EU Report: Member States lazy to protect data

By EDRi · December 15, 2004

The European Commission adopted, on 7 December 2004, its annual report on the implementation of the EU electronic communications regulatory package. The report states that 20 of the EU’s present 25 Member States have notified the Commission that they have adopted primary legislation transposing the package, which became law in 2002. The Commission has launched infringement proceedings against Belgium, the Czech Republic, Estonia, Greece, and Luxembourg, which have so far failed to notify transposition. All of these countries have failed to transpose the 2002 e-Privacy Directive, which is part of the package.

The Staff Working Paper attached to the report examines in particular three issues from the e-Privacy Directive, which are, according to the Commission, “most debated in the market and by national authorities, and which may have a significant impact on the consumer”: data retention, spam, and cookies.

Concerning traffic data, the report recalls Article 5(1) of the e-Privacy Directive, which requires that confidentiality be guaranteed not only for the content of communications but also for the related traffic data, and Article 6, which requires that service and network providers erase traffic data when they are no longer needed for the transmission of a communication or for billing purposes. In addition, Article 9 allows for location data other than traffic data to be used only with the consent of the user. None of these limitations have been transposed in the Czech Republic, Estonia, Greece, Luxembourg and Belgium; the Latvian rules for dealing with traffic data will be examined more closely by the Commission.

The report states that there is a “considerable increase of the interest in the use (and retention) of traffic data by law enforcement authorities”, sometimes exceeding even the wide limits of the disputed Article 15 of the e-Privacy Directive. It names the examples of Denmark and Poland, which log traffic data for one year, and of Italy, where telecommunication data must be retained for 2 years and may be stored for another 24 months in cases of crimes against electronic systems and for reasons related to organised crime or terrorism. The Commission states: “This period of retention is one of the longest in Europe. Operators have complained about the fact that they will have to bear heavy costs for data storage.” Finland even stores, for two years and for all kinds of electronic communication, information on the time of the processing, the duration of the processing and the person who processed the data. As is the case in Italy and some other countries, “operators have complained about the fact that they have to bear additional costs for such data storage”.

The report states: “Besides the need to maintain proportionality as between the length of retention periods, the intrusion on privacy and the actual need for the traffic data for law enforcement purposes, it is also necessary to keep in mind the costs to be borne by operators. The economic impact of traffic data retention periods increases as the retention period gets longer. In addition there has been an increase in the number of requests from law enforcement authorities to retrieve certain data.”

Commission Communication ‘European Electronic Communications Regulation and Markets 2004’ (02.12.2004)
http://europa.eu.int/information_society/topics/ecomm/doc/all_about/implementation_enforcement/annualreports/10threport/com20040759en.pdf

Commission Staff Working paper SEC(2004)1535 Volume 1
http://europa.eu.int/information_society/topics/ecomm/doc/all_about/implementation_enforcement/annualreports/10threport/sec20041535VOL1en.pdf

Volume 2 (market overview)
http://europa.eu.int/information_society/topics/ecomm/doc/all_about/implementation_enforcement/annualreports/10threport/sec20041535VOL2en.pdf

(Contribution by Andreas Dietl, EDRI EU Affairs Director)