Dutch DPA advises negatively on Dutch draft data retention

By EDRi · January 31, 2007

(Dieser Artikel ist auch in deutscher Sprache verfügbar)

The Dutch Data Protection Authority (DPA) has made a strong case against
the Dutch draft law regarding the implementation of the data retention
directive. In its advice of 22 January 2007 the DPA comes to the
conclusion that the draft disregards the requirements of article 8 of
the European Convention on Human Rights, which protects the fundamental
right to respect for one’s private life.

The draft introduces a retention period of 18 months, both for telephone
and Internet traffic data. The arguments for this almost maximal
retention period are mostly borrowed from a report of the Dutch Erasmus
University of 22 June 2005, about which EDRI-gram previously reported.

This report was the first public research in Europe into the actual use
by law enforcement of historical traffic data. The researchers looked at
65 police investigations that were provided by the Dutch Ministry of
Justice as good examples of the usefulness of traffic data for law
enforcement. They concluded that ‘in virtually all cases’ the police
could get all the traffic data they needed, based on the average
3 months availability of telephony traffic data. The researchers also
warned they could not qualify the usefulness of these data as direct or
indirect evidence, or the representativeness of the sample of cases for
law enforcement in general. But after failing to meet this essential
test, the researchers organised talks with several anonymous police
representatives. Based exclusively on those talks, the report
recommended that a 1 year mandatory data retention term would be desirable.

This report did not fully convince the Dutch Parliament of the necessity
of data retention at the time of EU negotiations about the directive. At
the beginning of 2006, after a final compromise between the Council and
the European Parliament had been reached, the Dutch minister voted in
favour of the final data retention directive compromise against the wish
of a majority of the Dutch Parliament. Former Minister of Justice Donner
then stated in the Parliament: “I have indicated (in the Council) that I
wanted room for the Netherlands for a retention period of one year, and
for Internet data a period of half a year. That has been realised; that
is possible now. That other Member States lay down longer terms in their
national law is up to them.” The draft gives no account of this change
of plans from rather minimal implementation to almost maximal, as
regards the retention period.

The DPA further points out that by extending the retention of mobile
telephone location data to all the location data generated during a
communication, and not only the location data at the start of the
connection, the draft goes beyond the demands of the directive. The DPA
notes that this extension implies surveillance of the movement of large
amounts of innocent citizens and points to the agreement in the European
Parliament and the German implementation draft, where it is explicitly
stated that the directive does not demand the retention of these
location data generated during a mobile communication.

Another point of critique of the DPA are the limitations on access to the
retained data. The DPA concludes that these provisions are too broad and
need to be drafted more strict and precise. The Dutch DPA finally criticizes
the use of delegation provisions. According to the DPA, the details on the
specific data to be retained should be included in the law itself. The law
should also be more specific about the obligation to provide the statistical
data on the actual use of the retained data. The draft law is not at all
clear about these essential ingredients of the data retention regime and
delegates these matters power to the government.

The draft, now in the phase of consultation, was made public on 21 December
2006. It also provoked a strong reaction of a large coalition of telecom
companies and ISPs. After this consultation phase the draft law will be
sent to the Council of State.

Advice Dutch Data Protection Authority (in Dutch only, 22.01.2007)

Draft law implementation data retention directive (in consultation), (in
Dutch only, 21.12.2006)

EDRI-gram: Dutch study fails to prove usefulness and necessity data
retention (29.06.2005)

(Contribution by Joris van Hoboken)