EU commission defends telecoms surveillance law

She recalled that the law was agreed upon somewhat hastily, in 2005, following the Madrid and London bombings, this being the first evaluation of how member states are applying the directive, five years after it came into force.

Under current provisions, internet and mobile phone providers are required to store - between six months and two years - details on who makes a call or sends an email, when and where, with police and intelligence services being then able to 'track calls back' and email traffic of serious crime suspects.

But in practice, as the European Commission admits in its report, the use of data retention varies greatly across the bloc. The law is not being applied in Germany, Romania, Sweden, Austria or the Czech Republic as it was blocked either by the respective constitutional courts or the parliament. In Poland conversely, data is stored the longest, police make the most inquiries to telecom providers and the country's national law does not specify that it should be used only for serious crimes, leaving room for journalists to be spied on to determine their sources, or for civil cases such as divorces.

Malmstrom insisted that the information provided by EU governments - despite being patchy and different from country to country - "indicates that data retention subject to EU regulation is indeed a necessary measure," so that investigators, telecom companies and citizens can have clear rules on the scope, duration and data privacy provisions.

She cited three success stories: fraudsters being caught by police after they called elderly people in Hungary and Poland pretending to be a relative in need of money; a gangster boss convicted in 2009 in connection with the seizure of heroin smuggled from Afghanistan to the UK valued at almost €40 million; and the dismantling of an international paedophile network of 70,000 members.

"If we didn't have EU rules on this, data retention would not disappear. Member states would almost certainly maintain their rules on compulsory retention and operators would retain data for commercial purposes," Malmstrom said.

Infringement procedures

That may be true for Poland, but it also means that the five countries where data retention has not been enacted are forced to do so, despite hostile public opinion and - in the case of Germany, the Czech Republic and Romania - constitutional court rulings. Infringement procedures have already started against Germany and Sweden.

In the case of Sweden, Malmstrom's home country, a court verdict is due in the coming year and could impose penalties of more than €40,000 for each day of delayed implementation, which would amount to several million euros.

Even if the commission admits that the law needs improvements, especially since it does not cover data protection at all, leaving it up to member states to attach such provisions, Malmstrom said the amendments could take several years, and in the meantime, member states need to apply the current law.

"The European Commission did not invent this directive, it was asked for by member states and applies to all 27 countries. We can't be arbitrary in its application. We can't make any exceptions. The law has to be followed," she insisted.

The commission's report sent shock waves through the data protection community and MEPs dealing with this dossier.

"It is difficult to explain why the commission continues to ignore some fundamental facts about data retention. There is still no evidence that this limitation of privacy is necessary in order to fight serious crime effectively. On the contrary, the experience of the member states that live without blanket data retention proves the opposite," Katarzyna Szymielewicz from Panoptykon, a Polish data protection NGO told this website.

The Polish activist is also "puzzled" about the commission's claims that there are "no concrete examples of serious breaches of privacy."

"In Poland, we have witnessed a few loud scandals with the use of billing and geo-location data for tracking journalistic sources or 'reconstructing' political affairs," she said.

German NGOs also reacted forcefully.

"The EU must no longer force blanket and indiscriminate telecommunications data retention on its member states, but prohibit such laws in favour of expedited preservation and targeted collection of traffic data that is needed for a specific investigation," AK Vorrat, a German working group on data retention, recommends.

EU citizens have gained nothing

European Digital Rights (EDRi), an umbrella organisation for digital civil rights, also ran its parallel assessment of the data retention law and concluded that EU citizens have gained nothing from it, but lost their privacy.

"In 2010, the average European had their traffic and location data logged in a telecommunications database once every six minutes," EDRi flags up.

And according to the European Data Protection Supervisor, data retention is "the most privacy-invasive instrument ever adopted by the European Union."

The only logical consequence, following the publication of the report, would be to repeal the law, German Green MEP Jan Phillip Albrecht said.

"This evaluation makes clear that the EU data retention directive is completely disproportionate, allowing for the far-reaching retention of telecommunications data with no real justification," he added.

"The data retention directive was and remains an excessive knee-jerk response to terrorist attacks in Europe. There is no evidence that the far-reaching retention of data has led to any concrete results beyond compromising civil liberties," he continued.

But commission officials are very far from such a view. "The EU data retention directive is here to stay," one official told journalists on Monday, under condition of anonymity.