While the Data Protection regime of the European Union is going through a facelift and amendments are expected to be published by 2012, the European Commission has announced that it is embarking onto another major project that focuses on the protection of personal data and privacy rights. This time, the target is the 2006 Data Retention Directive, Directive 2006/24/EC1. In its Evaluation Report on the Data Retention Directive (Directive 2006/24/EC), COM (2011) 225 (Communication 225), published in April 2011, the European Communication has announced its plan intent to revise the 2006 Directive with a view to proposing an improved legal framework that balances the needs of governments, the rights of data subjects, and the financial constraints of the operators.
Communication 225 analyses how the 2006 Data Retention Directive has been implemented (or not) in the national laws of the Member States, with a view to determining whether the 2006 Directive should be amended, in particular with regard to its data coverage and retention periods. The report points to the lack of uniformity and discrepancies in these implementations, identifies deficiencies, and analyses the impact of the retention requirements on economic operators and consumers. It also evaluates the implications of the Directive on the protection of fundamental rights, in view of the criticisms that have been made with respect to the retention of personal data for national security reasons. The report concludes that the provisions set forth in the 2006 Data Retention Directive need improvement and indicates how the European Commission plans to drive the preparation of an amendment.
Data Retention as a Security Measure
The 2006 Data Retention Directive provides that the national laws of the Member States must require providers of publicly available electronic communications services and public communications networks to retain traffic and location data for a period between six months and two years, in order to allow for the investigation, detection and prosecution of serious crime.
There is an inherent conflict between the provisions of the 2006 Directive, and the rights and freedoms that have been the basis for the 1995 Data Protection Directive, the 2002 ePrivacy Directive, and other documents that have shaped the protection of personal data throughout the European Union. Data retention constitutes a limitation of the right of private life and the protection of personal data, which are fundamental rights in the European Union. According to Communication 225, while it is clear that rules on data retention remain necessary as a tool for law enforcement, the protection of victims, and the criminal justice systems, the current regime has many flaws. These flaws are described in detail in the report, and summarized below.
Uneven Transposition and Limited Harmonization
One of the key frustrations of the European Commission is that the implementation of the 2006 Directive in the national laws is not completed. It has been uneven and there are significant discrepancies among the Member States with respect to the manner in which the directive has been adopted. Only 22 out of the 27 members currently have laws that are consistent with the 2006 Directive.
There are considerable differences between the laws that have been passed in the Member States to implement or transpose the Directive. These differences appear, in particular, in the areas of purpose limitation, access to data, periods of retention, data protection and data security, and statistics.
In addition, the constitutional courts of three Member States – Germany, Romania, and the Czech Republic – have annulled the legislation that was intended to implement the Directive into the country’s national laws. Two Member States – Austria and Sweden – have yet to transpose the 2006 Directive; draft legislation is still under discussion.
Burden on Operators
Communication 225 observes that, as a result of the discrepancies in the implementation and transposition, the 2006 Directive has not fully harmonized the approach to data retention and has not created a level-playing field for operators of telecommunication services throughout the European Union. The differences in national application of data retention have presented considerable difficulties for operators.
The European Commission proposes to alleviate some of the burden on operators. Currently, while the obligation to retain and retrieve data represents a substantial cost to operators, these operators are reimbursed to different degrees in the different states. Communication 225 indicates that the Commission will evaluate ways to reimburse or compensate operators in the cost incurred in preserving the data.
The Commission also indicates that it wishes to ensure proportionality in the end-to-end process of storage, retrieval, and use. In this respect, according to Communication 225, the Commission will ensure that any future data retention proposal (i) respects the principle of proportionality; (ii) is appropriate for combating serious crime and terrorism, and (iii) does not go beyond what is necessary to achieve the intended purpose.
In the next phase, more analysis and evaluations will be conducted. The Commission plans to conduct a further assessment of the data retention regime that will focus, in particular, on the following areas:
- Consistency in limitation of the purpose of data retention and types of crime for which retained data may be accessed and used;
- Harmonizing, and possibly shortening, the periods of mandatory data retention;
- Ensuring independent supervision of requests for access and of the overall data retention and access regime applied in all Member States;
- Limiting the authorities authorized to access the data;
- Reducing the data categories to be retained;
- Guidance on technical and organizational security measures for access to data including handover procedures;
- Guidance on use of data including the prevention of data mining; and
- Developing feasible metrics and reporting procedures to facilitate comparisons of application and evaluation of a future instrument.
The Commission will also consider whether, and if so how, an EU approach to data preservation might complement data retention.
Once this evaluation is completed, the Commission intends to propose a revision of the current data retention framework after consulting with law enforcement, the judiciary, industry and consumer groups, data protection authorities, and civil society organizations.