COUNCIL
OF
THE EUROPEAN UNION |
|
Brussels, 28 April 2004
|
|
|
|
|
|
8958/04 |
|
|
|
|
|
CRIMORG 36
TELECOM 82
|
COVER NOTE
from : |
the French Republic,
Ireland, the Kingdom of Sweden and the United Kingdom |
date of
receipt : |
28 April 2004 |
to: |
Javier Solana,
SecretaryGeneral/High Representative |
|
Subject : |
Draft Framework Decision on the
retention of data
processed and stored in connection with the provision of publicly
available electronic communications services or data on public
communications networks for the purpose of prevention, investigation,
detection and prosecution of crime and criminal offences including
terrorism |
|
Dear Sir,
Pursuant to Articles 31(1)(c) and 34(2)(b) of the Treaty on European
Union, please find attached a proposal by the French Republic, Ireland,
the Kingdom of Sweden and the United Kingdom for the adoption by the
Council of a Draft Framework Decision on the retention of data
processed and stored in connection with the provision of publicly
available electronic communications services or data on public
communications networks for the purpose of prevention, investigation,
detection and prosecution of crime and criminal offences including
terrorism.
Pursuant to Article 17 of the Council's Rules of Procedure, we should be extremely
grateful if you would ensure that this initiative is published in the Official
Journal and forwarded to the European Parliament for an opinion.
(Complimentary close).
Signed:
Pierre
SELLAL |
Anne ANDERSON |
The Permanent
Representative of France |
The Permanent
Representative of Ireland |
|
|
Sven Olof PETERSSON |
John GRANT |
The Permanent Representative of Sweden |
The Permanent
Representative of the United Kingdom |
Draft Framework Decision
Framework Decision on the retention
of data processed and stored in connection with the provision of publicly available
electronic communications services or data on public communications networks
for the purpose of prevention, investigation, detection and prosecution of crime
and criminal offences including terrorism.
THE COUNCIL OF THE EUROPEAN UNION
Having regard to the Treaty on European Union, and in particular
Article 31(1)(c) and Article 34 (2)(b) thereof,
Having regard to the initiative of the French Republic, Ireland, the
Kingdom of Sweden and the United Kingdom,
Having regard to the Opinion of the European Parliament,
Whereas:
- Offering
a high level of protection in an area of liberty, security and justice
requires that the prevention, investigation, detection and prosecution
of crime and criminal offences be carried out in an adequate manner.
- The plan of action of the Council and the Commission on the best
ways to implement the provisions of the Treaty of Amsterdam on the
establishment of an area of liberty, security and justice, the
conclusions of the European Council at Tampere on 1516 October 1999,
the European Council at Santa Maria da Feira on 1920 June 2000, the
European Commission in its scoreboard and the European Parliament in
its resolution of 19 May 2000 call for an intervention in the area of
high tech crime.
- The conclusions of the Council of 20 September 2001 call for care
to be taken to ensure that the forces of law and order are able to
investigate criminal acts which involve the use of electronic
communications systems and to take measures against the perpetrators of
these crimes, while maintaining a balance between the protection of
personal data and the needs of the law and order authorities to have
access to data for criminal investigation purposes. It is noted in the
conclusions of the Council of 19 December 2002 that, because of the
significant growth in the possibilities afforded by electronic
communications, data relating to the use of electronic communications
is now a particularly important and valuable tool in the prevention,
investigation, detection and prosecution of crime and criminal
offences, in particular organised crime and terrorism.
- The Declaration on Combating Terrorism adopted by the European
Council on 25 March 2004 instructed the Council to examine measures for
establishing rules on the retention of communications traffic data by
service providers with a view to adoption by June 2005.
- It is essential to retain data existing on public communications
networks, generated in consequence of a communication, hereafter
referred to as data, for the prevention, investigation, detection and
prosecution of crimes and criminal offences involving the use of
electronic communications systems. This proposal relates only to data
generated as a consequence of a communication and does not relate to
data that is the content of the information communicated. In
particular, it is necessary to retain data in order to trace the source
of illegal content such as child pornography and racist and xenophobic
material; the source of attacks against information systems; and to
identify those involved in using electronic communications networks for
the purpose of organised crime and terrorism.
- Preservation of specific data relating to specified individuals
in specific cases is not sufficient to meet these requirements. In
investigations, it may not be possible to identify the data required or
the individual involved until many months or years after the original
communication. It is therefore necessary to retain certain types of
data, which are already processed and stored for billing, commercial or
any other legitimate purposes, for a certain additional period of time
in anticipation that they might be required for a future criminal
investigation or judicial proceedings. This framework decision
therefore concerns the retention of data and does not relate to the
preservation of data.
- In recognition of the importance of the need to retain data,
Article 15 of Directive 2002/58/EC permits the adoption of legislative
measures allowing, under certain conditions, retention of data for the
purposes of the prevention, investigation, detection or prosecution of
crime and criminal offences. This framework decision is not related to
other objectives set out in Article 15 of this Directive and therefore
does not provide for rules on data retention for the purpose of
safeguarding national security (i.e. State Security), defence, public
security. Nor is it related to the unauthorised use of the electronic
communication system when such use does not constitute a criminal
offence.
- Many Member States have passed legislation concerning a priori
retention of data for the purposes of prevention, investigation,
detection or prosecution of crime and criminal offences. Work in this
area is under way in other Member States. The content of this
legislation varies considerably between Member States.
- The differences between the legislation in Member States is
prejudicial to cooperation between the competent authorities in the
prevention, investigation, detection and prosecution of crime and
criminal offences. To ensure effective police and judicial cooperation
in criminal matters, it is therefore necessary to ensure that all
Member States take the necessary steps to retain certain types of data
for a length of time within set parameters for the purposes of
preventing, investigating, detecting and prosecuting crime and criminal
offences including terrorism. Such data should be available to other
member states in accordance with the instruments on judicial
cooperation in criminal matters adopted under Title VI of the Treaty on
European Union. This should also include instruments which were not
adopted under this Title but which has been acceded to by the member
states and to which reference are made in the instruments on judicial
cooperation in criminal matters adopted under Title VI of the Treaty on
European Union.
- Such a priori retention of data and access to this data may
constitute an interference in the private life of the individual.
However, such an interference does not violate the international rules
applicable with regard to the right to respect to privacy and the
handling of personal data contained, in particular, in the European
Convention on the Protection of Human Rights of 4 November 1950, the
Convention of the Council of Europe no.108 on the protection of persons
in respect of the automated handling of personal data of 28 January
1981, and the Directives 95/46/EC, 97/66/EC and 2002/58 EC where such
interference is provided for by law and where it is appropriate,
strictly proportionate to the intended purpose and necessary within a
democratic society, and subject to adequate safeguards for the
prevention, investigation, detection and prosecution of crime and
criminal offences including terrorism.
- Taking into account both the need to ensure that data is
retained a priori in an efficient and harmonised way and the need to
allow Member States ample room to make their own individual assessments
given the differences that exist between criminal justice systems, it
is appropriate to establish parameters for the a priori retention of
data.
- Data may be a priori retained for different periods of time
depending on its type. The retention periods for each type of data will
be dependant on the usefulness of the data in relation to the
prevention, investigation, detection, and prosecution of crime and
criminal offences and the cost of retaining the data. The retention
periods shall be proportionate in view of the needs for such data for
the purposes of preventing, investigating, detecting and prosecuting
crime and criminal offences as against the intrusion into privacy that
such retention will entail from disclosure of that retained data.
- The drawing up of any lists of the types of data to be retained
must reflect a balance between the benefit to the prevention,
investigation, detection, and prosecution of crime and criminal
offences of keeping each type of data against the level of invasion of
privacy which will result.
- The framework decision does not apply to access to data at the
time of transmission, that is by the monitoring, interception or
recording of telecommunications.
- Member states must ensure that access to retained data takes
account of privacy rules as defined in international law applicable to
the protection of personal data.
- Member States shall ensure that implementation of the Framework
Decision involves appropriate consultation with the Industry.
HAS
ADOPTED THE PRESENT DECISION:
Article1
Scope and Aim
- This
Framework Decision aims to facilitate judicial cooperation in criminal
matters by approximating Member States' legislation on the retention of
data processed and stored by providers of a publicly available
electronic communications service or a public communications network,
for the purpose of prevention, investigation, detection and prosecution
of crime or criminal offences including terrorism.
- This Framework Decision shall not apply to the content of
exchanged communications, including information consulted using an
electronic communications network where that is defined in national law.
- A Member State may decide not to apply paragraph 1 of this
Article, with regard to prevention of crime or criminal offences as
purposes for retaining data which is processed and stored, should the
Member State not find such purposes acceptable following any national
procedural or consultative processes. A Member State deciding to make
use of this derogation at any time must give notice of this decision to
the Council and to the Commission.
- This framework decision is without prejudice to:
- the
rules applicable to judicial cooperation in criminal matters with
regard to the interception and recording of
telecommunications;
- activities concerning public security, defence and
national security (i.e. State security);
- national rules relating to the
retention of data types which are not held by communication service
providers for business purposes.
Article2
Definitions
1. For the purpose of this Framework Decision :
a) The definition of the term "data" in this framework decision includes
traffic data and location data as set out in Article 2 of the Directive
2002/58/EC, and is inclusive of subscriber data and user data related
to these data.
b) User data means data relating to any natural person using a publicly
available electronic communications service, for private or business purposes,
without necessarily having subscribed to the service.
c) Subscriber data means data relating to any natural person using a
publicly available electronic communications service for, private or business
purposes, without necessarily having used the service.
2. Data shall for the purpose of the Framework Decision include:
a) Data necessary to trace and identify the source of a communication
which includes personal details, contact information and information identifying
services subscribed to.
b) Data necessary to identify the routing and destination of a communication.
c) Data necessary to identify the time and date and duration of a communication.
d) Data necessary to identify the telecommunication.
e) Data necessary to identify the communication device or what purports
to be the device.
f) Data necessary to identify the location at the start and throughout
the duration of the communication.
3. These data include data generated by services provided within the following
communication infrastructures, architectures and protocols:
a) Telephony excluding Short Message Services, Electronic Media Services
and Multi Media Messaging Services.
b) Short Message Services, Electronic Media Services and Multi Media
Messaging Services provided as part of any telephony service.
c) Internet Protocols including Email, Voice over Internet Protocols,
world wide web, file transfer protocols, network transfer protocols, hyper
text transfer protocols, voice over broadband and subsets of Internet
Protocols numbers network address translation data.
4. Future technological developments that facilitate the transmission of communications
shall be within the scope of this Framework Decision.
Article3
Retention of data
Each
Member State shall take the necessary measures to ensure that, for the
purpose of providing judicial cooperation in criminal matters, retained
data processed and stored by providers of a public communications
network or publicly available electronic communications services
inclusive of subscriber data and user data related to these data, is
retained in accordance with the provisions of this framework decision,
with a view to facilitating judicial cooperation in criminal matters.
Article4
Time periods for retention of data
- Each
Member State shall take the necessary measures to ensure that data
shall be retained for a period of at least 12 months and not more than
36 months following its generation. Member States may have longer
periods for retention of data dependent upon national criteria when
such retention constitutes a necessary, appropriate and proportionate
measure within a democratic society.
- A Member State may decide to derogate from paragraph 1 of this
Article, with regard to data types covered by paragraph 2 of Article 2
in relation to the methods of communication identified in paragraph
3(b) and 3 (c) of Article 2, should the Member State not find
acceptable, following national procedural or consultative processes,
the retention periods set out in paragraph 1 of this Article. A Member
State deciding to make use of this derogation at any time must give
notice to the Council and to the Commission stating the alternative
time scales being adopted for the data types affected. Any such
derogation must be reviewed annually.
Article5
Access to data for the purpose of judicial
cooperation
in criminal matters
A
request made by a Member State to another Member State, for access to
data referred to in Article 2, shall be made and responded to in
accordance with the instruments on judicial cooperation in criminal
matters adopted under Title VI of the Treaty on European Union. The
requested Member State may make its consent to such a request for
access to data subject to any conditions which would have to be
observed in a similar national case.
Data Protection
Each
Member State shall ensure that data retained under this Framework
Decision shall be subject, as a minimum, to the following data
protection principles and shall establish judicial remedies in line
with the provisions of Chapter III on 'Judicial remedies, liability and
sanctions' of Directive 95/46/EC:
(a)
data shall be accessed for specified, explicit and legitimate purposes
by competent authorities on a case by case basis in accordance with
national law and not further processed in a way incompatible with those
purposes;
(b)
the data shall be adequate, relevant and not excessive in relation to
the purposes for which they are accessed. Data shall be processed
fairly and lawfully;
(c)
data accessed by competent authorities shall be kept in a form which
permits identification of data subjects for no longer than is necessary
for the purpose for which the data were collected or for which they are
further processed;
(d)
the confidentiality and integrity of the data shall be ensured.
(e)
data accessed shall be accurate and, every reasonable step must be
taken to ensure that personal data which are inaccurate , having regard
to the purposes for which they were collected or for which they are
further processed, are erased or rectified;
Article7
Data Security
Each
Member State shall ensure that data retained under this Framework
Decision shall be subject, as a minimum, to the following data security
principles and regard shall be given to the provisions of Article 4 of
the Directive:
(a)
the retained data shall be of the same quality as those data on the
network;
(b) the data shall be subject to appropriate technical and organisational
measures to protect the data against accidental or unlawful destruction or
accidental loss, alteration, unauthorised disclosure or access, and against
all other unlawful forms of processing;
(c) all data shall be destroyed at the end of the period for retention except
those data which have been accessed and preserved;
(d) the process to be followed in order to get access to retained data and
to preserve accessed data shall be defined by each Member State in national
law.
Article8
Implementation
Member States shall take the necessary measures to comply with this Framework
Decision by […..June 2007] within two years following the date of adoption.
By the same date Member States shall transmit the General Secretariat of
theCouncil and to the Commission the text of the provisions transposing into
their national law the obligations imposed on them under this Framework Decision.
The General Secretariat of the Council shall communicate to the Member States
the information received pursuant to this Article.
The Commission shall by [ ….1st January 2008] submit a report to the
Council assessing the extent to which the Member States have taken necessary
measures in order to comply with this Framework Decision.
Entry into force
This Framework Decision shall enter into force on the twentieth
day following its publication in the Official Journal of the European Union.
Done at Brussels,