Avenue des Arts 53, 1000 Brussels, Belgium
Telephone 32-2-513 68 92
Fax 32-2-513 79 28
Email: amchameu@amchameu.be

May 30th 2005

Position Paper on Data Retention (May 30th 2005, p. 1-5) and Supplementary Response to COM (2005) 438 Annex on Email Data Retention (November 9th 2005, p. 6-7)

EXECUTIVE SUMMARY

Subject: Implementation of Data Retention

Business Perspective: A multitude of inconsistent national retention obligations impose extra unnecessary burdens on pan-European operators.

AmCham EU Position: AmCham EU does not advocate the implementation of mandatory data retention per se. AmCham EU recognises that some retention obligations already exist at national level and that the implementation of a pan-European framework for retention could potentially increase existing concerns. We therefore support data retention rules that are both proportionate and harmonised. AmCham EU also recommends that the Commission and Council consider complementing proportionate data retention obligations with data preservation.

Subject: The need for proportionate and harmonised retention rules

Business Perspective: Retention should not be mandated for longer than is generally needed by responsible operators for business purposes.

AmCham EU Position: Retention obligations should be based upon demonstrable law enforcement needs and grounded in the experience gained to date in cooperating with the communications industry. Any proposals must reflect technical and economic limitations. Any retention durations set at EU level should be set out clearly and carefully to balance the investigative need for each data type against the cost of retention. The track record of service provider response to LEA requests suggests that where companies keep data for three months for billing purposes, the data have proved useful and the time period sufficient.
Subject: Impact assessment and cost reimbursement

Business Perspective: Business is concerned that the current proposal would vastly increase the amount of data that it must retain, which would be extremely burdensome both technically and financially.

AmCham EU Position: If measures are implemented that necessitate retention for longer than required for business purposes, reimbursement schemes and liability limits must be foreseen to offset costs and security risks for the establishment of the infrastructure to store and retrieve data. Member States should also be provided with at most minimal rights to deviate from EU retention requirements as a basic necessity both to reduce implementation costs and to respect national data protection liabilities for pan-European operators.

INTRODUCTION

The American Chamber of Commerce to the European Union (AmCham EU) is pleased to offer the following comments on the issue of European mandatory data retention. Recent opinions issued by the Legal Services of the Commission and Council respectively have addressed the issue of appropriate jurisdiction for EU retention-related proposals. These developments, in conjunction with expectations for new draft legislation, make AmCham EU’s comments very timely. (Please see the Annex on page six for specific problems related to retaining email data contained in the Commission draft, COM (2005) 438 Annex, section (b) part (3).)

The American Chamber of Commerce to the European Union (AmCham EU) is the voice of companies of American parentage committed to Europe towards the institutions and governments of the European Union. As such, it represents some of the earliest and most committed business supporters of the European ideal and, in particular, of the single market concept.

BACKGROUND

The European Council Declaration on Combating Terrorism, adopted on March 25th 2004, after the Madrid attacks, states that proposals on data retention should be adopted by the end of June 2005.
A Draft Framework Decision on Electronic Communications Data Retention, which compels service providers to store data for a period of at least 12 months and not more than 36 months following its generation, was proposed by four Member States on April 28th 2004 under their right of initiative in the third pillar. The European Commission subsequently engaged in a consultation during August and September 2004. It indicated in early March 2005 that it could not accept the legal basis proposed in the Council and that it would come forward with a proposal subject to co-decision. In addition, the Commission held that the first-pillar component of the legislation must be preceded by a full assessment of its business impact upon service providers.

EXISTING PRACTICE

The European Union

Some Member States have already introduced mandatory retention periods. New rules will oblige operators to retain data for 12 months in France and Belgium, for instance, and 36 and 48 months respectively in Ireland and Italy. In Germany, the law concerning data protection rejects the principles of retention in favour of data preservation and compels operators to retain traffic data for no longer than six months.

Multinational communications providers support and continue to assist law enforcement authority (LEA) efforts to fight crime and terrorism in a legally compliant way. Since the catastrophes of the US and Madrid terrorist attacks, industry has supported and cooperated with law enforcement, and remains committed to providing necessary assistance in the future. However, inconsistent and disproportionately heavy retention requirements will drain limited resources without strengthening either the cooperative bond between LEAs and communication service providers or the investigative utility of information retrieved from such measures.
The United States

Even following 9/11 and the subsequent US legislative responses there is no mandatory data retention obligation in the US, although a system of data preservation (discussed below) is provided for in legislation. The suggestion is often made that mandatory retention is not needed in the US because of the lack of data protection obligations requiring deletion of data. This is a misrepresentation of reality. US industry keeps data for its own commercial needs, notably billing and network security, but it does not keep such data indefinitely, as that would be disproportionately costly. The sort of data needed by law enforcement is therefore kept only for as long as is needed for billing and network security purposes – in many instances, around three months. The situation is similar in the EU in Member States where no additional retention obligations are imposed. National and proposed EU data retention rules therefore result in more data being retained in Europe than in the US. As these obligations come at a considerable cost to industry, AmCham EU believes more attention needs to be given to the impact on operating communications services in Europe.

THE NEED FOR PROPORTIONATE AND HARMONISED RETENTION RULES

For reasons including our knowledge that responsible operators already retain data for business purposes in a manner sufficient for law enforcement, AmCham EU does not advocate the implementation of mandatory data retention per se. Some Member States favour data preservation. However, AmCham EU recognises that some retention obligations already exist at national level and that the implementation of a pan-European framework for retention could potentially increase existing concerns. We have serious concerns that a multitude of inconsistent national retention obligations would impose extra burdens on pan-European operators.
We submit that data retention rules be both proportionate and harmonised, meaning that:

- retention obligations should be based upon demonstrable law enforcement needs and grounded in the experience gained to date in cooperating with the communications industry. At the same time, any proposals must reflect technical and economic limitations;

- any retention durations set at EU level should be set out clearly and carefully balance the investigative need for each data type against the cost of retention. Member States should also be provided with at most minimal rights to deviate from EU retention requirements. This is a basic necessity both to reduce implementation costs and to respect national data protection liabilities for pan-European operators.

In our view, LEA officials, including the parties responsible for the draft Framework Decision, have failed to describe how their proposed retention obligations will or can increase investigative effectiveness, crime prevention or anti-terrorism efforts. AmCham EU does not believe that retention should be mandated for longer than is generally needed by responsible operators for business purposes. The track record of service provider response to LEA requests suggests that where companies keep data for billing purposes, the data have proved useful and the time period sufficient. In practice, this means a ceiling to any obligation of around three months.

DATA PRESERVATION

AmCham EU urges the Commission and Council to consider complementing proportionate data retention obligations with data preservation systems, modelled on Germany’s example: preserving data on a single identifiable individual rather than retaining historical data on all users. This makes particular sense in the EU context, where one reason for obliging retention is the delay in accessing data from another Member State.
EU procedures should enable cross-border requests for preservation to be passed immediately to communications providers, pending the completion of formalities for release.

IMPACT ASSESSMENT – COST REIMBURSEMENT

Business groups have great concerns with the current proposal, as it would vastly increase the amount of data that they have to retain. Such an obligation to retain data and ensure its confidentiality would be extremely burdensome both technically and financially. The current draft EU legislation does not provide any estimate of its impact. With the Commission now preparing its own proposal, industry expects a full impact assessment to be made, in line with the Commission’s overall approach to better regulation unveiled on March 16th.

If measures are implemented that necessitate retention for longer than required for business purposes, cost reimbursement schemes must be foreseen both for the establishment of the infrastructure to store data and for retrieval. Reimbursement would also serve as the ultimate cost-benefit analysis of mandatory retention rules, as it forces government to internalise the costs it imposes on industry and to compare these with the benefits to law enforcement, which, as noted above, have never been publicly articulated. In addition, we propose that any such measures beyond business cases contain provisions exempting communications providers from liability for losses or harm caused by, for example, inadvertent security breaches involving retained data.

CONCLUSION

An open dialogue between governments and industry is paramount to ensure that LEAs get the support they need from communication providers while avoiding exorbitant technical and financial burdens on business. We realise that this discussion is only beginning – a proper impact assessment among experts is needed.
Thus, we look forward to a continuing dialogue on this issue, towards a retention framework that addresses the demonstrable needs of law enforcement with a proportionate safeguard of the communications industry and the rights of civil society.

* * *

Annex I
November 9th 2005

AmCham EU response to the European Commission’s September 2005 draft, Annex, section (b) part (3) of COM (2005) 438, on specific problems related to retaining email data.

Many of the largest email services are provided via the Internet. While many email service providers are in the United States, these services are available from providers in any country in the world. The vast majority of such public services are subsidised by advertising, and therefore there are few if any checks on the veracity of personal data provided by users when registering for such a service. In other words, it would be entirely trivial for a user to mask their identity or avoid services that would be subject to the proposed retention obligations.

By contrast, large global companies with private email networks that are connected to the global Internet for business purposes may be deterred by the privacy implications of a retention scheme that targets retention of email traffic data. Enterprise email data centres, such as those for financial services or health-care related industries, may be deterred by potential retention of data regarding their sensitive but otherwise law-abiding correspondence. These industries may choose to locate data centres in regions that would not be subject to the proposed retention obligations, which would pose an obvious competitive disadvantage to the European single market.

Irrespective of the implications for public or industry email traffic, it is without a doubt that for those EU-based services included in the proposed Directive, the costs of email traffic data retention would be astronomical. This is simply due to the huge volume of email correspondence daily on a global basis.
One may be aware that email correspondence exceeds telephony usage for many users, and as each email can be sent or copied to multiple recipients simultaneously, including attachments, the volume of data that would be implied rapidly increases.

However, an additional point regarding the utility of such a large volume of email traffic data needs to be made. A conservative current estimate is that 50% of global email traffic is spam, and traffic data for this percentage would be retained as well. There is no conceivable use for this traffic to law enforcement or industry, but it would be impossible to avoid its retention and attendant costs under the current proposal. Discussions as to the control of spam are a separate issue and ongoing in many fora, but current anti-spam measures will not impact the amount of attendant data that industry would be required to retain.

At the same time, most providers do not see a business need to retain email data. Unlike telephony, emails are not billed on an individual basis. Some providers may retain small amounts of email-related data for anti-spam diagnostic or enforcement purposes but, given the huge volumes involved, the periods of retention are only up to a week. The proposals would therefore represent a dramatic (26-times) increase in the data to be retained for certain providers and are even more onerous for many more that do not engage in limited retention at all.

In addition to knowing who called whom, another possible use for fixed telephony data is to attempt deductions regarding the presence of an individual at a location when the call was made. But even this is not possible with email, as it is a simple effort for a user to set up a computer to send an email at a particular time. In practice, the investigative scenario involving emails that does occur is that enforcement agencies search for a particular email or set of emails (e.g., on a computer that has been seized in a raid).
While the email addresses from or to whom emails have been sent cannot be traced back to an individual, there is information in emails (that most users do not see when using all common email programmes) about the technical path of the email – i.e., the “IP address” of the originating email. It is this address that provides the best possible investigative clues towards a suspect.

IP address data is generally retained by Internet providers for approximately three months. This reflects the commercial, as well as investigative, utility of the data and the fact that it is a less rapidly growing data set, incurring less significant costs. This IP address data is covered by the September 2005 draft EU Directive (Annex, section (a), part (3) (a)). Although AmCham EU does not agree with the proposal’s requirement for six-month retention, we do recognise that this is the area on which the proposals may need to focus.

Given some of the issues raised above, we sincerely hope that amendments deleting email traffic data from consideration will be supported.

The American Chamber of Commerce to the European Union (AmCham EU) is the voice of companies of American parentage committed to Europe towards the institutions and governments of the European Union. It aims to ensure an optimum business and investment climate in Europe. AmCham EU facilitates the resolution of EU-US issues that impact business and plays a role in creating better understanding of EU and US positions on business matters. Total US investment in Europe amounts to $850 billion, and currently supports over 3.5 million jobs.

* * *