Data Retention in Europe: The story so far

Political action in the European Union frequently appears to happen behind closed doors. But the breadth of the EU’s powers, and the fact that EU legislation will always take precedence over our own domestic law, even our Constitution, makes it important to keep an eye on.

Despite repeated public statements bemoaning the public’s disconnect from EU decision making, politicians across the continent have found it a useful vehicle for introducing unpopular measures. When the law they’ve been fighting for in Brussels is passed, to the dismay of their constituency, they can go home and blame faceless Eurocrats for forcing their hand.

Sadler's Battle of Waterloo

Our government is deeply involved with an attempt to impose a system of ‘data retention’ across Europe – tracking all telephone calls, internet usage, and even people’s everyday physical location (if they use a mobile) and leaving that huge mass of data for telecoms companies to look after, unless and until, any member state would like to rummage through it.

Reporting of events in the EU is sparse in Irish and British newspapers. So, to try to keep our readers up to date, we’ve compiled the story of the push to bring in data retention across the EU, up to now. It should serve as a useful mixture of background information, jargon explanation and opinion collation.

  1. Ireland has had a data retention regime since April 2002. The current regime is on foot of the Criminal Justice (Terrorist Offences) Act 2005. The previous regime had been brought in on foot of a ministerial order, by the Minister for Communications, at the request of the Minister for Justice. (see Karlin Lillington’s archive for more details)
  2. The Data Protection Commissioner challenged the Minister’s authority to bring in such a law. He cited legal advice that it contravened Art. 15.2.1 of the Constitution which says that only the Oireachtas has the power to make laws, and threatened legal action.
  3. The Minister for Justice, when introducing Part 7 of the Criminal Justice (Terrorist Offences) Act 2005 as an amendment at the Seanad stage, said that he had hoped that a data retention law would be passed at a European level. As it hadn’t been, he couldn’t rely on it to give him cover for the previous regime and so he was putting the policy on a Statutory footing. (Wiki format of Part 7 of the above Act: here)
  4. At European level, on the 8th September, despite heavy promotion by the British European Presidency, the Council of Ministers could not reach agreement on the introduction of a Europe-wide Data Retention Order. This decision would have been made under Pillar 3 of the EU decision making process – which deals with security and justice matters – and therefore would have excluded the European Parliament from the decision making process. (RTE link)
  5. This failure appeared to be the end of the matter at European level for the time being. However, the Commission, acting (it is said) independently of the British presidency, introduced a draft Directive, on the 21st September, which allowed for a data retention scheme to be mandated Europe-wide. The European Parliament welcomed the opportunity to have their say, having rejected the attempt to shut them out of the decision making process by use of the Pillar 3 powers of the Council of Ministers. (see here)
  6. The terms of this draft Directive mandated shorter holding periods for the data (one year for phone records, six months for ISPs) than those envisioned by the Council of Ministers. The Directive sought to buy off objections from industry, on grounds of cost, by committing the governments to paying for the data storage and collection costs, whatever they might be. It was hailed in press reports, following the PR line from the Commission, as ‘Commission steps up personal data safeguards’ boards.ie link
  7. The Directive includes a comitology clause (see here), which allowed for the terms of the Directive to be varied through comitology. This EU procedure means that the Council of Ministers can delegate executive duties to the European Commission, while still maintaining some legislative control. Representatives of the member states form a special implementation committee. There are different types of implementation committee, which vary primarily in their degree of autonomy. In the case of data retention, the Commission has chosen the form of a ‘regulatory committee’.
    If a qualified majority of the regulatory committee agree, the Commission can adopt these proposals. If a qualified majority of the regulatory committee are not in agreement, the proposals get sent to the Council of Ministers. Provided that a qualified majority of the Council of Ministers do not reject the proposals within three months, the Commission can adopt these proposals. If a qualified majority of the Council of Ministers accept the proposals, or the Council do not make a decision within three months, the proposals can be adopted.

    This could be used, for example, to send a proposal for drastic expansion of the kinds of data, or the length of time it is held, to the Council. If a qualified majority cannot be found within three months, the Commission may adopt the proposed measures, even against the wishes of member states. National parliaments are completely excluded from this procedure, and the European Parliament has only the so-called “right of scrutiny”. Further, this procedure could be used as a method of bypassing opposition to the Data Retention plans at Council of Ministers level.

    Under the “right of scrutiny”, if the European Parliament feels a proposed measure “would exceed the implementing powers provided for in the basic instrument”, the Commission must re-examine its proposal. If the Commission feels the Parliament is mistaken, it is free to ignore the complaint of the elected representatives.

    In layman’s terms, a law with this kind of power represents a signed “blank cheque”. The House of Lords also believes that this system is undemocratic, if that’s of any comfort. (see here). Although Brian Crowley MEP believes that this is an exaggeration. (see here)

  8. The Minister for Justice has warned that he will not accept a reduction from three to two year storage, as proposed by the Draft Directive as it now stands from the Commission.

    a. “But Irish Justice Minister Michael McDowell said according to Irish media, that the commission had no legal power to legislate on the issue of data retention. Dublin would consider legal action if new EU rules threatened Ireland’s own data retention law, he said according to The Irish Times.” EUObserver

  9. The British Home Secretary has told MEPs that if they do not accept the Commission’s Draft Directive before Christmas, he will return the matter to the Council of Ministers and have the previous, more stringent, proposals passed there.
  10. This is probably bluster. The British Presidency couldn’t get the Draft Directive passed on 8th September, and we see no reason to believe that matters have changed since then. The deadline of the end of the year is real, however. If the matter is not passed before then, the Presidency will pass to another member state (Austria, whose parliament has yet to give their ministers the power to agree a data retention policy, and who have suggested limitations to the proposals). Only four states have come out in favour of the UK plan – the UK, Ireland, France and the Netherlands. Of these, only Ireland has a legal and effective data retention policy in action.
  11. Despite these issues, the European Parliament has stepped up the pace of deliberations on this matter.
  12. On 24th September, the European Data Protection Supervisor issued his opinion of the Draft Directive. Amongst other things, he believes that “the Directive has a direct impact on the protection of privacy of EU citizens and it is crucial that it respects their fundamental rights, as settled by the case law of the European Court of Human Rights. A legislative measure that would weaken the protection is not only unacceptable but also illegal.” He implicitly rejects the UK’s Council of Ministers Order. Full report here
  13. On the 24th of October the EU Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) met to discuss the Data Retention proposals from the Commission.

    “If the leaders of the political groups don’t reach another kind of agreement in their secret negotiations this month with the Council, it looks like LIBE will support some of the most important changes proposed by rapporteur Alexander Alvaro. Alvaro wants to exclude internet and location data, and to introduce a sunset provision. In that case, the directive would be valid for 5 years. After that, Commission and Parliament would have to evaluate the usefulness and engage in a new legislative procedure or let the directive disappear.

    Alvaro wants to delete the purpose of ‘prevention’ from the scope of data retention. The comitology procedure must be deleted and the flexible ‘technical annex’ must be replaced by a limited list of data within the text of the directive itself. Replacing the vague category of ‘serious crimes’ proposed by the Commission, Alvaro sums up a limited list of serious crimes, including terrorism, sexual exploitation of children, environmental crime, hijacking, rape and arson.”

    cf European Data Rights (EDRI-gram)

  14. We haven’t yet seen if this proposal will be accepted by the LIBE committee. We don’t know if the Council of Ministers will find the emasculation of their plans unacceptable, even if it is accepted by the committee. If so, they may attempt to act on the plan to introduce the matter by an order from the Council of Ministers, as threatened. (see paragraph 9 above) And we don’t know if the LIBE plan, even if passed into legislation, would have any impact on our own Irish Data Retention system.
    It would only have such an effect if the terms represented the maximum permissible extent of data retention – rather than the minimum obligation for member states to introduce. And finally, we don’t know if our Minister for Justice, Michael McDowell, would act on his threat to shut the European Parliament out of the decision making, if he felt that his Irish laws were being circumscribed. (see paragraph 8 above)

All, as the cliche goes, is still to play for.

What can you do? Perhaps amazingly, writing to your MEP can be an effective method of having your opinions heard at European Parliament level. Interest in European Parliament issues is limited. So when your MEP gets a letter on an issue, they presume that it represents the tip of an iceberg – that for every person who writes a letter, there is a crowd of voters who didn’t bother to write, but who feel the same way.

Here’s a sample letter to get you started, but the more you use your own words, the more notice will be taken of your letter. (Sample letter) Don’t forget to be friendly, polite and to the point- it’s the best way to win a busy person over. You can find out who your MEPs are, and how to contact them, here.

As the Minister for Justice is still demanding that his three year data retention policy be endorsed and extended at a European level, it is also worth contacting your TDs about this matter. Let them know that it is something they need to learn about and pay attention to, if they are to keep your support.

If you’re really pressed for time, you could just sign this petition against Data Retention.

And please let us know that you’ve done these things. We’d like to build up a picture of which public representatives have been contacted, how often, and on which of our issues. Thank you.