The German Parliament said Tuesday that the European Commission's controversial Data Retention Directive may be illegal.
The directive requires European communications service providers to retain data for up to two years identifying the source, destination, date, time and duration of communications, along with the equipment used, and, for mobile telephony, the location of the equipment. The directive applies to phone calls and e-mail or text messages, although not their contents.
A report from the Bundestag's Working Group on data retention said that it would be impossible to rephrase the directive to make it compatible with the E.U. Charter of Fundamental Rights. The legal experts said that the law is disproportionate in the measures it requires to fight crime, as data retention increases the crime clearance rate only slightly.
"This marginal increase in the clearance rate by 0.006 percent could raise doubts about whether the provisions in their current form would stand their ground under a proportionality review," said the report.
European Data Protection Supervisor Peter Hustinx has described the directive, introduced in 2006, as "the most privacy invasive instrument ever adopted by the European Union."
The European Commission recently conducted its own review of the directive.
"Our evaluation shows the importance of stored telecommunications data for criminal justice systems and for law enforcement. But the evaluation report also identifies serious shortcomings. We need a more proportionate, common approach across the E.U. to this issue," said Home Affairs Commissioner Cecilia Malmström.
The Commission conceded that data retention represents a significant limitation on the right to privacy, and will consider more stringent regulation of storage, access to, and use of the retained data.
E.U. legislation is bound by the principle of proportionality, which limits any legal activity to that which is necessary or required to reach a certain aim. "It is clear from the Commission's evaluation report on the directive that there is no evidence of necessity and proportionality for data retention," said Joe McNamee of EDRi.
"The principle of proportionality is binding on any state governed by the rule of law," added Kai-Uwe Steffens of the Bundestag's Working Group. "Therefore the Federal Republic of Germany must work towards outlawing data retention within the E.U."
"The E.U. must abort this experiment immediately and replace the completely disproportionate blanket collection of the entire population's communications records with an instrument for preserving the data of suspects," said Uli Breuer of the Bundestag's Working Group.
Later this year, the European Court of Justice (ECJ) will rule on the constitutionality of the principle of data retention, after a referral from the Irish High Court.
Digital Rights Ireland, a member of European digital rights group EDRi, brought a case against the Data Retention Directive on the grounds that a state should not be allowed to impose a regime of mass surveillance on its entire population without any evidence of wrongdoing. The Irish High Court agreed that these issues needed to be considered by the ECJ.
Courts in Austria, Germany, Romania, Sweden and the Czech Republic have also ruled that the directive is unconstitutional and the German working group called on the governments of the five countries to request permission from the Commission and, if necessary, the ECJ, to be exempted from transposing the Data Retention Directive into national law and to defy certain aspects, even if fines are imposed.
The text of the Data Retention Directive does not in itself guarantee that data is stored, retrieved and used in line with the right to privacy and protection of personal data. This was the reason courts in Germany, the Czech Republic and Romania threw it out. The three countries are currently trying to work out how to comply with the directive while still maintaining privacy rights.
Austria and Sweden meanwhile have also delayed implementing the directive and have been brought before the European Court of Justice. Austrian authorities have recently drawn up drafts on implementing the law, but last month the Swedish Parliament deferred a vote on the proposed legislation for a further 12 months leading to further court action by the Commission.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.