Since the demise of the EU’s Data Retention Directive of 2006, a de facto regulatory vacuum has existed in this area in the EU. Although national legislation formally remained valid, legal challenges in countries such as Austria, the Netherlands, and Romania have been successful.
Some form of data retention appears to be necessary for the purpose of tackling crime. However, it will be important to keep in mind the proportionality of such measures, which often have conflicted with constitutional rights, and the actual costs faced by telcos, which have been frequently required to retain data for longer than necessary. The German legislator appears keen to reduce retention times significantly, but is also likely to clamp down on telcos’ ability to store metadata outside Germany.
German legislation could be a sign of things to come at the EU level
When the EU Data Retention Directive of 2006 was struck down by the European Court of Justice during 2014, Germany was one of the countries that had little to worry about. The law to transpose the directive was deemed to be against the German constitution by the country’s constitutional court in 2010 and the directive was never implemented.
Although no new legislation is planned at the European level, German legislators have been working on a new data retention law. The current draft has a much shorter retention time for metadata than the previous version (10 weeks for telephone and Internet data and four weeks for geolocation, as opposed to the previous six months). Telcos are likely to be happy with a relatively short retention time for communications metadata; one of the problems of the 2006 Data Retention Directive was the inconsistency of retention times across countries (the directive required minimum retention times of between six months and two years, and transposing legislation differed widely on this point). In many cases, such a long retention time is likely to be unnecessary – the EC found that the vast majority of requests relate to data that is less than three months old.
Data retention is also a cost for telcos, particularly for smaller operators, and one that is often not reimbursed by public authorities. While the EC’s directive was in place, some countries refunded either operational or capital expenditure related to such activity, but only in two countries were telcos reimbursed for both. In 13 countries no expense at all was refunded to operators by public authorities.
On the other hand, a much stricter provision is proposed for the transfer of retained data. Whereas the previous law allowed metadata to be stored anywhere in the EU (in line with the existing European frameworks on data protection and data retention), the proposed bill would prevent any transfer of such data outside Germany. This is hardly surprising given the recent protectionist stance taken by many governments (including the German one) toward personal data. In fact, it is likely to set a meaningful precedent: other countries could be willing to adopt a similar approach and negotiations between member states on the upcoming Data Protection Regulation are still in progress. So far, proposals on data transfer in the Data Protection Regulation have been stricter than the current provisions of the Data Protection Directive, although they have never envisaged an outright ban on data transfer within the EU.
Data Protection Tracker: 1Q15, TE0007-000867 (January 2015)
Regulatory Developments in Data Protection and Data Retention in the EU, TE009-000987 (July 2013)
“The demise of the Data Retention Directive provides an opportunity for legislators,” TE009-001076 (April 2014)
Luca Schiavoni, Senior Analyst, Regulation