A public threat to protection of privacy? Data retention requirements in the European Union


José Luis Gómez Barroso


It is clear that protection of personal data and privacy, as part of the defence of inalienable rights, is a cornerstone of the democracies and that, above specific legal details, its regulation has to stem from an unalterable nucleus.

Nevertheless, accepting the above, the system of guarantees granted can and must give way to situations in which the protection of another legal right prevails: this is typically the case with public or national security. Generically, this principle seems easily admissible. However, in its practical application, the range of possible cases covers situations in which it is not, by any means, easy to decide which of the conflicting rights must be imposed.

No one doubts that communications networks based on information technology form a critical part of economic relationships and therefore, even if they are not already so, of social relations. If an increasing number of lawful activities use the networks, it is obvious that unlawful ones will do so too. The more common their use, the greater the potential they provide for carrying out criminal acts, either directly or through aiding traditional criminal behaviours.

When the network itself is the vehicle of the act, we are facing a ‘cyber-delinquency’, which covers a wide variety of activities such as exchange of or trafficking in prohibited materials (especially child pornography and documents with racist content), various computer frauds, assaults against confidentiality, integrity and availability of the information systems themselves or offences against intellectual and commercial property. When the network is merely an instrument of communication or source of information, it simplifies, facilitates and assists the committing of any offence.

In the first case, there is logically increased concern given the rate at which new threats arise. But sensitivity has grown especially in the second case following the terrorist attacks in the United States in September 2001, causing the strengthening of a current of opinion that reconsiders the flexibility of the limits established on data protection. The first result can be found in the new European Directive on the processing of personal data and the protection of privacy in the electronic communications sector. According article 15 Member States may adopt legislative measures to restrict the scope of the rights and obligations, inter alia, providing for the retention of data for a certain time period.

It is our opinion that under no circumstances should this article have reached the final draft. Whatever situation is claimed, a democratic society must not allow general surveillance or massive data storage. The principle of purpose cannot be violated: all information is always gathered with a concrete and legitimate intention.

This paper analyses the definition process of the new framework and the current situation in European countries (whether mandatory systematic retention of traffic data is required and the impact of this legislation).

In the second part, the very long list of practical difficulties to be overcome is analysed:

  • It is not clear what data would need to be kept, what is basic for network security, to undertake an investigation or to prevent fraud.
  • It is also difficult to determine what should be the period required before erasure of the data.
  • The economic cost of the storage, management and recovery of the data could be astronomical. These costs would also rise as broadband access becomes generalised, with each user generating ever more data and communications between devices becoming customary.
  • The alternative possibility of storage in large, publicly financed central equipment seems, at very least, worrying.
  • There is also an evident risk that the data may be improperly used by the organisation itself.
  • Similarly, they would be a preferred target for outside attackers. Custody responsibility needs suitable additional investment in security, possibly beyond the scope of small companies.
  • In some transborder communications, the efficiency of the system may be limited without transnational commitments.
    • Many companies have parts of their systems decentralised, using intermediaries and even fictitious head offices. These practices, intimately integrated within the technological infrastructure (therefore, not always voluntary), are difficult to handle a way that respects national legal variations.
    • The existing instruments for international cooperation in matters of criminal law, such as mutual legal assistance, may not be appropriate or sufficient.
  • At present, there are procedural problems. Difficulty in identification means information obtained from the network is highly questionable as evidence.
  • For the development of the information society, it is not very positive for citizens to perceive that one of the threats to their individual rights comes from a government gradually resorting to surveillance technology and the invasion of privacy, even though the intention is to promote public security.