On February 18, 2015 a group of privacy advocates started legal action against the Dutch data retention law. Similar initiatives have taken place elsewhere in Europe and are likely to succeed following the demise of the EC’s Data Retention Directive in 2014. Devising rules that make data retention possible without hampering citizens’ privacy rights will be a challenge for European legislators, who should also be careful not to place an undue burden on telcos.
The demise of the Data Retention Directive creates a de facto regulatory vacuum
The legal action taken by a group of Dutch journalists, lawyers, and privacy advocates on February 18, 2015 aims to strike down the national data retention act. This move demonstrates the challenges that EU countries’ governments face in keeping data retention legislation in place.
In 2014 the European Courts of Justice struck down the EC’s Data Retention Directive of 2006, stating that it was disproportionate and failed to comply with the privacy principles set out in EU legislation. This decision did not repeal the national acts that transpose the directive, but it did clear the way for legal challenges, which are now likely to succeed in any EU country.
In order to tackle crime, governments need to have some data retention rules in place. However, they must also comply with the EC’s regulatory framework. They must ensure that any legislation they pass does not breach the E-Privacy Directive of 2002, which is currently in force, and which places specific data protection obligations on telcos.
The challenge now is to create a framework in which data retention is possible, but under which data protection safeguards are still in place. The EC should set out its new rules as soon as possible, and those rules should clearly say what public bodies can do (and, crucially, what they can ask telcos to do) – with clear and precise limits. This would also help to ensure that no unnecessary burden is placed on telecoms operators, which face a cost in retaining such data and making it available to public authorities.
Data Protection Tracker: 1Q15, TE0007-000867 (January 2015)
Current Status and Future Developments in Data Protection, TE0007-000812 (August 2014)
“The demise of the Data Retention Directive provides an opportunity for legislators,” TE009-001076 (April 2014)
Luca Schiavoni, Analyst, Regulation