Sélecteur de langues
Brussels, 18 April 2011
Frequently Asked Questions: Evaluation report of the Data Retention Directive
Data concerning telecommunications traffic through telephone networks and through the internet is, to some extent, retained (stored) by telecommunication service providers for their own commercial purposes (e.g., for billing purposes). The Data Retention Directive seeks to harmonise certain aspects of national rules on such storage. It requires telecommunication service providers to store traffic and location data regarding fixed and mobile telephony, internet access, email and telephony, for a period of at least six months (and no more than two years), and to make it available on request to law enforcement authorities for the purpose of investigation, detection and prosecution of serious crime and terrorism.
How was the evaluation carried out?
The evaluation report takes stock of national experiences with regard to data retention. The Commission gathered information in various ways:
Two conferences were organised (on 14 May 2009: "Towards the Evaluation of the Data retention Directive" and on 3 December 2010: "Taking on the Data retention Directive").
Bilateral meetings were held with all Members State and stakeholders from industry, data protection authorities, academia and privacy groups.
A questionnaire was issued in September 2009 to all stakeholders, and a request was made for additional statistics and examples from Member States in 2010.
Discussions were held with and position papers adopted by the expert group 'Platform on Electronic Data Retention for the investigation, detection and prosecution of serious crime'.
Reports were compiled on by the Article 29 Data Protection Working Party.
What are the issues considered by the report?
The evaluation report covers 5 main issues:
The role of retained telecommunications data in criminal investigation and law enforcement (chapters 3 and 5);
The transposition of the Data Retention Directive by Member States, including the implications of judgments of certain national constitutional courts (chapter 4);
The impact of data retention on telecommunication service providers and on consumers (chapter 6);
The implications for the fundamental rights of privacy and of the protection of personal data (chapter 7);
The Commission's plans for a review of and amendments to the directive (chapter 8).
Which types of data are being retained under the Directive?
The Directive requires telecommunications service providers to retain (store) traffic and location data generated or processed by service and network providers as a result of communications activities. It does not require or allow the retention of the content of the communications (it is therefore different from lawful interception or 'wire tapping'). The Data Retention Directive applies to the fields of fixed network telephony, mobile telephony, internet access, internet email and internet telephony. It requires service providers to retain those traffic data necessary for identifying the source (i.e. sender), destination (recipient), date, time and duration, type, equipment of communication, and, for mobile telephony, the location of the equipment.
How valuable is data retention for criminal justice systems and law enforcement?
Data retention takes place in most Member States. Member States have generally reported that retained data is very valuable, and in some cases indispensable, for preventing and combating crime, for protecting victims and for the acquittal of the innocent in criminal cases.
The evidence, in the form of statistics and examples provided by Member States, is limited in some respects but nevertheless attests to the very important role of retained data for criminal investigation. This data provides valuable leads and evidence in the prevention and prosecution of crime and ensuring criminal justice. Its use has resulted in convictions for criminal offences which, without data retention, might never have been solved. It has also resulted in acquittals of innocent persons.
Data retention enables the construction of trails of evidence leading up to an offence. It also helps to discern or corroborate other forms of evidence on the activities of and links between suspects and victims. In the absence of forensic or eye witness evidence, data retention is often the only way to start a criminal investigation. Generally, data retention appears to play a central role in criminal investigation even if it is not always possible to isolate and quantify the impact of a particular form of evidence in a given case.
How often do law enforcement authorities request access to retained data?
The volume of both telecommunications traffic and requests for access to retained data is increasing. The Commission received statistics on the volume of requests for access to retained data from 19 Member States for 2008 and/or 2009. These statistics vary considerably in scope and detail – for instance, in the Czech Republic, Latvia and Poland (a total of about 1.3 million requests per year) the volumes included identical requests sent to each of the main mobile telephony operators (and so may be misleadingly high). Based on figures provided by 17 Member States, there were about 1.4 million requests for data in 2008 and, based on statistics from 14 Member States, there were about 2.05 million requests in 2009. The volume of requests varies considerably from one Member State to the next. The most frequently requested type of data overall concerns mobile telephony.
What will the Commission propose for revising the Directive?
The evaluation report concludes that the EU should continue to support and regulate data retention as a highly valuable tool in criminal investigation and as a means of protection against the harm caused by crime and terrorism. The Commission recognises that data retention has an impact on the fundamental rights to privacy and to the protection of personal data, and that any such limitation must be demonstrated to be strictly necessary and proportionate to the problem it seeks to address.
The Commission, in consultation with law enforcement, judiciary, industry, data protection authorities and other stakeholders, intends to propose a number of improvements to the current regime.
Those proposals will help ensure that law enforcement authorities are equipped with the tools they need to serve the criminal justice system, that telecommunication services providers benefit from harmonised rules to ensure a smooth functioning of the internal market and that people are fully assured that high standards of personal data protection will be applied in all Member States.
The key areas of the end-to-end process of data retention – storage, access and use – are highlighted in the conclusions of the evaluation report and options for addressing them will be carefully considered. These areas include the purpose of data retention, the period of retention, which authorities may request access to the data, the procedures that those authorities must follow when requesting access, and arrangements for reimbursing operators for the costs of retaining and providing access to the data.
How can the Commission ensure that Member States implement the Directive?
Member States had until 15 September 2007 to implement the Data retention Directive (except for internet related data for which the deadline was 15 March 2009). Twenty-five Member States have notified measures transposing the Directive, and draft legislation is still under parliamentary consideration in Austria and Sweden. In three other Member States (Romania, Germany and Czech Republic) the transposing law has been annulled by national courts.
Austria was part of a group of Member States (along with Sweden) brought before the European Court of Justice for non-communication of national legislation implementing the Directive. On the 29 July 2010 the Court ruled that Austria had failed to fulfil its obligations under the Directive.
Austrian authorities have recently transmitted to the Commission drafts of their implementing law. If this legislation is adopted swiftly, according to the timetable submitted, no further step in the procedure would be required (such as a second referral to the Court - Article 260 TFEU).
Despite a first ruling by the European Court of Justice on 4 February 2010, Sweden has not yet transposed the Data Retention Directive. On 16 March 2011, the Swedish Parliament chose to defer the vote on the proposed legislation for a further 12 months. In consequence, the Commission decided to bring Sweden to court for the second time, with the possibility that fines will be imposed (IP/11/409).
The Commission intends to continue to enforce the Directive, through infringement procedures (Articles 258 and 260 TFEU) where required.
What do national Constitutional Courts say about data retention and the Directive?
Following rulings of their respective constitutional courts, the Czech Republic, Germany and Romania are currently considering how to re-transpose the Directive. In all cases, the national Courts annulled the national laws transposing the Directive because they were found unconstitutional. In no case did the courts rule that the Data Retention Directive is unconstitutional.
The German Constitutional Court did not consider data retention unconstitutional as such, but found the law transposing the Directive to be unconstitutional since it did not sufficiently limit the circumstances in which law enforcement authorities could access the data, and did not contain sufficient measures to protect retained data against breaches of confidentiality (data security).
The Romanian Court found the law transposing the Directive to be ambiguous in its scope and purpose, with insufficient safeguards, and found, against that background, the obligation to retain data for a period of six months to be unconstitutional.
The Czech Constitutional Court annulled the law transposing the Directive on the basis that, as a measure which interfered with fundamental rights, it was insufficiently precise and clear in its formulation.
What is the security and privacy impact of data retention?
Data retention constitutes a restriction of the right to privacy, and the Directive expressly states that national laws governing access to those data must respect fundamental rights as guaranteed by the European Convention of Human Rights (in particular Article 8 on the right to privacy). This means that this data cannot be accessed in an arbitrary manner without due reason (for instance, national rules on access to this data must comply with the principles of necessity and proportionality).
Telecommunications data are stored by companies for normal business purposes. They are not stored in police databases. Law enforcement authorities can only require access to data on a case-by-case basis and, in most Member States, only after a request has been made to a judge. Hence, there is no unlimited access to data by law enforcement authorities.
While no concrete examples of serious breaches of privacy have emerged under the Directive, data retention implies in itself a risk of a potential breach. The Commission therefore intends to propose more stringent safeguards regarding how the data is stored, accessed and used.
Is Data preservation (or quick freeze) an alternative to Data retention?
Data preservation and Data retention are two different criminal investigation tools. Data preservation, also known as 'quick freeze', is applied only from the moment a suspicion arises and a preservation order is issued with respect to a particular person. Data retention, on the other hand, is key to conducting investigations into events that took place prior to the moment a criminal suspicion arose. It guarantees the availability of historical data linked to the case under investigation.
Unlike data retention, data preservation does not guarantee the ability to establish evidence trails prior to the preservation order. For instance, it does not allow for evidence to be gathered on the movements of either victims of or witnesses to a crime.
Lawful interception, or 'wire tapping', is different from data preservation and data retention. Interception involves real time listening/reading into the content of conversations and exchanges between a target and his associates. It is not regulated by EU law.
What is the cost of data retention?
Operators have argued that the cost of complying with the Directive is very significant, although estimates provided by specific operators in terms of capital and operational expenditure vary considerably. There appears to have been no major impact on competition or retail prices for consumers.
A study carried out before the transposition of the Directive estimated the cost of setting up a system for retaining data for an internet service provider to be around €375 000 in the first year and about €10 000 in operational costs.