Mandatory Retention of Traffic Data: What is next? Prof. Dr. Henrik W.K.Kaspersen Computer/Law...
-
date post
19-Dec-2015 -
Category
Documents
-
view
213 -
download
0
Transcript of Mandatory Retention of Traffic Data: What is next? Prof. Dr. Henrik W.K.Kaspersen Computer/Law...
Mandatory Retention of Traffic Data: What is next?
Prof. Dr. Henrik W.K.KaspersenComputer/Law Institute
Vrije Universiteit Amsterdam- The Netherlands
IFIP SEC 2006 Karlstad May 24, 2006
The program
Historical background of data retention law
Actions within the European Union, influence of European Bodies
Emergence, content, implementation of Directive 2006/24/EC
Evaluation
IFIP SEC 2006 Karlstad May 24, 2006
Disclaimer Avoiding details Personal view Not all questions may or can yet be
answered
IFIP SEC 2006 Karlstad May 24, 2006
Historical background (I) Terrorist attacks Anti terrorist law
Council of Europe: Warshaw Convention 2005 European Union instruments
Proposal to sign CoE Warshaw Convention 2005 Critical infrastructure 2004/2005 Exchange of information 2004 Adoption Schengen System 2002 Financing Europol 2002 Framework decision on combating terrorism 2001
IFIP SEC 2006 Karlstad May 24, 2006
Historical background (II): availability of traffic data Traffic data is indispensable means Cyber Cime Convention
Debate 1999-2000 Aspects concerning feasability retention:
Different situation EU-other Parties Stronger need in Europe? (Directive 1998/66/EC)
Privacy concerns, proportionality Disproportional Burden for industry Societal costs Industry should not take over tasks of LEA
IFIP SEC 2006 Karlstad May 24, 2006
Historical background (III) Compromise in the Cybercrime
Convention Art. 20: real time collection of traffic data
(Telephony and internet), public/non-public- for the future
Art. 18: production order: traffic data as is; production order: subscriber data
Art. 16: freezing of vulnarable data
IFIP SEC 2006 Karlstad May 24, 2006
EU-initiatives (I)
Isolated drafts/initiatives within third pillar.
Communication of Joint Data Registrars in September 2002: mandatory retention in principle should be rejected.
IFIP SEC 2006 Karlstad May 24, 2006
EU-initiatives (II) After Madrid 2004: European Council
stresses the need for retention, priority for third pillar
April 2004: Joint proposal by France, UK, Sweden, Ireland
Elaboration of several drafts: high level of disagreement, not on the principle but on the details
IFIP SEC 2006 Karlstad May 24, 2006
EU-initiatives (III) Intervention (questions) of the European
Parliament Framework decision formally rejected in
September 2005 First pillar and third pillar
Initiative Directive by the European Commission in May 2005
Proposal for a Directive October 21, 2005 Involvement of the European Parliament The ‘royal way’: amend 2002/58/EC
IFIP SEC 2006 Karlstad May 24, 2006
EU-initiatives (IV) Influence of art. 29 Group (Advice 1868/04/EN
WP 113): very critical but accepting “without precedent” “Intervention of the Commission will lead to shorter
terms of preservation” Terms of preservation should be maximum terms Access conditions? Serious Crime? Periodical assessment Precise definition of traffic data Separation from content Data mining not allowed Data security
IFIP SEC 2006 Karlstad May 24, 2006
EU-initiatives (V)
Position of e-Communications Industry
Mainly opposition from Euroispa and individual providers
Research reports on the feasability and efficacy of retention of internet traffic data
Rejection of administrative and financial burden
IFIP SEC 2006 Karlstad May 24, 2006
EU-initiatives (VII) Euroispa (consultation document and Position
September 2005) Recognition of responsibility of industry: offering
technological advice about ever-changing technology No evidence provided for the necessity of the
measure Costs reduce speed of development and undermine
competiviness of European industry Doubt about feasability and effectiviness Regulation is disproportionally burdensome and
difficult to comply with Financial compensation?
IFIP SEC 2006 Karlstad May 24, 2006
The Emergence of Directive 2006/24/EC Key dates
Adoption by the Council: 21 February 2006 Agreement with European Parliament: 15
March 2006 Publication: OJ April 13 , 2006 In force: May 3, 2006 Ultimate date of implementation September
15, 2007, or March 15, 2009
IFIP SEC 2006 Karlstad May 24, 2006
Overview of Directive 2006/24/EC Scope Obligation to retain:
What? How? How long? How secure?
Use Enforcement of Directive
IFIP SEC 2006 Karlstad May 24, 2006
Directive 2006/24/EC: Scope Includes traffic data and subscriber/user
data (art. 5) Also cell-identification of cell phone,
voicemail, conferencing, call forwarding etc SMS, enhanced (multi)media services Unanswered calls
Public e-communication services
IFIP SEC 2006 Karlstad May 24, 2006
Directive 2006/24/EC: what? Art. 3: Obligation of providers to retain
traffic data, in derogation of art. 5,6,9 Directive 2002/58/EC
Art. 5: Categories of data to be retained Functional description with regard to type of
e-communication ID of source ID of destination
….followed by specification Specification of data necessary to identify
IFIP SEC 2006 Karlstad May 24, 2006
Directive 2006/24/EC: how? Period of retention: 6 month up to 2
years, except particular circumstances of art. 12
No specification, except art. 7 security principles
No structure and principles of retrieval, except art. 8 ‘without undue delay’
IFIP SEC 2006 Karlstad May 24, 2006
Directive 2006/24/EC: use Use: domestic law Purpose of retention:
Recital 9: in particular organised crime and terrorism on behalf of law enforcement
Recital 7: reference to JHA: prevention, investigation, detection and prosecution of criminal offences
Previously: serious crime (to be defined by domestic law)
IFIP SEC 2006 Karlstad May 24, 2006
Directive 2006/24/EC: other Art. 10: Yearly provision of statistics to EC
Number of cases Time gap Cases where no data was available
Art. 12: particular circumstances: market view, further art. 15 of 2002/58/EC?
Evaluation 15 September 2010 by the European Commission
IFIP SEC 2006 Karlstad May 24, 2006
Implementation of the Directive Adoption Council: Februari 21, 2006 Agreement with EP, March 15, 2006 Publication OJ: April 13, 2006 In force: May 3, 2006 Ultimate date of implementation:
September 15, 2007 or March 115, 2009
IFIP SEC 2006 Karlstad May 24, 2006
International Co-operation Dissemination to other States
EU Member States EU Members of Council of Europe Other States
Treaty based In absence of treaties
US?
IFIP SEC 2006 Karlstad May 24, 2006
Evaluation Directive
Form Reach Relation with 2002/58/EC
Regulated Limitative specification of data Periodical assessment
Limitations, meaning, follow-up Not regulated
Access, technical organisation, costs Impact What is next?
IFIP SEC 2006 Karlstad May 24, 2006
In conclusion
Data retention: a dramatic step that opens the door for other measuresdirect threat for fundamental rightsnecessity is not and cannot be not demonstratedmeasure hard to challenge regulation is only partial