Mandatory Retention of Traffic Data: What is next?
Prof. Dr. Henrik W.K. Kaspersen
Computer/Law Institute, Vrije Universiteit Amsterdam, The Netherlands

The program
• Historical background of data retention law
• Actions within the European Union, influence of European Bodies
• Emergence, content, implementation of Directive 2006/24/EC
• Evaluation
IFIP SEC 2006 Karlstad May 24, 2006

Disclaimer
• Avoiding details
• Personal view
• Not all questions may or can yet be answered

Historical background (I)
• Terrorist attacks
• Anti-terrorist law
• Council of Europe: Warsaw Convention 2005
• European Union instruments
• Proposal to sign CoE Warsaw Convention 2005
• Critical infrastructure 2004/2005
• Exchange of information 2004
• Adoption Schengen System 2002
• Financing Europol 2002
• Framework decision on combating terrorism 2001

Historical background (II): availability of traffic data
• Traffic data is an indispensable means
• Cybercrime Convention
• Debate 1999-2000
• Aspects concerning feasibility of retention:
• Different situation EU-other Parties
• Stronger need in Europe? (Directive 1998/66/EC)
• Privacy concerns, proportionality
• Disproportional burden for industry
• Societal costs
• Industry should not take over tasks of LEA

Historical background (III)
• Compromise in the Cybercrime Convention
• Art. 20: real-time collection of traffic data (telephony and internet), public/non-public, for the future
• Art. 18: production order: traffic data as is; production order: subscriber data
• Art. 16: freezing of vulnerable data

EU-initiatives (I)
• Isolated drafts/initiatives within third pillar.
• Communication of Joint Data Registrars in September 2002: mandatory retention in principle should be rejected.

EU-initiatives (II)
• After Madrid 2004: European Council stresses the need for retention, priority for third pillar
• April 2004: Joint proposal by France, UK, Sweden, Ireland
• Elaboration of several drafts: high level of disagreement, not on the principle but on the details

EU-initiatives (III)
• Intervention (questions) of the European Parliament
• Framework decision formally rejected in September 2005
• First pillar and third pillar
• Initiative Directive by the European Commission in May 2005
• Proposal for a Directive October 21, 2005
• Involvement of the European Parliament
• The ‘royal way’: amend 2002/58/EC

EU-initiatives (IV)
• Influence of art. 29 Group (Advice 1868/04/EN WP 113): very critical but accepting
• “without precedent”
• “Intervention of the Commission will lead to shorter terms of preservation”
• Terms of preservation should be maximum terms
• Access conditions?
• Serious Crime?
• Periodical assessment
• Precise definition of traffic data
• Separation from content
• Data mining not allowed
• Data security

EU-initiatives (V): Position of e-Communications Industry
• Mainly opposition from Euroispa and individual providers
• Research reports on the feasibility and efficacy of retention of internet traffic data
• Rejection of administrative and financial burden

EU-initiatives (VII)
• Euroispa (consultation document and Position September 2005)
• Recognition of responsibility of industry: offering technological advice about ever-changing technology
• No evidence provided for the necessity of the measure
• Costs reduce speed of development and undermine competitiveness of European industry
• Doubt about feasibility and effectiveness
• Regulation is disproportionally burdensome and difficult to comply with
• Financial compensation?

The Emergence of Directive 2006/24/EC
• Key dates
• Adoption by the Council: 21 February 2006
• Agreement with European Parliament: 15 March 2006
• Publication: OJ April 13, 2006
• In force: May 3, 2006
• Ultimate date of implementation: September 15, 2007, or March 15, 2009

Overview of Directive 2006/24/EC
• Scope
• Obligation to retain:
• What?
• How?
• How long?
• How secure?
• Use
• Enforcement of Directive

Directive 2006/24/EC: Scope
• Includes traffic data and subscriber/user data (art. 5)
• Also cell-identification of cell phone, voicemail, conferencing, call forwarding etc.
• SMS, enhanced (multi)media services
• Unanswered calls
• Public e-communication services

Directive 2006/24/EC: what?
• Art. 3: Obligation of providers to retain traffic data, in derogation of art. 5, 6, 9 Directive 2002/58/EC
• Art. 5: Categories of data to be retained
• Functional description with regard to type of e-communication
• ID of source
• ID of destination
• … followed by specification
• Specification of data necessary to identify

Directive 2006/24/EC: how?
• Period of retention: 6 months up to 2 years, except particular circumstances of art. 12
• No specification, except art. 7 security principles
• No structure and principles of retrieval, except art. 8 ‘without undue delay’

Directive 2006/24/EC: use
• Use: domestic law
• Purpose of retention:
• Recital 9: in particular organised crime and terrorism on behalf of law enforcement
• Recital 7: reference to JHA: prevention, investigation, detection and prosecution of criminal offences
• Previously: serious crime (to be defined by domestic law)

Directive 2006/24/EC: other
• Art. 10: Yearly provision of statistics to EC
• Number of cases
• Time gap
• Cases where no data was available
• Art. 12: particular circumstances: market view, further art. 15 of 2002/58/EC?
• Evaluation 15 September 2010 by the European Commission

Implementation of the Directive
• Adoption Council: February 21, 2006
• Agreement with EP: March 15, 2006
• Publication OJ: April 13, 2006
• In force: May 3, 2006
• Ultimate date of implementation: September 15, 2007 or March 15, 2009

International Co-operation
• Dissemination to other States
• EU Member States
• EU Members of Council of Europe
• Other States
• Treaty based
• In absence of treaties
• US?

Evaluation
• Directive
• Form
• Reach
• Relation with 2002/58/EC
• Regulated
• Limitative specification of data
• Periodical assessment
• Limitations, meaning, follow-up
• Not regulated
• Access, technical organisation, costs
• Impact
• What is next?

In conclusion
• Data retention:
• a dramatic step that opens the door for other measures
• direct threat for fundamental rights
• necessity is not and cannot be demonstrated
• measure hard to challenge
• regulation is only partial