Comms traffic snooping breaks EU laws

The Home Office wants internet service providers (ISPs) and telcos to store customers' communications traffic data on a voluntary basis, but by doing this companies could be breaking the law.

The UK has already tried to get telecoms traffic data retained for up to two years under the European Union Communications Data Protection Directive, but has met with stiff opposition from other countries.

This data would include lists of websites visited, records of email recipients, lists of telephone numbers dialled and the geographical location of mobile phones.

But after a meeting in Cardiff earlier this month, data protection commissioners from various European countries backtracked on mandatory measures, and blocked the UK proposals.

The commissioners explained that they had "grave doubt as to the legitimacy and legality" of the measures, and said that the costs of such mandatory legislation would place too much of a burden on telcos and ISPs.

The Home Office now wants to circumvent the EU and bring in data retention laws under the UK Anti-Terrorism, Crime and Security Act 2001, but using a voluntary code of practice to which it wants ISPs and telcos to adhere.

But because it is not statutory, companies could find themselves breaking other European laws.

Dave Clancy, strategic policy officer at the Office of the Information Commissioner, said: "This is a potential breach of human rights.

"The argument that the data needs to be retained simply on the basis that it may be required is not a legitimate reason."

The EU has indicated that, if traffic data is to be retained in specific cases, the practice must be clearly regulated by law.

A demonstrable need to retain data has also to be shown and the period of retention must be as short as possible.

Any systematic retention of all kinds of traffic data for a period of one year or more, which is what the UK is asking for, would be clearly disproportionate and therefore unacceptable in any case, even under a legal framework.

Clancy added that the commissioners were also concerned about how the data would be used.

"If the country that suffered the most after 11 September [the US] does not have data retention, why do we have to? Who is going to have access to this data?" he asked.