Data Retention Directive
From the same series which is presenting the European legal framework regarding privacy and personal data aiming the help the readers be aware about their legal rights in order to better protect those legal rights, today it is presenting:
Directive 2006/24/EC, on the retention of data generated or processed in connection with the provision of publicly available electronic communications services.
Under Article 1 “Scope”, the Directive objective is to establish legal provisions concerning public communications providers in order for the traffic and location data (necessary to identify a user) to be stored for at least 6 month to a maximum period of 24 months. The purpose of users’ stored data is when criminal investigations, detection and prosecution of serious crimes require access to users’ traffic data, the communication service provider has to make it available.
From the definition section point of view, outlined under Article 2 “Definitions”, two new terms are introduced which are not mentioned under the Data Protection Directive.
i) user ID: refers to a unique identifiable number or sequence of numbers, letters or a combination of two, assigned to users when they subscribe to an Internet Service Provider (ISP) or Internet Communication Service (ICS).
ii) cell ID: refers to any means which could identify a user in relation with a cellular phone call, by determining the cell phone from where the phone call was made or terminated.
Further, the authorities’ access to the retained data is regulated under Article 5 as following:
i) any necessary data which traces and identifies the communication type and the person or entity that made it. Here no distinction is made between data in general, private information, natural person or legal person. The access is granted for traffic or subscriber of data.
ii) any traffic data which is made available through a digital, analog fixed telephony network or mobile network should be retained by the service provider in the scope of this Directive, whether is the calling number or/and the name and address of the user.
iii) the Internet ID (e.g. Internet Protocol address) or the VOIP number (e.g. Skype offers phone numbers to its subscribers), should be retained and made available for the scope of this Directive. Furthermore if a user is subscribed to a certain SNS (e.g. Facebook or YouTube) under an ID number or nickname, the identity of that user (if it could be determined) should be provided by that SNS provider in the cases outlined under Article 1 “Scope” of this Directive.
The same categories of information regarding the identification of the communication should be retained as well, as stipulated under Article 5 (b) “data necessary to identify the destination of a communication”. No content data of the communication can be retained.
The duration of retention of users’ data is regulated under Article 6 “Periods of retention” where this period of time should be between 6 months minimum and 24 months maximum.
Article 7 addresses the “Data protection and data security” issue by requiring the communication providers in relation with the stored data, to:
i) ensure that they have all the organizational and technical means to preserve and protect the data at the same quality as they protect the users’ data in their networks.
ii) provide all the technical and organizational means to protect users’ data from destruction, alteration, deletion (partial or total), processing, access or unlawful storage.
iii) make available all the stored data for access only by specially authorized personal.
iv) destroy all the data after the period of retention expires, except that data which is subject to necessary, appropriate and proportionate measures to safeguard national security, defence, public security, or prevention, investigation, detection and prosecution of criminal offences or of unauthorized use of the electronic communication system, as indicated under Article 15 (1) Directive 2002/58/EC.
Article 8 details that the requirements and standards for retained data are to be transmitted from the communication provider to the authorities, with no delay, and more specifically the users’ data is to be accessible and available in real time.
Article 9 refers to the obligation of providing supervision by the MS on how users’ data is stored, if it is secure, and thus not vulnerable or altered, etc. The supervisory authorities could be the same as described in Article 28 of Directive 95/46/EC.
The scope of this Directive is to require the operators of publicly available electronic communication networks to store and provide location and traffic data (not content data) processed through their networks, to the State authorities (e.g. police, intelligence service, government, etc) for the purpose of serving the detection, investigation and prosecution of serious crimes.
The corespondent national law that implemented this Directive in MS, was found unconstitutional in several countries already: Romania, Germany, Bulgaria, to name few. For the moment this Directive is suspended until will be decided its necessity in the existing form, in a new amended form or at all.
Stay tuned for the next post that will present the Directive 2009/136/EC known as “Cookie Directive Directive”.
Any questions can be submitted to: email@example.com
Additional information can be found at: www.e-crimeexppert.com
Did you know about this Directive? Do you think that the retention of data help you stay protected?
Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.
- @k3rstin Hi Kerstin. Im fine thank you. Still in Brussels. Can we collaborate on any project/assignment? Best regards, Dan. 1 year ago
- 6 Essential Tips on How to Prevent Online Shopping Fraud wp.me/p1N1s0-jD 3 years ago
- Cyberbullying wp.me/p1N1s0-jz 3 years ago
- 10 Ways to Prevent Your Identity From Being Stolen wp.me/p1N1s0-jv 3 years ago
- Infographic-Privacy and Security on Facebook wp.me/p1N1s0-jp 3 years ago