The Impact of the Data Retention Directive

March 1, 2006

The Data Retention Directive[1] was enacted by the European Parliament in December and adopted by the justice and Home Affairs Council in February. Irish and Slovak ministers are reported to be continuing to oppose it.  The Directive has been welcomed by a number of governments, including the British Government, which has championed the idea for some time.  Communications services providers and civil liberties campaigners have reacted with concern, albeit for somewhat different reasons; the former concerned about costs and liabilities, the latter because of a perceived danger of infringement of privacy rights.


The content of the Directive has indeed been watered down somewhat from earlier drafts, reflecting these civil liberties concerns. 


In this article I will deal with the history of how the Directive came into being, set out the key legal provisions, assess the likely practical implications for communications service providers in the United Kingdom, and look to the future.




The growth of international terrorism, and in particular the 9/11 attack in New York, the Madrid Train bombings and the 7 July 2005 London Underground bombings provide the social and political context for the Directive.  In April 2004, four member states, the United Kingdom, France, Ireland and Sweden, proposed a draft Council Framework Decision aimed at establishing rules governing the retention of data. 


The basic premise was that terrorists, in planning attacks, need to communicate amongst themselves, mainly via mobile telephones.  The more sophisticated the attack the greater the extent to which the parties involved will need to communicate.  In order to combat the activites of terrorists effectively, both in preventing attacks and in identifying and punishing those responsible for successful attacks, it is considered important for the state and its law enforcement agencies to be able to obtain “traffic” and “location” data relating to  such communications.


Such data, which is the subject of the Directive, concerns the identity of the source of a communication, its date, time and duration and the location of the communications equipment used.  It is important to emphasise that the Directive is not concerned with the “content” of the communications (ie the subject of the communication). 


As a practical matter it is not possible for the law enforcement agencies to make any use of this data unless it is retained by the companies providing the communications networks and services.  This is why the proponents of the legislation were so keen to impose a legal obligation on such companies to retain data (an obligation to which they were, previously, not necessarily subject).


It is also important to note here that the Directive is not primarily concerned with creating powers regarding the access to, or use of, such data.  It is mainly concerned with the obligation to retain data, given that other legislation regulates the access to, and use of, data for crime prevention purposes.  The Directive does provide some regulation as to the scope for which such “retained” data may be used as set out in further detail below.

Those proposals did not get off the ground initially and were rejected by the EU Parliament in 2005. The Commission then took up the baton, proposing a draft Directive shortly thereafter which was reviewed, and amended, by the Parliament.  The final version of the Directive, which has now been implemented, reviews the compromise finally agreed with the Parliament.


Key Provisions of the Legislation


The legislation imposes data retention obligations on Internet and other communications service providers, but not content providers who happen to use mobile telephony or the Internet as a medium.  The Directive imposes obligations on providers of publicly available electronic communications service/networks.  This terminology comes from a number of EU Telecommunications Directives (and is found in the UK Communications Act 2003 which implements them).  Although there has been some case law[2] to suggest that large companies who are not ISPs (but who merely give Internet access to their staff) could be caught within these definitions, the reality is that such companies have little to fear.  If a body has never been contacted by the police or law enforcement agencies in the past it is very unlikely that they will be contacted in future with a request to provide communications data.


Data is defined to include the traffic and location data referred to above.  “Content” data is expressly excluded.


The prescribed retention period, an issue of much debate within and between the EU institutions, is set as a minimum of six months, but with each Member State having a discretion to set a higher statutory period, up to a maximum of 24 months.  It is not yet clear whether the UK will opt for the lower or higher figure.


Finally, the Directive sets certain limits on the permitted uses of the retained data.  The data may only be used for the investigation, detection or prosecution of serious criminal offences.  Whilst the driving force behind the legislation was the need to combat terrorism, it is clear that non-terrorist criminal offences, such as drug smuggling, money laundering and sophisticated fraud, are also likely to fall within the definition of “serious criminal offences”.


Practical impact on ISPs in the United Kingdom


It is fair to say that the reaction from ISPs has been mixed.  Despite the understandable concerns, there are two possible grounds for optimism.  Firstly a number of UK based ISPs have been following the government’s Voluntary Code of Practice (“the Code”) introduced under Part 11 of the Anti-terrorism, Crime and Security Act 2001 for some time now.  Under the Code, the retention of such data (for similar periods) has been an accepted way of life.  In practice little may change.


Second, it has been suggested by some commentators that much of the data which ISPs will be obliged to “retain” is, from an ISP perspective, the most commercially important and valuable and so is generally retained as a matter of course. 


There is, however, a significant difference between a situation where most ISP’s may usually (and voluntarily) retain such data, and the new situation where all ISPs will be required to do so and will have to ensure that it is kept for the minimum periods.


A significant concern, particularly for the smaller ISPs, is the cost of having to retain all this data.  The Directive contains no provisions obliging Member State governments to reimburse “their” ISP’s for the cost of retaining such data.  The position of the UK government appears to be that it will reimburse such costs (as it has done in the past).


The Future


The next step is for the UK government to prepare implementing legislation.  We are waiting for a draft to be circulated. However, it has been reported that the Irish Government is to mount a challenge to the Directive on procedural grounds and clearly that could delay implementation in Ireland and, potentially, in all other Member States.


Robert Steadman is an Associate at Addleshaw Goddard.

[1] Directive 2005/0182. Directive of the European Parliament and the Council on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communication networks and amending Directive 2002/58/EC.

[2] BNP Paribas v World Press Online (2005) in France