The European Commission on 18 April published an evaluation of the 2006 Data Retention Directive (Directive 2006/24/EC), which requires internet operators and telecommunications operators to hold on record communication traffic data for up to two years.

In the evaluation, the Commission noted that data retention represents a significant limitation on the right to privacy. While there are no concrete examples of serious breaches of privacy, the risk of data security breaches will remain unless further safeguards are put in place. The Commission will therefore consider more stringent regulation of storage, access to and use of the retained data.

The Commission said that the other main results of the evaluation were:

Most EU countries took the view that the rules on data retention remain necessary for law enforcement, the protection of victims and the criminal justice systems. As criminal investigation tools, the use of data related to telephone numbers, IP address or mobile phone identifiers has resulted in convictions of offenders and acquittals of innocent persons.

Member states differ in how they apply data retention. For example, retention periods vary between six months and two years, the purposes for which data may be accessed and used, and the legal procedures for accessing the data, vary considerably.

Given that the Directive only seeks to partially harmonise national rules, it is not surprising that common approach has not emerged in this area. The overall low level of harmonisation can however create difficulties for telecommunication service providers and in particular smaller operators. Operators are reimbursed differently across the EU for the cost of retaining and giving access to data. The Commission will consider ways of providing more consistent reimbursement of the costs.

Court cases

The evaluation noted that courts in three countries -- the Czech Republic, Germany and Romania -- have overturned the national implementation of the Directive in those countries. The German and Romanian decisions were largely techical, dealing with the form of the legislation. However, the Czech decision was made on the basis that the law dealt with fundamental privacy rights, and was insufficiently precise and clear in its formulation.

The Commission said that evaluation of the implementation of the Directive showed three points: that data retention "is here to stay"; that the legislation had been adopted under some time pressure in response to concerns at the time about terrorism, and a "proper and deeper review" would be necessary; and that a "more proportionate and harmonised approach" was required.

The Commission said it would open a consultation process to build on the evaluation prior to making any proposals to amend the legislation.

The Commission’s evaluation report is available here.