Yesterday, on April 1st 2012, the European Union’s “Directive 2006/24/EC” (also known as the “Data Retention Directive”) entered into force in Austria. Under this directive, telecommunication providers are obliged to store information about phone calls, text messages and Internet communication for a period of 6 to 24 months. This information does not include the actual content, but it includes detailed metadata such as phone numbers, IP addresses, e-mail addresses, time and location.
Proponents argue that in an increasingly connected world, the state’s ability to request access to such data is necessary for law enforcement and the fight against terrorism, and that sufficient safeguards are in place to prevent abuse. However, in the countries that have adopted the directive in the form of national laws, the powers it grants, the storage duration, and also the safeguards vary greatly. For example, depending on the concrete implementation, access to the data may or may not require that an individual is suspected of a severe crime, that a court has explicitly granted permission, and that the targeted individual has to be informed that such access has taken place.
Critics argue that the law establishes a surveillance system which places all citizens under general suspicion, and that therefore the freedom of civil society as a counterbalance to state power is no longer guaranteed. The amount and nature of the collected data is certainly sufficient to create a detailed profile about a person’s private life. In Europe, the last century has seen authoritarian regimes of various extreme ideologies that had founded their power to a large part on the surveillance of their citizens. As a consequence, the sensitivity today to intrusions into the private sphere is high. Besides such political considerations, the potential for commercial abuse also seems extensive, for example, a corrupt employee of an Internet service provider might be tempted to simply sell the highly valuable data.
Sometimes, to illustrate their point, critics draw a comparison with the postal service, where it would seem ridiculous to record the sender, recipient, time and location of every letter. Criticism has also increased in connection with the Anti-Counterfeiting Trade Agreement (ACTA), which is a treaty that among other things targets copyright infringement on the Internet. Also, the actual usefulness of the law for combatting crime is questionable, since there are still many ways of communicating privately.
The introduction of the law has sparked online petitions as well as street protests under the motto “Farewell Privacy” in Vienna and other cities, although they were smaller than anticipated. The Austrian instantiation of the Anonymous collective had announced a counter-surveillance campaign (“Operation Pitdog”), during which it would publish thousands of e-mails related to political corruption, which later however turned out to be a hoax. Several organizations, including the Austrian Green Party and a human rights institute, announced that they would challenge the new law at the Austrian Constitutional Court – a move that had already succeeded in several other countries. For example, courts in the Czech Republic, Germany and Romania have ruled the law to be in violation of peoples’ rights, including the rights to privacy, to confidentiality in communications, and to freedom of speech.
On the European level, there has been much discussion whether the Data Retention Directive is compatible with the union’s treaties, with the Charter of Fundamental Rights, and with traditionally strong data protection policies. Even among policy makers, there seems to be an increasing sense nowadays that the directive is characterized by low effectiveness and potential negative effects, and that it is therefore not proportionate and not in the best interest of society. In 2010, the question of legality of the directive was referred to the European Court of Justice, which is expected to decide on the matter during the course of this year.
The Data Retention Directive is basically Europe’s version of the global question about freedom vs. security on the Internet. In other words, how much control of a state over its citizens’ communication is healthy for a democratic society? This is a political and legal question that is not easily answered. What is certain however is that both the amount and the value of personal data will continue to increase. At PDEC, we believe that an ecosystem around this personal data should on one hand provide the tools and rights for individuals to control their own data, and on the other hand also enable new business models around this asset.