The "moment of truth" for the Data Retention Directive: EDPS demands clear evidence of necessity
In a speech today at the European Commission conference in Brussels on "Taking on the Data Retention Directive", Peter Hustinx, the European Data Protection Supervisor (EDPS), strongly argued in favour of seizing the opportunity of the ongoing evaluation process to clearly demonstrate the necessity and justification for the Data Retention Directive.
The EDPS emphasised once again that the retention of traffic and location data of all persons in the European Union (EU), whenever they use the telephone or the Internet, is a huge interference with the right to privacy of all citizens. As such, the EDPS regards the Directive as the most privacy invasive instrument ever adopted by the EU in terms of scale and the number of people it affects.
Such a massive invasion of privacy needs profound justification. The EDPS therefore called on the European Commission to use the evaluation exercise to actually prove the necessity of the Directive. Concrete facts and figures should also make it possible to assess whether the results presented in the evaluation could have been achieved with other less privacy invasive means.
"The evaluation we are currently waiting for is the moment of truth for the Data Retention Directive", said Peter Hustinx. "Evidence is required that it constitutes a necessary and proportionate measure. Without such proof, the Directive should be withdrawn or replaced by a less privacy invasive instrument which meets the requirements of necessity and proportionality."
The EDPS further insisted on the fact that the Data Retention Directive clearly failed to harmonise national legislation. Significant discrepancies between the implementing laws of the EU Member States have led to legal uncertainty for citizens. It has also resulted in a situation where the use of the retained data is not strictly limited to the combat of really serious crimes.
According to the EDPS, a new or modified EU instrument on data retention should be clear about its scope and create legal certainty for citizens. This means that it should also regulate the possibilities for access and further use by law enforcement authorities and leave no room for the Member States to use the data for additional purposes.
Background information
The Data Retention Directive (Directive 2006/24/EC) requires public electronic communications providers (telephone companies, mobile telecoms, Internet service providers) to retain traffic, location and subscriber data for the purpose of the investigation, detection and prosecution of serious crime.
The Directive is currently undergoing an evaluation process that seeks to assess its application by Member states, and its impact on businesses and consumers. The aim is also to establish whether the Directive is proportionate in relation to the law enforcement benefits it yields, the costs for the market, and the impact on fundamental rights, in particular the rights to privacy and the protection of personal data. The outcome of the evaluation will assist the Commission in determining whether a revision of the Directive is necessary.