REPORT on the initiative by the French Republic, Ireland, the Kingdom of Sweden and the United Kingdom for a Draft Framework Decision on the retention of data processed and stored in connection with the provision of publicly available electronic communications services or data on public communications networks for the purpose of prevention, investigation, detection and prosecution of crime and criminal offences including terrorism

31.5.2005 - (8958/2004 – C6-0198/2004 – 2004/0813(CNS)) - *

Committee on Civil Liberties, Justice and Home Affairs
Rapporteur: Alexander Nuno Alvaro

Procedure : 2004/0813(CNS)
Document stages in plenary
Document selected :  
A6-0174/2005
Texts tabled :
A6-0174/2005
Texts adopted :

DRAFT EUROPEAN PARLIAMENT LEGISLATIVE RESOLUTION

on the initiative by the French Republic, Ireland, the Kingdom of Sweden and the United Kingdom for a Draft Framework Decision on the retention of data processed and stored in connection with the provision of publicly available electronic communications services or data on public communications networks for the purpose of prevention, investigation, detection and prosecution of crime and criminal offences including terrorism

(8958/2004 – C6-0198/2004 – 2004/0813(CNS))

(Consultation procedure)

The European Parliament,

–   having regard to the initiative by the French Republic, Ireland, the Kingdom of Sweden and the United Kingdom (8958/2004)[1],

–   having regard to Article 34(2)(b) of the EU Treaty,

–   having regard to Article 39(1) of the EU Treaty, pursuant to which the Council consulted Parliament (C6-0198/2004),

–   having regard to the opinion of the Committee on Legal Affairs on the proposed legal basis,

–   having regard to Rules 93, 51 and 35 of its Rules of Procedure,

–   having regard to the report of the Committee on Civil Liberties, Justice and Home Affairs (A6-0174/2005),

1.  Rejects the initiative by the French Republic, Ireland, the Kingdom of Sweden and the United Kingdom;

2.  Calls on the French Republic, Ireland, the Kingdom of Sweden and the United Kingdom to withdraw their initiative;

3.  Instructs its President to forward its position to the Council and Commission, and the governments of the French Republic, Ireland, the Kingdom of Sweden and the United Kingdom.

  • [1]  Not yet published in OJ.

EXPLANATORY STATEMENT

I.    Aim of the proposal

At the Justice and Home Affairs Council of 29 and 30 April 2004, France, the United Kingdom, Ireland and Sweden submitted a joint proposal[1] for a framework decision on the retention of communications data. The background to the initiative was a declaration on combating terrorism[2] adopted by the European Council on 25 March 2004, in which the Council was instructed to examine measures for establishing rules on the retention of communications traffic data by service providers.

The aim of the proposal is to facilitate judicial cooperation in criminal matters by approximating Member States' legislation on the retention of data processed and stored by providers of a publicly available electronic communications service for the purpose of prevention, investigation, detection and prosecution of crime or criminal offences including terrorism.

This would cover traffic and location data, including subscriber and user data, generated by telephony, Short Message Services and Internet protocols, including e-mails, but would not apply to the content of the information communicated. The proposal provides for data to be retained in principle for a minimum of 12 and a maximum of 36 months. In the case of the latter two communication methods, the Member States may decide to derogate from the stipulated retention period. When requesting mutual legal assistance, Member States would be able to gain access to data stored in other Member States. The proposal contains no reimbursement rules for costs incurred.

II.  Assessment of the proposal

There are sizeable doubts concerning the choice of legal basis and the proportionality of the measures. It is also possible that the proposal contravenes Article 8 of the European Convention on Human Rights.

1.  Legal basis

The legal basis chosen by the Council does not, in the rapporteur's opinion, tally with European legislation. Instead, the proposal consists of various measures that come under both the third and the first pillars of the Union.

The Council, making use of its sole legislative power in accordance with Title VI of the Treaty on European Union (TEU), cites Article 31(1)(c) in conjunction with Article 34(2)(b) TEU.

The rapporteur, however, takes the view that the proposed measures affect two separate areas. On the one hand, the Council's proposal attempts inter alia to establish the obligation for service providers to retain data, the definition of data and the retention period, all of which comes under the area of Community law. On the other hand, the proposal mentions access to and the exchange of data stored in the Member States, which is classed as common action in the area of judicial cooperation in criminal matters, meaning it comes under the third pillar.

Community legislation on the obligations of service providers already exists. The data in question is covered by Articles 1 and 2 of Directive 95/46/EC of 24 October 1995. The directive addresses the general obligations of Member States to guarantee the protection of the right to privacy of natural persons with respect to the processing of personal data. Furthermore, Directive 2002/58/EC of 12 July 2002 contains specific provisions on the processing of personal data and protection of the right to privacy in electronic communication. The principle behind both these directives is that the stored data is to be deleted once its retention is longer justifiable. Article 15 of Directive 2002/58/EC allows Member States to retain data in exceptional circumstances, provided that this constitutes a necessary, appropriate and proportionate measure to tackle crime. In the course of the negotiations on the Directive on privacy and electronic communications, the Member States were unable to agree on a retention period and no provisions were laid down in this regard.

The legal basis chosen by the Council is, therefore, contrary to Article 47 TEU, which states that the TEU should make no changes to the Treaties establishing the European Communities (TEC). According to this article, no provision of the TEU may affect those of the TEC. In this case, the failure to observe the existing legislative framework constitutes a contravention of the above. For this reason, service providers' obligation to retain data, the definition of the data to be retained and the retention period fall under the scope of the TEC.

The measures proposed must logically have the same legal basis as the existing legislation. Article 95 TEC, which provides for the codecision procedure, should, therefore, again be used as a basis.

This viewpoint is backed by the European Parliament's Committee on Legal Affairs. The rapporteur was also informed that both the Commission's and the Council's Legal Service agree with this legal interpretation.

2.  Proportionality of the measure

The rapporteur also has doubts as to the proportionality of the individual measures. The ends do not justify the means, as the measures are neither appropriate nor necessary and are unreasonably harsh towards those concerned.

Given the volume of data to be retained, particularly Internet data, it is unlikely that an appropriate analysis of the data will be at all possible.

Individuals involved in organised crime and terrorism will easily find a way to prevent their data from being traced. Possible ways of doing so include using 'front men' to buy telephone cards or switching between mobile phones from foreign providers, using public telephones, changing the IP or e-mail address when using an e-mail service or simply using Internet service providers outside Europe not subject to data retention obligations.

If all the traffic data covered by the proposal did indeed have to be stored, the network of a large Internet provider would, even at today's traffic levels, accumulate a data volume of

20 - 40 000 terabytes. This is the equivalent of roughly four million kilometres' worth of full files, which, in turn, is equivalent to 10 stacks of files each reaching from Earth to the moon. With a data volume this huge, one search using existing technology, without additional investment, would take 50 to 100 years. The rapid availability of the data required seems, therefore, to be in doubt.

In comparison with the present proposal for 'blanket' data retention, storage for a specific purpose, a model laid down inter alia by the Council of Europe's Convention on Cybercrime[3], could be a suitable and milder option.

Looking at the Council's reasons for rejecting this alternative[4], the question arises as to the extent to which the proposed data retention arrangements are compatible with the principle of presumption of innocence.

The proposal also fails to address the possible strains on those concerned. Aside from the infringement of the protection of personal data of individuals, there is a danger that enormous burdens would be placed on the European telecommunications industry, particularly on small and medium-sized telecom companies.

Costs would result primarily from:

-     technical changes to systems for data generation and storage,

-     changes to firms' in-house processes for secure data archiving, and

-     the processing and analysis of security authorities' inquiries.

According to estimates by a variety of large firms in the Member States, this would require investment in traditional circuit-switched telephony amounting to around EUR 180m a year for each firm, with annual operating costs of up to EUR 50m. In the case of small and medium-sized businesses, their ability to operate would no doubt be in jeopardy. According to estimates, the Internet-related burden would exceed that within traditional circuit-switched telephony many times over. For this reason, the Article 36 Committee proposes that only the data currently accumulated should be covered[5].

The Council's proposal contains no Europe-wide harmonised arrangements for spreading the cost burden it would create. Distortions of competition would arise that could jeopardise competition structures that are viable in the long term, thereby preventing the completion of a single European internal market.

3.  Compatibility with Article 8 of the European Convention on Human Rights

The proposal is also incompatible with Article 8 of the European Convention on Human Rights.

The monitoring and storage of data must be rejected if the measures do not comply with three basic criteria in line with the European Court of Human Rights' interpretation of Article 8(2) of the European Convention on Human Rights: they must be laid down by law, necessary in a democratic society and serve one of the legitimate purposes specified in the Convention.[6]. As has already been illustrated, it is debatable, to say the least, whether the proposal fulfils all the necessary criteria[7].

III. Conclusion

For the reasons outlined above, the rapporteur rejects the proposal for a framework decision and calls on the four Member States to withdraw their initiative.

The rapporteur expects the Member States to produce a study proving the unquestionable need for the proposed data retention arrangements. In addition to this, the data retention obligation, the definition of the data to be retained and the retention period should be dealt with separately from the other aspects of the proposal as the subject of a directive. The Commission should draft an appropriate proposal. It should be pointed out that the proposal's objectives could be achieved simply by implementing the Council of Europe's Convention on Cybercrime and improving crossborder cooperation in the area in question. Before a final decision can be taken on new measures, the results of the requested study must be considered. Should the Council's proposal unexpectedly obtain a majority, the requirement for a review of the measures in the form of an evaluation after three years in force should be incorporated into the text, so that the actual effectiveness of the measures can be established and the act of data retention justified.

  • [1]  Council document 8958/04 of 28 April 2004.
  • [2]  Council document 7764/04 of 28 March 2004.
  • [3]  ETS No 185, 8 November 2001; the Convention has not yet been transposed in all the Member States.
  • [4]  Council document 8958/04 ADD 1. The explanatory note on the framework decision on data retention simply states that storage for a specified purpose 'will never aid in the investigation of a person who is not already suspected of involvement with a criminal or terrorist organisation'. It 'is therefore not sufficient to meet the needs of the security, intelligence and law enforcement agencies in the fight against modern criminals including terrorists.'
  • [5]  Council document 15098/04 of 23 November 2004.
  • [6]  Article 29 Data Protection Working Party, Council document 11885/04 of 9 November 2004.
  • [7]  The European Court of Human Rights has stressed that the contracting states do not have unlimited discretion to subject individuals within their territory to clandestine surveillance. Given that corresponding powers, conferred on the ground that the intention is to defend democracy, threaten to undermine or destroy democracy, the Court stresses that contracting states are not allowed to adopt any measure they deem appropriate in order to combat espionage or terrorism.

OPINION OF THE COMMITTEE ON LEGAL AFFAIRS

Mr Jean-Marie Cavada

Chairman

Committee on Civil Liberties, Justice and Home Affairs

BRUSSELS

Subject:           Legal basis of the proposal by the French Republic, Ireland, the Kingdom of Sweden and the United Kingdom for the adoption by the Council of a Draft Framework Decision on the retention of data processed and stored in connection with the provision of publicly available electronic communications services or data on public communications networks for the purpose of prevention, investigation, detection and prosecution of crime and criminal offences including terrorism (8958/2004 – C6-0198/2004 – 2004/0813(CNS))[1]

Dear Mr Chairman,

By letter of 18 January 2005 your predecessor, Mr Jean-Louis Bourlanges, asked the Committee on Legal Affairs pursuant to Rule 35(2) to consider whether the legal basis of the above proposal was valid and appropriate. The proposal is based on Articles 31 paragraph 1(c) and 34 paragraph 2(b) of the EU Treaty. In this case, by application of Article 39 of the EU Treaty, Parliament need only be consulted.

The Committee considered the above question at its meetings of 3 February and 31 March 2005.

On 25 March 2004 the Council had called for rules to be established on the retention of data generated by service providers, in view of the fact that modern telecommunications opened up new avenues for international crime and terrorism in particular.

In response to the Council's request and to remedy the legal disparities between the Member States, four Member States (France, Ireland, the United Kingdom and Sweden) proposed providing an efficient and harmonised system for retention of data processed and stored in connection with the provision of publicly available electronic communications services or data on public communications networks for the purpose of prevention, investigation, detection and prosecution of crime and criminal offences including terrorism.

It is clear from Court of Justice case-law that the choice of the legal basis is not left to the discretion of the Community legislator, but that it must be based on objective factors which are amenable to judicial review. Those factors include in particular the aim and content of the measure[2].

Article 1 of the draft framework decision sets out the aim of the proposal, which is to facilitate judicial cooperation in criminal matters.

The content of the proposal specifies the means to achieve the declared aim: harmonising the categories of electronic communications data to be covered and determining how long such data must be retained; it also sets out the conditions of access to such data between Member States via the mutual assistance instruments on criminal matters that have already been adopted.

It should be noted that for a definition of traffic data and location data and data protection, the measure refers to Community instruments, Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)[3] and Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data[4].

The Community legislation referred to above, based on Article 95 of the EC Treaty, thus already governs issues concerning the processing of data, while the proposal in question aims to harmonise the categories of data to be retained by service providers during a fixed period and to fix the length of this period.

It should be noted that Article 47 of the EU Treaty states:

Subject to the provisions amending the Treaty establishing the European Economic Community with a view to establishing the European Community, the Treaty establishing the European Coal and Steel Community and the Treaty establishing the European Atomic Energy Community, and to these final provisions, nothing in this Treaty shall affect the Treaties establishing the European Communities or the subsequent Treaties and Acts modifying or supplementing them.

Thus under Article 47 of the EU Treaty it is not permissible for an act based on the EU Treaty to affect the acquis communautaire. Therefore the question arises whether the measures envisaged by the proposal ‘affect’ Community law as expressed in particular by the provisions of Directive 2002/58/EC.

In this connection, it should be noted that Directive 2002/58/EC has already established a whole series of obligations with regard to the categories of data to be retained by economic operators and how long they must be retained. It follows that any change in this area, as is intended by the draft framework decision, cannot be made by an instrument based on the EU Treaty. Therefore it could be maintained that adoption of the measure in question could constitute an infringement of Article 47 of the EU Treaty.

At its meeting of 31 March 2005 the Committee on Legal Affairs accordingly decided, by 11 votes with two abstentions[5], that:

· harmonisation of the categories of data and the length of time such data must be retained by service providers is part of the acquis communautaire arising from Directive 2002/58/EC;

· a framework decision based on Title VI of the EU Treaty aiming to modify these elements would affect the provisions of that directive and could in consequence constitute an infringement of Article 47 of the EU Treaty;

· with regard to the harmonisation of categories of data and the length of time they must be retained by service providers, the appropriate legal basis is that established by the pre-existing Community framework, Article 95 of the EC Treaty;

· in the light of these considerations, two separate measures could be envisaged: one based on the first pillar (ECT) on harmonisation of categories of data and the length of time such data must be retained, and the other based on the third pillar (TEU) on aspects relating to cooperation on criminal matters, in particular on the subject of access to and exchange of such data.

Yours sincerely,

Giuseppe Gargani

  • [1]  Not yet published in OJ .
  • [2]  See in particular ECJ, Case C-42/97, Parliament v. Council, paragraph 36
  • [3]  OJ L 201, 31.7.2002, p.37
  • [4]  OJ L 281, 23.11.1995, p.31
  • [5]  The following were present for the vote: Andrzej Jan Szejna (acting chairman), Manuel Medina Ortega (draftsman, and for Nicola Zingaretti), Alexander Nuno Alvaro (for Antonio Di Pietro), Maria Berger, Marek Aleksander Czarnecki, Bert Doorn, Piia-Noora Kauppi, Kurt Lechner (for Antonio López-Istúriz White), Klaus-Heiner Lehne, Alain Lipietz, Antonio Masip Hidalgo, Aloyzas Sakalas and Jaroslav Zvěřina.

PROCEDURE

Title

Initiative by the French Republic, Ireland, the Kingdom of Sweden and the United Kingdom for a Draft Framework Decision on the retention of data processed and stored in connection with the provision of publicly available electronic communications services or data on public communications networks for the purpose of prevention, investigation, detection and prosecution of crime and criminal offences including terrorism.

References

8958/2004 – C6-0198/2004 – 2004/0813(CNS)

Legal basis

Article 39 (1) EU

Basis in Rules of Procedure

Article 93, 51 and 35

Date of consulting Parliament

16.11.2004

Committee responsible
  Date announced in plenary

LIBE
01.12.2004

Committee(s) asked for opinion(s)
  Date announced in plenary

ITRE
01.12.2004

 

 

 

 

Not delivering opinion(s)
  Date of decision

ITRE
27.4.2005

 

 

 

 

Enhanced cooperation
  Date announced in plenary

 

 

 

 

 

Rapporteur(s)
  Date appointed

Alexander Nuno Alvaro
25.11.2004

 

Previous rapporteur(s)

 

 

Simplified procedure
  Date of decision

 

Legal basis disputed
  Date of JURI opinion

JURI
31.3.2005

/

 

Financial endowment amended
  Date of BUDG opinion

 

/

 

European Economic and Social Committee consulted
  Date of decision in plenary



0.0.0000

Committee of the Regions consulted
  Date of decision in plenary


0.0.0000

Discussed in committee

01.2.2005

28.4.2005

26.5.2005

 

 

Date adopted

26.5.2005

Result of final vote

for:

against:

abstentions:

28

1

0

Members present for the final vote

Alexander Nuno Alvaro, Edit Bauer, Johannes Blokland, Mihael Brejc, Michael Cashman, Giusto Catania, Charlotte Cederschiöld, Carlos Coelho, Antoine Duquesne, Patrick Gaubert, Lilli Gruber, Magda Kósáné Kovács, Wolfgang Kreissl-Dörfler, Barbara Kudrycka, Stavros Lambrinidis, Romano Maria La Russa, Henrik Lax, Edith Mastenbroek, Claude Moraes, Martine Roure, Ioannis Varvitsiotis, Stefano Zappalà

Substitutes present for the final vote

Ignasi Guardans Cambó, Luis Francisco Herrero-Tejedor, Sophia in 't Veld, Jean Lambert, Siiri Oviir, Vincent Peillon, Kyriacos Triantaphyllides

Substitutes under Rule 178(2) present for the final vote

 

Date tabled – A6

31.5.2005

A6-0174/2005

Comments

...