Lessons learned from Europe's data retention laws

Powered by SC Magazine
 

Blocked in Sweden, repealed in Germany.

Comment: Australia's Attorney General's Department might want to find a more successful international precedent than Europe's to justify introducing data retention laws for telcos and ISPs.

Late Friday, ZDNet reported that the Attorney General's department had cited the European Directive on Data Retention "to consider whether such a regime is appropriate within Australia's law enforcement and security context."

The proposal, which would see carriers and ISPs asked to store the browsing and calling logs of Australian subscribers for three months at a time, has been the talking point of the long weekend.

While law enforcement and government believe the framework may bring a new era of responsibility to the internet, others fear it could become an Orwellian tool for a 'big brother' state.

But if Australia did copy Europe's model to the letter, what would Australians face?

The EU example

The EU Directive aims to enable law enforcement authorities to ascertain the identity of a person using a public network to communicate by mobile, fixed line, email, or internet telephony.

The directive defines "data" to be collected as "traffic data and location data and the related data necessary to identify the subscriber or user".

Everything a customer would see on a typical phone bill - numbers called, time and duration of call, customer name - would have to be recorded and stored for between six months and two years and made available to law enforcement in "serious crime" investigations.

In the case of a mobile user, a record would be kept of where a call was made from and to whom it was intended to reach.

The directive extends data collection to internet communication, such as email and internet telephony, which in effect would enable the creation of a superficial image of an email account's inbox and sent folder (excluding contents).

In the case of internet telephony, a log is required to be kept of who was called, when, from where and for how long. But again, not the content of the call.

The directive also obliges carriers to retain the IP address, dynamic or static, and its allocation to a user account. Carriers would also be required to record user sessions, such as a record of when an account is logged-in and logged-out.   

In short, any data, except the content of a communication, would be required to be collected if it could help authorities identify individuals behind a thread of communications that was deemed worthy of investigation.

Checks, balances, limitations

For access to be granted to stored data under the EU directive, a request must meet requirements under Section 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms.

"Interference by public authorities with privacy rights must meet the requirements of necessity and proportionality and must therefore serve specified, explicit and legitimate purposes and be exercised in a manner that is adequate, relevant and not excessive in relation to the purpose of the interference," Section 8 states.

The EU directive allows only "competent authorities" to access data under national laws and also sets out clear boundaries on what and from which sources data can be collected.

"In particular, as regards the retention of data relating to Internet e-mail and Internet telephony, the obligation to retain data may apply only in respect of data from the providers' or the network providers' own services," the directive states. It would also be data "generated or processed in the process of supplying their communications services." 

In other words, the EU directive stakes claim to information generated in the process of facilitating a call, text, email or other internet-based communication, but not information that has been generated on the end-user's device. 

It also explicitly excludes search queries, page requests and the content of communications. "It shall not apply to the content of electronic communications, including information consulted using an electronic communications network."

Resistance and rejection

Despite these measures to ensure privacy is maintained, the directive has met resistance in Europe with just 17 of the 31 countries that should have implemented the directive having done so.

Those that have implemented it agreed to do so partially by 2007, but all were supposed to have implemented it in full by March 2009. 

Shortly after the early 2009 deadline, the EU was reported by Swedish national newspaper Svenska Dagbladet to have threatened Sweden with legal action for failing to implement the directive.

The directive, supported by the incumbent Social Democrat government in 2006, was unpopular with Sweden's new moderate government, which came to power in October that year.

More recently, in March this year, Germany's 2007 implementation of the directive was repealed after it was successfully challenged in the Federal Constitutional Court as unconstitutional. German carriers were asked to delete data they had collected as the nation now determines how to re-implement the law with amendments.

Germany's Arbeitskreis Vorratsdatenspeicherung (Working group on data retention) had argued that wholesale data collection infringed on the "secrecy of telecommunications and the right to informational self-determination", and that data could be used to create personality profiles and track people's movements.

The court found that Germany's implementation failed to limit the "purposes of use of the data" and lacked transparency. Its statement noted that the storage required under its law "constitutes a particularly serious encroachment with an effect broader than anything in the legal system to date".

But it was not the collection of each piece of data that so concerned the court; rather, it was how the pieces together could be used by law enforcement.

"Even though the storage does not extend to the contents of the communications, these data may be used to draw content-related conclusions that extend into the users' private sphere."

The observation over time of recipient data, dates, times and the place of phone conversations, it continued, "permit detailed information to be obtained on social or political affiliations and on personal preferences, inclinations and weaknesses."

"It also increases the risk of citizens to be exposed to further investigations without themselves having given occasion for this."

The data retention divide

  • Implemented (in part or fully): UK, France, Finland, Denmark, Bulgaria, Cyprus, Czech Republic, Estonia, Hungary, Latvia, Lithuania, Italy, Malta, Netherlands, Liechtenstein (non-EU), Poland, Portugal, Romania, Slovenia, Slovakia, Spain, Switzerland (non-EU)
  • Not yet or no: Ireland, Germany, Sweden, Austria, Belgium, Greece, Ireland, Luxembourg, Norway (non-EU)

    source: (the German data retention working group)

 What do you think? Is Australia looking to improve on an already unpopular law?

