21st April 2007 37th CEPIS Spring Council - Prague

Presentation Title Here30pt Arial

Data retention

Draft statement for CEPIS By CEPIS LSI

24th November 2007 CEPIS Execom + Council

AGENDA

CEPIS LSIMotivation and Background:

Importance of the topicWhy a statement now?

The statementBackgroundIntroductionConcernsRecommendations

24th November 2007 CEPIS Execom + Council

CEPIS LSI

CEPIS Special Interest Network "Legal & Security Issues" Working field:

IT security aspects Legal issues (connected with IT security)

Goals: Rising IT security awareness Discussion of IT security issues (technical and non-technical viewpoint)

CEPIS Execom + Council

CEPIS LSI

Chair: Prof. Kai Rannenberg (GI, Germany) Secretary: Marko Hölbl (SSI, Slovenia) Members:

IT security experts Lawyers Other interested parties

24th November 2007 CEPIS Execom + Council

CEPIS LSI Development of statements:

Background and motivation Concerns Recommendations

Past and recently adopted statements: Governmental restrictions on encryption products put security at risk, 1996 E-commerce, 1999 Data retention has serious consequences, 2004 Authentication approaches for online banking, 2007

24th November 2007 CEPIS Execom + Council

CEPIS LSI

Statements in progress: Data Retention, 2008 Virtual World and social networking, 2008

MOTIVATION AND BACKGROUND – IMPORTANCE OF THE TOPIC

CEPIS has already taken position on the issue of data retention in its discussion paper dated 01.01.2004:

Some crucial issues needed to be taken into account when the EU regulated the issue of retention of traffic and location data

New issues have aroused since the adoption of the Directive

24th November 2007 CEPIS Execom + Council

MOTIVATION AND BACKGROUND – WHY THE STATEMENT NOW?

The final text of the data retention Directive wasadopted on the 15th of March 2006.

Article 14 of the Directive: “the Commission shall submit to the European

Parliament and the Council an evaluation of the application of this Directive and its impact on economic operators and consumers”

Deadline 15th September 2010

CEPIS Execom + Council

THE STATEMENT

Statement overview:1. Background2. Introduction3. Concerns4. Recommendations

24th November 2007 CEPIS Execom + Council

INTRODUCTION

24th November 2007 CEPIS Execom + Council

Several concerns regarding the Directive:1. Definition of serious crime2. Definition of “providers of publicly available

electronic communications services or of public communications networks”

3. Categories of data to be retained

CONCERNS

24th November 2007 CEPIS Execom + Council

CEPIS LSI SIN concerns:1. The time period of the retention of the data2. The way data has to be stored and secured3. Concerns regarding mutual cooperation between

service providers and the authorities4. Issue of reimbursement of the costs incurred by

the providers5. Different deadlines for implementation

RECOMMENDATIONS

24th November 2007 CEPIS Execom + Council

1. Definition of “serious crime” missing 2. Definition what data has to be retained missing3. Caution about how much communication content can

be revealed by traffic and location data4. Consideration of adopting a shorter retention period

than 2 years5. Secure data storage and data transfer6. Support of the ETSI initiative to standardise the

handover interface7. Reimbursement of the costs to the providers (by EU

Member States)8. The European Commission is urged to complete a

timely evaluation of the Directive