Data retention

Historical telecommunications data are highly valuable in the investigation and prosecution of crime and the protection of the public. Under EU law, telecommunications service and network providers are obliged to retain certain categories of data for a specific period of time and to make them available to law enforcement where needed. The Commission is currently revising this law.

Storage and use of telecommunications data

Telecommunication service providers or operators store clients' personal data for the purposes of transmitting communications, invoices, and interconnection payments, marketing and certain other value-added services. Because of the value of these data in preventing danger and investigating criminal activity, the EU has sought to ensure that they are made available to law enforcement authorities.

The Data Retention Directive requires operators to retain certain categories of data (for identifying users and details of phone calls made and emails sent, excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism.

27 EU States have notified the Commission about the transposition of the Directive into their national law. However, of these, Germany and Belgium have only transposed the legislation partially.

Effectiveness of the current framework

Law enforcement authorities in most EU States have reported that retained data play a central role in their criminal investigations. These data have provided valuable leads and evidence that have resulted in convictions for criminal offences and in acquittals of innocent suspects in relation to crimes which, without an obligation to retain these data, might never have been solved.

However, the application of data retention continues to be uneven. The diversity of approaches - in terms of limitations to the use of data, data storage periods and other aspects, such as reimbursement of costs of complying with data retention rules - means that there is no level playing field for service providers and consumers across the EU. This has presented considerable difficulties for the industry. Furthermore, there is a need to strengthen the protection of personal data and to minimise the risk of breaches of privacy during storage, access and use.

• Amended statistics for 2008 can be found here [106 KB] .
• Statistics for 2010 [153 KB]

Experts' Group on Data Retention

The Commission is setting up an expert group [84 KB] to advise on best practice in the implementation of the Data Retention Directive. If you have relevant expertise and would like to be a member of this group, please read carefully the call for applications [417 KB] and write to us by 3 June 2013.

Information on the previous expert group which met between March 2008 and December 2012 can be found here.

Review of the Data Retention Directive

The Commission's evaluation report , presented in April 2011, concluded that the EU should continue to support and regulate the storage of, access to and use of telecommunications data. However, EU rules in this area need to be improved to prevent the different types of operators from facing unfair obstacles in the Internal Market and to ensure that high levels of respect for privacy and the protection of personal data are applied consistently.

As Commissioner Malmström stated in the European Parliament in October 2012, the Commission has continued to consult the judiciary, law enforcement authorities, data protection authorities, industry, civil society organizations and consumers on the options for reforming the current framework. Emerging themes can be found here. The Commission intends to propose changes to EU data retention, although there is no precise timetable at present.

Data preservation

The Commission also announced in the report on the evaluation that it would consider whether and how an EU approach to data preservation might complement data retention. An independent external study on current approaches to data preservation in EU Member States and third countries [417 KB] was carried out between December 2011 and November 2012 by the Centre for Strategy and Evaluation Studies. The researchers conducted surveys of law enforcement authorities, service providers, data protection authorities and NGOs, and held a seminar with experts in May 2012. Input was received from 15 countries – 12 EU Member States plus Croatia, Norway and the United States. The study finds that data retention and data preservation are complementary rather than alternative instruments and that data retention plays a role in ensuring that data are kept, which is sometimes a prerequisite for data preservation, as data may have already been deleted before a data preservation order is issued.