Current Status: The EU Data Retention Directive (DRD), adopted by the European Union in 2006, is the most prominent example of a mandatory data retention framework. The highly controversial Directive compels all ISPs and telecommunications service providers operating in Europe to collect and retain a subscriber's incoming and outgoing phone numbers, IP addresses, location data, and other key telecom and Internet traffic data for a period of 6 months to 2 years. This applies to all European citizens, including those not suspected or convicted of any crime. Pushed through by powerful U.S. and U.K. government interests, the DRD forces services providers to retain traffic data revealing who communicates with whom by email, phone, and SMS, including the duration of the communication and the locations of the users. The data is often made available to law enforcement.
A number of countries have transposed the Directive into national legislation including Austria, Bulgaria, Denmark, Estonia, France, Italy, Latvia, Liechtenstein, Malta, the Netherlands, Poland, Portugal, Slovakia, Slovenia, Spain, Norway, and the United Kingdom. Countries outside the European Union such as Serbia and Iceland have also adopted data retention laws. Constitutional Courts in some countries have issued decisions striking down national data retention laws for violating human rights. Nations now fighting the Directive include Cyprus, Czech Republic, Germany, Greece, and Romania. The DRD was adopted in Romania, but declared unconstitutional in 2009. In February 2011, Cyprus declared their national data retention law unconstitutional. The Courts in Bulgaria declared their mandatory data retention laws unconstitutional and the German law adopting the Directive was declared unconstitutional in March 2010.
In March 2011, the law transposing the EU Directive in the Czech Republic was annulled by the country’s constitutional court. Lithuania's law implementing the Directive was declared unconstitutional before the law took effect. Hungary's implementation of the directive is still under review by the Constitutional Court of Hungary. Some members of the European Union have refused to adopt the DRD into their national laws. In addition to Germany, Sweden continues to delay the implementation of the DRD. The European Commission has referred Sweden back to the European Court for failing to transpose the EU legislation into national law. In Slovakia, the NGO European Information Society Institute is opposing the Slovakian data retention implementation law.
Public Discussion: Since its passage, the EU Data Retention Directive has faced intense criticism and has an uncertain future. The Directive has been opposed by lawmakers in the European Parliament who argue that it fosters a surveillance society and undermines fundamental rights. While it has been integrated into national laws, legal fights against the DRD continue. An Irish constitutional challenge against its 2009 data retention law has been referred to the European Court of Justice (ECJ). The ECJ may decide on the legality of the overall Directive, which can have implications throughout the European Union.
The European Commission is carrying out an impact assessment of the Directive and has announced its intention to propose a revision. Leaked documents confirm that the Commission is seeking to create evidence supporting the need for a DRD scheme in the EU and unnamed parties are seeking to broaden the uses of DRD to include prosecution of copyright infringement. In April 2011, the Commission published an evaluation report of the DRD that revealed inconsistencies with how EU members implement the legislation and which authorities can access the data. The European Data Protection Supervisor (EDPS) criticized the report, arguing that the Commission has failed to demonstrate that the DRD is necessary and proportionate. Under the EU Charter on Fundamental Rights, the Directive will only be legal if both requirements are met. According to EDPS, the Commission has not demonstrated that data retention could have been regulated in a less privacy-intrusive way. EDPS also charges that the Directive leaves too much leeway for Member States to decide how the data is used, who can access the data and under what conditions.
Opponents are demanding that the Commission provide evidence that in the absence of a mandatory data retention law, traffic data crucial to the investigation of a "serious crime" would not have been available to law enforcement. They are also calling for a system of oversight that allows citizens to monitor the impact of DRD on their privacy. European Digital Rights (EDRI), a Brussels-based NGO, along with EFF and AK Vorrat is fighting to repeal the DRD in favor of targeted collection of traffic data. EFF supports EDRI’s position urging the Commission to overturn the DRD and stop the ongoing violation of 500 million innocent Europeans. This action would prevent Member States from using the Directive to legally justify massive collection and overbroad use of personal data.