Blogs
LIMA Weekly Insights

EU initiatives strengthening the legal basis for Data Retention

Max Posthuma de Boer, Product Manager at Group 2000

Date January 27, 20224
Author Max Posthuma de Boer
Read 12 Min
Abstract display of bright, streaking white and blue lights resembling fast-moving beams or digital data streams.

Ever since the CJEU court ruling of April 8th, 2014, where the CJEU ruled that the validity of the Data Retention Directive 2006/24/EC is no longer valid, several initiatives have been taken to re-introduce a legal basis directly or indirectly on both national and European wide level.

Some of these initiatives are based upon more recent judgments of the CJEU, which ruled that data retention is still permissible as long as they are based on clear and proportionate obligations as described in the legislation and subject to strict substantive and procedural safeguards.

In this blog, Group 2000, your architects in safety and intelligence, will discuss two of these initiatives which are currently on the table and which are related to the possible re-introduction of new data retention laws and/or directives or which justifies the need for service providers to have a data retention platform for legal purposes.

EU initiative

Mid 2021, the Council of the European Union requested their member states how to introduce data retention again while respecting the principles of purpose limitation, proportionality, and necessity as ruled by the CJEU. Three scenarios were proposed:

  1. National implementation without any EU initiative.
  2. Only guidance and recommendation from the EU, but no regulatory initiative.
  3. EU Regulatory initiative on data retention.

The legislative approaches in option 3 consist of:

  • Data retention for national security: Generalised retention and location data of electronic communication services, including Over-The-Top communication services for national security purposes.
  • Targeted data retention: retention of data of specific persons, groups, or geographical locations for serious crime and serious threats to public security.
  • Quick freeze: allow authorities to issue an order to retain traffic and location data of an individual for a specified (renewable) period.
  • IP address retention: retention of information on each Internet connection allowing to identify Internet users and trace their online actions.
  • Civil identity data: retention of identity data on all subscribers of communications services.

These options are detailed in the EU Commission’s Non-paper on the way forward on data retention.
The member states were requested to answer questions related to each scenario and approach before July 16th, 2021.

The written responses of five member states have been made public and can be found here: FinlandGermanyLuxembourgthe Netherlands, and Sweden.

Although the responses of the other member states are not public, it is clear that so far the only consensus is the need for data retention legislation. However discussions and negotiations are still required on the approach, the scope of such legislation(s), and terminology used within the non-paper, like for example what the definition is of a serious crime.
From the public responses, many concerns were raised, e.g. the proposal for targeted data retention member states had concerns regarding the effectiveness, technical implementation but also legal concerns about how the proposal could be performed without discriminating against certain groups of persons in the process.

From the responses, it is clear that the EU will play a pivotal role in new legislation for data retention. Up to that moment, current local data retention laws if and when in place remain active. For those countries where there is no legal basis for data retention, disclosure requests on subscriber information or subscriber data are still being issued at service providers. Therefore, having a Data Retention or Legal Disclosure solution remains beneficial for many CSPs, specifically when they are faced with a substantial amount of disclosure requests.

Protocol for Cyber Crime Convention

Already since 2001, EU Member states and other parties were discussing protocols regarding enhanced cooperation and disclosure of electronic evidence. This month, the 2nd draft of the Cybercrime Convention was approved for further editorial review and submission for signatures in May 2022.
Within this treaty, two articles (art. 7 and 8) of this treaty will impact the use and adoption of Data Retention.
These articles empower authorities to submit cross-border Legal Disclosure requests on subscriber information and traffic data and forces each party of this treaty to implement legislation to address these request.

Art 7.1 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to issue an order to be submitted directly to a service provider in the territory of another Party, in order to obtain the disclosure of specified, stored subscriber information in that service provider’s possession or control, where the subscriber information is needed for the issuing Party’s specific criminal investigations or proceedings.

Art 7.2a Each Party shall adopt such legislative and other measures as may be necessary for a service provider in its territory to disclose subscriber information in response to an order under paragraph 1.

  1. Art. 8.1 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to issue an order to be submitted as part of a request to another Party for the purpose of compelling a service provider in the requested Party’s territory to produce specified and stored.
    1. subscriber information, and traffic data. In that service provider’s possession or control which is needed for the Party’s specific criminal investigations or proceedings.

Art 8.2 Each Party shall adopt such legislative and other measures as may be necessary to give effect to an order under paragraph 1 submitted by a requesting Party.

When this treaty comes into effect, the increased number of Legal Disclosure requests service providers might receive from either local authorities or indirectly from foreign authorities provides further justification for having a Data Retention or Legal Disclosure solution in place to efficiently handle these requests. In addition, the articles mentioned above within this treaty might accelerate (further) legislative measures for data retention in EU member states and other parties of this treaty.

Feel free to contact us if you want to learn more about our Storage and Disclosure solutions for compliance needs. Leave your details in the form and we will contact you as soon as possible. Or you could contact us on 0031 546 482 400 or info@group2000.com.

Max Posthuma de Boer
Senior Product Manager

We Support Your Business

Do you have a question, or an interesting case? Get in touch with one of our experts.