The epic war over retaining personal data in the European Union, while far from over, could be reaching a turning point.

An internal EU report on its data retention policy - leaked to an Austrian civil rights group - shows some concern about whether Brussels can actually prove a need for retaining data.

In 2006, the EU approved its so-called Data Retention Directive, in a bid to combat terrorism, following bomb attacks in Madrid and London.

The measure calls for the storage of telephone and Internet information, such as names and addresses of the communicating parties as well as the time and data of the communication. The legislation, however, doesn't require the content of phone calls or e-mails to be saved.

The report, which the civil rights group Quintessenz posted on its website, speaks of "a continued perception that there is little evidence at an EU and national level on the value of data retention in terms of public security and criminal justice."

Viktor Mayer-Schönberger says he's looking forward to a re-examination of the directive

Feast for critics

It calls on all member states and not just "a minority" to prove "convincing evidence of the value of data retention for security and criminal justice."

The document is proving to be a feast for critics of the EU's controversial data retention policy.

"I'm delighted to see the report," said Viktor Mayer-Schönberger, a professor at the Oxford Internet Institute. "It's always good to see people correct themselves. Data retention is a very blunt tool, with a lot of negative repercussions and consequences."

Joe McNamee, advocacy co-coordinator with European Digital Rights in Brussels, goes one step further and questions the entire EU effort.

"No country can or should accept a directive that restricts fundamental rights if that directive is not demonstrably necessary," he wrote in an e-mail to Deutsche Welle.

"The document from the Commission shows that, despite having been in force for years in numerous EU member states, the measure is not demonstrably necessary or proportionate. In this context, it is difficult to show how a legal – and therefore acceptable – proposal on data retention could be made."

In 2011, Malte Spitz published an interactive map of his own data that had been captured due to data retention

Not everyone is onboard

Implementation of the six-year-old direction has been all but perfect, marred by irregularities across the European bloc. Some countries, like Germany, the Czech Republic and Romania introduced domestic laws, which were subsequently overturned by the constitutional courts.

To overcome these and other issues, the European Commission hopes to put proposals for a new directive on the table this summer. But a growing number of experts question whether the Commission will muster sufficient support for the new legislation.

"The problem that the Commission finds itself in at the moment is that it appears to believe it is not capable of pushing through a proposal that would be legal and finds itself trying to defend the current proposal, which it quite obviously believes to be illegal," McNamee added. "If the EU cannot show, despite years of experience, that legally mandated data retention is necessary, the only logical conclusion is that it is not necessary."

Stop monitoring people

In April 2011, Malte Spitz, a member of the German parliament, published a vast interactive database revealing six months of data gathered by his mobile phone provider, Deutsche Telekom. He did it as a way to show what six months of such data actually looks like and as a way to take a stand for better privacy.

"In its report, the EU admits itself there is no scientific proof data that retention is necessary," he wrote in an e-mail to Deutsche Welle. "Data retention must be ended – across Europe. The development over the past years to control and monitor people must stop."

Author: John Blau

Editor: Cyrus Farivar