The focus of this chapter is the first evaluation of European legislation designed to harmonise domestic laws on the retention of telecommunications data for the purpose of assisting law enforcement efforts. The European Union introduced the EC Data Retention Directive in 2006. This Directive requires the retention of every European citizen’s communications data for up to two years for the purpose of investigation, detection, and prosecution of serious crime, as defined by each Member State in their domestic legislation. The Directive was the source of considerable unease amongst legislators, Data Protection authorities, and the private sector. This chapter analyses the results provided in this evaluation on the use and operation of the Directive by individual Member States of the EU.
TopIntroduction
In 2006, the EU enacted groundbreaking legislation to regulate the retention of data and its use in the form of the Data Retention Directive 2006/46/EC (“the Directive”). Under the Directive, electronic communications operators are required to retain data related to telephone calls and emails for a period of up to two years. This data includes the identification information of both parties to the communication, via telephone or internet, along with the time, date, and duration of these communications. The data also identifies the geographic location of the caller by identifying the position of their landline or mobile communications device. The content of these communications is not retained.
The European Commission’s evaluation of this legislation was undertaken in line with requirements under Articles 10 and 14 of the Directive. Article 10 requires that each Member State provide yearly statistics to the Commission on the operation of the Directive in that Member State. Article 14 requires that the Commission submit an evaluation of the application of the Directive to the European Parliament and the Council with a view to determining whether it is necessary to amend the scope of the law, particularly with regard to the types of data to be retained and the periods of retention provided for under Articles 5 and 6. The Commission was also to consider the impact of the Directive on economic operators and consumers in this evaluation, taking into account further developments in electronic communications technology and the statistics on the operation of the Directive in each Member State.
Finally, the Commission was required to examine all observations communicated to it by the Member States or by the Working Party established under Article 29 of Directive 95/46/EC (to be referred to hereafter as “WP29”). Article 29 of the principal Data Protection Directive 95/46/EC established the ‘Article 29—Data Protection Working Party.’ The Working Party is independent, acts in an advisory capacity, and consists of the Member States’ Data Protection Commissioners with a representative from the EU Commission. The tasks of the Working Party are outlined in Article 30. One of these tasks consists of advising the Commission on any Community measures affecting the rights and freedoms of natural persons with regard to the processing of personal data and make recommendations to the public, and particularly to Community institutions, on matters relating to the protection of persons with regard to the processing of personal data in the EU.
Of note is the decision of the Commission to expand the scope of its evaluation to include the implications of the Directive for fundamental rights. The Commission states that this decision was a response to “criticisms … leveled in general at data retention” (Evaluation, 2010, p. 1). This expansion of the evaluation’s scope reflects the implications of the Directive for the fundamental rights of EU citizens, now part of EU law since the Lisbon Treaty came into effect, as discussed in further detail below.
An assessment of the preliminary impact of the Directive was undertaken by WP29 prior to the report due from the Commission in September, 2010. WP29 investigated the compliance at national level of telecommunications providers and ISPs with the obligations arising from national traffic data retention legislation on the legal basis of Articles 6 and 9 of the e-Privacy Directive 2002/58/EC and the Data Retention Directive 2006/24/EC “as part of the priorities set forth in its Work Programme to verify the uniform application of the data protection principles harmonised at Community level” (WP29, 2010, p. 3).
The Commission took into particular “consideration” the evaluation of WP29 into the operation of the Directive and its Second Joint Enforcement Action Report published in January, 2010. The Commission also took into account other reports by WP29 and the recommendations of the Expert Group (Evaluation, 2010, p. 2). The main findings and recommendations of WP29 will be taken into consideration by the Commission in their review of the legislation framework governing data retention currently provided under the Directive.