ISPs Meeting sparks debate over Dutch Data Retention obligations

By EDRi · November 4, 2009

This article is also available in:
Deutsch: [Treffen der ISPs heizt Debatte über niederländische Vorratsdatenspeicherung an |]

Dutch government agencies held a meeting on 14 October 2009 with internet
service providers, looking for ways to clarify the data retention
obligations under the country’s new Data Retention Act. After the meeting,
ISPs still face uncertainty over how long to store data, who falls within
the scope of the Act and how the authorities want the data to be stored or
disclosed. Dutch civil rights movement Bits of Freedom released a critical
report of the meeting, warning for the controversial possibility for
centralized storage of the data and its negative impact on the right to

The new act, which took effect 1 September, obligates telecom providers
and ISPs to retain identification, traffic and location data for 12 months
for intelligence agencies and the investigation of serious crimes. Whereas
most mobile and fixed telephony operators know what to expect of the new
law, all ISPs were puzzled after the quite chaotic meeting and most of them
concerned over the privacy interests of their customers.

First of all, it is still not sure if the retention period for ISPs will be
reduced to six months. As of now, both telecoms companies and ISPs need to
store the data for twelve months. But in the heat of the First Chamber
(Senate) hearings in July, the Minister of Justice proposed a new
“reparation law” reducing this term to six months for ISPs. This rather
unique manoeuvre of the Minister was needed to get a majority in the Senate
to pass the law. It remains to be seen, however, if the Second Chamber
(Parliament) agrees with this shorter term. The Second Chamber opted for a
twelve month period in May 2008.

Furthermore, uncertainty remained whether some specific services fall within
the scope of the data retention obligations. Some ISPs pointed out that it
was hard for them to determine if they had to comply or not, for instance
when primarily offering webhosting services with limited e-mail
functionality. Telecoms agency Agentschap Telecom (AT), responsible for
supervising and enforcing the data retention laws, could not answer some of
these questions, but promised to address the problem soon. In the meantime,
AT announced IPSs can count on mild supervision during one year, and will
only be punished for not complying to the obligations if they seem unwilling
to do so.

Thirdly, and most controversially, the government introduced plans about how
to store identification, traffic and location data. The officials did not
exclude the possibility of creating a centralized system that automatically
retrieves data from the roughly 300 ISPs in the Netherlands, a concept with
far-reaching privacy implications. Bits of Freedom criticized this option:
in stead of storing the data at 300 different databases, centralized storage
makes access to these data even more easy than it is today. In 2008,
identification data was already requested over 3 million times by the police
(on a population of 16,5 million in the Netherlands). There is no
information available to the public on traffic and location data requests by
both police and intelligence agencies, since this information is regarded a
“state secret”. Unauthorized and more widespread access become serious risks
for privacy, when the data is stored at one national database.

Major ISPs oppose centralization since they must also protect the privacy
interests of consumers. Gert Wabeke – a spokesperson at telecoms provider
KPN and a member of a European Commission expert group on data retention –
said the proposal has led to “a lot of rumors. It has a privacy impact; it
has (impact on) everything.” Nonetheless, small ISPs may see this option as
a way to cut the substantial costs involved with complying to the data
retention obligations.

Ministry of Economic Affairs spokesperson Edwin Van Scherrenburg commented
that “it is still very unsure if these (proposals) will lead to an
electronic system to collect data from ISPs.” Bits of Freedom will continue
to watch the (technical) implementation of the data retention obligations in
the Netherlands closely.

Detailed explanation of the Data Retention Act by Telecoms Agency AT (2009)

Data Retention Act (only in Dutch, 21.10.2009)

The Bits of Freedom report of the meeting with ISPs on 14 October (only in Dutch, 15.10.2009)

Earlier this year, Bits of Freedom argued that the Dutch Data Retention Act
interferes with the fundamental right to privacy (only in Dutch, 20.10.2009)

(Contribution by Axel Arnbak – EDRi-member Bits of Freedom – Netherlands)

This report was partly based on an article in the Privacy & Security Law
Report, 8 PVLR 1535 (26 October 2009). Copyright 2009 by The Bureau of
National Affairs, Inc. (800-372-1033)