The EU Directive on Data Retention: Implications for Service Providers

In May 2006, the European Union (EU) directive on data retention, Directive 2006/24/EC, came into effect. This directive imposes the obligation to retain traffic and location data on all service providers and network operators of mobile, fixed and Internet telephony, e-mail services, messaging and Internet access for specified minimum and maximum periods.

The European legislation was in direct response to the concerns of EU member states in relation to the use of communications in planning and perpetrating terrorist attacks. This comes in the wake of the attacks on the United States of America in 2001 and the recent attacks on Madrid and London in 2004 and 2005 respectively.

The introduction of the legislation aims at ensuring that data is accessible by law enforcement authorities to assist them in the investigation, detection and prosecution of serious crimes.

The provisions of the EU directive will need to be introduced by member states in their national legislations by 15 September, 2007. However, member states can opt to introduce regulations regarding Internet access as late as 15 March, 2009.

"Implementing solutions to comply with the EU directive on data retention will result in an onerous burden on communications service providers," notes the analyst of this research service. "The introduction of the legislation will have several implications for telecom operators, one of them being the cost to adapt current data retention and retrieval systems or deploy new ones, in order to ensure compliance with the provisions of the directive." Call detail record (CDR) systems will need to be updated to cope with the increase in communication and traffic data to be stored and managed. Costs will need to be incurred in assessing current systems, adapting them, and integrating new solutions that will comply with the regulations. Most importantly, service providers that were not previously included in the obligation to retain data will now have to meet the mandatory requirements of the EU directive.

According to the specifications of the directive, service providers are required to respond to lawful requests from competent authorities without ‘undue delay’. "The standard of ‘without undue delay’ was adopted as a criterion to measure the responsiveness of service providers to requests from law enforcement agencies," says the analyst. "However, the standard is unclear, with varied interpretations, some defining the standard to be in minutes, while others, a few hours." Thus, member states will need to define more clear parameters in this area.

Service providers and industry organisations will need to work with regulatory agencies and member state governments, as member states work on the transposition of the EU directive into national laws. By doing so, service providers will be able to positively influence the issues left unclear in the European legislation.