Data retention beyond six months delivers no safety or security gains. It is just a gross imposition on privacy
GETTING RID of data retention – the mandatory storage of every citizen’s telephony and internet usage information – will have absolutely no effect on the successful prosecution of criminal cases.
We now know this to be fact, thanks to Germany, whose courts threw out mandatory data retention a year ago after ruling that the mass retention of data in this way was unconstitutional on privacy grounds. Despite the police having no access to such records after the March 2010 ruling, the latest German crime statistics show that registered crime continued to decline, and that the crime clearance rate in 2010 was the highest recorded.
The German Working Group on Data Retention notes: “Even without such a policy of blanket data retention, the German police achieved a clearance rate of nearly three out of four internet offences (71 per cent) in 2010, exceeding by far the average clearance rate for crimes committed without any use of the internet (55 per cent).”
Even in the area of online child pornography – one of the serious crimes most frequently cited as a justification for bringing in data retention within Ireland as well as across the EU – 79 per cent of cases were resolved in Germany in a year in which the police had no access to retained data.
To give some perspective, only a tiny fraction of crime committed in Germany in 2010 involved the internet at all.
Just 0.1 per cent of crime, for example, concerned illegal pornography on the net, while 23 per cent involved some sort of crime committed on the street and 3.3 per cent, violent crime.
Such figures refute the insistence of states and law enforcement agencies, including those in Ireland, that they require long periods of data retention, well over the six months maximum recommended by the European Data Protection Commissioners’ Article 29 working group.
Indeed, it suggests that mandatory data retention or the addition, in the EU directive, of retaining internet data as well as telephony data, has little effect on the outcome of criminal cases, full stop.
As Michael Ebeling of the German Working Group on Data Retention says: “The truth is that with targeted investigations of suspects, we live just as safely as we would with a policy of indiscriminate retention of all communications data.
“The endless exaggeration and emotionally charged descriptions of isolated cases, combined with a massive media campaign, is both misleading and unethical. In my view this is nothing less than a populist defence of the most privacy invasive and unpopular surveillance measure ever adopted by the EU.”
In Ireland, the Department of Justice, law enforcement agencies and misinformed TDs argued for long periods of data retention, using similar tactics – citing emotive cases like Veronica Guerin’s murder or the Omagh bombing, where call data helped to achieve convictions. Yet the data used in these cases was all less than six months old.
The Government went ahead and introduced some of the longest retention periods in Europe – and internationally – for both telephony records (two years, but initially three) and now, internet records (one year). Most of our European friends chose much shorter periods.
Ireland, to its shame, also was one of the countries which led the way to introduce mandatory data retention across the rest of the European Union.
Business organisations as well as individual companies (and especially the technology industry) have raised concerns over the serious damage that could be caused to the development of digital business – for example, the Government’s current push to make Ireland a centre for internet and cloud computing – if we have these potentially burdensome and costly (and, as we can now see, generally useless and pointless) data-retention laws.
Our laws have been challenged on a constitutional basis thanks to lobby group Digital Rights Ireland in a case awaiting examination by the European Court of Justice.
This is an important case and undoubtedly helped to accelerate the European Commission’s own examination of the controversial directive, which has now been rejected as a violation of citizen privacy in three member states – Germany, the Czech Republic, and Romania.
In the commission’s report, released in April, EU home affairs commissioner Cecilia Malmström at last accepted that there was a number of “serious shortcomings” with the directive and that a “more proportionate, common approach across the EU to this issue” was needed.
The report, which tabulates the number of requests made within certain time periods by law enforcement agencies on a country-by-country basis, offers its own evidence that Ireland’s long retention periods are ridiculous and bear little relation to how the Garda uses retained data.
According to statistics from 2008, 10,997 requests for data less than six months old were made by Irish law enforcement groups. Another 2,791 requests were made for data between six and 12 months old. Only 307 requests were made for data older than one year.
Across the EU, 86 per cent of requests by law enforcement agencies for retained data were made for data under six months old. Only 2 per cent of requests were for data more than a year old. By any measure, retaining call data in Ireland for two (and back then, three) years is vastly disproportionate to need.
We now have hard evidence from Germany to show that the justification for anything other than a six-month, carefully limited data retention regime is unnecessary and delivers no safety or security gains in exchange for burdensome costs on internet and telecommunications companies and a gross imposition on citizen privacy.
