News 2003-2008

9/11 has profoundly changed the political rhetoric. The battle against terrorism is morally, and thus politically, unobjectionable. Fighting terror overrides almost any argument. This is not only so in the US ; the 2004 Madrid train bombing and the London subway attacks have provided for a facilitated importing into Europe of this phenomenon. And it seems today that one more political act has fallen prey to this rhetorical shift : the adoption procedure, so far, of the data-retention directive.

On December 14th, after three rounds of revision and over 90 amendments, the proposal for a Directive on the retention of data processed in connection with the provision of public electronic communication services and amending Directive 2002/58/EC has gained approval, following the co-decision procedure of art. 251 EC, of the European Parliament, with a majority of 378 votes to 197. The Council, however, has not yet voted on the directive, which may thus be open to a number of changes until its final adoption-it may, under the co-decision procedure, have to go through two sessions of the Council, one further session of the Parliament, as well as a conciliatory session. Nevertheless, the following focuses on its current contents, which must be denounced vigorously before the final adoption of the directive.

Its goal is to help fight terrorism by making it mandatory for telecom operators and Internet services providers (ISPs) to keep a longer record of communications traveling through their networks, i.e. phone calls, emails, SMS, etc. Originally, access to this backlog was restricted to the proper authorities investigating charges of terrorism. But the entertainment industry’s powerful lobby, understanding that the information thus recorded could constitute a powerful instrument in their fight against copyright infringements, succeeded in having the language dropped that limited access to involve only terrorism charges. This significantly altered the nature of the projected directive.

It may currently be considered a projected piece of legislation flawed on three levels : politically, economically, and legally.

Politically, the projected directive has officially sold a severe intrusion into the average European citizen’s privacy in return for an indispensable means in the fight against terrorist activities. This intrusion of privacy is not to be taken lightly, as it concerns many electronic activities, including web browsing habits, emailing, incoming and outgoing phone calls and SMS, and travel patterns. Information relating to these activities must be backlogged, according to the projected directive, for fixed periods of minimally six to 12 months, depending on the type of data. The directive proposal does not, however, set a maximal time limit for storage. Poland has already announced its intention to store such data for up to 15 years. But, it was argued, safety from terrorism comes at this price. In effect, however, the projected directive rather seems to be the result of the Creative and Media Business Alliance (CMBA) having forced its way in. CMBA, a group of media companies including EMI, SonyBMG and TimeWarner, had been lobbying the EU to allow the information stored by telecoms and Internet providers to be used for investigation of almost any crime, not just of terrorism-related offences, with little prior evidence required. (The next step of the entertainment industry is to push the upcoming legislation that will make certain forms of copyright infringement a criminal offense.) Moreover, the approval itself of the projected directive was suspicious : despite its very controversial nature, it was one of the proposals for a directive to be the most quickly adopted by the parliament in the history of EU law-making, the time between the formal proposal and the approval of the proposal by the parliament having been of three months only. It was also approved after one round of voting, instead of the customary two rounds.

Economically, the projected directive creates a significant burden, in terms of storage costs, for telecoms and the Internet industry. This added burden will impact on the competitiveness of European telecom operators and ISPs, and will be passed on to either the consumer or the taxpayer, if such data storage programs are granted governmental subsidies.

Legally, two concerns are already frequently voiced : the adoption procedure followed for the directive, it is argued, is based on an improper legal basis (and possibly under the incorrect pillar) and it may violate the European Convention on Human Rights (ECHR). As to the first argument, the legal basis used so far for the projected directive has been art. 95 EC (internal market), which provides for majority vote decisions following the procedure of art. 251 EC. Subjecting such a directive to article 95 EC is, however, controversial. A similar case had been raised by the Agreement between the European Community and the USA on the processing and transfer of PNR data, which had also been adopted in a 9/11 spirit. In regard to this agreement, Advocate general Léger had claimed (§§126-162) that art. 95 EC is not the proper legal basis for security-related matters, because the agreement (just as the projected directive in question here) concerned the fight on terrorism, whilst art. 95 EC only concerns the functioning of the internal market of the EC, i.e. the argument is that fighting terror does not fit into the scope of application of art. 95 EC. This has been discussed in greater lengths in another column. It is strictly the same reasoning that applies in the present context. On this basis, several Member States, among which Ireland and Slovakia, as well as MEPs from the green group, argue that the projected directive does not fall under the first pillar at all, but under the third, where unanimous consent by all Member States is required. It may also be submitted that the projected directive has not been misattributed to the wrong pillar, but is merely based on the wrong legal basis pertaining to the first pillar. A more appropriate legal basis would seem to be art. 308 EC, which also requires unanimity. In any event, Ireland has already announced its intention to take this piece of legislation to the ECJ, if it were to be finally adopted. With regard to the ECHR, the argument is that the Convention forbids data to be retained for “more than necessary” and that 15 years of retention certainly exceeds this scope. It may be specified that the remainder of the adoption procedure may still lead to an amendment of the legal basis used for its adoption.

Reproduction autorisée avec indication de la source :
Thomas Schultz, www.unige.ch/ceje, actualité n°: 289 du 15 février 2006.