
The EU's data retention directive - a critical overview [14 Nov 2006]


Under the controversial Data Retention Directive, approved by the European Parliament in December 2005 and subsequently by the EU Council of Ministers in February 2006, providers of publicly available electronic communications services or public communications networks (service providers) will have to retain certain communications data for a minimum of six months and up to a maximum of two years. The data includes calling and called telephone numbers, the name and address of the subscriber or registered user to whom each number pertains, the name and address of the intended recipient, and the date and time of log-in and log-off, both of internet access and of access to the internet e-mail or telephony service. It has been left up to individual EU member states to decide precisely how long within that range. There is also an option for individual member states to introduce longer periods where they face particular circumstances warranting an extension for a limited period. The Directive does not require retention of the content of a communications session such as a telephone call; in fact this is positively prohibited.


Member states will have to implement the Directive within 18 months of its enactment. However, each member state will be entitled to defer application of the Directive for an additional period of up to 18 months as regards the retention of communications data relating to internet access, internet telephony and email.

Retained data will only be made available to law enforcement agencies for the purpose of the investigation, detection and prosecution of serious crime, although the definition of serious crime has also been left up to member states.

The Directive has been heralded by the UK government and others as a necessary tool in the war against terror and organised crime. However, concerns have been raised. At its last annual awards ceremony, the Internet Service Providers' Association (ISPA) awarded the UK presidency of the EU the dubious honour of internet villain of the year. Europe's telecoms and internet industries have said in a joint statement that "this directive will impose a significant burden on the European e-communications industry, impacting on its competitiveness".

Leaving it to member states to determine the precise period will most probably lead to inconsistency across the EU and create complicated operational procedures for service providers operating multi-jurisdictional services. Transferring the definition of serious crime to member states creates uncertainty about how the stored data will be used. Moreover, some believe that the Directive could, in theory, lead to the prosecution of illegal file-sharers.

However, the over-arching concern is that the Directive places an increased burden on the industry's operating costs in a fiercely competitive market. Every service provider will have to put in place a vastly increased storage capability, develop management and security systems, and ensure that there are sufficient staff to deal with access requests from law enforcement agencies. The Directive dropped the requirement, contained in an earlier draft, for governments to reimburse service providers for the cost of compliance. In a speech to ISPA's Annual Parliamentary Advisory Forum last January, the Home Secretary, Mr Clarke, said that he wants "to work with industry on this legislation, and hear industry's major concerns." Unfortunately, customers may very well end up footing the bill. This is likely to hit smaller providers and those already working to a tight economic model hardest.

