Privacy and Security TidBits

Data Retention in the EU Five Years after the Directive

The European Commission is planning a review of the Data Retention Directive of 2006, which could include a harmonization and reduction of the periods when public authorities can access citizens’ private data held by telecommunication companies for security matters.

The directive allows for retention periods between 6 months and 24 months. Most member states have implementd the directive into their national law with retention periods varying from 6 months to 24 months.

Peter Hustinx, the European Data Protection Supervisor, declared recently that this directive is ” the most privacy invasive instrument ever adopted by the EU in terms of scale and the number of people it affects.”

Today was the last day of the sold out 27th Chaos Communication Congress (27C3), the annual four day conference organized by the Chaos Computer Club (CCC) in Berlin, Germany.

One of the many interesting lectures, titled: “Data Retention in the EU five years after the Directive: Why the time is now to get active” dealt with the many flaws inherent in the Data Retention Directive.

The panel consisted of Ralf Bendrath, Patrick Breyer, Katarzyna Szymielewicz, and axel.

The entire presentation was recorded and posted on YouTube, and I posted it below. It is certainly worth watching.

Ralf Bendrath explained how the directive turns the idea of a free society on its head.

In a free society, people may expect not to be constantly monitored and identified. With the directive, monitoring becomes the norm for everyone, and suddenly you have 500,000 million suspects in Europe. A study in Denmark calculated that every EU citizen is recorded in some manner 225 times a day, or on average every 6 minutes. Each time one makes or receives a phone call, each time one sends or receives an email, one is on record.

This constant monitoring affects several basic rights, like freedom of information, freedom of expression, freedom of assembly and freedom of organization. Some people may be hesitant to exercise those rights out of fear of being blacklisted by the government. This kills the idea of a free society.

Germany’s Federal Constitutional Court (Bundesverfassungsgericht) has recently overturned the German implementation of the Data Retention Directive and has declared it to be unconstitutional.

Romania’s Constitutional Court has declared the directive in breach of article 8 of the European Convention of Human Rights (ECHR).

There are constitutional cases regarding the directive pending in Hungary and Ireland.

The directive has also become a source of abuse:

In Germany, a TMobile employee sold a list of 17 million subscribers’ addresses on the black market. In Poland, four jounalists were being tracked in order to trace back their sources.

The panel ended with a call for a anti-data retention campaign in all 27 EU member states, before the announced review by the Commission. This will be the last opportunity to attack the core principles of the directive.

More than a hundred NGOs are petitioning against the directive. One of them is EDRI, the organization for European Digital Rights.