12 November, 2015
Several European countries have recently embarked upon new data retention initiatives. The Netherlands, Germany and the UK are to (re)instate data retention laws. This trend, however, is at odds with the case law of the European Court of Justice, which declared the Data Retention Directive (2006/24/EC) invalid last year. An important factor according to the Court was the lack of proportionality. The upcoming data retention laws aim to mitigate this disproportionality by requiring shorter retention periods, reducing the data to be retained and intensifying judicial and political control.
Dutch, British and German data retention bills
Following the European Court of Justice's ruling, the Dutch version of the legal duty to retain data was invalidated in March this year. A draft bill that addresses the concerns while preserving the duty for companies to retain data has already been issued and presented to the Council of State. If accepted by the Council, the draft will be put forward to parliament. Data regarding phone use will be retained for 12 months and data regarding internet use will be stored for 6 months. The retention duty will not cover the content of conversations; only metadata will be retained. Metadata is, for example, information about when a conversation was held and by whom. To alleviate privacy concerns, restrictions on access to the stored information will be tightened.
The British government brought the ‘Investigatory Powers Bill’ before parliament last week. Companies are to retain information regarding the ‘where’, ‘when’, ‘through which channels’ and ‘how’ services are used by consumers. All information is to be stored and shared with government officials. The actual content of users' conversations and the websites users visit may be accessed by officials only with formal permission issued by the Minister of the Interior. The British Ministry of the Interior, the ‘Home Office’, will compensate companies for the costs they incur in storing the information.
Perhaps the least far-reaching return of the duty to retain data is found in the recent German law, which was passed in mid-October. The law will probably enter into force at the end of this year. Companies obliged to retain information will have a transitional period of 18 months to set up the necessary infrastructure. Compared with other countries, the German obligations are less intrusive. There are, for instance, more restrictions on government officials and shorter retention periods. The data to be retained will be the metadata regarding telephone and internet use. This data is to be stored for 10 weeks at most. Data containing the location of phones is to be stored for only 4 weeks. Neither the actual content of conversations nor the metadata regarding e-mails will be stored.
What are the implications for companies?
The (upcoming) laws will bring responsibilities for ISPs and telecommunication providers that should not be underestimated. Procedures will have to be adjusted and privacy policies will need revision. This could, for example, entail adjusting privacy statements or altering the policy on notification to national supervisory authorities. Furthermore, the political process regarding these issues is still ongoing. It is recommended to monitor upcoming developments closely.