December 8, 2009


By Abu Bakar Munir

The European Union has established a comprehensive legislative privacy framework to protect individuals’ personal data. The regime applies to a wide range of data held by both public and private entities. Privacy is recognized as a fundamental human right by various legal instruments, including the Universal Declaration of Human Rights 1948 and the European Convention on Human Rights (ECHR) 1950. Based on the fundamental right of privacy guaranteed by article 8 of the ECHR, the EU Commission started working on data protection legislation in the late 1980s. In 1995, the EU enacted Directive 95/46/EC on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data (the Data Protection Directive, DPD). Various national and international normative instruments based on a set of conditions or principles were incorporated into the Directive.

The Directive comprises 34 articles, and its provisions cover data quality, special categories of processing, rights of data subjects, confidentiality, security, liability and sanctions, codes of conduct and supervisory authorities. Article 1 sets out the objective of the Directive, which is to protect the fundamental rights and freedoms of natural persons, in particular their right to privacy with respect to the processing of personal data. Article 32 requires all Member States to bring into force the laws, regulations and administrative provisions to enforce and comply with the Directive. All EU countries have adopted legislation for this purpose.

The European Union supplemented its 1995 DPD with the 1997 Telecommunications Privacy Directive (TPD). Article 5 of the TPD protects the confidentiality of communications and prohibits listening, tapping and storage of communications. It states that all Member States shall ensure, via national regulations, the confidentiality of communications made by means of a public telecommunications network and publicly available telecommunication services. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications. The TPD prescribes that all traffic data shall be erased or deleted once they are no longer needed for the purpose of the transmission of a communication. Such data may be retained further when necessary for billing purposes, but only up to the end of the period during which the bill may lawfully be challenged or payment pursued.

The events of September 11 changed the legal and political landscape not only in the U.S. but also in Europe and elsewhere. On September 20, the European Commission requested the Council of the European Union to submit proposals “for ensuring that the law enforcement authorities are able to investigate criminal acts involving the use of electronic communications systems and to take legal measures against the perpetrators”. At a specially called meeting of the EU’s Justice and Home Affairs, the Council adopted a series of ‘Conclusions’, which included requiring service providers to retain traffic data and giving law enforcement authorities access to it.

The 1997 TPD was later replaced by the 2002 Electronic Privacy Directive (EPD). Article 15 of the EPD provides that the Member States may adopt legislative measures to restrict such rights “when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard the national security, defense, public security, and prevention, investigation, detection and prosecution of criminal offences or of authorized use of electronic communication system”. This Directive explicitly allows EU countries to retain communications data. It must be noted that retention is only voluntary.

After the terrorist attacks of March in Madrid and July in London, the EU saw the need to create a framework for harmonizing the obligation to retain communications data. On March 15, 2006, the European Parliament and Council of the European Union passed the Data Retention Directive (DRD). The Directive directs the Member States to pass a law compelling each provider of telecommunications services to retain communications data (traffic and location data) for at least six and at most 24 months. Thus, data retention has moved from being voluntary to being mandatory.

The DRD requires telecoms and Internet providers to retain communications data and make them available to the authorities for the purposes of investigation, detection and prosecution of serious crimes. The DRD lists the types of data to be retained and specifies the retention period. The DRD faced protests from Members of the European Parliament (MEPs), resistance from industry players and criticism from the Data Protection Working Party and many other organizations. It was passed with 378 in favour, 197 against and 30 abstentions, a majority of 181. On the day the DRD was passed, the European Telco and ISP industry association issued a press release which states, “This Directive will impose a significant burden on the European e-communications industry, impacting on its competitiveness. Beyond their economic consequences, the far reaching data retentions may also undermine the Europeans’ confidence in the new technologies and thus slow further down the ICT take ups, putting at risk the Europe’s ICT sector competitiveness and hence the success of the Commission’s 2010 initiative.”

Meanwhile, the Data Protection Working Party states that the decision to retain communications data for the purpose of combating serious crimes is an unprecedented one with a historical dimension. Most importantly, the Working Party is of the view that this encroaches into the daily life of every citizen and may endanger the fundamental values and freedoms that all European citizens enjoy and cherish. More fundamentally, Privacy International argues that the indiscriminate collection of traffic data offends a core principle of the rule of law: that citizens should have notice of the circumstances in which the State may conduct surveillance, so that they can regulate their behavior to avoid unwanted intrusions. Moreover, the data retention requirement would be so extensive as to be out of all proportion to the law enforcement objectives served.

In the U.K., in the debate on the Data Retention (EC Directive) Regulations to implement the DRD, Lord West of Spithead (Parliamentary Under-Secretary (Security and Counter-terrorism)) acknowledged the benefits that law enforcement derives from retained communications data. He argued that the Directive as implemented in the U.K. has already saved many innocent lives. However, as the Earl of Northesk has argued, the problem lies in the fact that it applies to a “mandatory whole-of-population” scheme, namely, that detailed whole-of-life profiles of every single citizen of a member state are made available to their respective Governments.
