This article is also available in:
Deutsch: Treffen der ISPs heizt Debatte über niederländische Vorratsdatenspei...
Dutch government agencies held a meeting on 14 October 2009 with internet service providers, looking for ways to clarify the data retention obligations under the country's new Data Retention Act. After the meeting, ISPs still face uncertainty over how long to store data, who falls within the scope of the Act and how the authorities want the data to be stored or disclosed. Dutch civil rights movement Bits of Freedom released a critical report of the meeting, warning for the controversial possibility for centralized storage of the data and its negative impact on the right to privacy.
The new act, which took effect 1 September, obligates telecom providers and ISPs to retain identification, traffic and location data for 12 months for intelligence agencies and the investigation of serious crimes. Whereas most mobile and fixed telephony operators know what to expect of the new law, all ISPs were puzzled after the quite chaotic meeting and most of them concerned over the privacy interests of their customers.
First of all, it is still not sure if the retention period for ISPs will be reduced to six months. As of now, both telecoms companies and ISPs need to store the data for twelve months. But in the heat of the First Chamber (Senate) hearings in July, the Minister of Justice proposed a new "reparation law" reducing this term to six months for ISPs. This rather unique manoeuvre of the Minister was needed to get a majority in the Senate to pass the law. It remains to be seen, however, if the Second Chamber (Parliament) agrees with this shorter term. The Second Chamber opted for a twelve month period in May 2008.
Furthermore, uncertainty remained whether some specific services fall within the scope of the data retention obligations. Some ISPs pointed out that it was hard for them to determine if they had to comply or not, for instance when primarily offering webhosting services with limited e-mail functionality. Telecoms agency Agentschap Telecom (AT), responsible for supervising and enforcing the data retention laws, could not answer some of these questions, but promised to address the problem soon. In the meantime, AT announced IPSs can count on mild supervision during one year, and will only be punished for not complying to the obligations if they seem unwilling to do so.
Thirdly, and most controversially, the government introduced plans about how to store identification, traffic and location data. The officials did not exclude the possibility of creating a centralized system that automatically retrieves data from the roughly 300 ISPs in the Netherlands, a concept with far-reaching privacy implications. Bits of Freedom criticized this option: in stead of storing the data at 300 different databases, centralized storage makes access to these data even more easy than it is today. In 2008, identification data was already requested over 3 million times by the police (on a population of 16,5 million in the Netherlands). There is no information available to the public on traffic and location data requests by both police and intelligence agencies, since this information is regarded a "state secret". Unauthorized and more widespread access become serious risks for privacy, when the data is stored at one national database.
Major ISPs oppose centralization since they must also protect the privacy interests of consumers. Gert Wabeke - a spokesperson at telecoms provider KPN and a member of a European Commission expert group on data retention - said the proposal has led to "a lot of rumors. It has a privacy impact; it has (impact on) everything." Nonetheless, small ISPs may see this option as a way to cut the substantial costs involved with complying to the data retention obligations.
Ministry of Economic Affairs spokesperson Edwin Van Scherrenburg commented that "it is still very unsure if these (proposals) will lead to an electronic system to collect data from ISPs." Bits of Freedom will continue to watch the (technical) implementation of the data retention obligations in the Netherlands closely.
Detailed explanation of the Data Retention Act by Telecoms Agency AT (2009)
http://www.agentschap-telecom.nl/english/companies/retentionobligation...
Data Retention Act (only in Dutch, 21.10.2009)
http://wetten.overheid.nl/BWBR0026191/geldigheidsdatum_21-10-2009
The Bits of Freedom report of the meeting with ISPs on 14 October (only in Dutch, 15.10.2009)
http://www.bof.nl/verslag151009.pdf
Earlier this year, Bits of Freedom argued that the Dutch Data Retention Act
interferes with the fundamental right to privacy (only in Dutch, 20.10.2009)
http://sargasso.nl/archief/2009/09/20/wet-bewaarplicht-strijd-met-gron...
(Contribution by Axel Arnbak - EDRi-member Bits of Freedom - Netherlands)
This report was partly based on an article in the Privacy & Security Law Report, 8 PVLR 1535 (26 October 2009). Copyright 2009 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com