European Directive on Data Retention
The legislative proposal (Bill) for implementation of the European Directive on Data Retention overlooks the requirements imposed by the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR). Article 8 of the ECHR sets out the fundamental right of citizens to respect for their private life. The government may only infringe on that right to the extent that it is necessary in a democratic society. The Bill prescribes that providers of telecom services must retain telephone and e-mail information for 18 months and have it available for investigating, detecting and prosecuting serious crime. Retaining historical telephone and Internet information on every citizen in the Netherlands is an extremely radical measure, whose need must be demonstrated irrefutably. In the opinion of the Dutch Data Protection Authority (Dutch DPA) [College bescherming persoonsgegevens (CBP)], the need for a retention period of 18 months has not been demonstrated satisfactorily.
The European Directive on Data Retention is designed to harmonise national legislation within Member States on the retention of telephone and e-mail data for investigating, detecting and prosecuting serious crime. The Directive has to be converted into national legislation. The Directive on Data Retention allows a retention period ranging from at least six months up to a maximum of two years. Member States must take account of the requirements of the ECHR when choosing the precise retention period. A longer retention period will increase the risk of infringing on the right to private life. According to the Dutch DPA, insufficient account has been taken in the Bill of the requirements imposed by the ECHR; in particular, it has not been shown why it is necessary to retain this information for 18 months. The Dutch DPA considers that a period of 6 months will suffice in the Netherlands, which is in many cases longer than the period for which the data is currently kept for business purposes, for example for billing.
The Dutch DPA has also expressed a number of other points of criticism relating to the Bill. Thus, some important substantive choices with equally significant implications for private life - for example the categories of information that have to be retained - are not regulated with all the safeguards of formal legislation, but are rather delegated to subordinate legislation. The parameters for access to information have also been inadequately limited. Finally, there are no control mechanisms for the lawful use of information. The Dutch DPA recommends that the implementation of this regulation should be dealt with transparently, by means of a stringent duty of notification and maintenance of publicly available statistics on the manner in which the affected parties are notified - or not - that their information is actually being requested.
About the Dutch DPA
The Dutch Data Protection Authority (Dutch DPA) supervises compliance with legislation regulating the use of personal data, under the terms of the Wet bescherming persoonsgegevens (Wbp) [Dutch Data Protection Act]. The use of personal data must be notified to the Dutch DPA unless the situation is covered by an exemption.
The Dutch DPA advises the government and other organisations on the protection of personal data and associated topics. The Dutch DPA assesses codes of conduct and mediates in disputes between citizens and users of personal data. The Dutch DPA can, either on its own initiative or at the request of an interested party, investigate whether the way in which personal data has been used in a particular situation is in line with the Act, and can impose sanctions if necessary. A fine may be imposed for continued failure to report. In the event of an infringement of the Act, or its subordinate regulations, the Dutch DPA can proceed to impose an administrative fine or non-compliance penalty.