
The Article 29 Working Party (WP29) adopted, during its meeting on 12-14 July 2010, a report on the implementation of the European data retention directive 2006/24/EC, reaching the conclusion that the directive is currently not applied in a homogeneous manner by all EU member states.
The report, which is the result of a joint inquiry performed by data protection authorities in EU member states, shows that the European directive is interpreted and implemented differently across EU countries. According to the directive, the member states may choose a retention period of between 6 and 24 months.
"The Article 29 Working Party is concerned to find that the directive does not seem to have been consistently implemented at domestic level. In particular it appears that it has been interpreted by Member States as if it was leaving open the decision on its scope," says the report.
Moreover, it is very difficult to assess the results of the directive due to the lack of significant statistics from the member states. WP29 is therefore calling on the European Commission to take its findings into consideration before taking a decision. The European Commission is to decide on the impact of the directive by 15 September 2010 and whether it has to be amended or repealed.
The report shows that, in many cases, more data are being retained than is allowed. The data retention directive provides a limited list of traffic data to be retained, while the retention of data related to the communication content is explicitly prohibited. It seems, however, that such data are nevertheless retained and that several ISPs retain website URLs, headers of e-mail messages and even recipients of e-mail messages in "Carbon Copy". For phone traffic, it has emerged that the location of the caller is not only retained at the start of the call but also monitored continuously.
WP29 mainly believes that the directive should be applied in a harmonised way in all EU countries, and the report includes a series of recommendations for changing the directive that would establish common ground while also ensuring improved privacy rights for individuals, more secure data transmission and standardised handover procedures.
"There are significant discrepancies as for the retention of Internet services traffic data categories, and the retention periods are also found to vary significantly in the individual Member States, whilst a more uniform picture emerges as far the retention of telephone traffic data categories is concerned. In many Member States' national laws a shorter retention period than the maximum allowed by the Directive proves to be the preferred option," says the report.
Therefore, the group recommends that the maximum retention period allowed be shortened and that consistency be ensured by removing the countries' right to choose a period. "In order to attain a level playing field the maximum retention period should be reduced and to set a single, shorter term to be complied with by all providers throughout the EU."
A lack of consistency also appears to occur in the type and amount of security measures related to the gathering of data. "Regarding information security, no homogeneous picture was found based on the enforcement exercise; indeed, the security measures can be said to vary with the providers' business size. Whilst larger providers were found to deploy technical and organisational measures that could ensure the appropriate security level for the retained traffic data, smaller providers would appear to afford lower security standards; indeed, most of them - mainly on account of cost-containment strategies - are unable to implement top IT security solutions protecting the traffic data," reads the report.
The group also recommends strengthening traffic data security. "In a broader perspective, the overall security of traffic data 'per se' should be re-considered by the Commission." The report also advises that telecoms companies should be ordered to protect data with certain specified measures.
The data protection group hopes that the European Commission will take its recommendations into account when deciding on the fate of the European data retention directive.
This opinion is in line with the statement of over 100 organisations (including EDRi) from 23 European countries, who in June 2010 asked the EU Commissioners to entirely repeal the data retention directive.
Report 01/2010 on the second joint enforcement action: Compliance at national level of Telecom Providers and ISPs with the obligations required from national traffic data retention legislation (13.07.2010)
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp172_en...
Annex to the report (situation per countries) (13.07.2010)
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp172_an...
Privacy watchdogs urge more data retention harmonisation (16.07.2010)
http://www.out-law.com:80/page-11231
EDRi-gram: Data retention - time for evidence-based decision making (30.06.2010)
http://www.edri.org/edrigram/number8.13/data-retention-challange