D11.3: Economic aspects of mobility and identity

Title: DATA RETENTION

Data retention

Why data retention?

The retention of traffic and location data is a vigorously debated issue within the European Union and has significant implications on the industry. In the frame of the European Union a directive on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (hereinafter ‘data retention directive’) is recently adopted. Setting aside the fierce comments against the Directive, we will restrain ourselves in examining its substantial provisions that have impact on the industry.

An issue that could lead to legal uncertainty is the lack of definition of providers that fall under ‘providers of publicly available electronic communications services or of public communications networks’ (Art. 1 data retention directive) for the scope of this directive. The use of these general terms creates an uncertainty as to how the Member States will define this term. Such providers can be not only telecom operators and Internet Service Providers, but also internet cafes, universities that offer use of the internet to their students or even hotels who offer the use of communication facilities to their guests. An example of how much the obligation for retention of data can affect especially the SMEs in the Italian legislation that obliges internet cafes to ask for identification (keep a copy of the document) and log the user’s name and the type of the identification document.

Traffic data vs. content data

The data retention directive provides for the retention of traffic and location data as well as any related data necessary to identify the user or the subscriber. However the definition of traffic data is so broad that can reveal private and important information with regard to the user or the subscriber of the specific service. In the case of e-mail, as explained in detail in Working Part 29 Doc 37 ‘Privacy on the internet’, traffic data consists partly of information supplied by the sender and partly of technical information generated automatically during the processing of the e-mail. An example of traffic data are the e-mail addresses of the sender and the recipient. When the e-mail address has for instance the form ‘name.lastname@law.kuleuven.be’, it reveals obviously that there is a connection between the two participants in this communication, who are easily recognisable, and the collection and connection of more data might reveal personal information.

Pursuant to the goals of the new regulatory framework for electronic communications that wishes to separate the regulation of transmission from the regulation of content, the data retention directive does not cover data related to the content of the information communicated (content data) safeguarding the confidentiality of communications. The data retention directive does not call for the retention of traffic data related to the web browsing activities of the user. However such an obligation can be imposed by the national legislation of the Member States by virtue of Art. 15(1) ePrivacy directive which allows the retention of data for public order purposes. Therefore it is important to discuss on a ‘hidden’ privacy threat. The distinction between traffic data and content data is however not always as clear as the European institutions would like to believe, especially when it comes to the Internet. The following example will demonstrate how traffic data can reveal simultaneously generated content data as well, unveiling personal information about the user. When the user visits a search engine, his IP address is treated as traffic data. The same happens most commonly with the URL of the requested search. If for example the user gives Google the command to look for ‘scuba diving’, the URL:

www.google.com/search?hl=en&lr=&q=scuba+diving&btnG=Search (emphasis added)

will be generated, an information that is automatically logged together with the time and the IP of the user. When the URL that results from a search request is combined with the IP address of the user, the aforementioned information turns into an information ‘relating to an identified of identifiable natural person’ and thus to personal data. The aforementioned example is only one of the cases where the border between content and traffic data is vague.  

Types of data to be retained and retention period

The data retention directive includes a detailed list with the categories of data to be retained in Art. 5 and the main categories read as follows: 

a) Data necessary to trace and identify the source of a communication; 

b) Data necessary to identify the destination of a communication; 

c) Data necessary to identify the date, time and duration of a communication; 

d) Data necessary to identify the type of communication; 

e) Data necessary to identify users’ communication equipment or what purports to be their equipment; 

f) Data necessary to identify the location of mobile equipment. 

The providers of publicly available electronic communications services or of public communications networks need to be very carefully about the types of data they need to retain. For instance the data retention directive stipulates that with regard to data necessary to identify the date, time and duration of a communication concerning Internet e-mail, the data that shall be retained are ‘the date and time of the log-in and log-off of the Internet e-mail service, based on a certain time zone’ and not the time when an e-mail was sent and received.

The data retention directive provides for retention periods of not less than 6 months and for a maximum of two years from the day of the communication. Art. 15 (3) of the directive allows the Member States to postpone the application of the directive ‘to the retention of communications data relating to Internet Access, Internet telephony and Internet e-mail’ until 36 months after the data of adoption of the directive. 11 countries have declared to postpone the retention of such data.

The fact that the data retention directive does not take the modalities of Internet data into consideration is highly criticised. The volume of Internet data created every year is huge and several problems arise from these vast numbers of data that need to be retained. Furthermore the providers of publicly available electronic communications services or of a public communications network are obliged to retain all internet data for a long period of time, even when these data are never going to be useful for law enforcement purposes, like in the case of spam, which does not reveal any connection between the sender and the recipient. Moreover they need enormous storage capacities not only to save, but also to manage these data and the actual possibility to find some data that can be useful for law enforcement purposes is most unlikely. In addition to that the typical internaut leaves a ‘trail’, creating traffic data that can reveal much more information about his/hers habits and interests than data on whom a person was contacted by telephone.

The data retention directive allows the Member States to extend the maximum retention period, when facing particular circumstances. The taking of this measure shall follow an immediate notification to the Commission and information to the other Member States of the measures taken, indicating the grounds for introducing them. Within six months the Commission shall approve or reject the imposed national measures. In case the Member States decide to extend the retention period for a longer period of time the economic burden on the providers of publicly available electronic communications services or of a public communications network is going to be heavy.

Cost reimbursement

The data retention directive does not provide for the reimbursement of the providers of publicly available electronic communication services or of a public communication network for demonstrated additional costs they have incurred in order to comply with obligations imposed on them as a consequence of the data retention directive. However, the European Commission has recognised the opinion that ‘reimbursement by Member States of demonstrated additional costs incurred by undertakings for the sole purpose of complying with requirements imposed by national measures implementing this Directive for the purposes as set out in the Directive may be necessary’. Although such a reimbursement could thus be granted as a legitimate state aid, the Member States are not obliged by the data retention directive to reimburse such costs.