EU Data Retention Directive: A Closer Look

By Chris Jones, Statewatch researcher

This article, the second in a series examining the EU’s Data Retention Directive, dives into the Directive’s details and its implementation across EU member states. It builds upon the background information presented in the first post and precedes a final post focusing on legal challenges.

Dissecting the Directive

Article 1 outlines the Directive’s goal: harmonizing data retention laws across member states to aid investigations of serious crime, with each country defining “serious crime” individually. While Article 1(2) exempts communication content, concerns remain about the potential to infer content from retained traffic data.

Article 2 provides definitions, and Article 3 mandates telecom providers to retain data, overriding certain e-Privacy Directive articles. This creates tension with provisions protecting communication confidentiality and restricting traffic data retention.

Article 4 grants “competent authorities,” defined by each member state, access to retained data under national law. This lack of specificity allows for variation in which entities can access data and through what procedures, raising concerns about potential inconsistencies and lack of judicial oversight.

Article 5 details data subject to retention: communication source and destination, date, time, duration, type, user equipment, and mobile equipment location. Retention periods, determined by each member state, are stipulated in Article 6, ranging from six months to two years. Articles 7-9 address data protection, security, and transmission to authorities.

Article 10 mandates annual statistics from member states, while Article 11 amends the e-Privacy Directive, potentially creating legislative overlap. The Commission has suggested limiting data use to the Data Retention Directive’s objectives. Article 12 allows temporary retention extensions under specific conditions, subject to Commission approval.

Article 13 enforces data protection laws, liabilities, sanctions, and penalties for data misuse. Article 14 tasks the Commission with evaluating and potentially amending the Directive. Articles 15-17 set the transposition deadline, allowing postponement for internet data retention, a provision used by many member states.

Implementation Challenges and Review

Seven years post-deadline, full implementation across all covered states remains incomplete, with harmonization proving challenging. Despite leeway regarding internet data, several member states faced infringement proceedings for delayed implementation. The Commission’s delayed evaluation highlighted the value of data retention for law enforcement but acknowledged limited harmonization regarding retention periods, purpose, and cost reimbursement.

The Directive’s failure to define “serious crime” resulted in discrepancies across member states, with some applying it broadly to all criminal offenses and others using specific criteria. Similarly, access to retained data varies significantly among member states, with different authorities, authorization procedures, and oversight mechanisms.

Legitimacy and Effectiveness Concerns

The legitimacy and effectiveness of mandatory data retention are contested. Critics argue it lacks sufficient evidence and proportionality. The European Data Protection Supervisor urged the Commission to gather more practical evidence demonstrating its necessity. Concerns about the lack of evidence for data retention’s value in public security and criminal justice persist. The Commission acknowledged the need for more convincing evidence from member states beyond anecdotal reports.

Data Preservation: An Alternative Approach?

Data preservation, a system limiting data retention to specific authorized investigations, is presented as an alternative. While the Council of Europe Convention on Cybercrime mandates data preservation, differing from the Directive by explicitly allowing content storage, the Commission considers both approaches complementary.

Future of the Directive

While the Directive requires the Commission to assess potential revisions, it has postponed this process, prioritizing the e-Privacy Directive review and the adoption of a data protection package. However, the European Court of Justice’s judgment on the Directive’s legality might significantly impact its future.

Barnard & Peers: chapter 9, chapter 25