Dutch Parliament lowers data retention term to 12 months

By EDRi · June 4, 2008

(Dieser Artikel ist auch in deutscher Sprache verfügbar)

The Dutch Parliament has lowered the data retention term in its
implementation of the Data Retention directive to 12 months. The law
has still to pass the Dutch Senate, which has been more critical of data
retention in the last four years. A lot is still unclear about the law
and many concerns, like the absence of evidence for the resulting
interference with the right to private life and private communications,
have not been adequately addressed yet. Still, the legislature will try
to finalize the law before the summer break of the Parliament.

Interestingly, the three-party coalition forming the present Government
was split into three camps, arguing for 6, 12 and 18 months
respectively. The government kept arguing for 18 months, but a majority
voted for an amendment lowering the term to 12 months. This term
traces back to a report of the Erasmus University about the usefulness
and necessity of data retention for telecommunication traffic and
location data. After failing to prove such usefulness and necessity for
data older than 3 months, the researchers had talks with police
representatives. Based exclusively on those talks, the report
recommended a 12 month retention period. Later on, the Dutch Council of
State referred to that research and the proposed reasonable term of 12
months when it advised the government to lower the term.

Although the debate focused a lot on the retention term and the lack of
evidence, there are many other issues that were debated. The Parliament
also spoke about European developments, such as the procedure of Ireland
before the European Court of Justice and the constitutional challenge in
Germany. It also discussed the extent of parliamentary involvement with
the contents of the decree which will contain more details about data
retention in practice. The law now contains a list of data to be
retained, after concerns were raised that this was the core of a data
retention obligation and that the list would have to be agreed upon in
Parliament. Unfortunately, the list is not very precise. It is as
general as the list in the directive and seems to contain a mistake. Whereas
the data retention directive does not require the retention of the
destination for Internet use other than e-mail or telephony, the Dutch list
does not make this distinction anymore.

The costs of data retention for the sector and consumers were also an
issue of debate, but the available cost estimates are still vague. One
of the reasons is that the precise scope of the data retention
obligation for Internet traffic is unclear. General costs of data
retention will not be reimbursed. The question about storage of the data
in centralized or decentralized facilities has been evaded. At first,
the data will be stored by the providers but this could change in the
future. An amendment that would have restricted the possibility of
claiming complete data sets – to be used for data mining in the context
of combating terrorism – didn’t make it. If the law is passed, both
national security and law enforcement agencies will have the possibility
to claim complete parts of the collection of data to be retained.

EDRi-gram: Dutch study fails to prove usefulness and necessity data
retention (29.05.2005)

EDRi-gram: Dutch DPA advises negatively on Dutch draft data retention

Data Retention 12 Months (only in Dutch, 22 May 2008)

The data retention implementation law as sent to the Dutch Senate (only in
Dutch, 22 May 2008)

(Contribution by Joris van Hoboken – EDRi-member Bits of Freedom – Netherlands)