is the data retention directive a proportionate measu - Springer Link

Eur J Law Econ (2012) 33:447–472 DOI 10.1007/s10657-011-9245-8

The economic costs and consequences of mass communications data retention: is the data retention directive a proportionate measure? Marie-Helen Maras

Published online: 12 April 2011  Springer Science+Business Media, LLC 2011

Abstract This article seeks to determine the economic costs and consequences of implementing the Data Retention Directive (Directive 2006/24/EC), an extraordinary counter terrorism measure that mandates the a priori retention of communications data on every European citizen, by drawing on the insights of economic analysis. It also explores the monetary costs of the Directive on subscribers and communications service providers of Member States within the EU. Furthermore, it examines the implications of the Directive on the economic sector of the European Union, by focusing on the Directive’s impact on EU competitiveness and other EU policies such as the Lisbon Strategy. This analysis is motivated by the following questions: what are the monetary costs of creating and maintaining the proposed database for data retention? What are the effects of these measures on individuals? What obstacles arise for the global competitiveness of EU telecommunications and electronic communications service providers as a result of these measures? Are other policies in the European Union affected by this measure? If so, which ones? Keywords Data retention
Counter terrorism
Cost-benefit analysis
Impact assessment
Proportionality
Competition
Internal market JEL Classification

K2
K42

It is the EU’s goal ‘to become the most competitive and dynamic knowledge-based economy in the world, capable of sustainable economic growth with more and better jobs and greater social cohesion’. M.-H. Maras (&) State University of New York, New York, NY, USA e-mail: [email protected]

123

448

Eur J Law Econ (2012) 33:447–472

1 Introduction One of the most important and most controversial measures proposed by the EU and its Member States in order to facilitate the tracking and prosecution of terrorists and to improve the coordination of availability of information and cooperation between those involved in fighting terrorism was the retention of communications data (i.e. data retention). Indeed, top on the list of the European Union’s counter terrorism plan was mandatory data retention. Both the Declaration on Combating Terrorism and the Declaration on the EU Response to the London Bombings called for the expedient creation and implementation of measures on data retention as part of their plan to combat terrorism in the EU (European Council 2004; Council of the European Union 2005). As a result, the Data Retention Directive (Directive 2006/24/EC),1 an unprecedented counter terrorism measure that requires the retention of data on all European citizens regardless of their links with serious crime (such as, terrorism and organised crime), was adopted. Counter terrorism measures are burdensome and costly. A question rarely asked by policy-makers in this field is whether counter terrorism spending is proportionate to the threat of terrorism. In Pfizer Animal Health SA v. Council of the European Union (Pfizer),2 the European Court of First Instance considered cost-benefit analysis as a particular expression of proportionality. Within the framework of a cost-benefit analysis, the European Court of First Instance considers a measure to be disproportionate if the disadvantages caused by the contested regulation are greater by comparison with the advantages which would otherwise result if no action were taken.3 This economic framework can provide a means for evaluating the impact of a counter terrorism measure, the Data Retention Directive, on the industry and consumers. Accordingly, it is used in this article to determine the economic costs and consequences of data retention. The economic costs and consequences of data retention are limited to those elements which are exclusively the outcome of the implementation of the Directive; that is, those that would not have occurred had the measure not been implemented. This article examines the methods used to determine the costs and consequences of the Directive, the direct monetary and non-monetary costs of data retention, and the measure’s indirect economic consequences. Finally, the disadvantages caused by the Directive are explored to determine if they are disproportionate by comparison with the advantages which would ensue if no action were taken.

1

Directive (2006/24/EC) of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive (2002/58/EC) [2006] OJ L105/54.

2

Case T-13/99 Pfizer Animal Health SA v. Council of the European Union [2002] ECR II-3305.

3

Ibid., para. 413.

123

Eur J Law Econ (2012) 33:447–472

449

2 Impact assessments: the costs and benefits of policies Economic analysis has considerable insights to offer to inform the development of counter terrorism measures. According to Becker (1968), criminals are rational agents whose behaviour is best understood as an optimal response to incentives set by the government through expenditures on law enforcement (Dilulio 1996: 3). Becker sought to demonstrate how different legislation aimed at combating illegal behaviour could serve as part of an optimal allocation of a government’s funds (or economic resources). He reasoned that ‘since economies have been developed to handle resource allocation, an economic framework becomes applicable to, and helps enrich, the analysis of illegal behaviour’ (Becker 1968: 170). Such an economic framework includes methods such as cost-benefit analysis (which is used to evaluate public policies) so that resources are best allocated to protect life, civil liberties, and property (Mitchell 2005: 220). The aim of cost-benefit analysis is to ensure that the EU efficiently allocates its economic resources. Governments allocate their economic resources to meet security needs and to combat terrorism. They not only decide on the level of funds devoted to fighting terrorism, they also must make allocation decisions between, for example, human intelligence and electronic surveillance (Ibid.). Counter terrorism expenditures ‘should be used in accordance with the principles of sound financial management, which includes aiming for the best relationship between resources employed and results achieved’ (Commission 2005b: 26). A fundamental assumption underlying cost-benefit analysis is that governments have scarce economic resources that need to be allocated to competing activities. If more money is invested in data retention this means that less will be available for other initiatives because of the finite number of resources available for competing projects. This is true for both telecommunications and electronic communications service providers and governments (wherever national data retention laws require service providers to be reimbursed for data retention costs). If governments in the EU invest more money in data retention, fewer funds will be available for other measures in the EU counter terrorism action plan. Money invested in data retention may divert funds from other projects (resources for technological development and innovation), if service providers are not compensated by their governments for complying with data retention requirements, which requires storing data beyond business needs for law enforcement purposes. What needs to be determined is whether data retention represents a more efficient allocation of resources (on a costbenefit basis) than if such resources were put to alternative use. Since there are an infinite number of risks and only a limited number of resources to spend on counter terrorism, priority should be given to those which provide the highest expected benefit at a low cost. As MEP Kathalijne Maria Buitenweg stated during the European Parliamentary debate on data retention, ‘money…can be spent only once. Funds are currently being channelled into large-scale surveillance… instead of…specific investigations’ (European Parliament 2005b). To her, this was a wrong allocation of resources. Given that data retention is a form of large-scale surveillance, the pressing question is whether this is also true of the Data Retention Directive.

123

450

Eur J Law Econ (2012) 33:447–472

Precautionary logic drives counter terrorism policies. Where there are threats or potential threats of irreversible grave harm, lack of full certainty should not be used as a reason for rejecting or postponing the implementation of measures. Cost-benefit analysis is required in order to ensure that a form of worst-case thinking is not at work when developing and implementing precautionary measures in response to terrorism. The threat of terrorism ‘so panics those who are confronted with it that they respond immediately to avert it, without consideration of whether even more fearful consequences will accrue thereby’ (Waldron 2004: 15). The accelerated passage of the Data Retention Directive4 allowed little time to measure either the need or its impact, including whether any other less intrusive policies might have achieved this measure’s objectives. During the European Parliament debate on data retention, MEP Kathalijne Maria Buitenweg claimed that although members of Parliament have stressed the need for better lawmaking, the data retention proposal was passed even though its impact (for example, financial) had not been worked out (European Parliament 2005b). Such worst-case thinking, however, exacts a high economic price from society (Furedi 2007: 173). As of 2003, the European Commission was required to conduct impact assessments on all major policy initiatives of the EU, including the Directive (Commission 2002a: 2). Impact assessments examine ‘whether the impact of major policy proposals is sustainable and conform to the principles of [b]etter [r]egulation’ (or better law-making) (Ibid.: 3). As the European Commission (2006: 7) argued, ‘an important part of making better laws is having a full picture of their economic, social and environmental impacts, including the international context’. In the interest of ‘better regulation’, the clear objective of the use of impact assessments is to make Commission officials think about the potential costs and consequences of proposed measures and to improve the quality of their proposals. Impact assessments determine, among other things, the main policy options available to achieve the objectives of the proposal and the impacts, both positive and negative, expected from the different options identified (Commission 2002a: Annex 2). The impact assessment breaks down the economic and social impacts of the proposal on data retention into costs and consequences ‘described in qualitative, quantitative and monetary terms as appropriate’ (Commission 2005a: 40). An extended impact assessment, which provides a more in-depth analysis of the potential impacts of proposals on the economy and on society, was conducted on the European Commission’s proposal for a directive on data retention.5 The impact assessment conducted on the proposal for this measure used cost-benefit analysis to determine, among other things, the cost of implementing data retention compared to the cost and consequences if no action were taken. As a result of significant changes made to this proposal, the final version of the Data Retention Directive is no longer reflective of the initial impact assessment. Changes of particular importance include the removal of the cost-reimbursement principle and the extension of the retention

4

The speed with which the Directive was passed is explored elsewhere (Maras, forthcoming-b).

5

Hereafter impact assessment. The European Commission’s proposal was the first proposal on a directive for data retention.

123

Eur J Law Econ (2012) 33:447–472

451

period from 1 year maximum in the proposal to 2 years maximum in the final version. As a consequence of the changes made, the Commission was required to conduct another impact assessment. According to an EU resolution, the Commission must produce an updated impact assessment after the Council has reached a common position after the first reading, if subsequent amendments made by the European Parliament or Council significantly altered the scope of the measure (see European Union Preparatory Acts 1997). The proposal on data retention was passed after the first reading and the European Commission refused to conduct another impact assessment despite several requests. The changes made to the Directive after the first reading, however, significantly altered the impact of this measure. For that reason, another impact assessment should have been conducted. A comprehensive evaluation of the Directive requires an examination of all the consequences of this measure. In the assessment of measures such as the Data Retention Directive, decision-makers weigh the high cost burden for the industry as well as the far-reaching economic, social, and political consequences of the proposed measure. This article explores the economic costs and consequences of the Data Retention Directive.6

3 Direct economic costs of retention Most policy analysis involves at least one economic criterion. The most common economic criteria are financial costs. The economic criteria in impact assessments consist of direct costs (directly attributed to the measure) and indirect costs (additional impacts not included in the measure’s goals). Here, the direct costs of this measure are not considered to be those that result from the current threat of terrorism, but those costs attributed to implementing the Data Retention Directive. The indirect costs of data retention will be analyzed in the next section. The direct costs of complying with the Directive were documented in its impact assessment. These were the capital costs (installation of storage and retrieval capabilities) and labour costs (the operation of retrieval systems to convey communication data to competent national authorities) (Commission 2007b: 6). More specifically, for data retention, direct costs include the costs of storage and support infrastructures, system technology for the processing and storage of data, changes in design of systems, more powerful and sophisticated platforms, security of archived data, costs for searching and retrieving archived data (making data available for law enforcement authorities), and human resources to handle that data. Cost-estimates provided on the implementation of the Directive have varied significantly. The different estimates provided by governments and service providers have caused uncertainty as to which costs are truly reflective of the financial impact of this measure. Governments’ estimates have been significantly

6

Due to the limited space, the social and political consequences of the Directive will be explored in Maras (forthcoming-a, forthcoming-b).

123

452

Eur J Law Econ (2012) 33:447–472

lower than those provided by the telecommunications and electronic communications industry. An explanation for this disparity is that the government is calculating the cost of the raw disk storage; whereas the industry is providing estimates on the basis of the need to build systems that can both process the data and provide highly reliable and secure storage and retrieval (APIG 2003: 22–23). What makes matters worse is that these estimates have significantly increased with time causing even further confusion as to the economic effect of data retention. There are two primary factors that drive the costs for retention and constitute the reasons why the costs of retention are still being measured. First, the cost to both store and search retained data increases exponentially over time (WITSA 2004: 4). To be precise, since the use of communications increases with time (due, for example, to the availability of more services developed and offered to users), the volume of data stored is enlarged and in consequence, so are the costs of retention. Second, service providers’ ability to search this database effectively decreases exponentially over the same period (WITSA 2004: 4). That is, the more data stored in the database, the more difficult (both in terms of time and effort) it is to search for specific information. The direct costs of data retention vary according to whether data retention laws are already operational or need to be implemented. Before the Directive was passed in December 2005, only a few Member States had operational data retention laws in place (Commission 2005c: 6). Member States which have experience in dealing with such schemes indicated that the associated costs with retention are relatively limited. In particular, while one Member State indicated that the costs for retaining fixed and mobile telephony data for 3 years amounted to approximately five million Euros, other Member States indicated similar costs, no greater than ten million Euros (Commission 2005c: 19). However, since the majority of Member States do not have data retention laws, the creation of new infrastructures for data collection and storage, new system technology for processing and storing data, and overall changes in system design are likely consequences of implementing the Data Retention Directive. In fact, in the United Kingdom evidence was provided that showed that many service providers would need to install entirely new systems to meet data retention requirements (APIG 2003: 22). As such, the costs of retention will be considerably higher than those cited by Member States that have data retention laws and infrastructures in place. Costs of retention also vary according to the type of data retained (telephony, mobile, or internet) and the size of the company (small, medium, large). For the traditional circuit-switched telephony, with respect to the type of data retained and the size of the company, the costs of data retention would be driven by the required storage capacities, and the costs for adapting system technology for the generation and storage of this data. Overall, estimates presented by representatives of the industry indicated investment costs for larger fixed network operators would amount to a three-digit million figure (Commission 2005c: 18; Craig and Bergman 2006).7 Even for small telecommunication companies the estimated costs for retaining data was approximately 100 million Euros (Retzer and Vanto 2007).

7

Similar estimates were presented for mobile network operators.

123

Eur J Law Econ (2012) 33:447–472

453

In contrast, research cited in the impact assessment suggests that the actual costs will be far below the estimates provided by the industry during the consultation process. Specifically, in the impact assessment, a study commissioned by the Dutch Ministry of Justice (published in November 2004) indicated that the cost for retaining data related to fixed and mobile telephony would amount to an investment and running costs in the order of hundreds of thousands of Euros (Commission 2005c: 19). However, this study acknowledged that its results ‘were already outdated when the report was finalized in November 2004 because they were based on an analysis of statistics from 2003’ (ITAA 2005: 10). According to the impact assessment, ‘the expected increase in the use of electronic communications will necessarily lead to a higher amount of data being kept in the future. This will reinforce the impacts of the measure over time’ (Commission 2005c: 21). Since 2003, the level of traffic has significantly increased and is expected to increase even further; so much so that the costs of retaining data from traditional circuit-switched and mobile telephony are instead likely to be in the three digit million figure, as originally estimated in 2005 and 2006 by service providers. In terms of internet data retention, according to the European Telecommunications Network Operators’ Association (ETNO),8 for larger internet service providers, the initial cost of retention would be higher than 150 million Euros (Commission 2005c: 18; Craig and Bergman 2006). This estimate has been cited by many different service providers in ETNO. This estimate, including a more recent one provided by the German internet industry, where total costs of retention were estimated at 332 million Euros (these costs only covered the acquisition costs of hardware and software for retention), illustrate how the costs of internet data retention will exceed those of traditional circuit-switched telephony many times over (Internet Data Retention 2007). The above mentioned costs for telephony, mobile and internet data, however, do not include the costs for adapting the operational processes for securing archived data, for handling and analyzing enquiries from law enforcement and intelligence agencies, the cost of maintaining the systems involved, and the human resources required. In terms of securing archived data, the Directive requires that appropriate technical and organizational measures be implemented in order to protect the data and to ensure that this data can be accessed by authorised personnel only (Article 7). It is argued that if additional (expensive) systems are required for the protection from unauthorised access to retained data then the forecast of costs indicated above would be exceeded many times over (Internet Data Retention 2007). In terms of managing, searching, and analyzing retained data, it is argued that even if a service provider already retains the data law enforcement agencies may require for a minimum period, they may not have the capacity or capabilities to search this information in a way that agencies may desire (ITAA 2005: 2). Specifically, consider Article 8 of the Directive which states that. Member States shall ensure that the data specified in Article 5 are retained in accordance with this Directive in such a way that the data retained and any 8

This association represents 41 telecommunications companies located in 34 countries in Europe.

123

454

Eur J Law Econ (2012) 33:447–472

other necessary information relating to such data can be transmitted upon request to the competent authorities without undue delay. The requirement to transfer retained data without undue delay to authorities will additionally burden service providers. The industry is additionally burdened because in order to meet this requirement providers would have to ‘develop or implement tools or interfaces to its systems to enable its data to be written in a variety of different formats and structures, or at least in a simple and readily accessible’ structure and/or format ‘which does not destroy any value in the data’ (Taylor 2006: 311). Moreover, service providers argue that trying to make sense of the different data formats and translate them into something that is of value to law enforcement authorities will be an extremely difficult task (Cederschio¨ld 2005: 4). The development of databases that can ‘cope with storing and retrieving the multiple and constantly evolving data formats and data types supported in different operator environments’ would be included in the price tag of retention (LogicaCMG 2007: 7). Evidently, this requirement is problematic because service providers store data in a limited fashion as raw data ‘in order to comply with business, privacy and security requirements at minimum cost’ (ITAA 2004: 2). This data therefore requires restoration before it can become identifiable and thus be of any use to competent authorities (Ibid.). Governments have argued that retention ‘costs can be kept low by using compression software to increase capacity/storage space’ (ERICA 2001). This data will be kept on storage tapes. The costs of the retrieval of data from these storage tapes, as the industry claims, are what are costly and the use of compression techniques will only increase these costs (Danezis 2007). In 2002, in the United Kingdom, Clive Feather, a member of the Internet Service Providers Association (ISPA) presented oral evidence to the All Party Parliamentary Internet Group’s (APIG) public inquiry into the retention of and access to communications data for law enforcement purposes. The evidence he presented revealed that data would not just be stored in raw format, which is not only advocated by governments but also required of service providers because the evidential integrity of the data depends on it being in its original state. In order for retained data to be transferred to authorities ‘without undue delay’, it would have to be organised so that service providers can find information about their customers relatively easy. To do so, they would have to invest time and effort in human resources. This, however, comes at a high price. Human resources costs thus also figure in the overall monetary costs of data retention. Employees of telecommunications and electronic communications service providers will have to be trained in the proper handling and use of data to ensure the admissibility of retained data in court (Libin 2006: 5). Service providers, therefore, in complying with data retention requirements, may have to incur the cost of hiring and training employees whose responsibility would be to conduct searches for and provide information to competent national authorities as defined by national legislation (Ibid.). The number of competent national authorities that have access to the data also affect the costs of retention. Specifically, ‘there is likely to be a direct correlation between the number of competent national authorities that may request access to the

123

Eur J Law Econ (2012) 33:447–472

455

data and the cost to service providers of providing data in response to such requests’ (Goodall 2007). The costs of data retention thus ‘grows linearly with the number of requests for retained data and includes, the processing request, retrieving the data, delivering the data and invoicing for the costs’ (Danezis 2007). Originally, only 9 bodies had access to retained data in the UK under the Regulation of Investigatory Powers Act 2000. Now, it is reported that nearly 800 bodies have access to retained data including 475 local authorities. If each of these authorities made only one request for retained data each day, there would be 292,000 annual requests for data. While this may seem like a large number of requests, available reports from 2005–2006 show that the annual number of requests for communications data was over 439,000 (Privacy International 2007). Data retention will, therefore, result in even higher costs than those mentioned above because it requires the redesigning of systems resulting from service providers’ lack of the hardware and software requirements necessary to process, store, search, retrieve, and analyze data. As such, what needs to be determined is whether or not the Directive includes provisions which limit the direct costs of retention. 3.1 Factors determining proportionality The main limiting principle is the requirement that measures be proportional. Proportionality also requires that measures do not result in unnecessary hardships for the affected individuals, businesses and/or sectors. These include data sets and retention periods which were unnecessarily expanded (i.e. these data sets or longer periods provide no added value for law enforcement) and the lack or partial reimbursement of service providers. This test of proportionality is explored by examining the impact assessment on data retention. European Community institutions (European Commission, Council, and Parliament) claimed that one of the main negative impacts of this measure is its burden on telecommunications and electronic communications service providers and eventually Member States. Maximum efforts were said to have been taken to minimize the costs of data retention. According to the European Commission’s proposal on data retention and the impact assessment, the issue of proportionality was taken into account because the costs and consequences of retaining data were limited through a number of different provisions included in the proposal; most notably those concerning the limitation in the data sets to be retained, the actual retention periods proposed, and the cost reimbursement scheme (Commission 2005c: 24). In what follows, the validity of this claim of proportionality is determined by evaluating these provisions in the final version of the Data Retention Directive. 3.1.1 Types of data retained Obviously, the actual types of data retained influence the overall costs of retention. In order to avoid disproportionate burdens on the industry, Community institutions have stressed that the only data to be retained should be those that provide added value for law enforcement and can be stored and processed with as little additional

123

456

Eur J Law Econ (2012) 33:447–472

effort for the industry as possible (by, for example, retaining data that is already supplied within their services). Therefore, some types of data retained (as required by Directive) will be analyzed in order to determine whether or not they in fact limit costs or unnecessarily burden service providers. The Data Retention Directive specifies that ‘data necessary to identify the type of communication’ should be retained.9 Consider Article 5(1)(d)(1) of the Data Retention Directive, which states that the necessary data to identify the type of communication used concerning fixed network telephony and mobile telephony is the telephone service used. Here, ‘telephone service’ means. calls (including voice, voicemail and conference and data calls), supplementary services (including call forwarding and call transfer) and messaging and multi-media services (including short message services, enhanced media services and multi-media services).10 Storage of data required to identify the type of communication is generally not necessary for billing purposes, except, for example, when a subscriber sends a short message service (SMS) (GSME 2005: 3). In cases where a connection was used for fax or voice transmission, this type of information is not retained for business purposes. This information is not stored because if a fixed line connection was used for fax or voice transmission, the cost of the transmission for billing purposes would be the same (BDI, BITKOM and VATM 2005: 5 and 14). As such, there is no reason to retain this data, and thus to distinguish between these types of information for billing purposes. Consequently, since this type of data is not already processed and stored for billing purposes, its retention would require technical upgrading consisting of substantial investments in hardware and software (GSME 2005: 3). Not only will this type of data significantly increase costs, but it is also argued that competent authorities have yet to demonstrate what corresponding added value this additional information has to offer in the fight against terrorism and serious and organised crime in light of these substantial costs (BDI, BITKOM and VATM 2005). It has to be noticed that the retention of this type of information unnecessarily burdens providers because it does not have any proven added value for law enforcement and intelligence agencies. However, proportionality requires that the amount of data retained is limited to that which is necessary and in this case should reflect the demonstrable needs of law enforcement. This type of information should not be retained unless a clear need is demonstrated. The Directive further requires the retention of data necessary to identify a user’s communication equipment.11 For mobile telephony, the Data Retention Directive requires the retention of the International Mobile Equipment Identity (IMEI)12 of the calling party and the IMEI of the called party (EDRI 2005: 1). An example of when an IMEI number may be requested is when a service provider wants to 9

Article 5(1)(d), Directive (2006/24/EC).

10

Article 2(c), ibid.

11

Article 5(1)(e), Directive (2006/24/EC).

12

A unique 15-digit serial number of the mobile device. This number is automatically transferred by the phone when the network asks for it.

123

Eur J Law Econ (2012) 33:447–472

457

determine if a mobile device is in ‘disrepair, stolen or to gather statistics on fraud or faults’(Ibid.). Service providers argue that the added value of retaining this type of information, in addition to the International Mobile Subscriber Identity (IMSI) number and the user’s telephone number, is questionable at best. Specifically, not only can IMEIs be easily manipulated by users, but manufacturers can assign these numbers multiple times thus making the accurate identification of mobile terminals and subscribers by these numbers extremely difficult (GSME 2005: 4). As a result, service providers do not use IMEI numbers to identify the mobile phone users, but instead use the IMSI number assigned by the provider and stored on the customer’s chip (SIM) card (ITAA 2006: 3). Since the Directive requires the retention of the IMSI number,13 there is no added value in retaining the IMEI number as well. Furthermore, service providers retain the telephone number in order to identify the user. Accordingly, retention of the IMEI in this case would also not provide any added value. Most service providers do not retain the IMEI number. Therefore, it can be argued that by requiring them to retain this information, not only will this type of data increase costs of retention but it will also unnecessarily burden providers by requiring them to retain data not usually supplied within their services. Recalling Community institutions’ claims (in the proposal and impact assessment) that the only data to be retained should be those that can be processed and stored with little additional effort for the industry, the Directive’s retention of the above mentioned data is clearly not in line with this requirement. Specifically, the impact assessment conducted on the proposal for data retention stated that the types of data retained had been limited to what was absolutely necessary. The above mentioned data not only significantly increases the cost of retention, but also unnecessarily burdens service providers. Instead of limiting the data sets retained, the Directive requires the processing and storage of data that was not previously kept for business purposes and does not have any proven added value for law enforcement. Accordingly, the inclusion of these types of data unnecessarily burdens service providers, making the Directive a disproportionate measure. Since the impact assessment further stated that longer retention periods and retention without or with partial reimbursement would also be disproportionate (because they unnecessarily burdens service providers), they are explored below. 3.1.2 Retention period and cost-reimbursement The European Commission’s proposal for data retention included a limited retention period (6 month minimum; 1 year maximum) and a cost-reimbursement principle in order to minimize the impact of this measure on individuals, businesses, and sectors. In the impact assessment, longer periods of retention were said to be disproportionate because they did not reflect the demonstrated needs of law enforcement (Commission 2005c: 15). Any extension of the period of retention would place an unnecessary burden on service providers by significantly increasing costs. And yet, the final version of the Data Retention Directive included a retention period of a minimum of 6 months to a maximum of 2 years (Article 6). No justifying rationale was given for 13

See Article 5(1)(e)(2)(ii), Directive (2006/24/EC).

123

458

Eur J Law Econ (2012) 33:447–472

the increase of the retention period to 2 years. What is known, however, is the study (included in the impact assessment) to which the European Commission, as well as the Presidency of the European Council, attached importance, demonstrated that overall, traffic data of up to 1 year was required by law enforcement agencies (UK Presidency Paper 2005: 4). Longer retention periods were found to provide little or no added value to law enforcement authorities. Accordingly, any retention period greater than 1 year was considered disproportionate. The types of data are not the only aspect of the Data Retention Directive that may increase the volume of data processed and stored. The length of retention period also affects the volume of data and consequently, the costs of retention. For instance, AOL claimed that prior to the mandate for EU-wide data retention, the norm for storing IP address data was approximately 3 months (APIG 2002). This period of time was found to suit the needs of the company, the customer (in terms of the security and privacy of his or her data) and law enforcement. They further argued that adding an additional 9 months to normal business practice would lead to enormous costs (Ibid.). Not only will the majority of States which did not already have data retention laws now store numerous types of data beyond business purposes but will also be required to do so for an extended period of time. As mentioned above, an unnecessary burden is placed on service providers because the retention period has been extended well beyond the needs of law enforcement. The implementation of the Directive will thus result in unnecessary costs because the majority (if not almost all) requests can be met within 1 year (as indicated in the impact assessment). It is also important to determine who bears the costs for retention. In respect of the cost-reimbursement principle, the European Commission’s proposal stated that. Member States shall ensure that providers of publicly available electronic communication services or of public communication network are reimbursed for demonstrated additional costs they have incurred in order to comply with obligations imposed on them as a consequence of this Directive (Article 10, Commission 2005e: 14). Reimbursement was required because data retention would result in high cost burdens for the industry and supplementary requirements (other than the processing and storing of data for billing and other legitimate purposes), such as including longer retention periods, would create extra costs. Given that the proposal of the directive included a cost-reimbursement principle, throughout the impact assessment it was argued that burdens to the industry resulting from data retention were minimized (Commission 2005c: 18). The final version of the Data Retention Directive, however, did not include this provision. Although reimbursement could be granted as a legitimate state aid, the Directive does not oblige Member States to reimburse service providers for the costs incurred by retention. The European Economic and Social Committee stated that ‘each Member State is free to establish the amount and formula of compensation for these costs, in line with their own criteria, circumstances and security needs’ (European Union Preparatory Acts 2006). In line with this argument, the Netherlands, for example, decided not to compensate providers for costs incurred by implementing surveillance

123

Eur J Law Econ (2012) 33:447–472

459

measures for law enforcement purposes. Consider Article 13.6 paragraph 1, of the Dutch Telecommunications Act (Telecommunicatiewet) 1998, which states that providers are required to pay for interceptability. Providers would pay because this Member State believed it would be more cost-effective. The argument was that if providers paid, they would look for the cheapest solution; whereas, this would not be the case if the government paid (Koops and Bekkers 2007: 50). The European Economic and Social Committee supported the removal of the principle by stating that. the additional costs incurred by operators from the storage and transmission of the data referred to in the proposal should be considered as a charge that ought to be borne by the providers simply as a part of being on the market, rather than by the public purse (European Union Preparatory Acts 2006). Likewise, Member States, such as Spain, have claimed that service providers should not be reimbursed, albeit for a different reason. In Spain, the data retention law (Ley 25/2007 de conservacio´n de datos relativos a las comunicaciones electro´nicas y a las redes pu´blicas de comunicaciones that came into force on 9 November 2007) does not provide for reimbursement on the grounds that profit levels within the telecommunications and electronic communications service sector are sufficiently high to absorb the additional costs posed by implementing the Directive (Commission 2007b: 7). Yet, in effect, citizens may end up paying for their data to be retained for law enforcement purposes through higher prices for services, if providers are not reimbursed. This was the case in the Netherlands, when the internet service providers industry had to invest 100 million Euros in surveillance technology in order to implement the Dutch Telecommunications Act (Telecommunicatiewet) 1998 (Baker 2002: 2). According to the remarks made by the chairman of the Netherlands Internet Providers at the Electronic Commerce Forum (ECO), these enormous costs were ‘passed onto the customers and partly explains the high telecommunications end-user prices in the Netherlands compared to other European countries’ (Ibid.). In Member States without full reimbursement or with partial reimbursement for data retention, similar effects are expected. It has been noted that data is retained solely for law enforcement purposes because service providers do not need to retain data for business purposes. Since the detection, investigation and prosecution of serious crime is a state responsibility, arguably it should be funded by the state. As such, Member States ought to bear the cost of data retention by compensating telecommunications and electronic communications service providers for retaining data beyond business purposes.14 The constitutionality of Member States requiring service providers to bear the costs of implementing law enforcement measures has been determined by the Austrian Federal Constitutional Court. In fact, in 2003, the Constitutional Court held that compelling telecommunication service providers to implement surveillance measures at their own expense was unconstitutional (Schro¨der and Laurant 2003). In 14 Regardless of whether or not EU Member States reimburse service providers, one thing remains certain—citizens will end up bearing the costs of this measure.

123

460

Eur J Law Econ (2012) 33:447–472

this case, the Austrian government argued that it not only had the right to require service providers to install the necessary surveillance equipment15 but it also had the right to require providers to bear the cost of implementing these measures.16 By contrast, according to Austrian constitutional interpretation, surveillance of telecommunications for law enforcement purposes is mainly the duty of the State (Schro¨der and Laurant 2003). It follows that the State should bear the cost of implementing surveillance measures. In 2004, the Austrian Federal Minister issued an ordinance, which requires the cost reimbursement of telecommunications and electronic communications service providers in their assistance in surveillance.17 Additionally, when discussing the transposition of the Data Retention Directive into national law, the French delegate referred to the practice of the costs of the request of communications data by competent authorities in serious crimes cases being met by the State in making their case for why service providers should be compensated (Commission 2007b: 6). Furthermore, service providers do not need this equipment for the provision of their services. This equipment is installed solely for law enforcement purposes. Here, service providers are required to provide a new service to law enforcement authorities for reasons of public benefit; namely, security (Hutty 2005: 2). Accordingly, it is reasonable to expect that the public purse bear the costs of implementing this measure and not service providers. Since reimbursement is not mandatory, the transposition of the Directive into national laws has seen differences in reimbursement plans between Member States (see Table 1 above). Finland and the United Kingdom, among others, will reimburse additional costs for complying with the Directive. Other States, such as Greece, Cyprus, Spain, Hungary, Ireland, Latvia, Lithuania, Poland, Slovakia, and Slovenia will not reimburse service providers for the costs incurred by retaining data. Furthermore, some States, such as the Netherlands, will only partially reimburse service providers. Consider again the Dutch Telecommunications Act (Telecommunicatiewet) 1998. Under Article 13.6(2) of this Act, the administrative and personnel costs that arise from service providers complying with law enforcement requests are borne by the government. Here, governments pay for law enforcement requests to retrieve archived data from service providers. On the other hand, the investment, operating, and maintenance costs for technical facilities must be borne by operators (Koops and Bekkers 2007: 50). Partial reimbursement is advocated for two reasons. One reason is that if the costs of retrieval fall on competent national authorities then they have economic incentives to keep the number of requests to those that are strictly necessary. The second reason is that if all costs are paid by the government then electronic communications service providers do not have ‘any 15 Section 89 (1) of the Telekommunikationsgesetz (Telecommunications Law) 2003, service providers are required to ‘install and provide for surveillance tools to enable Austrian law enforcement agencies to fulfil their obligations to conduct investigations’. 16 Section 89 (2) of the Telekommunikationsgesetz (Telecommunications Law) 2003 stipulates that service providers ‘receive an adequate refund for their expenses for State-ordered wiretappings, although’ service providers ‘do not get any refund for the significant costs to install the wiretapping equipment’. 17 Ordinance of the Federal Minister of Justice over the reimbursement of costs for the assistance in the ¨ berwachungskostenverordnung—U ¨ KVO) Federal Law Gazette II, Surveillance of Telecommunication (U No. 322/2004.

123

Eur J Law Econ (2012) 33:447–472 Table 1 Member states’ cost reimbursement plans for service providers

Member states

461

Cost reimbursement

Cyprus

No

Czech Republic

Partial

Finland

Yes

Germany

Partial

Greece

No

Hungary

No

Ireland

No

Latvia

No

Lithuania

No

Netherlands

Partial

Poland

No

Slovakia

No

Slovenia

No

Spain

No

United Kingdom

Yes

incentives to be efficient by investing in appropriate technologies’ and the government may ‘end up paying more than the real value of obtaining retained data from storage’ (Danezis 2007). However, even partial reimbursement may disadvantage certain service providers within Member States; especially small service providers. While the costs of retaining data are likely to be passed on to customers regardless of the size of the service provider, smaller operators will be forced to charge customers considerably more because larger operators have a greater customer base over which to spread the costs of retention (Internet Society of England 2002). Accordingly, if service providers are not fully reimbursed for implementing law enforcement measures, then these measures would unreasonably burden small service providers; thus, making these measures disproportionate. The Directive itself states that in order to be proportionate a measure should limit the number of different factors included in the proposal, most notably the data sets to be retained, the actual retention periods proposed, and include a cost reimbursement scheme. The analysis has shown that the various factors included in the Directive (types of data, period of retention, and lack of cost-reimbursement) created additional costs (instead of limiting them as claimed in the impact assessment) and unnecessarily burdened service providers. The next section explores the indirect consequences of data retention.

4 Indirect economic consequences: other areas and policies affected Other than the implementation costs of measures on public authorities and/or service providers and burdens to businesses and individuals (illustrated above), impact assessments also include the economic consequences of proposed measures

123

462

Eur J Law Econ (2012) 33:447–472

such as its impact on economic growth and competitiveness, impacts on the potential for innovation and technological development and its resulting increases or decreases in consumer prices (Commission 2002a: 15). This section examines whether or not the Data Retention Directive adversely affects telecommunications and electronic communications service providers’ competitiveness and other initiatives in the European Union (Ibid.). 4.1 Competition The economic gains of regulation are caused by reduced cost and increased competition. Even Member State laws, such as the German Telecommunications Act (TKG) 1996, restrict the scope of regulation to those which foster competition (Werle 1999: 114). Indeed, regulation must protect the process of competition because it helps reduce prices and facilitate choice. Competitive markets are the very core of a fully functioning internal market. Regulations, such as data retention, must be carefully examined before they are introduced in order to ensure that they do not impede competition. In fact, when conducting an impact assessment, European Community institutions are required to determine whether and to what extent a proposed measure affects EU competition policy and the functioning of the internal market. That is, will the measure adversely affect competition by creating barriers for service providers? If so, how are these barriers created? Who is affected by them (for example, new entrants and small service providers)? The impact assessment stated that a positive consequence of data retention was the European wide harmonisation of data available for law enforcement purposes. In fact, the economic objective of the Data Retention Directive is to. ensure the creation of a level-playing field for operators, so that no distortions in the market for electronic communication services are created or continue to exist due to different national approaches to the issue of traffic data retention (Commission 2005c: 7). This level-playing field refers to the competitive landscape of service providers in the EU. The main reason for implementing a directive on data retention was to ensure the harmonisation of data retention laws in the EU. The implementation of the Directive can either positively or negatively affect the competitive landscape depending on whether or not harmonisation is achieved. If intervention (for example, the Data Retention Directive) into the internal market affects different market participants (in this case, the service providers) in different ways, then certain competitors may face an advantage or disadvantage. Some service providers may be more disadvantaged by data retention requirements than others. Specifically, EU service providers who keep logs of unsuccessful call attempts, ‘a communication where a telephone call has been successfully connected but not answered or there has been a network management intervention’, for business purposes would be obliged to do so for extended period of time.18 18 See Article 2(f) for definition of unsuccessful call attempts and Article 3(2) for service providers’ obligation to retain this data, Directive (2006/24/EC).

123

Eur J Law Econ (2012) 33:447–472

463

Telecommunications and electronic communications service providers who do not generate or process this data in supply of their services, are exempt from this requirement. Therefore, some service providers within a Member State will be obliged to retain this data, while others will not. How is harmonisation achieved if some service providers retain this data while others do not? According to the symmetry principle (or equality of opportunity), individuals in similar situations should be treated similarly (Parkin 2005: 114). Comprehensive reimbursement of service providers would allow the creation of a level-playing field (by avoiding discrimination between market players) throughout the European Union (Commission 2005c: 14). Therefore, whether or not a level-playing field is created depends on whether or not costs are reimbursed by Member States. The above mentioned requirement discriminates against those service providers who already retain this information for business purposes; even more so if these service providers are not fully reimbursed for this additional data retention obligation. That is, if the service providers who have to retain this data operate within a Member State that does not compensate them for complying with the Directive, their respective position within the market will be worse off than others in the same Member State that do not need to incur these additional costs. This requirement thus places the former service providers at a competitive disadvantage with other market participants because it affects service providers in different ways. Clearly, the creation of a level-playing field is hindered by this requirement of the Data Retention Directive. However, one of the reasons for creating this Directive was because of the lack of harmonised types of data and retention periods, which resulted from the transposition of the Electronic Communications Directive (Directive 2002/58/ EC)19 into national laws. By exempting some providers from the above mentioned requirement (retention of unsuccessful call attempts), authorities would be faced with the same problems they had with the Electronic Communications Directive (Directive 2002/58/EC), which provided a voluntary data retention scheme (i.e. it permitted—not required—EU Member States to pass data retention laws). Additionally, and more importantly, if, as it is being claimed, such a measure was implemented in an attempt to combat terrorism, there should be an obligation to retain this specific type of data because it aided in tracking down the perpetrators of the bombings in Madrid (Retzner and Schu 2006: 9). Moreover, as a result of Directive (2002/58/EC), the data retention policy landscape across the EU was fragmented, even regarding retention periods (Whitley and Hosein 2005: 865). This is also observed in the transposition of the Data Retention Directive into Member States’ laws. For instance, Member States have also taken different approaches to the period of retention. Germany, Finland and the Czech Republic have opted to retain data for a minimum of 6 months. Other countries, such as France, Denmark, Spain, Belgium, and the United Kingdom are opting for a retention period of 12 months. Poland and Slovenia plan on retaining data for 24 months.

19 Council Directive (EC) Directive (2002/58/EC) of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector [2002] OJ L 201/37.

123

464

Eur J Law Econ (2012) 33:447–472

Considerable variations in the approaches Member States take in implementing the Directive could potentially distort competition in the internal market (Commission 2007b: 7). The European Commission’s (2002b) report on the State of the Internal Market for Services revealed how the internal market was not functioning as a result of barriers affecting service providers and users. Proposed measures such as the Directive are screened in order to determine if they raise or lower ‘the barriers to entry or exit, making it harder or easier for firms to enter or leave the market’ (Commission 2005b: 30). The impact assessment stated that a positive consequence of data retention is the resulting European wide harmonisation which will likely have a ‘positive effect on any enterprise from outside of the EU who would wish to invest in the EU-wide electronic communications market in Europe’ (Commission 2005c: 21). However, the internal market barriers that may result from the implementation of this Directive may prevent new service providers from entering this market (Alvaro 2005: 57). Barriers to market entry consist of a range of ‘different factors that restrict the ability of new competitors to enter and begin operating in a given industry’ (Encyclopedia of Small Business 2007). For instance, ‘an industry may require new entrants to make large investments in capital equipment’ (Ibid.). With data retention, such investments would be required of those wishing to enter and compete in the market. The high costs of retention may also cause market distortion by deterring market entry to potential communications and internet service providers and causing smaller service providers to fail. Small and mediumsized enterprises (or SMEs) are predominant in the EU. If costs associated with data retention would have to be borne solely by service providers, this could have a significant impact, especially for smaller entrants into the market. Lack of reimbursement or partial reimbursement for service providers’ compliance with the Data Retention Directive may not only disadvantage new entrants to the market, but also put smaller service providers out of business. The latter might occur because while large internet service providers may have full-time staff to handle requests, this is not the case with smaller internet service providers (Whitley and Hosein 2005: 866). Small internet service providers may not have the capability and may need to devote valuable senior management whenever requests are received (Ibid.). Furthermore, Member States may have allotted a specific limited amount of funds for reimbursement. Flat rate tariffs are currently in effect in France, although service providers have complained that the level of reimbursement is insufficient. Given that the components for the systems for data retention ‘would be almost independent of the company size, this would make the expense fall disproportionately upon the smaller players’ (APIG 2003: 24). Even if the funds are split evenly among telecommunications and electronic communications service providers some may still be disadvantaged. As the UK delegate stated during the meeting on the initial transposition of the Data Retention Directive, a flat rate reimbursement ‘will benefit some providers and under-compensate others as they will not have the same cost structure’ (Commission 2007b: 8). The failure to provide full reimbursement to all service providers could adversely affect market competition.

123

Eur J Law Econ (2012) 33:447–472

465

4.2 The Lisbon strategy and beyond Within the impact assessment, it was argued that data retention should be in line with Lisbon Agenda20 and other general policies concerning the Information Society (Commission 2005c: 8). The European Council asserted that the Lisbon strategy could not be met unless further efforts were made ‘to lower the costs of doing business…which are particularly burdensome for SMEs’ (Commission 2004a: 5). Additionally, internal market barriers to services were found to ‘have a significant adverse effect on economic growth, employment and competitiveness in the EU’ (Ibid.). This occurrence runs contrary to the Lisbon agenda, which can be achieved, according to the European Council, with the removal of barriers to services. The Data Retention Directive both increases costs and creates more barriers instead of removing them. Clearly, the Lisbon strategy is not met by implementing the Data Retention Directive. Consider the European Commission’s ‘i2010 Initiative: European Information Society 2010’, which concerns the contribution of the information and communication technology (ICT) sector to the EU’s renewed Lisbon strategy to stimulate growth, competitiveness and employment (Commission 2005d, 2004b: 4). The ‘i2010’ initiative aims at achieving world class performance in research and innovation in information communication technology by closing the gap with Europe’s leading competitors. That is, it seeks to increase investment in innovation and research in ICT (EU ICT Task Force Report 2006: 1). When electronic communications were debated in the European Parliament, MEP Toia asserted that the ICT sector. is a driving force behind the development of the European economy, both according to Lisbon and because telecommunications are the cornerstone of any economy based on knowledge, innovation and research. Telecommunications technologies act as a stimulus for productive innovation and a catalyst for the productivity of labour (European Parliament 2005a). European competitiveness will depend on the level of investment particularly in innovation, research, and development. As was previously shown, insufficient compensation of service providers for implementing this Directive may force providers to direct resources for research in new technologies and services to costs for data retention. Removing the cost-reimbursement principle thus may have an indirect consequence of limiting innovation in the industry. The unanticipated consequences of regulation are not necessarily undesirable (Merton 1936: 895). In terms of the Directive, however, the opposite holds true. The best reference to the unintended consequences of data retention is included in Alvaro’s report (Alvaro 2005). According to this report, by implementing the Data Retention Directive, if an operator in Europe provides internet access for an individual who uses email services as Hotmail, Yahoo and Gmail, the service 20 The Lisbon agenda was agreed upon by EU leaders at the Lisbon Summit. It aims to make Europe by 2010 ‘the most competitive and dynamic knowledge-based economy in the world, capable of sustainable economic growth and more and better jobs and greater social cohesion’.

123

466

Eur J Law Econ (2012) 33:447–472

provider is not required to store information on a user’s emails because these services are not covered by the Directive. And yet, if the Directive was in fact designed with the intention of combating terrorism (as proponents of this measure have declared) then information on these email services should be retained because intelligence has shown that the terrorists responsible for 9/11 had Hotmail accounts. Also, the lack of coverage of these services by the Directive may provide serious criminals with ‘safe havens’ where they can communicate with each other undetected. However, the supposed creation of these ‘safe havens’ with voluntary retention schemes were one of the main arguments for calling for EU-wide mandatory data retention in the first place.21 Furthermore, it was argued that ‘criminal elements were likely to use systems that were inherently ‘‘off-shore’’ such as satellite phones and foreign web-based email services’ (APIG 2003: 25). Another unintended consequence is that Member States’ data retention laws (especially those which do not fully reimburse service providers) ‘could prompt service providers to store data ‘‘off-shore,’’ where it would be out of the immediate reach of law enforcement and where access would be subject to the laws of other countries, defeating the whole purpose of the mandate’ (Libin 2006: 3). For instance, in Belgium, although they offer access or services in Belgium, some internet access providers (IAP) or internet service providers (ISP) try to evade legal obligations to retain traffic data by installing their technical infrastructure in a geographical region where there is another legal framework (Council of the European Union 2002). Non-EU service providers are not subject to the same obligations. Consequently, some service providers may decide to move their operations to other countries such as the United States that do not have data retention obligations, which could threaten jobs in the EU (Breyer 2005). As part of the Lisbon strategy, the telecommunications and internet industry is said to play a key role in contributing to the process of creating a safer Information Society. Specifically, the ‘i2010’ initiative focuses on the need to provide an adequate, legal framework to protect citizens and businesses using electronic communications (Commission 2005c: 4). The mandatory retention of data on all European citizens for a prolonged period of time, however, raises significant concerns for the security of this data.22 These concerns may make users ‘more sceptical when using the offered services from EU providers’ (Commission 2005c: 21). Nevertheless, users ought to be confident that their information is confidential and secure (ICC et al. 2003: 11). It is important to note that the use of electronic communications is expected to ‘grow substantially in the future’ (Commission 2005c: 16). However, an unintended consequence of mass data retention might be a decrease in the use of certain electronic communications services (Ibid.: 21). In fact, 21 What was not mentioned about these voluntary schemes, however, was that providers who volunteered to retain data remained anonymous. In light of this, one has to wonder how these ‘safe havens’ could be created, especially since the information which providers retain was unknown and unavailable. 22

The security consequences of mass data retention have been explored elsewhere (Maras 2008).

123

Eur J Law Econ (2012) 33:447–472

467

in Germany, it was believed that users’ privacy concerns would lead to a decrease in the use of electronic communications services (Breyer 2005). The indiscriminate data retention mandated by the Directive could deter European consumers from using EU communications services. The loss of consumer confidence (due to fear that their communications data is being recorded and analyzed), therefore, holds the danger that the further development of the information society (‘i2010’ initiative) could be inhibited in the long term and thus the Lisbon Strategy could also be endangered.

5 Impact of the directive on the market The Data Retention Directive was created, in part, to remedy a market failure.23 Market failure refers to ‘a situation in which a market left on its own fails to allocate resources efficiently’ (Mankiw 2001: 11). Obstacles to the internal market are an example of market failure. European Community institutions initially intervened because of the disparity in approaches on data retention. Some states had data retention laws in place (for example, Ireland), while others did not (such as Greece and Luxemburg). Defects were also said to arise from the differences in national data retention laws (Recital 5) and the legal and technical differences between national provisions concerning data retention (Recital 6). The European Community, in order to remedy this market failure, adopted the Directive. Sometimes, however, government intervention (or in the Directive’s case, intervention by the EC) aimed at rectifying failures may make the internal market ‘worse off than leaving the original failure in place’ (Brauer 2002: 8). Such intervention should only be pursued if its ‘benefits appear to outweigh the measurable costs and the best guess about the immeasurable costs’ (Lipsey and Chrystal 2004: 356). Accordingly, only if the benefits of data retention outweigh the costs should the Directive be implemented. Whilst the impact assessment stated that a positive consequence of retention (and thus advantage) would be European-wide harmonisation, the final version of the Directive includes factors which ensure that this will not occur. The types of data, retention period, and lack of reimbursement principle in the Directive, confirm this. Specifically, instead of data retention having positive consequences, it will result in negative consequences due to the types of data retained (some redundant and unnecessary), the period of retention (increased to 2 years beyond needs of law enforcement), and the removal of the cost-reimbursement principle (despite claims of its necessity in the impact assessment and proposal on data retention). These factors, rather than limiting the negative effects of retention, create unnecessary hardships for the affected individuals and businesses; thus, making the Directive a disproportionate measure. Furthermore, as illustrated above, the Directive not only significantly increases the monetary costs of retention, and unnecessarily burdens 23

The term ‘in part’ is used because the Directive has two objectives. One of the objectives deals with the market failure; that is, creating (for those who did not have them) and regulating national data retention laws. The other objective is concerned with ensuring data availability for law enforcement purposes.

123

468

Eur J Law Econ (2012) 33:447–472

service providers and individuals, but it is likely to have an adverse impact on competitiveness and might affect innovation and consumer confidence. In so doing, the Data Retention Directive also runs counter to other important policies currently in force within the EU. If data retention is likely to cause more harm than good, then even in the face of a market failure, the ‘do nothing’ option (no action taken to remedy the situation at hand) would be the best course of action. This option is the first one to be considered in respect of proposed measures because it concerns what consequences would ensue if no action was taken. For data retention, the impact assessment included the following consequences that were said to result if mandatory data retention was not implemented: ‘a patchwork of different national laws dealing with data retention which would hamper international cooperation, and put an increased burden on the telecommunications industry, leading to increased costs and a possible lack of innovation’ (Commission 2005c: 9). Yet, these consequences will also ensue from implementing the Data Retention Directive, arguably to a far greater extent. Accordingly, it could be argued that if no action were taken with respect to data retention, fewer economic disadvantages would arise. For instance, the Directive indicated that obstacles to the internal market would arise without a directive on data retention because of the differences in national data retention provisions (Recitals 5 and 6). However, only a few EU Member States had data retention laws in place (and in even fewer were they operational) when the Directive was being debated by European Community institutions. Logically, the costs of retention for the service providers within these Member States would be significantly less than the costs required to have all service providers within all Member States implement data retention. Efficient markets should provide consumers with lower prices, quality, diversity, and affordable and secure services (Commission 2007a: 3). It has already been demonstrated that the high costs of implementing measures may adversely affect competition, end-user prices, and may put small service providers out of business, drive others out of the market, and create barriers for entry of new, emerging service providers. The scale of these consequences is exacerbated by the differences in proposed national data retention laws and the far-reaching implications of data retention. Regulatory intervention, such as the Directive, must ensure that conditions are equal for all service providers so that ‘success or failure of intervention is a function of market responsiveness, not regulatory rules’ (Garfinkel 1994: 429). Since the Directive does not provide equal conditions for all service providers, the failure is a result of regulation. Instead of remedying the existing market failures the Directive makes the internal market worse off than it would be if the original disparities in approaches on data retention were left in place.

6 Conclusion As this article sought to show, the Data Retention Directive will result in considerable monetary costs; despite European Community institutions claim that

123

Eur J Law Econ (2012) 33:447–472

469

they had taken appropriate steps to ensure that the costs of this measure would be limited. Regardless of whether or not service providers are reimbursed by Member States for implementing the Directive, citizens may end up paying to have all of their communications data stored for a period of up to 2 years (with the possibility of extension). The Directive may also negatively impact competition and other economic policies in the European Union. The adverse economic effects of data retention might lead consumers to use international webmail services (that is, nonEU providers) and new (and even existing) market participants to take their businesses elsewhere. In short, the economic advantages of pursuing EU-wide data retention were found to be more than outweighed by its economic disadvantages. The Data Retention Directive is, therefore, a disproportionate measure. Acknowledgments I would like to sincerely thank Dr. Lucia Zedner, my DPhil thesis supervisor, for her guidance, advice, and comments on my research on the EU Data Retention Directive while studying at the University of Oxford.

References All Party Parliamentary Internet Group (APIG). (2002). APIG communications data inquiry oral evidence. http://www.apcomms.org.uk/apig/archive/activities-2002/data-retention-inquiry/oral-evidence-forthe-data-retention-inquiry/ispa-evidence.html. Accessed 18 March 2008. All Party Parliamentary Internet Group (APIG). (2003). Communications data: Report of an inquiry by the all party internet group. http://www.apig.org.uk/archive/activities-2002/data-retention-inquiry/ APIGreport.pdf. Accessed 29 April 2007. Alvaro, A. N. (2005). Report on the proposal for a directive of the European parliament and of the council on the retention of data processed in connection with the provision of public electronic communication services and amending directive 2002/58/EC (COM (2005)0438—C6-0293/ 2005—2005/0182(COD)). European Parliament Committee on Civil Liberties, Justice and Home Affairs. http://www.edri.org/docs/364679XM.pdf. Accessed 15 October 2007. Baker, S. A. (2002). Comments on the lawful access—consultation document. US ISPA. http://www. usispa.org/pdf/USISPA_Canada_Response.pdf. Accessed 10 September 2007. BDI, BITKOM & VATM (2005) Comments and amendments concerning THE Proposal for a directive of the European parliament and of the Council on the retention of data processed in connection with the provision of public electronic communication services and amending directive 2002/58/EC. http://www.bdi-online.de/BDIONLINE_INEAASP/iFILE.dll/ X6989A500C35B4ABD892C368266 6A7EEA/2F252102116711D5A9C0009027D62C80/PDF/Amendments%20BDI%20BITKOM% 20VATM%20Data%20Retention%20Directive%20EN%2013_10_05.PDF [ accessed 15 August 2007. Becker, G. S. (1968). Crime and punishment: An economic approach. Journal of Political Economy, 76, 169–217. Brauer, J. (2002). On the production of peace. France: Paper for seminar in Grenoble. Breyer, P. (2005). Joint declaration on data retention: Explanatory notes. http://www.jointdeclaration. com/jointdeclarationwithnotes.pdf. Accessed 7 May 2006. Cederschio¨ld, C. (2005). Draft opinion of the committee on the Internal market and consumer protection for the committee on civil liberties, Justice and home affairs on the proposal for a directive. http://www.europarl.europa.eu/meetdocs/2004_2009/documents/pa/587/587870/587870en.pdf. Accessed 15 October 2007. Commission (EC). (2002a). Communication from the commission on impact assessment. COM (2002) 276. http://ec.europa.eu/governance/impact/docs/key_docs/com_2002_0276_en.pdf. Accessed 13 May 2007. Commission (EC). (2002b). Report from the commission to the council and the European parliament on the state of the internal market for services COM (2002) 441. http://eur-ex.europa.eu/LexUriServ/ site/en/com/2002/com2002_0441en01.pdf. Accessed 08 December 2007.

123

470

Eur J Law Econ (2012) 33:447–472

Commission (EC). (2004a). Commission staff working paper Extended impact assessment of proposal for a directive on services in the internal market SEC (2004) 21 COM (2004)2 final. Commission (EC). (2004b). Review of the EU regulatory framework for electronic communications networks and services. Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions COM (2006) 334 final. Commission (EC). (2005a). Impact assessment guidelines SEC(2005) 791. http://ec.europa.eu/gover nance/impact/docs/SEC2005_791_IA%20guidelines_annexes.pdf. Accessed 17 March 2008. Commission (EC). (2005b). Annexes to impact assessment guidelines. http://ec.europa.eu/governance/ impact/docs/key_docs/sec_2005_0791_anx_en.pdf. Accessed 17 March 2008. Commission (EC). (2005c). Annex to the: Proposal for a directive of the European parliament and of the council on the retention of data processed in connection with the provision of public electronic communication services and amending Directive 2002/58/EC. Staff Working Document Extended Impact Assessment COM (2005) 438 final. http://ec.europa.eu/justice_home/doc_centre/police/ doc/sec_2005_1131_en.pdf. Accessed 02 October 2006. Commission (EC). (2005d). i2010—A European information society for growth and employment. Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of Regions COM (2005) 229 final. Commission (EC). (2005e). Proposal for a directive of the European parliament and of the council on the retention of data processed in connection with the provision of public electronic communication services and amending directive 2002/58/EC. http://www.euractiv.com/25/images/Draft_Dir_DR_ tcm25-144586.pdf. Accessed 13 January 2007. Commission (EC). (2006). A strategic review of better regulation in the European Union. Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions COM (2006) 689 final. http://ec.europa.eu/enterprise/ regulation/better_regulation/docs/en_689.pdf. Accessed 15 November 2007. Commission (EC). (2007a). A single market for 21st Century Europe. Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions COM (2007) 724 final. Commission (EC). (2007b). Transposition of data retention directive 2006/24/EC: Summary report. http://ec.europa.eu/justice_home/news/events/data_retention/meeting_report_30_11_07.pdf. Accessed 17 March 2008. Council Directive (EC). (2002/58). of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector [2002] OJ L 201/37. Council Directive (EC). (2006/24). of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC [2006] OJ L105/54. Council of the European Union. (2002). Answers to questionnaire on traffic data retention. http:// www.statewatch.org/news/2002/nov/euintercept-2002-11-20.html. Accessed 21 November 2007. Council of the European Union. (2005). Declaration on the EU response to the london bombing. http://www.libertysecurity.org/IMG/pdf/JHA_Council_13_July_2005.pdf. Accessed 23 November 2006. Craig, C., & Bergman, A. (2006). Data retention. Total Telecom http://www.totaltele.com/About.aspx. Accessed 4 August 2007. Danezis, G. (2007). Comments on EU cybercrime forum: Technical issues around data retention. http:// research.microsoft.com/users/gdane/papers/RetentionComments.pdf. Accessed 21 November 2007. Dilulio, J. J., Jr. (1996). Help wanted: Economists, crime, and public policy. Journal of Economic Perspectives, 10(1), 3–24. EDRI. (2005). Technical questions on data retention. http://www.edri.org/docs/Technical_Questions_ on_Data_Retention_answers.pdf. Accessed 15 October 2007. Encyclopedia of Small Business. (2007). Barriers to market entry. http://www.referenceforbusiness.com/ small/A-Bo/Barriers-to-Market-Entry.html. Accessed 18 March 2008. European Council. (2004). Declaration on combating terrorism. http://www.consilium.europa.eu/uedocs/ cmsUpload/DECL-25.3.pdf. Accessed 23 November 2006. European Parliament. (2005a). Electronic communications. Debate (30 November). European Parliament. (2005b). Data retention. Debate (13 December).

123

Eur J Law Econ (2012) 33:447–472

471

European Research into Consumer Affairs (ERICA). (2001). Statement on retention of traffic data. EU Cybercrme Forum (Plenary session, Brussels). http://www.net-consumers.org/policy/cybercrime. htm. Accessed 28 April 2008. European Union ICT Task Force Report. (2006). Fostering the competitiveness of Europe’s ICT Industry. http://ec.europa.eu/enterprise/ict/policy/doc/icttf_report.pdf. Accessed 15 October 2007. European Union Preparatory Acts. (1997). Resolution on the strengthening of the impact assessment system OJ C 150/71. European Union Preparatory Acts. (2006). Opinion of the European economic and social committee on the proposal for a directive of the European parliament and of the council on the retention of data processed in connection with the provision of public electronic communication services and amending directive 2002/58/EC (COM (2005) 438 final—2005/0182 (COD)) OJ C 69/20. Furedi, F. (2007). Invitation to terror: The expanding empire of the unknown. New York: Continuum. Garfinkel, L. (1994). The transition to competition in telecommunications services. Telecommunications Policy, 18(6), 427–431. Goodall, J. (2007). Data retention: transposition of the data retention directive into law. Data Protection Law and Policy, 4(4) [online]. GSM Europe (GSME). (2005). GSME position on data retention—implications for the mobile industry. http://www.gsmworld.com/gsmeurope/documents/positions/2005/gsme_position_data_retention.pdf . Accessed 15 September 2007. Hutty, M. (2005). Memorandum on mandatory data retention: Proposed european framework decision and proposed european directive. London internet exchange http://publicaffairs.linx.net/ public/Data_Retention_memo_2005-11-30.pdf. Accessed 10 September 2007. Information Technology Association of America (ITAA). (2004). Comments on the 30 July 2004 consultation document on traffic data retention (the ‘‘Consultation’’) from the directorates-general for information society and justice and home affairs. http://www.ustr.gov/assets/World_Regions/ Europe_Middle_East/Transatlantic_Dialogue/Public_Comments/asset_upload_file557_7049.pdf. Accessed 15 August 2007. Information Technology Association of America (ITAA). (2005). Comments: On the 27 July 2005 European Commission Interservice consultation proposal for a data retention directive a harmonized and proportionate compromise. http://www.itaa.org/eweb/upload/FINAL_DataReten tionComments_09062005.pdf. Accessed 4 August 2007. Information Technology Association of America (ITAA). (2006). Data retention advisory. http:// www.itaa.org/global/docs/ITAA_DataRetentionAdvisory.doc. Accessed 15 September 2007. International Chamber of Commerce (ICC) et al. (2003). Common industry statement on storage of traffic data for Law enforcement purposes. http://www.iccwbo.org/uploadedFiles/ICC/policy/e-business/ Statements/Common_Industry_Statement_on_Storage_of_Traffic_Data_June03.pdf. Accessed 4 August 2007. Internet Data Retention for 332 Million Euro. (2007). Mittelstands Wikki. http://www.just4business.eu/ 2007/09/internet-data-retention-for-332-million-euros. Accessed 13 September 2007. Internet Society of England. (2002). Response from ISOC England to the parliamentary All party internet group’s consultation on the retention of and access to communications data for law enforcement purposes. http://www.apcomms.org.uk/apig/archive/activities-2002/data-retention-inquiry/ writtenevidence-for-the-data-retention-inquiry/isoc.pdf. Accessed 18 March 2008. Koops, B. -J., & Bekkers, R. (2007). Interceptability of telecommunications: Is US and Dutch Law prepared for the future? Telecommunications Policy, 31, 45–67. Libin, N. (2006). Mandatory data retention poses major concerns, may have little benefit. Center for Democracy and Technology. http://www.cdt.org/privacy/20061113dataretention.pdf. Accessed 23 November 2008. Lipsey, R. G., & Chrystal, K. A. (2004). Economics (10th ed.). Oxford: Oxford University Press. Logica, C. M. (2007). Whitepaper on EU data retention directive. http://www.logica.com/library/getfile.aspx?fileId=7205. Accessed 17 March 2008. Mankiw, N. G. (2001). Principles of economics. Orlando Florida: Harcourt College. Maras, M.-H. (2008). From targeted to mass surveillance: The costs and consequences of mass data retention. DPhil Thesis, University of Oxford. Maras, M.-H. (forthcoming-a). The social consequences of a mass surveillance measure: What happens when we become the ‘‘Others’’?’ Maras, M.-H. (forthcoming-b). While the EU was sleeping, the directive was passed: The political consequences of mandatory data retention.

123

472

Eur J Law Econ (2012) 33:447–472

Merton, R. K. (1936). The unanticipated consequences of purposive social action. American Sociological Review, 1(6), 894–904. Mitchell, D. J. (2005). Fighting terror and defending freedom: The role of cost-benefit analysis. PACE Law Review, 25, 219–233. Ordinance of the Federal Minister of Justice over the reimbursement of costs for the assistance in the ¨ berwachungskostenverordnung—U ¨ KVO) Federal Law Surveillance of Telecommunication (U Gazette II, No. 322/2004. Parkin, M. (2005). Economics (7th ed., p. 114). London: Pearson. Privacy International. (2007). PHR2006—United Kingdom of Great Britain and Northern Ireland. http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-559479. Accessed 17 March 2008. Retzer, K., & Vanto, J. (2007). Data retention: Denmark is first EU member state to implement controversial directive. Privacy and Security Law Report, 6(18), 1–4. Retzner, K., & Schu, R. (2006). Data retention–a bone of contention. Electronic Business Law, 8(1), 6–11. ¨ sterreichische Schro¨der, C., & Laurant, C. (2003). Outline—comments—relevant links: Der O Verfassungsgerichtshof (Austrian Federal Constitutional Court) VfGH, G 37/02 ua, February 27, 2003’ Electronic Privacy Information Center. http://www.epic.org/privacy/intl/austrian_vfgh022703.html. Accessed 15 September 2007. Taylor, M. (2006). The EU data retention directive. Computer Law and Security Report, 22, 309–312. UK Presidency Paper (2005). Liberty and security: Striking the balance. http://www.edri.org/docs/ UKpresidencypaper.pdf. Accessed 24 November 2006. Waldron, J. (2004). Terrorism and the uses of terror. Journal of Ethics, 8(1), 5–35. Werle, R. (1999). Liberalisation of telecommunications in Germany. In K. A. Eliassen & M. Sjovaag (Eds.), European telecommunications liberalisation. London: Routledge. Whitley, E. A., & Hosein, I. (2005). Policy discourse and data retention: The technology politics of surveillance in the United Kingdom. Telecommunications Policy, 29, 857–874. World Information Technology and Services Alliance (WITSA). (2004). Background paper on traffic data requirements and cooperation with law enforcement authorities. http://www.witsa.org/papers/ DataRetention-final.pdf. Accessed 23 November 2007.

123