Cookies on Pinsent Masons website

Our website uses cookies and similar technologies to allow us to promote our services and enhance your browsing experience. If you continue to use our website you agree to our use of cookies.

To understand more about how we use cookies, or for information on how to change your cookie settings, please see our Cookie Policy.

Dutch court strikes down data retention law

A Dutch court has struck down a law that forces telecommunications companies to store customer internet and phone data. The District Court of The Hague found that the law violates privacy rights, PC World reported12 Mar 2015

The law was enacted in 2009 and implemented the European Union Data Retention Directive, which required countries to pass laws ordering some communications providers to store data about communications for a period which could be between six months and two years.

The data involved is not the content of calls or messages but information about who made or received a call or message and when.

The Directive was declared "invalid" in 2014 by the Court of Justice of the European Union (CJEU), which said that it infringed rights to privacy and protection of personal data.

Since the CJEU ruling laws in some EU countries have been amended or removed to reflect the ruling. The UK government fast-tracked the implementation of new national data retention laws, and the Data Retention and Investigatory Powers (DRIP) Act came into force in July last year. It is, however, the subject of a judicial review challenge brought by civil rights campaign group Liberty on behalf of two MPs, David Davis and Tom Watson.

The Dutch government had announced in November that it was planning to amend its legislation to ensure that data would only be handed over to law-enforcement agencies with authorisation from a judge, and then only in the case of serious crimes, ZDNet said. It also proposed that stored data should be encrypted.

However, campaigners including Privacy First, the Dutch Association of Criminal Defense Lawyers and the Dutch Association of Journalists sued the government in January 2015 in an attempt to get the law overturned rather than amended, PC World said.

The district court has now ruled in their favour (link in Dutch), criticising the overly broad scope of the law, PC World said.

The case may still be appealed by the Dutch state, a court spokesperson told PC World, but until that happens the law will remain "inactive".

The Dutch law required telephone companies to store data in fixed and mobile calls for one year, while internet providers had to store information on internet use for six months, the Sydney Morning Herald said.

The judge accepted that removing data storage "could have far reaching consequences for investigating and prosecuting crimes", but that this cannot justify the privacy breaches involved, the Sydney Morning Herald said. No deadline has been set on disposal of data.

The decision is of interest in Australia where the government is preparing to pass legislation that requires telecommunication companies to retail data for two years, with access by law enforcement allowed without the need for judicial approval, ZDNet said.

In January 2015, the European Parliament's Legal Services unit said in a leaked document that since the CJEU's judgment EU countries  have had the option of either repealing their own laws on data retention or maintaining them. However, it said that should countries choose to maintain the rules then those rules must adhere to the e-Privacy Directive.

The e-Privacy Directive sets out rules that generally protect the privacy of electronic communications and 'traffic data' associated with those messages. One specific provision places a general prohibition on the unauthorised storage of communications and traffic data.