European court condemns Dutch for faulty privacy-legislation

By EDRi · June 30, 2004

The European Court has condemned the kingdom of the Netherlands for a faulty implementation of the Privacy directive of 1997, also known as the ISDN-directive. In the Dutch telecommunication law of 1998 the obligation to erase or anonymise traffic data after termination of the call was not made specific enough, leaving ample room to the telecom operators to store sensitive data about their subscribers. Instead of just literally translating Article 6 of the directive, the Dutch inserted a reference to a decree that would specify which data had to be erased. The decree was never produced, and in October 2002, after plenty of warnings, the European Commission decided to take the issue to the European Court in Luxembourg.

On 19 May 2004, the new Dutch Telecommunication Law went into effect, with a revised article on traffic data in agreement with the new 2002 Privacy directive, that replaced the 1997 directive. The verdict is not insignificant though, in the light of new EU Council plans to introduce mandatory data retention for a period of 12 to 36 months. There is no legal obligation for data retention yet in the Netherlands, except for the location data of pre-paid mobile phones, for a period of 3 months. The new Telecom law obliges service providers to anonymise any historical data they might have kept.

European Court case C-350/02 (24.06.2004)