Privacy & Information Security Law Blog

On April 18, 2011, the European Commission (the “Commission”) adopted an Evaluation Report on the EU Data Retention Directive 2006/24/EC (the “Data Retention Directive”).

The Data Retention Directive requires that, for law enforcement purposes, telecommunications service and network providers (“Operators”) must retain certain categories of telecommunications data (excluding the content of the communication) for not less than six months and not more than two years.  To date, most of the EU Member States have implemented the Data Retention Directive, but Czech Republic, Germany and Romania no longer have implementing laws in place because their constitutional courts have annulled the implementing laws as unconstitutional.

The Commission’s Evaluation Report follows a lengthy evaluation procedure launched in 2009 which also includes a report issued by the Article 29 Working Party that we reported on in July 2010.  Although national data protection authorities have criticized data retention as a privacy-intrusive measure, the Evaluation Report concludes that data retention is valuable for the important role it plays in combating serious crime in Europe.  The Commission acknowledges, however, that the Data Retention Directive has not been implemented in a harmonized way among the Member States, and that additional measures regarding access to data and further use of data are necessary to ensure compliance with privacy rights and data protection.

The Evaluation Report also highlights the following key areas of improvement that the Commission will focus on in its proposal to revise the current data retention framework:

• Limiting the purpose of the Data Retention Directive (including defining “serious crime”)
• Harmonizing and possibly shortening data retention periods
• Limiting the number of authorities having access to data and ensuring independent supervision of access requests
• Narrowing the categories of data to be retained
• Providing guidance on technical and organizational security measures for access to data
• Providing guidance on data usage to prevent data mining
• Providing consistent reimbursement for Operators
• Developing feasible procedures for Member States to provide statistics for future evaluations

Furthermore, the Evaluation Report calls for clarification with regard to the legal relationship between the Data Retention Directive and Article 15 of the EU e-Privacy Directive 2002/58/EC which allows for similar optional retention measures and continues to cause legal uncertainty.  Finally, the Commission is committed to ensuring that any future data retention proposal respects the principle of proportionality by not going beyond what is necessary to combat serious crime and terrorism, and it will examine how, and in what ways, data preservation (also referred to as “quick freeze”) might complement data retention.