EU Proposals for email/telecoms monitoring

Written by LDEG on Thu 1st Jun 2000

"EU Governments to give law enforcement agencies access to all communications data. " Statewatch article 16/05

"Alarm at European data surveillance plan" Guardian 18/05

Two relevant Commission proposals referred to are;

Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating computer-related Crime - (Cederschiold report)

Directive concerning the processing of personal data and the protection of privacy in the electronics communication sector - (Cappato report)

The Statewatch article is somewhat of an overreaction, as it argues that the Council is going to back retention and archiving of all "communications" and provide that law enforcement agencies will have full access to telecommunications data in all future Community legislation and re-examine existing laws.

The current situation is as follows:

Interception of telecommunications

Under current EU legislation interceptions are illegal unless they are authorised by law, when necessary in specific cases for limited purposes. (Article 8 ECHR referred to in Article 6 TEU regarding fundamental rights and in the two data protection directives from 1995 "General Data Protection Directive" 95/46/EC and 1997 " Telecommunications Directive" 97/66/EC - now under review)

In addition, the Mutual Assistance Convention of May 2000 has provisions regarding interception of communications but these must be done through a "competent authority" - judicial or equivalent and does not provide for the situation where a law enforcement agency / police force automatically has access to the data.

Retention of traffic data

As regards retention of traffic data the law enforcement agencies in the EU Member States are concerned that with new price rate and billing techniques there will no longer be a need to store traffic data. They therefore advocate that service providers keep traffic data for a minimum period.

It is important to note that this would include all criminal investigations not just those related to computers or computer networks just where data could be used to solve crime. Under existing legislation, 1995 "General Data Protection Directive" 95/46/EC and 1997 " Telecommunications Directive" 97/66/EC - now under review, traffic data must be erased or made anonymous immediately after the telecommunications service is provided, unless they are necessary for billing services.

Regard must also be had to the Council of Europe Cyber Crime Convention of 1981 regarding personal data protection. In principle service providers are not allowed to preserve data. Member States can restrict this obligation to erase traffic data when this constitutes a necessary measure for prevention, investigation, detection and prosecution of a crime. However they must be appropriate, necessary and proportionate. Immediate access for law enforcement authorities for data concerning any crime cannot be considered to fit into the justification that it is appropriate, necessary and proportionate.

The information given (BBC News Online) that some EU Members have submitted proposals to keep traffic data for seven years is incorrect. According to the Commission proposals electronic data should be deleted or made anonymous by networks or inter-service providers as soon as billing process is complete. No length of time has been specified and the reference to seven years comes from a UK report sent by the National Criminal Intelligence Service (NCIS) to the Home Office 21 August 2000. This in itself however is far reaching as at present preserving traffic data for bill verification purposes is about 30 days. However it is also important to note that the EP has taken a stance that is more favourable towards protection of personal data protection. In the EP Legislative Resolution embodying Parliament's opinion on the draft Joint Action regarding combating child pornography on the Internet (OJ C 219 30.7.1999) the EP favoured a general obligation to preserve traffic data for a period of three months.

The Commission Cyber Crime proposal makes some sensible and rational comments about balancing the need to have law enforcement and effectively police the Internet and bearing in mind the cost to industry of such measures. The Council, through its Working Party on Police Co-operation has issued some Council Conclusions regarding taking law enforcement needs into consideration when working out Community law.

This is a key EU policy area where the correct balance must be struck between the protection of fundamental rights and the fight against crime.