Electronic communications and data retention29/11/06 / cata_european-union-news

Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006, on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or public communications networks, and amending Directive 2002/58/EC aims to harmonize Member States’ provisions concerning the obligations of the providers of publicly available electronic communications services and public communications networks to retain certain data generated or processed by them, to ensure the data is available for investigation, detection and prosecution of serious crime, as defined by each Member State in its national law.

The reason for the adoption of this Directive is the current state concerning national regulations in this area. Several Member States have adopted legislation providing for the retention of data by service providers to safeguard their various public interests. Due to the fact that these national provisions vary considerably, service providers are faced with different requirements regarding the types of traffic and location data to be retained and the conditions and periods of retention. These legal and technical differences present obstacles to the internal market for electronic communications.

This Directive thus harmonizes the scope of data to be retained, the mandatory time period for retaining data, the data security principles and storage requirements.

The Directive applies to data generated or processed by providers of publicly available electronic communications services or by public communications network supplying the concerned communications services, including data related to unsuccessful call attempts. But it does not require any retention of data relating to unconnected calls.

The Directive imposes the obligation to retain the data necessary to trace and identify: (a) the source of a communication; (b) the destination of a communication; (c) the date, time and duration of a communication; (d) the type of communication; (e) users’ communication equipment or what purports to be their equipment; and (f) the location of mobile communication equipment. However no data revealing the content of the communication may be retained pursuant to this Directive.

These data are to be retained for periods of not less than six months and not more than two years from the date of the communication. Further they are to be provided only to the competent national authorities in specific cases and in accordance with national law. The Directive sets up the procedures to be followed and the conditions that must be fulfilled to gain access to retained data, which must be in accordance with necessity and proportionality requirements.

In order to protect end-user’s privacy, providers of publicly available electronic communications services and public communications networks are required to respect, at minimum, the following data security principles concerning retained data:

1. the retained data must be of the same quality and subject to the same security and protection as the data on the network;
2. the data must be subject to appropriate technical and organizational measures to protect the data against accidental or unlawful destruction, accidental loss or alteration, or unauthorized or unlawful storage, processing, access or disclosure;
3. the data must be subject to appropriate technical and organizational measures to ensure they can be accessed by only specially authorized personnel; and finally
4. the data, except those that have been accessed and preserved, are to be destroyed at the end of the period of retention.

Concerning the storage of retained data, the Directive requires that they be stored in such a way that the data and any other necessary information relating to such data can be transmitted on request to the competent authorities without undue delay.

This Directive entered into force on 3 May 2006 and Member States are required to comply with the Directive by no later than 15 September 2007. In case of retention of communications data relating to Internet Access, Internet telephony and Internet e-mail, a Member State that makes a declaration may postpone application of this Directive until 15 March 2009.