European data laws to face scrutiny

Data retention by ISPs, data protection law, and information sharing with the US will all be examined by the European Commission to see whether they are necessary
Written by Tom Espiner, Contributor

The European Commission is to review a number of data laws and regulations to gauge whether they are necessary and proportionate.

The series of reviews is part of an action plan that runs from 2010 to 2014. The plan, announced on Tuesday, was drawn up following the endorsement by European leaders of 170 initiatives known as the Stockholm Programme. The focus of the programme is EU work on justice and home affairs over the next five years.

The data retention directive, which compels ISPs to hold communications data for a minimum of six months, will be scrutinised, according to Justice, Fundamental Rights and Citizenship spokesman Matthew Newman, who spoke to ZDNet UK on Wednesday.

"The commission will look at whether the Data Retention Directive is proportionate or whether the length of time the data is held is too long," said Newman.

The directive compels internet service providers (ISPs) to retain data such as the date, destination and duration of communications, and was brought in as an anti-terrorist measure in 2006. ISPs must hold the data for a maximum period of two years. In the UK, ISPs must hold the data for 12 months, enabling law enforcement and other government agencies, on request, to map networks of who is talking to whom, when and where.

European data protection law may be outmoded and may not adequately protect the privacy of users of new technologies, said Newman. The 1995 Data Protection Directive will be reviewed, said Newman, as there is a danger that the law may now be out of date.

"This law came out before the internet took off, before emailing was as common [as today], and before social networking. It needs to be looked at," said Newman. "Maybe it doesn't adequately protect data."

The transfer of financial messaging data to the US will be reviewed, as it may contradict fundamental European rights, said Newman. The European information-sharing agreement with the US on the transfer of Swift banking data for counter-terrorism purposes was rejected by the European Parliament in February, which found that it contravened European data protection law.

The provision of Passenger Name Record (PNR) data to the US will also be scrutinised, said Newman. PNR data, which includes name, address and banking details of airline passengers, must be provided to the US by law. However, in 2004 the European Court of Justice found the sharing of PNR data by air carriers contravened EU law, in part due to the wholesale provision of data.

Newman said that in particular, the right to redress in US courts for improper collection and use of Swift and PNR data will be examined.

The commission said in a statement on Tuesday that it would also consider the criminalisation of identity theft and of malicious software used to attack information systems. Under UK law, creating software that could compromise a computing system has been outlawed, creating a potential problem over tools that security researchers use to test systems.