EU Data Retention Directive provokes widespread condemnation

Privacy groups and legal experts have voiced serious concerns about the EU Data Retention Directive

UK internet service providers will have to all store communication information from customers for a full year starting on 15 March, as part of the controversial EU Data Retention Directive (PDF).

Under the directive, details of every email, phone call and text message sent or received, including information such as IP address and time of use, will have to be recorded.

Police and security experts will be able to request access to the information to help combat terrorism and cyber crime, but only with a court order. Nonetheless, the move has sparked serious concerns from privacy groups, IT security firms and legal experts.

Susan Hall, an ICT and media partner at law firm Cobbetts LLP, maintained that such a database is "the antithesis of what the whole internet is about".

"There have been regular and well known cases when the police criminals' record database has illegally been accessed by 'insiders', using it to vet employees and do favours for friends," she said.

The directive has provoked criticism from EU member states over the cost of the operation, which is estimated at £46m over an eight-year period, as well as fears of privacy violation.

"Given the numerous data breaches of late, it is hardly surprising that concern has been raised over these proposals," said Jamie Cowper, director of EMEA marketing at security firm PGP Corporation.

"With public confidence about data security at an all time low, it is absolutely essential that ISPs take their obligations seriously. If privacy violation is to be avoided, and the huge cost of this operation is to be justified, the security of the public's data must be watertight.

"If the EU plans to roll out similar legislation to other sectors, they are going to have to demonstrate to the public that every step is being taken to defend their data. If not, it is fair to say that we are just one data breach away from a major public backlash."

Hall went on to ask: "The government is trying to impose liabilities on service providers, and for what? The theoretical possibility that it will stop terrorists?

"People applying for access to the database will, on the basis of what we've already seen happen with the Regulation of Investigatory Powers Act, use a slippery slope argument: first arguing for using the information for sex offenders and other serious criminals, but ultimately using it to worry about parking tickets or whether children are entitled to be enrolled in the school they've applied to, as in the recent Poole Council case."

Hall also believes that these measures will have little discernable impact on the fight against terrorism, as the criminals involved will just find ways of bypassing the checks by using other people's unsecured Wi-Fi connections, hotspots or pay-as-you-go 3G modems.

"It is also very interesting to note that the European Court of Human Rights ruled in January that a similarly sweeping DNA database, which contained genetic samples from thousands of citizens who had not been convicted of any crime, violated privacy rights," she said.

"Looking at the comments made in this recent case, the ISP database will run the UK government foul of the European Convention on Human Rights, and on this basis alone should be reconsidered. "

Thus far, ISPs that have attempted to stop these laws being implemented, such as in Ireland and Slovakia, have been unsuccessful.

With the deadline looming, a spokesman for the Internet Service Providers' Association claimed that most firms are prepared for the directive's implementation.

"We have made our members aware of what is required and, as far as we know, they will all be compliant," he said.