Recent terrorist attacks have accelerated the debate on security versus citizens’ privacy rights, in particular as regards the retention of telephone and electronic data. Following the recently renewed proposal of the UK government urging the approval of EU rules on data retention in telecom and internet sectors, European institutions are evaluating whether and how to impose Europe-wide antiterrorism measures. The purpose of the envisaged EU legislation would be the guarantee of more data retention for phone calls (up to 3 years) as well as the introduction of an obligation to retain internet data.
The adoption of such measures would require serious investment for Internet Service Providers (ISP) and for telecoms operators. This is the main objection to the envisaged legislation: it has been estimated that this project will cost large ISPs and telecoms operators up to €180 million each to set up the system and €50 million per year each to run it (so jeopardising the business of small operators).
There is also no evidence that such data would be readily usable; articles suggest that research on such a huge amount of data (using existing technologies, without additional investment) would take from 50 to 100 years.
Last, but not least, such proposals meet opposition from privacy groups. The doubts raised by the privacy supporters are: will the storage of such data be secure? Will improper and unlawful use of the data be prevented?
Without waiting for the EU guidelines, the Italian government recently passed urgent domestic legislation (Law decree 27 July 2005, no. 144 converted in Law 31 July 2005, no. 155) to counteract international terrorism. The aim was to strengthen legislation already in force and to allow for more effective means of investigation.
Electronic data retention in Italy: how has it changed?
For internet operators there is a new obligation to retain - from now on - all data concerning electronic communications in order to guarantee full traceability of email use and internet access, e.g. internet access logs, sender and receiver of e-mails or telephone calls and their location, but not content. The content of communications are excluded from this rule and cannot be recorded unless in compliance with interception legislation (also under revision).
Such data must be retained – under normal conditions – for 6 months and be available to criminal authorities for investigation. The retention period is increased to 12 months, i.e. an additional period of 6 months, in the case of investigation of serious crimes, e.g. terrorism, mafia, homicide, computer crime.
b) Telecoms Operators
According to the Italian legislation already in force (Italian Data Protection Code) telecoms operators are required to retain telecom traffic data for police investigation purposes for a period of up to 24 months. The new antiterrorist legislation has now imposed an additional obligation on telecoms operators: the retention of data concerning unanswered phone calls. Again, the content of communications is excluded and cannot be recorded unless in compliance with interception legislation.
c) Urgent measures
The above rules will apply only from 1 January 2008.
But in fact, until 31 December 2007 (!), both internet and telecoms operators are forbidden to delete any data concerning electronic communications (including phone communications) and must retain such data for investigations carried out by the competent authorities: rules providing for the deletion of data during that period are suspended.
d) Additional measures
New practical rules have been set forth also in the case of:
Pre-paid phone cards (SIM): copy of the buyer’s ID, as well as the registration of the data contained in the ID card must be obtained and retained by the seller before the activation of the SIM card, or at the time the SIM card is made available to the buyer;
Internet points and public access hot spots: owners (or directors) of commercial concerns or private clubs where terminals are available to the public, to clients, or to their members, must obtain prior authorisation of the police and comply with new strict measures on users’ identification, on monitoring of the users’ activities, and on data retention.
As a result, at least from a theoretical point of view, today each phone/internet user – as well as his/her phone or internet activity (via cable or wi-fi) – should be easily identifiable and traceable.
Needless to say, even though new rules may threaten the freedom of people and weaken their data protection, the obligations to lawfully process data and to prevent unauthorised access to that data are still in force.