Data protection reform, passenger name record and telecommunications data retention

In the article, the author examines the impact of a proposed reform of the European legal framework governing data protection at the European level, a reform which would ensure only reduced protection for personal data used in the police and judicial fields. The article concludes with a brief reflection on the social and political value of the rights to data protection and privacy, and finally addresses the potential harmful effects of large-scale profiling, thereby arguing for the progressive development of a European legal framework for data protection that is transparent, balanced and comprehensive, covering all handling of data by internal security actors.

for data protection and privacy are also evident in the European Council's Stockholm Programme, which commits to ensuring the respect of core data protection principles,2 both by evaluating the functioning of existing instruments3 and by building "a comprehensive protection scheme."4 Anchored in a new Information Management Strategy for EU internal security,5 the new EU approach to personal data promises to be mindful both of law enforcement "business needs" and data protection.
Article 8 of the ECHR provides that "everyone has the right to respect for his private and family life, his home and his correspondence". Data protection has been developed by the ECtHR as an aspect of privacy protection in its considerable jurisprudence on Article 8. For example in M.S. v. Sweden, the Strasbourg court stated that "the protection of personal data […] is of fundamental importance to a person's enjoyment of his or her right to respect for private and family life as guaranteed by Article 8 of the Convention".6
Another Article 8, that of the EU Charter of Fundamental Rights, establishes data protection as a fundamental right, providing that personal data may however "be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law".7
Yet European legislation on data protection in the Area of Freedom, Security and Justice is fragmented, presenting a complex patchwork of regulation. Police and judicial cooperation in criminal matters are excluded from the scope of the 1995 Data Protection Directive.8 A Framework Decision, adopted in 2008, does not apply to domestic processing of data for law enforcement and security matters and features wide exemptions to the main principles of data protection consolidated in the 1995 Directive.9 Additionally, sector- or agency-specific rules exist in relation to the Schengen Information System (SIS), Europol, Eurojust and the Prüm Decision.10
The Lisbon Treaty extended the ordinary legislative procedure to Justice and Home Affairs, laid down a new single legal basis for data protection rules at EU level11 and endowed the Charter of Fundamental Rights with the same legal value as the Treaties, thereby formally elevating data protection to fundamental right status.12 The Stockholm Programme and the Commission's Internal Security Strategy reiterated the political will to protect fundamental rights as a vital premise of the AFSJ, marking a departure from a former tendency to treat fundamental rights as brakes on efficiency, requiring to be balanced against security. Taken together, these developments would seem to provide fertile ground for insisting on the rigorous (re-)evaluation of the necessity and proportionality of both existing and envisaged measures touching on the use of personal data in law enforcement.

A comprehensive new data protection package?
A package for reforming the EU rules on data protection was adopted by the Commission on 25 January 2012. The package contains a proposal for a Regulation13 containing general rules on data protection and a proposal for a standalone Directive on data protection in the law enforcement sector,14 preserving in a sense the old First/Third Pillar division in post-Lisbon European data protection law.

10 These rules generally refer to national legislation or to international legal instruments such as the Council of Europe's Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 108).
11 Article 16 TFEU (ex Article 286 TEC): 1. Everyone has the right to the protection of personal data concerning them. 2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities. The rules adopted on the basis of this Article shall be without prejudice to the specific rules laid down in Article 39 of the Treaty on European Union.
12 See Article 8. Protection of personal data: 1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority.
13 European Commission, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), Brussels, 25.1.2012, COM(2012) 11 final.

The decision to opt for a package
The European Data Protection Supervisor, in his 7th March 2012 Opinion on the package, welcomed the Regulation as a "huge step forward" but expressed "serious disappointment" that the legal framework at EU level looks set to remain fragmented despite the availability of a single legal basis in Article 16 TFEU.15
At a conference in November 2012, the Director of the Internal Security unit at the European Commission DG Home Affairs, Reinhard Priebe, insisted that a single-measure outcome had proved unattainable in practice, and that the dual-instrument package proposed represented the best that the Commission was able to secure. First, according to Priebe, the rather general terms of Article 16 TFEU limit what can be done with the provision. The substance of Article 16 TFEU, calling for the introduction of "rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law", undoubtedly contrasts with the greater depth, detail and programmatic nature of the core Treaty provisions on judicial cooperation in criminal matters (Articles 82 and 83 TFEU), calibrating the mutual recognition principle and the approximation of criminal laws and regulations. Moreover, Declaration 21 annexed to the Lisbon Treaty envisages the creation of specific rules on data protection and the free movement of such data in the fields of police and judicial cooperation in criminal matters should separate regulation prove necessary due to the specific nature of these fields.16 Priebe stressed that the goal of the proposed Directive is not to harmonise data protection in the law enforcement sector, and that the terseness of the legislative building blocks reflected the Member States' divergences on the matter. Across the Member States, there exist a number of different data protection cultures, and the same or perhaps an even greater number of different law enforcement cultures (going down to basic structural differences such as which body is a police body, and which is a judicial body). Priebe emphasised that, at the negotiating table, a number of Member States start from the position that data gathering, processing and exchange in the law enforcement sector should not be subject to any legal constraints, let alone to rules enshrined in a directly-applicable Union-wide Regulation.17 Important stakeholders at Member State level have divergent views on the matter. The Association of Chief Police Officers ("ACPO", United Kingdom) told the House of Commons Justice Committee in November 2012 that it was "rather surprised that the [2008 Framework Decision on data protection in the former Third Pillar] is going to be changed so soon after implementation", considering that the processes in place following the Third Pillar measure work "relatively well".18 In contrast, Intellect, the UK trade association for the IT, telecoms and electronics industries, stated its preference for a single piece of regulation to facilitate implementation at a business level, and also voiced fears that the differing levels of data protection provided by the Regulation and the Directive19 could lead to a staggered implementation of separate aspects of the Regulation in separate pieces of legislation, creating confusion for market actors.20 The Justice Committee itself was clear that there should be "consistency between the two instruments from the outset".21
Would this entail a scaling up of protection levels found in the proposed Directive, or a scaling down of those found in the proposed Regulation? In oral evidence given to the UK House of Commons Justice Committee in September 2012, Françoise Le Bail (Director General, DG Justice at the European Commission) argued that the same principles were reflected by both instruments, and that the package applied both Article 16 of the TFEU and Declaration 21 to the Lisbon Treaty, "which says that for this particular field, which is police and judicial co-operation in criminal matters, of course specific provision should be taken".22

Level of protection
Whilst the new draft Directive does, unlike the 2008 Framework Decision, apply to domestic processing of data, it will essentially provide for a lower standard of protection for data used for law enforcement purposes. The EDPS, in his 7th March 2012 Opinion on the package, took the view that "compared to the proposed Regulation, many provisions in the proposed Directive are weak, without any evident justification,"23 and recommended changes inter alia to tighten up derogations to the purpose limitation principle, to include non-suspected persons as a separate data category, to strengthen data subject rights to notification and rectification of personal data, as well as to bolster the powers of supervisory authorities, limited by the terms of the proposed Directive.24
Interestingly, the UK's Justice Committee, reporting to the European Scrutiny Committee, recently accepted that the Directive "does not sufficiently protect personal data",25 yet also cited subsidiarity concerns in order to argue in favour of an exemption for domestic processing from even these - admittedly sub-standard - provisions.26

Scope: activities covered
Representatives from the UK Ministry of Justice, in evidence to the Justice Committee, recently reaffirmed the UK government's intention to attempt to remove domestic processing from the face of the Directive.27 The Justice Committee's report agreed, considering that the "huge costs and burdens" connected to such a scheme would be unwarranted in the absence of any evidence that a lack of EU-level rules is obstructing inter-Member State cooperation or harming data protection,28 and that a "carve-out for policing and security" is necessary in order to meet the specific needs of law enforcement authorities.29 If the United Kingdom succeeds on this count at the negotiating table, what has often been criticised as a key flaw in the 2008 Framework Decision may well remain in the new generation of EU data protection legislation: a common framework of standards would only be applicable to data transferred between Member States, with variable levels of national data protection applicable to domestic processing despite the unavoidable twists and vagaries of investigations making it difficult in practice to operate a strict division between "domestic data" and data which may at some point require transfer to another Member State.
An innovative aspect of the draft Directive concerns its approach to the automated processing of personal data, including for the creation of personal profiles. Chapter II of the proposal ('Principles') lays down, alongside a general ban on the processing of so-called "sensitive" personal data30 in article 8(1), quite novel provisions in article 9 ('Measures based on profiling and automated processing'). Article 9(1) reads: "Member States shall provide that measures which produce an adverse legal effect for the data subject or significantly affect them and which are based solely on automated processing of personal data intended to evaluate certain personal aspects relating to the data subject shall be prohibited unless authorised by a law which also lays down measures to safeguard the data subject's legitimate interests". Article 9(2), meanwhile, provides that "[a]utomated processing of personal data intended to evaluate certain personal aspects relating to the data subject shall not be based solely on special categories of personal data referred to in Article 8". The Meijers Standing Committee of experts on international immigration, refugee and criminal law did recently take issue with the draft Directive's wording, insisting that the risk of discrimination would only be effectively reduced by adapting the provisions in order to forbid automated processing based "solely or decisively on the special categories of personal data referred to in Article 8,"31 but the overall balanced tone must be welcomed.

Horizontal scope
Moving on from the substance of the draft Directive's data protection provisions, more broadly the EDPS bemoaned the envisaged package's lack of "horizontal" comprehensiveness, leaving as it does unaffected the data protection rules for EU institutions and bodies, but also all specific instruments adopted in the area of police and judicial cooperation in criminal matters such as the Prüm Decision and the rules applying to Europol, Eurojust and the Schengen Information System.32 More specifically, the EDPS saw the choice for a self-standing instrument as "a missed opportunity to clarify and ensure the consistent application of rules applicable to situations in which activities of the private sector and of the law enforcement sector interact with each other and borderlines are becoming increasingly blurred".33
The transfer of PNR data, telecommunications and financial data to law enforcement bodies provide prime examples of such interplay. As a British data protection consultancy points out, lower standards in law enforcement matters create an "inverse data protection effect": the more controversial the processing (eg. for law enforcement), the weaker the protection; the less controversial the processing (eg. processing for a seat booking), the stronger the level of protection.34 Yet even the tentative first few steps towards regulating profiling at the EU level taken by the draft Directive35 would, as the text stands, not apply to a future EU-PNR system were the latter system to be finalised before the new data protection framework.36 As we shall see, the proposed EU-PNR Directive is itself completely silent on the matter of data mining and profiling. Once more, the comprehensiveness of the new EU data protection framework appears open to question.

Passenger name record: Jumping the data protection gun?
PNR is a record of each passenger's travel requirements which contains all information necessary to enable reservations to be processed and controlled by air carriers, including name, dates of travel and travel itinerary, ticket information, address and phone numbers, means of payment used, credit card number, travel agent, seat number and baggage information. PNR data are supposed to constitute an effective tool in order to "identify and track criminal and terrorist activity",37 warranting its systematic transmission by air carriers to law enforcement bodies. PNR is not to be confused with Advanced Passenger Information (API) limited to biographical information from the machine-readable part of a passport, for which a scheme, providing not for systematic access by law enforcement but for access by request, is already live in relation to flights inside the Union.38
Negotiations with the USA on a fourth EU-US PNR agreement continued throughout 2011. The latest agreement, intended to have a higher degree of permanency than previous deals, was concluded in early December 2011. In a plenary vote on the 19th April 2012, the European Parliament adopted the latest EU-US PNR agreement with 409 votes in favour, 226 against and 33 abstentions, reflecting the contentious nature of the issue. The Opinion of the European Data Protection Supervisor, published on 13 December 2011, welcomed safeguards on data security and oversight.39 However, the Union overseer repeated doubts as to the necessity and proportionality of the scheme. Indeed, if one takes the successive EU-US PNR agreements from 2004, 2007 and 2011, one can observe a "slackening" evolution in terms of purpose limitation, retention period (from 4 years to 15 years including "anonymised" time), the transmission of sensitive information (medical and religious data), push/pull systems, onward transfer, and judicial redress.40 The EDPS also voiced serious reservations as to the real enforceability of US concessions such as the right to redress.41 A central problem in the international context is that intended 'guarantees' negotiated for EU citizens (eg. ban on processing of sensitive data, right to redress), as hard-won as they may have been, may be practically unenforceable in third states, particularly the United States. This state of affairs leads some observers to consider that in order to prevent established levels of protection from being "hollowed out by global security networks", in the long-term a transnational data protection authority may be necessary.42 However, this idea will not be developed further in this contribution, which will focus rather on the ongoing project of creating an internal EU-PNR surveillance system. A Commission proposal for a Directive establishing an internal EU-PNR scheme was made in February 2011.43 Subsequently, the United Kingdom gained support from 15 other Member States to extend the scope of the instrument to include the option of covering selected flights inside the European Union. The EU scheme, for a time, was passing through the European Parliament in parallel with the EU-US scheme until the latter was finally adopted in April 2012. The Parliament's Rapporteur on the internal measure (Timothy Kirkhope MEP) showed greater support for the necessity of travel surveillance generally than the Rapporteur on the transatlantic set-up (Sophie in 't Veld MEP), and in his draft report of 14th February 2012 advocated no major changes to the Commission's proposal, voicing support for an extension to intra-EU flights and the use of PNR data in the context of terrorism and "serious crime".44 On the 23rd April 2012, the Presidency presented a compromise text, providing for the optional coverage of intra-EU flights, to the Council with a view to opening negotiations with the European Parliament.45
Highly critical opinions from the European Data Protection Supervisor,46 the Article 29 Working Party47 and the Fundamental Rights Agency48 followed publication of the draft EU-PNR Directive. Citing violations of the rights to protection of personal data,49 respect for private and family life50 and to be free from discrimination,51 each opinion concluded that the necessity and proportionality of the scheme have not been sufficiently established.

35 See above discussion of articles 8 and 9, draft Directive on data protection in the law enforcement sector.
36 See Article 59, Proposal for a Directive: "The specific provisions for the protection of personal data with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties in acts of the Union adopted prior to the date of adoption of this Directive regulating the processing of personal data between Member States and the access of designated authorities of Member States to information systems established pursuant to the Treaties within the scope of this Directive remain unaffected."
40 See Hornung, G. and Boehm, F. (2012)
Article 52(1) of the EU Charter provides that "any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others."52

Article 52(1): 'Objectives of general interest/to protect rights and freedoms of others'
National security and/or the prevention of crime have been accepted as a "legitimate aim" (the ECHR wording) by the European Court of Human Rights in Convention Article 8 case law,53 and the Fundamental Rights Agency seems to be in no doubt that EU-PNR clears this hurdle. It may be useful, however, to reflect on whether the workings of the PNR set-up fit the scenario of crime prevention. Now, PNR is raw data fed into security practices related to profiling and data mining, marked by a trend towards prevention that in some cases "appears to slide towards anticipation", playing less a preemptive role than a preparatory one, collecting, processing and sharing data "just in case" a crime is committed.54 It is possible to argue that, on a strict reading of "objectives of general interest", interferences with fundamental rights such as those made inevitable by EU-PNR require clear demonstrable links to crime prevention in order to be considered Charter-compliant.

Article 52(1): 'Provided for by law' (ECHR wording: 'in accordance with the law')
In its reading of the EU-PNR Proposal, the FRA points up concerns over the "quality" of the law, meaning essentially its accessibility and foreseeability. Firstly, the Annex to the Proposal provides air carriers with a "general remarks" category of information, potentially opening the door to unlimited information gathering.55 The Proposal also purports to limit the use of PNR data to fighting "serious crime",56 yet the definition of "serious crime" in article 2(h) of the Proposal is not watertight. Indeed, that sub-article refers to the offences listed in article 2(2) of the Framework Decision on the European Arrest Warrant - a provision which incidentally does not itself feature the term "serious crime". Article 2(h) of the Proposal further allows Member States to exclude from the scope of the scheme "those minor offences for which, taking into account their respective criminal justice system, the processing of PNR data pursuant to this directive would not be in line with the principle of proportionality", thereby impliedly acknowledging that the term "serious crime" encompasses minor offences. This creative manner of legislating may remind the reader of the much-maligned purpose (un)limitation provisions in the 2008 Framework Decision on 3rd pillar data protection,57 and sits uneasily with the Commission's claim that an EU-PNR system would increase legal certainty for passengers.58 For this to be so, as the FRA points out, surely the margin of discretion on such a central factor of the proposal should not be left to the Member States.59
Finally, article 4(2)(b) permits Passenger Information Units to compare PNR data against "relevant databases, including international or national databases or national mirrors of Union databases, where they are established on the basis of Union law, on persons or objects sought or under alert".60

Article 52(1): 'Necessity and proportionality'
The Strasbourg Court established in the Handyside case62 that "while the adjective 'necessary' […] is not synonymous with 'indispensable', neither has it the flexibility of such expressions as 'admissible', 'ordinary', 'useful', 'reasonable' or 'desirable'."63 A "pressing social need" was the term preferred by the Court in the Olsson case.64 Proportionality, meanwhile, "puts the reason for the limitation and the scope of the limitation into relation with each other."65
In the Explanatory Memorandum attached to the EU-PNR Proposal, the Commission forwards evidence of the necessity of PNR in combating serious transnational crime, particularly drugs and human trafficking.66 Also in the Commission's 2010 Communication on information management in the AFSJ, numerous examples demonstrated the necessity of PNR to the investigation of child trafficking, trafficking in human beings, credit card fraud and drug trafficking, but the source of this evidence was not disclosed.67 In relation to PNR agreements with the USA, the UK House of Lords European Union Select Committee, initially unsure,68 subsequently received confidential evidence from the Home Office which convinced the Lords that PNR data, when used in conjunction with data from other sources, could significantly assist in the identification of terrorists.69 In 2011, the Committee gave its blessing to the UK's opt-in to the latest agreement.70 Thus, it remains the case that there has been no evidence made publicly available of the necessity of PNR in the fight against terrorism or the other "serious crimes" covered in art 2(h) of the Proposal.71
In other words, the Commission has only ever provided examples demonstrating the necessity of PNR data in the context of combating "serious transnational crime" whereas the proposed Directive refers in numerous contexts to "serious crime"72 - defined as the offences listed by Article 2(2) of the Council Framework Decision 2002/584/JHA on the European Arrest Warrant.73
The necessity and proportionality of systems such as EU-PNR are particularly sensitive not only because systematic surveillance seems contrary to the essence of Treaty aspirations to a single Area of Freedom, Security and Justice without internal border controls,74 but especially since data collection and analysis are foreseen for all air passengers, instead of being applied in a more targeted manner.75 From a technical point of view, one might maintain that blanket data collection simply comes with the territory of proactive risk profiling, a technique involving tests performed on the basis of "constantly evolving and non-transparent criteria".76 Nonetheless, in accepting this reality the Fundamental Rights Agency argues for the addition to the proposal of an "explicit obligation […] to make every reasonable effort to define assessment criteria in a manner which ensures that as few innocent people as possible are flagged by the system".77
The need for specific safeguards in the EU-PNR instrument itself becomes clearer when one recalls that the future Directive on data protection in the law enforcement sector, as currently drafted, will not apply to previous acts.78 The tentative provisions therein regulating profiling79 will therefore not apply to what is set to be one of the most significant developments yet in the profiling of European citizens, should the EU-PNR Directive enter into force before the new data protection instrument. Negotiations are ongoing at the time of writing, yet the relative urgency of the EU-PNR does seem doubtful considering that a number of the Member States in favour of an internal EU-PNR scheme have already begun using their own PNR systems, tempering somewhat the immediate need for rolling out the European set-up. Speaking at a November 2012 conference, Emilio de Capitani (former head of Civil Liberties, Justice and Home Affairs Secretariat at the European Parliament) also questioned the need to move quickly on this issue given that this time, and in contrast to the negotiations which led to the EU-US agreements, there is no external diplomatic pressure on the Union.80
That being said, proportionality testing of the future EU-PNR system may in the medium to long-term find other outlets than the legislative process. The reactions of a series of national Constitutional Courts to the Data Retention Directive could be interpreted as preparing the ground for future judicial control of the proportionality of initiatives such as the EU-PNR system. Indeed, as the Fundamental Rights Agency underlines, the same reasoning - the condemnation of data retention as unconstitutional inter alia since the scheme affects all citizens who are in principle to be considered as innocent - could also be applied to the proposed EU PNR system.81 Accordingly, it is to the current state of play regarding the Data Retention Directive that we now turn.

Data retention: Judicial control post-Lisbon
The European Parliament and the Court of Justice look set to have pivotal roles to play in the relationship between personal data and law enforcement over the next few years, not only concerning new measures such as the EU-PNR scheme, but also in respect of the evaluation and judicial control of existing measures - most notably, from a data protection point of view, the fabled Data Retention Directive.82 Briefly revisiting the background to the agreement of such a measure in the pre-Lisbon EU set-up may prove instructive in this regard.

Directive 2006/24: origins
Four years prior to the introduction of the Directive, in 2002 the e-privacy Directive had applied data protection principles found in the 1995 Data Protection Directive to the telecommunications sector, mandating the erasure of traffic data once no longer needed in order to transmit a communication.83 Although at that time the JHA Council expressed a desire to carve an "appropriate and proportionate" exception to the e-privacy Directive's erasure provisions, ensuring the retention of electronic communications data for "a limited time" for law enforcement purposes,84 high-level calls for legislative action did not resurface until after the Madrid bombings on 11th March 2004. Within a fortnight, the European Council presented a slew of proposed measures intended to combat terrorism including the transfer of Passenger Name Record data, the introduction of bio-

On a domestic level, the law enforcement community in the UK had been pushing for more extensive data retention for some years. The Anti-Terrorism, Crime and Security Act, which entered into force less than two months after the September 11th attacks, had indeed already laid down a legislative basis for an extensive data retention scheme, but on a voluntary basis (in the form of a 'Code of Practice').88 However, besides the 7/7 attacks, by the time the UK Presidency of the EU came around in the second half of 2005, technical developments and political opportunity also seem to have contributed to making the Directive the most hastily-passed piece of legislation in the history of the EU.
Internet Service Providers (ISPs) resisted most strongly the pressure to divulge customer data. As previously mentioned, provisions in the 2002 e-privacy Directive forced Communications Service Providers ('CSPs') to delete user data as soon as such data was no longer required for commercial purposes. For telephone service providers, call data remained essential to accurate billing, however due to the rapid proliferation of "always-on" broadband services available at a flat monthly rate, the same no longer held for ISPs. Unwilling to pay for any such scheme, and concerned that widespread retention might expose market actors to subsequent legal action for breaches of UK data protection law, many ISPs intimated to the UK government their preparedness to relocate abroad.89 Faced not only with possible damage to the British economy but with the prospect of further reduced data flows to the law enforcement community, the UK government privileged the EU law route. Efforts were perhaps further focused on speedy progress due to the fact that the rotating EU presidency was set to pass from the UK at the turn of the year to Austria, known opponents of the proposed data retention scheme. The initial proposal for a third pillar Framework Decision was re-worked as a first pillar Directive and presented by the Commission on the 21st September 2005.90 This meant qualified majority voting instead of unanimity, but also engaged the European Parliament's co-decision powers.
After the UK Presidency had failed to reach an agreement with the LIBE Committee at the European Parliament, the British delegation directly approached the leaders of the two largest Parliamentary Groupings, the PSE and the PPE. Those leaders, both German MEPs, agreed privately to support the Council's position on the Directive in an apparent "demonstration of power" by members of the new "grand coalition" between Germany's two largest domestic political parties. 91 Victory for the UK Presidency in the face of opposition from industry, civil rights organisations and fellow Member States was assured when the Parliament voted through the Council's compromise text on 14th December 2005, performing a considerable climb-down from its repeated stance that any form of mass surveillance is unjustified. 92

Directive 2006/24: a difficult transposition
The Data Retention Directive finally came into force on 3rd May 2006, mandating the collection of traffic and location data, as well as data necessary to identify subscribers, on the part of the providers of publicly available electronic communications networks or of public communications networks in order to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious crime. 93 Article 6 of the Directive provides for a minimum retention period of six months, and a maximum period of two years from the date of the communication, giving some leeway to Member States in this respect.
Indeed, the Directive offers less scope for detailed critical analysis than the other measures mentioned since, as its title indicates, it mandates the retention of telecommunications data and does not regulate the access, processing or transfer of those data by law enforcement at Member State level. This regulatory division invariably makes it difficult to assess the justifiability of the data retention obligation alone - conditions of access and use are simply crucial to any such appraisal. 94 In leaving such matters to the national level, one commentator argues that "the Directive has placed a bomb in the privacy of European citizens and has allowed the Member States alone to take measures to prevent it from exploding." 95

Whilst the relative social value of privacy is eminently debatable, it is surely worth reflecting on the real impact of EU legislation "harmonising the exception" to e-privacy and possible implications for the citizen-State relationship. In a number of Member States, constitutional arrangements have been directly affected. Cyprus, for instance, revised its constitution in order to accommodate data retention, extending to all citizens permitted derogations to the right to privacy that had previously applied only to prisoners. 96 Moreover, certain national provisions have tended to mirror the separation of communications data retention and the use and processing of those data in domestic legislation. In the United Kingdom, for example, whilst the retention of data is regulated by secondary legislation, 97 access is regulated by the Regulation of Investigatory Powers Act 2000 ('RIPA'), the convoluted drafting of which has resulted in access to communications data for more than 800 public bodies, including all councils. 98 The British media has for a number of years been awash with reports of councils using RIPA in order to monitor citizens for comparatively trivial matters such as ensuring parents reside in school catchment areas or to detect littering, with the expression "dustbin Stasi" even making it as far as Parliament. 99 At Member State level, implementing laws have been successfully challenged as unconstitutional in Germany, 100 Cyprus, 101 Bulgaria 102 and the Czech Republic. 103 In Austria and Sweden, resistance from civil society ensured that transposition took over six years.
104 Most recently, in October 2012 a group of Slovak MPs filed a complaint against the Slovakian transposition at that country's Constitutional Court. Prepared by the European Information Society Institute ('EISi', which is based in Slovakia), the complaint argues that national laws both implementing the provisions of the Directive and arranging for access by police 105 are incompatible with constitutional provisions on proportionality as well as the rights to privacy, data protection and freedom of expression as enshrined in Slovakian human rights law, the ECHR and the CFREU. 106 Amongst the decisions of national jurisdictions, that of the Romanian Constitutional Court features perhaps the most virulent rejection in principle of data retention. 107 The Court judged not only the Romanian implementing law unconstitutional due to violations of the rights to secrecy of communication, to move freely, to freedom of speech and the right to privacy, but also ruled that blanket data retention as embodied by Directive 2006/24 was a disproportionate intrusion into private lives. Such intrusion could only be justified, said the Court, were it "made in a clear, predictable and unambiguous manner, so that the possibility of the arbitrariness or abuse from authorities in this field may be avoided, as much as possible". 108 Yet it is the judgment of the German Constitutional Court (Bundesverfassungsgericht) which may prove the most influential of all. The Karlsruhe judges annulled the German implementing law as a disproportionate intrusion into constitutional rights to privacy and "informational self-determination," 109 as well as the right to the integrity of telecommunications.
110 The criteria of purpose limitation, data security, transparency and safeguards against abuse of data were judged not to have been met by the implementing law, but importantly - and in contrast to the approach of the Romanian judges - the Court clearly stated that data retention in principle is not "absolutely incompatible with article 10 of the German Constitution," 111 paving the way for revamped domestic legislation respecting these criteria to eventually surface. Following the Bundesverfassungsgericht judgment on 2nd March 2010 annulling the domestic German implementing law, over two years passed before the Commission announced on 31st May 2012 that it was referring Germany to the CJEU, requesting that the Court impose financial penalties. 112 It seems that more interesting times are ahead, since wrangling over (non)transposition has continued in parallel with a new direct challenge to Directive 2006/24, currently working its way through the Court's systems. The Court of Justice of the EU has already passed judgment once on the Directive, rejecting an action for annulment in early 2009 brought by the Republic of Ireland (with the support of Slovakia), who argued that the Directive should have been adopted on a Third Pillar legal basis, as opposed to its Article 95 EC internal market foundation. 113 Over three years on, a fresh challenge is pending at the Luxembourg court, this time on a reference for a preliminary ruling from the High Court of Ireland.
114 Digital Rights Ireland, a member of the European digital civil rights group EDRi, was granted standing by the domestic court which in turn referred its questions as to whether the Directive is "disproportionate, unnecessary or inappropriate to achieve the legitimate aims of: Ensuring that certain data are available for the purposes of investigation, detection and prosecution of serious crime? and/or Ensuring the proper functioning of the internal market of the European Union," as well as its compatibility with Convention/Charter rights to free movement, privacy, the protection of personal data, freedom of expression and good administration". 115 It remains, however, difficult to see how the CJEU would be able to assess the compatibility of Directive 2006/24 with Charter rights inter alia to data protection and privacy since the instrument itself deals only with retention, and not with access to and use of the data in question. Ultimately, it may be that a future revision of the legislation itself will provide the opportunity to rein in some of its most problematic excesses.
What is the added-value of the Directive from a criminal justice perspective? It is instructive to note from the outset that circumvention of the provisions is quite possible (for example by anonymisation) and, notably, German police statistics in 2011 showed that Data Retention had not reduced crime rates. 116 The Commission's own 2011 evaluation of the Directive failed to enlighten, with the Commission extolling the virtues of the measure 117 and laying any blame for the evaluation's lack of empirical clout at the door of reticent Member States. 118 NGOs such as European Digital Rights, AK Vorrat and Panoptykon highlight the potential for abuse of data, data loss, false positives and false negatives (especially where commercial databases are used) as well as the possible generation of new forms of cyber-criminality. 119 Further to the British controversy over access to retained telecommunications data by local councils, other possible uses of information gathered pursuant to Directive 2006/24 have led to litigation before the CJEU. In the recent Bonnier 120 case, article 8 of Directive 2004/48/EC (concerning the enforcement of intellectual property rights) formed the basis for a Swedish law providing the possibility to order an ISP in civil proceedings to disclose the name and address of subscribers alleged to have violated copyright to private parties intent on enforcing their IP rights. The ISP, ePhone, appealed to the Stockholm Court of Appeal, arguing inter alia that the injunction sought was contrary to Directive 2006/24/EC since it would entail "disclosure to persons other than the authorities referred to in the directive of information relating to a subscriber to whom an IP address has been allocated."
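121 The Court begins its judgment by establishing that Directive 2006/24 deals exclusively with the handling and retention of data generated or processed by the providers of publicly available electronic communications services or public communications networks for the purpose of the investigation, detection and prosecution of serious crime and their communication to the competent national authorities. 122 Indeed, Article 11 of the 2006 Directive amends the e-privacy Directive, effectively disapplying Article 15(1) 123 of the latter instrument in respect of data specifically requiring retention for the purposes of Article 1(1) of the 2006 Directive. Thus the possible exceptions to erasure included in the e-privacy Directive, naturally open to interpretation by courts, were transformed into an obligation, or "harmonised" across the Union by the very terms of the 2006 Directive in respect of that instrument's purposes. 124 However, Recital 12 of Directive 2006/24/EC states that "Article 15(1) of Directive 2002/58/EC continues to apply […] to retention for purposes, including judicial purposes, other than those covered by this Directive." 125 Taking these provisions into account, the Court concludes that Directive 2006/24 "constitutes a special and restricted set of rules", 126 the material scope of which does not cover the Swedish copyright legislation at issue since the latter pursues an objective different from that pursued by Directive 2006/24. 127 No provision of the 2006 Directive could therefore preclude the application of national legislation of the sort in question in the form of an order served on the ISP to identify suspected copyright violators to copyright holders.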
128 In Member States such as Sweden, where communications data were already being retained under national provisions, the 2006 Directive may merely have enshrined data retention in the form of an obligation. Indeed, in Bonnier at the time the reference for a preliminary ruling was made, Directive 2006/24 had still not been implemented in Sweden. However, for other Member States which had chosen not to take advantage of Article 15(1) of the e-privacy Directive, the 2006 instrument harmonised the retention of data ostensibly to be used for investigating, detecting and prosecuting serious crime, and the Bonnier judgment indicated how such data may be used in civil proceedings relating to intellectual property rights. It is for the Member States "to ensure that they rely on an interpretation of those directives which allows a fair balance to be struck between the various fundamental rights protected by the European Union legal order", 129 whilst it is for the national court to ascertain that the data at issue have been retained in accordance with national legislation, in compliance with the conditions laid down in Article 15(1) of Directive 2002/58. 130 The potentially serious questions of proportionality raised by this interpretation must however be read in conjunction with the earlier decision of the CJEU in Scarlet Extended. 131 Here, the Court decided that the ordering of an injunction forcing an ISP to install a general filtering system infringes the ISP's freedom to conduct business, but also internet users' right to data protection 132 and freedom to receive and impart information.
The anticipated revision of Directive 2006/24 may provide the opportunity to close the Bonnier loophole described above; however, the reform timetable is less than clear. In December 2011 a Commission communication to the EU Council Working Party on Information Exchange and Data Protection ("DAPIX") indicated that a further Impact Assessment on the Data Retention Directive was due to be completed in May 2012, leading to a new Commission proposal in July 2012. However, in July 2012 the Commission sent an email to the members of EuroISPA, a pan-European association of European Internet Services Providers Associations (ISPAs), intimating that the Directive would not be revised in 2012. This was so that the revision of Directive 2006/24 could be handled in parallel with that of the closely-related e-Privacy Directive, the nature of that revision being dependent in turn on progress made on the general Data Protection Regulation. 133 The reasoning behind this delay was recently criticised at a November 2012 conference by representatives of the European Data Protection Supervisor, who insisted that, despite a strong opposition of views between stakeholders, it would be preferable to revise the Directive as soon as possible. 134

Conclusion: The need for a comprehensive data handling framework
Whilst the identification of citizens is a crucial part of the state's basic function - private legal interactions would not be juridically possible without a regulation of individuals' identity 135 - mass surveillance is perceived as more worrisome due to its potential "chilling effect" and grave implications for data protection and privacy, anchored in human dignity. Privacy also has instrumental social value in protecting other, more obviously political rights such as freedom of expression, freedom of association, or freedom of religion: "[b]y ensuring that there is a limit on what the state can reasonably expect to know about us, privacy not only helps to protect individual autonomy, but also ensures that we are free to use that autonomy in the exercise of other fundamental rights". 136 Data mining and profiling techniques allow essentially banal data, whether those data be telecommunications, airline bookings or financial records, to be processed in order to reveal sensitive information and build detailed profiles of individuals. The process might be likened to alchemy, transforming the potential of information in such a way as to nullify certain prohibitive data protection rules, since those rules are formulated in terms of types of individual pieces of data. Beyond privacy and data protection, profiling - defined as an attempt to give specific content to what particular persons or classes of persons are like: their preferences, their practices, their personal histories, and so on, in order to anticipate future behaviour 137 - would also appear to risk undermining the normative foundations of the presumption of innocence. This last principle is born of a deeper assumption built into our legal systems that each of us is free to choose to act differently in the future than we did in the past.
138 A high price should be exacted in return for its weakening, in the form of demonstrable crime prevention benefits, proportionate restrictions to fundamental rights, and legal certainty for individuals. For this to be so, the European Parliament and the Court of Justice will have increasingly important roles to play in the development of a truly comprehensive EU-level framework for the handling of personal data in the law enforcement sector, addressing not only the V.

14 European Commission, Proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data, Brussels, 25.1.2012, COM(2012) 10 final.
15 European Data Protection Supervisor, Opinion on the data protection reform package, Brussels, 7 March 2012, para 11.
16 Declaration 21, Declarations Annexed to the Final Act of the Intergovernmental Conference which adopted the Treaty of Lisbon: "The Conference acknowledges that specific rules on the protection of personal data and the free movement of such data in the fields of judicial cooperation in criminal matters and police cooperation based on Article 16 of the Treaty on the Functioning of the European Union may prove necessary because of the specific nature of these fields.".
30 Defined as data revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, of genetic data or of data concerning health or sex life; see article 8(1).
31 Letter from Meijers Committee to the European Parliament, Note on the proposal for a General Data Protection Regulation and the protection of personal data in the area of judicial co-operation in criminal matters and police co-operation, 23rd November 2012, available at http://statewatch.org/news/2012/nov/eu-meijers-committee-dp.pdf.
32 EDPS Opinion, para 443.
33 EDPS Opinion, para 443.
34 See Pounder, C. N. M. (2011), 'A data protection critique of the proposed Passenger Name Record Directive (COM(2011) 32 text)', Amberhawk Training Ltd.
, 'Comparative Study on the 2011 draft Agreement between the United States of America and the European Union on the use and transfer of Passenger Name Records (PNR) to the United States Department of Homeland Security', Study for the Greens / European Free Alliance in the European Parliament. Available at http://www.greens-efa.eu/fileadmin/dam/Documents/Studies/PNR_Study_final.pdf.
41 Op cit. n. 39, paras 23-24.
42 Nickel, R. (2010), 'Data Mining and "Renegade" Aircrafts: The States as Agents of a Global Militant Security Governance Network - The German Example', Emory International Law Review, 24: p. 650.
43 European Commission, Proposal for a Directive of the European Parliament and of the Council on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, COM(2011) 32 final, Brussels, 2 February 2011.
44 European Parliament, Draft Report on the proposal of the European Parliament and of the Council on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (COM(2011)0032 - C7-0039/2011 - 2011/0023(COD)), Committee on Civil Liberties, Justice and Home Affairs, Rapporteur: Timothy Kirkhope, 14th February 2012, see Explanatory Statement pp. 30-32.
45 Council of the European Union, Note from Presidency to Council, 'Proposal for a Directive of the Council and the European Parliament on the use of Passenger Name Record for the prevention, detection, investigation and prosecution of terrorist offences and serious crime', Interinstitutional File: 2011/0023 (COD) (Brussels, 23 April 2012).
Both the EDPS and the Article 29 Working Party criticised the low level of foreseeability afforded by this provision. 61
55 FRA Report, p. 13.
56 EU-PNR Proposal, Article 1(2).
57 2008 Framework Decision, Article 3 (emphasis added): 1. Personal data may be collected by the competent authorities only for specified, explicit and legitimate purposes in the framework of their tasks and may be processed only for the same purpose for which data were collected. […] 2. Further processing for another purpose shall be permitted in so far as: (a) it is not incompatible with the purposes for which the data were collected; (b) the competent authorities are authorised to process such data for such other purpose in accordance with the applicable legal provisions; and (c) processing is necessary and proportionate to that other purpose. See also Article 11 (emphasis added), Processing of personal data received from or made available by another Member State: Personal data received from or made available by the competent authority of another Member State may, in accordance with the requirements of Article 3(2), be further processed only for the following purposes other than those for which they were transmitted or made available: […] (d) any other purpose only with the prior consent of the transmitting Member State or with the consent of the data subject, given in accordance with national law.
58 COM(2011) 32 final, p. 4.
59 FRA Report, p. 14.
60 EU-PNR Proposal, article 4(2)(b).
61 EDPS Opinion on EU-PNR Proposal, p. 5; Article 29 Working Party Opinion, p. 5.
82 Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, Official Journal L 105, 13/4/2006 P. 0054-0063.
83 Article 6(1) of the e-privacy Directive: 'Traffic data relating to subscribers and users processed and stored by the provider of a public communications network or publicly available electronic communications service must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication […].'.
84 See paragraph 7, Conclusions on Information technologies and the investigation and prosecution of organised crime, Justice and Home Affairs Council Meeting, Brussels, 19 December 2002, doc 15691/02 (Presse 404): [The Council of the European Union] AGREES that the adoption of rules on the approximation of Member States' legislation on the obligation of electronic communication services providers to retain specific traffic data concerning electronic communications for a limited time should take into account the dialogue between interested parties. If it is found necessary to establish such rules, they should at any rate ensure that such traffic data is available insofar as it is necessary according to the standards of a democratic society and existing provisions of a constitutional nature of each Member State, appropriate and proportionate for the prevention, detection, investigation and prosecution of criminal offences.".
metric IDs and the retention of telecommunications data. 85 Just over a month later, a group of four Member States tabled a joint proposal for a third pillar Framework Decision taking up this last policy recommendation, 86 but the requirement of unanimity hindered negotiations. The London bombings on 7th July 2005 spurred the JHA Council, presided over by the then-UK Home Secretary Charles Clarke, to state that a Framework Decision would be agreed by October that same year. 87
85 European Council, Declaration on Combating Terrorism, Brussels, 24 March 2004, available at http://www.consilium.europa.eu/uedocs/cmsUpload/DECL-25.3.pdf, p 4: "The European Council, with a view to the further development of the legislative framework set out above, instructs the Council to examine measures in the following areas: - proposals for establishing rules on the retention of communications traffic data by service providers; […]".
86 The Member States were France, the United Kingdom, Ireland and Sweden. See Council of the European Union, Draft Framework Decision on the retention of data processed and stored in connection with the provision of publicly available electronic communications services or data on public communications networks for the purpose of prevention, investigation, detection and prosecution of crime and criminal offence including terrorism, Council doc. 8958/04, Brussels, 28 April 2004.
87 Extraordinary Justice and Home Affairs Council meeting of 13 July 2005, Council Declaration on the EU Response to the London Bombings (Council doc 11116/05, Presse 187), para 4.
88 For a detailed discussion of the UK law before the Directive, see Milford, P. (2008), 'The Data Retention Directive: too fast, too furious a response?', Southampton Business School. Available at http://www.petermilford.com/downloads/Data_Retention_PMilford.pdf, pp. 19-35.
89 Ibid, p. 35.
Indeed, Article 11 of the 2006 Directive amends the e-privacy Directive, effectively disapplying Article 15(1) 123 of the latter instrument in respect of data specifically requiring retention for the purposes of Article 1(1) of the 2006 Directive. Thus the possible exceptions to erasure included in the e-privacy Directive, naturally open to interpretation by courts, were transformed into an obligation, or "harmonised" across the Union by the very terms of the 2006 Directive in respect of that instrument's purposes. 124 However, Recital 12 of Directive 2006/24/EC states that "Article 15(1) of Directive 2002/58/EC continues to apply […] to retention for purposes, including judicial purposes, other than those covered by this Directive." 125 Taking these provisions
Article 11: "The following paragraph shall be inserted in Article 15 of Directive 2002/58/EC: '1 a. Paragraph 1 shall not apply to data specifically required by Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks to be retained for the purposes referred to in Article 1(1) of that Directive.'"
125 Emphasis added.