Tuesday, April 08, 2014

Categories of data which were required to be retained under the data retention directive

The data retention directive, DIRECTIVE 2006/24/EC, thanks to the efforts of a small number of digital rights activists in Ireland and a slightly larger group from Austria has been declared unlawful - a serious and unjustified interference with the fundamental right to privacy enshrined in Article 7 of the EU Charter of Fundamental Rights - by the European Court of Justice today.

I'm hoping to blog about the decision soon but it is worth pointing out the categories of data that this directive required service providers to retain and facilitate crime fighting authorities access to. They are specified exhaustively in article 5 of the directive:
Article 5
Categories of data to be retained
1. Member States shall ensure that the following categories of
data are retained under this Directive:
(a) data necessary to trace and identify the source of a
communication:
(1) concerning fixed network telephony and mobile
telephony:
(i) the calling telephone number;
(ii) the name and address of the subscriber or registered
user;
(2) concerning Internet access, Internet e-mail and Internet
telephony:
(i) the user ID(s) allocated;
(ii) the user ID and telephone number allocated to any
communication entering the public telephone
network;
(iii) the name and address of the subscriber or registered
user to whom an Internet Protocol (IP) address, user
ID or telephone number was allocated at the time of
the communication;
(b) data necessary to identify the destination of a
communication:
(1) concerning fixed network telephony and mobile
telephony:
(i) the number(s) dialled (the telephone number(s)
called), and, in cases involving supplementary services
such as call forwarding or call transfer, the
number or numbers to which the call is routed;
(ii) the name(s) and address(es) of the subscriber(s) or
registered user(s);
13.4.2006 EN Official Journal of the European Union L 105/57
(2) concerning Internet e-mail and Internet telephony:
(i) the user ID or telephone number of the intended
recipient(s) of an Internet telephony call;
(ii) the name(s) and address(es) of the subscriber(s) or
registered user(s) and user ID of the intended recipient
of the communication;
(c) data necessary to identify the date, time and duration of a
communication:
(1) concerning fixed network telephony and mobile telephony,
the date and time of the start and end of the
communication;
(2) concerning Internet access, Internet e-mail and Internet
telephony:
(i) the date and time of the log-in and log-off of the
Internet access service, based on a certain time zone,
together with the IP address, whether dynamic or
static, allocated by the Internet access service provider
to a communication, and the user ID of the
subscriber or registered user;
(ii) the date and time of the log-in and log-off of the
Internet e-mail service or Internet telephony service,
based on a certain time zone;
(d) data necessary to identify the type of communication:
(1) concerning fixed network telephony and mobile telephony:
the telephone service used;
(2) concerning Internet e-mail and Internet telephony: the
Internet service used;
(e) data necessary to identify users’ communication equipment
or what purports to be their equipment:
(1) concerning fixed network telephony, the calling
and called telephone numbers;
(2) concerning mobile telephony:
(i) the calling and called telephone numbers;
(ii) the International Mobile Subscriber Identity (IMSI)
of the calling party;
(iii) the International Mobile Equipment Identity (IMEI)
of the calling party;
(iv) the IMSI of the called party;
(v) the IMEI of the called party;
(vi) in the case of pre-paid anonymous services, the date
and time of the initial activation of the service and
the location label (Cell ID) from which the service
was activated;
(3) concerning Internet access, Internet e-mail and Internet
telephony:
(i) the calling telephone number for dial-up access;
(ii) the digital subscriber line (DSL) or other end point
of the originator of the communication;
(f) data necessary to identify the location of mobile communication
equipment:
(1) the location label (Cell ID) at the start of the
communication;
(2) data identifying the geographic location of cells by reference
to their location labels (Cell ID) during the period
for which communications data are retained.
2. No data revealing the content of the communication may be
retained pursuant to this Directive.
Blanket retention of this data is theoretically now invalid in the EU but it remains astonishing that it was ever lawful in the first place. Seriously. Take a look at that list of metadata and think about what it can tell you about an individual.

No comments: