Archives

EU Data Retention Directive: Evaluation

Since its enactment in March 2006, the European Commission (EC) Data Retention Directive 2006/24/EC has generated a lot of controversy within the data protection and privacy rights community. A number of very visible bodies, including the Electronic Frontier Foundation (EFF), have called for the repeal of the Data Retention Directive.

In May 2009, the European Commission launched a lengthy evaluation procedure, including a report issued by the Article 29 Working Party, entitled, “Evaluation of Directive 2006/24?EC and of National Measures to Combat Criminal Misuse and Anonymous Use of Electronic Communications,” (referred to in this article as the Evaluation Report).

Working Party Evaluation

The Article 29 Working Party took a look at a number of issues regarding the Data Retention Directive. The Working Party consulted with stakeholders, which included:

  • EU Member States
  • European Economic Area States
  • Law enforcement authorities (e.g. Ministry of Interior, Ministry of Justice)
  • Telecommunication authorities (e.g. Ministry of Telecommunication, National Regulatory Authorities)
  • European Parliament
  • European civil society
  • National data protection authorities
  • European Data Protection Supervisor (EDPS)
  • Private sector (e.g. communications service providers; internet service providers; fixed and mobile telecommunication operators; network and cable operators)

The Evaluation Report is divided into two parts. Part A evaluated the Data Retention Directive. Part B considered how to enhance the traceability of users of communication services.

Part A took a look at the following areas:

Law Enforcement Issues:

  • National requests
  • Conditions for retention and use
  • Adequacy and law enforcement relevance of the data retained under Articles 3 and 5 of the Data Retention Directive
  • Obtaining data
  • Cost and effectiveness
  • Cross-border requests
  • Telecommunications authorities

Parliament and Civil Society

  • Effect on civil liberties
  • Offsetting the impact
  • New technologies and proportionality of the DRD

Data Protection Authorities

  • Competencies
  • Problems
  • Extraterritoriality
  • Case law

Private Sector

  • Length of storage period
  • Extent and start of the legal obligations to retain data
  • Costs
  • Obligations

Response

  • Economic effects
  • Storing data abroad

Part B examined the following areas regarding user traceability:

Law enforcement issues

  • Existing national measures
  • Efficiency
  • Costs for the private sector
  • European measures
  • Market impact of measures
  • Monitoring and enforcement

Parliament and civil society

  • Effect of national measures on civil liberties
  • Measures to offset the negative impact

Data protection authorities

  • Measures to enhance traceability
  • Means to identify users of prepaid SIM cards

Private sector

  • Identification of users of prepaid services
  • Methods of identification

Working Party Findings

Contrary to the criticisms of the data protection community, the Evaluation Report concludes that data retention is valuable, as it is essential in combating serious crime in Europe. The Report also recognizes that the Data Retention Directive has not been implemented in a satisfactory or uniform way amongst Member States, nor have additional measures regarding access to data and further use of data are necessary to ensure compliance with both privacy rights and data protection requirements.

The Evaluation Report also pointed out the following areas of improvement that the European Commission intends to focus on in its proposal to revise the current data retention framework. These areas of focus are as follows:

  • Limiting the purpose of the Data Retention Directive (e.g. clear definition of “serious crime”)
  • Harmonizing and shortening data retention periods
  • Limiting the number of authorities having access to data and ensuring independent supervision of access requests
  • Narrowing the categories of data to be retained
  • Providing guidance on technical and organizational security measures for access to data
  • Providing guidance on data usage to prevent data mining
  • Providing consistent reimbursement for operators
  • Developing feasible procedures for Member States to provide statistics for future evaluations

Another significant aspect of the Evaluation Report was the call for clarification, regarding the legal relationship between the Data Retention Directive and Article 15 of the EU e-Privacy Directive 2002/58/EC. The e-Privacy Directive allows for similar optional retention measures and is still a source of legal contention.

Summary

This article takes a look at the European Commission’s evaluation process of the Data Retention Directive 2006/24/EC, which began in May 2009. It focuses on the Evaluation Report, which focused on the Data Retention Directive, as well as enhancing the traceability of users of communication services. The article also summarizes the Article 29 Working Party’s conclusions.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Europe (CIPP/E) exam, a privacy professional should be comfortable with topics related to this post, including:

  • European Commission (I.B.d.)
  • EU Data Retention Directive (2006/24/EC) (I.C.d.)
  • Article 29 Working Party (I.J.b.)
Share

Leave a Reply

 

 

 

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>