21.3.2006   

EN

Official Journal of the European Union

C 69/16

1.1

The Committee is very surprised and concerned by the submission of such a legislative proposal: its provisions are disproportionate and infringe fundamental rights.

1.2

The proposal's approach to fundamental rights, particularly the right to privacy, is inappropriate and could clash on certain aspects.

1.3

It runs the risk of undermining the confidence of users of electronic communications and discouraging them from using ICTs. This loss of consumer confidence could hinder the future development of the information society in the long term and thus jeopardise the Lisbon Strategy.

1.4

The Committee doubts that the proposal fully complies with the principles of subsidiarity and proportionality, due to the absence of reasons for concluding that a Community objective can be better achieved at Community level.

1.5

The additional costs incurred by operators from the storage and transmission of the data referred to in the proposal should be considered as a charge that ought to be borne by the providers simply as a part of being on the market, rather than by the public purse and thus all citizens.

1.6

For all the above reasons, the Commission should substantially revise this proposal. As a whole it does not, in the Committee's opinion, comply with either fundamental rights or the rules of access, use and exchange of data.

2.1.1

There are currently various Community provisions on the obligations of service providers. The data in question here are those referred to in Article 1, in conjunction with Article 2a of Directive 95/46/EC of 24 October 1995 (1). This directive deals with the general obligations of Member States and is aimed at ensuring protection of the privacy of individuals with regard to the processing of personal data.

2.1.2

In addition, Directive 2002/58/EC of 12 July 2002 (2) specifically addresses the processing of personal data and the protection of privacy in the electronic communications sector. The Committee issued an opinion (3) on the proposal at the time.

2.1.3

The principle underpinning the two directives is that stored data should be deleted once their retention can no longer be justified. Directive 2002/58/EC ensures that providers of publicly available electronic communications services take appropriate measures to safeguard the security of their services; the Member States must ensure the confidentiality of electronic communications, and in particular prohibit listening, tapping and storage by persons other than the users, with the exception of providers for billing purposes, and then only for as long as needed. Traffic and location data may only be processed when they are made anonymous or with the consent of the users.

2.1.4

Article 15 of Directive 2002/58/EC enables Member States to retain data in exceptional cases, where it is deemed necessary, appropriate and proportionate to the prosecution of criminal offences. Member States were unable to agree on a time limit for such retention in the negotiations on the Directive on data protection in electronic communications and had to abandon attempts to fix a limit.

2.1.5

On 25 March 2004, the European Council considered the possibility of establishing rules on the retention of data generated by providers of electronic communications services. In response, four Member States (France, Ireland, Sweden and the United Kingdom) presented a draft initiative with a view to adoption of a Council Framework Decision on the retention of data processed and stored in connection with the provision of publicly available electronic communications services or data on public communications networks for the purpose of prevention, investigation, detection and prosecution of crime and criminal offences including terrorism.

2.1.6

This proposal was rejected by the European Parliament, which harboured doubts over its legal basis, the proportionality of the measures and the possible contravention of Article 8 of the European Convention on Human Rights (4).

2.2.1

The Commission has submitted a Proposal for a Directive of the European Parliament and of the Council, on the basis of Article 95 of the Treaty establishing the European Community, on the retention of data processed in connection with the provision of public electronic communication services and amending Directive 2002/58/EC.

2.2.2

This is a regulatory instrument designed to harmonise the legislation of the Member States. In order to prevent, investigate, detect and prosecute certain crimes (especially terrorism and organised crime), it establishes the obligations of providers of electronic communications services regarding the storage and processing of data (Article 1(1)).

2.2.3

The proposal applies to the traffic and location data of legal and private persons who send or receive these communications. However, it does not apply to the content of these communications (Article 1(2)).

2.2.4

To this end, the proposal requires the Member States to adopt measures to ensure that operators of these services retain the data in question and send them only to the national authorities responsible for preventing and combating crime, in accordance with the objectives of the proposal (Article 3).

2.2.5

Furthermore, the proposal specifies the categories of data to be retained. Data needed to identify the source and destination of the communication, the time and duration of the communication, the type of communication, the location of users, etc. (Article 4 and Annex).

2.2.6

It also states that data are to be retained for a period of one year for fixed or mobile telephone communications, and six months for Internet communications (Article 7).

2.2.7

It also establishes the operator's duty to transmit the data retained, at the request of the competent national authorities (Article 8), and the Member States' duty to provide the European Commission annually with certain statistical data regarding this (Article 9).

2.2.8

Finally, it establishes the national authorities' duty to reimburse communications operators for all additional costs incurred from the storage and transmission of the data in question (Article 10).

2.3.1

The Committee is very surprised and concerned by the submission of such a legislative proposal: its provisions seem disproportionate and infringe fundamental rights.

2.3.2

In its proposal, the Commission turns current national public security measures into ‘measures having equivalent effect’ (obstacles to the internal telecommunications market) that should be removed in accordance with Article 14 of the EC Treaty.

2.3.3

This proposal will have far-reaching implications for the protection of all users of electronic communications services. It runs the risk of undermining consumer confidence and discouraging them from using both ICTs in general and, more specifically, new electronic services. This loss of consumer confidence could hinder the future development of the information society in the long term and thus jeopardise the Lisbon Strategy.

2.3.4

It is difficult to understand the proposal's approach to fundamental rights, particularly the right to privacy. The Commission uses two different parameters of legality and applies its own particular test, after which it concludes that the proposal does not infringe fundamental rights.

2.3.5

Firstly, it uses Article 15.1(1) which, although it appears in Directive 2002/58/EC, reproduces, almost word for word, provisions from the International Pact on Civil and Political Rights (Article 4 and 12) and of the European Convention on Human Rights (Articles 9, 10 and 11). These provisions have been subject to much exhaustive interpretation by the competent bodies and authorities; it is therefore unacceptable that the Commission claims to give ex novo interpretations of the issue.

2.3.6

Secondly, this test of legality is dependent on various provisions of the Charter of Fundamental Rights, a regulatory instrument which, although supported by the broadest possible European consensus, is still not in force and cannot be invoked in law as a guarantee of justice.

2.3.7

Incomprehensibly, this already flimsy test is revealed to be further flawed by the fact that the Commission only takes into consideration Articles 7 (respect for private and family life) and 8 (protection of personal data) of the Charter, ignoring other rules, such as Articles 36 (access to services of general interest), 38 (consumer protection), 47 (the right an effective remedy) or 48 (presumption of innocence).

2.3.8

The Commission should think and act more meticulously and scrupulously with regard to fundamental rights, to avoid a future declaration of the unconstitutionality (5) of the proposed rules by the Member States' constitutional courts.

2.3.9

With regard to the principle of subsidiarity, it is surprising that the Commission explains that to date neither the Council nor the Parliament have been able to agree on a solution to the problems in question and hence calls for supranational action in the field of the internal market as a way of proceeding with its regulation.

2.3.10

This form of reasoning would be logical if security problems were comparable to others that affect the functioning of the internal market (for example, those to do with trade, tax or labour), if there were final deadlines for the adoption of rules (established in the Treaties or in secondary legislation), or finally, if it were possible and necessary to create a uniform legal area in this matter.

2.3.11

However, security of the State is not provided for in Community law, in contrast to the concepts of public order and security set out in the Treaties to justify, if applicable, the adoption of exceptional security measures by Member States.

2.3.12

There is no clear basis in the Treaties for action, nor any deadline that necessitates immediate of their action. Finally, the security threats facing Member States cannot be subsumed in a harmonisation instrument that aims to take an identical (for want of a common) approach to different situations.

2.3.13

With regard to the principle of proportionality, any rule restricting fundamental rights requires by law the participation, by means of a law, of national parliaments, as well as legislative guarantees of (ex ante or ex post) judicial control. It is difficult to imagine how the disappearance of a few ‘invisible barriers’ that obstruct the provision of electronic services communications throughout the internal market can bring about a succession of changes to national laws that guarantee fundamental rights, as well as the national systems that safeguard them.

2.3.14

Therefore, the Committee doubts that the proposal complies with the principles of subsidiarity and proportionality, due to the absence of reasons for concluding that a Community objective can be better achieved at Community level.

2.3.15

Furthermore, it is surprising that the Commission proposal only refers to the needs and legitimate rights of communications operators, completely overlooking those of consumers and forgetting that the Community is expected to contribute ‘to the strengthening of consumer protection’(Article 3t, TEC), ‘ensure a high level of consumer protection’ and ‘contribute to protecting the…economic interests of consumers’ (Article 153, TEC).

2.4.1

The proposal is based on Article 95(1) of the TEC. In this context, the Committee recommends taking into consideration the possible impact on the pillar of police and judicial cooperation in criminal matters, particularly in the case of non-Community operators of electronic communications, where the states of origin require specific agreements with Member States to establish reciprocal conditions for provision of services for reasons of national security.

2.4.2

In its draft directive, specifically Article 1, the Commission seems to overlook the fact that, although data within its area of application is apparently ‘neutral’ (the identity of the source and destination of communications, duration of communications, location, frequency, etc.), this information constitutes an invasion of privacy and in many cases can also encroach on other rights such as professional secrecy or the right to legal assistance.

2.4.3

Under the current approach to European public order, established by the European Convention on Human Rights and Member States' constitutional traditions, the right to privacy is defined not only passively but also, albeit with less force, actively.

2.4.4

That is to say, individuals, EU citizens or not, have the right to know who is intercepting their communications, why and how often, as well as the right to access any database, public or private, where this type of information is kept (6).

2.4.5

The proposal affects fundamental rights, specifically Article 8 of the ECHR, and can have a considerable impact on civil liberties and fundamental rights. Therefore the Committee believes that, as with any exception to the general rule, its content should be limited to laying down provisions that affect these rights as little as possible.

2.4.6

The categories of data to be retained, enumerated in Article 4 and in the Annex, constitute an initial list that can be revised using the comitology procedure. However, the Committee considers it inappropriate that, as this concerns a fundamental right, the Parliament would not be involved in any extension of the categories of data to be retained. This is a methodology much more appropriate to neutral technical standards than the rules on the retention of data that are addressed in the proposal.

2.4.7

The amount of data to be retained seems excessive if the aim is simply to find information useful to an investigation; therefore the quantity of data to be retained should be limited and commensurate with what is required to achieve the proposal's aim. Access to the data must not be possible without judicial authorisation. Hence, the aim set out in the proposal of preventing certain criminal activities is difficult to understand, although the retention of traffic data may be useful to an investigation and to other aims set out in the proposal.

2.4.8

The period of retention is too long, since the Commission does not justify the need to retain data for this length of time. The Committee believes that a standard six months would be a reasonable amount of time, with appropriate security and confidentiality measures.

2.4.9

The directive does not lay down rules that prevent possible access to retained data by the providers and other interested parties; therefore it must be stipulated that this data may only be accessed in specific cases and under judicial supervision. Regrettably, the proposal does not explain how retained data would be protected during the required time periods.

2.4.10

The proposal's reference to data being transmitted to the ‘competent national authorities’ is excessively general and it should be expressly stated that the retained data may only be sent to authorities that can guarantee the quality, confidentiality and security of the data obtained. The Committee believes that there are certain concepts in the proposal, such as the above, that merit some definition to avoid different interpretations.

2.4.11

It is surprising that Article 10 of the proposal provides for so-called ‘additional costs’ incurred by operators in fulfilling the duties of storing and transmitting data, and that, according to the Commission, they should be reimbursed from public funds because, as stated in Recital 13 of the proposal, ‘the benefits in terms of public security impact on society in general’.

2.4.12

The Committee completely disagrees with the Commission on this point and believes that this statement is, to say the least, inaccurate. Each Member State is free to establish the amount and formula of compensation for these costs, in line with their own criteria, circumstances and security needs, although as recognised by the Commission (Recital 5), many Member States have not even established any such legislation.

2.4.13

The Commission's criterion raises the following questions:

2.4.14

Therefore, and assuming that the proposal for a Directive is successful, these costs should be considered as a charge that is to be borne by the providers, not by the public purse and thus all citizens, simply as part of being able to operate in the market. The Committee believes that this proposal to reimburse additional costs is inappropriate and should be removed.

2.4.15

For all the above reasons, the Commission, as the guardian of the Treaties and of their core principles as stated in Articles 6(1) (7) and 6(2) (8) of the TEU, should substantially revise this proposal. As a whole it does not, in the Committee's opinion, respect either fundamental rights or the rules of access, use and exchange of data.