Widespread Unlawful Data Retention in the EU

July 20, 2010

At their latest meeting on 12 – 14 July, the Article 29 Data Protection Working Party adopted a report on the Data Retention Directive 2006/24/EC. The report results from a joint inquiry carried out by the data protection authorities and concludes that the obligation to retain all telecom and internet traffic data resulting from the Directive is not applied correctly in the EU Member States. Most importantly, service providers were found to retain and hand over data in ways contrary to the provisions of the Directive. The  report finds that the provisions of the Data Retention Directive are not respected and that the lack of available sensible statistics hinders the assessment of whether the Directive has achieved its objectives. The European Data Protection Authorities have called on the European Commission to take into account the findings of the report when taking the decision on whether or not to amend or repeal the Directive. 

The joint inquiry focused on security measures and preventions of abuse, compliance with storage limit obligations and the type of retained information. It showed that the Directive has not been implemented in a harmonized way. Significant discrepancies were found between the Member States, especially regarding the retention periods which vary from six months to up to ten years (massively exceeding the allowed maximum of 24 months). 

Another important finding of the report is that more data are being retained than allowed. The Data Retention Directive provides a limited list of data to be retained, all of which relate to traffic data. The retention of data relating to the content of communication is explicitly prohibited. However, it appears from the inquiry that such data are nevertheless being retained. In the case of Internet traffic data, several service providers were found to retain the urls of web sites, headers of e-mail messages and the recipients of e-mail messages in ‘CC’- mode at the destination mail server. For phone traffic data, it was established that not only the location of the caller at the start of the call is retained, but that the caller’s location is monitored continuously thereafter. 

The report states that Member States have provided very little in the way of statistics on the use of data retained under the Directive. This greatly reduces the chances of verifying the usefulness of data retention. 

The report includes several recommendations for changes to be made to the Directive. They entail increased harmonisation, more secure data transmission and standardised handover procedures. Furthermore, the report states that no additional data retention obligations for the providers may be imposed by national laws. It also advocates reduction of the maximum retention period to a single, shorter term, reconsideration of the overall security of traffic data by the Commission, clarification of the concept of ‘serious crime’ at Member State level and disclosure to all the relevant stakeholders of the list of the entities authorized to access the data. 

The European Commission is currently evaluating the Data Retention Directive with a view to its amendment and their report is expected to be published in September 2010.

The Article 29 Working Party report can be read here.