Deal on EU data retention law

The European Parliament adopted today by 378 votes in favour, 197
against and 30 abstentions a directive on data retention in first
reading. The final text negotiated beforehand with the Council aims to
facilitate judicial co-operation in criminal matters by approximating
Member States' legislation on the retention of data processed by
telecommunications companies.

The directive covers traffic and location data generated by telephony,
SMS and internet, but not the content of the information communicated.

The new EU law will help national authorities to track down possible
criminals and terrorists by granting them access to a list of all
telephone calls, SMS or Internet connections made by suspects during the
previous few months.  The amendments finally adopted were a compromise
between the PES and EPP groups with the Council and differed in some key
points to the draft directive adopted initially by the Civil Liberties
Committee.  The GUE, Greens and UEN groups and some members from the
ALDE group voted against the directive in the final vote.  Alexander
Nuno ALVARO (ALDE, DE) was unhappy with the result of the compromise
adopted and withdrew his name as rapporteur.

Limited access to data

In the final text adopted, Parliament is proposing a number of
amendments to the Commission text to restrict the use of retained data
and ensure that the future law fully respects the privacy of the
telephone and internet users.

On the aim of the directive, MEPs agree with the need to retain data for
the detection, investigation and prosecution of crime, but only for
“specified forms” of serious criminal offences (terrorism and organised
crime), and not for the mere “prevention” of all kinds of crime.  MEPs
feel that the concept of prevention is too vague and could lead to abuse
of the system from national authorities.

The directive will provide for data to be retained by the
telecommunications companies for a minimum of six months and a maximum
of 24.  MEPs also added a provision for “effective, proportionate and
dissuasive” penal sanctions for companies who fail to store the data or
misuse the retained information.

Only the competent authorities determined by Member States should have
access to the retained data from phone or internet providers.
Furthermore, each national government will designate an independent
authority responsible for monitoring the use of the data.

MEPs also establish that access to retained data should be limited to
specific purpose and on a case by case basis (push system): each time,
the authorities would need to request to the telecom company that the
data related to a concrete suspect, instead of having granted access to
the whole database.

As for the type of data to be retained, MEPs finally supported the
registration of location data on calls, SMS and internet use, including
unsuccessful calls.  This point was controversial due to the fact that
telecom companies do not currently register lost calls for billing
purposes and so to do this using new technologies would be expensive.
Spanish MEPs strongly supported the Council position to include the
retention of unsuccessful calls, since the terrorist attacks in Madrid
were prosecuted thanks to the investigation of specific lost calls from
mobile phones.

Who foots the bill?

Finally, MEPs decided to delete the paragraph in which it was mandatory
for Member States to reimburse telecom companies for all additional
costs of retention, storage and transmission of data.  In the draft
directive adopted by the Civil Liberties Committee, MEPs had initially
called for the full reimbursement of costs.

Stefan Kelm
Security Consultant

Secorvo Security Consulting GmbH
Ettlinger Strasse 12-14, D-76137 Karlsruhe

Tel. +49 721 255171-304, Fax +49 721 255171-100
[EMAIL PROTECTED], http://www.secorvo.de/
PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to