Hearing by Greens/EFA Group on "Big Brother" data retention directive

-> [ News, position papers on and analysis of the content of the directive | FFII position | EU introducing "Big Brother" anti-privacy law | EU law-making process cracking under pressure ]

December 7th, 2005 -- Transcription of the hearing led by the Greens/EFA Group concerning "Big Brother" data retention directive.

Transcriptions in process, help is very welcome.

Please have patience with the possibility that different persons may work in parallel.

(at the very begining of the hearing an association of women from Israel/Palestine came to talk, please start from the end of the hearing (e.g. track 9))

Overview

Organiser: Kathalijne BUITENWEG opened the debate. Monika FRASSONI continued the second half. Speakers: Mrs Fiona TAYLOR, Senior Advisor European Telecommunications Networks Operators' Association, ETNO Mr Joaquin BAYO DELGADO, Assistant European Data Protection Supervisor (EDPS) Mrs Sjoera NAS, EDRI Guest speaker:
Alexander ALVARO, Germany ALDE, Rapporteur, member of LIBE-committee Questions from:
Tatjana DANOKA, Latvia Greens/EFA (see: http://tinyurl.com/8og6n )
Daniel COHN BENDIT, Greens/EFA
Eva LICHTENBERGER, Austria Greens/EFA
Carl SCHLYTER, Sweden Greens/EFA
Zepp KOSTATJA (name ???)
Erik Josefsson, FFII

First track (almost empty)

Source : http://media.ffii.org/DataRetentionGreenConf20051207/DataRetentionGreenEFA20051207Track001.ogg

Kathalijne BUITENWEG says "The decision at all"

Second track (very short)

Source : http://media.ffii.org/DataRetentionGreenConf20051207/DataRetentionGreenEFA20051207Track002.ogg

Kathalijne BUITENWEG (start - 00:17)

Parliament then fell for that and decided to have a very fast-track procedure and to try to come to an agreement with the Council in one reading only. That's what we are going to see next week. Next week we have only the first reading...

Third track (15 minutes)

Source : http://media.ffii.org/DataRetentionGreenConf20051207/DataRetentionGreenEFA20051207Track003.ogg Kathalijne BUITENWEG (start - 5:12) - palestinian/israeli womens orgnisation intervention - Kathalijne BUITENWEG (11:40 11:57) Fiona TAYLOR (11:57 end)

Kathalijne BUITENWEG (start - 5:10)

But at the same time there seems to be already an agreement with the Council. I say "it seems to be" because my group and also the liberal group was not involved, it was only the bigger groups who made a deal with the Council. I mean, that in itself is already prettry undemocratic. So what we are going to see next week is that we are going to vote already on the deal with the Council. And personally I really believe that institutionally speaking also it is a real mistake from the EU Parliament not to have a proper reading, not to first establish it's own position, but to immediately come to an agreement based only on a negotiation with the British presidency, and I really think that you weaken yourself unnecessary. So I was pretty upset by the big groups, that they tried to make a deal behind the backs of the smaller groups only to please the British presidency. Well it doesn't mean that any deal necessarily
is a bad deal, but I can say that in my eyes this particular deal is a bad deal, so then I now go into the content. From the position from the Greens, I think, there is quite a lot of data which is being collected. As you know they want to preserve the data, like from emails, telephony, faxes, SMS, etc. for up to two years. That is quite a lot of information, it also has a lot of costs, of course. I think that later also the industry will say something more about that. Why am I so worried about the cost? Well, in itself I don't have such a problem with putting the industry at high costs, I am very happy to also do that also for environmental reasons, but in this case I think you can actually spend the money in a much better way. I really believe that the money you invest now in this big surveyance of everybody can be much better invested in very targeted investigation. So as the Greens, I mean, we are not against all infringements of privacy as such, but we think always it should be proportionate and effective and that you should really focus on the people whose privacy you infringe and not try to have a surveillance on all the citizens. There is also a lot of information which in my eyes is completely useless, but maybe some others can shed a light on that: it is like that they also want to collect the timing that you are on internet, so not which websites you visit, but log on and log off, how much time are you on the internet? And I still seriously don't understand what that means, what does it bring, this kind of information. So there's still a lot of reasons why I can be against, but I'm sure that you're not only interested in hearing my position on this, but you're also very interested to hear the position from other people from their specific expertise, and that's why we invited some other people here. The people we invited for the meeting today, is, to start completely at my left: Mme. Fiona Taylor: she is a senior advisor for the European Telecommunications Networks Operators Association, it's called ETNO, and she is..
goes on in French, then German (3:43 - 3:57)
.. at the same time, I always doubt whether the amounts you mention for the huge investment is needed, whether that is really true. So I always have my natural doubts, but still I think it is very good to hear also the side from the industry and maybe you can then be very honest about if it is really so hugely expensive as it's always clamed. Then on my left: Mme. Sjoera Nas, she is a member of the board of European Digital Rights, and in the Netherlands that's Bits of Freedom, very welcome and she is mainly going to deal with the privacy aspects. Then on my right, Mr. Joaquin Bayo Delgado, he is, I think since two years, the deputy European Data Protection Supervisor. So you work very closely with Peter Hustings and we are very pleased that also you can come here to explain a little bit, like how does the deal relate to all the legislation we have in the field of data protection. I am going to give you all ten minutes to explain also your different positions.

International Women's Commission for a just and sustainable Palestinian and Israeli peace (5:10-11:40)

But first I would like to welcome also - I saw there was a whole group of people who were coming in by Mme. Morgantini (?) - and that is the International Women's Commission for a just and sustainable Palestinian and Israeli peace. [...]

Kathalijne BUITENWEG (11:40-11:57)

Then we go over to the panel, the people we invited. As I said I start with Fiona Taylor, to give the position of the industry, with honest data.

Fiona TAYLOR (11:57 end)

Well thank you very much. Well first of all I would like to start by thanking you for organizing this hearing. As you've mentioned, this is crucial timing, maybe one of the last opportunities to try to set the record straight at least maybe from our perspective, including the others. And as you have said jokingly, it is probably not very often that industry and civil liberties have very very common concerns vis-a-vis the proposal that has been tabled. It's a good sign, and I would like to say about environmental issues: the telecom industry does help a lot in protecting the environment and we also do a lot of work on environmental charters, so, but that is on the side. I would like to start off by saying that first of all this data retention issue is not a new issue. It is an issue that has come and gone. It has been on the table over the last five years, if not more. Every sort of unfortunate terrorist attack has been another justification - if I can use this term loosely - to reintroduce the issue on the table. I would like to start of by maybe setting the scene as to what is in place today between industry and law enforcement, which maybe will raise more questions as to why we are moving forward to this more intrusive measure that has been tabled. It is not a dataless society, or at least industry, for law enforcement. There has been good fruitful cooperation that has existed between law enforcement authority and the telecommunications industry over the years. It has been widely recognized by law enforcement authorities, including during the Newcastle informal ministerial, where industry was invited to present its views, the only time I would like to stress, that industry was invited to present its views to the Council. I think this fruitful cooperation has also been illustrated following the Madrid and London attackes, where even though no data retention instrument was in place, the industry was capable of giving the available data that is there for legitimate business purposes, to law enforcement and we have been able to help catch, or at least target, the suspects. And maybe another element that I'd like to add about the Madrid attacks is that the Spanish members of ETNO have never been asked for data that was older than three months following the Madrid attacks, I think that's an important point for further discussions. Having set the scene as to what is in place today, we have so far received no justification for a need to change the existing system, be it from the Council, be it from law enforcement. The concerned ...

Fourth track (15 minutes)

Source : http://media.ffii.org/DataRetentionGreenConf20051207/DataRetentionGreenEFA20051207Track004.ogg Fiona TAYLOR (start-14:51) Kathalijne BUITENWEG (14:52-end)

Fiona TAYLOR (start-14:51)

.. obviously because these measures are far-reaching measures that go far beyond what we currently do today. So why is industry concerned about these issues? There are several impacts on industry, as you mentioned there is a costs issue, but I'll come to that in more details further down, because I think it's a very pertinent point you've raised and I would like to answer that since we haven't been often allowed to - not by you obviously - and also we have a lot of concerns vis-a-vis the technical feasibility of the issue. First of all I would like to maybe situate the industry within the political arena at EU level and at global level. We are under pressure from our telecom ministers and from our governments to build the information society and deliver the Lisbon goals. We are an innovative industry, which also has to compete within the EU and on a global level. One of the key elements for the industry, in order to build the information society, is also to ensure trust and confidence of our users. We are also, with regards to trust and confidence, the only industry sector to have its own data protection directive in place. There's the framework directive, but the E-communications sector also has strict data protection measures that we comply to. And obviously the elements that I'll go more in depth into in the proposal also have severe cost implications on the investing side, i.e. the reconfiguration of the network side, on the operational side - storage, retrieval - and also on security side. And, last but not least, in the generalities of our concerns is also having such huge amounts of data available is also an increased security risk. So maybe, not to take too much time, I'll run in the specific aspects of the proposal on the table. There are four keypoints I would say for industry, there is a lot more that can be raised, but I don't think this is nor the time nor the place. But the first one is obviously about the scope of the proposal. We are very concerned about (I think in the Council proposal it's Art 1, in the Parliament text it's Art. 3) the use of the terms "generated" or "processed". In the telecoms industry, there are two types of data that go over a network and I am simplifying it and I am not a network engineer. But we have what we call "raw signalling data" which is purely operational data to allow the network to operate, and then we have data that is translated into call data records, which is the data we keep. So when you say "generated" or "processed", the fear for us in the misunderstanding and the interpretation of the term, is that it can mean anything that passes on our network. So you can imagine the implications of "whatever passes on our network". Even more so for ISP's, which have larger volume of data passing over its networks. But I'll come to the ISP aspects later on, I am just focusing on several articles. The other problem we do have vis-a-vis the scope of the proposal is also limiting it to the services that we are offering. Particularly in the IP world, it is more or less impossible for a provider to store or retain the data of another service provider, but as I said I'll go more in depth in the IP world. Maybe a last point on this scope is that we believe that the amendment that has been put forward and has been adopted by the LIBE committee last week or two weeks ago does heal a little bit of our concerns by changing the words "generated" and "processed", because it means the data that is available and that has already been translated into call data records, and it limited it also to the services provided by the operator. So I'll move on maybe to the types of data. An important point to be raised, and I think it's probably your concern too, when we talk about the types of data, there is two types. There is what we call (i) traditional telephony, which is fixed and mobile and (ii) IP. Technically speaking, both sides are completely different. As we know, the internet is global, there are a large number of players, there are a large number of services that are being offered and also access that is being offered, so there is no sort of one size fits all. It's a web of players and services that is tangled together. So I'll start off maybe by looking at the concerns we have on the types of data with regards to traditional telephony. Our main concerns were obviously - I think some of you have heard a lot about it - it's the unsuccessful call question. Unsuccessful calls because they represent 40 percent of calls for fixed and for mobile; also because the traditional fixed network is a network that has been built over the years, that doesn't have all the capacity to do so. It's a complicated technical structure of different generations put one on the other, and the vast majority of operators don't keep that data. Precisely because you don't need unsuccessful calls for billing purposes. Having to reconfigure your networks just to be able to catch that information and to retain it is what would have been the most expensive part for the fixed and the mobile industry vis-a-vis this proposal. The second point that is of key importance and key concernt for the traditional telephony is the mobile sector. The mobil sector being mainly cell ID and specifically what the original text proposed was throughout the call and at the end of the call. For the same reasons as for the unsuccessful calls, it would also imply a reconfiguration of the network, which is the most costly item out of the items that I've outlined, but it's not the only item. I have to say that the draft text that we've seen from the Council is more reassuring vis-a-vis on unsuccessful calls and cell ID than the opt-in option that has been tabled by the EU Parliament. But I am not here to reopen that debate. Now we move on to the IP sector. The IP sector, as I said before, first of all is an evergroing sector of the industry. There is a large amount of data available on the IP network, we have numerous different players, and it is a global service. We are concerned that the proposal for the moment go beyond IP access. The vote in the LIBE committee had recognized the importance of separating IP access and IP access, i.e. internet voice and internet email. So far, in our discussions and our debates with law enforcement authorities, they have always recognized access data as being the golden thread (?), the key data in order to identify a user. This was also underlined in the UK Presidency document that was distributed to the EU Parliament in September, if my memory serves me right. The reason why we are concerned is that, against this background, it is still included in the Council draft text: email data as we all know through spam is not a reliable data for investigations. It is easily changed and falsified. Most providers of email services are not based in Europe, therefore the proposal can be easily circumvented. I think not more than 20 percent of email providers or webmail providers are based in the EU, plus I am told by my experts that it also depends on where the service is provided from, because even an EU based service provider can provide a service from a server that is outside of the EU. So therefore the coverage of email and voice is not the same. And, I think, lastly but most importantly, when we start entering the IP discussios, the distinction between what is pure traffic data and what is content data becomes increasingly blurred as you grow up the layers of services that are being provided, so you have sort of a transport provider, which is the IP access, and on top you've got the services, the services can be software. It's a tangle of complex technical issues linked to software, technology, networks, operators, services, it's not as simple as traditional telephony. Plus an IP transporter, who is just supplying a pipe and has if you want lorries going down its motoryway, they will have to enter into the content of what is in the lorry in order to know what is in it, plus a message that leaves is separated in different parts and then is reassembled at the end. So you can even not know the whole message, plus obviously entering the content debate. The third concern we have vis-a-vis the proposal is obviously the retention period. So obviously the LIBE committee has gone for retention period from six to twelve months, whereas the Council seems to believe that 6-24 months is required. The harmonisation issue is another question, because I think apart from the minimum of six months, harmonisation has been discussed yesterday, there is not much harmonisation in the proposal. But we believe that (a) it is far too long (b) an important point, particularly following the few words I have said about the IP sections, is that twelve months or more for IP is impossible, because of the amounts of data that are available. If you have to store even 12 months of IP data, you would need databases of a size that is just unheard of today. It is technically very questionable. So that's for the retention period and now on to the costs. I will not use any figures on the costs, precisely because of the argument you've used. (a) because within our discussions with the Council, the costs that have been put forward bravely by one industry operator - I am not citing any names - have been discredited in the Council discussion. Have been discredited in a way that has been very interesting to us, because we have heard e.g. the Swedish home office minister (?), addressed this EU Parliament using figures that went to I think it was 1 million Euros, when we know from all the Swedish industry, e-communications sites, so fixed, mobile and ISPs, that they have never been consulted by their ministers on this proposal and the figures the minister used was referring to what is currently in place today. So it is very easy to discredit a figure by another figure which has not been substantiated. Secondly, I think when we talk about figures we have to remember that there is no one-size-fits-all in the e-communications industry. You've got different operators, some operators only offering only fixed, some only mobile, some offering fixed mobile and IP, and that obviously comparing the cost of an operator that just does IP compared to an operator that does all cannot be compared. Plus size of the country, customer base is different, so it is very dangerous to compare and contrast facts and figures. Based on that, I would say that, as a matter of principle, the cost reimbursement (?) should not be placed on the industry. Regardless of whether the cost is high, or low. We know that the cost is high. We know that the cost will cover - as we've discussed - network reconfiguration, which means digging up, going into your switches, making sure that the technology is updated and the software is updated. Making sure that once you've done that your network is still capable of (a) catching the data, sending it to the central database, but to continue to operate and to function when that is being done. And that is only the investment side of the equation. Then you have obviously the operational cost, which is human resources, which is storage, which is retrieval, which is requests, security, data protection, and the list continues. I think also when I say it is a matter of principle, the system currently in place today, most of the operators, if they get reimbursed, they get reimbursed on a request basis and I would say a majority do not get reimbursed. So if the cost would be the principle issue for industry, it would already be today. So I think it is not fair, generally in the debate, to say that industry is only concerned about the cost. [...] shows the level of priority. I'll finish, so I would just like to say that the text that has been voted by the LIBE committee on the 24th November is a balanced text. We are clearly concerned about the unsuccessful call aspect and the periods of retention, particularly for the IP world, but we believe that we should not hastily adopt a measure for the sake of adopting it in time, but we have to make sure also that the technical feasibility is there. And the last point is: there has been a cruel lack of industry consultation in the process. Thank you.

Kathalijne BUITENWEG (14:52-end)

Well thank you. I think it's for some people difficult to follow. I think by now...

Fifth track (15 minutes)

Source : http://media.ffii.org/DataRetentionGreenConf20051207/DataRetentionGreenEFA20051207Track005.ogg Kathalijne BUITENWEG (start 0:39) Fiona TAYLOR (0:39 1:19) Kathalijne BUITENWEG (1:20 2:06) Joaquin BAYO DELGADO (2:06 end) (Topics: data retentions no new business machine, privacy and data leak problem)

Kathalijne BUITENWEG (start - 0:39)

..many weeks or months now in the topic. I can understand what you say, but I know that if I would have heard this in the beginning, I would have been lost. But I think it's very clear that you also say that it's quite easy also to circumvent, also because there are a lot of providers somewhere else, and also that it's technically still very difficult because at the moment you simply don't have these big databases which would be necessary. At the same time that would be also an enormous chance for you for new investments of course, because you have to develop the technology to store all the ....

Fiona TAYLOR (0:39 - 1:19)

..I'm not quite sure that is... first of all, our investments are mainly focused on ensuring that we can keep on being competitive at European and global level, which means that most of our investments are going into developing our next generation networks. Secondly, first the technology: we don't develop the technology, we buy the technology. So we would not be making a lot of money out of the warehouses. Plus if we were to develop such kind of warehouses, it would be only for law enforcement access and not for ours, so we would be housekeeping for them, but we would not have any profit out of it.

Kathalijne BUITENWEG (1:20 - 2:06)

One of the issues which was raised, is that when you store so much information, there is also a clear security risk. And I remember that some people in the Council said "Okay, we can try to lower also the amount of money which is needed for the investments also for industry", and then I believe Peter Hustings (?) said "Yes, but if you lower that amount, then no doubt also the privacy protection is going to be less, because then the data is less protected." I would like to invite you also to say some words about the data retention proposals from the position of the Data Protection Supervisor and the privacy rules which are currently at place.

Joaquin BAYO DELGADO (2:06 - end)

Thank you. Thank you Mrs. Buitenweg for inviting me to give the opinion of the European Supervisor on these issues. I think that the first thing we have to say is that we are talking about fundamental rights. That's the first idea that I want to make clear. So we are talking about Art. 8 of the European Convention for Human Rights, we are talking about Art. 6 of the Treaty of the EU, so that is the context in which we'll have to analyse all these issues. As to the first point, just to go very quickly. The first point of necessity of data protection. Well there has been a lot of debate between retention, reservation, etc. From the point in which we gave our opinion on the proposal, I think that no new evidence has been put forward to make a case of the need of this retention. And our feeling is that at most, and not for all data of course, 1 year is the maximum that you can think of, and I repeat: not for all data, but in extreme cases. And that brings me to the point of proportionality. There is something which also has to be said very very clearly: we cannot turn around the - what we in judicial wall say - burden of proof. If someone is proposing something, it's up to him to prove that this is needed and it is proportional. It is not to the others to prove that it is not. So that's the first thing that we should say about proportionality. Those that propose a specific piece of legislation in this case have to prove that it is needed and it is proportional, that is the first idea. And of course this proportionality affects time limits, types of data and adequate safeguards. I will concentrate on this last aspect. Because, this retention by itself, and we have also said this in our opinion, increases the possibilities of demands of access, and we have already had some curious demands of access to those data that would be stored if the proposal is finally approved. We have also pointed out in our opinion the problems with those data been stored as they will be accessible by intelligence services. We have made a point on this and I only mention it. Also, we have clearly stated that if you rule the storage of such an amount of data, then you have to regulate the access to that data. And this is an important point that I'll come back to. And of course, also within the context of safeguards, we have the costs, which has been mentioned. The costs from a data retention perspective is a question of security. You cannot just cut on costs because a cheaper system will be an insecure system. And then you'll have to make sure that the security measures are be in place before the whole system is started. Then the last general concept of harmonisation. That's curious. Of course, "harmonisation" means that you have to have common timelimits, and common types of data, otherwise there is no harmonisation. It is a void concept if you just make sure that those two things are the same altogether. And this is even more important because we are talking about a context, a legal context, in which the Commission has approved a proposal for the availability of principle in the exchange of data between police forces. So the harmonisation is fundamental. You cannot pretend that they will exchange things which are not harmonised, because it would be quite curious that a police of one country would get data from another police that in its own country it would not get, because it is out of the limit. So that's something. And of course, there is another thing, which is clear, is that you have a lot of trans-border communication, and how are we going to deal with this complicated Art. 4 of the directive, which is going to be the law applicable to any given trans-border communication? So that is also something that we are worried about. And therefore, we are also worried about. And therefore, we are also worried about this flexibility in the drafting or the redrafting, the amendment, of Art. 15 of the directive 2002-58, because it leaves also a lot of place for not harmonising the field in other areas which are not covered by the proposal. So we'll have quite a strange harmonisation process in which nothing is harmonised, I would say, if we are so flexible in this respect. Then let me concentrate on something which has worried us, is the access to those data. And there we can come back to the debate that has also been mentioned about the 1st Pillar, 3rd Pillar instrument. Well I don't want to go into detail, but I think, at least I want to think, that the debate is
almost over, and I underline almost over, by the fact that in the Council text there is an article, Art. 3, in which is introduced the concept of access to those data. And it gives some guidelines to this access. That is something which is a step forward. We have defended it in our opinion, but then, I just have to say, that this is not enough, what is in the Council proposal. It is not enough because there are not alternatives, and I will go in more detail immediately. We could think that "Okay, let's leave access elements out of the proposal, and then concentrate on this proposal for a 3rd Pillar data protection instrument, which is on the table, and that we are considering." That could be an alternative and so it is good to consider whether it is better to put those safeguards for access in the directive or leave it to another legal instrument. The first thing I want to say to this respect is the timing. When the system goes into place, for sure the framework decision on data protection and the 3rd Pillar won't be in vigor (???), that's clear. So it would not apply, because it would not have been approved of yet. So we'll have a time in which we don't have these warranties, that's important. Secondly, so the idea of a package would work in this respect. But if there is not a package, if the two instruments are not approved, if the two instruments are not approved, if they are not dealt with jointly, then we'll have this gap. Second thing is that, as to now, we don't have any warranty that this legal instrument, the 3rd Pillar legal instrument, will be as it is, or worse as it is. So it would lessen the level of protection, so that's also a worry. There is a proposal, but who knows how we will get this proposal through the legislative process. Thirdly, it would be interesting to compare what is in the different instruments to see that, as a result, the safeguards should go into the directive which is being discussed and not leave it for the legal instrument in the 3rd Pillar. Let's compare it quickly: if we take article 3a and 3b of the text as it is in the report of LIBE, and if we compare it with the draft proposal for data protection in the 3rd Pillar, we come to the conclusion that there are three points which are not really in the 3rd Pillar instrument, and that we cannot imagine that they will be, because there will be something strange within the scope of this general instrument, namely the need for judicial authorization in the access, case by case, judicial or other independent authority permission, that's one point. Second point, that it has to be stated that providers will not be allowed to process data for their own purposes, and linked with this is something that Art. 29 in working party in its opinion has also pointed out, that it should be a separate system of storage for data which are for the purpose of police and for law enforcement authorities and for their own purposes. That would be unthinkable, to have it in a general instrument, as the 3rd Pillar data protection instrument. So those three points which are in the LIBE text, are crucial, and they should be kept, because it's fundamental to warranty this. Then there are other points that are in the LIBE text that could go into a more general instrument, as the 3rd Pillar framework decision, like access to data by other public authorities or private parties being forbidden; the exclusion of data mining as we have mentioned; the loggin of the access to those databases; and, this is a very crucial point, the transfer of those data to third countries. Here we risked to have a lot of circumventions of the rules. Let's put an example. As the draft instrument is at this point, I mean the 3rd Pillar instrument, we can imagine that police can send data to a third country and this third country will resend those data to another member state, in a situation in which the police of the member state could not send those data - the same data - to another member state. So, using the third country, it could be possible. Because, as it is now, the draft 3rd Pillar instrument is meant only when there is exchange of data between police of different states. So that is something that we have to think about. Then, almost finished. Then, just to refer to the Council, I have already said that in that Council draft, there is Art. 3bis which is dealing with access in a very light way: only necessity and proportionality, and only subject to relevant prohibitions of Union law, that could be the 3rd pillar instrument for example, and public international law. It specifically mentions the EU convention, but I miss the convention 108 that should be mentioned there, because it's the one that would apply specifically, but, well, still isn't (?) there. And of course, we also have in the Council text a prohibition in Art. 7bis...

Sixth track (15 minutes)

Source : http://media.ffii.org/DataRetentionGreenConf20051207/DataRetentionGreenEFA20051207Track006.ogg Joaquin BAYO DELGADO (start 0:50) Kathalijne BUITENWEG (0:51 1:58) Joaquin BAYO DELGADO (1:58 2:09) Kathalijne BUITENWEG (2:10 2:30) Sjoera NAS (2:31 - 6:02) Kathalijne BUITENWEG (6:02 - 6:03) Sjoera NAS (6:03 - end)

Joaquin BAYO DELGADO (start 0:50)

.. in which access is refer (?) only possible for specialed authorized personnel. This is positive, so I also want to underline this is positive. And the destruction of data, when the period has ended, so that is positive. But only all in all, as a conclusion, I think that for timing reasons and for substantive reasons, I think that again, and this has also been said, the LIBE proposal is much more balanced than the other text, agreed by Council. And we should not delay those safeguards to this 3rd Pillar instrument, because we don't know what will happen with this instrument. Thank you.

Kathalijne BUITENWEG (0:51 1:58)

Thank you very much. Well you might have your hopes on the LIBE text, but it might not even be voted, the LIBE text, because as I explained in the beginning: we are going to vote first on a vague compromise that the big groups made with the Council, and unless that has been voted down, we don't even come to the LIBE position and thereby all the guarantees which are in the LIBE position and which could be used in a normal negotiation with the Council are then already lost. But I know that in the beginning there was a whole talk to try to link the two instruments like having and one on data retention and one on privacy and that the idea was that they would go hand in hand and that the parliament then also in return as a kind of part of the blackmail could have a say in the privacy directive, which at least was worthwile to discuss, but I think by now somewhere during the last few months the Council forgot that part of the deal and the parliament also didn't insist on having that part of the deal and went ahead anyway with the data retention without the privacy legislation. It's a pity.

Joaquin BAYO DELGADO (1:58 2:09)

This is why I had mentioned these three elements which are fundamental. I believe these three elements. The others we can handle in another instrument. But those three elements are there and have to be there.

Kathalijne BUITENWEG (2:10 2:30)

Then Sjoera Nas, I think you are going to complement the pictures which have been forward here by Data Protection Supervisor and by the industry and maybe you have a lot of points yourself from the privacy organisation point of view.

Sjoera NAS (2:31 - 6:02) (full speech: mp3, ogg)

Yes, thank you. I'm very pleased to be here just one week before this crucial vote. I am a board member of European Digital Rights, which not all of you might kwow. It is an umbrella organisation of 14 digital rights NGO's, or 21 organisations from 14 European countries and we have 5 more observers from an additional 5 European countries, so we are quite broadly covered in Europe. And in all of these countries we are so deeply concerned about this specific proposal. We've been battling this proposal for five years. I would like to ... previous speaker said: this proposal is not new. It's been tabled in the year 2000, even before the attacks on New York as part of the negotiations on the cybercrime convention, and was rejected emphatically as a way too invasive measure, and everybody agreed on another measure, called "data preservation", otherwise known as "the quick freeze" of data on specific subjects. And in the year 2002 the argument resurfaced when the EU Parliament debated the E-communications Privacy Directive, and then, it was a very difficult compromise brought by the same parties that are now tabling compromise amendments to say "okay, well if individual member states wish to introduce data retention - that's article 15.1 of the E-privacy directive - they may, you know, given all the protections of the European Convention on Human Rights article 8, they may, if it's absolutely necessary." But of course this wasn't enough. Because none of the national parliaments agreed. None of them agreed. There was this possibility created in article 15.1 and nobody agreed, and now they are playing the European card. And this is one of the four arguments I am going to try to argue with you today: it's the argument
that calls this whole process illegitimate. And the other three arguments that I am going to explain are that this measure is extremely invasive, it is extremely illusory as to the results it will produce, and the whole process is illegal. So, illegitimate (I hope you are still with me when I come to illegal actually). Illegitimate: like I said, you know, just every occasion is used to retable this argument and none of the national parliaments agreed and among them, most prominently is the UK where they failed to introduce legal data retention in the Lower House because the Lower House thought it was disproportionate. And now they have this sort of voluntary agreement to which less than half of the ISP's actually participate, because it is unfeasible to do what government voluntarily wants. So much about illegitimate. I'll return to that in my conclusion. I just want to also mention that this is an extremely difficult technical issue. Data retention, just the word, in all these European languages, sounds like something extremely difficult and complex and, you know,

Kathalijne BUITENWEG (6:02 - 6:03)

You mean we have no clue of what we are talking about?

Sjoera Nas (6:03 - end) (full speech: mp3, ogg)

No, less than one percent of the electorate, No! the electorate, the voters, don't forget the voters! Nobody understands what this is about, but once it is introduced in national legislation, this will backfire on the European Parliament and on the national parliaments, secondary, in an immense way: it will cause such a huge loss of trust in the European parliamentary process. Because, you know, all of you know what will happen: all these promotors of this proposal will go home, like the UK will go home, like France will go home to their electorate and say "Ho, you know, we didn't want this! This is Europe! You see how bad Europe is?" This is a really dangerous process. So, invasive: it concerns everybody. All 415 million European citizens use telephony and/or mobile telephony and/or internet. And it does mean you, as an individual, will have to keep your own electronic diary of where you were with your mobile phone every minute of the day. Because that's what this is about: your location profile, your movement, and I mean - just checking for yourself: just take 10 seconds now and try to think where you were just two weeks ago, at this hour. Where were you, two weeks ago? You don't remember, you know. You need to look it up, and maybe with some trouble you can remember. But what if now you are being asked by the police to prove that you weren't somewhere where they think your mobile phone was two years ago? Who can remember this? Nobody keeps such detailed electronic diaries about their own behaviour. And this is not just a what-if example: this has actually happened less than three months ago in Germany, when the German police sought witnesses of a serious crime, and they used the location data to find out everybody who was in a circle of six kilometres of this incident. And they actually told the press that people who didn't voluntarily to the police, were to be considered suspects. So this is not a myth... this is one of the serious results of storing such extensive location data on everybody. A third example of invasiveness: 80 percent of all incoming e-mail in an average European inbox is spam. So 80 percent is something you have not desired or demanded. And it is quite likely that a lot of this spam comes from criminal sources. And this is dangerous, because you can be connected through such an electronic data file to some criminal sources that you have never been actively in touch with. But you have received spam. And maybe, you know, there is a pattern: you receive a lot of spam from Pakistan, you travelled to Egypt, maybe to just take a diving trip, and maybe another good example is you don't have a habit of closing a travel insurance, which is also a sign of possible terrorism. You know, such patterns are extremely dangerous and are enabled by creating these digital records. Illusory: I hope you still bear with me. The results of data retention are illusory. It means, like the previous speaker said, first of all it is really easy to circumvent data retention, especially when it comes to internet. And
I would like to remind you that even the chairman of EuroCop, an important European association of police offices, said that data retention is not only useless, it is dangerous to the practice of law enforcement. Why? Because serious criminals and terrorists with really evil intentions, will use all means to circumvent this data retention. So you end up with this database filled with data on innocent people that don't care about circumventing data retention and the serious criminals will be much more aware of this way of law enforcement, making it much harder actually to track their networks and communications. Illegal, my last point, the heaviest point. Fortunately, Mr. Delgado (?) from the EDPS already addressed this very eloquently: it's article 8 of the European Convention of Human Rights, and I don't have to say a lot more than the summary created by the European Court of Human Rights. It's this one single question that brings you to the essence of article 8: is a measure really absolutely necessary in a democratic society? This is the question you, as legislators, both from the Parliament and the Commission, have to always ask yourselves. Is it proven? Well, no, we haven't heard any proof for this necessity. And will this continue to uphold our democratic society? Well, I'm afraid not. There are three immense dangers luring. And we have just created this open letter in a dramatic last attempt, European Digital Rights, Privacy International, and a large number of supporting national organisations saying that promises are not enough. You are being promised that Europe will be a lot more secure with data retention. But where is the evidence? And don't forget: all the things that are not being discussed, and those three are (i) mission creep (it's a terrible word from the US army and I don't usually use words from the US army), which means that the given purpose will be exceeded very rapidly, and the two demands that will follow within one year will be: complete identity registration for everybody who uses e.g. prepaid mobile telephony, for everybody who enters a cyber cafe, and the second demand that will follow immediately, is a ban on the use of non-EU services, like GMail from Google, a ban on Hotmail
from MicroSoft, because they don't comply with European data retention legislation. And as we heard before: less than 20 percent of the email providers is actually based in the EU. So will we get a ban on these services? And the second thing, again already really eloquently expressed by the European Data Protection Supervisor, is access by data mining services. In the Netherlands, my country, and in France, and in Denmark, currently legislation is tabled by the governments to allow secret services unlimited accesses without any suspicion, without any sort of warrant, to any sort of data gathered on any citizen. Creating these databases, like I said before e.g. with the mobile location data, and creating no limits on any access is extremely dangerous, because it will involve all of us. And many people tell me, when I talk about these things, like "Well, I've got nothing to hide! And it's not about content data, it's just traffic data, metadata, so why bother? Why be so concered if it's good for the security of Europe?" Well, think again: where were you, two years ago, with your mobile phone? Exactly. And you don't have anything to hide today, but will you repeat that same argument two years from now if the police thinks, or the secret services think, you certainly were there. So, conclusion: are times really changing? Are we all ready to throw away the old and worn coat of human rights? Are, like Mr. Clark from the UK Presidency told the EU Parliament on 7th September, are the circumstances very different now, from those ....

Seventh track (15 minutes)

Source : http://media.ffii.org/DataRetentionGreenConf20051207/DataRetentionGreenEFA20051207Track007.ogg Sjoera NAS (start - 1:11) Kathalijne BUITENWEG (1:12 2:27) Alexander ALVARO (2:28 9:12) Daniel COHN BENDIT (9:14 9:34) Alexander ALVARO (9:35 9:45) Daniel COHN BENDIT (9:47 - Alexander ALVARO (9:49 9:50) Daniel COHN BENDIT (9:50 9:54) Alexander ALVARO (9:54 12:40) Monika FRASSONI (12:40 13:39) Zepp KOSTATJA (name ???) (translated) (13:40 14:39) Eva LICHTENBERGER (translated) (14:40 end)

Sjoera NAS (start - 1:11)

..faced by the founding fathers of the European Convention on Human Rights. Human rights framework sets essential boundaries to what Governments may and may not do. We've all learned this essential historical lesson only 50 years ago. And it's not just the EU that learned this historical lesson, it was a worldwide lesson and the conclusions were written down in the Universal Declaration of Human Rights. And are we now ready, like Mr Clarke suggested, to throw away e.g. Article 1 of this Universal Declaration "We are born free and equal"? And this is the most important lesson towards governments, because we know they will make terrible mistakes. This is a key moment. We can only urge all members of the European Parliament to use their individual conscience and make sure that the EU society will remain a free and open society.

Kathalijne BUITENWEG (1:12 - 2:27)

Okay well thank you for these three introductions. I will also invite Monica to take over the chair as the co-president of the Green Group. Before, I think she should start to try to direct the debate here, because I'm sure a lot of you have questions. I would like to first give the word shortly to Alexander Alvaro, the rapporteur for data retention. I hope that you're not offended that I leave during your talk. I'm very curious to hear your position on the compromise which have been made by the big groups, because Alexander [I'm just talking to you, as always you never listen to me]... No, I mean, it was a very difficult exercise to make the report, but we are most likely not even going to vote on your report, because there is a compromise made by the big groups, and I'm very curious to hear your position on it and how you think that the vote will go next week.

Alexander ALVARO (2:28 - 9:12)

Thank you very much, Kathelijne. I don't think that I have to mention here that I usually do listen to you, because our cooperation within the committee is very good, and I think your group has quite a good representative with you in the committee. But, to make it quite short: they ripped us off. I mean, that's it. Because, as you already said, there is now... Okay, I must admit: I don't agree 100 percent that we saw all the points which have been mentioned, because some things are a little bit different and it is in the end not sure that you will have every bit of location data, every cell ID which you move in or whatever. But I think we are beyond the stage at a certain point, because, as Kathelijne said, there has been an agreement between the PPE and the PSE, which, we all know, have - if they would have all their people in the plenary -
We need approximately 370 for some amendments, so technically, and just by arithmetics, I know where I am standing. But, the point is: they have both agreed on - I mean, Council delivered something which they call "Well, this is our text, this is what we want. And this is what you take or we won't have a deal." By some convincing arguments which I don't understand and I don't know, Mr. Pöttering and Mr. Schulz were very convinced by what Charles Clark said. I wasn't attending that meeting, I wasn't there, I don't know what he offered and what he said. But it must have been very convincing, because now, both two groups are willing to amend the Commission's directive 100% the way that Council demands it, from the text we have, i.e. the version of 2 December. And I must admit: I don't understand at all, why. Because, if you have the text, the original framework decision which Council once proposed, from the 18th April last year, and you put beside the text they now put as a compromise text: where is the development? Where have they changed? There are certainly some inclusions concerning data protection, data security and whatever, but they are just referring to national laws. And, for Council it is like "this" to refer to national law. It's nothing like compromise, they just say "Okay, leave it to the member states, who pay all this stuff." Who checks about data retention? Who does the access? Who does the question like "what about criminal sanctions?" What about administrative sanctions? It is all referred back to the member states. The main points on duration - retention periods, on what is to be stored - data types, on who pays it, on whatever... has not changed. It has, in a sence, become worse. Council always said "We want 6 to 24 months of retention period". Now they say it again, but there is a clause, because there is a so-called new article X - who knows what it is - but it is called future measurements. Which means that a member state, by notification of the Commission and giving a reason that it is important for national security, whatever national purpose, as long as they can justify it. And we know that Commission will never touch the souvereignity of the state, which says "I need it". You can extend the retention period to whatever you want, literally speaking. And that's why we have press releases by Poland saying "Well, we would like to do 15 years." I mean, they can try, no problem! I don't know where they want to store that data - Poland is big, but not that big. And I don't know how they want to pay it, I don't know how they want to search 15 years of data. I mean, just imagine it: even it's reduced to a minimum: check 15 years of phone calls! I mean, whatever, but okay, it is Poland; if they want to do it, it's not my problem. The other thing he said: there's a quite extreme change also concerning, ehm we had the discussion of the article 15.1 of the 2002 directive, which was once designed to leave it within the member state's competence to choose if they want data retention or not. Now, and that was in general my purpose to say: okay, if we are doing a data retention directive, then it finalizes 15.1. Which means: outside of the scope of the data retention directive, you cannot retain data. That was in fact the purpose to get out this exemption of 15.1. Now it is like saying - Council says in fact - well, outside of the data retention directive, you can do whatever you want under 15.1, concerning data types and purposes. So I think it is again an extremising or maximising of what generally was the idea. So I do not understand why, in any case, the two big groups are going like what they're doing right now, and saying "okay, we're going to amend the Commission's proposal, the ways the Council wants it, and we're going to vote en block on it". That's it. I mean, by that case, I really don't understand it. Maybe I'm a little bit naive, but I don't understand it. And this is where we will have problems, because personally the speaker has said it this way: "Of course I was not absolutely happy with which came out in the committee, but in spite of what was going on - I know your group's position on this - but in spite of what was going on, it was the best possible compromise to achieve, and we got a lot of things in. Even though it was difficult, but we had all the time discussions with all 5 major groups in this house - I consider there to be five." So, we had the discussions, and we agreed on certain points. Of course, if you don't necessarily have to agree as a group, I understand that you take yourself out, and it's completely right. Because if I could have decided alone, we wouldn't have this tool. But since it's on the track, it was my job to see we make it as proportionate as possible, and it's not very easy if you have quite a thorough majority against yourself. But now, immediately after committee decided, immediately after Parliament made a position on this, the two big groups came in and said "Okay, we're going to compromise on this and this and this, and we're going to compromise on that, and then we're going to present it to Council", which was politically, in my point of view, one of the biggest mistakes you could ever make. I mean, it was a beginner's mistake. Saying, like, before I even know what Council wants, I am going to step back from my compromise and give a new compromise. I mean, it's like in a bazaar: I say 5 euro's, I don't even know if the guy would say 7, but I say 8. Okay? No problem. And that is what I don't understand on that point. But anyway, now we are facing the situation: we are doing our work trying to change majorities, but again to be realistic, you need 370, roundabout, if you would estimate that all 732 of us are in the house. Which means: your group, maybe a lot of people out of my group, maybe the GUE/NGL

Daniel COHN BENDIT (9:15 - 9:34)

What I want know. Who made the compromise? The people of the Libe committee of the two groups or were it the presidents of the two groups. This I did'nt understood. Because there were talks between Schulz and Pöttering (intervention) while both not in the Libel Committee So I want to know how it works.

Alexander ALVARO (9:35 - 9:45)

Ah, okay. Well, in general, I just suppose, because I was not attending, it was not within the LIBE committee. That was not there. I suppose, because I know it was Schulze and Poettering ...

Daniel COHN BENDIT (9:47 - )

.. proposition in the LIBE committee? (alvaro: No) As whom they went to the Council? As what?

Alexander ALVARO (9:53 - )

No,Council. Council approached them as group leaders. Saying "you're the group leader of one big group, and you're the group leader of another big group". And Council also knows how it goes. So, they said "Okay this is what we want", and as I said, I don't know what happened, because I was not attending. But suddenly, both said "okay, we're going to go in that direction" and then they informed the coordinators of the LIBE committee, Mrs. Clampte (?) and Mrs. Wool (?) "Go down that road". And that was sort of, like, 5 or 4 people's agreement, I don't know how. I just was informed as a rapporteur by e-mail on Wednesday saying "We would like to inform you that we had a compromise on this and this and this." I said "Okay, very nice". But no, it was Schulz and Poettering. And in fact, I mean, we are losing such a piece of credibility. I don't know why everybody was going "Oh cool, we got codecision procedure
..". It is an article 95 proposal: it's a directive. Of course it is codecision! It's nothing you really, like, fight for, you win, or whatever: it is legally the right way to do it. It is nothing what we call a victory. We would have a victory if we would work on the content. But, I don't know, it's been completely excluded by peoples minds to work on content on this topic, I don't know. But in any case, I mean, just calculating: 732 people in the house, they're not all there but anyway, roundabout 370 majority... I know how big my group is and how big your group is, how big the GUE/NGL. Taking out some people who go... roundabout 150 votes, we need. And this is quite difficult. It's not impossible, never. But it is difficult. And it means a lot of work in the next 5 days. But, in any case, I don't understand what happened, why it happened. I just know that if it goes through, on block, it's not my name being on the report. Because I cannot stand up for what is being then decided. I could take the committee's proposal, but I cannot take what Council wants now. So, no big message, because it is politically not really changing the world, but I mean, I would have to justify as a rapporteur and I could not justify that position. So, once again, I mean: which means, either you, or we, I suppose we, would have to become one of the biggest groups. Then we can change certain things. But it would be naive to think that it would have not gone that way. But at least, one can try. And we will still, until the final vote, try. And whatever happens, we got a 18 months implementation phase, and it's still - you got constitutional courts at your home - and they still can test this in any case. But, as I said, I'm not happy, but well it's about not giving up. You know how it works. Sorry for talking a little bit longer, but thanks for the attention.

Monika FRASSONI (12:40 13:39)

Okay I think that one thing that we have to check is whether the ?????????? went through the presidents of the other group, whether there is a point of commending this in the conference of presidents which is going to take place tommorow, because it is something that is very unusual, to say the least. So I am sure that Mr. Watson (?) will also want to mention this point and will certainly do that tommorow in the conference of presidents. I'm not sure this will be very ??????, because normally when these things happen, the two presidents of the big groups look at you, smile and don't speak. But you know, it's something that we can try anyway, formally I mean. So now we have some space for questions and the first person who will ask a question is Zepp Kostazev (????).

Zepp KOSTATJA (name ???) (translated) (13:40 14:39)

Nach all dem, was ich gehoert hab, habe ich zwei grundsaetzliche Fragen. Ich habe nicht verstanden, wer eigentlich dahinter steht. [My translation: After all that I've heard, I've got two fundamental questions. I have not understood, who is really behind this.]
translator takes over It cannot be that Baroso is behind it, or Poettering, or Schulz. I cannot believe that they have personal interests. It is interesting, it is important for the specialists to tell us who is really behind this. Fighting terrorism cannot be the sole course for all of this. The second question is: are there formal reasons, or formal possibilities to pursue this compromise between the two big groups and with the Council. Is it possible to stop that comprimise in fact? Progressing, that is important for me too. If we can do it formally, it's always easier. The two groups of course have the majority. Once they voted on that, there may be some form of possibility of stopping that on its tracks. That's a question to Monika.

Eva LICHTENBERGER (translated) (14:40 end)

Yes, I am just wondering how many representatives there are in the EU Parliament from the member states, who will vote in favour of it in a straightforward manner. Now I tried to get some information back in Austria, and one of the main ...

Eigth track (15 minutes)

Source : http://media.ffii.org/DataRetentionGreenConf20051207/DataRetentionGreenEFA20051207Track008.ogg Eva LICHTENBERGER (translation) (start-2:01) Monika FRASSONI (2:05-) Joaquin BAYO DELGADO (2:15- Sjoera NAS (4:00- Fiona TAYLOR (7:05- Monika FRASSONI (8:38- Carl SCHLYTER (8:45- Tatjana DANOKA (10:35- Eva LICHTENBERGER (translation) (11:25- Monika FRASSONI (12:35- Fiona TAYLOR (13:45- Carl SCHLYTER (14:25- Fiona TAYLOR (14:45-end)

Eva LICHTENBERGER (translation) (start-2:01)

.. arguments which I heard, in favour of voting in favour, was that in a national area we have all sorts of opportunities to be stricter, less strict, or whatever. So we can vote in favour quite calmly and with firm reassurance. The Austrian Minister told me this, he said "It's not so bad, because in Austria we protect everything we want to protect through national laws. So don't be scared. It's all down to me". Now, as far as I am concerned, that's a strategy which will be very important in the future, because it will influence other directives. Again and again we are being told we are handing over a lot of policies to subsidiarity. The member states are pleased and say "Oh great, we can sort that out for ourselves again!" But, of course, that has a knock-on effect in the protection of data: that is lost in the whole discourse. My main misgivings are based on the question of the very similar levels of protection in the member states and what impact will that have? At least that is what I gain from my research: the ones which are more strict, will have to ........ (???) bit by bit because of the influence of cooperation with the other member states. So the whole thing will be softened and watered down, step by step. But, am I right in assuming that, I think there's a kind of a strategy for the member states to reassure the member states. Will that mean that MEP's with less information are likely to vote in favour? If that's true, then we have to pursue our information policy in that direction.

Monika FRASSONI (2:05-)

Okay, any further questions to the floor? If not I'll the floor to the panel again.

Joaquin BAYO DELGADO (2:15-

I want do address the parliamentary issues which of course I ..... (?) But in any case, right relating to the technical aspects of what has been pointed out in the last intervention. I've to recognize as a fact that in many countries, directives of data protection have been implemented. ........ (?) also covering these areas of police data etc. But let me just say, that this is in general terms not enough. First because it is not mandatory in the fact that the scope of the directive is what it is and then any country can change the scope of it's own implementation of those rules, because it is as I said not mandatory. Second, as I had pointed out already, the specificity of the access, the questions, for example there's also a question that has come slightly also up: the quality of the data that police would get from private parties is also something which we would have to analyze. All those issues deserve a common approach and a mandatory approach from the EU level, if the mandate is also to retain. So that's the point I wanted to make. Thank you.

Sjoera NAS (4:00-

So about the first question: who's in the background, you know, pushing for this data retention. I'm afraid it has gotten a logic of it's own, and there are surprisingly few convincing arguments why this is necessary. And I personally followed this debate for five years and I've heard the same stories from law enforcement all over again why this is necessary. And when really pushed by the LIBE committee, and thanks to rapporteur Alvaro, the UK presidency published a paper with "convincing" arguments for data retention, they mentioned four examples. I hope you have seen this paper, because it is the only bit of supposedly scientific research into the necessity of data retention. And the four examples mention four cases which were solved within three days. So, these were cases of intimidation and taking hostage. Police doesn't wait for two years to investigate a hostage case: they do it the very same day that a child is lost. Kidnap case, sorry that's the proper word. So I don't know, and I can only say I deeply regret that nobody has come up with a convincing reason. And the second one, are there formal grounds for rejection now? Because that would be the easiest way. Well, I'm terribly afraid I don't see any formal grounds, but maybe the Greens can come up with a trick here. And just really briefly, the other question from the Austrian delegate, or I'm not sure if you are an Austrian delegate [she's a MEP elected in Austria, Eva] all right thanks. This argument that national parliaments can always choose their own level so we don't have to be concerned. Well, article 15 was already adopted to allow these national parliaments to choose whatever level of data retention they wished. And I know there is no data retention in Austria, because of the same reason why there is no data retention in Germany, because due to some unfortunate historic accident both Germany and Austria have very strong constitutions that just forbid governments to introduce complete surveillance of all innocent citizens. And yes, I think your concern is most true, that access possible limits set by national governments will be lowered down very quickly, because of course the negotiations in the Council will continue, and maybe Austria will choose for let's say six months of data retention. Well I promise you, within a year there will be an agreement in the Council, to extend this, "harmonize" this all over Europe to 24 months. Thanks.

Fiona TAYLOR (7:05-

I don't know what I can add after everything that has been covered. I think obviously to come to the points of political issues, I think as industry I should not get involved, apart from saying that we find it extremely regrettable and I think from an observer's perspective, trying to follow the file and the developments in the file since the UK presidency took over or even before ... (?) when it was 3d pillar has been an extremely difficult exercise. As I said at the beginning during my introduction, we have had very very little industry consultation vis-a-vis the effectiveness of this proposal, regardless of industry's concerns whether it is effective or not and whether the end goal will be reached. We had one consultation organized with the Commission, but after the directive had been tabled, and we had one consultation with the Council at the occasion of the informal ministerial in Newcastle. And I have to say we haven't had any feedback on the supposed launch of dialogue that took place in these two occasions. So I think, to conclude, all I can say is that we are concerned that we are now talking about putting in place measures that go far beyond what is done today, that are extremely intrusive, and that no other countries in the world have dared to implement and put in place, and I think that is where the questions should lie. Thank you.

Monika FRASSONI (8:38-

Good, I think that unless, ...... go ahead.

Carl SCHLYTER (8:45-

Yeah, I have one question for Taylor and that is: are you going to be able to ensure that nobody has a legal access to the data that the companies have in their hands? And what are the possibilities for that. And you mention in your speech that it is going to be difficult to collect all these data and store them. So how will it actually work if an agency of the government wants to look at the data, how will it actually work? And who will control how much information they actually access? Will they just open your archives and get everything, or how will it work? Will there be a log of which data they have accessed? Will it be afterwards possible to confirm which files they have accessed? That's a question. And then I would like to ask Mme. Nas for: you mentioned this interesting example of the German police. Is it written somewhere? Can I have the actual data there? And I have another question: the version of the 2nd of December, and the compromise that Pattering (?) and so on made: where are the differences between this paper and their compromise? The most important differences. And I have another question, and that is on article X (it's a good name for it, isn't it?), and that is - well, where is it now? - I don't see, for me it's bizarre, because it says, like "the Commission shall within six months check this". And what are the grounds? The grounds are functioning of the internal market. Where is the human rights grounds and those controls there? Is there no such provision for the Commission to say no, in that article? Thank you.

Tatjana DANOKA (10:35-

As a member of LIBE committee, I am following the events. So, I have one little question or remark to Miss Nas. I am representing Latvia, and I see that under those signaturies there are very few from new member states. And I am now in my human rights ... (?) undertaking some steps to raise awareness. But I hope very much that your network will also do something to extend your activities to these. Thank you.

Eva LICHTENBERGER (translation) (11:25-

One question I forgot to ask: it's not clear to me, because I know we were discussing the technical aspects, what sort of level is this being stored at? Sometimes I talked to service providers and they always ask for technical details. But it is hard to access information as to where the data is stored and how it is acccessed. It is essential in terms of the necessary storage capacity and the search programs developed in a huge cemetery of information. That's going to be the decisive question. If there are answers to this already, how is this capacity going to be developed, who is going to do it and how will small providers solve these technical questions? Isn't this a matter of clearing the smaller operators off the market in favour of the larger operators? Isn't that one of the side effects: that's something I am particularly keen to know about.

Monika FRASSONI (12:35-

One addition: Alexander asked about the procedural issue. We are going to see, as I said before, in the conference of presidents tomorrow, although this is more of a political thing, but we will see this question of the obligation to vote on block, how we can deal with that. And I also believe that it will be possible to send around some kind of note to the members of the different groups, because I am not very sure that they are aware that this thing happened and of the implications that this thing has. So, this are the usual thing that we use in emergency situations. We will have to see whether we will have to do it only alone, or if there is anybody else, notably the rapporteur, who can participate in that. But this is of course up to him to answer. So I will just give the floor to the three of you to answer to the questions that have been added, and then I will give the floor to Alexander.

Fiona TAYLOR (13:45-

Thank you very much. I think there were two questions, because they are quite similar, I will regroup. To answer your question about legal access, who will have access to it, what can be stored, what cannot be stored, I should ask
you the question, because it is not up to us to decide in terms of who has access is something that is regulated by member states, not by industry. Clearly, for us it is simpler if we have clearly identified representatives for the requests. But it is not up to us, it is imposed on us, to decide.

Carl SCHLYTER (14:25-

I think it's a misunderstanding there. Your company has the information. How will you as a company protect people inside the company to spy on their neighbours and search the database, and will you, as a company, be able to log when somebody accesses the information, either it's a government or an internal employee.

Fiona TAYLOR (14:45-end)

Within our companies, we have very strict obligations. As I said in my presentation, we are the only sector to be covered by a specific directive for data protection purposes. So the privacy obligations on the ....

Ninth track (15 minutes)

Source : http://media.ffii.org/DataRetentionGreenConf20051207/DataRetentionGreenEFA20051207Track009.ogg Fiona TAYLOR (start 01:40) Sjoera NAS (1:42 - 6:43) Joaquin BAYO DELGADO (6:44 - 9:10) Sjoera NAS (9:11 - 9:42) Carl SCHLYTER (9:50 - 10:15) Erik JOSEFSSON (10:20 - 12:10) Monica FRASSONI (12:10 - 12:16) Alexander ALVARO (12:17 - 14:01) Erik JOSEFSSON (14:02 - 14:29) Alexander ALVARO (14:29 - end)

Fiona TAYLOR (start - 01:40):

.. on the e-communications industry is extremely high. The people in charge of databases even for our own legitimate purposes, i.e. billing data, are under very strict guidelines and legal obligations with regards to safeguards and lack of misuse. With regards to law enforcement: from the way it is written in terms of monitoring what is happening on the access level: from the directive, or from the draft Council text, it is not clear who will do the monitoring and who will do the statistics. Obviously, the results of the statistics will depend on who carries out the statistics. When you ask me about the large data that needs to be collected and how we will manage to do it, I think in my presentation I tried to explain that there are, if you will, three categories of data for us in terms of technical feasibility and what is possible and what is not possible: (a) they are available data that we can keep (b) they are data that exist, but are technically extremely difficult to catch and therefore extremely expensive to catch - it's like asking someone if you can go and live on the moon - yes, if you have the investment to do so, you can do it. Is that reasonable, is that proportionate? That's another question. (c) Mainly IP-related data, which is impossible for us to catch. I don't know if I have answered the questions. Maybe one last point I would like to raise is the lack of legal certainty in the proposals as to how this will be interpreted once we have to work on implementation. So I hope I have answered the questions. Thank you.

Sjoera NAS (1:42-6:43)

I had an additional comment on the two questions about access and technical storage requirements. I am afraid the Netherlands are providing a really bad example that is very important to mention here. We have a system called SEOT (?), I won't give you the translation in Dutch, but it means a double-blind request system for data about people at the telephone companies yet, and it will be implemented within six months for ISP's as well. And this means that government has decided on one, unfortunately Windows, standard, in which all telecom providers and ISP's have to provide data to a double-blind system, which we call a police warehouse. And police and security servicess can blindly access this pile of data, currently only for name and address data. So, they have a telephone number; we have six telephony providers and about 200 ISP's in a small country like the Netherlands, so this is a very competitive market. You have a telephone number, as a police officer, you type in the telephone number, and the system queries all the existing databases to whom it belongs and the right address data will come out. And the telephone companies, and within six months the internet providers for email addresses, this will happen as well, will not know how often the system is queried by whom. Now, fortunately the formal incumbant (?) in the Netherlands leaked the amount of requests by this secret services, and the Ministry of Justice pays I think 1 EUR per request to the telco's, so we were able to do the calculation how many requests they did in 2004. So this is just talking about telephone numbers in The Netherlands: 16 million inhabitants, 900.000 requests for name and address data belonging to telephone numbers in 2004, and 300.000 requests from the secret services, so 1.2 million requests in one year. That's one in every ten inhabitants, right? Now this same system will have to be used for internet data, and our Minister of Justice Donner has announced that he is very happy to promote this system to the rest of Europe, to give his policy more legitimacy of course. Because this is a unique system in the world and it would be much better for the Netherlands if other, bigger countries would use the same system. And there is no supervision, no control, no guarantees on the amount of data accessed for what purpose, there are no results published about the effectivity of using this. And we only have this one telling example - and then I will shut up, sorry for taking this much time - of what actually happens in practice. We have this famous football player in Rotterdam, a city in the Netherlands, who was accused of raping somebody. 300 police officers thought this was very juicy information and tried to access the file about this football player, maybe to sell this information to some boulevard magazines. Fortunately, the police of Rotterdam just had a system in place controlling the access to this very sensitive file, and all 300 police officers received a letter at home from the police chief commissioner, like "Why are you actually interested? You are not involved in this case! Why are you looking at this file?" And now this is just one example. Imagine what happens if you are a police officer and you try to but something on the internet, like very regular people happen to do all the time. Well, you just sit behind your computer and you are typing the name, the email address, of the person trying to sell you something. And you do it for friends and family as well. So this leads to mega-abuse of these kinds of data. And now it seems innocent: as always, it's just the name corresponding to a telephone number, it's just the name corresponding to an IP number, it's just the name corresponding to an email address? But what happens when we keep on adding to this database? Sorry about giving you a very long answer. And thank you very much for the question about Latvia: we would really love to have more digital right activists in Latvia, Estonia and Litouania. We do have activists in Romania, in Bulgaria, in Poland, in Slowenia, in Serbia, in Croatia: in all of these countries we have members within our group, but I think we still need to work a lot in the East, in Estonia, Litouania and we hope we can find more support there as well. Thank you.

Joaquin BAYO DELGADO (6:44-9:10)

I'll try to answer some of the worries that have been expressed here from a legal, technical perspective. Imagine that the text of 2 December of Council is the final text. The only thing that we can do, as jurists will always do, is to try to interpret the text as strictly as possible. And then, we have to rely on article 3bis, whatever will be the final number, and there the only things that are pointed out as to access to data, are necessity and proportionality, so then we'll have to apply strict criteria on these two concepts. Then there is the reference to relevant prohibitions (?) of Union law. There I again mention the 3rd Pillar instrument, that we have to work hard so this instrument is the best possible instrument. Always bear in mind that there are some things which would inevitably escape off the scope of this instrument, because it wouldn't be feasible to include there, and then public national law. And let's remember that convention 108 also applies. So we should use this instrument, this legal instrument, to make sure that the access conditions and requirements are as strictly as possible. But that's reality if this is going to be a text proof (?). And then we have article 7bis, that relates to data protection and data security, there are some things which we have to really be conscious and point out that they have to be implemented, like - what I already said - this specially authorized personnel, so that has to go into the national law. So that would be the legal framework in which we'll have to move ourselves and that's it if we take into account this text.

Sjoera NAS (9:11-9:42)

I forgot to answer your specific question about the German police example. This was given a so-called "Big Brother Award", a prize for the person or institution excelling in violations of privacy in Germany, just a month ago, and it is extensively documented on the website of European Digital Rights, let me just commercialize a bit here: edri.org. Thank you.

Carl SCHLYTER (9:50-10:15)

Just a very short question: what I want to know is, in any of the old directives, or in this directive, because there is actually one data retention I would like to have, and that is: which police officer accessed all the other 450 millions people's dossiers that are stored? Is that data retention explicitly there, somewhere in any other regulations concerned?

Erik JOSEFSSON (10:20-12:10)

Thank you, I have a feeling here that we are preaching to the choire. I am Erik Josefsson from FFII, I am very happy that our organisation has been involved also in this data retention directive, since we mostly worked with the software patents directive last year. But now, from this experience, I would like to ask: how is it then voting-technically possible to do anything at all right now? I would like to ask if there is a rejection amendment tabled which I understand will be voted on as the first vote in just one week's time. And I also would like to very deeply congratulate the rapporteur, Mr. Alvaro, for publicly saying that he'll withdraw his name from what then will be called the Poettering and Schulz report. I hope that you all realize that there is only one week to go and we must trust that politicians are still single (singular?) individuals with responsibility to their voters, and I think that this is a call for... we have all now heard about ill-conceived this directive is, and maybe there is just one chance to stop it, and that is with a rejection. So this rejection has been tabled, the deadline for tabling amendments is actually tonight, well this evening at six o'clock, so that is my question.

Monica FRASSONI (12:10-12:16)

Would you like to say something on this possibility? And on the rest, the procedure?

Alexander ALVARO (12:17-14:01)

Okay. Thanks Monica. Well, as far as I know there are amendments tabled concerning the rejection of the proposal, of course. I know that there will be certain voting lists also indicating that if the Council's proposal goes through one-to-one, that there would be a minus in the end concerning the voting of the amended (???) legislation or the legislative proposal.
intervention: "I don't understand this one." Okay. Nevertheless it is going to be rejected in the beginning, because this would be the most fargoing amendment, in the end we'll have to vote on the amended proposal anyway. And I know that there will be certain voting lists within the house where you have a minus on that, saying "No", which means rejection. So, either in the beginning or in the end. But, concerning majorities in the house, I mean one has to be realistic. I mean if this is really being achieved, and I mean my purpose is even - although I know we have a different interest in that - is not even to reject the whole thing completely. I would just want to like to stick to the compromise Parliament found, because I am not fundamentally opposing it. But anyway, of course we are aware we got a week. Definately. And be sure, we are working. Although I am sitting here - it's working. And I calculated it, I mean, you know you need roundabout 370 just to be sure. And this is quite a huge amount. Imagine from which group the most of us are coming. I mean, we are not the major ones. But it is no excuse, it just would force us to fight harder, that's it.

Erik JOSEFSSON (14:02-14:29)

When you have a rejection amendment, and a, as it is called, a roll-call vote, that every MEP will be identified as whether it is a clear yes or a clear no, I think this is the only message that we can hope that will penetrate this extremely complex voting procedures to the public, that there is one chance to say "yes" or "no" to this directive.

Alexander ALVARO (14:29-end)

I think it's maybe better to make it easier for people to have a roll-call vote on the Council's proposal on this vote on block. I think if one has different approaches, I don't think it's a problem. And anyway, I am sure that there will be certainly roll-call votes called for. But, in any case, on the procedure, because Zepp also asked this [interference] okay, it was about the procedure, where is it going, und so weiter.

Tenth track (15 minutes)

Source : http://media.ffii.org/DataRetentionGreenConf20051207/DataRetentionGreenEFA20051207Track010.ogg Alexander ALVARO (start - 5:09) Joaquin BAYO DELGADO (5:13 6:14) Monika FRASSONI (6:15 - end)

Alexander ALVARO (start - 5:09)

I mean, I am just a member of this parliament since June this year. I don't, just by feeling, without having the experience, I've the feeling it is going very wrong on a legislative procedure. Very wrong, even if you consider things like better regulation and whatever. You got two guys from two big groups muttering (?) around saying "Okay, this is what we want. Okay, let us make a deal on it and push our groups to go for that." Maybe that's the way this is done in politics, but I would not be sitting here if I think that the ways which they're done are always the right ways. So it's time to change things. But okay, as I said, it's difficult, and you will have to finding ? confidence of presidency as why are you doing this and whatever is going on, but it is not a normal procedure I believe, on this point. I mean, we had a proposal in the committee, which went through, I know, industry didn't really like it, but it was also saying [correction: law enforcement didn't really like it] "you will have to log who had access to the data". Because we want to know in a case of abuse who had access to data of police authorities, and this is not harressing them. I think it's a normal procedure to see who logged on (?). But as far as I know as in the directive which is now proposed or in the amendments, it's not explicitly in, there's a reference to national law, and some national laws have it and some don't - I don't know, actually I don't 25 national laws. And this is Lichtenberger concerning the data: we don't know if it's an HTTP protocol, an FTPS protocol, an HTTPS protocol, if it's proxy, whatever...we don't know. Because Council never discussed internet: they never, ever, discussed the technical aspects in a working group. Maybe bilaterally, maybe some did, but they never had it as intense as telephony.
remarks "But that's absurd!" Of course it's absurd! I mean, that is why, I mean, we agreed to say "okay, you want a fast track procedure? We are gonna even do a super fast track! We are gonna work really really quick and very very committed to this to find a compromise." But - and this is what I do not understand - why, President, if they see that there is still necessity of clarification, why we don't take the time? I mean we survived for years without this tool. Member states who wanted it, implemented it, member states who didn't want it, didn't implement it. There was never an absolute need for European legislation on this one. There was always the wish, since 2002 when the discussions were on Art. 15.1 (?). But, where would be the problem just to take 3 months, 4 months, a second reading, maybe even a third reading, just to clarify certain points, because, I mean, it's also a bad credibility of being politician is like "what laws do you make?". I mean, I don't want to be responsible for law which is contested in about every court and every member state because we did it wrong, we forgot a lot of things, we didn't think about enough of things, and so on. And you have to take your time, I mean good law making is also about taking your time and doing it good. If it's easy, if it's very very... no problem, okay then you can do it fast. But at the moment there are quite difficult questions. There is no impact assessment on what technical impact will this have. How much will this affect IP industry in general? We don't know. How much will it affect the interior market? We don't know. How much influence will it have on labour markets? We don't know. What will it cost to SME's? We don't know. Because we didn't have the time to do it. And this is in fact what I have as the biggest problem concerning the way we are doing it. And even on technical level, we are receiving for everybody's interests and stuff like that. We are receiving IPv6 e.g.. This, what is being proposed, has no idea what technically is coming at all. And there is also ridiculous stuff, as it has been said. Okay, I agree on a certain point on which EDRI is talking about, like e-mail. 80% is spam. Yes, we are collecting trash. I'm throwing trash away at home. If I would collect all the stuff from the dust bin: even if 20% would have real interesting information, the other 80% would just flood my house. And for example that one: on internet telephony, we got no idea how to manage it technically. Because, the problem is: for example, whatever system, if it is via computer to another computer, we cannot even identify this telephony, because it's just by certain IP's. We only know it's telephony if it leaves the computer network. And so on, and so on and so on. And this is what worries me. But, member states will receive what they want, and people have elected them, so they have a chance to change it sometime. But it is definately a problem and just to inform you that we'll have fundings you too (???) because there is a regulation on the payment procedure of transfer of funds, which is in fact data retention for the financial services. Just to make aware that this will go on.... not with telco's and ISP's, but anyway. Sorry for extending it so much. As I see, there are right now a little bit more questions and answers.

Joaquin BAYO DELGADO (5:13 6:14)

Yes, let me say, of course I am not naive and I know the differences that not only technically, but also from a political perspective, the difference between the possibilities to regulate things in a framework decision or in a directive: it's different. But as to the points that we were talking about: logging, the access to those databases, and also as to the quality of the data that we have to story by private parties - as the companies are - we can imagine and we should work on that direction if necessary, that those issues are introduced in the future framework decision. That's something that we have to bear in mind and we have to work in that direction. That's the only solution as I can see it.

Monika FRASSONI (6:15 - end)

Okay, thank you very much for this meeting. I think this was quite lightening, even if, as far as I am concerned, I only came to the last part: I know what to do tomorrow in the conference of presidents and I think that we will have the chance of discussing prehaps on some lobby that we can still do till the votes and I think that we can ask some difficult questions to our colleagues in the other groups. Thank you so much for coming and for being so clear and let's see what happens next week. Thank you so much.

Last track: <name of speaker>

Source : http://media.ffii.org/DataRetentionGreenConf20051207/DataRetentionGreenEFA20051207Track011.ogg
- This one is empty.