The European Union has passed a contentious data-retention directive that requires all telephone and Internet traffic to be logged and stored for between six months and two years in order to help combat organized crime and terrorism.
The EU Parliament adopted the directive—originally put forward by England in June after the London terrorist bombings—last week, in a 378 to 197 vote.
The actual content of communications does not need to be tracked, but data that would allow law enforcement officials to find its senders does.
Data to be retained include both incoming and outgoing phone numbers, how long calls last, and the location of calls, for both successful calls and those that get dropped. Also covered are IP addresses for SMS and Internet activity, as well as login and logoff times.
Tracking dropped calls has been particularly controversial, since service providers dont currently register lost calls for billing purposes. In fact, the technology to track lost calls requires new, expensive technologies.
However, Spanish representatives strongly support tracking lost calls, since successful prosecution of those involved in the terrorist attacks in Madrid hinged on the investigation of specific lost calls from cell phones, according to a statement released by the EU Parliament.
Putting the plan into effect will entail additional, major costs, estimated at almost 200 million euros per company per year. Indeed, the question of who will foot this big bill has been a bone of contention in drafting the plan.
Thierry Dieu, spokesman for the European Telecommunications Networks Operators Association, was quoted in news reports as saying that the measure would require “a lot of investment for the industry to make,” while failing to cover most communications.
“There will be a significant burden on the European telecom industry, while only a fraction of the e-mail will be covered because most of the e-mail providers are based outside of the EU,” he was quoted as saying.
The bill is expected to go into effect next year, although it may well face legal challenges on the basis of whether it is compatible with the constitution.
The original draft of the plan had stipulated that Member States reimburse telecom companies for costs of retaining, storing and transmitting the data. EU member states had made a similar proposal that would have foisted those costs back onto service providers.
The final plan leaves it up to individual countries to determine whether they will reimburse service providers or require them to absorb the costs themselves. Compliance is required from service providers regardless of whether theyre located outside the EU, as long as they carry traffic to the region.
Meanwhile, privacy groups that have been fighting plans for mandatory data retention were appalled by the news.
The civil liberties group EDRI (European Digital Rights) posted a statement saying that it was “astonished” to see a law passed that would decree “very broad and long retention of telephony and Internet traffic data, with access granted for all sorts of undefined crimes.”
“EDRI is deeply concerned that this law will not create any security,” the statement read. “Instead it will erode the fundaments of our free and open society.”
EDRI, along with more than 100 other human rights and civil liberties groups, had backed a petition demanding the data retention plans be dropped.
“No research has been conducted anywhere in Europe that supports the need and necessity of creating such a large-scale database containing such sensitive data for the purpose of fighting crime and terrorism,” the petition said.
The final law wound up as a compromise that proposes limited access to data. Amendments included the restriction on use of retained data for detection, investigation and prosecution of terrorism and organized crime, as opposed to the mere prevention of a wide and nebulous variety of crimes.
“[Member States] feel that the concept of prevention is too vague and could lead to abuse of the system from national authorities,” according to the European Parliaments statement.
The directive stipulates that only the “competent authorities determined by Member States” will be granted access to the retained data. Each country will designate an independent authority responsible for monitoring the use of the data.
In addition, countries wont be allowed to access the entire database of retained data. Instead, they must limit their access to specific purposes and on a case-by-case basis, each time requesting data for a “concrete suspect” from a telecom company.