Data Retention Directive passed by EU Parliament

Tuesday, December 27, 2005

On December 14th, after a single reading, the EU Parliament passed the Data Retention directive. 378 parliamentarians voted in favour of the Directive, 30 abstained and 197 voted against.

The so-called "Big Brother" directive, highly controversial at least among those even aware of its existence, requires all Internet and telecommunications service providers in Europe to log traffic metadata (who called whom, who visited which sites) for 6 to 24 months and to hand the data over to police forces, secret services and other organisations, as decided by national governments. The law was drafted and passed in three months, an extraordinarily rapid process, and was heavily influenced by earlier UK legislation that failed to pass in Britain.


Significant aspects of this law are the lack of any special measures for the security and privacy of the collected data, and the lack of any rule on how providers' costs are to be reimbursed. Such measures had been proposed as amendments, but a block vote in Parliament (following a deal between the leaders of the two largest parties, the Christian democrat-conservative European People's Party and the Party of European Socialists, and the European Commission) rejected them.

All mention of "terrorism" was removed from the original text, so the approved law applies these measures to "serious crime" only. The text itself does not define "serious crime"; that is left to each member state's national law.

In part, the law harmonises existing practice, letting police forces rely on retained data in their investigations. In some countries, privacy laws that mandated the destruction of such data after six months have hindered investigations; Poland, following one such case, wanted a 15-year retention period.

However, other influences have made the law much broader than this. In particular, the requirement to log subscriber information for Internet communications has raised serious concerns among ISPs and technical analysts, because "communication" is defined vaguely as "all emails and Internet telephony". An access ISP can record which subscriber held which IP address at which time, and which remote endpoints that address exchanged traffic with; it cannot identify the parties to an email or a call carried by a third-party service without inspecting the payload, and doing that for every session amounts to recording every TCP and UDP packet crossing the network. That volume of data would make small to medium ISPs unable to operate and force large ISPs to raise their prices considerably. All provisions in the law for reimbursement were removed; each country decides that for itself.

Thus the Data Retention directive, while bearing down on anonymous public communications tools such as open Wi-Fi, cybercafes, pre-paid phone cards (and possibly even public phone booths), ignores web-based email, self-hosted mail servers, chat systems, VPNs, VoIP services and so on. The premise that criminals will confine themselves to the few simple protocols whose "subscriber information" can be extracted is weak at best.
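To make concrete what the two paragraphs above argue, here is an added example that is not part of the original article: it builds the kind of flow-level record an access ISP could realistically retain (endpoints, ports, timing, byte counts, no payload) from a constructed packet trace, labels what each record does and does not reveal, and compares the retained volume with full packet capture. All addresses, ports, the port-to-service labels and the 48-byte record size are assumptions chosen for illustration; the sample traffic is constructed. It goes slightly beyond the text by showing that flow records already give who-talked-to-which-server and when, while still leaving webmail correspondents, chat peers and anything inside a VPN tunnel invisible.

```python
# Added example (not from the original article): what an access ISP's
# flow-level logs can and cannot reveal about "communications".
# Addresses, ports, service labels and record size below are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int
    length: int  # bytes on the wire, headers plus payload


@dataclass
class Flow:
    proto: str
    client: str
    server: str
    server_port: int
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


# Assumed mapping from well-known server port to what the flow alone tells you.
VISIBILITY = {
    25:   "smtp: relay hop visible; sender and recipient live only in the payload",
    443:  "https: only the server endpoint visible; webmail correspondents are opaque",
    1194: "openvpn: only the tunnel endpoint visible; everything inside is opaque",
    5060: "sip: signalling endpoint visible; the callee lives in the SIP payload",
}

FLOW_RECORD_BYTES = 48  # assumption: on the order of one NetFlow v5 record


def build_flows(packets):
    """Aggregate packets into flows keyed by (proto, client, server, server port).
    The lower-numbered port side is taken to be the server (assumption: clients
    use ephemeral high ports). Only headers are consulted, never payload."""
    flows = {}
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        if p.dport < p.sport:
            client, server, port = p.src, p.dst, p.dport
        else:
            client, server, port = p.dst, p.src, p.sport
        key = (p.proto, client, server, port)
        f = flows.get(key)
        if f is None:
            f = flows[key] = Flow(p.proto, client, server, port, p.ts, p.ts)
        f.last_seen = p.ts
        f.packets += 1
        f.octets += p.length
    return list(flows.values())


def describe(flow):
    """What a retained flow record exposes about the communication it belongs to."""
    return VISIBILITY.get(flow.server_port, "unknown service: endpoints and timing only")


def retention_bytes(packets, full_capture):
    """Bytes the ISP must keep for this traffic under each retention regime."""
    if full_capture:
        return sum(p.length for p in packets)
    return FLOW_RECORD_BYTES * len(build_flows(packets))


# Constructed trace: one subscriber (10.0.0.7) sends mail via SMTP, reads
# webmail over HTTPS, then brings up an OpenVPN tunnel.
SAMPLE = [
    Packet(0.0, "10.0.0.7", "192.0.2.25", "tcp", 51000, 25, 1200),
    Packet(0.4, "192.0.2.25", "10.0.0.7", "tcp", 25, 51000, 200),
    Packet(1.0, "10.0.0.7", "198.51.100.4", "tcp", 51001, 443, 900),
    Packet(1.2, "198.51.100.4", "10.0.0.7", "tcp", 443, 51001, 14000),
    Packet(2.0, "10.0.0.7", "203.0.113.9", "udp", 51002, 1194, 1400),
    Packet(2.5, "10.0.0.7", "203.0.113.9", "udp", 51002, 1194, 1400),
]

if __name__ == "__main__":
    for flow in build_flows(SAMPLE):
        print(f"{flow.client} -> {flow.server}:{flow.server_port}/{flow.proto} "
              f"{flow.packets} pkts {flow.octets} B: {describe(flow)}")
    print("full capture:", retention_bytes(SAMPLE, True), "bytes")
    print("flow records:", retention_bytes(SAMPLE, False), "bytes")
```

The three retained records show the subscriber talked to a mail relay, a web server and a VPN endpoint, and when; none of them names a correspondent, which is the gap the article describes for web-based email and VPNs. The full-capture figure is what retaining the payload would cost for the same six packets.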

The technical inadequacy of this law is extreme, and is probably due to its rushed progress through the legislative system. The main driver for that rush appears to be a number of national governments that are keen to increase surveillance of their own citizens and want EU "backing" for such acts. Note that the Commission and Council are not elected bodies but are composed of the national governments and the professional civil service, and there is considerable tension between them and the elected Parliament. It is plausible that the Data Retention directive is only the first of several laws that will pass through this new "fast track" process.


The Foundation for a Free Information Infrastructure, a lobbying association, expects to see, early in 2006, a new attempt to "harmonise patent legislation", the so-called "Community Patent Directive", which would introduce software patents by the back door. Note that a previous attempt by the Commission and Council to impose software patents (the "Computer Implemented Inventions directive") was rejected by Parliament in June 2005.

Other commentators have noted that the EU produces vast numbers of directives, about ten per month, and most of them are transposed into national law only very slowly. Ireland and Germany have stated that they will take this directive to the European Court of Justice. That, however, will not prevent other countries from implementing it in a more or less severe form.

Italy has, in the last few months, been closing cybercafes that do not keep strict records of the identity of every user. It is such indicators that have convinced many privacy advocates that this law is not about terrorism at all, but about monitoring and controlling civil society.