Dutch DPA advises negatively on Dutch draft data retention
(Dieser Artikel ist auch in deutscher Sprache verfügbar)
The Dutch Data Protection Authority (DPA) has made a strong case against the Dutch draft law regarding the implementation of the data retention directive. In its advice of 22 January 2007 the DPA comes to the conclusion that the draft disregards the requirements of article 8 of the European Convention on Human Rights, which protects the fundamental right to respect for one’s private life.
The draft introduces a retention period of 18 months, both for telephone and Internet traffic data. The arguments for this almost maximal retention period are mostly borrowed from a report of the Dutch Erasmus University of 22 June 2005, about which EDRI-gram previously reported.
This report was the first public research in Europe into the actual use by law enforcement of historical traffic data. The researchers looked at 65 police investigations that were provided by the Dutch Ministry of Justice as good examples of the usefulness of traffic data for law enforcement. They concluded that 'in virtually all cases' the police could get all the traffic data they needed, based on the average 3 months availability of telephony traffic data. The researchers also warned they could not qualify the usefulness of these data as direct or indirect evidence, or the representativeness of the sample of cases for law enforcement in general. But after failing to meet this essential test, the researchers organised talks with several anonymous police representatives. Based exclusively on those talks, the report recommended that a 1 year mandatory data retention term would be desirable.
This report did not fully convince the Dutch Parliament of the necessity of data retention at the time of EU negotiations about the directive. At the beginning of 2006, after a final compromise between the Council and the European Parliament had been reached, the Dutch minister voted in favour of the final data retention directive compromise against the wish of a majority of the Dutch Parliament. Former Minister of Justice Donner then stated in the Parliament: “I have indicated (in the Council) that I wanted room for the Netherlands for a retention period of one year, and for Internet data a period of half a year. That has been realised; that is possible now. That other Member States lay down longer terms in their national law is up to them.” The draft gives no account of this change of plans from rather minimal implementation to almost maximal, as regards the retention period.
The DPA further points out that by extending the retention of mobile telephone location data to all the location data generated during a communication, and not only the location data at the start of the connection, the draft goes beyond the demands of the directive. The DPA notes that this extension implies surveillance of the movement of large amounts of innocent citizens and points to the agreement in the European Parliament and the German implementation draft, where it is explicitly stated that the directive does not demand the retention of these location data generated during a mobile communication.
Another point of critique of the DPA are the limitations on access to the retained data. The DPA concludes that these provisions are too broad and need to be drafted more strict and precise. The Dutch DPA finally criticizes the use of delegation provisions. According to the DPA, the details on the specific data to be retained should be included in the law itself. The law should also be more specific about the obligation to provide the statistical data on the actual use of the retained data. The draft law is not at all clear about these essential ingredients of the data retention regime and delegates these matters power to the government.
The draft, now in the phase of consultation, was made public on 21 December 2006. It also provoked a strong reaction of a large coalition of telecom companies and ISPs. After this consultation phase the draft law will be sent to the Council of State.
Advice Dutch Data Protection Authority (in Dutch only, 22.01.2007)
Draft law implementation data retention directive (in consultation), (in
Dutch only, 21.12.2006)
EDRI-gram: Dutch study fails to prove usefulness and necessity data
(Contribution by Joris van Hoboken)