EU Data Retention Implementation Deemed Unlawful By EU Authorities Drew Wilson | July 16, 2010 Civil rights advocates have achieved a key victory in the fight against the European-wide data retention policy. A short report from EU authorities says, “European Data Protection Authorities find current implementation of data retention directive unlawful” Note: This is an article I wrote that was published elsewhere first. It has been republished here for archival purposes It’s been a while since we’ve heard much about the EU data retention policy. Even the group against data retention, “Data Retention is no Solution” seemed to have stopped reporting on news as of 2007 if the Wiki is anything to go by. That doesn’t mean the story is dead completely though. An announcement has been made (PDF) by EU authorities saying that the implementation of the data retention policy in Europe was unlawful. “The report that results from a joint inquiry carried out by the data protection authorities,” the announcement says, “concludes that the obligation to retain all telecom and internet traffic data resulting from the directive is not applied correctly in the EU member states.” “Most importantly,” the announcement continues, “service providers were found to retain and hand over data in ways contrary to the provisions of the directive. The provisions of the data retention directive are not respected and the lack of available sensible statistics hinders the assessment of whether the directive has achieved its objectives. The European Data Protection Authorities therefore call on the European Commission to take into account the findings of the report when taking the decision on whether or not to amend or repeal the Directive.” Katitza Rodriguez of the Electronic Frontier Foundation (EFF) calls this a “landmark announcement” and summarized the important findings: * “Service providers were found to retain and hand over data in ways contrary to the provisions of the [data retention] directive.” * “There are significant discrepancies regarding the retention periods, which vary from six months to up to ten years, which largely exceeds the allowed maximum of 24 months.” * “More data are being retained than is allowed. The data retention directive provides a limited list of data to be retained, all relating to traffic data. The retention of data relating to the content of communication is explicitly prohibited. However, it appears from the inquiry that some of these data are nevertheless retained.” * Regarding Internet traffic data: “Several service providers were found to retain URLs of websites, headers of e-mail messages as well as recipients of e-mail messages in “CC”- mode at the destination mail server. * Regarding phone traffic data: “it was established that not only the location of the caller is retained at the start of the call, but that his location is being monitored continuously.” * “Member states have scarcely provided statistics on the use of data retained under the Directive, which limits the possibilities to verify the usefulness of data retention.” * “The provisions of the data retention directive are not respected and the lack of available sensible statistics hinders the assessment of whether the directive has achieved its objectives.” European Data retention, or Directive 2006/24/EC, has been a hugely controversial policy that contains surveillance measures on internet users. According to the Wikipedia entry, “According to the directive, member states will have to store citizens’ telecommunications data for six to 24 months stipulating a maximum time period. Under the directive the police and security agencies will be able to request access to details such as IP address and time of use of every email, phone call and text message sent or received. A request to access the information will be able only with a court order.” Data retention was just one of many issues the Freedom, Not Fear campaigns targeted in their many European-wide protests. Where will things go from here? That’s difficult to say. If the announcement is anything to go by, anything from amending or even repealing the EU data retention directive could occur. Clearly, there are problems with data retention in its current form, one of the most obvious is the implications of basic civil liberties. Drew Wilson on Twitter: @icecube85 and Google+.