point out which Member State had the honour of chairing the discussions and forcing the key decisions. (Well, not until someone asks me nicely.)

Does this approach to drafting legislation sound familiar?

The upshot of this unholy mess has been another appeal to the European Court on the basis that some people don’t like what’s going on, and they consider that their human rights have been abused.

And why am I writing about this now?

Because the more I read the European Commission’s proposals for a General Data Protection Regulation, the more convinced I am that the target that the Commission set itself was one focussed on the calendar, rather than common sense. I’m convinced that the Commission was so keen to launch “something” on 25 January that the “thing” was, to a large extent, immaterial.

Perhaps that was what was meant by Commisisoner Reding’s introductory remarks last week: “Ladies and Gentlemen, we have done it”.

We will now send the following months and years working out in detail what really is appropriate to meet the changing needs of our times.

I only trust we have time to undo the stupid bits and get it right before some other parliamentary timetable forces the pace, and we are left with a text that so many of us know is still not fit for purpose.