The European Union's data protection watchdog has called the Data Retention Directive the most privacy invasive instrument ever adopted by the EU.
On Friday the European Data Protection Supervisor (EDPS) Peter Hustinx demanded that the European Commission demonstrate the necessity and justification for the directive with concrete facts and figures. "Without such proof, the directive should be withdrawn or replaced by a less privacy invasive instrument which meets the requirements of necessity and proportionality," he added.
Under the Data Retention Directive, fixed and mobile telephone companies and ISPs must retain traffic, location and subscriber information of all their customers. In terms of the number of citizens affected, the scale of the data collected is huge.
However, there remain differences between member states and the EDPS is concerned about 'mission-creep'. A new or modified EU instrument on data retention should be clear about its scope and should leave no room for the member states to use the data for additional purposes, he said.
Shortening retention span
The directive, which was established in 1995 and is currently under review, is more widely unpopular. In October, the Electronic Frontier Foundation (EFF) said the directive was "disproportionate" and called for it to be abolished.
Member of the European Parliament Alexander Alvaro, recently described it as "absurd." And the European Commission's own Article 29 Working Party (WP29) criticised the directive in July saying that more harmonisation is needed and that the period for retaining data should be shortened.
Also speaking on Friday, Home Affairs Commissioner Cecilia Malmström seemed to give way on the latter issue saying that shorter retention periods may need to be considered. However she reiterated that "data retention is here to stay."
According to Commission figures there are an average of 148,000 requests per year in each of the 20 member states that have implemented the directive. The vast majority of these requests (90 percent) were for data less than six months old.
"If the data were not helpful, law enforcement authorities would presumably not spend human and financial resources on requesting them in those numbers," said Malmström.
An impact assessment and legislative proposals will be presented in 2011.