COUNCIL OF
THE EUROPEAN UNION

 Brussels, 28 April 2004





8958/04





CRIMORG 36
TELECOM 82


COVER NOTE


from : the French Republic, Ireland, the Kingdom of Sweden and the United Kingdom
date of receipt :  28 April 2004
to:  Javier Solana, SecretaryGeneral/High Representative

Subject : Draft Framework Decision on the retention of data processed and stored in connection with the provision of publicly available electronic communications services or data on public communications networks for the purpose of prevention, investigation, detection and prosecution of crime and criminal offences including terrorism


Dear Sir,

Pursuant to Articles 31(1)(c) and 34(2)(b) of the Treaty on European Union, please find attached a proposal by the French Republic, Ireland, the Kingdom of Sweden and the United Kingdom for the adoption by the Council of a Draft Framework Decision on the retention of data processed and stored in connection with the provision of publicly available electronic communications services or data on public communications networks for the purpose of prevention, investigation, detection and prosecution of crime and criminal offences including terrorism.

Pursuant to Article 17 of the Council's Rules of Procedure, we should be extremely grateful if you would ensure that this initiative is published in the Official Journal and forwarded to the European Parliament for an opinion.

(Complimentary close).


Signed:

 

Pierre SELLAL Anne ANDERSON
The Permanent Representative of France The Permanent Representative of Ireland


Sven Olof PETERSSON John GRANT
The Permanent Representative of Sweden The Permanent Representative of the United Kingdom



Draft Framework Decision

Framework Decision on the retention of data processed and stored in connection with the provision of publicly available electronic communications services or data on public communications networks for the purpose of prevention, investigation, detection and prosecution of crime and criminal offences including terrorism.


THE COUNCIL OF THE EUROPEAN UNION

Having regard to the Treaty on European Union, and in particular Article 31(1)(c) and Article 34 (2)(b) thereof,

Having regard to the initiative of the French Republic, Ireland, the Kingdom of Sweden and the United Kingdom,

Having regard to the Opinion of the European Parliament,


Whereas:

  1. Offering a high level of protection in an area of liberty, security and justice requires that the prevention, investigation, detection and prosecution of crime and criminal offences be carried out in an adequate manner.

  2. The plan of action of the Council and the Commission on the best ways to implement the provisions of the Treaty of Amsterdam on the establishment of an area of liberty, security and justice, the conclusions of the European Council at Tampere on 1516 October 1999, the European Council at Santa Maria da Feira on 1920 June 2000, the European Commission in its scoreboard and the European Parliament in its resolution of 19 May 2000 call for an intervention in the area of high tech crime.

  3. The conclusions of the Council of 20 September 2001 call for care to be taken to ensure that the forces of law and order are able to investigate criminal acts which involve the use of electronic communications systems and to take measures against the perpetrators of these crimes, while maintaining a balance between the protection of personal data and the needs of the law and order authorities to have access to data for criminal investigation purposes. It is noted in the conclusions of the Council of 19 December 2002 that, because of the significant growth in the possibilities afforded by electronic communications, data relating to the use of electronic communications is now a particularly important and valuable tool in the prevention, investigation, detection and prosecution of crime and criminal offences, in particular organised crime and terrorism.

  4. The Declaration on Combating Terrorism adopted by the European Council on 25 March 2004 instructed the Council to examine measures for establishing rules on the retention of communications traffic data by service providers with a view to adoption by June 2005.

  5. It is essential to retain data existing on public communications networks, generated in consequence of a communication, hereafter referred to as data, for the prevention, investigation, detection and prosecution of crimes and criminal offences involving the use of electronic communications systems. This proposal relates only to data generated as a consequence of a communication and does not relate to data that is the content of the information communicated. In particular, it is necessary to retain data in order to trace the source of illegal content such as child pornography and racist and xenophobic material; the source of attacks against information systems; and to identify those involved in using electronic communications networks for the purpose of organised crime and terrorism.

  6. Preservation of specific data relating to specified individuals in specific cases is not sufficient to meet these requirements. In investigations, it may not be possible to identify the data required or the individual involved until many months or years after the original communication. It is therefore necessary to retain certain types of data, which are already processed and stored for billing, commercial or any other legitimate purposes, for a certain additional period of time in anticipation that they might be required for a future criminal investigation or judicial proceedings. This framework decision therefore concerns the retention of data and does not relate to the preservation of data.

  7. In recognition of the importance of the need to retain data, Article 15 of Directive 2002/58/EC permits the adoption of legislative measures allowing, under certain conditions, retention of data for the purposes of the prevention, investigation, detection or prosecution of crime and criminal offences. This framework decision is not related to other objectives set out in Article 15 of this Directive and therefore does not provide for rules on data retention for the purpose of safeguarding national security (i.e. State Security), defence, public security. Nor is it related to the unauthorised use of the electronic communication system when such use does not constitute a criminal offence.

  8. Many Member States have passed legislation concerning a priori retention of data for the purposes of prevention, investigation, detection or prosecution of crime and criminal offences. Work in this area is under way in other Member States. The content of this legislation varies considerably between Member States.

  9. The differences between the legislation in Member States is prejudicial to cooperation between the competent authorities in the prevention, investigation, detection and prosecution of crime and criminal offences. To ensure effective police and judicial cooperation in criminal matters, it is therefore necessary to ensure that all Member States take the necessary steps to retain certain types of data for a length of time within set parameters for the purposes of preventing, investigating, detecting and prosecuting crime and criminal offences including terrorism. Such data should be available to other member states in accordance with the instruments on judicial cooperation in criminal matters adopted under Title VI of the Treaty on European Union. This should also include instruments which were not adopted under this Title but which has been acceded to by the member states and to which reference are made in the instruments on judicial cooperation in criminal matters adopted under Title VI of the Treaty on European Union.

  10. Such a priori retention of data and access to this data may constitute an interference in the private life of the individual. However, such an interference does not violate the international rules applicable with regard to the right to respect to privacy and the handling of personal data contained, in particular, in the European Convention on the Protection of Human Rights of 4 November 1950, the Convention of the Council of Europe no.108 on the protection of persons in respect of the automated handling of personal data of 28 January 1981, and the Directives 95/46/EC, 97/66/EC and 2002/58 EC where such interference is provided for by law and where it is appropriate, strictly proportionate to the intended purpose and necessary within a democratic society, and subject to adequate safeguards for the prevention, investigation, detection and prosecution of crime and criminal offences including terrorism.

  11. Taking into account both the need to ensure that data is retained a priori in an efficient and harmonised way and the need to allow Member States ample room to make their own individual assessments given the differences that exist between criminal justice systems, it is appropriate to establish parameters for the a priori retention of data.

  12. Data may be a priori retained for different periods of time depending on its type. The retention periods for each type of data will be dependant on the usefulness of the data in relation to the prevention, investigation, detection, and prosecution of crime and criminal offences and the cost of retaining the data. The retention periods shall be proportionate in view of the needs for such data for the purposes of preventing, investigating, detecting and prosecuting crime and criminal offences as against the intrusion into privacy that such retention will entail from disclosure of that retained data.

  13. The drawing up of any lists of the types of data to be retained must reflect a balance between the benefit to the prevention, investigation, detection, and prosecution of crime and criminal offences of keeping each type of data against the level of invasion of privacy which will result.

  14. The framework decision does not apply to access to data at the time of transmission, that is by the monitoring, interception or recording of telecommunications.

  15. Member states must ensure that access to retained data takes account of privacy rules as defined in international law applicable to the protection of personal data.

  16. Member States shall ensure that implementation of the Framework Decision involves appropriate consultation with the Industry.


HAS ADOPTED THE PRESENT DECISION:


Article1

Scope and Aim

  1. This Framework Decision aims to facilitate judicial cooperation in criminal matters by approximating Member States' legislation on the retention of data processed and stored by providers of a publicly available electronic communications service or a public communications network, for the purpose of prevention, investigation, detection and prosecution of crime or criminal offences including terrorism.

  2. This Framework Decision shall not apply to the content of exchanged communications, including information consulted using an electronic communications network where that is defined in national law.

  3. A Member State may decide not to apply paragraph 1 of this Article, with regard to prevention of crime or criminal offences as purposes for retaining data which is processed and stored, should the Member State not find such purposes acceptable following any national procedural or consultative processes. A Member State deciding to make use of this derogation at any time must give notice of this decision to the Council and to the Commission.

  4. This framework decision is without prejudice to:

Article2

Definitions

    1. For the purpose of this Framework Decision :

    a) The definition of the term "data" in this framework decision includes traffic data and location data as set out in Article 2 of the Directive 2002/58/EC, and is inclusive of subscriber data and user data related to these data.

    b) User data means data relating to any natural person using a publicly available electronic communications service, for private or business purposes, without necessarily having subscribed to the service.

    c) Subscriber data means data relating to any natural person using a publicly available electronic communications service for, private or business purposes, without necessarily having used the service.

    2. Data shall for the purpose of the Framework Decision include:

    a) Data necessary to trace and identify the source of a communication which includes personal details, contact information and information identifying services subscribed to.

    b) Data necessary to identify the routing and destination of a communication.

    c) Data necessary to identify the time and date and duration of a communication.

    d) Data necessary to identify the telecommunication.

    e) Data necessary to identify the communication device or what purports to be the device.

    f) Data necessary to identify the location at the start and throughout the duration of the communication.

    3. These data include data generated by services provided within the following communication infrastructures, architectures and protocols:

    a) Telephony excluding Short Message Services, Electronic Media Services and Multi Media Messaging Services.

    b) Short Message Services, Electronic Media Services and Multi Media Messaging Services provided as part of any telephony service.

    c) Internet Protocols including Email, Voice over Internet Protocols, world wide web, file transfer protocols, network transfer protocols, hyper text transfer protocols, voice over broadband and subsets of Internet Protocols numbers network address translation data.

    4. Future technological developments that facilitate the transmission of communications shall be within the scope of this Framework Decision.

Article3

Retention of data

Each Member State shall take the necessary measures to ensure that, for the purpose of providing judicial cooperation in criminal matters, retained data processed and stored by providers of a public communications network or publicly available electronic communications services inclusive of subscriber data and user data related to these data, is retained in accordance with the provisions of this framework decision, with a view to facilitating judicial cooperation in criminal matters.


Article4

Time periods for retention of data

  1. Each Member State shall take the necessary measures to ensure that data shall be retained for a period of at least 12 months and not more than 36 months following its generation. Member States may have longer periods for retention of data dependent upon national criteria when such retention constitutes a necessary, appropriate and proportionate measure within a democratic society.

  2. A Member State may decide to derogate from paragraph 1 of this Article, with regard to data types covered by paragraph 2 of Article 2 in relation to the methods of communication identified in paragraph 3(b) and 3 (c) of Article 2, should the Member State not find acceptable, following national procedural or consultative processes, the retention periods set out in paragraph 1 of this Article. A Member State deciding to make use of this derogation at any time must give notice to the Council and to the Commission stating the alternative time scales being adopted for the data types affected. Any such derogation must be reviewed annually.

    Article5

    Access to data for the purpose of judicial cooperation in criminal matters

    A request made by a Member State to another Member State, for access to data referred to in Article 2, shall be made and responded to in accordance with the instruments on judicial cooperation in criminal matters adopted under Title VI of the Treaty on European Union. The requested Member State may make its consent to such a request for access to data subject to any conditions which would have to be observed in a similar national case.

    Data Protection

    Each Member State shall ensure that data retained under this Framework Decision shall be subject, as a minimum, to the following data protection principles and shall establish judicial remedies in line with the provisions of Chapter III on 'Judicial remedies, liability and sanctions' of Directive 95/46/EC:

    (a) data shall be accessed for specified, explicit and legitimate purposes by competent authorities on a case by case basis in accordance with national law and not further processed in a way incompatible with those purposes;

    (b) the data shall be adequate, relevant and not excessive in relation to the purposes for which they are accessed. Data shall be processed fairly and lawfully;

    (c) data accessed by competent authorities shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purpose for which the data were collected or for which they are further processed;

    (d) the confidentiality and integrity of the data shall be ensured.

    (e) data accessed shall be accurate and, every reasonable step must be taken to ensure that personal data which are inaccurate , having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;


    Article7

    Data Security

    Each Member State shall ensure that data retained under this Framework Decision shall be subject, as a minimum, to the following data security principles and regard shall be given to the provisions of Article 4 of the Directive:

    (a) the retained data shall be of the same quality as those data on the network;

    (b) the data shall be subject to appropriate technical and organisational measures to protect the data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and against all other unlawful forms of processing;

    (c) all data shall be destroyed at the end of the period for retention except those data which have been accessed and preserved;

    (d) the process to be followed in order to get access to retained data and to preserve accessed data shall be defined by each Member State in national law.


Article8

Implementation

    Member States shall take the necessary measures to comply with this Framework Decision by […..June 2007] within two years following the date of adoption.

    By the same date Member States shall transmit the General Secretariat of theCouncil and to the Commission the text of the provisions transposing into their national law the obligations imposed on them under this Framework Decision. The General Secretariat of the Council shall communicate to the Member States the information received pursuant to this Article.

    The Commission shall by [ ….1st January 2008] submit a report to the Council assessing the extent to which the Member States have taken necessary measures in order to comply with this Framework Decision.

    Entry into force

    This Framework Decision shall enter into force on the twentieth day following its publication in the Official Journal of the European Union.

    Done at Brussels,