Mandatory Retention of Traffic Data What is next?
Download
Report
Transcript Mandatory Retention of Traffic Data What is next?
Mandatory Retention of Traffic
Data: What is next?
Prof. Dr.
Henrik W.K.Kaspersen
Computer/Law Institute
Vrije Universiteit Amsterdam- The Netherlands
The program
Historical background of data retention
law
Actions within the European Union,
influence of European Bodies
Emergence, content, implementation of
Directive 2006/24/EC
Evaluation
IFIP SEC 2006 Karlstad
May 24, 2006
Disclaimer
Avoiding details
Personal view
Not all questions may or can yet be answered
IFIP SEC 2006 Karlstad
May 24, 2006
Historical background (I)
Terrorist attacks
Anti terrorist law
Council of Europe: Warshaw Convention 2005
European Union instruments
Proposal to sign CoE Warshaw Convention 2005
Critical infrastructure 2004/2005
Exchange of information 2004
Adoption Schengen System 2002
Financing Europol 2002
Framework decision on combating terrorism 2001
IFIP SEC 2006 Karlstad
May 24, 2006
Historical background (II):
availability of traffic data
Traffic data is indispensable means
Cyber Cime Convention
Debate 1999-2000
Aspects concerning feasability retention:
Different situation EU-other Parties
Stronger need in Europe? (Directive 1998/66/EC)
Privacy concerns, proportionality
Disproportional Burden for industry
Societal costs
Industry should not take over tasks of LEA
IFIP SEC 2006 Karlstad
May 24, 2006
Historical background (III)
Compromise in the Cybercrime Convention
Art. 20: real time collection of traffic data
(Telephony and internet), public/non-public- for
the future
Art. 18: production order: traffic data as is;
production order: subscriber data
Art. 16: freezing of vulnarable data
IFIP SEC 2006 Karlstad
May 24, 2006
EU-initiatives (I)
Isolated drafts/initiatives within third
pillar.
Communication of Joint Data Registrars
in September 2002: mandatory
retention in principle should be
rejected.
IFIP SEC 2006 Karlstad
May 24, 2006
EU-initiatives (II)
After Madrid 2004: European Council stresses
the need for retention, priority for third pillar
April 2004: Joint proposal by France, UK,
Sweden, Ireland
Elaboration of several drafts: high level of
disagreement, not on the principle but on the
details
IFIP SEC 2006 Karlstad
May 24, 2006
EU-initiatives (III)
Intervention (questions) of the European
Parliament
Framework decision formally rejected in
September 2005
First pillar and third pillar
Initiative Directive by the European Commission in
May 2005
Proposal for a Directive October 21, 2005
Involvement of the European Parliament
The ‘royal way’: amend 2002/58/EC
IFIP SEC 2006 Karlstad
May 24, 2006
EU-initiatives (IV)
Influence of art. 29 Group (Advice 1868/04/EN WP
113): very critical but accepting
“without precedent”
“Intervention of the Commission will lead to shorter terms of
preservation”
Terms of preservation should be maximum terms
Access conditions?
Serious Crime?
Periodical assessment
Precise definition of traffic data
Separation from content
Data mining not allowed
Data security
IFIP SEC 2006 Karlstad
May 24, 2006
EU-initiatives (V)
Position of e-Communications Industry
Mainly opposition from Euroispa and
individual providers
Research reports on the feasability and
efficacy of retention of internet traffic data
Rejection of administrative and financial
burden
IFIP SEC 2006 Karlstad
May 24, 2006
EU-initiatives (VII)
Euroispa (consultation document and Position
September 2005)
Recognition of responsibility of industry: offering
technological advice about ever-changing technology
No evidence provided for the necessity of the measure
Costs reduce speed of development and undermine
competiviness of European industry
Doubt about feasability and effectiviness
Regulation is disproportionally burdensome and difficult to
comply with
Financial compensation?
IFIP SEC 2006 Karlstad
May 24, 2006
The Emergence of Directive
2006/24/EC
Key dates
Adoption by the Council: 21 February 2006
Agreement with European Parliament: 15 March
2006
Publication: OJ April 13 , 2006
In force: May 3, 2006
Ultimate date of implementation September 15,
2007, or March 15, 2009
IFIP SEC 2006 Karlstad
May 24, 2006
Overview of Directive 2006/24/EC
Scope
Obligation to retain:
What?
How?
How long?
How secure?
Use
Enforcement of Directive
IFIP SEC 2006 Karlstad
May 24, 2006
Directive 2006/24/EC: Scope
Includes traffic data and subscriber/user data
(art. 5)
Also cell-identification of cell phone, voicemail,
conferencing, call forwarding etc
SMS, enhanced (multi)media services
Unanswered calls
Public e-communication services
IFIP SEC 2006 Karlstad
May 24, 2006
Directive 2006/24/EC: what?
Art. 3: Obligation of providers to retain
traffic data, in derogation of art. 5,6,9
Directive 2002/58/EC
Art. 5: Categories of data to be retained
Functional description with regard to type of ecommunication
ID of source
ID of destination
….followed by specification
Specification of data necessary to identify
IFIP SEC 2006 Karlstad
May 24, 2006
Directive 2006/24/EC: how?
Period of retention: 6 month up to 2 years,
except particular circumstances of art. 12
No specification, except art. 7 security
principles
No structure and principles of retrieval,
except art. 8 ‘without undue delay’
IFIP SEC 2006 Karlstad
May 24, 2006
Directive 2006/24/EC: use
Use: domestic law
Purpose of retention:
Recital 9: in particular organised crime and
terrorism on behalf of law enforcement
Recital 7: reference to JHA: prevention,
investigation, detection and prosecution of
criminal offences
Previously: serious crime (to be defined by
domestic law)
IFIP SEC 2006 Karlstad
May 24, 2006
Directive 2006/24/EC: other
Art. 10: Yearly provision of statistics to EC
Number of cases
Time gap
Cases where no data was available
Art. 12: particular circumstances: market
view, further art. 15 of 2002/58/EC?
Evaluation 15 September 2010 by the
European Commission
IFIP SEC 2006 Karlstad
May 24, 2006
Implementation of the Directive
Adoption Council: Februari 21, 2006
Agreement with EP, March 15, 2006
Publication OJ: April 13, 2006
In force: May 3, 2006
Ultimate date of implementation: September
15, 2007 or March 115, 2009
IFIP SEC 2006 Karlstad
May 24, 2006
International Co-operation
Dissemination to other States
EU Member States
EU Members of Council of Europe
Other States
Treaty based
In absence of treaties
US?
IFIP SEC 2006 Karlstad
May 24, 2006
Evaluation
Directive
Form
Reach
Relation with 2002/58/EC
Regulated
Limitative specification of data
Periodical assessment
Not regulated
Limitations, meaning, follow-up
Access, technical organisation, costs
Impact
What is next?
IFIP SEC 2006 Karlstad
May 24, 2006
In conclusion
Data retention:
a dramatic step that opens the door for other
measures
direct threat for fundamental rights
necessity is not and cannot be not demonstrated
measure hard to challenge
regulation is only partial
IFIP SEC 2006 Karlstad
May 24, 2006