EU adopts Data Retention Directive

24 May 2006

Peter Van de Velde

Introduction

On 15 March 2006, the controversial Data Retention Directive (hereafter “the Directive”) was finally adopted by the European Parliament and the Council of the European Union[1].

The Directive aims to harmonise the national provisions of the Member States concerning the obligations of providers of publicly available electronic communications services and networks with respect to the retention of certain data which are generated or processed by them, in order to ensure that the data are available for the purpose of the investigation, detection and prosecution of “serious crime” (as defined by each Member State in its national law).

Background

The Directive has been subject to extensive debate and controversy because of its significant implications for the communications industry (ISPs, telecoms operators, etc.) and the related privacy and cost issues.

In the aftermath of the terrorist attacks in Madrid, an initial proposal for new legislation was introduced in April 2004 by four Member States (the UK, Ireland, France and Sweden). The idea was to adopt a Framework Decision under the EU’s third pillar (i.e. cooperation in the fields of justice and home affairs). The draft Framework Decision was, however, rejected by the European Parliament (during the consultation procedure).

The current Directive stems from a proposal introduced by the European Commission in September 2005 as a reaction to the draft Framework Decision. The Commission’s proposal was based on Article 95 of the EU Treaty (approximation of law in the internal market). The proposal was approved in a co-decision with the European Parliament, but the discussion on the appropriate legal basis for the Directive is not yet over: Ireland and Slovakia voted against the proposal and announced that they would challenge the Directive before the European Court of Justice.

Existing legal framework for data retention

Until now, the EU legal framework in relation to data retention consisted of the Data Protection Directive 95/46/EC and the e-Privacy Directive 2002/58/EC (which translates the general principles of the Data Protection Directive into specific rules for the electronic communications sector).

Articles 5, 8 and 9 of the e-Privacy Directive lay down the rules that apply to the processing by network and service providers of traffic and location data generated by using their electronic communications services. The e-Privacy Directive provides that such data must be erased or made anonymous when no longer needed for the purpose of the transmission of the communication, except for the data necessary for billing or interconnection payments, or for marketing purposes and the provision of value-added services (subject however to the consent of the data subject).

The legislation of most Member States is in line with these principles. Several Member States however also adopted legislation providing for the retention of data for law enforcement purposes (i.e. the prevention, investigation, detection and prosecution of criminal offences)[2].

The differences, however, between the various national provisions governing data retention for law enforcement purposes are considered to present an obstacle to the internal market for electronic communications since service providers may be faced with different requirements (e.g. different retention periods) in different countries. The Directive therefore aims at harmonising these provisions to the maximum extent possible.

Nevertheless, the main reason for adopting the Directive seems to be the need for the Member States’ law enforcement agencies to have at their disposal a legal instrument that ensures the availability of data in their fight against terrorism and other serious crime.

Scope and implications of the Directive

The Directive applies to traffic and location data on both natural persons and legal entities and to related data necessary to identify subscribers or users. It does not apply to the content of electronic communications: no data revealing the content of a communication may be retained.

The retention period for this data may not be less than six months and not more than two years from the date of the communication. Operators may thus be required to retain records of e-mails, phone calls, faxes, text messages, etc. until two years after the date of the communication. During that period, operators will need to be able to trace and identify the source, destination, location, type, date, time and duration of an electronic communication, as well as details with regard to internet, e-mail and internet telephony connections. The exact categories of data to be retained are listed in Article 5 of the Directive.

In addition, operators should retain the data in such a way that they can be transmitted upon request to the competent authorities “without undue delay”. Not only will operators thus be required to store huge amounts of data, they will also need to ensure that they can promptly identify and retrieve those data following a request of the competent law enforcement authorities[3].

It is further made explicitly clear that only the competent national (law enforcement) authorities may be granted access to the retained data, in specific cases and in accordance with national law. Each Member State needs to define the conditions for such access, taking into account the principles of necessity and proportionality[4].

Data security principles

With regard to the data retained, the Directive also imposes a minimum set of data security principles to be ensured by the providers of electronic communications services and networks:

(i) retained data needs to be of the same quality and needs to be subject to the same security and protection as data on the network;

(ii) retained data needs to be subject to appropriate technical and organisational measures to protect the data against accidental or unlawful destruction, or accidental loss or alteration, unauthorised or unlawful storage, processing, access or disclosure;

(iii) retained data needs to be subject to appropriate technical and organisational measures to ensure that access to the data can only be undertaken by specially authorised personnel; and

(iv) retained data needs to be destroyed at the end of the retention period, except those that have been accessed and preserved.

Member States are also required to designate a public authority for the monitoring of the application within their territory of the provisions adopted regarding the security of stored data. This authority may be, for example, the local data protection authority.

Member States further need to ensure that the remedies, liabilities and sanctions provided for in the Data Protection Directive 95/46/EC are made fully applicable to the processing of data under the Directive. In particular, Member States should take the necessary measures to ensure that any intentional access to, or transfer of, retained data is made punishable by criminal sanctions that are effective, proportionate and dissuasive.

Privacy and cost issues

At the heart of the debate surrounding the Directive were, on one side, the privacy and fundamental rights concerns of the civil liberties community, and on the other side, the financial concerns of the e-communications industry.

In its Opinion WP 113 on the draft Directive[5], the Article 29 Data Protection Working Party had already voiced its concerns with regard to the potentially far-reaching impact on data privacy and the fundamental right to confidential communications, guaranteed to individuals by Article 8 of the European Convention on Human Rights. The Working Party put forward a set of 20 specific data protection safeguards that it wanted to see addressed by the Directive.

In its Opinion WP 119 on the final text of the Directive[6], the Article 29 Data Protection Working Party maintains a list of 7 minimum safeguards for the protection of retained data from unauthorised access. Member States are urged to introduce such safeguards when implementing the Directive into national law. The safeguards should at least address the following issues: purpose specification (i.e. clear definition of the term “serious crime” used in the Directive), access limitation (to specifically designated law enforcement authorities), data minimisation, no large-scale data mining, judicial/independent scrutiny of authorised access, no processing by providers for other purposes than those allowed under the Directive, separation of storage systems, definition of minimum security standards (specifying the general principles set out by the Directive).

Other EU privacy authorities have also officially criticised the (draft) Directive[7].

The e-communications industry, for its part, was rather concerned by the financial impact of the Directive on its business. This includes not only the cost of storing the retained data, but also the cost of the additional security measures and of the search facilities needed for the immediate identification and retrieval of the requested data.

In its original proposal, the European Commission provided that Member States would be obliged to reimburse operators for additional costs which could be shown to have been incurred as a result of the Directive. The European Parliament, however, deleted this section. Operators will thus have to absorb the additional costs as part of their normal operating costs. Nevertheless, Member States may still decide to allow for reimbursement through their national law provisions (as is actually already the case in some Member States).

Transposition into national law

The Directive needs to be transposed into national law by 15 September 2007, but Member States may postpone application of the Directive to the retention of data relating to internet access, internet telephony and e-mail. A number of Member States have already taken this option[8].

Before 15 September 2010, the European Commission will make an evaluation of the application of the Directive and its impact on the industry and consumers. The Commission will in particular need to determine whether the list of data to be retained and the periods for retention need to be amended.

[1] Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, O.J., L105/54 of 13 April 2006.

[2] For example, in Belgium, Article 126 §2 of the e-Communications Act of 13 June 2005 provides for a retention period of minimum 12 months and maximum 36 months for the purposes of law enforcement. The exact period needs to be determined by Royal Decree.

[3] Belgian law, for example, currently requires operators to keep the retained data “fully accessible from Belgium” (Article 126 §2 of the e-Communications Act of 13 June 2005).

[4] Meanwhile, the US has already indicated that it also wants access to the retained data and that it will approach each Member State to ensure that the collected data are made available to it in the context of its fight against terrorist use of the Internet.

[5] Opinion 113/2005 on the Proposal for a Directive of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, WP 113, adopted on 21 October 2005.

[6] Opinion 3/2006 on the Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, WP 119, adopted on 25 March 2006.

[7] Cf. Opinion of the European Data Protection Supervisor on the Proposal for a Directive of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, O.J., C298 of 29 November 2005.

[8] For example, Belgium made a declaration that it will postpone application of the Directive for this type of data until 36 months after the date of the adoption of the Directive (i.e. until 15 March 2009).