Electronic communications and data retention
Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006, on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or public communications networks, and amending Directive 2002/58/EC aims to harmonize Member States’ provisions concerning the obligations of the providers of publicly available electronic communications services and public communications networks to retain certain data generated or processed by them, to ensure the data is available for investigation, detection and prosecution of serious crime, as defined by each Member State in its national law.
The reason for the adoption of this Directive is the current state concerning national regulations in this area. Several Member States have adopted legislation providing for the retention of data by service providers to safeguard their various public interests. Due to the fact that these national provisions vary considerably, service providers are faced with different requirements regarding the types of traffic and location data to be retained and the conditions and periods of retention. These legal and technical differences present obstacles to the internal market for electronic communications.
This Directive thus harmonizes the scope of data to be retained, the mandatory time period for retaining data, the data security principles and storage requirements.
The Directive applies to data generated or processed by providers of publicly available electronic communications services or by public communications network supplying the concerned communications services, including data related to unsuccessful call attempts. But it does not require any retention of data relating to unconnected calls.
The Directive imposes the obligation to retain the data necessary to trace and identify: (a) the source of a communication; (b) the destination of a communication; (c) the date, time and duration of a communication; (d) the type of communication; (e) users’ communication equipment or what purports to be their equipment; and (f) the location of mobile communication equipment. However no data revealing the content of the communication may be retained pursuant to this Directive.
These data are to be retained for periods of not less than six months and not more than two years from the date of the communication. Further they are to be provided only to the competent national authorities in specific cases and in accordance with national law. The Directive sets up the procedures to be followed and the conditions that must be fulfilled to gain access to retained data, which must be in accordance with necessity and proportionality requirements.
In order to protect end-user’s privacy, providers of publicly available electronic communications services and public communications networks are required to respect, at minimum, the following data security principles concerning retained data:
- the retained data must be of the same quality and subject to the same security and protection as the data on the network;
- the data must be subject to appropriate technical and organizational measures to protect the data against accidental or unlawful destruction, accidental loss or alteration, or unauthorized or unlawful storage, processing, access or disclosure;
- the data must be subject to appropriate technical and organizational measures to ensure they can be accessed by only specially authorized personnel; and finally
- the data, except those that have been accessed and preserved, are to be destroyed at the end of the period of retention.
Concerning the storage of retained data, the Directive requires that they be stored in such a way that the data and any other necessary information relating to such data can be transmitted on request to the competent authorities without undue delay.
This Directive entered into force on 3 May 2006 and Member States are required to comply with the Directive by no later than 15 September 2007. In case of retention of communications data relating to Internet Access, Internet telephony and Internet e-mail, a Member State that makes a declaration may postpone application of this Directive until 15 March 2009.