Header graphic for print
Privacy Compliance & Data Security Information on Data Breach Prevention and the Appropriate Response

European Telecoms and ISPs Start Storing User’s Internet Data

Posted in European Union

Starting April 6, 2009, European Union telecommunications companies and Internet service providers (ISPs) suddenly found themselves required to store even more data about their users.

Under existing requirements under the 2006 Data Retention Directive, telecommunications providers are required to retain records (when calls were made and the origination/destination details) regarding telephone calls made over their lines.

Now, The Data Retention Regulations 2009, those European telecommunication providers, and for the first time some ISPs (other than ISPs that also provide voice over IP services, which have always been covered), must retain details of Internet traffic and electronic mail transmissions for a period of six (6) to twenty-four (24) months from origination.  The United Kingdom has determined that the period of retention shall be twelve (12) months.  Sweden has threatened to “ignore” these new requirements.

Although the new regulations do not require the retention of the actual data (i.e., the telephone conversations, Internet content or the electronic mail content), affected European telecommunication providers and ISPs must retain the details of the transmissions (e.g., origination and destination telephone numbers, length of telephone calls, IP address of the user, but not the destination IP addresses, and electronic mail addresses, time of transmission).

 

The new requirements do not require retention of Internet data by all European telecommunication providers and ISPs.  Rather, providers must only retain this information when it is notified by the Secretary of State.  However, the existing requirement to retain records (e.g., when calls were made and the origination/destination details) regarding telephone calls made over their lines remains unaffected.

Government officials in the United Kingdom will be able to exercise powers under the Regulation of Investigatory Powers Act of 2000 (RIPA) to seek a court order for the release of the information stored under the revised Directive "for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law.”

Opponents of the new regulations speculate that this is another step toward a nationalized database, permitting governmental agencies to determine where a person was situated (whether telephonically or on the Internet) at any given time.  Proponents counter that the content is not recorded, and that the information can only be accessed when it is necessary and proportionate to make such collection.

Mark McCreary is a partner in Fox Rothschild’s Corporate Department, specializing in privacy and Internet law. If you have questions regarding this post, or any other privacy matter, you may contact Mark at (215) 299-2010 or mmccreary@foxrothschild.com.