Council of the European Union/European Parliament: Directive on the Retention of Data in the Electronic Communications Sector Amending Directive 2002/58/EC

IRIS 2006-3:1/40

Mara Rossini

Institute for Information Law (IViR), University of Amsterdam

15 September 2007 was no ordinary date for matters relating to privacy. Indeed, it was the deadline to be observed by Member States for complying with the provisions of Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks. This document is preceded by two legal instruments relating to the same field: the first is Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, the second is Directive 2002/58/EC on privacy and electronic communications. The former requires Member States to protect the rights and freedoms of natural persons with regard to the processing of personal data, the latter translates this obligation into rules specifically adapted to the electronic communications sector and has been amended by the latest in the series (i.e. Directive 2006/24/EC).

The stated objective of Directive 2006/24/EC is to harmonise the obligations on providers (of publicly available electronic communications services or of public communications networks) to retain certain data which are generated or processed by them and to ensure that those data are available for the purpose of the investigation, detection and prosecution of serious crime as defined by each Member State in its national law. The legal and technical differences between national provisions concerning the retention of data for the prevention and detection of criminal offences formed a hindrance to the internal market for electronic communications, obliging service providers to face different requirements regarding the types of data to be retained and the conditions and periods of retention. This reason was further compounded by the 2005 London terrorist attacks. Common measures on the retention of telecommunications data seemed necessary in order to effectively combat terrorism. This warranted action at Community level without neglecting the obligations under Article 8 of the European Convention for the protection of Human Rights and fundamental Freedoms, according to which everyone has the right to respect for his private life and his correspondence. These different considerations brought forth Directive 2006/24/EC.

The Directive applies to traffic and location data on both legal entities and natural persons and to the related data necessary to identify the subscriber or registered user. By way of derogation from three key articles relating to traffic and location data in Directive 2002/58/EC (which subjected data-processing to consent and required such data to be erased or made anonymous when no longer needed for the purpose of the transmission of a communication) Member States are now required to adopt measures ensuring all the data as listed in its Art.5 are retained for a period of time of no less than 6 months and no more than two years (Art.6). The categories of data to be retained by Member States are the following: data necessary to trace and identify both the source and the destination of a communication; data necessary to identify the date, time and duration of a communication; data necessary to identify the type of communication, users’ communication equipment and the location of mobile communication equipment. The Directive only targets data generated or processed as a consequence of a communication or a communication service. The cited communication means are fixed and mobile network telephony, Internet access, Internet e-mail and Internet telephony. The retention of data relating to Internet e-mail and Internet telephony in particular applies only in respect of data from the providers’ or the network providers’ own services.

It should be pointed out that though Art. 6 prescribes a maximum of two years, this term can be extended for a limited period in case a Member State is confronted with particular circumstances. Also, it must be noted that the Directive repeatedly stresses it does not apply to the content of electronic communications, including information consulted using an electronic communications network. Finally, the option is given to Member States to postpone until 15 March 2009, the application of this Directive to the retention of communications data relating to Internet access, Internet telephony and Internet e-mail. Sixteen Member States have chosen to make use of this option.