Privacy & Information Security Law Blog

On July 14, 2010, the Article 29 Working Party issued a press release regarding its findings on the implementation of the European Data Retention Directive (Directive 2006/24/EC).  The findings, compiled in a report to be contributed to the European Commission’s forthcoming evaluation of the Directive, indicate that the obligation to retain all telecom and Internet traffic data is not being applied correctly or uniformly across the EU Member States.  Specifically, the Working Party’s press release states that service providers retain and share data in ways contrary to the Directive.  The Working Party further noted that Member States’ reluctance to provide statistics on the use of retained data limits the ability to verify the value of data retention practices.

The joint inquiry that formed the basis of the report focused on (i) security measures, (ii) prevention of abuse, (iii) compliance with storage limit obligations and (iv) the type of retained information.  Its findings show significant discrepancies among the Member States, particularly regarding retention periods which range from six months to ten years (far exceeding the maximum allowable retention period of 24 months).  As to the type of data being retained, the report notes that some service providers retain Internet traffic data prohibited by the Directive, including website URLs and information from email headers.

The Working Party’s report includes recommendations for changes to increase harmonization, promote secure data transmissions and standardize handover procedures, and calls on the Commission to take the report into consideration when discussing the issue of whether or not to amend or repeal the Directive.

The European Commission’s evaluation of the Data Retention Directive is expected to be published in September 2010.