Regulatory Review: Data Retention–Saving Those Records
by Gerry Oberst
Recently, the European Union published the new data protection directive for electronic communications services. This document applies to satellite operators just as much as it does to any telecommunications network providing public service. The rules could lead to substantial new record keeping obligations that have offended the data privacy groups. At the same time, telecom operators are alarmed by the costs involved.
Mobile satellite operators, and probably some fixed satellite service providers such as VSAT network operators, are already familiar with keeping records or making traffic data available for crime enforcement or national security requests. (We wrote about legal interception of satellite signals in the June 2000 issue of Via Satellite.) The new rules, however, could broaden those requests. New requirements that affect the satellite industry could also arise.
While the rules exclude broadcasting services, such as direct-to-home or broadcast satellite services, they would apply data retention standards to any service that allows an individual subscriber to be identified, with the prime example being video- on-demand.
The new Directive 2002/58/EC replaces an earlier version adopted in 1997 for the telecommunications field. Some of the main changes are to remove absolute requirements for telecom operators to delete traffic data after a short time; to set a framework for national security entities in the member states to develop rules on surveillance and data retention; and to set rules for cookies and spam.
This was a hard-fought compromise. As a result, adoption of the directive–which is part of the electronic communications package that covers all other aspects of European regulation–was delayed by several months until late July.
Data privacy groups fought bitterly to preserve provisions that require telecom operators to delete subscriber traffic data when no longer needed. The new directive guts this provision by providing a generic exception that permits member states to take “necessary, appropriate and proportionate measure[s] within a democratic society to safeguard national security…, defense, public security, and the prevention, investigation, detection and prosecution of criminal offenses or unauthorized use of the electronic communications system…”
That same exception specifically states European countries can rely on those grounds to adopt laws providing for data retention for a “limited period.” Ironically, it was little more than a year ago when the European Parliament adopted a resolution expressing concern over an alleged global surveillance system, called “Echelon,” that was said to depend, in particular, upon worldwide interception of satellite communications. That resolution was adopted on September 5, 2001–the events of a week later made it superfluous, never to be heard of again.
The Parliament crafted the compromise in early 2002 that would allow more retention of traffic data, but giving EU countries flexibility to decide how long the retention period should be. However, the European data privacy group, Statewatch, said the Belgian government at the same time was circulating a proposed framework decision on data retention that would create a mandatory approach throughout the EU. Statewatch got hold of a leaked copy of this proposal and described its provisions, causing a tempest in the waning weeks of summer 2002.
Statewatch argues, “The draft Framework Decision says data should be retained for 12 to 24 months in order for law enforcement agencies to have access to it.” It notes that this draft “also carries a strong hint that another measure is in the pipeline, one to allow law enforcement agencies access to the content as well as the traffic data of communications.” Statewatch claims that basic rights of data protection, proper rules of procedure, scrutiny by supervisory bodies and judicial review are lacking in the draft framework.
The directive generally applies only to publicly available electronic communications networks and services. At the outset, it states it does not apply to information conveyed as part of a broadcasting service, “except to the extent that the information can be related to an identifiable subscriber or user receiving the information.”
This exception could be an open invitation to apply data retention requirements to a variety of satellite services. The directive gives video-on-demand services as an example of a service that creates information that can be tied to a specific subscriber. It would seem that the scope of this provision could expand as interactive pay TV allows more and more identification of subscriber choices.
Already some cable and satellite companies reportedly are examining the possibilities of using the interactive functions of their services (for set top boxes or personal video recorder devices) to gather data on subscribers. It would be a short leap for law enforcement agencies to seek to get their hands on the same data, or to require the operators to retain vast mountains of data for later data mining in case of emergency.
Legal interception of signals is familiar and widely justified. Legal data retention may prove troubling, depending on how long the data is kept and who keeps it.
Gerry Oberst is a partner in the Brussels office of the Hogan & Hartson law firm. His email address is email@example.com.