Out-Law News

Privacy watchdogs urge more data retention harmonisation


The maximum period for which telecoms companies are required to keep information on customers' use of their services should be reduced from the current two years, EU privacy regulators have said.

The Article 29 Working Party, a committee made up of the privacy watchdogs of the EU's 27 member countries, has proposed the change along with other recommendations on how the EU's Data Retention Directive should be changed to improve individuals' privacy rights.

The Directive orders all EU countries to pass laws requiring telecoms companies, including ISPs, to save the details of calls or internet use so that law enforcement authorities can access the details. Countries can choose a retention period of between six and 24 months.

The European Commission is due to report on the impact of the Directive by 15 September this year. It will tell the European Parliament and Council whether or not the Directive needs to be modified to be effective in the light of its actual application over the past four years.

The Article 29 Working Party has produced a set of recommendations which it hopes will influence the Commission's analysis of the Directive.

The committee has said that the retention period should be shortened; that there should be greater clarity about what data should be retained and what should not; and that there should be a tightening of the technical standards governing the storing and handing over of information to authorities.

"The Article 29 Working Party is concerned to find that the directive does not seem to have been consistently implemented at domestic level. In particular it appears that it has been interpreted by Member States as if it was leaving open the decision on its scope," said the report.

EU member countries, the Working Party concluded, had interpreted the Directive in quite different ways. They acted as though the Directive left it up to them to decide the exact legal basis of retention, a question it said had been settled by the European Court of Justice (ECJ).

It also said that some countries allowed the retention of extra data, while some did not.

"The Working Party considers it appropriate to lay down specific recommendations to ensure increased harmonization, more secure data transmission and standardized handover procedures," said the Working Party's report. "The list of traffic data that are to be retained on a mandatory basis is to be regarded as exhaustive. Accordingly, no additional data retention obligations may be imposed on providers pursuant to the [Data Retention] Directive."

The committee said that there was little consistency in the retention time limits chosen by countries within the six to 24 month scope allowed by the Directive. This, it said, should change.

"There are significant discrepancies as for the retention of Internet services traffic data categories, and the retention periods are also found to vary significantly in the individual Member States, whilst a more uniform picture emerges as far as the retention of telephone traffic data categories is concerned," it said. "In many Member States’ national laws a shorter retention period than the maximum allowed by the Directive proves to be the preferred option."

It recommended that, since most countries have chosen a shorter period than the maximum-allowed 24 months, the Directive should be changed to shorten the maximum period allowed and mandate consistency between countries by removing their right to choose a period.

"In order to attain a level playing field the maximum retention period should be reduced and to set a single, shorter term to be complied with by all providers throughout the EU," the Working Party report said. "In a broader perspective, the overall security of traffic data 'per se' should be re-considered by the Commission."

The Working Party said that there was also a lack of consistency in the type and amount of security surrounding the gathered data.

"Regarding information security, no homogeneous picture was found based on the enforcement exercise; indeed, the security measures can be said to vary with the providers’ business size," the report said. "Whilst larger providers were found to deploy technical and organisational measures that could ensure the appropriate security level for the retained traffic data, smaller providers would appear to afford lower security standards; indeed, most of them - mainly on account of cost-containment strategies - are unable to implement top IT security solutions protecting the traffic data."

The report said that telecoms companies should be ordered to protect data with certain specified measures.

The Working Party's report is based on questionnaires and inspections carried out by national regulators, including the UK's Information Commissioner's Office.
