WP29 criticizes the implementation of the EU data retention directive

By EDRi · July 28, 2010

This article is also available in:
Deutsch: [WP29 Datenschutzgruppe kritisiert Umsetzung der Vorratsdatenspeicherung | http://www.unwatched.org/node/2089]

The Article 29 Working Party (WP29) adopted, at its meeting of 12-14 July
2010, a report on the implementation of the European data retention directive
2006/24/EC, concluding that the directive is currently not applied in a
homogeneous manner by all EU member states.

The report, which is a result of a joint inquiry performed by data
protection authorities in EU member states, shows that the European
directive is interpreted and implemented differently in the EU countries.
According to the directive, the member states may choose a retention period
of between 6 and 24 months.

“The Article 29 Working Party is concerned to find that the directive does
not seem to have been consistently implemented at domestic level. In
particular it appears that it has been interpreted by Member States as if it
was leaving open the decision on its scope,” says the report.

Moreover, it is very difficult to assess the results of the directive due to
the lack of significant statistics from the member states. WP29 is therefore
calling on the European Commission to take its findings into consideration
before taking a decision. The European Commission is to decide on the
impact of the directive by 15 September 2010 and on whether it has to be
amended or repealed.

The report shows that, in many cases, more data are being retained than is
allowed. The data retention directive provides a limited list of traffic
data to be retained, while the retention of data related to the communication
content is explicitly prohibited. It seems, however, that such data are
nevertheless retained: several ISPs retain website URLs, headers of e-mail
messages and even the recipients of e-mail messages in “Carbon Copy”. For
phone traffic, it has emerged that the location of the caller is not only
retained at the start of the call but is also monitored continuously.

WP29 mainly believes that the directive should be applied in a harmonised
way in all EU countries. The report includes a series of recommendations
for changing the directive that would establish common ground but
also ensure improved privacy rights for individuals, more secure data
transmission and standardised handover procedures.

“There are significant discrepancies as for the retention of Internet
services traffic data categories, and the retention periods are also found
to vary significantly in the individual Member States, whilst a more uniform
picture emerges as far as the retention of telephone traffic data categories is
concerned. In many Member States’ national laws a shorter retention period
than the maximum allowed by the Directive proves to be the preferred
option,” says the report.

Therefore, the group recommends that the maximum retention period allowed be
shortened and that consistency be ensured by removing the countries’ right to
choose a period. “In order to attain a level playing field the maximum
retention period should be reduced and to set a single, shorter term to be
complied with by all providers throughout the EU.”

A lack of consistency also appears to occur in the type and amount of
security measures related to the gathering of data. “Regarding information
security, no homogeneous picture was found based on the enforcement
exercise; indeed, the security measures can be said to vary with the
providers’ business size. Whilst larger providers were
found to deploy technical and organisational measures that could ensure the
appropriate security level for the retained traffic data, smaller providers
would appear to afford lower security standards; indeed, most of them –
mainly on account of cost-containment strategies – are unable to implement
top IT security solutions protecting the traffic data,” reads the report.

The group also recommends strengthening the security of traffic data.
“In a broader perspective, the overall security of traffic data ‘per se’
should be re-considered by the Commission.” The report also advises that
telecoms companies should be ordered to protect data with certain specified
measures.

The data protection group hopes that the European Commission will take its
recommendations into account when deciding on the fate of the European data
retention directive.

This opinion is in line with the statement of over 100 organisations
(including EDRi) from 23 European countries, who in June 2010 asked the EU
Commissioners to entirely repeal the data retention directive.

Report 01/2010 on the second joint enforcement action: Compliance at
national level of Telecom Providers and ISPs with the obligations required
from national traffic data retention legislation (13.07.2010)
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp172_en.pdf

Annex to the report (situation per countries) (13.07.2010)
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp172_annex_en.pdf

Privacy watchdogs urge more data retention harmonisation (16.07.2010)
http://www.out-law.com:80/page-11231

EDRi-gram: Data retention – time for evidence-based decision making
(30.06.2010)
http://www.edri.org/edrigram/number8.13/data-retention-challange