Morrison | Foerster

Data Retention - Implications for Business
February 2006
by Miriam Wugmeister, Karin Retzer

Employers, internet service providers and telecommunication operators need to closely follow developments relating to data retention in the European Union.  On December 14, 2005, the European Parliament adopted a controversial Directive on the retention of communication data ("Directive")[1] that raises privacy and data security concerns for both consumers and communication service providers and may result in costly investments to comply with the new requirements.  The Directive, if formally approved by the Council, will require all "providers of publicly available communications services" to store and retain communications data.  Under the Directive, "providers" may be interpreted to encompass telecommunication operators, Internet service providers, employers providing employees with e-mail, internet cafes or hotels allowing guests to use communications devices, or even universities facilitating the use of the Internet.

The data covered by the Directive will include data necessary to identify and trace the source, destination, routing, date, time, and location of every communication, including unsuccessful call attempts.  The Directive mandates a minimum storage period of six months from the date of the communication but individual Member States may extend the time period up to twenty-four months.  The data will need to be made available as needed to law enforcement agencies in the course of the investigation and prosecution of "serious criminal offences."

The Directive was strongly opposed by civil liberties groups, data protection officials, and service providers alike.  Currently, communications data generated through communications services such as landline, mobile, and Internet telephony, data text messaging, voicemail, call forwarding, instant messaging, paging, electronic mail, and other multi-media services must be erased or made anonymous at the time the communication is completed, unless the information is needed for subscriber billing, interconnection payments, or marketing, or where national law requires the retention of certain information. Blanket retention of communications data for six to twenty-four months marks a dramatic departure from the EU's[2] formerly cautious attitude towards data retention, creating a regime far more intrusive than anything known in the United States or Japan.  In Europe, communications data can now be held without there being a substantial basis to suspect the relevance of those data to criminal investigations or for national security.  Another concern was that, due to the sheer magnitude of the data that must be retained under the new regime, the investment in equipment and technological expertise for retaining and accessing such data will be significant, and might result in increased communication costs for consumers.  This could delay the development of electronic communications in Europe.

The European Parliament, however, in voting to approve the Directive, rejected these concerns.  It agreed with Member States’ law enforcement agencies that broad retention obligations were necessary for criminal and anti-terrorism investigations across Europe.  In addition, the Parliament decided to strike out the provision in the earlier Commission proposal requiring Member States to compensate providers for their increased costs, leaving it to the Member States’ discretion to reimburse providers (or not). 

Background: The Changing Legal Landscape

Data retention rules have evolved over the past decade.  The original rules issued in 1997[3] permitted, but did not require, Member States to impose retention obligations on telecom operators for law enforcement purposes.  In 2002, the data retention rules were revised to cover the entire electronic communications sector but left unchanged the voluntary nature of those obligations.[4]  As a result of the discretion given to Member States, there are wide variations among the EU Member States.  Some have opted not to impose retention obligations, while others require electronic communications service providers to retain communications data for periods ranging from a few months to four years.[5] 

Since 2002, EU law enforcement agencies have lobbied for broader and more harmonized retention schemes, particularly because mobile phone records were instrumental in tracking down the perpetrators of the Madrid bombings which killed 191 and injured approximately 1,800 people on March 11, 2004.[6]  In the aftermath of those bombings, the European Council issued the Declaration on Combating Terrorism (the Declaration)[7] which among other things recommended the introduction of traffic data retention rules. 

In April 2004, France, Ireland, Sweden, and the United Kingdom put forward a joint proposal on data retention[8] that was rejected by the European Parliament in 2005.  In its place, the European Commission launched its own data retention initiative in close collaboration with the Parliament that resulted in the current Directive.[9]

To become law, the Directive must now be approved by the Council but, since the final text approved by the Parliament was negotiated with the Council in informal meetings prior to the Parliament’s plenary vote, approval by the Council is likely.   Member States must adapt national laws within eighteen months (thirty-six months for Internet data) after the publication of the final text in the Official Journal.  

The Scope

The Directive covers "…providers of publicly available electronic communications service or of a public communications network…" (Article 3.1).  As a result, all telecommunication and Internet service providers within Member States’ jurisdiction must store communications data.  It remains to be seen how the new retention regime is applied by national regulators and courts, and whether, e.g., hotels or apartment owners providing guests with telephone and e-mail, internet cafes, universities allowing students to use internet and e-mail, or even private citizens with unprotected wireless LANs are covered by the regime.  In addition, as discussed previously in a March 2005 legal update,[10] employers throughout Europe have been facing the question of whether they would also be considered "providers of publicly available electronic communications services" and thereby become subject to data retention obligations when they provide Internet access to their employees.  In this respect, a French appeals court ruled in 2005 that employers can be required to retain and hand over all relevant traffic data under court order.[11]  The Court found that the French data retention regime makes no distinction between ISPs who offer Internet access on a commercial basis, and employers who give Internet access to staff.  It appears, therefore, that the issue of mandatory retention schemes for communications data may also be expanded to encompass a broad range of different organizations and private citizens.    

As regards the types of data covered, while the Directive is not applicable to data revealing the content of communications, it does cover a wide variety of data, including data required to identify and trace the identity, source, destination, routing, date/time, and location of every communication, as well as the communications device and equipment involved.  The categories of data that must be retained will be revised on a regular basis.  Interestingly, in a previous proposal, the data to be retained were limited to data that providers kept for business purposes anyway.  This limitation has not been included in the final draft.

The Directive also requires retention of data on unsuccessful calls, defined as "a communication where a telephone call has been successfully connected but is unanswered or there has been a network management intervention."  (Article 2(2).)  This provision was controversial because providers do not currently register lost calls for billing purposes. 

Internet-related data to be retained is limited to email and IP-telephony data – which means that data on web pages visited need not be retained by providers. 

Circumstances for Access to Retained Data 

The aim of the Directive is to ensure that the data are available for the purposes of investigation, detection and prosecution of serious crime, as defined by each Member State in its national law.  During the Parliamentary debate on the Directive, the Parliament’s Civil Liberties Committee suggested a specific list of serious crimes in the investigation of which retained data could be used.  The Parliament plenary session, however, voted against a definite catalogue as it was felt that the competencies for that lie with the Member States.  In this respect it is interesting to note that content owners have – unsuccessfully – lobbied to have the Directive require retention of data for criminal offenses other than "serious" crimes, presumably so that law enforcement agencies could use retained data to prosecute violators of intellectual property law.  Those requests were rejected, but, depending on the scope of Member States’ definition of "serious crime," the distinction in the wording of the Directive may be irrelevant. 

Further, Member States must ensure that data retained in accordance with the Directive are only provided upon request from competent national authorities, in specific cases and in accordance with national legislation.

Retention Period

The Directive obliges each Member State to ensure that the relevant data is retained "…for a period of not less than 6 months and for a maximum of two years from the date of communication" (Article 7).  There is, however, a derogation from this time period for particular circumstances that warrant an extension of the maximum retention period for a limited time.

Data Storage

Each Member State will be required to ensure that communications service providers respect, as a minimum, certain prescribed data security principles with respect to data retention.  There is a provision for "effective, proportionate and dissuasive" penal sanctions for companies that fail to store the data or misuse the retained information, and Member States must designate an independent supervisory authority to ensure compliance with the Directive, which "may be the same authorities as those referred to in Article 28 of Directive 95/46/EC."  Hence, the data protection authorities may assume supervisory authority for compliance with the implementation legislation of this Directive as well.

Storage should allow for sharing with law enforcement authorities without "undue delay."  However, the technical implications will need to be defined in the implementation legislation.  Data must be destroyed after the period of retention, except for those data that have been accessed and preserved.

Reimbursement of Costs 

While the original Commission proposal would have required Member States to reimburse providers for the additional costs of retention, the Directive approved by the Parliament contains no reimbursement provisions, thereby leaving it to the discretion of the Member States whether (or not) to reimburse providers.  Communications service providers are disappointed by the Parliament’s attitude to cost reimbursement, as the cost of implementing a data retention capability is estimated to run to millions of euros.


 

[1] European Parliament legislative resolution on the proposal for a directive of the European Parliament and of the Council on the retention of data processed in connection with the provision of public electronic communication services and amending Directive 2002/58/EC (COM(2005)438 – C6-0293/2005 – 2005/182(COD)), available at: http://www.europarl.eu.int/omk/sipade3?L=EN&PUBREF=-//EP//TEXT TA 20051214 ITEMS DOC XML V0//EN&NAV=S&MODE=XML&LSTDOC=N&LEVEL=0&SAME_LEVEL=1#sdocta1.

[2] The 25 Member States of the European Union currently are: Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, the Netherlands, and the United Kingdom.

[3] Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector, Official Journal L 24/1 of January 30, 1998.   

[4] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), Official Journal L 201/37 of 31 July 2002. 

[5] National laws must, however, (a) ensure that the data are only retained for a limited period of time; (b) aim to achieve specific, enumerated "public order" purposes; (c) be necessary, appropriate, and proportionate within a democratic society for achieving these purposes; and (d) be consistent with the European Convention on Human Rights. 

[7] Note from the General Secretariat Re: Declaration on combating terrorism, Council of the European Union, No. 7906/04, March 29, 2004.

[8] Note from France, Ireland, Sweden and UK to Secretary-General, Re: Draft Framework Decision on the retention of data processed and stored in connection with the provision of publicly available electronic communications services or data on public communications networks for the purpose of prevention, investigation, detection and prosecution of crime and criminal offences including terrorism, No. 8958/04, April 28, 2004.

[9] Proposal for a Directive of the European Parliament and of the Council on the retention of data processed in connection with the provision of public electronic communication services and amending Directive 2002/58/EC, COM(2005) 438 final.