Industry has doubts over Data Retention Directive
As part of the political reaction to the Madrid train bombings in 2004 and the terror attacks in London last summer, the controversial Data Retention Directive was approved, in record time, by the European Parliament on 14 December 2005. It has been heralded as a necessary tool in the war against terror and organised crime - but not everyone is happy, most significantly the communications industry itself.
Relevant data will now have to be retained for between six months and two years. EU member states will decide for what periods within that range data will have to be stored. Longer periods may be introduced for a limited period in particular circumstances.
The directive requires companies to keep a wide range of data such as incoming and outgoing phone numbers, the duration of phone calls, IP addresses that identify log-in and log-off times and e-mail activity details. It does not require retention of the content of a communications session - in fact this is positively prohibited. However, it does include archiving of details of connected, but unanswered, calls.
Retained data will be made available to law enforcement agencies for the investigation, detection and prosecution of "serious crime", although the definition of serious crime has also been left up to each country.
The stored information will be disclosed in specific circumstances and will be subject to strict data protection rules. Sanctions will apply to those who abuse access to it.
The UK communications industry is currently regulated by the Anti-Terrorism Crime and Security Act 2001. However, the scheme is voluntary and only provides for retention of subscriber information and telephony data for 12 months. So, although data retention is not new to UK operators, the directive has prompted hostility on several fronts.
First, leaving it to each state to determine the precise period of retention will lead to inconsistency across Europe and cause a headache for those operating multi-jurisdictional services.
The directive also broadly defines both "telephone services" (which extends to SMS and new services) and "internet communication" (including both e-mail and voice over IP calls) - making the directive far-reaching.
The extension of Article 3 to unsuccessful call attempts that are "generated or processed and stored by providers" is also controversial. The government says these so-called "lost" calls are crucial because they can be used to direct accomplices or even to detonate bombs.
However, telecoms operators do not currently register these calls because they are not billed. Systems must now be adapted to capture and retain a new category of calls, which is likely to be expensive.
Businesses in the communications industry will have to increase storage, develop security systems and add staff to deal with access requests. The Internet Service Providers Association quotes one large UK-based ISP as saying it would cost £26m to set up a compliant system and a further £9m a year to run.
The directive leaves national governments to determine whether operators will be compensated for these costs. If the UK government decides against cost reimbursement, operators and service providers here could be at a big competitive disadvantage if other states do compensate their providers. Could this lead to a migration of UK-based providers to more industry-friendly countries?
The police say retention of communications data is essential for public security, but others say savvy would-be terrorists could easily circumvent these measures. Are criminals really going to sign up for an ADSL account when they know they are being monitored? Given the pace users and internet sites change address, will e-mail data dating back two years simply be obsolete?
Only time will tell whether the directive will be effective in fighting terrorism. What is certain is that its effects will be felt by business almost immediately.
Agreement between the European Council and the European Parliament is required before the directive becomes law. Member states will have 18 months to implement it for telephone services, but 36 months for internet access, voice over IP and e-mail.
Sara Dethridge is a senior associate in the IT/C department at law firm Baker & McKenzie