Time to revisit data retention?

The European Commission received over 5,000 responses to its recent call for evidence for an impact assessment with regard to the role of data retention rules at EU level. Many of the responses to the consultation, which closed on 18 June, strongly opposed the Commission’s initiative to reboot data retention obligations. This illustrates that data retention is a hot topic that gets wide attention across the market, civil rights organisations and EU citizens.

According to the Commission, certain metadata processed by service providers are needed to effectively fight crime. Since no EU-wide legal framework exists requiring providers to retain metadata for a reasonable and limited period of time for criminal proceedings, data may no longer exist by the time authorities request them. The lack of harmonised data retention rules for key categories of data was identified by the police, prosecution services and judicial authorities as a substantial challenge for national criminal proceedings in crimes happening both online and offline and hampers cross-border cooperation across the EU. In the Commission’s view, the current divergences between EU Member States’ laws governing the retention of data can hamper criminal proceedings and affect service providers operating across the EU.

To recall, in 2006, the European Union adopted the Data Retention Directive. It required EU Member States to retain telecommunications data for a minimum of six months and up to two years. This data included details such as IP addresses, time of use and other metadata related to phone calls, emails and text messages.

On April 8, 2014, the European Court of Justice (CJEU) declared the Directive invalid. The Court ruled that the Directive violated the EU Charter of Fundamental Rights, particularly the right to privacy, as it mandated blanket data collection without sufficient safeguards. The Commission is now seeking ways to re-introduce harmonised data retention obligations.

The overall objective of the Commission’s proposed initiative is to ensure the availability of certain categories of non-content data for the purpose of carrying out successful criminal investigations and prosecutions, while respecting and safeguarding EU standards for the protection of fundamental rights, preserving cybersecurity and the integrity of the EU Market.

To achieve this, the Commission will consider and assess different options. These include:

• Soft law measures to enhance cooperation between public authorities and electronic communication service providers, both number dependent and number independent, such as common standards at EU level for data categorisation, forms for requesting and providing data, guidelines on minimum retention periods on subscribers’ and IP addresses/w timestamp, voluntary cooperation; and
• Legislative measures setting mandatory requirements for all service providers covered by the European Electronic Communication Code (EECC) for the retention of and access to non-content data in compliance with existing case law of the Court of Justice of the European Union. Different legislative solutions might be designed depending on the non-content data to be retained in conjunction with the crime to be pursued.

In any case, the Commission will need to take due notice of the decision of the CJEU ruling of 8 April 2014 with regards to data retention vis-a-vis the EU Charter of Fundamental Rights, particularly the right to privacy. In this context, the Commission is advocating that “Retaining metadata with purpose and restraint can become a cornerstone of proactive cybersecurity. It can help protect not only institutions but also the everyday citizen.” Nevertheless, many EU-citizens have strongly voiced privacy concerns.

Next steps

The European Commission will decide on what it regards as the most appropriate option during the impact assessment, based on the evidence collected, the consultation of stakeholders and after comparing the different options. The impact assessment is announced for the first quarter of 2026.