In a landmark announcement issued today, the data protection officials across the European Union found that the way that EU Member States have implemented the data retention obligations in the 2006 EU Data Retention Directive is unlawful. The highly controversial 2006 EU Data Retention Directive compels all ISPs and telecommunications service providers operating in Europe to retain telecom and internet traffic data about all of their customers' communications for a period of at least 6 months and up to 2 years.

European privacy officials from the Article 29 Data Protection Working Party have been reviewing how the EU Member States have implemented these obligations in their national laws.

Among the most important findings of the Article 29 Working Party’s report are:

  • "Service providers were found to retain and hand over data in ways contrary to the provisions of the [data retention] directive."
  • "There are significant discrepancies regarding the retention periods, which vary from six months to up to ten years, which largely exceeds the allowed maximum of 24 months."
  • "More data are being retained than is allowed. The data retention directive provides a limited list of data to be retained, all relating to traffic data. The retention of data relating to the content of communication is explicitly prohibited. However, it appears from the inquiry that some of these data are nevertheless retained."
  • Regarding Internet traffic data: "Several service providers were found to retain URLs of websites, headers of e-mail messages as well as recipients of e-mail messages in "CC"- mode at the destination mail server.
  • Regarding phone traffic data: "it was established that not only the location of the caller is retained at the start of the call, but that his location is being monitored continuously."
  • "Member states have scarcely provided statistics on the use of data retained under the Directive, which limits the possibilities to verify the usefulness of data retention."
  • "The provisions of the data retention directive are not respected and the lack of available sensible statistics hinders the assessment of whether the directive has achieved its objectives."

The timing of the Article 29 Working Party’s opinion is particularly sensitive because the European Commission is currently conducting an evaluation of the impact of the Data Retention Directive on economic operators and citizens in Europe. One of the possible outcomes of this evaluation is a recommendation that the Data Retention Directive should be amended or repealed in its entirety. The Article 29 Working Party has submitted its report to the European Commission to provide the Commission with vital empirical evidence for its evaluation of whether to recommend the amendment or repeal the Directive.

Once completed, the Commission’s evaluation will be sent to the European Parliament and the Council of Ministers. Reflecting the far-reaching impact and sensitive policy issues involved in the Data Retention Directive, three Commissioners are likely to be engaged in its review. The EU Commissioner for Home Affairs, Commissioner Malmström leads the evaluation process, but it is expected that Vice President of the Commission and EU Commissioner for Justice, Fundamental Rights and Citizenship, Commissoner Reding and the Commissioner for the Digital Agenda, Commissioner Kroes will also participate actively in the review process.

EFF, AK Vorrat and a coalition of over 100 organizations across Europe recently called for an end to mandatory data retention of telecom and Internet traffic data. In a joint letter sent last month to European Commissioners Malmström, Reding, and Kroes, the coalition urged the Commissioners to "propose the repeal of the EU requirements regarding data retention in favor of a system of expedited preservation and targeted collection of traffic data as agreed in the Council of Europe's Convention on Cybercrime."

In her July 7 reply to the coalition letter, Commissioner Reding stated that, "the review of the EU Data Retention directive provides the European Commission, but also the 27 EU Member States and the European Parliament, with an opportunity to assess the effectiveness and proportionality of the measures included in the Directive. I will in this context ask for a particular focus on the considerable impact data retention may have on fundamental rights of all European citizens, especially with regard to their privacy."

With the recent adoption of the Lisbon Treaty and the entry into force of the Charter of Fundamental Rights, privacy and data protection has been strengthened in the European Union, including in the sensitive areas of law enforcement and crime prevention.

We must now see whether the European Commission will be faithful to the Charter of Fundamental Rights, and recommend the repeal of the overbroad 2006 Data Retention Directive.