EDPS: noodzaak bewaarplicht onvoldoende onderbouwd

Afbeelding: Racked maturation warehouse 5 van yvescosentino | Licentie: CC BY

De Europese Toezichthouder voor gegevensbescherming acht de onderbouwing voor de noodzaak van de bewaarplicht onvoldoende.

Zij schrijft dat in het rapport Opinion of the European Data Protection Supervisor on the Evaluation report from the Commission to the Council and the European Parliament on the Data Retention Directive (Directive 2006/24/EC)

After careful analysis, the EDPS takes the view that, although the Commission has clearly put much effort into collecting information from the Member States’ governments, the quantitative and qualitative information provided by the Member States is not sufficient to confirm the necessity of data retention as it is developed in the Data Retention Directive.

According to the EDPS, the information in the Evaluation report does not contain sufficient evidence to demonstrate the necessity of the data retention measure as laid down in the Data Retention Directive. However, the Evaluation report does permit the conclusion that the Data Retention Directive has regulated data retention in a way which goes beyond what is necessary, or, at least, has not ensured that data retention has not been applied in such a way. In that respect, four elements can be highlighted.

In the first place, the unclear purpose of the measure and the wide notion of ‘competent national authorities’ has led to the use of retained data for far too wide a range of purposes and by far too many authorities. Furthermore, there is no consistency in the safeguards and conditions for access to the data. For instance, access is not made subject to prior approval by a judicial or other independent authority in all Member States.

In the second place, the maximum retention period of two years appears to go beyond what is necessary. Statistical information from a number of Member States in the Evaluation report shows that the large majority of access requests relate to data up to six months, namely 86%. Furthermore, sixteen Member States have chosen a retention period of 1 year or less in their legislation. This strongly suggests that a maximum period of two years goes far beyond what is considered necessary by the majority of Member States.

Furthermore, the lack of a fixed single retention period for all Member States, has created a variety of diverging national laws which may trigger complications because it is not always evident what national law – on data retention as well as on data protection – is applicable when operators store data in a Member State other than the one in which the data are collected.

In the third place, the level of security is not sufficiently harmonised.  […]

In the fourth place, it is not clear from the report whether all categories of retained data have proven to be necessary. Only some general distinctions are made between telephone and internet data.

De EDPS trekt vervolgens de conclusie:

The analysis in the previous part justifies the conclusion that the Data Retention Directive does not meet the requirements set out by the rights to privacy and data protection. It is therefore clear that the Data Retention Directive cannot continue to exist in its present form. In that respect, the Commission rightly proposes a revision of the current data retention framework.

However, before proposing a revised version of the Directive:

  1. the Commission should, during the impact assessment, invest in collecting further practical evidence from the Member States in order to demonstrate the necessity of data retention as a measure under EU law.
  2. If a majority of Member States considers data retention to be necessary, these Member States should all provide the Commission with quantitative and qualitative evidence demonstrating it.
  3. Member States that oppose such a measure of data retention should provide the Commission with information to enable a broader assessment of the matter.

In the impact assessment it should furthermore be examined whether alternative, less privacy-intrusive means could have led or could still lead to comparable results. […]

The EDPS is pleased to see that the Commission has announced the consultation of all stakeholders concerned during the impact assessment. […]

It should be underlined that an assessment of the necessity and the examination of alternative, less privacy-intrusive means can only be conducted in a fair way if all options for the future of the Directive are left open. In that respect, the Commission seems to exclude the possibility of repealing the Directive, either per se or combined with a proposal for an alternative, more targeted EU measure.

Only if there is agreement on the need for EU rules from the perspective of the internal market and police and judicial cooperation in criminal matters and if, during the impact assessment, the necessity of data retention, supported and regulated by the EU, can be sufficiently demonstrated, which includes a careful consideration of alternative measures, a future Data Retention Directive can be considered.

Any future EU instrument on data retention should therefore meet the following basic requirements:

  • It should be comprehensive and genuinely harmonise rules on the obligation to retain data, as well as on the access and further use of the data by competent authorities.
  • It should be exhaustive, which means that it has a clear and precise purpose and that the legal loophole which exists with Article 15(1) of the ePrivacy Directive is closed.
  • It should be proportionate and not go beyond what is necessary […]