Many states barely use data retention laws, while others make thousands of requests, writes KARLIN LILLINGTON
THE GARDA made more requests for phone-call traffic data in 2008 than police in Germany, which has 20 times the population of the Republic.
According to a leaked draft of a European Commission report, gardaí made more than 14,000 access requests for call data in 2008, a rate about 40 per cent higher than had been previously assumed by data privacy advocates, who had based an estimate of 10,000 on figures provided in the past by gardaí to the Office of the Data Protection Commissioner.
The information, supplied by the Government, is revealed in a draft report for the European Commission that will be issued later this year, but which was leaked to a German privacy advocacy organisation.
The report evaluates the application of data retention legislation across the EU, following a 2006 EU directive that required all states to bring in mandatory retention.
The report indicates that many member states make surprisingly little use of their data retention laws, while others have made hundreds of thousands of requests. France and the UK topped the 2008 tables, with 538,437 and 470,222 requests respectively.
The Czech Republic made 131,560 requests, Spain and Latvia made more than 70,000, Lithuania made more than 16,000, and Ireland made 14,095. Germany made 13,348. Denmark made fewer than 4,000 requests and many states only had several hundred applications for data records.
The report notes that call data requests tend to increase year on year in all member states.
Ireland had only 20 requests from agencies outside the State for data, which would seem to indicate a low level of interoperation between European law enforcement agencies.
Irish call traffic data is stored for three years under the State’s current data retention law, one of the longest retention periods in the world. That period would be reduced to two years under legislation currently before the Oireachtas. The average retention period in the EU is 12 months.
According to the report, the vast majority of data requests across the EU – 85 per cent – are made when the data is less than seven months old, with the bulk of requests, 70 per cent, filed for data held for less than three months.
Statistics gathered from member states “support the conclusion that the relevance of data decreases significantly” with age, the report says.
The report found no concrete evidence from any state to support longer retention periods. “No objective elements were found that could support the choice of the retention period: neither the prevalence of certain forms of crime, the geography of the [member state], or (in-)efficiencies of a law enforcement organisation seem to support the choice,” it says.
During a recent Dáil debate on the Data Retention Bill, the Government argued that Ireland needed to retain call data for two years rather than the six months proposed in amendments to the Bill. Labour TDs and Senators have argued for a reduction to six months’ retention, in accordance with recommendations from Europe’s data protection commissioners.
The report shows there are very few requests within any state, including Ireland, for data after 12 months. Only 109 requests in aggregate from eight EU countries including Ireland were made in 2008 for mobile data held longer than 18 months. Only 39 total requests from the same eight countries were made for fixed-line call data stored longer than 18 months.
“The report also shows that the overwhelming majority of requests relate to data which is less than three months old, undermining Irish government claims that it is necessary to store this information for a two-year period,” says TJ McIntyre, law lecturer at UCD and chairman of Digital Rights Ireland.
The report notes that all states found retained data is useful in investigations and in achieving convictions, and can help gain convictions in some areas of crime by providing key evidence that would not be available otherwise.
It also notes that many member states have implemented the EU data retention directive by widening its scope and retaining data that was not retained in the past, often allowing it to be used for more purposes than outlined in the directive, such as for civil litigation on copyright in the UK. Such expansion is referred to as “mission creep” by privacy advocates.
The language used by member states to define data that will be retained is often not the same as the language of the directive, “and even if it is, the interpretation seems to differ”, the report says, adding that this issue is being addressed by the expert group working on the report.
Among stakeholders providing information for the report – which include law enforcement, telecommunications providers, trade organisations, private industry, data protection commissioners, national governments and public representatives – the report indicates that some view the directive as “failed harmonisation” legislation due to its uneven implementation, with varied retention periods and safeguards across the EU.
In its effect on civil liberties, “the retention period is considered by respondents as failed harmonisation, and everything beyond one year ‘clearly disproportionate’. Data retention would bring an end to the right of anonymity for everyday transactions,” the report states.
It adds: “Respondents stressed that the directive failed to deliver on the harmonisation of national laws, and on redressing market distortions, which had been its main goal, but also on the reduction of crime or achieving higher rates of crime clarification. Having regard also to the serious impact on civil liberties, they recommend numerous actions at EU level.”
The report says some respondents feel that in states with lengthy retention periods, private industry is at a competitive disadvantage because of the burden and costs that retention may impose directly or indirectly.
Several network operators said the need to invest in retention infrastructure had caused them to delay or abandon improvements to national networks.
Deutsche Telekom claimed it had spent €5.2 million on implementation of retention infrastructure and €3.7 million a year to facilitate about 13,000 call data requests and 6,500 internet data requests. Other operators said they had spent in excess of €4 million setting up systems for providing access to stored data.
Requiring states to reimburse operators for data retention requests – currently done in very few EU states, according to the report – would reduce spurious requests and “remove some of the market distortions that put EU operators in a disadvantageous position compared to non-EU operators”, particularly internet providers, the report says.
In the Government’s response to a questionnaire on the State’s implementation of data retention, the Department of Justice noted it was considering ways to identify users of pre-paid SIM cards, an issue which was raised by several states.
A case taken by privacy advocate Digital Rights Ireland to overturn Ireland’s existing data retention laws and the EU data retention directive, which underpins the retention Bill currently being debated in the Oireachtas, was referred to the European Court of Justice by the High Court last week.
The draft report can be downloaded at: http://short.ie/xapy3n