Data Retention has Serious Consequences


Data retention image 1After the tragic events on September 11th 2001, the world is very aware of the threat of terrorism. The reactions of many governments, and new criminal actions, have led to an increase of law enforcement activities to prevent such events in future. Modern communication technology influences our daily life to a great extent, but it also constitutes a potential channel for criminality and terrorism. Policy makers see the advantage in gaining access to communication records in their fight against terrorism. On November 23th 2001 the Council of Europe opened the Cybercrime convention [1] for signature, which aims to improve law enforcement capabilities and to extend surveillance possibilities. In particular, articles 16 and 17 in this convention demand an implementation within national legislation on preservation of traffic data. According to statewatch [2], everything indicates that the European Commission is preparing the same kind of legislative basis for data retention in the European Union. The document mentions a data retention time of 12 to 24 months for traffic data. As traffic data the proposal for a directive defines:

• Data necessary to follow and identify the source of a communication;

• Data necessary to identify the destination of a communication;

• Data necessary to identify the time of a communication;

• Data necessary to identify the subscriber;

• Data necessary to identify the communication device.


CEPIS has serious concerns with regard to this proposal as follows: If governments require others to collect and keep data for future possible examination by Law enforcement (and make extracts from the retained data) – in the EC draft the service providers are mentioned – these laws need to clearly point out the privacy relevant character of this kind of data. Additionally, such sensitive data require confidentiality protection so that only authorized parties can access them. Moreover any regulation should clearly specify who should be authorized to access the data, under which circumstances, and which legislation, especially in the international environment, will be applicable. Another privacy related problem is directly connected to the nature of the data. With modern communication technology (Internet, GPRS, UMTS), people are “ever more connected”, and the traffic data reveals many more personal details than is the case in the world of „classical“ communication. Not all these data are necessary to be retained and stored.

Data retention image Our third concern is that in order to fulfil the upcoming legal requirements, a service provider must set up special facilities (to collect, retain and extract specific items from the data), which have both cost and technology implications. Given the set of data defined as traffic data, multiplied by the sum of communication events, the very substantial volume of data involved can be clearly recognized. We feel it necessary to point out that huge technical problems can arise concerning the storage, the ability to provide appropriate protection of such a volume of data, and for any extracts from the mass of data requested by law enforcement to be timely provided. Additionally, calculations undertaken in Germany [4] indicate high costs for the service providers, which if passed on to the customers will make internet access more expensive and therefore less attractive. Therefore it is unreasonable to place the cost of storing this data for 12 – 24 months to the service providers. CEPIS sees two options to solve this problem which need to be applied simultaneously. The first option is reduce the storage time and the amount of data to be stored. Secondly law enforcement should cover the additional costs for the installations .

A fourth concern is related to law enforcement.

1. There are serious doubts that enough resources for investigation are available to deal with the large data volumes to be expected. This lack would make retention an expensive but fruitless exercise

2. There is a need for cooperation between the investigating authorities and the service providers who have to collect and retain the data, and this cooperation needs to be described precisely. The directive fails to describe any process for achieving this cooperation, or who should cover the emerging expenses.

Our final concern is about the general intention of such a directive. We expect that the terrorists and criminals will find ways around this regulation, so that honest users will be left with the risks and costs of data retention but with no real benefit to themselves.

Recommendations Based on those findings CEPIS strongly recommends that the need for a data retention directive is reconsidered. Additionally CEPIS recommends that the European Commission acknowledges the need:

1. To ensure that privacy is given proper consideration in any data retention directive and that directives governing privacy of data are appropriately amended for the new legislative situation.

2. To regulate under which circumstances and under whose authority law enforcement authorities are entitled to access collected data. Equally to ensure the access provided will not prejudice the rights of defendants.

3. To specify legal requirements for confidentiality of any stored data and clear processes for ensuring the deletion of the data after a defined time-span.

4. To provide as narrow a definition of “traffic data” as possible in order to minimise the retention of privacy-related material, and the associated storage costs.

5. To reconsider the need for a 2 year retention period,

6. To clearly define a process for mutual cooperation between the service providers and the authorities, and to define rules for reimbursement of the expense of investigations.


[1] Convention on Cybercrime, ETS no. : 185, Council of Europe,

[2] EU Presidency issues statement on data retention, Statewatch,

[3] Surveillance of communications: data retention to be “compulsory” for 12-24 months, Statewatch,

[4] Datenschutzsymposium 14. September 2000, Datschutzbeauftragter,


Dowload the full statement on Data retention has serious consequences