Brussels, 18 April 2011
Commission evaluates the Directive on retention of telecommunications data
Today the European Commission adopted an evaluation report of the Data Retention Directive outlining the lessons learned since its adoption in 2006. The Directive established data retention as a response to urgent security challenges, following major terrorist attacks in Madrid in 2004 and in London in 2005. The report concludes that retained telecommunications data play an important role in the protection of the public against the harm caused by serious crime. They provide vital evidence in solving crimes and ensuring justice is served. However, transposition of the Directive has been uneven and the remaining differences between the legislations of Member States create difficulties for telecommunication service providers. The Directive also does not in itself guarantee that data are stored, retrieved and used in full compliance with the right to privacy and protection of personal data, and this has led courts to annul the legislation transposing the Directive in some Member States. The Commission will now review the current data retention rules, in consultation with the police and the judiciary, industry, data protection authorities, and civil society with a view to proposing an improved legal framework.
"Our evaluation shows the importance of stored telecommunications data for criminal justice systems and for law enforcement. Such data are used as evidence not only to convict the guilty of serious crimes and terrorism, but also to clear the innocent of suspicion. Retained data was for example crucial to the success of Operation Rescue which helped reveal the identities of 670 suspected members of an international paedophile network and protect children from abuse in Member States where the directive has been transposed. But the evaluation report also identifies serious shortcomings. We need a more proportionate, common approach across the EU to this issue. I therefore intend to review the Directive to clarify who is allowed to access the data, the purpose and procedures for accessing it", said Cecilia Malmström, Commissioner for Home Affairs.
The evaluation report analyses how Member States have transposed the Directive and assesses the use of retained data and the impact on operators and consumers.
Its main findings are:
Most Member States take the view that EU rules on data retention remain necessary for law enforcement, the protection of victims and the criminal justice systems. As criminal investigation tools, the use of data related to telephone numbers, IP address or mobile phone identifiers have resulted in convictions of offenders and acquittals of innocent persons.
Member States differ in how they apply data retention. For example, retention periods vary between 6 months and 2 years, the purposes for which data may be accessed and used, and the legal procedures for accessing the data, vary considerably.
Given that the Directive only seeks to partially harmonise national rules, it is not surprising that common approach has not emerged in this area. The overall low level of harmonisation can however create difficulties for telecommunication service providers and in particular smaller operators. Operators are reimbursed differently across the EU for the cost of retaining and giving access to data. The Commission will consider ways of providing more consistent reimbursement of the costs.
Data retention represents a significant limitation on the right to privacy. Whilst there are no concrete examples of serious breaches of privacy, the risk of data security breaches will remain unless further safeguards are put in place. The Commission will therefore consider more stringent regulation of storage, access to and use of the retained data.
Telecommunications data retained by telecommunications operators is used by police and prosecutors in the investigation, detection and prosecution of serious crime and terrorism.
The EU, through a number of directives in the last 10-15 years, has sought to regulate the requirement for telecommunications service providers to retain data for a specific period of time.
The Data Retention Directive (Directive 2006/24/EC) requires Member States to ensure that these operators retain certain categories of data (for identifying identity and details of phone calls made and emails sent, excluding the content of those communications) for the purpose of the investigation, detection and prosecution of serious crime, as defined by national law. The data must be retained for a minimum of six months to a maximum of two years (to be decided by Member State in transposing the Directive into national laws).
Law enforcement authorities in most Member States have reported to the Commission that retained data plays a central role in protecting the public against harm through effective criminal investigation. These data provide valuable leads and evidence which have resulted in convictions for criminal offences and in acquittals of innocent suspects in relation to crimes which, without data retention, might never have been solved.
Data protection authorities have criticised the directive on the grounds that it does not provide enough limitation of data retention and safeguards for how the data is stored, accessed and used.
Article 14 of the Directive requires the Commission to provide an evaluation of the application of this instrument and its impact on economic operators and consumers.
Building on this evaluation, the Commission will prepare a proposal to amend the Directive. Over the coming months, it will consult law enforcement authorities, the judiciary, data protection authorities, industry and civil society on options for a future legal framework. The results of the consultation will feed into an impact assessment as a basis for the future proposal.
For more information
Homepage of Cecilia Malmström, Commissioner for Home Affairs:
Homepage of DG Home Affairs: