Dutch Parliament lowers data retention term to 12 months
(This article is also available in German)
The Dutch Parliament has lowered the data retention term in its implementation of the Data Retention directive to 12 months. The law has still to pass the Dutch Senate, which has been more critical of data retention in the last four years. A lot is still unclear about the law and many concerns, like the absence of evidence for the resulting interference with the right to private life and private communications, have not been adequately addressed yet. Still, the legislature will try to finalize the law before the summer break of the Parliament.
Interestingly, the three-party coalition forming the present Government was split into three camps, arguing for 6, 12 and 18 months respectively. The government kept arguing for 18 months, but a majority voted for an amendment lowering the term to 12 months. This term traces back to a report of the Erasmus University about the usefulness and necessity of data retention for telecommunication traffic and location data. After failing to prove such usefulness and necessity for data older than 3 months, the researchers had talks with police representatives. Based exclusively on those talks, the report recommended a 12-month retention period. Later on, the Dutch Council of State referred to that research and the proposed reasonable term of 12 months when it advised the government to lower the term.
Although the debate focused a lot on the retention term and the lack of evidence, there are many other issues that were debated. The Parliament also spoke about European developments, such as the procedure of Ireland before the European Court of Justice and the constitutional challenge in Germany. It also discussed the extent of parliamentary involvement with the contents of the decree which will contain more details about data retention in practice. The law now contains a list of data to be retained, after concerns were raised that this was the core of a data retention obligation and that the list would have to be agreed upon in Parliament. Unfortunately, the list is not very precise. It is as general as the list in the directive and seems to contain a mistake. Whereas the data retention directive does not require the retention of the destination for Internet use other than e-mail or telephony, the Dutch list does not make this distinction anymore.
The costs of data retention for the sector and consumers were also an issue of debate, but the available cost estimates are still vague. One of the reasons is that the precise scope of the data retention obligation for Internet traffic is unclear. General costs of data retention will not be reimbursed. The question about storage of the data in centralized or decentralized facilities has been evaded. At first, the data will be stored by the providers but this could change in the future. An amendment that would have restricted the possibility of claiming complete data sets - to be used for data mining in the context of combating terrorism - didn't make it. If the law is passed, both national security and law enforcement agencies will have the possibility to claim complete parts of the collection of data to be retained.
EDRi-gram: Dutch study fails to prove usefulness and necessity data
EDRi-gram: Dutch DPA advises negatively on Dutch draft data retention
Data Retention 12 Months (only in Dutch, 22 May 2008)
The data retention implementation law as sent to the Dutch Senate (only in Dutch, 22 May 2008)
(Contribution by Joris van Hoboken - EDRi-member Bits of Freedom - Netherlands)