Implementation of the Data Retention Directive as at February 2008

18 March 2008

Belgium

Status of legislation

The government has not yet published any draft legislation implementing the Directive. Formal consultation on the legislation has not commenced and it remains unclear whether the Belgian (interim) government will consult.

Belgium already has data retention legislation (Article 126 of the Belgian Electronic Communications Act of 13 June 2005 (“ECA”)) which predates the Directive and allows data to be retained for 12-36 months. A royal decree is still required to implement Article 126 (issues to address include the type of data to be retained, the exact retention period(s) and the conditions for retention).

A draft law amending Article 126 of the ECA is required, together with two draft royal decrees to implement the Directive further.

Expected implementation date for Telephony Data

It was expected that the Belgian government would amend a provision of the ECA to implement the Directive by 31 December 2005. However, this deadline was extended by two years to 31 December 2007, and the extended deadline was not met.

It seems unlikely that the Directive will be implemented within the next few weeks as several public bodies (such as the national regulatory authority for telecommunications) are currently working on the final drafts to be submitted to the government. In addition, the Privacy Commission will have to be consulted on the draft legislation.

Expected implementation date for IP Data

Belgium has requested a postponement of the application of the Directive for a period of 36 months after adoption. However, the government will now implement the provisions relating to IP data together with the provisions for telephony data.

Are there any specific security requirements?

It remains unclear how Belgium will implement the specific security and storage requirements set out in the Data Retention Directive.

Can companies recover the cost of complying with the Directive?

The position on this issue remains unclear. This may be subject to political debate once the draft texts are tabled.

Germany

Status of legislation

On 21 December 2007, the Directive was implemented into German Law with the adoption of the “Act on the Revision of Telecommunications Surveillance and other Concealed Investigation Activities as well as on the Implementation of Directive 2006/24/EC” ("Gesetz zur Neuregelung der Telekommunikationsüberwachung und anderer verdeckter Ermittlungsmaßnahmen sowie zur Umsetzung der Richtlinie 2006/24/EG").

The Act amends a number of German Acts, most significantly the German Telecommunications Act ("Telekommunikationsgesetz", TKG) and the German Criminal Procedure Act ("Strafprozessordnung"). It came into force on 1 January 2008.

Implementation date for Telephony Data

1 January 2008. However, if companies fail to comply with data retention obligations there will be no sanctions before 1 January 2009.

Implementation date for IP Data

ISPs must comply with data retention obligations by 1 January 2009.

Are there any specific security requirements?

No, data must be handled (in technical and operational terms) in compliance with the general security regulations relating to personal data.

Can companies recover the cost of complying with the Directive?

Compensation for costs of data collection and data retention will not be granted. However, specific requests by law enforcement agencies are subject to compensation at an hourly rate of no more than €17 under Section 23 of the German Act on Compensation and Reimbursement by the Judiciary ("Justizvergütungs- und -entschädigungsgesetz", JVEG). The JVEG may be amended. However, a significant increase of the compensation rate is not expected.

Italy


Rules on telephone and internet-traffic data retention have been in place in Italy since August 2005 (see Article 6 of the Decree dated 27 July 2005, n. 144 on Urgent Measures against International Terrorism (“Anti-terrorism Act”)).

Status of legislation

Consultations between various authorities have started: a first draft of the implementing legislation (not yet available) has been submitted by the Italian government to the Data Protection Authority for comments.

On 17 January 2008, the Italian Data Protection Authority issued a regulation on the retention of telephone and internet data for crime prevention purposes. For the purpose of this regulation, the telephony and internet data to be retained are those listed under section 5 of EU Directive 2006/24/CE.

Expected implementation date for Telephony Data

The Directive should be implemented by 4 March 2008.

However, rules on the retention of telephony data have already been introduced by the Anti-terrorism Act. Article 6 requires providers of publicly available electronic communications services or any public communications network within the Italian jurisdiction to retain telephone traffic data (information about access and services used) until 31 December 2008. This legislation overrules any other legislation which requires the deletion of data.

Expected implementation date for IP Data

Same principles and legislation apply as for telephony data.

Are there any specific security requirements?

The Anti-terrorism Act does not set out any specific security requirements. Currently, data must be handled in accordance with the security provisions in Italian data protection legislation and with the additional security measures set out in the Italian Data Protection Authority’s regulation dated 17 January 2008.

In particular, the Italian Data Protection Authority regulation requires the following main measures: specific technical provisions relating to the use of strong authentication systems with coordinated use of at least two technologies (one of the two should be based on biometric features); separate storage of telephone and internet data retained for crime prevention purposes; specific appointment of persons responsible for data processing; immediate removal of telephone and internet data after the legal retention period; audit activities; proper documentation of systems; data coding and protection against the risk of unauthorised data access.

Electronic communication providers must comply with this regulation by 31 October 2008.

Some of those additional measures are imposed on electronic communication providers in relation to processing of telephone and Internet traffic data for the purposes of invoicing, payment and marketing of services.

Can companies recover the cost of complying with the Directive?

The current Anti-terrorism Act does not allow companies to recover costs.

Recent regulation of the Italian Data Protection Authority states that in determining the security measures to be implemented by electronic communication providers the costs and impact on various technical providers have been taken into account.

However, it is possible that the forthcoming implementation legislation may allow for recovery of costs.


The Netherlands

Status of legislation

Informal working group consultation commenced in April 2006 with representatives from both government and industry.

On 14 September 2007 a Bill was sent to Parliament. The Minister of Justice hopes that the Bill will be adopted before the summer recess. This seems rather ambitious, though.

Expected implementation date for Telephony Data

Summer 2008.

Expected implementation date for IP Data

The annex to the Directive includes a declaration from The Netherlands that would postpone the transition for internet access, internet telephony and internet e-mail for a maximum period of 18 months following the date the Directive entered into force (i.e. 15 March 2006). This implies that this part of the Directive should have been implemented in November 2007.

In the explanatory memorandum to the Bill the Minister seems to take the view that The Netherlands only has to implement IP Data requirements 18 months after the date mentioned in Art. 15 of the Directive (i.e. 15 September 2007), so March 2009.

Are there any specific security requirements?

Yes. Providers have to implement security measures.

Can companies recover the cost of complying with the Directive?

Yes – but no full recovery of cost, and no compensation for the investment in system and network adjustments.

Spain

Status of legislation

The Directive was implemented in Spain through Law 25/2007, dated 18 October 2007, on the retention of data related to electronic communications and public communications networks.

Implementation date for Telephony Data/IP Data

The Law does not make a distinction between Telephony Data and IP Data for these purposes. Therefore, the implementation date is the same for both types of data.

The Law entered into force on 9 November 2007.

Nevertheless, providers of electronic communications services and public communications networks have 6 months from the date the law entered into force to adapt their equipment and technical means to comply with these provisions.

Are there any specific security requirements?

Article 8 of the Law established the protection and security requirements. This Law refers to general personal data protection legislation (i.e. Act 15/1999, on Data Protection and Royal Decree 994/1999, on the Regulation on Security Measures). The current Regulation developing the Data Protection Act (which has recently been approved but has not yet been published) requires that traffic and location data be subject to medium-level security measures and to a particularly high-level security measure. Therefore, if the draft regulation is finally approved with its current wording, operators will have to apply additional security measures to this kind of data.

Article 8 states that specifically authorised personnel who can access the personal data must be identified; they should adopt appropriate technical and organisational security measures in order to prevent data being misused and to prevent its destruction, loss and unauthorised disclosure.

In particular, obligations related to (i) quality of the data and (ii) appropriate level of protection shall be as contained in Act 15/1999 on Data Protection and the legislation developing it.

Can companies recover the cost of complying with the Directive?

No, companies will have to cover their own costs in complying with the Directive and the new Law.


Sweden

Has any consultation started?

The official government investigation into the implementation of the Data Retention Directive (“The Traffic Data Investigation”) presented its Official Government Report, SOU 2007:76, in November 2007. The Official Government Report has been referred to the relevant bodies, whose comments are due by 14 March 2008. It is expected that once comments have been submitted a draft bill will first be referred to the Council on Legislation for comments before it is submitted to the Swedish parliament in Autumn 2008.

Expected implementation date for Telephony Data

The Traffic Data Investigation suggested that the implementation date will be 1 January 2009.

Expected implementation date for IP Data

Sweden has declared that it will use the option to postpone application of the Directive to the retention of data relating to internet access, internet telephony and e-mail, and that it will implement regulations regarding telephony data at the same time as these types of data.

Are there any specific security requirements?

The Traffic Data Investigation has suggested that companies shall take special technical and organisational security measures to ensure sufficient protection when processing retained traffic data.

Can companies recover the cost of complying with the Directive?

The Traffic Data Investigation suggested that companies should pay for adapting their systems and that authorities that apply to have data handed over to them should pay compensation for this, at a level established by the government.

The UK

Status of legislation

The Data Retention (EC Directive) Regulations 2007 were agreed by Parliament on 26 July 2007, and came into force on 1 October 2007.

Implementation date for Telephony Data

The Data Retention Regulations only cover Telephony Data (which came into force in October 2007).

Expected implementation date for IP Data

The UK Government has announced that it will delay implementation until no later than 15 March 2009.

Are there any specific security requirements?

Data must be subject to appropriate technical and organisational measures to protect the data against accidental or unlawful destruction, accidental loss or alteration, or unauthorised or unlawful storage, processing, access or disclosure.

Measures should be taken to ensure that the data can only be accessed by specially authorised personnel, although it is unclear who such personnel would be.

Can companies recover the cost of complying with the Directive?

Any additional expenses incurred in complying with the Directive may be reimbursed. The expenses have to be notified to the Home Secretary and agreed in advance.