
Emerging data protection themes

The Commission is considering how to improve the current framework for the storage of, access to and use of telecommunications data for the purposes of combating crime.

Necessity of data retention for criminal investigations.

  • Police and judges across the EU say that communications data are crucial for criminal investigations and trials involving terrorism, serious crime and crimes committed using the internet or by telephone. But others argue that there is not enough evidence at EU and national level on the need for data retention. For example: what are the alternatives? How often do retained data which have been accessed by law enforcement authorities actually solve crimes? Would these data be available anyway without the retention obligation?

Retention obligations do not match actual needs.

  • Some data categories are being retained unnecessarily; other types of data needed by law enforcement cannot be easily accessed. Law enforcement favour 'technological neutrality' so that their ability to know who communicated with whom, when, where and how is not diminished as technologies develop. But definitions in the Directive sometimes leave room for interpretation, e.g. which operators and which types of data does retention apply to? Some types of communications – e.g. instant messaging – which can be very valuable in investigations are outside the scope of the Directive, and there is no standard EU approach to accessing these data. As a result police sometimes find it difficult to access these data in time for their investigations. Requests for email traffic data, and for data held by business-to-business service providers, are very rare.

What is data retention actually for?

  • The purpose of the Directive concerns 'serious crime'. But this is not defined at EU level or in many Member States. Certain crimes, e.g. hacking, may not be deemed 'serious' but can only be tackled through telecoms data. The Directive does not cover urgent cases for protection of life and limb not related to crime, e.g. suicide/self-harm, missing persons, emergencies. There are also some calls for extension of the purpose to include copyright infringements, which may include illegal downloads/piracy. Moreover, there is no clear distinction between data kept by telecommunications providers for commercial purposes, and data kept under the retention requirement. Without a clear definition of 'serious crime' and distinction between data kept for different purposes, it is claimed, legal certainty is undermined and there is a risk of data being used for too wide a range of purposes.

Difficulties in police and judicial cross-border cooperation.

  • Police and judicial cooperation can suffer as a result of differences in data retention practices across the EU, especially where Member States have not transposed the Directive at all and therefore cannot participate in joint investigations.

Citizens are not sufficiently informed.

  • Service providers do not always notify their customers that their data may be disclosed to authorities where needed for criminal investigation. There is no procedure for reporting and redressing data breaches. Citizens often do not know who has access to the data.

Uneven data retention practices are an obstacle to the internal market.

  • Businesses in the telecommunications sector say that it is uncertain what types of data must be retained. The cost of compliance is claimed to be considerable, and this creates an obstacle to operating in more than one Member State, if there is no consistent cost reimbursement. Businesses also claim that this affects research and innovation into client-facing products. There are no enforceable EU standards for handover of the data when access is requested by law enforcement authorities, which can lead to inefficiency, especially if operators do not know which authorities are competent to request data. Sometimes, each request for data is sent to all major operators in the Member State, distorting the statistics which Member States provide to the Commission under Article 10 of the Directive.

Key consultation questions

To what extent is data retention necessary?

  • What is the evidence for the necessity of an EU obligation on operators to retain certain categories of telecommunications data?
  • In relation to what types of crime should it be permissible to access and use stored telecommunications data?
  • What precise categories of data should be retained in the light of evolutions in technology and criminal behaviour?
  • For how long should these categories of data be stored?
  • How can the EU ensure that data is stored and used only where it is strictly necessary to do so for the protection of the public against the harm of crime and terrorism?
  • What rules at EU level would be proportionate to the crimes which the storage and use of telecommunications data is intended to help solve?
  • Which authorities should be authorised to access and analyse these data?
  • Are there any alternatives to data retention which could be equally effective in fighting crime? What could be the role at EU level of a form of data preservation or 'quick freeze'?

How could the data retention regime be better regulated?

  • How should the risks of breaches of privacy and data protection be managed and minimised throughout the process of storage by providers, handover and use by authorities?
  • How could the EU ensure independent supervision of requests for access and of the overall storage and use regimes applied in all Member States?
  • How can particularly confidential communications data be protected?

How can we ensure appropriate standards of accountability?

  • How can the EU ensure that service providers are consistently reimbursed and that the impact on consumers is minimised?
  • What metrics and reporting procedures would enable assessment and comparison of how Member States apply the EU framework?
  • How can the EU ensure that citizens and data protection authorities are able to report abuses or seek information on how data is being used?

Impact

  • What would be the impact for security, criminal justice systems, for the work of law enforcement, for service providers and consumers of greater regulation at EU level in this area?





Glossary

Terrorism

In the absence of a generally accepted definition under international law, “terrorism” can be defined as ...


Telecommunications data

Personal data processed in connection with the provision of electronic communications services.


Interconnection payment

Charged by network operators on other service providers to recover the costs of the interconnection facilities ...


Data retention

Data retention refers to all obligations on the part of controllers to retain personal data for certain purposes...


Data

Characteristics or information, usually numerical, that are collected through observation.
