ABSTRACT

The images of the 9/11 terrorist attacks put “security” back on the political agenda with both a vengeance and a new accentuation. At the end of 2001 there was no doubt among the public or in political circles that 9/11 would trigger immediate legislative action. Legislative activism, expressed through regulations like the US Patriot Act or the European Union Data Retention Directive, was fuelled by the assumption that-despite the existence of information which might have thwarted the terrorists-the intelligence and law-enforcement agencies were unable to “connect the dots” to prevent the attacks (Taipale, 2004/ 2005). Added to this assumption was the widely shared belief that the existing legal framework contained considerable security deficiencies (Lepsius, 2004). In the wake of a series of attacks in North America and Europe, security

officials reintroduced proposals that had previously had “no chance to be accepted” (Hoffman-Riem, 2002: 498) or had been rejected on the grounds that they encroached too far upon civil rights and liberties (Levi and Wall, 2004). Threats were seen as arising from a qualitatively new and intangible terror network, which changed the geometry of freedom and security. Consequently, as Lepsius (2004) notes, “Whether a need for legislative regulation existed was never in doubt; the question of the ‘if’ had been answered by the evidence and needed no justification” (Lepsius, 2004:438). This perception reflects a disregard for fundamental civil rights and liberties, which characterizes many of the new, security-oriented, legislative initiatives. The attacks in New York, Madrid, and London facilitated and accelerated

the move towards policing focused on collecting intelligence (Institute for Prospective Technological Studies 2003). Access to communications content is a common way of gathering information for criminal investigations and security purposes. However, in the emerging “information society” more

relationships and social interactions occur via electronic communications networks. It is not only the content of such information that is useful to the police and the security agencies; data on the use of communications systems are a valuable resource in preventing, investigating, detecting, and prosecuting threats and crimes. Communications data are used to trace and locate the source and route of information as well as to collect and secure evidence: “allowing investigators for example to establish links between suspected conspirators (itemized bill) or to ascertain the whereabouts of a given person at a given time, thereby confirming or disproving an alibi” (UK Home Office, 2002). In Europe, the debate over the retention of communication data did not

originate in recent terrorist attacks. Data-protection legislation now requires communication providers to erase traffic data, which includes information on source and recipient of the communication together with information on time, date, duration, location of devices, as soon as it is no longer needed for billing purposes. For several years, law-enforcement agencies in various European countries have urged governments to adopt retention requirements. As a compromise solution, the EU e-Privacy Directive (2002) provided that member states were allowed to adopt legislative measures to retain data for a limited period, if these are necessary to safeguard national security, defence, and public security, and prevent, investigate, detect and prosecute criminal offences, and so on. (Art. 15 § 1). The call for harmonized data-retention legislation arose as a result of the

Madrid train bombings in March 2004. Four years later, the permissive language of the e-Privacy Directive has been transformed into an obligation imposed on EU member states. Service and network providers situated in European Union member states are or will be legally mandated to indiscriminately retain all communication data of all subscribers. The Directive applies to electronic communication services offered via the internet, but it does not apply to the content of the communications. Data is to be retained for a period of six months to two years (depending on the member state) for the purpose of the potential investigation, detection, and prosecution of serious crime, and made available to the designated authorities, in the cases provided by domestic law. The “prevention” of crime was ultimately excluded from the scope of the Directive as a result of a privacy-enhancing approach adopted by the European Parliament and the critical voices of European dataprotection commissioners who opposed the wide ambit inherent in a “preventive” approach. National legislators have to specify the procedures to be followed and the conditions to be fulfilled in order to gain access to retained data “in accordance with necessity and proportionality requirements” (Art. 4 of Data Retention Directive). This regulatory development still raises significant concerns about the

respect for privacy and other fundamental rights and freedoms. To date, European critics have focused on the disproportionality of the adopted measures, in particular their impingement on existing rights and liberties of the

overwhelming majority of the population. This chapter, by focusing on the 2006 EUDataRetentionDirective, addresses the question of data retention as amethod of mass communications surveillance. It suggests that generalized and indiscriminate data retention reflects a shift from a constitutional state guarding against the threat of specific risks in concrete situations toward a security-oriented preventive, or even pre-emptive, state, which acts or is expected to act proactively. Retention of communications data is discussed as a security measure, one

which interferes with the right to privacy, freedom of communication, and freedom of expression. Privacy, in our approach, is not merely a residuum or a right “possessed” by individuals, but is a condition for making autonomous decisions, freely communicating with other persons, and participating in a democratic society, all of which are jeopardized by data-retention practices. There is a serious concern that data-retention policies may endanger open communication and affect democratic participation with further and considerable impacts on democracy.