Revising the Data Retention framework

Retaining data

The Directive requires telecommunications servi­ce providers to store traffic and location data, generated or processed by them, stemming from communications activities. The content of such communications, however, cannot be stored. The requirement covers fixed and mobile network telephony as well as internet access and e-mail. Service providers are required to retain data necessary to identify a number of elements, inclu­ding a communication’s source and destination, as well as location in the case of mobile telephony.

Data retention takes place in most MS, with many reporting it plays an important role in criminal investigations. According to Commission figures, there were over 2 million requests for access to retained data in 17 MS in 2009. Nevertheless the Directive has raised a number of concerns over the right to privacy and in particular the perceived lack of safeguards.

Objections to the DRD have been expressed in several MS, with a number brought before the Court of Justice (CJEU) by the Commission for failing to implement the Directive. The deadline for transposition was September 2007. In Sweden it was only finally implemented in March 2012 after a second CJEU ruling.

In October 2009, the Romanian Constitutional Court found aspects of the national law implementing the DRD breached both its constitution and Article 8 of the European Convention on Human Rights (Right to respect for private and family life). Similar findings were later made by the Constitutional Courts of the Czech Republic and Germany. The latter considered such data retention to be an “especially grave intrusion” of privacy.

Although most states have now transposed the DRD, issues still remain. In 2010, its transposition in Ireland was challenged by a public interest group and has now been referred to the CJEU for a preliminary ruling. On 31 May, the Commission announced that it was taking Germany to the CJEU for failure to transpose the DRD with a request for financial penalties.

The Commission undertook an evaluation of the DRD, published in 2011. It concluded that the EU should continue to support data retention as a valuable tool in criminal investigation and to protect against harm caused by crime and terrorism. It nevertheless recognised the impact of data retention on the right to privacy and the importance of establishing both necessity and proportionality. It stated its intention to propose improvements to the current regime.

Reacting to the report, the European Data Protection Supervisor stated that there was not sufficient evidence to support the need for data retention as developed in the Directive. He called for an examination of “alternative, less privacy-intrusive means”.

The Commission’s Action Plan implementing the Stockholm Programme indicated that any pro­posal to revise the DRD would be made during 2012. In the light of this statement, oral questions with debate have been tabled by MEPs on behalf of the EPP, S&D, ALDE, Greens/EFA and GUE/NGL groups asking, inter alia, when the proposal will be published.

However in an e-mailsent in early July and now in the public domain, the Commission indicated that the revision of the DRD could now be announced in 2013 or 2014 depending on progress with the General Data Protection Regulation, currently being discussed by the EP and Council. The Commission also stated that the revision would be postponed to coincide with a review of the e-privacy Directive.