EU finds privacy flaws in data retention regime

Powered by SC Magazine
 

Data used for more than serious crime.

The European Commission will consider creating a data retention hierarchy, after finding that the 2005 EU data retention directive lacked privacy protections and often went beyond its intent.

In a report (pdf) released Monday, the Commission revealed that eight of the 19 member nations implementing the directive went beyond its intent of providing data to combat "serious" crime.

Belgium, Denmark, France, Italy, Latvia, Poland, Slovakia, Slovenia permitted the use of retained data to investigate all criminal offences, while the UK failed to define what "serious crime" was. 

The Commission found there to have been at least 2.9 million access requests from 2008 to 2009 -- equal to two requests for every European police officer a year, or about 11 requests for every 100 recorded crimes.

It said it would consider creating a retention hierarchy based on different data types or categories of serious crime, to ensure data is only accessed for serious criminal offences.

The commission's announcement followed European data protection supervisor Peter Hustinx's call late last year for use of the directive to be reined in by regulating how member states used the data for law enforcement.

EU commissioner for home affairs Cecilia Malmström noted that the directive was introduced in the aftermath of the Madrid and London bombings -- when Europe was on high alert.

"There was enourmous pressure on governments to ensure that the police and prosecutor had all the tools necessary for tracking terrorism and other security threats," she said at Monday's release of the report.

“In short, the report shows that data retention proved useful in criminal investigations, but there is need for improvement as regards the design of the directive so that there is a better response to the privacy and security of our citizens."

The report also highlighted a lack of harmony between implementations which has posed a challenge for companies that process or store data across national borders. 

Meanwhile, although 25 nations had been required to transpose the directive before 15 September 2007, five nations did not have the directive transposed onto their legal systems.

Romania, Germany and the Czech Republic have repealed their retention laws, while Sweden and Austria have yet to graft it to theirs.

Germany’s constitutional challenge resulted in a 6 month cap on retention and a ruling that data could only be accessed where there was already a suspicion of serious criminal offence. 

The data retention directive was introduced in 2005, came into effect in 2006, and was thought to support the 2004 Council of Europe Convention on Cybercrime to which Australia planned to accede.

Copyright © iTnews.com.au . All rights reserved.


EU finds privacy flaws in data retention regime
 
 
 
Top Stories
Matching databases to Linux distros
Reviewed: OS-repository DBMSs, MariaDB vs MySQL.
 
Coalition's NBN cost-benefit study finds in favour of MTM
FTTP costs too much, would take too long.
 
Who'd have picked a BlackBerry for the Internet of Things?
[Blog] BlackBerry has a more secure future in the physical world.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Which is the most prevalent cyber attack method your organisation faces?




   |   View results
Phishing and social engineering
  70%
 
Advanced persistent threats
  3%
 
Unpatched or unsupported software vulnerabilities
  11%
 
Denial of service attacks
  6%
 
Insider threats
  10%
TOTAL VOTES: 745

Vote