Toespraak eurocommissaris Malmström over richtlijn Gegevensopslag (en)

Met dank overgenomen van Europese Commissie (EC), gepubliceerd op maandag 18 april 2011.

Ladies and gentlemen,

One of my main objectives as Commissioner for Home Affairs is to ensure that people in Europe are and feel secure. Secure from terrorism and serious crime; but also secure from excessive state intrusion into their private life. Five years ago, the Data Retention Directive came into force, and the Commission adopted today an evaluation - not a legal assessment - of how it has operated in practice and how it needs to be amended.

In short, the report shows that data retention has proven useful in criminal investigations, but that there is need for improvement as regards the design of the Directive so that it better respects both the security and the privacy of our citizens.

Before going into the details of the findings, I think it is important to recall the circumstances in which this Directive was passed. It was in the aftermath of the bombings in Madrid and London, Europe was on a heightened state of alert. There was enormous pressure on governments to ensure that their police and prosecutors had all the tools that they need for tracking terrorism and other security threats.

Telecommunications traffic and location data is one of those tools, which is why the European Union took steps to guarantee that these data would be available if needed for criminal investigation.

Why we need an EU data retention law

For me, it is important that we have evidence that an EU approach is necessary. Therefore, the evaluation report that I present today brings together the contributions we have received from Member States, Members of the European Parliament, telecommunications and internet service providers, data protection authorities, experts and other stakeholders.

Overall, the information we have received indicates that data retention subject to EU regulation is indeed a necessary measure:

  • necessary because historic telecommunications data can be crucial in solving crimes and ensuring justice is served;
  • necessary because industry needs to know that data retention rules will be as consistent as possible throughout the internal market;
  • necessary because citizens are entitled to know that there are solid and consistent safeguards for protecting their personal data wherever it is stored or processed in the European Union.

If we didn't have EU rules on this, data retention would not disappear. Member States would almost certainly maintain their rules on compulsory retention and operators would retain data for commercial purposes.

The value of data retention to criminal justice and law enforcement

It is often impossible to isolate and weigh the value of a single type of evidence in the outcome of a criminal investigation or prosecution. But we have many examples of specific cases where traffic data retention was crucial. Let me mention only three of them:

  • In Hungary and Poland in 2009/2010 fraudsters would telephone elderly people pretending to be a relation in need of money. In some cases these vulnerable individuals were robbed of thousands of euro. Police could only identify the perpetrators through examining data generated by those phone calls.
  • The conviction in 2009 of a gangster boss connected with the seizure of heroin smuggled from Afghanistan to the UK valued at almost €40m - enough to supply the demand of 8000 users - was secured solely thanks to telephone evidence linking him to criminal networks.
  • And at the EU level, Europol facilitated Operation Rescue which targeted an international paedophile network of 70 000 members, uncovered the identities of 670 suspected members and helped protect more than 200 children from further abuse. Unfortunately, it was not possible to pursue these investigations in Member States which have not transposed the data retention directive.

Mixed results and insufficient harmonisation

But even though the directive aims to harmonise certain aspects of data retention, the results of this harmonisation are mixed. Law and practical application vary greatly from one Member State to another.

Some Member States have a clear, defined limitation of purpose for which traffic data may be retained and used. Others do not. Some Member States require the retention for 2 years, others for only 6 months. Provisions for data protection and authorisation of individual requests for data are also highly divergent.

The directive does not in itself guarantee that data are stored, retrieved and used in full compliance with the right to privacy and protection of personal data. That is up to the Member States, and that is why the constitutional courts in some Member States have annulled the legislation transposing the Directive.

In summary, there is considerable variation between Member States when it comes to purpose, retention periods, procedures and conditions for access, reimbursement of the costs of the operators and how often Member States access to data and what types of data are mostly used.

Areas for improvement

There is room for improvement in the current data retention directive, as the shortcomings are sources of considerable concern both for industry and our citizens.

What will we do now? We will work with Member States; we will work with the European Parliament, national parliaments, different stakeholders and NGOs, civil society etcetera to listen to them and to get their advice and opinions. We will also do an impact assessment and, based on that, hopefully later this year we will present amendments to the directive.

Thank you.