The European Commission is considering stricter controls on who can access communications data stored for law-enforcement and anti-terrorist purposes.
On Monday, the Commission published a report (PDF) evaluating the implementation so far of the Data Retention Directive, which came into force in 2006, and is now set to be revised. The report said most member states still see the directive, formulated after the 2004 Madrid bombings, as necessary.
The European Commission is considering stricter controls on who can access communications data stored for law-enforcement purposes.
It also said there was a great amount of variation in the way the directive is being transposed into national law, although this is to be expected as the directive was designed to allow a certain amount of leeway.
However, the report also noted that the idea of data retention remains a "significant limitation on the right to privacy", and the Commission said it may therefore strengthen safeguards to stop citizens' data being used inappropriately.
"Whilst there are no concrete examples of serious breaches of privacy, the risk of data security breaches will remain unless further safeguards are put in place," the Commission said in a statement. "The Commission will therefore consider more stringent regulation of storage, access to and use of the retained data."
The directive orders communications providers to store their records of customers' interactions for between six and 24 months — the UK chose one year — so law enforcement officials can access that data if necessary. The data includes details of who contacted whom when, rather than the contents of communications.
The Commission's report is based on member states' experiences of data retention, as gauged for more than a year through conferences, meetings and a stakeholder questionnaire.
On Monday, the Commission said it will revise the directive "in consultation with the police and the judiciary, industry, data-protection authorities and civil society, with a view to proposing an improved legal framework".
The Open Rights Group (ORG), which has campaigned against the directive alongside other digital rights groups, said on Monday that the report's analysis of human rights concerns is a "whitewash".
We think the report's a whitewash and the Data Retention Directive is almost certainly illegal. – Jim Killock, Open Rights Group
Indeed, several countries are yet to transpose the directive into law. Two — Sweden and Austria — have already been chastised by the Commission for dragging their heels. However, courts in Romania, the Czech Republic and Germany have all struck down proposed national laws — which would have been drawn from the directive — for being unconstitutional.
"We think the report's a whitewash and the Data Retention Directive is almost certainly illegal," ORG chief executive Jim Killock told ZDNet UK. "The fact that three constitutional courts have chucked it out ought to tell the Commission something."
The Commission insisted on Monday that "in no case did the courts rule that the Data Retention Directive is unconstitutional". It argued that the German law was unconstitutional because it "did not sufficiently limit the circumstances in which law-enforcement authorities could access the data"; the Romanian law had been "ambiguous in its scope and purpose, with insufficient safeguards"; and the Czech law had been "insufficiently precise and clear in its formulation".
Digital Rights Ireland, the Irish equivalent of the ORG, has initiated a court case there questioning the legality of the directive as a whole, saying the indiscriminate retention of data unlawfully restricts fundamental rights. The Commission said in its statement on Monday that it expects the case to be referred to the European Court of Justice (ECJ).