Dutch DPA issues advice on revision data retention law
The Dutch Data Protection Authority (Dutch DPA) at the request of the minister of Security and Justice has issued its advice on a draft bill containing amendments to the existing data retention obligations for telephony and internet communications data. The Dutch DPA finds the need to retain all telephony and internet data in the Netherlands is insufficiently substantiated. The Dutch DPA therefore recommends that the bill shall not be presented to Parliament.
The draft bill is proposed following a decision from the Court of Justice of the European Union in April 2014, annulling the European data retention directive. The Court ruled that a general retention obligation for telecommunications data is in contradiction with the fundamental right to data protection as laid down in European law.
Content of the draft bill
The draft bill proposes amendments on several points, including:
- the introduction of a prior check by an examining judge of requisitions by public prosecutors to obtain historical telecommunications data;
- the introduction of a distinction between a retention period of twelve months for telephony data and the consultation period of these data of between six and twelve months, depending on the nature of the crime.
The retention of the historical telephony and internet data of virtually all Dutch citizens for 6 to 12 months is a far-reaching measure, requiring an irrefutable demonstration of necessity.
The Dutch DPA notes that the substantiation of this necessity in the draft bill falls short, even though law enforcement authorities have been able to gain experience with using retained telecommunications data in the 4,5 years since the entry into force of the Data Retention Law.
Moreover, the draft bill does not address the question whether less far-reaching alternative measures would be available to obtain the same result.
Disproportionate infringement of private life
The Dutch DPA notes the government holds on to a general data retention obligation. The Dutch DPA therefore concludes the infringement of the private life of virtually all Dutch citizens is too big and disproportionate.
It furthermore finds that 3 other preconditions have not been met that remain important, even if the data retention obligation were to be restricted. These are:
- the need to inform people that their data have been accessed after a criminal investigation has been finalised;
- transparency on the use of retained data, for example through the release of statistics on the number of times data have been accessed;
- the need to introduce exemptions for those bound by a duty of professional confidentiality.
Distinction between collection and use
Finally, the Dutch DPA has assessed the distinction between the retention of data and the subsequent use of these data, as envisaged by the government. This distinction does not alter the disproportionality between the purpose of the data collection and the infringement on the private life of virtually all citizens. Therefore, this general data retention obligation is unlawful.