The EU Data Retention Directive
The European Union's Data Retention Directive became law in 2006, in the aftermath of the 2005 London terrorist attacks. It created an obligation on telephony companies to retain log data on the telephone, e-mail and intranet traffic that goes over their networks so that police and security forces could access it for crime prevention and detection.
The Directive covered telephone calls made and received, e-mails sent and received, and web sites visited. The Directive was not concerned with the content of communications. Instead it was concerned with traffic information: who made the communication? Where were they at the time? Who did they communicate with? By what means, using what device?
A controversial Directive
Civil liberties groups and journalists are vehemently opposed to the Directive; the telecommunications companies don't like the burdens it imposes on them; and the European Data Protection Supervisor thinks it doesn't accord with the fundamental rights to privacy and data protection. The European Commission, which drafted the original Directive, wants to change it.
But the governments of most of the member states like the Directive, and the access it gives their police and security forces to telecommunications log data. It remains unclear as to whether or not the Commission will be able to get the European Parliament and the European Council (itself comprised of representatives of member state governments) to agree to a revision of the Directive.
The case for revision
Christian D'Cunha is the European Commission's desk officer for the Data Retention Directive. At last month's ARMA convention in London he explained why the Commission wants to revise the Directive, and gave a frank assessment of the difficulties the Commission faces in obtaining such a revision.
Christian said that the main reason to legislate at EU rather than at member state level was to build harmonisation across the member states, which in turn benefited companies who only need to adapt themselves to one regulatory framework across the whole of the European Union trading block. However in the case of the Data Retention directive this harmonisation had not been achieved.
Harmonisation not achieved
European Union directives create an obligation on member states to translate the provisions of each directive into their own national law. 23 of the 27 EU member states have passed legislation enacting the Data Retention Directive into their national law. However in three of those countries (including Germany) judgements had been made in national courts that had effectively annulled the law in their states.
The legislation enacted in the members states differed from each other on issues as fundamental as why the information was required to be held, who was able to access it, and how long the data needed to be kept. Polish law stated that such data has to be kept for a two-year period, Austria specified six months, the majority of member states have specified one year.
The lack of harmonisation created practical difficulties - when a communication is generated by a participant in one member state but the information is kept by a telecoms operator in another member state, which of the two state's laws applies?