Dissociative Identity Disorder: Europe's Split Personality On Data Retention

Dissociative Identity Disorder 1

Dissociative Identity Disorder: Europe’s Split Personality on Data Retention Matthew D. Hamilton LI820XA: International Information Policy Emporia State University November 28, 2008

Dissociative Identity Disorder 2 Dissociative Identity Disorder: Europe’s Split Personality on Data Retention

Recently, the issue of privacy has been much discussed in information policy debates, the professional literature, and in the news media at large. Other authors have made much of the European emphasis on privacy rights in contrast to American attitudes (Heisenberg and Fandel, 2004; Salbu, 2002). However, despite an alleged de-emphasis of privacy rights versus the need to combat terrorism, recent electoral changes suggest that Americans are less willing to trade a “little freedom for a little security” after all. Even as Americans seem ready to push back against the most drastic of measures adopted during the Bush Administration, the European Union is taking steps that can potentially undermine its own earlier efforts to protect the privacy rights of its citizens in the form of Directive 2006/24/EC, “on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC”. The first section of this article will describe Directive 2006/24/EC as adopted by the European Council and currently being enacted by the EU member states. The second section will then discuss some of the objections to this directive, including how the retention directive conflicts with the previously established European emphasis on the protection of privacy rights of its citizens. On Data Retention Nettleton and Watts (2006) write that after the attacks of September 11, 2001, EU member nations began to enact legislation requiring that communications providers retain communication data for the purposes of assisting law enforcement in the investigation and

Dissociative Identity Disorder 3 prevention of criminal acts. They cite as an example the U.K.’s “Anti-Terrorism, Crime, and Security Act 2001”, which allowed for the voluntary retention of usage data by service providers that would have previously been prohibited by data protection legislation. However, after the Madrid bombing on March 11, 2004, calls for harmonization of data retention policies across the member states gained political favor and earnest efforts were made on the part of the Commission to enact a directive establishing consistent regulations across the differing member nations. On February 21, 2006, the European Council adopted Directive 2006/24/EC after months of contentious negotiations between the Council, the Commission, the Parliament, and various interest groups. The directive: 1. States its aim is to, “retain certain data and to ensure that those data are available for the purpose of the investigation, detection and prosecution of serious crime”. 2. Establishes a period of retention for data of not less than six months and not more than two years for all providers of “publically available” communications services. 3. Applies to traffic and location data on both legal entities and persons. It does not apply to the content of the messages. 4. Specifies the types of information to be retained, including: the source and destination of the communication—which includes the phone numbers and/or user identity as well as the “machine address” of the equipment; the time, date, length of the communication; and the type and location of the equipment being used. 5. Establishes that communications providers must also utilize an interface which provides this data “without delay”, when requested by “competent national authorities”.

Dissociative Identity Disorder 4 Problems with the Directive There are a number of criticisms made of the directive. The first is that it appears to be in violation of earlier norms of data protection established with EU Directives 95/46/EC and 2002/58/EC. The European Data Protection Commissioners were so concerned about the implications of the directive that prior to its adoption they released a statement expressing that they “have grave doubt as to the legitimacy and legality of such broad measures. They also want to draw attention to the excessive costs that would be involved for the telecommunication and internet industry” (FIPR, 2002). At first glance, one can certainly argue that the new directive violates the spirit of previously enacted European privacy legislation, which Salbu (2001) categorizes as “broad and comprehensive, applying to both public and private sectors” as opposed to American solutions which tend to be reactive and focused on specific issues areas (such as credit reporting, education, financial privacy, telephony, cable, and video). Traditionally, European Privacy protection measures have recognized the “threat to privacy if information relating to any individual is allowed to accumulate as the years go by” (Warner, 2005). Critics also claim that the law violates Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR). Breyer (2005) argues that it violates this article because it does not distinguish between suspects and purely innocent individuals; that the pervasiveness of electronic communications would effectively remove any means of private, unmonitored communications; and that the data is too easily manipulated and or abused by government officials. To know that all communications are monitored would have a chilling effect in a democratic society.

Dissociative Identity Disorder 5 However, Bignami (2007) disagrees with this assertion, claiming that privacy as defined by Article 8 of the ECHR is adequately protected. His argument is that previous data protection measures were designed to protect the misuse of data by private entities or government agencies—but not by national governments exercising their “core sovereignty powers: domestic policing and protecting national security”. Bignami’s assertion does not tend to be supported by other writers. Salbu (2001) and Heisenberg and Fandel (2004) argue that Europe’s emphasis on privacy rights partially stems from the Third Reich’s use of data collection technologies—suggesting a fear of the state itself. Indeed, Article 17 of the ECHR specifically prohibits the abuse of any of its protections by the State (Council, 1950). Breyer (2005) writes, “Experience shows that the risk of powers being abused, especially where they are exercised in secret, must not be underestimated, even in Europe.” Another criticism of the directive is that while at first glance, it may appear that storing context data, rather than content data, helps alleviate privacy concerns. However, as Kotzanikolaou and Douligeris (2007) point out—disclosure of context reveals the identity of the parties involved, the time and location of the communication, and also reveals something about the content of the communication. For instance, it is easy enough to follow the IP address of a site visited to access the information on the web site stored on the server. Church and Kon (2007), illustrate how search engine data, which includes the identifying IP address of the searcher, also reveals much about the content of an individuals’ queries. While anyone can support the prevention of visits to a site specializing in child pornography, it becomes much more problematic when dealing with issues that are less clear-cut. What if someone is researching terrorism rather than supporting it? Such visits would draw the

Dissociative Identity Disorder 6 same scrutiny to the individual involved. The presumption of innocence, as guaranteed by Article 6 of the ECHR, will have been compromised in this situation. Regardless of one’s thoughts on privacy, there are other criticisms of the directive as well. The directive’s language is riddled with ambiguities. While it states that it is intended to fight “serious crime”, it does not define what crimes qualify as “serious” nor does it prohibit member states from enacting laws that allow access to the data for investigations into civil, rather than criminal, matters. Already Germany has moved to enact laws that allow the use of retained data in cases involving violation of intellectual property laws (Horns, 2007). Another criticism of the directive is that despite the stated intent to “harmonize” the data retention policies across member states, many communication service providers are frustrated that the directive leaves such a wide range of possible retention periods open for differing national policies. Thus, even if a multinational company is retaining customer data for the legally proscribed period in say, France for two years—they may be compelled by Germany and the preexisted data protection laws to delete their records after 6 months (Nettleton and Watts, 2006). A final criticism of the directive is the added cost to service providers and the corresponding burden on the consumer. One area where costs rise is in the requirement that “competent national authorities” be given access “without undue delay” to this stored data when requested. As Taylor (2006) highlights, the technical specification of storing and transmitting this data in a secure and portable format is left unaddressed. This leaves a difficult technological problem for service providers to solve at their own cost or face legal sanction as the means of storing and accessing the data are likely to vary widely among service provider systems. Additionally, the cost of storage itself was left unaddressed by the directive, leaving member nations to decide for themselves whether to reimburse service providers for this added expense.

Dissociative Identity Disorder 7 The Future of the Directive While the importance of stopping terrorism is not to be discounted, it does seem that the directive leaves a financial and technological burden at the feet of service providers that may leave them at a competitive disadvantage in the world market. Even more alarming is the dramatic turn this indicates in the EU’s attitude towards privacy rights for its citizens. While the EU acted quickly and decisively to prevent private entities from exploiting the data of its citizenry, it has acted just as hastily to essentially remove those protections entirely where law enforcement is concerned. It is not surprising to see a backlash among concerned policymakers and advocacy groups rearing its head. This is a saga unfolding as we speak, with the “extended adoption period” ending in March 2009. As of this writing, 16 of 25 member nations had chosen to take advantage of this extra time—seemingly indicative of the difficulty of gaining internal acceptance for the directive’s requirements. Given the many problems with both the technical and philosophical aspects of the directive, as well as the potential added costs of storage and compliance to service providers, it is likely that the directive will be challenged in the courts of EU member nations as they attempt to bring their national laws in line with its mandates.

Dissociative Identity Disorder 8 Works Cited 2006/24/EC. (European Union Directive 2006/24/EC of March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communication networks and amending Directive 2002/58/EC). Official Journal of the European Union, L 105, 56-63. Bignami, F. (2007). Protecting privacy against the police in the European Union: the data retention directive. Chicago Journal of International Law. Duke Science, Technology & Innovation Paper No. 13. Retrieved November 29, 2008, from SSRN: http://ssrn.com/abstract=955261 Breyer, P. (2005). “Telecommunications data retention and human rights: the compatibility of blanket traffic data retention with the ECHR” European Law Journal 11, 365. Retrieved November 29, 2008, from http://www.tkgverfassungsbeschwerde.de/data_retention_and_human_rights_essay.pdf Council of Europe. (1950) Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR). Retrieved November 29, 2008, from http://conventions.coe.int/Treaty/en/Treaties/Html/005.htm. Church, P. and G. Kon. (2007). Google at the heart of a data protection storm. Computer Law & Security Report, 23(5), 461-465. Foundation for information policy research (FIPR). (2002). Statement of the European Data Protection Commissioners. Retrieved November 29, 2008, from http://www.fipr.org/press/020911DataCommissioners.html Heisenberg, D. and M. Fandel. (2004). Projecting EU regimes abroad: The EU data protection directive as global standard. In S. Braman (Ed.), The emergent global information policy regime (pp. 109). New York: Palgrave Macmillan. Horns, A. German government passes "bill for improving the enforcement of intellectual property rights". Patentanwalt, Axel H. Horns' blog on intellectual property law - patent, trade mark & design. Retrieved November 29, 2008, from http://www.ipjur.com/2007/01/germangovernment-passes-bill-for.php3 Kotzanikolaou, P. and C. Douligeris. (2007). "Privacy threats of data retention in Internet communications," IEEE 18th international symposium on personal, indoor and mobile radio communications, 1-7. Retrieved November 29, 2008, from http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=4394199&isnumber=4393983 Nettleton, E. and M.Watts. (2006). The data retention directive. Journal of Database Marketing & Customer Strategy Management, 14(1), 74-77. Retrieved November 28, 2008, from ABI/INFORM Global database. (Document ID: 1204693091). Salbu, S. (2002). The European Union data privacy directive and international relations. Vanderbilt Journal of Transnational Law, 35, 655. Taylor, M. (2006). The EU data retention directive. Computer Law & Security Report, 22(4), 309-312. Warner, J. (2005). The right to oblivion: Data retention from Canada to Europe in three backward steps. University of Ottawa Law & Technology Journal, 2(1), 75.