Dissociative Identity Disorder 1

Dissociative Identity Disorder:

Europe’s Split Personality on Data Retention

Matthew D. Hamilton

LI820XA: International Information Policy

Emporia State University

November 28, 2008

 Dissociative Identity Disorder 2
Dissociative Identity Disorder:

Europe’s Split Personality on Data Retention

Recently, the issue of privacy has been much discussed in information policy debates, the

professional literature, and in the news media at large. Other authors have made much of the

European emphasis on privacy rights in contrast to American attitudes (Heisenberg and Fandel,

2004; Salbu, 2002). However, despite an alleged de-emphasis of privacy rights versus the need

to combat terrorism, recent electoral changes suggest that Americans are less willing to trade a

“little freedom for a little security” after all. Even as Americans seem ready to push back against

the most drastic of measures adopted during the Bush Administration, the European Union is

taking steps that can potentially undermine its own earlier efforts to protect the privacy rights of

its citizens in the form of Directive 2006/24/EC, “on the retention of data generated or processed

in connection with the provision of publicly available electronic communications services or of

public communications networks and amending Directive 2002/58/EC”.

The first section of this article will describe Directive 2006/24/EC as adopted by the

European Council and currently being enacted by the EU member states. The second section

will then discuss some of the objections to this directive, including how the retention directive

conflicts with the previously established European emphasis on the protection of privacy rights

of its citizens.

On Data Retention

Nettleton and Watts (2006) write that after the attacks of September 11, 2001, EU

member nations began to enact legislation requiring that communications providers retain

communication data for the purposes of assisting law enforcement in the investigation and
 Dissociative Identity Disorder 3
prevention of criminal acts. They cite as an example the U.K.’s “Anti-Terrorism, Crime, and

Security Act 2001”, which allowed for the voluntary retention of usage data by service providers

that would have previously been prohibited by data protection legislation.

However, after the Madrid bombing on March 11, 2004, calls for harmonization of data

retention policies across the member states gained political favor and earnest efforts were made

on the part of the Commission to enact a directive establishing consistent regulations across the

differing member nations. On February 21, 2006, the European Council adopted Directive

2006/24/EC after months of contentious negotiations between the Council, the Commission, the

Parliament, and various interest groups.

The directive:

1. States its aim is to, “retain certain data and to ensure that those data are available for

the purpose of the investigation, detection and prosecution of serious crime”.

2. Establishes a period of retention for data of not less than six months and not more

than two years for all providers of “publically available” communications services.

3. Applies to traffic and location data on both legal entities and persons. It does not

apply to the content of the messages.

4. Specifies the types of information to be retained, including: the source and destination

of the communication—which includes the phone numbers and/or user identity as

well as the “machine address” of the equipment; the time, date, length of the

communication; and the type and location of the equipment being used.

5. Establishes that communications providers must also utilize an interface which

provides this data “without delay”, when requested by “competent national

authorities”.
 Dissociative Identity Disorder 4
Problems with the Directive

There are a number of criticisms made of the directive. The first is that it appears to be in

violation of earlier norms of data protection established with EU Directives 95/46/EC and

2002/58/EC. The European Data Protection Commissioners were so concerned about the

implications of the directive that prior to its adoption they released a statement expressing that

they “have grave doubt as to the legitimacy and legality of such broad measures. They also want

to draw attention to the excessive costs that would be involved for the telecommunication and

internet industry” (FIPR, 2002).

At first glance, one can certainly argue that the new directive violates the spirit of

previously enacted European privacy legislation, which Salbu (2001) categorizes as “broad and

comprehensive, applying to both public and private sectors” as opposed to American solutions

which tend to be reactive and focused on specific issues areas (such as credit reporting,

education, financial privacy, telephony, cable, and video). Traditionally, European Privacy

protection measures have recognized the “threat to privacy if information relating to any

individual is allowed to accumulate as the years go by” (Warner, 2005).

Critics also claim that the law violates Article 8 of the European Convention for the

Protection of Human Rights and Fundamental Freedoms (ECHR). Breyer (2005) argues that it

violates this article because it does not distinguish between suspects and purely innocent

individuals; that the pervasiveness of electronic communications would effectively remove any

means of private, unmonitored communications; and that the data is too easily manipulated and

or abused by government officials. To know that all communications are monitored would have

a chilling effect in a democratic society.

 Dissociative Identity Disorder 5
However, Bignami (2007) disagrees with this assertion, claiming that privacy as defined

by Article 8 of the ECHR is adequately protected. His argument is that previous data protection

measures were designed to protect the misuse of data by private entities or government

agencies—but not by national governments exercising their “core sovereignty powers: domestic

policing and protecting national security”.

Bignami’s assertion does not tend to be supported by other writers. Salbu (2001) and

Heisenberg and Fandel (2004) argue that Europe’s emphasis on privacy rights partially stems

from the Third Reich’s use of data collection technologies—suggesting a fear of the state itself.

Indeed, Article 17 of the ECHR specifically prohibits the abuse of any of its protections by the

State (Council, 1950). Breyer (2005) writes, “Experience shows that the risk of powers being

abused, especially where they are exercised in secret, must not be underestimated, even in

Europe.”

Another criticism of the directive is that while at first glance, it may appear that storing

context data, rather than content data, helps alleviate privacy concerns. However, as

Kotzanikolaou and Douligeris (2007) point out—disclosure of context reveals the identity of the

parties involved, the time and location of the communication, and also reveals something about

the content of the communication. For instance, it is easy enough to follow the IP address of a

site visited to access the information on the web site stored on the server. Church and Kon

(2007), illustrate how search engine data, which includes the identifying IP address of the

searcher, also reveals much about the content of an individuals’ queries.

While anyone can support the prevention of visits to a site specializing in child

pornography, it becomes much more problematic when dealing with issues that are less clear-cut.

What if someone is researching terrorism rather than supporting it? Such visits would draw the
 Dissociative Identity Disorder 6
same scrutiny to the individual involved. The presumption of innocence, as guaranteed by

Article 6 of the ECHR, will have been compromised in this situation.

Regardless of one’s thoughts on privacy, there are other criticisms of the directive as

well. The directive’s language is riddled with ambiguities. While it states that it is intended to

fight “serious crime”, it does not define what crimes qualify as “serious” nor does it prohibit

member states from enacting laws that allow access to the data for investigations into civil, rather

than criminal, matters. Already Germany has moved to enact laws that allow the use of retained

data in cases involving violation of intellectual property laws (Horns, 2007).

Another criticism of the directive is that despite the stated intent to “harmonize” the data

retention policies across member states, many communication service providers are frustrated

that the directive leaves such a wide range of possible retention periods open for differing

national policies. Thus, even if a multinational company is retaining customer data for the legally

proscribed period in say, France for two years—they may be compelled by Germany and the pre-

existed data protection laws to delete their records after 6 months (Nettleton and Watts, 2006).

A final criticism of the directive is the added cost to service providers and the

corresponding burden on the consumer. One area where costs rise is in the requirement that

“competent national authorities” be given access “without undue delay” to this stored data when

requested. As Taylor (2006) highlights, the technical specification of storing and transmitting

this data in a secure and portable format is left unaddressed. This leaves a difficult technological

problem for service providers to solve at their own cost or face legal sanction as the means of

storing and accessing the data are likely to vary widely among service provider systems.

Additionally, the cost of storage itself was left unaddressed by the directive, leaving member

nations to decide for themselves whether to reimburse service providers for this added expense.
 Dissociative Identity Disorder 7
The Future of the Directive

While the importance of stopping terrorism is not to be discounted, it does seem that the

directive leaves a financial and technological burden at the feet of service providers that may

leave them at a competitive disadvantage in the world market. Even more alarming is the

dramatic turn this indicates in the EU’s attitude towards privacy rights for its citizens. While the

EU acted quickly and decisively to prevent private entities from exploiting the data of its

citizenry, it has acted just as hastily to essentially remove those protections entirely where law

enforcement is concerned. It is not surprising to see a backlash among concerned policymakers

and advocacy groups rearing its head.

This is a saga unfolding as we speak, with the “extended adoption period” ending in

March 2009. As of this writing, 16 of 25 member nations had chosen to take advantage of this

extra time—seemingly indicative of the difficulty of gaining internal acceptance for the

directive’s requirements. Given the many problems with both the technical and philosophical

aspects of the directive, as well as the potential added costs of storage and compliance to service

providers, it is likely that the directive will be challenged in the courts of EU member nations as

they attempt to bring their national laws in line with its mandates.
 Dissociative Identity Disorder 8
Works Cited

2006/24/EC. (European Union Directive 2006/24/EC of March 2006 on the retention of data
generated or processed in connection with the provision of publicly available electronic
communications services or of public communication networks and amending Directive
2002/58/EC). Official Journal of the European Union, L 105, 56-63.
Bignami, F. (2007). Protecting privacy against the police in the European Union: the data
retention directive. Chicago Journal of International Law. Duke Science, Technology &
Innovation Paper No. 13. Retrieved November 29, 2008, from SSRN:
http://ssrn.com/abstract=955261
Breyer, P. (2005). “Telecommunications data retention and human rights: the compatibility
of blanket traffic data retention with the ECHR” European Law Journal 11, 365. Retrieved
November 29, 2008, from http://www.tkg-
verfassungsbeschwerde.de/data_retention_and_human_rights_essay.pdf
Council of Europe. (1950) Convention for the Protection of Human Rights and Fundamental Freedoms
(ECHR). Retrieved November 29, 2008, from
http://conventions.coe.int/Treaty/en/Treaties/Html/005.htm.
Church, P. and G. Kon. (2007). Google at the heart of a data protection storm. Computer Law &
Security Report, 23(5), 461-465.
Foundation for information policy research (FIPR). (2002). Statement of the European Data
Protection Commissioners. Retrieved November 29, 2008, from
http://www.fipr.org/press/020911DataCommissioners.html
Heisenberg, D. and M. Fandel. (2004). Projecting EU regimes abroad: The EU data protection
directive as global standard. In S. Braman (Ed.), The emergent global information policy regime
(pp. 109). New York: Palgrave Macmillan.
Horns, A. German government passes "bill for improving the enforcement of intellectual
property rights". Patentanwalt, Axel H. Horns' blog on intellectual property law - patent, trade
mark & design. Retrieved November 29, 2008, from http://www.ipjur.com/2007/01/german-
government-passes-bill-for.php3
Kotzanikolaou, P. and C. Douligeris. (2007). "Privacy threats of data retention in Internet
communications," IEEE 18th international symposium on personal, indoor and mobile radio
communications, 1-7. Retrieved November 29, 2008, from
http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=4394199&isnumber=4393983
Nettleton, E. and M.Watts. (2006). The data retention directive. Journal of Database
Marketing & Customer Strategy Management, 14(1), 74-77. Retrieved November 28, 2008, from
ABI/INFORM Global database. (Document ID: 1204693091).
Salbu, S. (2002). The European Union data privacy directive and international relations.
Vanderbilt Journal of Transnational Law, 35, 655.
Taylor, M. (2006). The EU data retention directive. Computer Law & Security Report, 22(4),
309-312.
Warner, J. (2005). The right to oblivion: Data retention from Canada to Europe in three
backward steps. University of Ottawa Law & Technology Journal, 2(1), 75.