Unauthorized global surveillance has had everyone’s outrage directed at the NSA. But a recent revelation by the Dutch sheds light on how Europe’s own otherwise forgotten data retention law was systematically abused by its telecom and internet providers.
Following a freedom of information request, Dutch digital rights organization Bits of Freedom publicizes a report, which details an exposing study into activities of local telecommunication operators and ISPs.
Though the study was concluded all the way back in April 2012, it has failed to lead to the prosecution of all parties guilty of misusing user metadata and abusing data retention directives by illegally advertising to their customers, the group says.
The report by the Radiocommunications Agency of the Dutch Ministry of Economic Affairs revealed that, following a mandatory survey of internet and telecom providers, at least 40 out of 229 companies who participated, used people’s meta-data "solely for purposes other than the legally permitted processing goals.”
Technology media, events and research company, International Data Group (IDG), wrote that the number would be even greater if it included companies that admitted to both legal and illegal use of the data, stipulated in the European Commission’s Data Retention Directive of 2006.
According to the government report, any use of private information for purposes other than billing requires the provider to obtain user consent, which that user may withdraw at any time. However, only 147 companies of the 229 surveyed had admitted to asking.
The EC website details the law as requiring “operators to retain certain categories of data (for identifying users and details of phone calls made and emails sent, excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism.”
The Netherlands’ own version of the directive was passed in 2009
and required telecom providers to store metadata for up to a
year, and six months for their internet counterparts.
The government radio-com agency’s spokeswoman, Mariel Van Dam,
explained that because the law was still fresh at the time, the
findings of the agency’s study were played down and nothing came
of them. "We said that we should give the companies a chance
to comply with the law."
A follow-up study currently being conducted should pick up where the previous one left off, with results expected no later than 2014. That is the point the communications agency plans to start actually enforcing the law.
A maximum fine of 250,000 euro ($339,000) will be instituted, Van Dam said.
Bits of Freedom is presently calling for an end to the data retention law, for fear of its misuse by communications providers and the government alike. They are firstly asking the EU to lower its mandatory time frames for information storage and, in the end, to abolish data retention across the continent as a whole.
However, only the European Commission can decide that, meaning the Dutch really have no power over how the law affects their country.
European Digital Rights (EDRi), an organization dedicated to promoting civil and privacy laws, joined the chorus. Its executive director, Joe McNamee said in an email to the IDG that "It is nothing less than disgraceful that the European Commission has repeatedly taken Member States to court for failing to implement the Directive, but has not lifted a finger to take action when the Directive was implemented in ways that undermined the fundamental rights of European Citizens."
This attention given to Europe’s information retention law comes
very shortly after, across the Atlantic Ocean, Google was
embroiled in its own scandal and getting pummeled with a
combination of lawsuits against its Maps and Gmail services. The
latter assumed that utilizing user data to compile user-specific
advertising is not an invasion of their privacy.