Implementation of Data Retention Directive

(IPRinfo 1/2007)
Guntis Lauskis
Associate, Lejins, Torgans & Partners

The Data Retention Directive (2006/24/EC) should be transposed into national legislation by September 15, 2007. The author believes that implementation will raise debates in the Member States on data protection, security needs and ISP obligations similar to those held in the EU before the adoption of the final text. He considers the positive impact in Latvia to outweigh the negative consequences.

The sense of safety of European residents was noticeably shaken by the explosions which took place on suburban trains in Madrid in March 2004. About a year later, in July 2005, a series of explosions in London strengthened society's need for internal safety and protection. Representatives of the law enforcement institutions of these two countries gave assurances that the explosions were investigated by analysing all available information.

Traffic data – the electronic mirror of a private life
Data on mobile phone usage, i.e. electronic communications, turned out to be especially useful in identifying the guilty persons. In the European Union, special attention was paid to drafting equal requirements for the retention of traffic data of public electronic communications networks (hereinafter – traffic data) for the purpose of preventing and investigating crimes.

It is important to separate traffic data from the contents of a particular call. Traffic data do not make it possible to determine the content of specific calls. Directive 2002/58/EC regulates the retention of data of a technical nature only.

Concerns for data protection
In recognition of the significance of personal data and the necessity to protect the private life of every person, two directives were adopted in the European Union.

Pursuant to the directives, every unit of information which makes it possible to identify an individual (or the electronic communications services received by such person) shall be protected. The further processing of these data without the consent of the identified person is allowed only in particular cases according to respective legislative acts.

As the significance of traffic data increased, several countries (France, Sweden, Great Britain, Ireland), reacting to the diminished illusion of safety, took the initiative for an EU Framework decision on the retention of traffic data.

Nobody remained indifferent when evaluating the draft. The defenders of the project encouraged supplementing and detailing the amount of data to be compulsorily retained. Defenders of privacy, however, saw a risk of an unnecessary threat to privacy.

At the end of 2005, following extensive debates and changes of opinions, the draft Framework decision and directive were combined. The Directive 2006/24/EC (hereinafter – Data Retention Directive) was eventually adopted on 21 February 2006.

Directive 95/46/EC (on protection of individuals with regard to the processing of personal data and on the free movement of such data) was implemented in Latvia by the Individuals Data Protection Law (adopted on 23.03.2000), and Directive 2002/58/EC was implemented in Latvia by the Electronic Communications Law (adopted on 28.10.2004).

The storage time left to Member states
Pursuant to the Data Retention Directive, the data to be retained can be divided into three main groups: 1) user identifying data; 2) traffic data; 3) location data. The electronic communications service providers are obliged to retain the data which are generated or processed in the process of supplying the public telephony services or Internet access, including Internet telephony services.

Definitions of the data to be retained:
A more precise definition of data to be retained can be found in Article 5 of the Data Retention Directive. The general lines are as follows:
1. Data identifying the source of communication – the calling telephone number; name of subscriber or username of the registered user and address;
2. Data identifying the destination of a communication – the numbers dialled, identifier of a user (for Internet access services), name and address of the intended recipient of the communication;
3. Data identifying the date, time and duration of a communication;
4. Data identifying the type of communication – the used public fixed or mobile telephone network services or Internet access services (e-mail or Internet telephony);
5. Data identifying the users’ equipment – the calling and called telephone numbers, identifiers of the mobile telephone and SIM card (IMEI and IMSI codes); the date, time and place of initial activation of a prepaid card;
6. Data identifying the location of mobile communication equipment – identifier of a base station cell and reference of the indicator with geographical location.

As the Member States could not reach an agreement on the period of data retention, the Directive leaves this to the discretion of national decision makers. However, the minimum period of keeping the data is six months and the maximum period is two years from the date of the communication.

Data on unsuccessful call attempts must be retained
During the preparation of the Data Retention Directive, active debates took place regarding the necessity to store the data on unsuccessful call attempts. These data may make up a great part of all data to be retained.

Eventually, despite the objections of several Member States, the obligation to retain data on unsuccessful call attempts was included in the Directive. Electronic communications service providers should not re-program or modify their network equipment in order to generate data which previously were not generated in order to provide services.

Negative impact of the Data Retention Directive
The additional costs are considered to be the most negative consequence of the implementation of the Data Retention Directive. Electronic communications service providers will have to acquire new equipment and/or modify their current systems in order to provide data retention.

Also, the increasing number of services should be taken into account, as the increase in services necessarily increases the amount of the generated traffic data. A point may come when the existing equipment and resources will not technically be up to the service providers’ obligations. Therefore, data retention costs may grow in spite of the technical evolution or the improved efficiency of the data processing.

At the initial stages of drafting the directive, the possibilities of compensating service providers for data retention costs were discussed. Unfortunately, the conclusion was that it would be impossible to propose a solution acceptable to all Member States.

Compensation to service providers
Considering the priorities and financial resources of Latvia, one may believe that Latvia’s electronic communications service providers will not receive any compensation for data retention. However, in Lithuania the statutory requirements obliging electronic communications network operators to provide call interception functionality for law enforcement institutions at their own expense were repealed by the decision of the Constitutional Court in September 2002.

The Court indicated that interception is a function of the public administration; therefore, the use of private sector property without proper compensation cannot be justified. The conclusions could be the same when analysing the issue of data retention costs: data retention is required for the accomplishment of public administration functions. Therefore, electronic communications service providers could be entitled to receive proper compensation.

Another negative consequence of the Data Retention Directive is the application of the data storage obligation to Internet service providers. For the time being, different degrees of data detail are applied for telephony and for Internet services. Namely, bills for Internet services are not usually calculated by the number of connections or transferred megabytes. Instead, a fixed monthly payment is set, and dynamic IP addresses are assigned in order to reduce the inefficient load on the information systems as far as possible and to decrease the costs of service providers.

Therefore, immediate implementation of the Data Retention Directive would mean that almost every Internet service provider would be forced to install additional equipment. This additional cost would probably raise the cost of the service to users. In order to reduce such negative consequences, the Data Retention Directive entitles Member States to postpone the retention obligation relating to Internet services for a certain period of time.

It must be noted that Latvia (as indeed most Member States) has postponed the implementation of the Directive as regards the access to Internet, Internet telephony and e-mail services until 15 March 2009.

Positive impact outweighs the negative consequences
Regardless of the negative consequences, the Data Retention Directive may in general be regarded as positive and welcome for Latvia’s electronic communications service providers.

For instance, the situation now regulated by Latvia’s Electronic Communications Law concerning the obligation to retain traffic data and to provide them to law enforcement institutions will be improved. As long as it is not clearly stated what kind of data law enforcement agencies need, the service providers have a lot of extra work to find, classify and adapt the available technical information to the various investigation requests.

Under the Directive, those retaining the information will know exactly what data should be stored, and those requesting it will know what data are available.

Another positive impact is the fixed term of data retention. Even if the longest possible period – two years – should be implemented in Latvia, the present data storage term (3 years) will shorten by a third. Thus, despite the increase in data to be retained according to precisely defined data types, the number of stored gigabytes will probably be lower due to the shortened data retention term.

The protection and safety measures for retained data may be acknowledged as the third positive impact. The electronic communications service providers are entitled to delete retained data if they have not been requested by the end of the retention period. This creates an appropriate legal presumption which allows certain data to be considered unnecessary for investigation if they are not requested during a certain period of time.

The right to delete the data is essential not only for personal data protection but also for practical reasons, i.e. costs. The space cleared by deletion may be used for the retention of newly generated data.

Implementation of the Data Retention Directive
The Data Retention Directive is the first attempt at drawing a real centre line between the high requirements for the protection of a person's private life set by the European Union and the wish to combat crime by making maximum use of the available information on a person. Certainly, the Directive itself cannot solve anything; each Member State must take definite steps to adjust and introduce the requirements of the Directive in its national law.

In Latvia, the Directive may be implemented either by making amendments to the Electronic Communications Law or by drafting a separate law or regulations of the Cabinet of Ministers. The first draft regulations of the Cabinet of Ministers regarding traffic data retention were prepared before the adoption of the Data Retention Directive. This draft did not comply with the final Directive text, as its definitions and types of traffic data covered generated data more broadly than the requirements set by the Data Retention Directive.

Evidently, implementing the Data Retention Directive will require more than the development of new draft regulations. The current requirements of the Latvian Electronic Communications Law concerning traffic data retention contradict the Data Retention Directive (e.g. the maximum period of data retention, the obligation to retain data on unsuccessful call attempts). Thus, amendments to the law are anticipated by 15 September 2007 (when the Data Retention Directive should be implemented in Latvia).

The same discussions once raised and broadly settled in the institutions of the European Union before the adoption of the Data Retention Directive will now arise again in the Member States. The level and participants of the discussion may change, but the main objective remains: to handle issues of a technical and legal nature in order to balance the rights and obligations of law enforcement, electronic communications service providers and service users.

 

Directives
The directives mentioned can be found in the Eur-lex database of the European Commission. You can use e.g. the natural number or the CELEX code in the search field:

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
OJ L 281, 23.11.1995, p. 31-50
Celex number: 31995L0046

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)
OJ L 201, 31.7.2002, p. 37-47
Celex number: 32002L0058

Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC
OJ L 105, 13.4.2006, p. 54-63
Celex number: 32006L0024
URL address:
http://eur-lex.europa.eu/RECH_menu.do
