MEPs to dust off data protection proposal

Wired on Friday: A re-drafted bill being brought before the EU raises fresh concerns about privacy of information.

Earlier this year, the Government passed an amendment to the Criminal Justice (Terrorist Offences) Act that would require telecoms and internet companies to store reams of private data on their customers' activities for three years. The data - which would include the websites you visit, the sender and recipients of e-mail, and the location of your mobile phone - would be there for law enforcement to pick over at a later date. You wouldn't need to be a suspect to be placed under this observation: everyone would be recorded automatically. The Garda could skim the files of anyone who might help them in the "prevention of crime".

The general opinion, as voiced in this newspaper at least, was that this new law was rather sneaked into the books. It was debated in a virtually empty Dáil, for instance. But then the whole issue of Government-mandated retention of data has a history of sneakiness. The law was hurried through partly because it had been uncovered that the telecommunication companies had already been doing this voluntarily for the Government; an act that, as the Data Protection Commissioner forcibly pointed out at the time, was illegal.

After many years of trying to push the same data retention practices on the rest of the European nations, those who want greater surveillance powers in the EU - including the US government, which has lobbied hard for the EU to relax its laws protecting personal data - are to make another attempt at EU-wide retention.

Next month, there will be a two-pronged attack at the very highest levels of the EU. On the one hand, Ireland, France, the UK and Sweden will re-present a framework proposal to the Council of Ministers that every state should freeze and store the kind of data already recorded by Ireland as a minimum.

This framework has been pushed before, and was heartily slapped down earlier this year by the European parliament. Their reasons were comprehensive: the enormous cost to companies; the unproven effectiveness of the data; the presumption of guilt implicit in recording the movement and social networks of every citizen in the EU; the risks of misuse. But perhaps the most pertinent objection, for the MEPs at least, was that the new framework itself was illegal.

Obliging businesses to keep expensive records on their customers was an economic issue, which is why it was of concern to the commission and the MEPs. So now, there's a new compromise; a gentler bill is being proposed to the MEPs as an economic "harmonisation" of data retention across Europe. There's only one problem: only Ireland and Italy actually enforce mandatory data retention. Everyone else refuses to touch it with a barge-pole.

Is it really harmonisation when you're arbitrarily changing the policies of almost every country in the EU? And what kind of economic advantage can come from shackling every communication company with the same burden?

The US, which was so enthusiastic in encouraging the EU to relax its personal data destruction laws after 9/11, doesn't force its ISPs and phone companies to keep data. When Minister for Justice Michael McDowell spoke of the need for data retention in order to combat terrorism, it's worth noting that the governments of Spain and the UK, the most obvious victims of recent bombings in Europe, have not implemented anything like the same laws.

The new suggested draft, as leaked to the European pressure group European Digital Rights, certainly looks softer than the Council of Ministers' older proposal. There's a more sensible looking retention period of just a year - but with no set maximum. There is a humble looking list of data to be collected, but only humble compared to the original proposals. Somebody somewhere will still have a record of everywhere your mobile phone went in the last year, and the details of every e-mail you sent, and every website you visited.

The commission can change the parameters at any time, although it has an obligation to consult with a toothless committee of data protection commissioners, business representatives, MEPs and other groups.

I hope the MEPs, entrusted as they are with protecting our civil liberties and our economic wellbeing at a European level, see through the thin layer of promises provided in the new proposal. Their objections are still valid. It will still be hellaciously expensive to collect, and will become more so as broadband and new applications spread on the net. And it still represents a sea-change in our freedoms, with little consideration for the consequences.

If law-makers suggested that a file be opened on every EU citizen, and postal workers were asked to keep a record of every citizen's movements, and the recipient of every letter sent, there would be uproar.

Just because we live in a world of new technology doesn't mean we should surrender our convictions about guilt and innocence, and about privacy and proportionality. Technology should change the possibilities of lawful society, not its priorities.