Privacy and data retention policies in selected countries
Currently, Article 15(1) of the Privacy Directive provides EU member states with a national security and crime prevention exception to EU data protection requirements. However, at least nine EU member countries (Belgium, Denmark, Finland, France, Ireland, Italy, Spain, Switzerland and the United Kingdom) have adopted various national laws mandating data retention. The EU Commission’s draft Directive on Data Retention would require communications companies to retain all fixed and mobile telephony data and location data for one year, and IP-based communications data for six months.[1] This draft was introduced by the Justice Ministries of France, Ireland, Sweden and the United Kingdom on 28 April 2004 and seeks to harmonize the rules on communications data retention among member states in order to facilitate judicial cooperation in the criminal area. The storing of location data of mobile phones includes lists of websites visited, all details of phone calls made (including the identity, at least by number, of the caller and recipient), and details of any e-mails and text messages sent. In addition, companies that temporarily retain individual customer information for billing and related business purposes would be required to keep it in a form accessible to law enforcement and other government agencies for one to three years.
In Italy, the government passed the Decree Law on Anti-terror Measures on July 27, 2005, which mandates a data retention period for telephone data for a minimum of two years and five months, and Internet traffic data for at least six months. Article 6 of the Decree Law orders the suspension until 31 December 2007 of the implementation of any measures that order or allow the deletion of telephone or Internet based communication traffic data that allows for tracing access and services. Traffic data will include data concerning telephone calls that were not answered. In addition, before issuing a SIM card, it will be compulsory for telecommunications service providers to acquire personal data contained in an official identification document presented by a customer.[2] In addition, when Italy adopted the EU Privacy Directive in 2002, it immediately created an exception to the obligation to erase traffic data, and under Article 132 of the Data Protection Code, telecommunications service providers are already required to retain telephone traffic data for the purpose of detecting and preventing crime for four years (albeit without the location data).[3]
In New Zealand, the Telecommunications Information Privacy Code 2003[4] was enacted under the Privacy Act 1993[5] in order to amend the information privacy principles in the Act with regard to telecommunications agencies. The Code affects all telecommunications agencies (including telephone companies, publishers of telephone directories, Internet service providers, mobile telephone retailers and call centers) in their handling of personal customer information. The Code does the following: (a) ensures that subscribers need not pay to keep their details from being published in the telephone directory, (b) requires “blocking” options to be available free of charge when caller ID is offered, (c) prohibits the use of traffic data gained from interconnection for unauthorized direct marketing, (d) prohibits reverse search directories without individual consent, (e) allows telecommunications agencies discretion in processing personal information, such as allowing disclosure for purposes of preventing or investigating a threat to the telecommunications network or service security or integrity, and (f) prohibits the retention of telecommunications information for longer than is required for the purposes for which the information may be lawfully used. In addition, the Telecommunications Interception Capability Act 2004[6] requires public telecommunications networks to be interception-capable so as to achieve greater effectiveness in law enforcement and security.
In the United States, Title 18 of the United States Code, Section 2703(f) states that: “A provider of wire or electronic communications services or a remote computing service, upon the request of a government entity, shall take all necessary steps to preserve records and other records in its possession pending the issuance of a court order or other process.” The policy of the U.S. Government is based on the belief that investigators and prosecutors need the ability to have service providers preserve (without disclosing), for a limited period of time, any data which already exists within their network architecture and which relates to a specific investigation. The law requires preservation for 90 days, renewable for another 90-day period. After such period, access to these historical records can be obtained pursuant to a court order or in conformity with other due process protections. For example, the Privacy Act requires, with some exceptions, that disclosure of any personal information be allowed only pursuant to a written request or prior written consent of the individual to whom the information belongs.[7] The requirement for data preservation does not, however, require a service provider to collect data prospectively, nor does it permit the preservation of everything in a service provider’s systems – only the information that relates to a specific investigation. The United States also does not require ISPs to routinely destroy or retain communications data. ISPs are free to destroy or retain communications data as they each choose, based upon their own assessments, resources, needs and limitations.[8]
1 A copy of the draft directive is available from the website of the European Digital Rights organization at http://www.edri.org/docs/EUcommissiondataretentionjuly2005.pdf.
2 Decree Law no. 144 of 27 July 2005 on urgent measures to fight international terrorism.
3 See Personal Data Protection Code, Legislative Decree no. 196 of 30 June 2003. See also EDRI, Italy decrees data retention until 31 December 2007, 10 August 2005, available at http://www.edri.org/edrigram/number3.16/Italy.
4 Telecommunications Information Privacy Code 2003, 2 May 2003.
5 Privacy Act 1993, Law no. 28, 17 May 1993.
6 Telecommunications (Interception Capability) Act 2004, Law no. 19, 5 April 2004.
7 The Privacy Act of 1974, as amended, 5 U.S.C., Section 552(a). The Privacy Act protects records held by U.S. government agencies.
8 “U.S. Discusses Data Protection, Retention Policies with EU Member states,” speech by Mark M. Richard, Counselor for Justice Affairs at the U.S. Mission to the EU, 14 April 2005.