Data Retention: human rights vs. government demands through telecom market regulation? – WS 03 2012
14 June 2012 | 14:00-15:15
Programme overview 2012
- Rainer Stentzel, German Ministry of Interior
- Oliver Süme, EuroISPA and eco
- Katarzyna Szymielewicz, EDRi
- Giuseppe Vaciago, Academia
- Ludo Keizer, Bits of Freedom
- Wolf Ludwig, EURALO
Provided by: Caption First, Inc., P.O. Box 3066, Monument, CO 80132, Phone: +001-719-481-9835, www.captionfirst.com
This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.
>> WOLF LUDWIG: May I please ask the audience to get seated because we have a limited time scheduled for our workshop and I do not want to start much later? We want to have enough time for our discussion.
First of all, welcome to our first afternoon session. There are different workshops and you have chosen the option to join our Workshop 3 on data retention. I think this is an excellent follow-up from one touchy subject we had in the morning before the lunch break when we were talking about intellectual property rights in the environment. I think data retention is a subject what is at least as touchy for many people for many users concerned about privacy as IP rights and regulations are.
Let me first shortly introduce our panelists. I have the pleasure to introduce Katarzyna. I cannot pronounce her family name. All of the details – she’s representing EDRI. All of the details on the panelists, I would like to ask you, please, you can find them in the bios on the Web site.
I have the pleasure to welcome Rosa Barcelo representing the EU Commission. Oliver Sume, representing Eco and EuroISPA as a representative from the business sector. And to your far left we have Giuseppe Vaciago, who is a lawyer but a consultant for industry since many years. So he is more or less from the academia point of view and the business so he is related or connected to various fields. He also has a very broad background on the issue from Italy and I think from other countries.
This is Ludo Keizer, my Co-Moderator. And we have Sorina Teleanu as a focal point for this workshop that’s taking the role as the remote participation moderator. So she will be part of the moderation team. And as we did in previous sessions, whenever there is a remote participation question/comment coming in, we consider it immediately.
Let me before I give the floor to our panelists try to make a short and punchy introductory statement.
Data retention, the most famous set event many years ago. And afterwards, a lot of things in life have changed dramatically.
There is one Government who says we have the right for our internal domestic security concerns to observe and trace the rest of the world with our needs getting data from – communication data from whoever. And this will be stored not here in Europe. We have the right to do it under our own jurisdiction, et cetera.
My question from the very first beginning was as an Internet user, if any other Government would have ever dared to try something comparable like this. I think the scandal would have been obvious.
And most of the other governments would have said from the very beginning: No way.
So there is a kind of an improper balance of interests. And afterwards, the rest of the world, Europe included, had to follow the pattern which was not done in the European context but somewhere else. So we are more or less following up what was demanded from us.
This was more or less a basic outline of the conflict. Then a lot of other governments had to try to find some regulation on this.
Let me just mention one particular example for me. It’s a very interesting one. The example – I am a Germ citizen. I follow the debate in Germany with considerable interest. We have a conflict within the Government. It’s a governmental coalition where the two partners have different approaches on the subject. So we have more or less a consensus debate inside the Government. And the Government on the other hand towards a compact – perhaps we have another level of interests or conflict when the Commission is saying: You are now – it’s a directive. You are now forced to implement it, et cetera.
So on various levels it’s exciting – it’s an exciting issue.
So let me start with Oliver first. What is your approach from the business sector point of view to the debate?
>> OLIVER SUME: This is a perspective, we, first of all, have to see that data retention is very costly to operate. And it’s very challenging, also, from a technical and from a security point of view. And we are facing a situation currently where we have very different legal situations in the different Member States of Europe. Because the basic approach of the directive to harmonize data retention is something that never happened. This is due to some constitutional court verdict on the one hand it’s because of different implementations in the Member States of the other hand. And from a business perspective, this means that a provider that is a pan European provider providing his services in several countries has to deal with completely different legal frameworks than the Member States. You have different periods of storage.
You have different scope of data the provider has to store. And a very important point from a business perspective is that you also have different legal framework regarding the reimbursement of the costs because it’s us who have to run the technical systems and to have to pay for that. And the situation in Germany for example was that we had no reimbursement for these costs at all. We have a different situation in UK where the companies get at least a little bit of the reimbursement and where some companies, it depends on the size if you have to store or not there are exemptions for smaller companies that’s not the case in Germany and we have another regulation in Austria and so on and so on. That means as a company you are facing very different legal situations. That makes it very complicated. And it makes it very expensive.
That’s the business view. And of course we are not reduced to a business view. We also have a legal and a political view on this.
And the main question if you discuss about data retention is the question about proportionality. And that is something that from my view still has to be discussed. I know and you may know that the Commission is carrying out an impact study now. And all we know and all that everybody knows who is involved in this discussion is that currently we have an absolutely lack of data and there is absolutely no proof for – that we really need data retention. And that it serves law enforcement in an effective way. That’s the situation we’re facing as a business constituency.
>> WOLF LUDWIG: Okay. Thanks a lot for this first introduction and point of view from a business perspective. There is no proof or evidence whether this is really needed whether this is proportional.
On the other hand, if I am right, Germany was recently sued by the Commission for not implementing it according to the plans. On the other hand, the Commission is just on the way to revise the Directive. What is from your perspective and position? What do you think is needed?
>> ROSA BARCELO: Before I answer your question, just for the sake of – I would like to point out something. I work for the Commission. I work for the Information Society and my unit is competent for online privacy. So today personally I am responsible for the e-privacy directive so here I’m here representing not this position but my colleagues from the DG for the responsible for the DG directive couldn’t be here and this morning they asked if I would replace them I took the briefing and I will replace them but I would like this to be because my level of knowledge and approach might be different.
>> LUDO KEIZER: You are in a tablet centric situation.
>> ROSA BARCELO: Yes. So on the review, the Commission indeed has performed in the 12 months – the last 12 months some sort of assessment of the – whether the Directive should remain and if it should whether it should be amended if it does.
Now the reviews are still ongoing. This review has consisted mainly in one-day workshops, letters, meetings with different stakeholders, including Member States authorities. And it has not finished yet but it’s already shedding some light and contrary to I’m afraid to what you were saying before, the feeling is that the Directive is necessary. In particular this is – this comes from Member States it’s very clear. Police authorities are very clear in their – there is a question of how much evidence do we have. It might be –
>> It’s a question of who you are.
>> ROSA BARCELO: Yes. Those who are responsible for pursuing crime are telling us that is necessary.
>> Those who have interest in it.
>> ROSA BARCELO: Basically there is a need for historical data. And freezing would not do the job. So on the basis of that this being said this points out to the need of preserving the Directive. Now do we need to preserve it as it is now. And this is where we are working and we are engaging in some sort of fact-finding aspects that might require some to be – to make better.
Should I go to the 304 that we have identified or should I leave this for – should I go to the three or four we have identified or should I leave it until later.
>> WOLF LUDWIG: I leave it up for you. Do you think for the introduction it may be useful?
>> KATARZYNA SZYMIELEWICZ: Go on.
>> WOLF LUDWIG: Yes.
>> ROSA BARCELO: It goes along the same lines. No. 1 is that you might remember that the Data Retention Directive required the preservation for data for serious crime you take Article 15 for the e-privacy direction it allows Member State to delegate for a neighbor to require mandate of keeping data for purposes that are not serious crime for purposes that are lower. So Member States have taken the possibility that is allowed under the e-privacy directive to go much further to go beyond serious crime so I think one directive allows the other not.
So how do we close this loophole? That’s something that we are looking at is – and it will require changing not the retention but the e-privacy direction so another instrument. That’s one. Second is when you say cost reimbursement. We fully agree that there is a cost. And it’s not a monetized situation so that’s an area we are looking at should we require mandating cost reimbursement directive and you can imagine Member States in the current crisis situation we have right now are delighted to hear that but it’s something we are assessing and looking at. That would be the second point.
No. 3, period of time. So two years, six years. We are seeing that maybe two years might be too much. We could be exploring the possibility of shortening times.
And access. So to request access from the police to request access where this payment is coming from the requirement might be different so could we harmonize them so the requirements are the same throughout.
These are the ideas that we are exploring. Is there a position to do it now? No we are – there is a – is there a decision to do it now? No, we are still assessing whether yes, no, and we are in no decision at the moment. But these are a few additional options but these are the main big focus for exploration.
>> May I just reply regarding two aspects.
>> WOLF LUDWIG: Two short sentences, but very short.
>> Just because you refer to the financial situation of the Member States. My opinion is that the bill has to be paid by the ones who order it and it’s not the industry or companies that are – who order data retention it’s not our ideal and if politics want industry to carry out a system like that, I think they should – it should be mandatory cost reimbursement the first point. And the second point referring to the impact of the assessment you are carrying out of course if you ask the law enforcement agency if they consider data retention as useful they will say yes that’s not the question and that’s for me not the question when you talk about a lack of data. Data as an argument, as a proof for the need of data retention to me would mean that there is a proof that the storage of the data leads to a higher disclosure of criminal offenses.
And at least in Germany nobody could tell me until today that this is really the case. All you hear is: If we would have the IP address then we would be able to do this and that. Without thinking to the next step, without saying okay if I have the IP address that does not mean that the offender is the one who is the owner of the IP address.
>> WOLF LUDWIG: Okay. Thanks for this clarification, what is a very valuable one, because it’s one of the basic questions. If you should take over a role of a deputy sheriff, then you should be reimbursed. Nobody can expect from industries that you are doing this in your free time more or less. And you have some investment costs and at the technical level, as well.
Now from the EDRI point of view, let us know your opinion about this.
>> KATARZYNA SZYMIELEWICZ: Well, hello, everybody if you need my surname it’s in the notes just for clarification I represent an organisation working on surveillance issues which means data retention is exactly what we have been fighting with for the last three years here today I’m talking on behalf of EDRI which is the coalition of NGOs trying to fight for digital rights. From what was said I have nothing more to add but let me make this point more structured so in the first place from the Civil Society perspective the main issue really is whether data retention is a legitimate instrument in the society at all and indeed it’s not what is useful because usefulness goes without saying. We really have to consider the test of proportionality and necessity. We all have Constitutions in our legal orders. We have the charter of fundamental rights and on this basis it’s more than clear that any limitation of fundamental right for example the right to privacy is only allowed if it’s necessary and proportionate which goes far beyond the mere usefulness I’m also not surprised at all why law enforcement wants that instrument but I will touch on that point later.
What strikes me when the Directive was created in 2006 it was created on the assumption that it was a necessity and I think Alexander, who is here will be more to comment on this we had to believe the European Commission that the necessity will be proven and tested later on that’s why we have the revision process happening right now for the Directive that was adopted in 2006 what we see today is still no evidence to prove it’s necessity and proportionality. I know that process is spending but we have seen already the evidence being collected we have seen already the reports and I think it’s quite clear the Commission will not gather the evidence so the dilemma we see now is what we do in a very difficult political situation when an instrument was adopted under the heading of a common market which is not really fair because it was never about common market it was always about law enforcement it was given to law enforcement and now the Commission clearly says:
Well, we cannot take the toys from the boys. It’s obvious they will not give it back to us. And even if the emperor is naked even if there is no evidence the instrument is there I come from Poland the country that’s used all of the opportunities created by the Directive we overimplemented it we used all of the parameters to the detriment of the society we have the maximum retention period no control whatsoever on access to data very broad purposes going far beyond the Directive so it’s not just serious crime it’s general prevention of any crime at all. And that is not something that the Commission would argue against.
So my general point is that the Commission created or the European Union created the instrument which they gave to the Member States which was often used as an excuse to limit civil rights they didn’t provide safeguards what I would like to see this year if we cannot take the instrument back at least the Commission should go towards creating safeguards such as necessity to control access to this data with courts or at least persecution. I also agree that reimbursement would be a safeguard. Clearly if law enforcement would have to pay for this they would at least check whether they need it in Poland the number of requests is going to through – going through the roof we have 1 million 800 only last year 1 million 800,000 last year which is the maximum ever registered in the EU. So I do believe that more safeguards are needed.
And my second big point is that data retention as an instrument, legal instrument has to be seen in a broader context we have data retention as a practice which is here to stay I mean even if we remove obligations businesses will start data for commercial purposes and this data can be accessed by law enforcement and this data is accessed by law enforcement not only from our Member States also from the U.S., from other states because of the cloud services and this is a huge topic we have to address access to data no matter what legal grounds for storing it are there. Thank you.
>> WOLF LUDWIG: Thanks for this first introduction we will come back later. We have now the fourth introductory statement from Giuseppe and then we open the floor to the audience, please, Giuseppe.
>> GIUSEPPE VACIAGO: I have just two considerations, two practical considerations to say. And I totally agree that one of the big problems is also not only the Directive but the trust position of the direction to the national law because when we mention the issue of the serious crime that I think is the central issue and I touch it again with the other speakers on touch on it again the point is that the national law has implemented the Directive in the sense that now for example in Italy the most kind of crime where the law enforcement ask user data are privacy, defamation, IP – intellectual property violation and identity theft so I don’t know if you think that these are serious crimes. For me, they are not serious crime. But this is 90% of the requests that we receive are related to defamation a blogger that writes something on a blog on a Web site something like that.
And I don’t think that this is the idea of the Directive because when we mention we did – we – when the Directive started was for the terrorist attack.
And the second issue is also the problem that we have I think that that also who has to retain the data. Because the Directive for me is really clear and this access provider or main server or Voice over IP provider that is – that’s also an access provider. But for example, in Italy or other nations also the provider or Internet main service provider gave the information and take the – and retain the data so we have all this second issue.
I stop now and then I can make a conclusion after the debate.
>> LUDO KEIZER: We already have a reaction from here.
>> Well, two things to mention here. First my name is Michael Rotert from the German Trade Association of the ISP industry. The original version of the data retention – of the Data Retention Directive had in it huge statistical part from the Member States – which the Member States didn’t want to due to money reasons. They said it’s too expensive to provide all of the statistics.
For me it’s clearly maybe the data don’t represent any value for them. But the question which should be interested here not the history of the Data Retention Directive is how much freedom are you willing to give up for how much or how many security. That’s the question.
>> LUDO KEIZER: Are you asking somebody in particular.
>> All of them.
>> WOLF LUDWIG: Okay. We stay back we will go on with more comments.
>> Hi. Pat Walsh. Can I hold it? No?
>> I’ve been involved in this. I debated this in the Commission since it’s inception. And I’ve implemented the solution in two Member States. And I have yet to receive evidence that this is proportionate and justified. And I used to run a team of people that did the liaison was law enforcement in Government and had to disclose all of this data. And I’ve yet to find justification for this.
>> I see I’m also not allowed to hold it so this is quite an interesting panel. Let me put it this way: I was responsible in the European Parliament for the Data Retention Directive in 2005 I withdrew my name before the plenary vote because conservatives and socialists amended it in the way the way it is today and it’s a little bit unfair for the Commission to be present from the DG Information Society here because they have been writing at that time the Commission for the site was against the Data Retention Directive by the way I was also a first Rapporteur for e-privacy Directive so I know both quite well because the latter one at least I have written myself and then the first one, as well.
So what I actually wonder is why there’s such a reluctance in the Commission to examine the approach of quick freeze. The Commission is guardian of the treaty. Not the Council. And it is actually the duty of the Commission to put that forward especially because the expert group which I think is defined in Article 14 or 15 of the data retention group came to examine quick freeze as well additionally but it’s been ruled out by the Commission on that report so why is there such high reluctancy I don’t let the argument count Member States don’t want it because again there are two bodies of legislation and maybe just one final point on this whole issue is it’s a little bit sad to be proven right because I think seven years ago I said you will have legal problems, social problems, economic problems and technical problems and the evaluation report which was presented I believe in November last year actually showed that, that there are so many problems starting from access to data by coast guards in Malta to storage periods as we have it in Poland with requests of over a million a year.
So when we – will we actually see the review of the Data Retention Directive coming out of the Commission and don’t tell me it’s DG home.
>> WOLF LUDWIG: Just one question for clarification can you explain in a sentence quick freeze.
>> Quick freeze is basically the moment you have identified a person where there is the – what’s – suspicion of actually – that this person has undertaken criminal offense that at that moment you start storing only this person’s data and none of the other 499 million and 999 whatever thousand.
>> WOLF LUDWIG: Okay. Thanks.
>> Thank you very much. Benedek Wolfgang, University of Graz. I would also be interested in knowing a bit more about the evaluation. First I wanted to say that in Austria, the implementation was interesting. The competent ministry until the last moment tried to prevent the implementation. And only under pressure of the Commission it was finally implemented. So those industries interested in internal affairs, they – as you said the origin of the Data Retention Directive was – Data Retention Directive was fighting terrorism. Now in the – immediately when it came to the implementation, the issue was where to put the level. Justice wanted to go down as much as possible even to minor offenses. Finally the balance was struck as offenses which at least had at least one year of prison at least. Then the question was also who decides how to promote harmonization in that field.
Who decides about getting those data? Is it to be a judge? Or can it be the police?
It makes a lot of difference. Who controls also this practice? Again, we have a high standard in Austria in that – on that. But in my view, it could be higher.
Coming back to the review, what I would be interested is who was involved in this review? I mean, is it a review of the home affairs people of their baby so to say or is it a review in which a wider part of society in it’s kind of multi-stakeholder approach?
Also the human rights community, also other stakeholders fully involved? Because I think that would be necessary. Finished.
>> LUDO KEIZER: Thank you.
>> Thank you. And just a very short remark about quick freeze. I mean quick freeze is also part of the prime Convention which all of the – most of the Member States signed all of them in fact so we have to ask why it’s not implemented yet in the level of an EU direction and why we have to have some data retention instead.
>> WOLF LUDWIG: I think for the moment there are plenty of questions. And I hope that you have taken notes on it. Who wants to respond first? Katarzyna?
>> KATARZYNA SZYMIELEWICZ: I can. Thank you very much for the security versus freedom question. It’s my favorite one. And I really think this is the key issue with this Directive. Namely, we have no evidence in the first place that that causes any positive impact in terms of our security.
So I would say that that dilemma is flawed in general terms. Very, very rarely we have evidence proving that we have to agree on our freedom to be limited in order to gain some more security. Very often we are simply taught that that is well the premise we have to believe in it’s a matter of fate. And not a matter of evidence provided for the people for the citizens to really judge how much of one would trade for another.
So I would say that before we even face the dilemma in the first place we need evidence proving that certain limitations of our freedom are meaningful in terms of winning more security.
In terms of data retention there is no such evidence, at least for the reason that data is out there available for law enforcement. Even without the Directive. Even without the obligation to retain data for law enforcement purposes. A lot of data can be used when a given investigation is pending.
The quick freeze is one of the methods to achieve the same goal.
So even for that purpose, I would say that it’s much too early to ask the question how much freedom for how much security. We need evidence of security first.
On the question regarding the revision process, who was involved in this, I can admit that Civil Society was involved, as we were involved in many stages of this. It’s been two years of various discussions with the European Commission we have been sending papers and meeting officials so on the formal side we were involved on the merits I really don’t feel like our arguments are being heard because we made many, many times the arguments, serious arguments, against the Directive which were never responded seriously.
So on the merits I would say that the revision doesn’t really include the Civil Society voice. Thank you.
>> WOLF LUDWIG: Would you like to comment? Okay.
>> I don’t envy my colleage from the DG home. But one I have the feeling that the discussion here tends to forget how the EU legislative process goes. There’s a lot of questioning about the European Commission. And I’m very happy to see Alexander here because the Council the Member States voted in favor the European Parliament he may have a state but they voted in favor so we shouldn’t forget the Commission proposes but the Commission doesn’t vote the Parliament and the Council they are the ones. So I think I wanted to make this point because is the Commission the Commission. No the Commission is the Member States. And I think sometimes the feeling is that Member States are advocating something in Brussels they might not do it at home and they are using Brussels as an obscure.
>> WOLF LUDWIG: In the back we have a reaction first. Yes, please.
>> Hello, oops. I’m actually a member of this expert group doing a review of the Data Retention Directive. Let me tell you first of all that that review is not ready yet. We are still working with documents. And one of the reasons why we are still writing documents is because for example even within this expert group people cannot agree on what infinite e-mail is. And people cannot agree on – on what Internet e-mail is and Internet telephony is that’s a paper I’m currently writing we had a meeting last Friday when we tried to agree and it didn’t work.
That of course is not something that’s typical just for the expert group itself. It’s actually something that we see just has been mentioned on stage that the actual implementation in different countries are very different. So one can claim or question or look at whether the Directive actually did lead to harmonization or not because that’s of course maybe one of the overall goals.
The last thing which I completely agree with the lady from DG is we also have to remember that for example the Directive is one thing that talks about serious crime but sometimes what has happened in various Member States is that they have implemented something that goes further than the Directive and then the question is whether the Directive should be blamed. For example in Sweden the implementation Directive was leaning against implementation of the electronic communications directive that talked about requirement for the – requirement for the police to require data, the crime they were investigating would lead to prison. That was a change that later was made in the implementation of later on the electronic communication Director not with the Data Retention Directive but it had the implication that it can be questioned whether Sweden actually changed – removed the requirement of serious crime.
So those kind of I think looking at the implementation – actual implementation is very, very important. So I completely agree with you there.
The last thing has of course to do with the payment and the cost where the actual – where there’s absolutely no harmonization on how the money is flowing between the various involved parties. Thank you.
>> WOLF LUDWIG: Thanks, Patrik.
We now hear first from the remote participation. Sorina, please.
>> SORINA TELANU: Thank you we have a question from Eduoard from the Ukrainian hub can open rules and availability of information on governments and these agencies reduce the risk of disclosing private information about the users? Is it necessary to improve these rules? What do these participants think? Thank you.
>> Thank you very much for an interesting intervention. I would like to open up maybe to a bit of other fields here. Because I think we haven’t discussed the dimension of the protected groups. I mean we have legal protection, for example, lawyer, client privilege, journalist, its source and so forth. And this was something that was discussed quite a lot in my country.
Now I am not – my Government is not in the process of actually taking part of how EU directives are shaped as we are not in the European Union so I would be very interested to hear and if you collaborate a little bit on that dimension, as well. Thank you.
>> WOLF LUDWIG: Okay. Before we give back, there was one question. First here and then, Nigel, you.
>> My point is a very simple one. And I think Katarzyna basically mentioned but she’s more modest than I am in her criticism. In a free society putting people who are not suspected of any criminal offense or any illegal activity in the mass surveillance is fundamentally unacceptable. Can we draw a line under that and put 17 exclamations behind it. In a free society, suspicion masked surveillance is unacceptable. So not to talk about can we make it proportionate or is it necessary or unnecessary it’s unacceptable with free society on top of that do we make the fundamental distinction between data retention and data preservation what’s called deep freezing it? Ordering the preservation of data on people who are suspected of involvement in criminal offense is perfectly reasonable in the judicial control of subjecting to relevant safeguards but ordering the suspicion monitoring of everybody’s behavior is unacceptable and me as a human rights lawyer and other people like Katarzyna and other people in this room we are going to fight this tooth and nail we are not making it halfway acceptable we are talking about how you can make it proportionate you cannot make something that’s fundamentally unacceptable acceptable.
>> WOLF LUDWIG: Thanks a lot. This was a clear statement before we give back to the key participants, we have one more comment or question here.
>> Yes, can I – yeah. Thanks, Nigel Hickson, ICANN. I spoke this morning and said that I was fairly critical of governments when I spoke about intellectual property. On this issue I think we ought to put a few facts on the table. Because this Data Retention Directive was negotiated I recall I was a UK civil servant when it was negotiated we negotiated it in 2005 and 2006 Michael Rotert was involved as well from EuroISPA first of all it’s about communications data it has nothing to do with mass surveillance now I’m not suggesting that some – that some operators or some governments might not have bent the rules. But let’s, you know – let’s at least have credence of what the Directive says and what Member States signed up to and what the European Parliament signed up to. This was data retention. It had nothing to do with data content.
It was the communications traffic. It was the ability of – it was the ability of the law enforcement authorities to be able to access communications traffic or you know the records of communication traffics up to a certain period after that communication had taken place. It was predicated on the Spanish terrorist activity in Spain. And it was negotiated at a time where the Commission didn’t want to – as it was said the Commission didn’t particularly want to have the Directive but Member States felt very strongly about it. So I think we just need to have a few facts in the matter.
The Commission as I said, we’re a party to it, as well. But it was negotiated on that basis. It wasn’t – it had nothing to do with interception of data, interception of data was completely separate.
>> LUDO KEIZER: Reactions.
>> WOLF LUDWIG: Immediate response requested through your mic.
>> I must admit we were probably sitting on the opposite sides of the table I remember discussing with Charles Clark you were then around him and in these phases. And we did have – if we’re talking about facts, well, first of all, it was two political groups voting in favor so not the European Parliament then of course it was the majority of the European Parliament that’s areometrics you voters can change that, by the way on the other hand we had a lot of discussions that in certain cases and this has not been solved communication data is content data in case for SMS or other issues you cannot distinguish there between the communication data and content data so we had a lot of problems on that yes and there were a lot of discussions about the question how can you do communication profiles of people? How can you put that together?
And so I remember the whole discussion.
Also the heated atmosphere it was because understandably it was the UK presidency just coming in we had shortly before the London bombings there was a question of response from the political side so the opportunity was taken in this situation. It is certainly not all in black and white as it has been discussed in certain fora but there was already at that time the considerable concern about the introduction of this measure and what has been happening now different court rulings in Europe different high courts constitutional high court of Ireland putting it for to ECJ at the moment if it’s in line with the European human rights this actually shows that there is a serious problem with this Directive. And I hope in terms of the review that welcome to a point where actually the storage of the – the mass storage of communication of European citizens without any suspicion that this is a clear line we’re not going to cross anymore.
>> Yeah, I’m certainly not here to defend the Directive at all. I mean decisions were taken. And the situation of course was very different but I just think the factual basis for it was the intention was the concern that in the Spanish terrorist atrocity the law enforcement authorities at the time and one can dispute this or whatever said that they didn’t have the access to some of the mobile phone records that they would have done if there had been a requirement to store them. I mean that was one of the bases of it. And to say to Katarzyna –
>> Let’s keep it short.
>> Sorry a last point to say there was no evidence at all well I’m not a law enforcement expert but you know when I was in Government I went to numerous law enforcement briefings and the law enforcement agencies also gave briefings to the Commission the European Parliament and they did present considerable evidence. I don’t know whether the review is taken into account but there is – there was considerable evidence or there is considerable evidence that indeed data retention has averted to certain types of crime and it’s a shame that no law enforcement people are here.
>> LUDO KEIZER: We can bring it back to the States to get some questions and reactions maybe.
>> WOLF LUDWIG: Just a really short one.
>> LUDO KEIZER: Really short then.
>> From my knowledge it was a deal between the UK Government and the rest of the – of the European coalition, the Data Retention Directive. And it was a real deal where they gave away something else because that was the only outcome of the UK presidency in 2005.
>> It was short.
>> WOLF LUDWIG: This was a strong point. Okay. So now we give back to our key participants for further elaborations and comments please who would like to start?
>> KATARZYNA SZYMIELOWICZ: Well, I can. Many, many points, thank you for your point with 17 exclamation points. I forgot about them.
On the point Alexander made about crossing the line of suspicion, I’m afraid that we already crossed that line. And I really don’t see any perspective of moving backwards unless citizens very, very strongly disagree. What we observe is definitely the trend to extend data retention to new areas to new data and to use that kind of data not only for serious crimes but for example for IP law enforcement so we are in a dramatically difficult situation in these terms and we need an extremely strong campaign to solve that movement on the evidence point I must admit I haven’t seen the evidence presented in 2006 or earlier if there was any but I have seen all of the documents that were made public in the process of revision and clearly I mean the Commission itself waited one year and they repeatedly made questions for evidence because nothing was coming from the Member States.
I think the only country was UK that presented something that looked like statistics. Everybody else presented simply like stories like you know singled out stories from the experience of law enforcement. But that’s not proving the point. We are not talking about single cases where it turned out to be useful. We are talking about proportionate and necessary instrument as such.
I really appreciate the comment made in remote moderation about access to information. Yes, that in my opinion could be a very efficient instrument of limiting abusers if law enforcement agencies were forced to reveal more data about what they do with the data they obtain and what data they obtain in reality if the citizens were given the right to know that their data was examined, that would definitely make a change. But it’s extremely difficult. In fact we are fighting that fight in Poland right now. And well, I’m afraid we are losing it because nobody wants to reveal that kind of details even statistics but even more personal data.
On the point of journalistic activity and other exemptions it’s a very valid, very difficult discussion. I’m not a technical expert here. I think many other people can comment on this later. But to my knowledge, it’s absolutely not possible to verify at the point of making requests what – to whom the data belongs to. So we can – we have no ability to exclude journalists, lawyers or doctors at the point of requesting. But maybe if there are efficient control mechanisms later on for example court is needed to verify whether a request should be realised or not maybe at later stages that can be limited. Also the right to information might be very useful in that context.
If the lawyers and doctors and journalists knew that the data is being examined, they could maybe make civil claims or use other legal instruments to stop it. So it’s a difficult but very much-needed discussion. Thank you.
>> I also wanted to come back to the question regarding the protected groups and I can confirm what you say it’s also a technical challenge it’s not only a political question and a political debate. It’s also the questions. And it’s a question that has to be answered by ISPs who have to set up the technical solution for that. And this is – I don’t see a technical solution for that right now. I don’t know how we should deal with that and how we should do the differentiation between data that belongs to a priest, to a journalist, whatever, and other kinds of data.
And this technical discussion is something that is not discussed. You hear a lot of calls for data retention and you hear a lot of arguments for and against. The question how companies and how providers should be able to require with the things and the – that the Directive is calling for is not discussed at all and it’s something that’s missing in the debate. If the ones who were calling for data retention want to have this discussion, you have to also to discuss how you want to make the technical solutions possible. And by the way this is also very central point of the decision of the German constitutional court. You know that in Germany the data retention law was thrown down by the court. And the question of these protected groups was one of many arguments and I can only recommend to anybody to read this decision which is also available in English it’s very helpful for the discussion.
And there are a lot of other requirements in the verdict to ISPs in terms of data security and how they have to do the storage, how they have to make sure that there is no misuse of this data and so on and so on.
And there is no answer for that. How all of these things should be done and should be paid for.
>> It’s a strong argument against.
>> LUDO KEIZER: Maybe your neighbor has an answer for that you want to react as well.
>> Yes just to come back to the question about privacy and security and just to tell you that I totally agree with Katarzyna but I’m sorry; I have a practical consideration. If you ask me who will win between privacy and security my answer is security. Why? Because security has only to wait into a situation of emergency and we will have another law and everybody will forget all of the principle of proportionality and the other stuff so my view and my suggestion today, Commission, is to say we can amend also for example to – I was telling about who was to retain the data and now my question is who is entitled to request such data. Because the situation is not totally clear in some states the law enforcement could request this data. In other states the persecutor could request this data.
I am a criminal lawyer so I can tell you that the – they totally change the situation if you answer this question. Because if you say that only the judge could request this data and there is a validation of a judge there is more protection for all of the European citizens and this is a really practical issue that we can make in the discussion even if it’s really difficult to do at the EU level and we have to do also at the national level this is my conclusion.
>> Do you want to react?
>> Well, on the last point we – that’s one of the conclusions we have reached after engaging these – this 12 month assessment is that the condition for access are indeed very different and it might be a good idea also in terms of ISPs so that they have a secure and predictable environment to know exactly what are the conditions for access.
Now, this is also a matter of very much Member States sensitivity and feeling. So it’s a difficult area to harmonize and it’s something that one needs to take into account. Very, very close to national prerogatives.
On just a quick – there were quite a few questions on the possibility of data preservation and just that data preservation, the something that is being analyzed and is on the table. Again it doesn’t quite fit – it doesn’t provide the historical data but it’s not completely disregarded. And the Commission together with the Council of European Union has – Council of Europe has committed to study this and this Social Security s not finalized but it’s supposed to fit into this whole debate my understanding it will be ready some time soon but is not yet.
>> LUDO KEIZER: We have a reaction from here.
>> Can I not hold it?
>> LUDO KEIZER: No. If you take for like ten minutes, I can grab it away.
>> I will not take it for ten minutes but I would still like to hold it. Alexander Seger from Council of Europe. There are some excellent points here that we will certain – I can’t use the word retain but we will nevertheless retain these types of ideas when it comes to necessity proportionality condition for access to data and safeguards we have to put in place, I think some very good points here. It would have been great to have some of the free seats over there being occupied by law enforcement because this is a very one-sided panel. Sorry. Even from the Commission side.
>> Also you have the interdivided personality today. I think it’s very important we had a conference last week in Strasbourg we had a meeting of the cybercrime Convention committee at the beginning of last week and there were a number of law enforcement people who said: I just would like to have people like you spend one day in my office. I’ll show you the files and you’ll be convinced of the necessity and the proportionality. So I may not make a judgement on that but I think it’s an important point in the future please have a more balanced panel.
We had also a discussion we are currently evaluating at the level of the Council of Europe a crime Convention committee to look at the Budapest Convention Article 16, 17, 29 and 30 what came to sort of interim results we will find this in December, this evaluation. And then the – in during conclusion it’s clearly that data preservation is not the same as data retention one is not the substitute for the other preservation can be ordered by anybody not just by the service provider it can be asked for an individual to preserve data for a company to preserve data for a financial institution to preserve data it’s a very different tool it also comprises content data specified. You should be able to get content data to give you the time to go to the judge or depending on the type of data to get access – prosecutor to get access to the data.
It’s very clear. Indeed I can confirm we are cooperating with the European Commission to bring our experience of the data preservation of the data retention tools.
One thing I would also like to underline Budapest Convention we worked all over the world we worked with many countries around the world not just Europe not just interested in Europe as such. All – I would not say all. Most countries around the world. Most governments around the world are implementing or have implemented data retention obligations. This is not limited to Europe. Most countries have done so without any limitation for that, without also any purpose limitation but also without any limitation chance of time.
I believe that if as a result of this debate today but also the revision that is taking place within the European Union there comes about retention regulation with very clear conditions if data retention is retained with very clear rules of how data can be accessed what should be the minimum – what should be the minimum and maximum period maybe more limited than two years that will also have a benefit for the rest of the world because this may encourage – it will allow us and encourage other governments around the world to have a more limited data retention more clear regulated data retention in their countries. I also share my doubts that it can be put back into a bottle data retention can be abolished it’s not a very realistic expectation.
>> WOLF LUDWIG: Okay, thanks, Alexander, for these valuable remarks. Before I give back to the panelists, just one short explication. It was rather difficult when we designed the workshop when we started the composition of panelists please believe me we tried to find someone from the law enforcement side and I’m completely aware we had repeated mail exchanges on this issue whether this setup of this panel is balanced or biased, et cetera. And of course I agree. Law enforcement is missing here. But nobody raised his hand or was pushing or suggesting himself. We from the organizers side would have been glad to include somebody as you may have realised also from the governmental side which tried repeatedly to get governmental representatives on the panel. But we cannot force them.
So we are not enough law enforcing whatsoever to convince. just a short remark on this one.
I think Alexander said a lot of relevant points. Who would like to respond to his remarks or to his observations?
>> KATARZYNA SZYMIELEWICZ: Okay. I can start.
>> WOLF LUDWIG: Yeah, okay. Start.
>> KATARZYNA SZYMIELEWICZ: Thank you very much. On the point of law enforcement, I totally agree the dialogue with them would be extremely useful and I can also assure you that we are trying to do this in Poland and we have the same obstacles I mean for some reason law enforcement representatives are not very keen on having real conversations and I even spoke with some of the people in private and they acknowledge it’s very difficult for them to come out in public and have those kind of discussions just sharing my own experience on this, I have planned a meeting, a closed door meeting without any media anybody in September and we might be able to have some honest conversation there. So I might come back to you with some results.
But yes, indeed, that kind of evidence is simply not given to the public. So as I said before, we either have faith in this or we don’t have faith and we say we don’t believe you. But at the end of the day it’s like religion either we believe or we don’t. But we cannot really discuss that valid point on the grounds of evidence. I made the point earlier and I will repeat it that I do think access rules should be the key discussion right now one reason is that we have data retention in place and it would be difficult to withdraw that instrument but also we have a lot of data out there that’s used by law enforcement and it’s not stored for law enforcement but it’s used by law enforcement. So I would suggest having these two discussions separately. One of them whether we need the obligation of data retention and we should and we will carry out that fight of course as was said the fight is there and we will not stop it but separate that discussion from the discussion on access rules because that should be kept separately and it’s an extremely valid point if we get the access rules correct, it will be better.
>> WOLF LUDWIG: Okay. Yes.
>> Just I think Alexander asked the question is when the Commission will propose the review of the retention directive when just forsake of clarification the Commission is engaged in the assessment of Directive but the Commission has not decided whether the result of this assessment will be a review.
So it might well be.
>> KATARZYNA SZYMIELEWICZ: It has.
>> No, the decision that it will be reviewed is not made. It’s clear that it is not – it’s an ongoing assessment. But that, yes, we will open, that’s not true. So it might well be that as a result of this review we decide that we will leave it as it is. And maybe solutions might come. Maybe not by reopening the legislation but maybe by other tools that might not be legislative, might be non-legislative instruments, enforcement of the directive guidance and other tools so just to make that very clear.
>> What is the timeline for the impact assessment?
>> It has slipped a little bit, a few months.
>> WOLF LUDWIG: Unfortunately. Unfortunately end of year.
>> Yes, autumn. So autumn is long. So let’s leave with autumn.
>> We have two reactions from the crowd.
>> WOLF LUDWIG: Okay.
>> A very quick one on the point that traffic data is not intrusive. It is very intrusive. If somebody knows who I’m communicating with at any particular moment on top of that you can include location data in traffic data and then people know what – whether it’s a demonstration or not a demonstration and I would just like to recall the German folks on the census judgments saying if people have to think that the state knows where I was at a particular moment whether I participated in certain political activities that has a chilling effect from a mental right so let’s go back to principle.
The second thing I’ll put – I’ll put my academic hat on if you have data retention at the very least you need to – you need the strongest possible academic scrutiny of the evidence and if the law enforcement authorities are not capable of coming up with anything more than anecdotes in which statistics that are useless like in so many thousand cases having access to this data was useful in convicting the criminal, that’s the same as saying this is absolutely essential and we wouldn’t be able to find them either without access or data preservation wouldn’t have been enough.
We need to – we need the strongest possible academically verifiable and verified evidence. And maybe the response of the Commission if there isn’t such evidence should be let’s withdraw the Directive because they haven’t been able to come up with the evidence.
>> LUDO KEIZER: One more over here.
>> WOLF LUDWIG: Yes. And – let me suggest we now have to close we have only 7 minutes left over and the last intervention here from the audience and then I give back for final comments to the panelists. Okay.
>> Yeah so Baton from the International Diplomatic Academy. One point is I do understand that it is extremely difficult for law enforcement agencies to know that this data can be available, which is something that they never had in the past. There was no situation in the past where basically the activity on a daily basis almost on a minute-by-minute basis of people was able to be stored somewhere so there is a natural feeling that if this data were available and accessible, a lot of the issues would be solved.
I don’t get into the debate whether it is true or not. I understand the feeling. The problem is it raises concerns not only that have been mentioned before but it raises the concern about leaks. It raises the concern about if this data is actually getting out for whatever reason because the servers have been hacked or so, it is a massive danger for privacy and I was a conference in Hamburg a couple of months ago and there was a remarkable presentation of what you can do by combining data. It’s not about having access to one file. It’s the fact that you combine the data by your location of mobile phones then the kind of searches you can do on Google and so on and then you get the filing that’s tremendous so my final point is going in the direction of you from EDRI the key challenge is not one specific type of data that should be kept.
The key challenge is the rules under which access is being given to the tremendous amount of data that is stored on the behavior and attitude and activities of people online.
And here I would fully go in the direction that was mentioned earlier. If the European Union as a whole were to focus on the conditions under which law enforcement can have access to any type of data that is being stored regarding online activities, that would have an exemplary role and exemplary function to the rest of the world because it can set the parameters that a continent that is caring about human rights and protection of privacy does. But focusing on forcing certain actors to store – or certain type of data is actually from pure personal belief not solving the problem and not addressing the right problem. The other problem is a major one and a great one.
>> WOLF LUDWIG: Okay. Thanks a lot, for this comment. We have a last one now from here please try to be short and precise.
>> Okay. I have a philosophical question: What type of society should we get with this law? We have Democrats now. I will say with Democrats we don’t have this type of law. And do we want to live with this type of society? I don’t want.
>> WOLF LUDWIG: Okay.
>> I think we have to leave this behind us in history. But I’m not so sure I want to listen to people around. What do you think?
>> WOLF LUDWIG: Okay. This was a question back. I think there are different backgrounds in Europe we have to consider. There are the western societies and the so-called transition countries in southeastern Europe it’s completely different experience and sensibilities in regards of state control, et cetera. I think ours is a relevant consideration. For the final round of your comments, please try to be as short and precise in two minutes each is it possible?
>> I’ve got to stop right here.
>> WOLF LUDWIG: Okay. Please. At this time we start with the guys and end up with the girls.
>> Just I want to say something to the Council of Europe, I was present in Strasbourg last week and I really believe on the cooperation with law enforcement even if I’m a criminal lawyer. And so I understand also and agree on the point that it’s not really realistic now to say that we can abolish data retention I think we need to improve and to work together to improve and create all of the legal issues that we have to figure out in the future for this Directive. This is my opinion.
>> Well what is my conclusion? First of all, I’m very excited to see the results of the impact assessment. I think that is the basis for any further discussion. And all that we have right now on information about the impact for the Civil Society, the impact for data protection, the impact for the industry and so on and so on. Right now we don’t have enough information about that. And well I’m looking forward to seeing the results of the impact assessment. That’s the first point. And the second point is more a political question and Michael Rotor raised the question at the beginning of this discussion if we want more security or more freedom. And that is – I see this in connection with the question about proportionality. And that is a question for me that cannot be answered by any impact assessments or any data that you may raise.
It’s a basic question that we have to answer. And I think that the experiences shows us that once we implement a system like that, it will not take much time until different parties call for extension of the purpose of this – the systems that providers have to set up and we have the same discussions and experience regarding the discussion on blocking and filtering which is in the beginning was discussed in the context of child pornography but in Germany it took two days for the politicians to use this system for filtering illegal gambling and copyright infringement and so on I can guarantee you once we have set up data retention systems in Europe we will make the same experience it won’t take long until other parties will call to disclose the datas for other purposes that are not in connection with criminal offense or heavy criminal offense and that is something that politics should take into account.
>> WOLF LUDWIG: Thanks a lot this was a clear statement.
>> Just to say that I have heard today a lot of very interesting very valid arguments. The need to assess whether evidence is sufficient, not sufficient, is proportionate. I think that the Commission is doing a very honest exercise to look into this argument. I think it has – Katarzyna would say they don’t listen to her but I do believe the arguments are being listened are being analyzed remember the Commissioner in charge she revolted against the retention in the beginning so I think the DG even the Commission has a true desire to look into that. And I think all of these arguments will be weighted and I hope that the result – a good result will come soon.
>> WOLF LUDWIG: I think it fits well to EuroDIG that you have the last word.
>> OLIVER SUME: Thank you as my final point I will raise the point that storing traffic data is a huge privacy issue there’s no doubt that traffic data can tell us a lot about past behavior and future behavior there are cases like in Poland where traffic data were used to track journalistic resources you can do so much with this and you will only be able to do more with the growing amount of traffic data being available out there in the Internet. So that’s a huge issue and on a more philosophical note I do agree with Alexander that preservation is different than retention but the main difference is the first is line with democratic society and the second is not because it goes against the presumption of innocence against the very basis of the rule of law we would like to preserve so that’s why we fight so much for the first to be the legitimate instrument for law enforcement and against the latter.
>> WOLF LUDWIG: Okay. Thanks a lot for your clear and short final statements. This is not the end of the debate on this issue for today. This was more or less a warming up for a plenary. That will follow immediately after the coffee break where we continue with privacy issues. Because we really at the EuroDIG level consider them as crucial as essential regarding respecting civil rights. So I would like to thank Giuseppe, Oliver, Rosa and Katarzyna and my Co-Moderator for their contributions and –
>> LUDO KEIZER: And the audience.
>> WOLF LUDWIG: And the audience, yeah, for your vivid and critical inputs, et cetera. And I think we had a revolving debate. Thanks a lot. We have a coffee break now and we will meet afterwards in the big plenary again for the next – the coffee break is half an hour.