File synopsis

STATE OF PLAY: Directive adopted (codecision procedure).

BACKGROUND

Law enforcement authorities investigating serious crime and terrorism increasingly need access to  'traffic data', i.e. data generated by electronic communications, including such details as the location of the caller, the number called, the time and duration of the call, etc. Several Member States already have legislative procedures in place on the retention of data by service providers with a view to the prevention and pursuit of criminal offences. However, these national measures vary considerably. The  terrorist bombings in Madrid in 2004 and in London in 2005 highlighted the need for rules at EU level that guarantee the availability of traffic data for anti-terrorism purposes across the 25 Member States.

• March 2004: in its Declaration on combating terrorism of 25 March 2004, the European Council instructed the Council to examine 'proposals for establishing rules on the retention of communications traffic data by service providers' with a view to their adoption in June 2005.
• April 2004: France, Sweden, Ireland and the UK proposed a Framework Decision on data retention based on Title VI of the Treaty of the European Union (judicial cooperation in criminal matters) – a third pillar legal basis (CNS/2004/0813).
• May 2005: the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs was opposed to the draft Framework Decision for a number of reasons: the legal basis chosen (which does not allow the Parliament full rights in the decision-making process), civil liberties issues and the risk of excessive costs for industry.
• July 2005: in its declaration condemning the attacks on London, the UK Presidency, supported by certain Member States, sought to adopt Community legislation on the retention of data before the end of the year.
• June - September 2005: in a report drafted by Alexander Nuno ALVARO (ALDE, DE), under the consultation procedure, the European Parliament unanimously rejected the draft Council Framework Decision at its part-sessions in June and September, on the grounds that the Council had chosen the wrong legal basis. In common with the Commission, Parliament took the view that Article 95 of the EC Treaty - Internal Market, first pillar - was the correct legal basis.  This change meant that the Parliament would be fully involved in the legislative process with the power of codecision.
• September 2005: the Commission submitted its own “rival” proposal for a Directive on data retention pursuant to Article 95 of the EC Treaty (first pillar), thus providing the basis for negotiations with the Council (COD/2005/0182). In terms of substance, the Commission’s proposed directive was broadly similar to the rejected draft framework decision. It called for internet data to be held for 6 months and phone data for 12 months, and internet service providers and telecoms companies to be compensated for compliance costs.
• November 2005: the Committee on Civil Liberties, Justice and Home Affairs approved, with a clear three-quarters’ majority in favour, the report by Alexander Nuno ALVARO (ALDE, DE), on the proposed Directive on data retention. 21 compromise amendments, replacing the 250 amendments initially tabled, were agreed. The committee's position differed from the views expressed within the Council on the following issues: Length of retention: The committee proposed 6-12 months (telephony and internet), while the Council called for 6 months for internet and 6-24 for telephony. Scope: The committee used the European Arrest Warrant definition of “serious crime” whereas the Council wanted to include all crimes. Transfer of data: national authorities wishing to access data should obtain legal authorisation, access should be on a case-by-case basis and with a specific aim. Cost reimbursement: the committee agreed that telephone companies should be fully reimbursed by the Member States for the costs incurred in holding, storing and transmission of data, whereas the Council was against this proposal. Unsuccessful calls: the committee requested an “opt-in” whereby Member States could decide whether to hold data for failed calls, whereas the Council called for the mandatory retention of data pertaining to all calls, including those which were unsuccessful. Lastly, on penal sanctions, the committee called for criminal sanctions on the misuse of data whereas the Council was against this. 
• 1-2 December 2005: the Council agreed to reach, by the end of 2005, an agreement with the European Parliament on the draft directive based on a compromise text.
• 14 December 2005: under pressure from the UK Presidency, the European Parliament approved the proposed directive, under the first reading of the codecision procedure, in terms comparable to the compromise reached in Council. Compromise amendments proposed by the EPP-ED and PES and approved in plenary differed in several key points from the proposal adopted in committee. The full Parliament accepted the Council’s proposal of 6-24 months for data retention, which is more than the one-year limit proposed by the Commission. It also agreed to grant access to data retained by telephony operators and internet providers to independent authorities designated by Member States, as well as the right for these authorities to retain data relating to unsuccessful calls. Lastly, the reimbursement of costs would be regulated at national level as opposed to being mandatory. The GUE/NGL, Greens/EFA and UEN groups and some members of the ALDE group, including the rapporteur, voted against the compromise, and the rapporteur subsequently took his name off the report in protest.
• February 2006: the Council adopted the Directive of the European Parliament and of the Council on data retention, amending Directive 2002/58/EC. The Irish and Slovak delegations voted against. The date set for transposition is 15 September 2007.

CONTROVERSIAL ISSUES

In rejecting the draft Council Framework Decision on the retention of data, submitted by France, Sweden, Ireland and the United Kingdom, the European Parliament (supported by the Commission) expressed strong reservations about the chosen legal basis (Title VI of the Treaty on the European Union – third pillar), which would not have allowed for Parliament to be involved under codecision.

Pointing out that the objectives of the proposal could be achieved simply by implementing the Council of Europe's Convention on Cybercrime, MEPs also expressed doubts about the proportionality of the proposed measures and called for a study to be carried out proving the absolute need for these new provisions. And they raised questions as to whether the draft Framework Decision contravened the fundamental rights guaranteed to individuals by Article 8 of the European Convention on Human Rights.

Following the Commission’s proposal, the UK Presidency led an intensive lobbying campaign for the rapid adoption of the draft directive. Under the codecision procedure, a compromise was forged by the EPP-ED and the Socialist groups. In essence, the European Parliament agreed to longer retention periods (6-24 months) and no mandatory reimbursement of costs in return for the tightening up of data protection provisions. This differed significantly from the position adopted by the committee, which had called for a retention period of 6 to 12 months and a mandatory reimbursement of all costs.

EUROPEAN PARLIAMENT’S ROLE

Throughout the interinstitutional discussion, the European Parliament’s main objective has been to protect individual rights and to ensure that it has equal powers of decision when it comes to policies which have great importance for both citizens and business. MEPs took the view that data must be conserved for the purposes of research and for the identification of and legal proceedings against serious criminal offences (terrorism and organised crime), but not for the prevention of all sorts of crimes. They insisted that only traffic and location data should be stored and that the content of communications should not be held.

They also introduced a provision whereby access would be granted to competent authorities on a case-by-case basis and with a specific objective, i.e. the authorities would have to ask the telecommunications operator to consult the data pertaining to a specific subject on each separate occasion, but would not be allowed access to the entire data base. And they included a clause that provides for "effective, proportionate and dissuasive” criminal sanctions for operators who fail to store or misuse the retained information.

In this context, it should be noted that, in May 2006, following legal action instituted by the European Parliament against the Commission, the European Court of Justice annulled an agreement between the European Community and the United States on the processing and transfer of passenger name records (PNR) data and the accompanying Adequacy Decision (which deemed that such information was adequately protected by the United States). The Parliament contended that adoption of the decision on adequacy was ultra vires, that Article 95 EC did not constitute an appropriate legal basis for the decision approving the conclusion of the agreement and that, in both cases, fundamental rights had been infringed. When the agreement is revised in 2007, MEPs will call on the Council to grant them full codecision rights so that they can ensure that future agreements respect data protection clauses (see INI/2006/2193).