Tuesday, June 07, 2011

EDPS recommends abolition of data retention directive

The EU Data Protection Supervisor, Peter Hustinx, has issued a strongly worded opinion saying that the data retention directive is incompatible with the EU's privacy protections and that the directive has failed to meet its primary objective of harmonising the laws of member states on data retention.
"VI. Conclusion
83. The EDPS is pleased that, although not strictly required by Article 14 of the Data Retention Directive, the Commission also took into account in the Evaluation report the implications of the Directive for fundamental rights.
84. The Evaluation report shows that the Directive has failed to meet its main purpose, namely to harmonise national legislation concerning data retention. Such a lack of harmonisation is detrimental to all parties involved: citizens, business operators as well as law enforcement authorities.
85. On the basis of the Evaluation report it may be concluded that the Data Retention Directive does not meet the requirements set out by the rights to privacy and data protection, for the following reasons:
- the necessity of data retention as provided for in the Data Retention Directive has not been sufficiently demonstrated;
- data retention could have been regulated in a less privacy-intrusive way;
- the Data Retention Directive lacks foreseeability.
86. The EDPS calls upon the Commission to consider seriously all options in the impact assessment including the possibility of repealing the Directive, either per se or combined with a proposal for an alternative, more targeted EU measure.
87. A future Data Retention Directive could be considered only if there were agreement on the need for EU rules from the perspective of the internal market and police and judicial cooperation in criminal matters and if, during the impact assessment, the necessity of data retention, supported and regulated by the EU, could be sufficiently demonstrated, which includes a careful consideration of alternative measures. Such an instrument should fulfil the following basic requirements:
- It should be comprehensive and genuinely harmonise rules on the obligation to retain data, as well as on the access and further use of the data by competent authorities.
- It should be exhaustive, which means that it has a clear and precise purpose and the legal loophole which exists with Article 15(1) of the ePrivacy Directive is closed.
- It should be proportionate and not go beyond what is necessary."

Just to be clear:
1. the need for data retention has not been justified
2. data retention is incompatible with data protection and privacy regulations
3. the effects of data retention are unpredictable
4. the directive has failed in its aim to harmonise the laws of member states on data retention
5. the EU should abolish the data retention directive
6. having abolished it, if the EU are to consider data retention directive version 2.0 they'd better produce strong evidence in advance that it is necessary, proportionate and very clearly and narrowly focussed
That's a pretty succinct and damning assessment.
