Mandatory Retention of Traffic Data: What is next? Prof. Dr. Henrik W.K.Kaspersen Computer/Law Institute Vrije Universiteit Amsterdam- The Netherlands
Date posted: 19-Dec-2015

Mandatory Retention of Traffic Data: What is next?

Prof. Dr. Henrik W.K. Kaspersen

Computer/Law Institute

Vrije Universiteit Amsterdam- The Netherlands

IFIP SEC 2006 Karlstad May 24, 2006

The program

Historical background of data retention law

Actions within the European Union, influence of European Bodies

Emergence, content, implementation of Directive 2006/24/EC

Evaluation

Disclaimer

Avoiding details

Personal view

Not all questions may or can yet be answered

Historical background (I)

Terrorist attacks

Anti-terrorist law

Council of Europe: Warsaw Convention 2005

European Union instruments

Proposal to sign CoE Warsaw Convention 2005

Critical infrastructure 2004/2005

Exchange of information 2004

Adoption Schengen System 2002

Financing Europol 2002

Framework decision on combating terrorism 2001

Historical background (II): availability of traffic data

Traffic data is an indispensable means

Cybercrime Convention

Debate 1999-2000

Aspects concerning feasibility of retention:

Different situation EU-other Parties

Stronger need in Europe? (Directive 1998/66/EC)

Privacy concerns, proportionality

Disproportional burden for industry

Societal costs

Industry should not take over tasks of LEA

Historical background (III)

Compromise in the Cybercrime Convention

Art. 20: real-time collection of traffic data (telephony and internet), public/non-public, for the future

Art. 18: production order: traffic data as is; production order: subscriber data

Art. 16: freezing of vulnerable data

EU-initiatives (I)

Isolated drafts/initiatives within third pillar.

Communication of Joint Data Registrars in September 2002: mandatory retention in principle should be rejected.

EU-initiatives (II)

After Madrid 2004: European Council stresses the need for retention, priority for third pillar

April 2004: Joint proposal by France, UK, Sweden, Ireland

Elaboration of several drafts: high level of disagreement, not on the principle but on the details

EU-initiatives (III)

Intervention (questions) of the European Parliament

Framework decision formally rejected in September 2005

First pillar and third pillar

Initiative Directive by the European Commission in May 2005

Proposal for a Directive October 21, 2005

Involvement of the European Parliament

The ‘royal way’: amend 2002/58/EC

EU-initiatives (IV)

Influence of art. 29 Group (Advice 1868/04/EN WP 113): very critical but accepting

“without precedent”

“Intervention of the Commission will lead to shorter terms of preservation”

Terms of preservation should be maximum terms

Access conditions? Serious Crime?

Periodical assessment

Precise definition of traffic data

Separation from content

Data mining not allowed

Data security

EU-initiatives (V)

Position of e-Communications Industry

Mainly opposition from Euroispa and individual providers

Research reports on the feasibility and efficacy of retention of internet traffic data

Rejection of administrative and financial burden

EU-initiatives (VII)

Euroispa (consultation document and Position September 2005)

Recognition of responsibility of industry: offering technological advice about ever-changing technology

No evidence provided for the necessity of the measure

Costs reduce speed of development and undermine competitiveness of European industry

Doubt about feasibility and effectiveness

Regulation is disproportionally burdensome and difficult to comply with

Financial compensation?

The Emergence of Directive 2006/24/EC

Key dates

Adoption by the Council: 21 February 2006

Agreement with European Parliament: 15 March 2006

Publication: OJ April 13, 2006

In force: May 3, 2006

Ultimate date of implementation: September 15, 2007, or March 15, 2009

Overview of Directive 2006/24/EC

Scope

Obligation to retain:

What? How? How long? How secure?

Use

Enforcement of Directive

Directive 2006/24/EC: Scope

Includes traffic data and subscriber/user data (art. 5)

Also cell-identification of cell phone, voicemail, conferencing, call forwarding etc.

SMS, enhanced (multi)media services

Unanswered calls

Public e-communication services

Directive 2006/24/EC: what?

Art. 3: Obligation of providers to retain traffic data, in derogation of art. 5, 6, 9 Directive 2002/58/EC

Art. 5: Categories of data to be retained

Functional description with regard to type of e-communication

ID of source

ID of destination

… followed by specification

Specification of data necessary to identify

Directive 2006/24/EC: how?

Period of retention: 6 months up to 2 years, except particular circumstances of art. 12

No specification, except art. 7 security principles

No structure and principles of retrieval, except art. 8 ‘without undue delay’

Directive 2006/24/EC: use

Use: domestic law

Purpose of retention:

Recital 9: in particular organised crime and terrorism on behalf of law enforcement

Recital 7: reference to JHA: prevention, investigation, detection and prosecution of criminal offences

Previously: serious crime (to be defined by domestic law)

Directive 2006/24/EC: other

Art. 10: Yearly provision of statistics to EC

Number of cases

Time gap

Cases where no data was available

Art. 12: particular circumstances: market view, further art. 15 of 2002/58/EC?

Evaluation 15 September 2010 by the European Commission

Implementation of the Directive

Adoption Council: February 21, 2006

Agreement with EP: March 15, 2006

Publication OJ: April 13, 2006

In force: May 3, 2006

Ultimate date of implementation: September 15, 2007 or March 15, 2009

International Co-operation

Dissemination to other States

EU Member States EU Members of Council of Europe Other States

Treaty based In absence of treaties

US?

Evaluation Directive

Form

Reach

Relation with 2002/58/EC

Regulated

Limitative specification of data

Periodical assessment

Limitations, meaning, follow-up

Not regulated

Access, technical organisation, costs

Impact

What is next?

In conclusion

Data retention:

a dramatic step that opens the door for other measures

direct threat to fundamental rights

necessity is not and cannot be demonstrated

measure hard to challenge

regulation is only partial