Industry has doubts over Data Retention
Directive
As part of the political reaction to the Madrid train bombings
in 2004 and the terror attacks in London last summer, the
controversial Data Retention Directive was approved, in record
time, by the European Parliament on 14 December 2005. It has been
heralded as a necessary tool in the war against terror and
organised crime - but not everyone is happy, most significantly the
communications industry itself.
Relevant data will now have to be retained for between six
months and two years. EU member states will decide for what periods
within that range data will have to be stored. Longer periods may
be introduced for a limited period in particular circumstances.
The directive requires companies to keep a wide range of data
such as incoming and outgoing phone numbers, the duration of phone
calls, IP addresses that identify log-in and log-off times and
e-mail activity details. It does not require retention of the
content of a communications session - in fact this is positively
prohibited. However, it does include archiving of details of
connected, but unanswered, calls.
Serious crime
Retained data will be made available to law enforcement agencies
for the investigation, detection and prosecution of "serious
crime", although the definition of serious crime has also been left
up to each country.
The stored information will be disclosed in specific
circumstances and will be subject to strict data protection rules.
Sanctions will apply to those who abuse access to it.
The UK communications industry is currently regulated by the
Anti-Terrorism Crime and Security Act 2001. However, the scheme is
voluntary and only provides for retention of subscriber information
and telephony data for 12 months. So, although data retention is
not new to UK operators, the directive has prompted hostility on
several fronts.
First, leaving it to each state to determine the precise period
of retention will lead to inconsistency across Europe and cause a
headache for those operating multi-jurisdictional services.
The directive also broadly defines both "telephone services"
(which extends to SMS and new services) and "internet
communication" (including both e-mail and voice over IP calls) -
making the directive far-reaching.
The extension of Article 3 to unsuccessful call attempts that
are "generated or processed and stored by providers" is also
controversial. The government says these so-called "lost" calls are
crucial because they can be used to direct accomplices or even to
detonate bombs.
However, telecoms operators do not currently register these
calls because they are not billed. Systems must now be adapted to
capture and retain a new category of calls, which is likely to be
expensive.
Cost reimbursement
Businesses in the communications industry will have to increase
storage, develop security systems and add staff to deal with access
requests. The Internet Service Providers Association quotes one
large UK-based ISP as saying it would cost £26m to set up a
compliant system and a further £9m a year to run.
The directive leaves national governments to determine whether
operators will be compensated for these costs. If the UK government
decides against cost reimbursement, operators and service providers
here could be at a big competitive disadvantage if other states do
compensate their providers. Could this lead to a migration of
UK-based providers to more industry-friendly countries?
The police say retention of communications data is essential for
public security, but others say savvy would-be terrorists could
easily circumvent these measures. Are criminals really going to
sign up for an ADSL account when they know they are being
monitored? Given the pace users and internet sites change address,
will e-mail data dating back two years simply be obsolete?
Only time will tell whether the directive will be effective in
fighting terrorism. What is certain is that its effects will be
felt by business almost immediately.
Agreement between the European Council and the European
Parliament is required before the directive becomes law. Member
states will have 18 months to implement it for telephone services,
but 36 months for internet access, voice over IP and e-mail.
Sara Dethridge is a senior associate in the IT/C department
at law firm Baker & McKenzie