EU Delay Revision of Internet Data Retention Directive to Boost Privacy

The European Commission (EC) appears to have quietly confirmed that it will not revise the controversial Data Retention Directive (DRD) this year, which could affect the UK’s draft Communications Data Bill that seeks to expand the country’s internet snooping power through big broadband ISPs.

The DRD is essentially a mirror for the UK’s existing Regulation of Investigatory Powers Act 2000 (RIPA), which gives the government, local authorities and security forces the power to request that an ISP or telephone operator be required to retain a very basic log of their customers phone and internet use.

But the DRD has historically had a “complex legal relationship” with its rival e-Privacy Directive, which isn’t helped by the fact that neither has been able to produce an effective definition of serious crime. This same problem also afflicts the UK’s newly proposed Comms Data Bill, which some fear could allow for requests about less serious offences.

Crucial to all this is the fact that the EC has been considering a repeal or amendment to article 15 of the e-Privacy Directive, which is the part that allows Member States (e.g. the UK) to, “restrict privacy rights and obligations, including through the retention of data for a limited period, where ‘necessary, appropriate and proportionate“. The last part is seen as contradicting the definition of serious crime.

Now a new email circulated by the European Internet Services Providers Association (EuroISPA), which has since been posted into the public domain, reveals that the EC intends to resolve this conundrum and potentially improve privacy, at least in one area, by delaying its DRD so that it can be revised at the same time as the e-Privacy Directive.

EuroISPA Mail Shot

“After discussions at cabinet level between Commissioners Kroes and Malmström, the decision has been taken to postpone the revision of the Data Retention Directive (DRD) to have it in parallel with the e-Privacy Directive.

This complex legal relationship between the Directive and the e-Privacy Directive, combined with the absence of a definition in either of the two directives of the notion of ‘serious crime’, makes it difficult to distinguish, on the one hand, measures taken by Member States to transpose the data retention obligations laid down in the Directive and, on the other, the more general practice in Member States of data retention permitted by Article 15(1) of the e-Privacy Directive.”

As a result both directives will now be delayed until 2013 or 2014, although this is contingent upon the European Parliament (EP) and Council being able to get their related General Data Protection Regulation (GDPR) ready first, which will help to inform both of the other directives.

At this stage it’s still too early to say whether or not any proposed changes will have a positive or more detrimental effect upon the privacy of individual citizens, although it’s fair to say that many in Europe feel the original directive went too far. But at the same time there are others whom, like the UK government, would like to see some aspects expanded to cover new internet systems and services. Other issues, such as the cost burden upon ISPs and the length of data storage, are also likely to be tackled.