Professional Documents
Culture Documents
Matthew D. Hamilton
Recently, the issue of privacy has been much discussed in information policy debates, the
professional literature, and in the news media at large. Other authors have made much of the
European emphasis on privacy rights in contrast to American attitudes (Heisenberg and Fandel,
2004; Salbu, 2002). However, despite an alleged de-emphasis of privacy rights versus the need
to combat terrorism, recent electoral changes suggest that Americans are less willing to trade a
“little freedom for a little security” after all. Even as Americans seem ready to push back against
the most drastic of measures adopted during the Bush Administration, the European Union is
taking steps that can potentially undermine its own earlier efforts to protect the privacy rights of
its citizens in the form of Directive 2006/24/EC, “on the retention of data generated or processed
The first section of this article will describe Directive 2006/24/EC as adopted by the
European Council and currently being enacted by the EU member states. The second section
will then discuss some of the objections to this directive, including how the retention directive
conflicts with the previously established European emphasis on the protection of privacy rights
of its citizens.
On Data Retention
Nettleton and Watts (2006) write that after the attacks of September 11, 2001, EU
member nations began to enact legislation requiring that communications providers retain
communication data for the purposes of assisting law enforcement in the investigation and
Dissociative Identity Disorder 3
prevention of criminal acts. They cite as an example the U.K.’s “Anti-Terrorism, Crime, and
Security Act 2001”, which allowed for the voluntary retention of usage data by service providers
However, after the Madrid bombing on March 11, 2004, calls for harmonization of data
retention policies across the member states gained political favor and earnest efforts were made
on the part of the Commission to enact a directive establishing consistent regulations across the
differing member nations. On February 21, 2006, the European Council adopted Directive
2006/24/EC after months of contentious negotiations between the Council, the Commission, the
The directive:
1. States its aim is to, “retain certain data and to ensure that those data are available for
2. Establishes a period of retention for data of not less than six months and not more
than two years for all providers of “publically available” communications services.
3. Applies to traffic and location data on both legal entities and persons. It does not
4. Specifies the types of information to be retained, including: the source and destination
well as the “machine address” of the equipment; the time, date, length of the
communication; and the type and location of the equipment being used.
authorities”.
Dissociative Identity Disorder 4
Problems with the Directive
There are a number of criticisms made of the directive. The first is that it appears to be in
violation of earlier norms of data protection established with EU Directives 95/46/EC and
2002/58/EC. The European Data Protection Commissioners were so concerned about the
implications of the directive that prior to its adoption they released a statement expressing that
they “have grave doubt as to the legitimacy and legality of such broad measures. They also want
to draw attention to the excessive costs that would be involved for the telecommunication and
At first glance, one can certainly argue that the new directive violates the spirit of
previously enacted European privacy legislation, which Salbu (2001) categorizes as “broad and
comprehensive, applying to both public and private sectors” as opposed to American solutions
which tend to be reactive and focused on specific issues areas (such as credit reporting,
education, financial privacy, telephony, cable, and video). Traditionally, European Privacy
protection measures have recognized the “threat to privacy if information relating to any
Critics also claim that the law violates Article 8 of the European Convention for the
Protection of Human Rights and Fundamental Freedoms (ECHR). Breyer (2005) argues that it
violates this article because it does not distinguish between suspects and purely innocent
individuals; that the pervasiveness of electronic communications would effectively remove any
means of private, unmonitored communications; and that the data is too easily manipulated and
or abused by government officials. To know that all communications are monitored would have
by Article 8 of the ECHR is adequately protected. His argument is that previous data protection
measures were designed to protect the misuse of data by private entities or government
agencies—but not by national governments exercising their “core sovereignty powers: domestic
Bignami’s assertion does not tend to be supported by other writers. Salbu (2001) and
Heisenberg and Fandel (2004) argue that Europe’s emphasis on privacy rights partially stems
from the Third Reich’s use of data collection technologies—suggesting a fear of the state itself.
Indeed, Article 17 of the ECHR specifically prohibits the abuse of any of its protections by the
State (Council, 1950). Breyer (2005) writes, “Experience shows that the risk of powers being
abused, especially where they are exercised in secret, must not be underestimated, even in
Europe.”
Another criticism of the directive is that while at first glance, it may appear that storing
context data, rather than content data, helps alleviate privacy concerns. However, as
Kotzanikolaou and Douligeris (2007) point out—disclosure of context reveals the identity of the
parties involved, the time and location of the communication, and also reveals something about
the content of the communication. For instance, it is easy enough to follow the IP address of a
site visited to access the information on the web site stored on the server. Church and Kon
(2007), illustrate how search engine data, which includes the identifying IP address of the
While anyone can support the prevention of visits to a site specializing in child
pornography, it becomes much more problematic when dealing with issues that are less clear-cut.
What if someone is researching terrorism rather than supporting it? Such visits would draw the
Dissociative Identity Disorder 6
same scrutiny to the individual involved. The presumption of innocence, as guaranteed by
Regardless of one’s thoughts on privacy, there are other criticisms of the directive as
well. The directive’s language is riddled with ambiguities. While it states that it is intended to
fight “serious crime”, it does not define what crimes qualify as “serious” nor does it prohibit
member states from enacting laws that allow access to the data for investigations into civil, rather
than criminal, matters. Already Germany has moved to enact laws that allow the use of retained
Another criticism of the directive is that despite the stated intent to “harmonize” the data
retention policies across member states, many communication service providers are frustrated
that the directive leaves such a wide range of possible retention periods open for differing
national policies. Thus, even if a multinational company is retaining customer data for the legally
proscribed period in say, France for two years—they may be compelled by Germany and the pre-
existed data protection laws to delete their records after 6 months (Nettleton and Watts, 2006).
A final criticism of the directive is the added cost to service providers and the
corresponding burden on the consumer. One area where costs rise is in the requirement that
“competent national authorities” be given access “without undue delay” to this stored data when
requested. As Taylor (2006) highlights, the technical specification of storing and transmitting
this data in a secure and portable format is left unaddressed. This leaves a difficult technological
problem for service providers to solve at their own cost or face legal sanction as the means of
storing and accessing the data are likely to vary widely among service provider systems.
Additionally, the cost of storage itself was left unaddressed by the directive, leaving member
nations to decide for themselves whether to reimburse service providers for this added expense.
Dissociative Identity Disorder 7
The Future of the Directive
While the importance of stopping terrorism is not to be discounted, it does seem that the
directive leaves a financial and technological burden at the feet of service providers that may
leave them at a competitive disadvantage in the world market. Even more alarming is the
dramatic turn this indicates in the EU’s attitude towards privacy rights for its citizens. While the
EU acted quickly and decisively to prevent private entities from exploiting the data of its
citizenry, it has acted just as hastily to essentially remove those protections entirely where law
This is a saga unfolding as we speak, with the “extended adoption period” ending in
March 2009. As of this writing, 16 of 25 member nations had chosen to take advantage of this
extra time—seemingly indicative of the difficulty of gaining internal acceptance for the
directive’s requirements. Given the many problems with both the technical and philosophical
aspects of the directive, as well as the potential added costs of storage and compliance to service
providers, it is likely that the directive will be challenged in the courts of EU member nations as
they attempt to bring their national laws in line with its mandates.
Dissociative Identity Disorder 8
Works Cited
2006/24/EC. (European Union Directive 2006/24/EC of March 2006 on the retention of data
generated or processed in connection with the provision of publicly available electronic
communications services or of public communication networks and amending Directive
2002/58/EC). Official Journal of the European Union, L 105, 56-63.
Bignami, F. (2007). Protecting privacy against the police in the European Union: the data
retention directive. Chicago Journal of International Law. Duke Science, Technology &
Innovation Paper No. 13. Retrieved November 29, 2008, from SSRN:
http://ssrn.com/abstract=955261
Breyer, P. (2005). “Telecommunications data retention and human rights: the compatibility
of blanket traffic data retention with the ECHR” European Law Journal 11, 365. Retrieved
November 29, 2008, from http://www.tkg-
verfassungsbeschwerde.de/data_retention_and_human_rights_essay.pdf
Council of Europe. (1950) Convention for the Protection of Human Rights and Fundamental Freedoms
(ECHR). Retrieved November 29, 2008, from
http://conventions.coe.int/Treaty/en/Treaties/Html/005.htm.
Church, P. and G. Kon. (2007). Google at the heart of a data protection storm. Computer Law &
Security Report, 23(5), 461-465.
Foundation for information policy research (FIPR). (2002). Statement of the European Data
Protection Commissioners. Retrieved November 29, 2008, from
http://www.fipr.org/press/020911DataCommissioners.html
Heisenberg, D. and M. Fandel. (2004). Projecting EU regimes abroad: The EU data protection
directive as global standard. In S. Braman (Ed.), The emergent global information policy regime
(pp. 109). New York: Palgrave Macmillan.
Horns, A. German government passes "bill for improving the enforcement of intellectual
property rights". Patentanwalt, Axel H. Horns' blog on intellectual property law - patent, trade
mark & design. Retrieved November 29, 2008, from http://www.ipjur.com/2007/01/german-
government-passes-bill-for.php3
Kotzanikolaou, P. and C. Douligeris. (2007). "Privacy threats of data retention in Internet
communications," IEEE 18th international symposium on personal, indoor and mobile radio
communications, 1-7. Retrieved November 29, 2008, from
http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=4394199&isnumber=4393983
Nettleton, E. and M.Watts. (2006). The data retention directive. Journal of Database
Marketing & Customer Strategy Management, 14(1), 74-77. Retrieved November 28, 2008, from
ABI/INFORM Global database. (Document ID: 1204693091).
Salbu, S. (2002). The European Union data privacy directive and international relations.
Vanderbilt Journal of Transnational Law, 35, 655.
Taylor, M. (2006). The EU data retention directive. Computer Law & Security Report, 22(4),
309-312.
Warner, J. (2005). The right to oblivion: Data retention from Canada to Europe in three
backward steps. University of Ottawa Law & Technology Journal, 2(1), 75.