
Brussels mulls shortening data retention periods

Published 06 December 2010 - Updated 07 December 2010

The European Commission is planning a review of the Data Retention Directive, which could include harmonisation and a reduction of the periods when public authorities can access citizens' private electronic data for security reasons. 

"We may need to agree on more harmonised, and possibly shorter, retention periods," said EU Internal Affairs Commissioner Cecilia Malmström in a conference on the Data Retention Directive, which took place in Brussels last Friday (3 December).

Her statement came as the EU executive prepares to publish, at the beginning of 2011, an evaluation report on the application of the directive, which is likely to lead to legislative amendments to tackle shortfalls that could possibly emerge.

The directive has been in place since 2006 and sets out a legal framework on the collection, storage and use of electronic private information for security reasons. It obliges telecommunications providers to store various data regarding their customers, including telephone numbers contacted, Internet connections, locations at the moment of the connection and personal information given for subscriptions. However, the content of the communications is not recorded.

Periods of retention are indicated in the directive, albeit in a vague manner.

The text says that personal data must be "retained for periods of not less than six months and not more than two years from the date of the communication".

This window is the result of a complex balance of opposing interests. On the one hand, law enforcement authorities are eager to keep and access private data for long periods as it helps them with their enquiries and provides evidence in trials.

On the other hand, citizens' rights groups want retention periods to be as short as possible. They were supported in their battle for such a cause by telecommunications operators, which have to bear the cost of data retention and are therefore keen to see their obligations reduced.

A patchwork of national laws

As a consequence of the directive's indefinite wording, member states opted for different retention periods in applying the text at national level. Only six members adopted legislation limiting retention to the minimum period of six months set out in the directive: Germany, Spain, Luxembourg, Slovakia, Cyprus and Lithuania.

The majority of member states are instead allowing retention periods of between 12 and 24 months. In some cases, data is stored for even longer periods than the two-year limit set by the directive. In Poland, for instance, some operators keep data for up to ten years and in Greece for five years. In Ireland, Latvia and Romania, retention can last up to 36 months.

"Those differences in how the directive has been implemented are due, more than anything else, to the fact that the provisions in the directive are formulated in an open-ended, not to say imprecise, way," acknowledged Commissioner Malmström.

"This raises the question [of] whether the provisions should be made more precise, to ensure that we strike the right balance between law enforcement needs and privacy concerns in all member states," she added.

The commissioner conceded that the review of the directive should also look into what kind of crimes should be prosecuted with information obtained by means of the Data Retention Directive, what kind of data should be retained and which authorities should access this information.

Pressure from privacy watchdogs

Malmström's concessions follow strong criticism of the directive by European privacy and data protection authorities.

"The retention of traffic and location data of all persons in the European Union, whenever they use the telephone or the Internet, is a huge interference with the right to privacy of all citizens," repeated the European Data Protection Supervisor (EDPS), Peter Hustinx, speaking on Friday in Brussels.

"The EDPS regards the directive as the most privacy invasive instrument ever adopted by the EU in terms of scale and the number of people it affects," Hustinx continued, requiring tangible evidence that "it constitutes a necessary and proportionate measure".

Otherwise the directive should be scrapped or replaced with a less privacy-invasive instrument, he said.

Hustinx's concerns echo the results of a report issued by a group of national data protection authorities, the so-called Article 29 Working Party, which last July highlighted a number of serious shortfalls in the application of the directive and went as far as saying that its implementation had been "unlawful".

In particular, the report revealed that "more data are being retained than is allowed". Even if the directive is clear in saying that no electronic communications content should be recorded or stored, the inquiry found evidence that "some of these data are being retained".

The inquiry also highlighted differences in the retention periods applied across the EU and found that in some instances, they exceeded the limits set by the directive. Moreover, "it was found that in many cases no automated data erasure procedures were in place upon expiry of the relevant retention periods," concludes the report.

Compensation for e-communications providers

Malmström recognised the financial burden imposed on telecommunications service providers by the retention obligations contained in the directive and underlined that the lack of harmonisation of such provisions across Europe can hit some operators more than others.

The commissioner purposely left the door open as to "whether we need clearer rules, including on state compensation for the cost of data retention".

In any case, she made clear that "the health of our telecoms sector has not been affected by the directive to any significant degree".

Operators, however, have a more drastic point of view. In a document sent to the Commission, the association which brings together all European electronic communications providers, including telecoms, cable and Internet firms, made clear that the directive "has a significant impact on industry and affects European competitiveness".

Next steps:
  • By early 2011: Commission plans to publish evaluation report on Data Retention Directive.

Background:

Data retention refers to the storage of traffic and location data resulting from electronic communications. 

The main legislative instrument at EU level governing this field is the Data Retention Directive, which was adopted in November 2006 after long debates on its scope. These resulted in a text which gave room for different applications at national level and which did not guarantee a sufficient level of harmonisation.

Data protection and privacy in electronic communications are also governed by the E-privacy Directive, which dates back to 2002. 
