EU finds privacy flaws in data retention regime

The European Commission will consider creating a data retention hierarchy, after finding that the 2005 EU data retention directive lacked privacy protections and often went beyond its intent.

In a report (pdf) released Monday, the Commission revealed that eight of the 19 member nations implementing the directive went beyond its intent of providing data to combat "serious" crime.

Belgium, Denmark, France, Italy, Latvia, Poland, Slovakia, Slovenia permitted the use of retained data to investigate all criminal offences, while the UK failed to define what "serious crime" was. 

The Commission found there to have been at least 2.9 million access requests from 2008 to 2009 -- equal to two requests for every European police officer a year, or about 11 requests for every 100 recorded crimes.

It said it would consider creating a retention hierarchy based on different data types or categories of serious crime, to ensure data is only accessed for serious criminal offences.

The commission's announcement followed European data protection supervisor Peter Hustinx's call late last year for use of the directive to be reined in by regulating how member states used the data for law enforcement.

EU commissioner for home affairs Cecilia Malmström noted that the directive was introduced in the aftermath of the Madrid and London bombings -- when Europe was on high alert.

"There was enourmous pressure on governments to ensure that the police and prosecutor had all the tools necessary for tracking terrorism and other security threats," she said at Monday's release of the report.

“In short, the report shows that data retention proved useful in criminal investigations, but there is need for improvement as regards the design of the directive so that there is a better response to the privacy and security of our citizens."

The report also highlighted a lack of harmony between implementations which has posed a challenge for companies that process or store data across national borders. 

Meanwhile, although 25 nations had been required to transpose the directive before 15 September 2007, five nations did not have the directive transposed onto their legal systems.

Romania, Germany and the Czech Republic have repealed their retention laws, while Sweden and Austria have yet to graft it to theirs.

Germany’s constitutional challenge resulted in a 6 month cap on retention and a ruling that data could only be accessed where there was already a suspicion of serious criminal offence. 

The data retention directive was introduced in 2005, came into effect in 2006, and was thought to support the 2004 Council of Europe Convention on Cybercrime to which Australia planned to accede.