Lessons learned from Europe's data retention laws

Comment: Australia's Attorney General's Department might want to find a more successful international precedent to justify an introduction of data retention laws for telcos and ISPs than in Europe.

Late Friday, ZDNet reported that the Attorney General's department had cited the European Directive on Data Retention "to consider whether such a regime is appropriate within Australia's law enforcement and security context."

The proposal - which would see carriers and ISPs asked to store the browsing and calling logs of Australian subscribers for three months at a time, has been the talking point of the long weekend.

While law enforcement and government  believe the framework may bring a new era of responsibility to the internet, others fear it could become an Orwellian tool for a 'big brother' state. 

But if Australia did copy Europe's model to the letter, what would Australians face?

The EU example

The EU Directive aims to enable law enforcement authroities to ascertain the identity of a person using a public network to communicate by mobile, fixed line, email, or internet telephony.

The directive defines "data" to be collected as "traffic data and location data and the related data necessary to identify the subscriber or user".

Everything a customer would see on a typical phone bill - numbers called, time and duration of call, customer name - would have to be recorded and stored for between six months and two years and made available to law enforcement in "serious crime" investigations.

In the case of a mobile user, a record would be kept of where a call was made from and to whom it was intended to reach.

The directive extends data collection to internet communication, such as email and internet telephony, which in effect would enable the creation of a superficial image of an email account's inbox and sent folder (excluding contents).

In the case of internet telephony, a log is required to be kept of who was called, when, from where and for how long. But again, not the content of the call.

The directive also obliges carriers to retain the IP address, dynamic or static, and its allocation to a user account. Carriers would also be required to record user sessions, such as a record of when an account is logged-in and logged-out.   

In short, any data, except the content of a communication, would be required to be collected if it could help authorities identify individuals behind a thread of communications that was deemed worthy of investigation.

Checks, balances, limitations

For access to be granted to stored data under the EU directive, a request must meet requirements under Section 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms.

"Interference by public authorities with privacy rights must meet the requirements of necessity and proportionality and must therefore serve specified, explicit and legitimate purposes and be exercised in a manner that is adequate, relevant and not excessive in relation to the purpose of the interference," Section 8 states.

The EU directive allows only "competent authorities" to access data under national laws and also sets out clear boundaries on what and from which sources data can be collected.

"In particular, as regards the retention of data relating to Internet e-mail and Internet telephony, the obligation to retain data may apply only in respect of data from the providers' or the network providers' own services," the directive states. It would also be data "generated or processed in the process of supplying their communications services." 

In other words, the EU directive stakes claim to information generated in the process of facilitating a call, text, email or other internet-based communication, but not information that has been generated on the end-user's device. 

It also explicitly excludes search queries, page requests and the content of communications. "It shall not apply to the content of electronic communications, including information consulted using an electronic communications network."

Resistance and rejection

Despite these measures to ensure privacy is maintained, the directive has met resistance in Europe with just 17 of the 31 countries that should have implemented the directive having done so.

Those that have implemented it agreed to do so partially by 2007, but all were supposed to have implemented it in full by March 2009. 

Shortly after the early 2009 deadline, the EU was reported by Swedish national newspaper Svenska Dagbladet to have threatened Sweden with legal action for failing to implement thr directive. 

The directive, supported by the incumbent Social Democrat government in 2006, was unpopular with its new moderate government which came to power in October that year.

More recently, in March this year, Germany's 2007 implementation of the directive was repealed after it was successfully challenged in the Federal Constitutional Court as as unconstitutional. German carriers were asked to delete data they had collected as the nation now determines how to re-implement the law with amendments. 

Germanys's Arbeitskreis Vorratsdatenspeicherung (Working group on data retention) had argued that wholesale data collection infringed on the "secrecy of telecommunications and the right to informational self-determination", and that data could be used to create personality profiles and track people's movements.  

The court found that Germany's implementation failed to limit the "purposes of use of the data" and lacked transparency. Its statement noted that the storage required under its law "constitutes a particularly serious encroachment with an effect broader that anything in the legal system to date".

But it was not the collection of each piece of data that so concerned it; rather how each piece together could be used by law enforcement. 

"Even though the storage does not extend to the contents of the communications, these data may be used to draw content-related conclusions that extend into the users' private sphere."

The observation over time of recipient data, dates, times and the place of phone conversations, it continued, "permit detailed information to be obtained on social or political affiliations and on personal preferences, inclinations and weaknesses."

"It also increases the risk of citizens to be exposed to further investigations without themselves having given occasion for this."

The data retention divide

• Implemented (in part or fully): UK, France, Finland, Denmark, Bulgaria, Cyprus, Czech Republic, Estonia, Hungary, Latvia, Lithuania, Italy, Malta, Netherlands, Liechtenstein (non-EU), Poland, Portugal, Romania, Slovenia, Slovakia, Spain, Switzerland (non-EU)

• Not yet or no: Ireland, Germany, Sweden, Austria, Belgium, Greece, Ireland, Luxemburg, Norway (non-EU)
  
  source:  (the German data retention working group

 What do you think? Is Australia looking to improve on an already unpopular law?