New Dutch data retention regime proposed: data must stay within the EU
More than seven months after the European Court of Justice declared the European Data Retention Directive ( 2006/24/EC) invalid, the Dutch Minister of Security and Justice proposed a bill to maintain the data retention requirements in the Netherlands. In response to the European Court’s judgment, this legislative proposal introduces several additional requirements for law enforcement agencies to gain access to the retained telecommunications data and requires providers to retain the data within the EU, but the old regime will largely remain intact.
For providers, the only real change is the requirement to keep the data it is required to retain within the Netherlands or another EU Member State.
Limitations for law enforcement agencies to access retained data
The most important change for law enforcement agencies will be the introduction of the requirement of prior authorization from an examining judge (rechter-commissaris) before the retained data may be accessed. Furthermore, law enforcement agencies can only access telephony data over a period of 12 months in the case of certain crimes which carry a sentence of 8 years or more on it. In case of less serious offences, this period is limited to 6 months. Besides these two limitations, there are several minor amendments which do not substantially alter the data retention regime which is currently in place in the Netherlands.
Requirement to retain data in the EU
Providers will still be required to retain all traffic data falling under the retention obligation for a period of 12 months (telephony data) or 6 months (internet data). The bill also introduces a new obligation which requires providers to keep the data it must retain within the EU. It will therefore no longer be possible for providers to retain such data outside the EU. Instead of applying a regime that is similar to the processing (including the storage) of personal data outside the EU, this proposal clearly imposes a territorial restriction on the location of data without any exceptions.
Political debate
Although the coalition parties (which make up the Cabinet) announced their support to this proposal, several Dutch opposition parties immediately announced that they oppose this bill and will likely try to have a vote on an alternative bill revoking the data retention obligation altogether, which was issued earlier this year. A day after the Minister of Security and Justice published the proposal, the Dutch Data Protection Authority issued a statement that it will review the proposal to maintain the data retention requirement.
In any event, the proposal will likely spark a heavy debate in Dutch parliament and we recommend providers offering telecommunications services in the Netherlands to keep a close eye on these developments.
- The judgment of the European Court of Justice invalidating the Data Retention Directive can be found here.
- The legislative proposal, including the explanatory memorandum, can be found here (only available in Dutch).
- The legislative proposal by the opposition parties to revoke the national data retention obligations can be found here (only available in Dutch).