ISPs aghast at passing of EU data directive

15 Dec 2005

UPDATE: Despite protests from civil liberties groups, telecoms providers and internet service providers (ISPs), the European Parliament yesterday voted overwhelmingly in favour of the EU’s Data Retention Directive, which ISPs warned is technically unwieldy and assumes every European citizen is already guilty of a crime.

Yesterday, European MEPs voted 378 in favour and 197 against the new directive, which gives each EU member state the powers to store all phone, SMS, internet, fax and email data for a minimum of six months. The directive allows member states the discretion of deciding the upper limit of the retention period. The directive has been deployed as a means to protect European citizens against terrorism and crime, but various industry and civil rights groups argue that it not only infringes on privacy rights but also assumes that all citizens are already guilty.

Telecoms and internet firms typically store data for up to six months for billing purposes. However, various European states engaged in the fight against terrorism are pressing for these firms to store the data for longer, with suggested time frames ranging from 24 months to six years. Poland, for example, is pressing for the retention of data for 15 years.

Ireland already has a law (amendment to the Criminal Justice [Terrorist Offences] Act 2005) that applies to fixed and mobile telephony requiring a three-year retention period for telephone calls. At present there is no obligation to retain internet data.

After justice ministers across Europe approved the text, it only required a single reading and vote in the European Parliament for it to be adopted as a directive and become binding on all EU member states. While it has yet to be ratified by the Council of Ministers, this is a mere formality.

Last week reported on how the Internet Service Providers Association (ISPAI) in conjunction with the European Internet Service Providers Association (EISPA) wrote to MEPs warning that the directive erodes the fundamental principles of privacy and freedom of communications of law-abiding EU citizens. The ISPAI also warned MEPs that complying with the directive would be technically unfeasible and expressed grave misgivings about its true technical effectiveness for the prevention, investigation, detection and prosecution of criminal offences, including terrorism.

It is also feared that voluntary community initiatives such as the Group Broadband Scheme in Ireland could crumble under the weight of storing and backing up large amounts of data on customers’ private communications.

Reacting to the European Parliament’s decision, ISPAI chief executive Paul Durrant stated: “ISPAI is particularly concerned about the imbalances this legislation will produce in the EU market for hosting of e-commerce and other internet service businesses and the negative impact this could have on Ireland Inc where our recent economic success has been interwoven with international ICT businesses locating here.”

He added: “The industry knows the technology underlying its networks better than anyone. Collectively we are saying, we have always facilitated the police (within the procedures and protections built into current law) to investigate where communications have been used in crime and terrorist activities. We agree that the law can be harmonised and improved but data retention is the wrong way to go about it. There are much more efficient methods that do not require long-term storage of information on every electronic communication of every man, woman and child in the EU. The EU telco/ISP industry want to help law enforcement work smarter, not harder, to gather the evidence needed to prosecute serious crime.”

In a statement reacting to the news, the EISPA said: “This directive will impose a significant burden on the European e-communications industry, impacting on its competitiveness. However, only a fraction of the email services used today would be covered by the EU directive as the world’s largest email providers are not in Europe, allowing criminals to easily circumvent the rules.

“The industry is also dismayed by the flexibility given to member states to increase requirements beyond those of the directive at a national level as regards the categories of data to be retained, the retention periods to be applied and the types of crimes for which law enforcement authorities may request data,” EISPA warned.

The news also attracted the ire of the newly established online civil rights body Digital Rights Ireland. In a statement it said: “Digital Rights Ireland deplores the decision of the large parties in the European Parliament to collude with the Council of Ministers in a back-room deal, by-passing the compromise proposal proposed by the Parliament Rapporteur from the Committee for Civil Liberties, Mr. Alexander Alvaro.

“The Directive, as passed, mandates that EU member states, including Ireland, are to track the location of all mobile phones, all calls made from land lines and mobile phones, as well as all information on individuals’ internet and email usage. This will include keeping records of all web sites visited, the senders and recipients of all emails (possibly including the subject lines of same) and the use of any other Internet Protocol (IP) based communication such as the increasingly popular Voice over IP (VoIP) phone providers such as Skype or Blueface, in Ireland.

“Ireland has already had retention of this kind for mobile phone location data and citizens’ phone usage for some years. This regime was placed on a statutory basis this year by way of an amendment to the Criminal Justice (Terrorist Offences) Act 2005, introduced at the Seanad stage. However, the European law now extends such monitoring to internet use and to new emerging technologies such as VoIP. The Directive mandates a minimum of 6 months retention, but the Irish Government has already adopted a retention period of 3 years, the second longest in Europe, in this year’s legislation and may attempt to apply the same to these new areas,” Digital Rights Ireland said.

By John Kennedy