EU Forum on
CyberCrime discussion paper for Expert’s Meeting on Retention
of Traffic Data, 6 November 2001
This is an informal Working Paper prepared by the Commission services but this paper will be discussed at the Plenary session of the EU Forum on CyberCrime, Brussels, 27 November 2001. Important questions include: What data need to be retained and for how long? What are the kind of data most often required by law enforcement?
In what concrete cases do law enforcement authorities get traffic data from electronic CSPs? Have there been cases where absence of data has led to failure to investigate? Why does mandatory retention pose legal problems with regard the ECHR? Would mandatory transfer of the necessary data to a trusted third party infringe personal data protection ?
New Scientist, European ministers approve cybercrime convention, 09 November, 2001
European Commission, Proposal for a COUNCIL FRAMEWORK DECISION on combating serious attacks against information systems, Brussels, COM(2001)
The objectives of this Council Framework Decision are therefore to approximate criminal law in the area of serious attacks against information systems, in particular to contribute to the fight against organised crime and terrorism, and to ensure the greatest possible police and judicial co-operation in the area of criminal offences related to attacks against information systems. It is not intended to require Member States to criminalise minor or trivial conduct. It is clear from Article 47 of the Treaty on European Union that this Framework Decision is without prejudice to Community law. In particular, it does not affect privacy or data protection rights and obligations provided for under Community law such as in Directives 95/46 and 97/66. It is not intended to require Member States to criminalise breaches of rules on access to / disclosure of personal data, secrecy of communications, security of processing of personal data, electronic signatures20 or intellectual property violations and it does not prejudice the Directive 2000/31 “on certain legal aspects of information society services, in particular electronic commerce, in the internal market”.
These are important issues, but they are already covered by existing Community legislation. Any approximation of criminal law in these areas to meet Community law
objectives, such as the protection of personal data or intellectual property, therefore needs to be considered using the framework of Community law rather than Title
VI of the TEU. For these reasons, this Framework Decision limits itself to addressing the conduct described in points (a)-(c) in section 1.1.
Legislative action at the level of the European Union also needs to take into account developments in other international fora. In the context of approximation of substantive criminal law on attacks against information systems, the Council of Europe (C.o.E.) is currently the most far-advanced. The Council of Europe started preparing an international Convention on cyber-crime in February 1997, and is expected to complete this task by the end of 2001.22 The draft Convention seeks to approximate a range of criminal offences including offences against the confidentiality, integrity and availability of computer systems and data. This Framework Decision is intended to be consistent with the approach adopted in the draft Council of Europe Convention for these offences.
In G8 discussions on high tech crime, two major categories of threats have been identified. First, threats to computer infrastructures, which concern operations to disrupt, deny, degrade or destroy information resident in computers and computer networks, or the computer and networks themselves. Secondly, computer-assisted threats, which concern malicious activities, such as fraud, money laundering, child pornography, infringement to intellectual property rights and drug trafficking, which are facilitated by the use of a computer. This proposal deals with the first category of threats.
Approximation at the level of the EU should take into account developments in international fora and should be consistent with current Community policies. This proposal also seeks to provide greater approximation within the EU than has been possible in other international fora.
European Commission Communication, on Creating a
Safer Information Society by Improving the Security of Information
Combating Computer-related Crime, COM(2000) 890 final, February 2001, at http://europa.eu.int/ISPO/eif/InternetPoliciesSite/Crime/CrimeCommEN.html