Implementation EC Data Retention Directive

28 June 2007

Belgium

Has consultation started?

No.

Formal consultation has not commenced and there has been little public debate on the implementation of the Data Retention Directive.

The government has not published draft legislation implementing the Directive. Belgium already has data retention legislation (Article 126 of the Belgian Electronic Communications Act of 13 June 2005 (“ECA”)) which predates the Directive and provides for a data retention period of a minimum of 12 and a maximum of 36 months. A royal decree is still required to implement Article 126 (issues to address include, for example: the type of data to be retained, the exact retention period(s) and the conditions for retention).

Expected implementation date for Telephony Data

It was expected that the Belgian government would amend a provision of the ECA to implement the obligations of the Directive by 31 December 2005. However, this deadline was extended by two years to 31 December 2007

It seems unlikely that this Directive will be implemented before Belgium’s federal elections, due on 10 June 2007.

Expected implementation date for IP Data

Belgium has requested a postponement of the application of the Directive for a period of 36 months after adoption as permitted by Article 15(3) of the Directive.

Are there any specific security requirements?

It remains unclear how Belgium will implement the specific security and storage requirements set out in the Data Retention Directive.

Can companies recover the cost of complying with the Directive?

The position of Belgium on this issue is unclear.

Germany

Has consultation started?

Discussions with LEAs (Law Enforcement Agencies), data protection officers as well as with Ministry of Justice

Expected implementation date for Telephony Data

15 Sep 2007.

Expected implementation date for IP Data

According to the Cabinet's decision IP data retention obligations are intended to become binding by 1 January 2008. Infringement will not be sanctioned, however, before 1 January 2009.

Are there any specific security requirements?

Likely that the data will be handled (in technical and operation terms) under the general security regulations relating to personal data.

Can companies recover the cost of complying with the Directive?

Yes

Italy

Rules on telephone and internet-traffic data retention have been in place in Italy since August 2005.
(see Article 6 of the Decree dated
27 July 2005, n. 144 on Urgent Measures against International Terrorism
(“Anti-terrorism Act”))

Has any consultation started?

Not yet. The detailed framework for the implementation of the Directive is not available yet.

Expected implementation date for Telephony Data

The Directive will be implemented by 4 May 2008. However, rules on the retention of telephony data have been introduced in the Anti-terrorism Act. (Article 6 requires providers of publicly available electronic communications services or any public communications network within Italian jurisdiction to retain telephone traffic data which allow the traceability of access and services used until 31 December 2007. The article overrules any other legislation which requires the deletion of data.)

Expected implementation date for IP Data.

Same principles and legislation apply as for telephony data.

Are there any specific security requirements?

No specific security requirements are stated in the Anti-terrorism Act. Currently, data must be handled in accordance with the security provisions on processing personal data as set forth by relevant Italian legislation, namely, D.Lgs. 196/2003 (such as, computerised authentication, implementation of authentication credentials management procedures, use of an authorisation system, etc.).

The Italian Data Protection Authority is expected to issue regulations regarding the retention of traffic data (Italian Data Protection Code, sect. 132, and the Anti-terrorism Act). Currently the rules issued by the Italian Data Protection Authority apply.

Can companies recover the cost of complying with the Directive?

The current Anti-terrorism Act does not allow companies to recover the cost of complying with data retention rules.

Privacy & Data Protection Group



The
Netherlands

Has any consultation started?

Yes. Informal working group consultation commenced in April 2006 with representatives from both government and industry.

In Spring 2007 a draft bill was published and the final Bill is expected to be presented to Parliament in May-June.

Expected implementation date for Telephony Data

The Directive seems very ambitious.

Expected implementation date for IP Data

The annex to the Directive includes a declaration from the Netherlands that would postpone the transition for Internet access, Internet telephony and Internet e-mail, for a period of max 18 months following the date of entry into force of the Directive.

Are there any specific security requirements?

Can companies recover the cost of complying with the Directive?

Yes – but presumable no full recovery of cost, and certainly no compensation for the investment in system / network adjustments.

Spain

Has any consultation started?

No consultation has been announced so far.

Expected implementation date for Telephony Data

There is no expected implementation date currently.

The draft legislation that was recently approved still has to go through Parliament for debate and approval. The final version approved by Parliament may differ substantially.

Expected implementation date for IP Data

The draft legislation does not make distinction between Telephony Data and IP Data. Therefore, the implementation date will be the same for both types of data.

Are there any specific security requirements?

The requirements in the draft legislation include: identification of the specially authorised personnel, as well as the appropriate technical and organisational security measures, in order to prevent data being manipulated or used for means other than those contained in the law.

The draft legislation refers to general Spanish regulations on security of personal data protection (see the Spanish Data Protection Act and Royal Decree on Security Measures).

Can companies recover the cost of complying with the Directive?

No, companies will have to cover their own costs in complying with the Directive and the draft legislation.


Sweden

Has any consultation started?

Yes.

The official government investigation into the implementation of the Data Retention Directive (“The Traffic Data Investigation”) consists of one investigator, aided by a secretary and a working expert, who are assisted by experts from various authorities and relevant groups from the Swedish Parliament, industry (the “technical reference group”) and others such as the customs service and the Swedish Security Service.

Expected implementation date for Telephony Data

No implementation date currently exists.

Sweden has declared that it wishes to have the option of postponing application of the Directive to the retention of communications data relating to internet access, internet telephony and internet e-mail. The Traffic Data Investigation is expected to complete its work, and present legislation to implement the Directive, by 1 November 2007.

Expected implementation date for IP Data

See above.

Are there any specific security requirements?

See above.

Can companies recover the cost of complying with the Directive?

This is being discussed with the reference groups.


The
UK

Has any consultation started?

Yes, the UK government launched its consultation in March 2007. The consultation is due to end in June 2007.

Expected implementation date for Telephony Data

The consultation document states that the UK is seeking permission to fix the commencement date of the implementing regulations at 1 October 2007.

Expected implementation date for IP Data

The UK Government has announced that it will delay implementation until no later than 15 March 2009.

Are there any specific security requirements?

“Appropriate technical and organisational security measures.” have been mentioned.

Measures should be taken to ensure that the data can only be accessed by specially authorised personnel, although it is unclear who such personnel would be.

Can companies recover the cost of complying with the Directive?

Yes. Any additional expenses incurred in complying with the Directive will be reimbursed. The expenses have to be notified to the Home Secretary and agreed in advance.