Franz Büllingen, Aurélia Gillet, Christin-Isabel Gries, Annette Hillebrand, Peter Stamm
Stand und Perspektiven der Vorratsdatenspeicherung im internationalen Vergleich
Nr. 261 / Februar 2005
Summary
In April 2004 France, Ireland, UK and Sweden suggested a "Draft Framework Decision on the retention of data". The aim of this draft is to harmonize data retention regulation within the EU. In future all traffic data as well as customer data in the field of telephony (fixed and mobile) and the Internet shall be retained for at least 12 months and no longer than 36 months. During the controversial discussion about the draft it became obvious that an obligation for data retention is not implemented in the most important telecommunications markets. EU data retention plans go far beyond those data which are now stored by telecommunications providers for own purposes.
Against this background WIK-Consult examined on behalf of the German Federal Association for Information Industry, Telecommunications and New Media e.V BITKOM the legal basis and practice of data retention, data preservation and data storage for providers´ own purposes, the effectiveness of existing regulation and of law enforcement agencies` access to retained data as well as cost reimbursement regulations for data retention in France, Italy, the Netherlands, Austria, Sweden, Spain, UK and the US.
Our findings show, that a legal obligation to retain traffic data is hardly implemented in any market and that storage of "all traffic data" as the draft framework decision mentions is not carried out in any of the analyzed countries. Furthermore it becomes obvious, that the scope of the EU planned data retention reaches much further than the scope of the data that the providers store for their own purpose. Today data is mainly saved for billing and service provision itself. Because of data protection rules providers are not allowed to use the retained data for their own benefit, i.e. marketing activities.
The need for data retention is questionable. Systematic studies about its effectiveness could not be identified. Available statistics prove that in most cases only existing customer data is seized. Law enforcement agencies hardly seize traffic data older than 3-6 months. Thus a retention duration longer than the storage duration for providers´ purposes can barely be justified.
Main cost drivers in the field of data retention are the adjustment of IT systems for generating and saving additional data and the adoption of administrative procedures for securing as well as processing and analysing the data. Cost reimbursement regulations exist in almost every country. To prevent discrimination and competitive disadvantages in certain member states, EU harmonized rules for a comprehensive reimbursement are necessary.
ICT enterprises, data protection and consumer protection federations in all EU countries strongly oppose the draft framework decision. They criticize that the effectiveness of data retention, the costs and the data protection issues are not discussed sufficiently so far. The EU Commission´s hearing in September 2004 has shown that from the European Commission´s view the need for data retention is hardly justified and the costs are not sufficiently taken into consideration.
[Only German language version available.]
Diskussion Paper is available for download.