George Newstrom
Chairman
September 15, 2004
DRAFT
Hon. Fabio Colasanti
Director-General for Information Society
Directorate B.1: Communication services
Email: [email protected]
Hon. Jonathan Faull
Director-General for Justice and Home Affairs
Directorate D.2: Internal Security and Criminal Justice
Email: [email protected]
European Commission
B-1049 Bruxelles / Europese Commissie - Belgium
Dear Messrs Colasanti and Faull:
In response to the 30 July 2004 Consultation Document on Traffic Data Retention (the
“Consultation”) from the Directorates-General for Information Society and Justice and
Home Affairs, WITSA is pleased to submit these comments for your consideration. The
comments are preliminary by necessity, given that the relatively short timeframe between
the release of your request on July 30 and September 15 did not allow time for full
consultation among our members. However, we expect that this is the beginning of a
longer and more in-depth dialogue on the subject. WITSA will provide additional
comments once our consultation is completed.
The World Information Technology and Services Alliance (WITSA) is a consortium of 60
information technology (IT) industry associations from economies around the world. As
the global voice of the IT industry, WITSA is dedicated to advocating policies that advance
the industry's growth and development; facilitating international trade and investment in IT
products and services; strengthening WITSA's national industry associations through the
sharing of knowledge, experience, and critical information; providing members with a vast
network of contacts in nearly every geographic region of the world; and hosting the
World Information Technology and Services Alliance
1401 Wilson Blvd., Suite 1100, Arlington, VA 22209-2318, USA – Phone: +1 703 522 5055 Fax: +1 703 525 2279
biennial World Congress on Information Technology, the premier industry sponsored
global IT policy event, and the Global Public Policy Summit. Founded in 1978 and
originally known as the World Computing Services Industry Association, WITSA has
increasingly assumed an active advocacy role in international public policy issues affecting
the creation of a robust global information infrastructure. For additional information about
WITSA and its activities, go to http://www.witsa.org.
Being unable to fully consult our membership, our comments are based on past policy and
Statements of the organization. There are two relevant documents.
In August of 1998, WITSA issued a Statement on Government and Law Enforcement
Access to Transmitted Information in the Digital Environment. That Statement contained a
number of Principles applicable to the proposed Framework Directive which should serve
to guide Commission action on the issue:
1. Legal access by any jurisdiction shall only be to information actually stored in
that jurisdiction at the time of proper judicial notification.
2. A business shall have no obligation to maintain the means to provide the clear
text of transmitted information, including e-mail, unless the information is
stored on the business’s facilities in a non-transitory manner at the time the
information is properly requested and during the period of the proper legal
request, and is accessible in clear text by the business.
3. Legal access requests should be specific, and limited in scope and duration.
4. In order to protect personal privacy, all personal information that is accessed for
any reason must be protected by the accessing agency.
In May of 2002, WITSA issued a Statement on Information Security. That document also
included some applicable Principles:
1. The Internet and electronic commerce are inherently global in nature; therefore,
information security will require collaboration among international bodies and a
ecognition by government of the challenges faced by industry in these areas.
2. Industry and government share an interest in the proliferation of a free and open
Internet, electronic commerce, and other value-added networks, and an
efficient, effective information infrastructure generally.
3. Positive interaction between government and industry is essential. Among
issues that will require on-going communication and assessment is the need to
balance an individual’s right to privacy with national security concerns.
In conjunction with the last Principle above, WITSA appreciates the outreach associated
with this Consultation and the questions raised. The following sections respond to the
questions asked in the context of the Principles stated above.
World Information Technology and Services Alliance
1401 Wilson Blvd., Suite 1100, Arlington, VA 22209-2318, USA – Phone: +1 703 522 5055 Fax: +1 703 525 2279

What are the financial implications and technical feasibility of
specific data retention requirements, and what do LEAs already
request?
Requirements to keep records for 12 months and greater durations, in the view of WITSA,
are not consistent with our Principle that requests be limited in duration. In addition, such
requirements would appear to violate Article 15(1) of the Directive on Privacy in
Electronic Communications (2002/58/EC and the “2002 Directive”) and Article 8 of the
European Convention of Human Rights. Proposed retention requirements of such a
duration neither “constitute an appropriate and proportionate measure within a democratic
society,” nor are they “necessary to safeguard” the national and public security-related
interests articulated in the 2002 Directive.
The amount of data being requested to be retained also conflicts with the Principle that the
information requested be limited in scope, leading to very high storage costs. More
significantly, however, may be the costs of retrieval and presentation. Not only must
massive files be searched for relevant information, but often that information would need
to be re-formatted for the requesting agency. The latter requirement conflicts with the
WITSA Principle that information be provided in the form in which it is stored.

Is a common traffic data retention regime at EU level for law
enforcement purposes needed?
A common data retention regime at the EU level is definitely a need. As indicated by the
first Principle of the May 2002 WITSA Statement, the issue is global in nature, and
international collaboration is required. Not only should legislation at the EU level seek to
harmonize on the retention rules among the 25 Member States, but it should also
harmonize on applicable privacy rules. The latter would be in agreement with the WITSA
Principal to protect personal privacy. The starting point for any legislation on retention for
investigatory measures is the need for a harmonized approach to prevent a patchwork of
laws that will balkanize global communications networks. Lack of harmonization is
already an increasing problem in the EU. Existing EU law delegates authority regarding
scope and duration of data retained to the Member States. Conflicting definitions of traffic
data (and relevant services) are evidenced not only between Directives, but also among
very different definitions at the Member State level.

What types of data should be retained, and what time period should
apply?
Any proposal should define traffic data such that it both reflects the current global state of
communications networks and services and is flexible enough to assimilate the next
generation of services. This is consistent with the WITSA Principle that requests be limited
in scope. Current EU and Member State legislation generally use the concept of “traffic
data” without adding clarity to which data are precisely covered by the term. Among
emerging national rules, the “traffic data” definition typically includes information that is
personally identifiable to a party engaging in electronic communications − whether voice,
data or other value-added services − on a dynamic network. One caution, however, is that
World Information Technology and Services Alliance
1401 Wilson Blvd., Suite 1100, Arlington, VA 22209-2318, USA – Phone: +1 703 522 5055 Fax: +1 703 525 2279
the distinction between content and signalling or billing data in the modern network
environment is increasingly blurred.
Any duration requirement should be appropriately addressed with industry to determine
whether it is “proportionate” given the limited retention of current industry practice. A
maximum requirement would likely be 6 months. Further, data “preservation” – the
retention of data for a specific case and for a finite period, as practiced in several Member
States – should remain the preferred method for investigative cooperation, and Member
States should be permitted to favor preservation over retention. A process of drafting and
deliberation would ensure an EU framework that is not only consistent with existing laws
and related privacy requirements, but also, defines a duration that has been justified by
“demonstrable need,” “proportionality” and industry practice.
WITSA is concerned that the costs and technical difficulties associated with the retention
and subsequent access to data mandated by the draft Framework Decision and similar
proposals will damage user confidences. Mandatory data retention remains one of the key
business-affecting issues faced by our Members in Europe.
Please feel free to contact me or our Public Policy Chairman David Olive at
[email protected] should you wish to discuss this matter further.
Sincerely,
Allen Z. Miller
Executive Director
World Information Technology and Services Alliance
1401 Wilson Blvd., Suite 1100, Arlington, VA 22209-2318, USA – Phone: +1 703 522 5055 Fax: +1 703 525 2279