Data directive expansion creates concern

For the London Free Press - May 4, 2009 Read this on Canoe

The new European Data Retention Directive requires Internet service providers in Europe to retain information about all e-mails and VOIP calls made by all customers for at least one year.

The directive also allows police and many other public bodies access to that data.

The European Parliament originally passed the directive in 2006 as an anti-terrorism measure in the wake of the 2005 London bombings.

Originally, the law required phone companies to maintain records detailing where and when phone calls were made. It has been expanded since to require providers to log all Internet-based communications.

Some critics of the law and its recent expansion suggest the directive was passed by preying on people's fear after the London attacks.

The British government has stated the new directive will allow it to, "mine the data to try and recognize patterns in relationships and contacts that will help them find terrorists and criminals."

The Home Office stated that, "communications data is the where and when of the communication and plays a vital part in a wide range of criminal investigations and prevention of terrorist attacks, as well as contributing to public safety more generally."

Not surprisingly, the directive has met a great deal of resistance from concerned citizens and groups who fear the new law could lead to dangerous misuse of people's personal information.

Security breaches are an obvious concern, since the information being retained by Internet service providers is personal and potentially confidential data, which means that any security breach or misuse of the data could be hazardous.

There is an obvious concern for a citizen's right to privacy and how this right may be compromised under the directive.

This concern is deepened by directive provisions allowing authorities access to stored records without a court order, by issuing a notice under section 22 of the Regulation of Investigatory Powers Act.

There's also concern that the directive's mandate will needlessly cost businesses time and money. The U.K. government had promised to reimburse Internet service providers for the expenses incurred in retaining the data, thus shifting the cost to taxpayers.

Its future is unclear. Sweden has refused to implement it. and it faces a court challenge in Germany.

The directive is an example of the ongoing struggle between individuals' right to privacy and the state's need to protect its citizens' safety.

Privacy laws generally require businesses to keep as little personal information as possible, for as short a time as possible. But such laws also require certain information be retained.

It's as if governments don't trust businesses to deal properly with personal information for business purposes, but do when the state feels it needs the information.

Though citizens may be required to accept a slight invasion of their privacy on certain occasions for security reasons, there is no evidence that this type of retention has led to positive results.