The European Commission has announced that it plans to amend the 2006 Data Retention Directive, Directive 2006/24/EC. This Directive states that the national laws of the EU Member States must require providers of publicly available electronic communications services and public communications networks to retain traffic and location data for a period between six months and two years, in order to allow for the investigation, detection and prosecution of serious crime.
According to the Report of the EU Commission, while it is clear that rules on data retention remain necessary as a tool for law enforcement, the protection of victims, and the criminal justice systems, the current regime has many flaws. The report, published in mid April 2011, provides an initial analysis of the problems raised by the current draft of the 2006 Data Retention Directive and explains that the Commission intends to develop a better legal framework that balances the needs of governments, the rights of data subjects, and the financial constraints of the operators.
National Security v. Personal Privacy
There is an inherent conflict between the 2006 Data Retention Directive and the current European Union data protection framework. Under the 1995 Data Protection Directive, the 2002 ePrivacy Directive, and Convention 108 of the Council of Europe, the right of private life and the protection of personal data are fundamental rights. On the other hand, the Data Retention Directive, which was drafted as a reaction to the September 2001 events and the 2004 bombings in Madrid, requires entities to retain certain records containing personal data after so that they can be used by law enforcement, for national security reasons. The retention of these data beyond their normal period of use constitutes a limitation of individuals’ privacy rights, as defined in the European Union. It has even been challenged in the European Court of Justice. [HYPERLINK TO http://www.edri.org/edrigram/number8.10/data-retention-ireland-ecj ] Thus, the EU Commission now wants to evaluate whether it would be possible to reduce or limit the current retention period, and the scope of the data to be retained.
Cautious, Limited Adoption
Another frustration of the European Commission is that the implementation of the 2006 Directive in the national laws is not yet completed. Adoption has been uneven. There are significant discrepancies among the Member States with respect to the manner in which the Directive has been adopted. Austria and Sweden have yet to transpose the 2006 Directive. Belgium has only partially adopted it. The constitutional courts of Germany, Romania, and the Czech Republic have annulled the legislation that was intended to implement it.
In addition, there are considerable differences between the laws that have been passed in the Member States to implement or transpose the Directive. These differences appear, in particular, in the areas of purpose limitation, access to data, periods of retention, data protection and data security, and statistics.
Financial Burden for the Operators
Significant discrepancies in the treatment of operators of telecommunication services throughout the European Union present considerable difficulties for operators, especially for those with operations in several countries. There are also financial issues. Currently, while the obligation to retain and retrieve data represents a substantial cost to operators, these operators are reimbursed to different degrees in the different states. The Commission intends to evaluate ways to reimburse or compensate operators in the cost incurred in preserving the data so that there is more uniformity, and no unfair advantage.
EU Wide Approach?
The Commission has also indicated that it will consider whether, and if so how, an EU approach to data preservation might complement data retention. This approach would definitely simplify the application of the retention requirements for entities that operate in several countries throughout the EU.
Proportionality will be a Key Component
Proportionally is a key component of the European Union data protection ecosystem. According to the 1995 Directive, only data that are necessary for a particular purpose may be collected, and they may be retained only to the extent that it is necessary. The Commission plans to ensure proportionality in the end-to-end process of storage, retrieval, and use. The future data retention proposal is expected to (i) respect the principle of proportionality; (ii) be appropriate for combating serious crime and terrorism, and (iii) limit the use of the data to be limited to what is necessary to achieve the intended purpose.
The Commission plans to conduct a further assessment of the data retention regime that will focus, in particular, on ensuring better consistency in limiting the purpose of data retention and types of crime for which retained data may be accessed and used, and harmonizing, and possibly shortening, the periods of mandatory data retention. The Commission would like to ensure independent supervision of requests for access and of the overall data retention and access regime applied in all Member States as well as limiting the entities authorized to access the data. It also wants to narrow down the scope of the Directive by reducing the data categories to be retained.
Addressing the wave of data security breaches is also an important goal. According to the Report, the Commission is planning to provide guidance on technical and organizational security measures for access to data including handover procedures, as well as on the use of data, such as the prevention of data mining.
Once this evaluation is completed, the Commission intends to propose a revision of the current data retention framework after consulting with law enforcement, the judiciary, industry and consumer groups, data protection authorities, and civil society organizations.