Other available languages: FR
Brussels, 21 September 2005
Is data retention needed?
Each and every move over electronic communications networks generates so-called ‘traffic data’ i.e. data processed for the purpose of conveyance of a communication on an electronic communications network or for the billing thereof. Traffic data include details about time, place and numbers used for fixed and mobile voice services, faxes, e-mails, SMS, and data on use of the internet. Subscriber (and sometimes user) data, such as the name and address of the subscriber, are also processed by providers or subscription-based electronic communications services.
To protect citizen’s fundamental rights and freedoms, and in particular their privacy and personal data, Community law provides for the deletion of traffic data once it is no longer needed for the purpose of the transmission of the communication. Some may however be kept and further processed by service and network providers for their own business purposes such as billing or with the consent of the consumers (See in particular the provisions of Directive 2002/58/EC on Privacy and Electronic Communications).
Beyond these business purposes, ‘public order’ purposes can also be invoked to justify the further processing of traffic data. This is why public authorities in the Member States are in principle, if necessary and in accordance with applicable law, able to request access to traffic data stored by electronic communications operators. Legitimate requests for the retention of specific data – otherwise called data preservation – are also allowed when necessary for specific purposes, such as investigations and prosecutions. Data preservation ensures the onward storage of specific data on specific users as from the date of the request.
However, with changes in business models and service offerings, such as the growth of flat rate tariffs, pre-paid and free electronic communications services, traffic data may not always be stored by all operators to the same extent as they were in recent years, depending on the services they offer. This trend is reinforced by recent offerings of Voice over IP/05/167 communication services, or even flat rate services for fixed telephone communications. Under such arrangements, the operators would no longer have the need to store traffic data for billing purposes. If traffic data are not stored for billing or other business purposes, they will not be available for public authorities whenever there is a legitimate case to access the data.
In other words, these developments are making it much harder for public authorities to fulfil their duties in preventing and combating (organised) crime and terrorism, and easier for criminals to communicate with each other without the fear that their communications data can be used by law enforcement authorities to thwart them.
Member States’ response so far
To respond to this concern, a number of Member States have adopted, or plan to adopt, national general data retention measures. Compared to data preservation measures, which are targeted at specific users and for specific data, general data retention measures aim at requiring (some or all) operators to retain traffic data on all users so that they can be used for ‘public order’ purposes when necessary and allowed.
The need to take legislative action in this area at the European level has been confirmed by the European Council in its Declaration on Combating Terrorism of 25 March 2004, adopted shortly after the horrific events in Madrid on 11 March. In that Declaration the European Council explicitly recognises the importance of legislative measures on traffic data retention, through its instruction to the Council to examine measures in the area of “proposals for establishing rules on the retention of communications traffic data by service providers”. The European Council Declaration continues to state that “Priority should be given to proposals under the retention of communication traffic data (...) with a view to adoption by June 2005”. The priority attached to adopting an appropriate legal instrument on this subject was recently confirmed in the Conclusions of the European Council of 16 and 17 June, as well as at the special JHA Council meeting of 13 July 2005 following the London terrorist bombings.
The issue of retention of traffic data has initially been dealt with in a draft Framework Decision, submitted in April 2004 as an initiative of France, Ireland, Sweden and the UK – which is a third pillar legal instrument.
The data retention regimes introduced or planned by the Member States vary significantly with respect to inter alia their scope, the purposes for which they have been adopted or planned, the data to be retained, the duration of the retention, the reimbursement possibilities, and the conditions for access to the data. There is at present therefore a patchwork of national data retention obligations in Member States, which can be summarised as follows:
The current situation is therefore one which is unsatisfactory in terms of addressing the serious concerns voiced by the European Council, and in terms of addressing the consequences of the diverging measures adopted by Member States for the effectiveness of international law enforcement co-operation, as well as the consequences for electronic communications service providers, especially those who provide services in different Member States of the European Union.
The Commission’s position has been that the largest part of that Framework Decision – the part concerning obligations on providers to retain certain traffic data – should be adopted on a first pillar legal basis. This position has also been adopted by the Legal Service of the Council and by the European Parliament.
What will the Directive do?
The Commission proposal provides for harmonisation of the obligations on providers of publicly available electronic communications or a public telecommunications network to retain data related to the usage of mobile and fixed telephony as well as the internet communications for a period of one year and six months respectively. It is not applicable to the actual content of the communications. It also includes a provision ensuring that the service or network providers will be reimbursed for the additional costs they will have to make to comply with the obligations imposed on them as a consequence of the Directive.
Fundamental rights aspects have been carefully weighed in the preparation of the proposal, and data protection authorities will be involved in the evaluation foreseen, as well as in any amendments to the list of data to be retained, which can be decided through a Comitology procedure. The data to be retained will be processed under the already existing legislation on data protection, in particular Directives 95/46 and 2002/58.
Is the Commission’s proposal different compared to the Council’s text?
Although the proposal has taken account to a significant extent of the work done by the Council on the draft Framework Decision, especially as far as the categories of data to be retained are concerned, it differs from the draft Framework Decision in a number of important areas. These can be summarised as follows:
The proposal will follow the co-decision procedure with full involvement of the European Parliament, and consultation of the Economic and Social Committee and the Committee of the Regions.
 Article 2a of Directive 2002/58/EC on Privacy and electronic Communications (OJ L 201, 31 July 2002)
 “Public order’ purposes are understood in the present document as referring to the public order interests mentioned in Article 15 of Directive 2002/58: national security (i.e. State Security), defense, public security, the prevention, detection and prosecution of criminal offences or of unauthorized use of the electronic communications system. For the sake of this document, law enforcement purposes are understood as restricted to the prevention, investigation, detection and prosecution of criminal offences.