This week, EFF is taking part in the 32nd Annual Conference of Data Protection and Privacy Commissioners, where we urged the Privacy Authorities to call for the repeal of the European Union's 2006 Data Retention Directive, which requires Internet service providers operating in Europe to retain telecom and Internet traffic data about all of their customers' communications for a period of at least six months and up to two years, for possible use by law enforcement.
The Data Retention Directive is highly controversial, if not wildly unpopular throughout the European Union. The directive was strongly opposed by European privacy activists. For several years, mass protests have been held in cities across Europe under the banner of "Freedom Not Fear." As each country in the EU has implemented the Data Retention Directive in their own law, they have faced challenges in state courts. In 2007, the German Working Group on Data Retention (AK Vorrat) filed a class-action lawsuit representing 35,000 people challenging the German law. The court found the law was unconstitutional and ordered the immediate deletion of all the data stored since the law went into effect in 2008 and the suspension of data collection until a revised national law is proposed. In 2009, the Romanian Constitutional Court ruled that the Romanian implementation of the EU directive fundamentally violated Article 8 of the European Convention on Human Rights, which guarantees the right to respect for private life and correspondence. The Swedish government has so far refused to implement the Data Retention Directive at all, leading to a lawsuit from the European Commission.
As if the data retention obligations in the Data Retention Directive were not bad enough, European privacy Authorities have found that compliance at national level of Telecom and ISPs with the obligations required from national traffic data retention legislation was unlawful. Data retention periods were found to be as high as ten years, well in excess of the 24-month maximum set in the directive. While the directive itself is limited to the storage of traffic data, Privacy Authorities found that data relating to the contents of communications is also being stored. Several service providers were found to retain URLs of websites, headers of e-mail messages as well as recipients of e-mail messages in "CC"- mode at the destination mail server. And when monitoring phone traffic data, phone companies continuously track the location of the caller.
The experience in Europe makes clear that mandatory data retention regimes are disproportionate and unnecessary. We continue to believe that the legitimate needs of law enforcement can be met by a more targeted data preservation regime, without the collateral damage inflicted by the 2006 directive. Rather than fighting the privacy battle across Europe one state at a time, EFF urges European Privacy Authorities to call upon the European Commission to stand up for Internet users' fundamental rights, and repeal the 2006 Data Retention Directive outright.