Electronic communications: personal data protection rules and availability of traffic data for anti-terrorism purposes  
2005/0182(COD) - 31/05/2011  

Opinion of the European Data Protection Supervisor on the Evaluation report from the Commission to the Council and the European Parliament on the Directive 2006/24/EC (Data Retention Directive).

The EDPS recalls that on 18 April 2011, the Commission presented its evaluation report on the Data Retention Directive, and sent the report to the EDPS on the same day. The Data Retention Directive constituted an EU response to urgent security challenges, following the major terrorist attacks in Madrid in 2004 and in London in 2005. Despite the legitimate purpose for setting up a data retention scheme, criticism was voiced in relation to the huge impact the measure had on the privacy of citizens. The EDPS considers that the importance of the Evaluation report and the evaluation process cannot be overstated. The Data Retention Directive constitutes a prominent example of an EU measure aiming at ensuring availability of data generated and processed in the context of electronic communications for law enforcement activities. Now that the measure has been in place for several years, an evaluation of its practical application should actually demonstrate the necessity and proportionality of the measure in light of the rights to privacy and data protection. In this respect the EDPS has called the evaluation ‘the moment of truth’ for the Data Retention Directive.

The EDPS believes that the evaluation procedure should be used to set the standard for the evaluation of other EU instruments regulating information management, including the processing of huge amounts of personal data, in the area of freedom, security and justice. It should ensure that only those measures that are truly justified stay in place.

The EDPS analyses the content of the Evaluation report from a privacy and data protection point of view, focusing on whether the current Data Retention Directive meets the requirements set out by these two fundamental rights. This includes an analysis of whether the necessity of data retention as regulated in the Directive has sufficiently been demonstrated. The report sets out the main content of the Data Retention Directive, and its relationship with Directive 2002/58/EC (‘the ePrivacy Directive’), the changes brought about by the Lisbon Treaty, and an analysis on the validity of the Data Retention Directive in light of the rights to privacy and data protection.  

Directive does not meet requirements: the evaluation report shows that the Directive has failed to meet its main purpose, namely to harmonise national legislation concerning data retention. Such a lack of harmonisation is detrimental to all parties involved: citizens, business operators, as well as law enforcement authorities.

The EDPS’ analysis states that the Data Retention Directive does not meet the requirements set out by the rights to privacy and data protection, for the following reasons:

  • the necessity of data retention as provided for in the Data Retention Directive has not been sufficiently demonstrated;
  • data retention could have been regulated in a less privacy-intrusive way;
  • the Data Retention Directive lacks foreseeability.

It is therefore clear that the Data Retention Directive cannot continue to exist in its present form. In that respect, the Commission rightly proposes a revision of the current data retention framework.

Necessity: the EDPS states that the Commission should have insisted that Member States provide sufficient evidence that demonstrates the necessity of the measure since political statements by some Member States on the need for such a measure cannot alone justify EU action. Before proposing a revised version of the Directive, the EDPS feels that:

  • the Commission should, during the impact assessment, invest in collecting further practical evidence from the Member States in order to demonstrate the necessity of data retention as a measure under EU law;
  • if a majority of Member States considers data retention to be necessary, these Member States should all provide the Commission with quantitative and qualitative evidence demonstrating it;
  • Member States that oppose such a measure of data retention should provide the Commission with information to enable a broader assessment of the matter.

The EDPS underlines that an assessment of the necessity and the examination of alternative, less privacy-intrusive means can only be conducted in a fair way if all options for the future of the Directive are left open. In that respect, the Commission seems to exclude the possibility of repealing the Directive, either per se or combined with a proposal for an alternative, more targeted EU measure. The EDPS therefore calls upon the Commission to seriously consider these options in the impact assessment as well. Only if there is agreement on the need for EU rules from the perspective of the internal market and police and judicial cooperation in criminal matters and if, during the impact assessment, the necessity of data retention, supported and regulated by the EU, can be sufficiently demonstrated, which includes a careful consideration of alternative measures, can a future Data Retention Directive be considered.

The EDPS does not disagree that a well-defined obligation to retain telecommunications data may be justified under certain very strict conditions.

E-Privacy Directive: Article 15(1) of the ePrivacy Directive enables Member States to adopt legislative measures to restrict the scope of their obligations regarding the confidentiality of communications and data retention, and it has been used by several Member States. The EDPS has referred to this as a ‘legal loophole’ in the legal framework, which hampers the purpose of the Data Retention Directive, namely to create a level playing field for industry.

Data retention goes beyond what is necessary: the Evaluation report does permit the conclusion that the Data Retention Directive has regulated data retention in a way which goes beyond what is necessary, or, at least, has not ensured that data retention has not been applied in such a way. The EDPS highlights four elements:

  • the unclear purpose of the measure and the wide notion of ‘competent national authorities’ have led to the use of retained data for far too wide a range of purposes and by far too many authorities, and there is no consistency in the safeguards and conditions for access to the data;
  • the maximum retention period of two years appears to go beyond what is necessary, and the lack of a fixed single retention period for all Member States has created a variety of diverging national laws which may trigger complications, because it is not always evident what national law is applicable;
  • the level of security is not sufficiently, and a broader consultation and more concrete investigation into instances of abuse are needed;
  • it is not clear from the report whether all categories of retained data have proven to be necessary. Only some general distinctions are made between telephone and Internet data.

Basic requirements for future instrument: any future EU instrument on data retention should therefore meet the following basic requirements:

  • it should be comprehensive and genuinely harmonise rules on the obligation to retain data, as well as on the access and further use of the data by competent authorities;
  • it should be exhaustive, which means that it has a clear and precise purpose and that the legal loophole which exists with Article 15(1) of the ePrivacy Directive is closed;
  • it should be proportionate and not go beyond what is necessary.