Transcript of http://edri.org/doc/EUcommissiondataretentionjuly2005.pdf:
EXPLANATORY MEMORANDUM
1. INTRODUCTION
Citizens increasingly perform daily activities and transactions using electronic
communications network and services. These communications generate 'traffic data' or
'location data' which include for example details about the location of the caller, the number
called, the time and duration of the call.
Directive 2002/58/EC on Privacy and Electronic Communications harmonises through its
Articles 6 and 9 the personal data protection rules which are applicable to the processing of
traffic and location data generated by the use of electronic communications services. Such
data must be erased or made anonymous when no longer needed for the purpose of the
transmission, except for the data necessary for billing or interconnection payments; subject to
consent, certain data may also be processed for marketing purposes and the provision of value
added services.
When combined with data enabling the identification of the subscriber or user of the service,
the availability of such traffic data is important for purposes related to law enforcement and
security, such as the prevention, investigation, detection and prosecution of crime and
terrorism. This is recognised in Article 15 (1) of Directive 2002/58, which stipulates that
Member States may provide for restrictions of the scope of (amongst others) Article 6 and 9
mentioned above, when such restrictions constitute a necessary, appropriate and proportionate
measure within a democratic society to safeguard national security, defence, public security
and the prevention, investigation, detection and prosecution of criminal offences. As a
consequence, these purposes can be invoked to justify the storage and processing of traffic
and location data other than in accordance with Articles 6 and 9.
It has now become urgent to adopt harmonised provisions at EU level on this subject. A
certain number of Member States have adopted, or plan to adopt, national measures requiring
some or all operators to retain given types of data so that they can be used for the purposes
identified above when necessary. Differences in the legal, regulatory, and technical provisions
in Member States concerning the retention of traffic data present obstacles to the Internal
Market for electronic communications as service providers are faced with different
requirements regarding the types of data to be retained as well as the conditions of retention.
These provisions should therefore be further harmonised in accordance with Article 14 of the
EC-Treaty.
The necessity to have ruls at EU level that guarantee the availability of traffic data for anti-
terrorism purposes across the 25 Member States was also confirmed by the European Council
in its Declaration on combating terrorism of 25 March 2004. Following the Madrid terrorist
bombings, the European Council instructed the Council to examine 'proposals for establishing
rules on the retention of communications traffic data by service providers'. The Declaration
also stated that priority should be given to these with a view to adoption in 2005. The priority
attached to adopting an appropriate legal instrument on this subject was recently confirmed in
the Conclusions of the European Council of 16 and 17 June, as well as at the special JHA
Council meeting of 13 July.
While the desirability of establishing rules on this issue from a public security perspective is
therefore clearly established, it is important to find an appropriate balance between different
kinds of interests, sometimes diverging: law enforcement needs, human rights and
competition aspects. An approach needs to be found which takes these different interests into
consideration.
In terms of protecting risks to the private life of citizens, this can be achieved firstly through
clearly establishing the purpose for which data which are retained can be used, secondly
through limiting the categories of data which need to be retained, and thirdly through limiting
the period of retention time. Another important safeguard is that this Directive is not
applicable to the content of communications - this would amount to interception of
telecommunications, which falls outside the scope of this legal instrument.
Another point worth considering within this context is that the personal data retained by the
sevice and network providers under the provisions of this Directive are covered by the
general and specific data protection provisions established under Directives 95/46/EC and
2002/58/EC - which means in practice that additional provisions on general data protection
principles and data security are not necessary. It also means that the processing of such data
will be under the full supervisory powers of the data protection authorities established in all
Member States.
As a final protective element, the Directive foresees an active involvement of the Working
Party on the Protection of Individuals with regard to the Processing of Personal Data
instituted by Directive 95/46/EC in the evaluation process of the Directive.
These guarantees will aid in ensuring that the threat to the private life of citizens of this
measure will be very limited, and that the data will be used by a limited number of competent
authorities, and for well-established, legimate purposes. At the same time, it should be
recognised that the rules establishing the authorities competent to have access to the data, and
the subsequent use of such data, are to a large extent issues which belong to the competence
of the Member States. They therefore fall outside the authority of the Community legislator,
and can only be regulated at the EU level insofar as the Treaty of European Union provides
for a legal basis for this. The same is true for cooperation between competent authorities
across borders - this is not addressed by the present instrument, since approximation of
national provisions governing such cooperation must persued under Title VI of the Treaty
on European Union.
In order to ensure that the Directive stays up-to-date within the rapidly changing technical
environment of electronic communications, it provides for two additional elements. Firstly, a
Comitology mechanism is foreseen to allow for quick amendments to the details of the data
which need to be retained. Secondly, the Directive sets up an advisory Platform with
representatives of law enforcement, the electronic communications industry and data
protection authorities, which will provide for opportunities to work together on this difficult,
but important issue in a public-private partnership approach. The Platform will be consulted
whenever the details of the list of data to be retained are to be amended.
2. AIMS AND OBJECTIVES
The proposed Directive is intended to harmonise obligations for providers of publicly
available electronic communications services or a public communications network to retain
certain data for the purpose of the prevention, investigation, detection and prosecution
of criminal offences.
As a consequence the provisions of the first paragraph of Article 15 of Directive 2002/58/EC,
relating to the prevention, investigation, detection and prosecution of criminal offences, need
to be amended as the measures related to them are harmonised with this Directive.
The Directive also confirms that it applies not only to data related to natural persons, but also
to data related to legal persons. There is no legitimate reason why communications emanating
from a legal person should not be covered by this Directive - there are certainly cases where
this information, even if it does not yet provide a link to the actual person involved in the
communication, is a useful starting point for further inquiries and investigation by the
competent authorities. It should not be possible for suspects of crime and terrorism to 'hide
behind' a corporate front, and thus escape the application of the data retention obligations.
It has been argued that an obligation to retain traffic data of the electronic communications of
all citizens is a diproportionate measure, since it targets not only suspects of crime and
terrorism. This argument is usually accompanied by a reasoning which states that measures to
preserve data related to only those suspects would be an equally adequate measure. Whilst it
is certainly true that the measures obliging network and service providers to preserve data on
specific suspects is necessary, both for preventive and investigative purposes, those measures
can only cover the needs of law enforcement partially, since this only relates to the
general obligation of data retention, it is not guaranteed that law enforcement can investigate
communications which took place before the crime or act of terrrorism was actually
committed. This would then depend on the availability of data which was retained
coincidentally, or on prior knowledge by law enforcement of the identity of a suspect before
the actual criminal event took place will provide valuable clues and evidence as to the
preparation of offences, and the other persons who were involved in that preparation. The
conclusion drawn from this must be that a general data retention obligation is an
indispensable element for the prevention and investigation of crime, in addition to the
posssibilities offered by data preservation schemes, which can only focus on specific persons
identified beforehand by the law enforcement authorities.
The proposed Directive harmonises the following elements: (a) the types of data to be
retained, (b) the periods of time during which the data should be retained (c) the purposes for
which the data may be supplied to the competent authorities. It also provides for an obligation
on the service providers to retain the data in such a way that they can co-operate with the
competent authorities without undue delay, whilst leaving it to the Member States to
determine which authorities are competent under national legislation. Finally, the Directive
also provides for the principle of reimbursement of the additional costs incurred by the
network and service providers o comply with the obligations imposed on them as a
consequence of this Directive. This is an essential element to ensure that there will be no
market distortion through the application of different national cost reimbursement schemes.
3. DESCRIPTION OF ARTICLES
Articles 1 and 2: Scope and Aim and Definitions
The provisions on the scope and aim of the Directive are covered in the general part of this
explanatory memorandum. With respect to the definitions it should be noted that this
Directive uses to a large extent the definitions already established in the general legal
framework regulating the electronic communications sctor. This provides the benefit of a
consistent approach, and makes it possible to limit the introduction of new definitions.
Article 3: Obligation to retain data
This provision is the core element of the proposal and is largely self-explanatory. Member
States must adopt measures to ensure that data which are processed by providers of publicly
available electronic communication services or a public communications network within their
jurisdictions are retained in accordance with the provisions of this Directive, The definitions
ensure that both network and service providers are covered by this provision.
The second paragraph guarantees that the relevant information can only be provided for the
purposes of prevention, investigation, detection and prosecution of criminal offences. This
wording is taken directly from Article 15(1) of Directive 2002/58/EC.
Given the amendment proposed to Article 15 of Directive 2002/58/EC in Article 9 of the
current proposal, it is necessary to specify that the measures foreseen under the new Directive
provide for a restriction of the scope of the rights laid down in Articles 5, 6 and 9 of Directive
2002/58/EC.
Article 4: Categories of information to be retained
Rather than providing a detailed technical description of the various types of data to be
retained, the Directive itself lists the categories of information that electronic service
providers should be able to make available to the competent authorities. Such a 'result-
oriented' list provides a certain degree of flexibility to the Member States in deciding what
obligations will need to be met and to the operators on how to meet these obligations. The
further detail of the types of data to be retained under these categories is included in the
Annex to the Directive, which can be amended quickly using the Comitology approach. In
order to assist Member States in the implementation of the Directive, an advisory Platform
will be created consisting of representatives of the Member states and their law enforcement
authorities, data protection authorities and industry representatives. Both this Platform and the
Article 29 Working Party will be involved in any amendments to the list of types of data to be
retained.
Article 5: Retention periods
With resprect to the periods of time for retention, as indicated before, an appropriate balance
must be struck between the different interests at stake. The fact that there is no way of
predicting with any certainty what communication data is going to provide the essential
element in preventing a terrorist attack or finding the perpetrator of a crime, and how old that
communication data is going to be once the competent authorities discover that they need it,
would point in the direction of longer retention periods. The other interests identified before -
a limited invasion of privacy, and a limited impact on the competitiveness of the electronic
communications industry - would dictate shorter periods. At the current time, where in the
Member States the priods of obligatory dat retention vary between 6 months and 4 years, a
period of one year for traditional fixed and mobile electronic communication services and of 6
months for electroic communications using the Internet Protocol (IP-based communications)
is seen as a proportionate solution which will accommodate all interests involved. This is also
based on the Impact Assessment prepared by the Commission. The use of the phrase "solely
the Internet Protocol" in both paragraphs of the Article indicates that data related to electronic
communications which start from an internet base, but connect to a traditional fixed or mobile
number should be retained for one year.
Article 6: Storage requirements for retained data
This article ensures that the data must be retained in such a manner as to ensure that requests
for transfer of the data to the competent authorities can be dealt with in a speedy and effective
manner. This implies also that it must be technically feasible to provide information on the
main categories of data specified under Article 4 quickly and easily. It also provides for an
obligation to submit additional information to the competent authorities - e.g. on the details of
the retention scheme utilised by the electronic communications and network service providers
- in order to ensure that the co-operation with the competent authorities will proceed
smoothly.
Article 7: Statistics
Today no verifiable statistics exist at the European level on the usage of traffic data. This
article provides for the obligation of services and network providers to keep statistics on the
number of cases they have actually supplied information to the competent authorities,
including information on how old the data was when it ws supplied to those authorities, and
to provide such information to the Commission on a yearly basis. For reasons of
proportionality and protection of privacy, it also makes explicit that this information should
not contain the personal data of the persons regarding whom information was requested by the
competent authorities. This information, once aggregated, will provide the factual information
necessary to evaluate the effectiveness of the Directive.
Article 8: Costs
As indicated above, the obligation to retain data in such a way that the relevant information
can be made available to the competent authorities upon request may lead to additional costs
for the service and network providers. It is reasonable for governments to contribute to
meeting the costs incurred as a consequence of the implementation of this Directive. The
Article stipulates that this should be limited to demonstrated additional costs which the
providers have had to incur in order to comply with the obligations imposed on them as a
consequence of this Directive.
Article 9: Platform for Law Enforcement, Electronic Communications and Data Protection
As indicated in the introduction of the Explanatory Memorandum, this Article sets up a
formal advisory body, bringing together representatives form law enforcement, the electronic
communications industry and European data protection authorities. Practice in some Member
States has shown that a thorough discussion between these parties is conducive to finding
workable solutions in this difficult area. This is particularly important given the ever-changing
environment within which this Directive finds its application.
Article 10: Amendment of Directive 2002/58/EC
As indicated in the general part of this explanatory memorandum, Article 15 (1) of Directive
2002/58EC needs to be amended in order to ensure that the purpose of harmonisation of the
Member States' provisions in this area is actually achieved. This is done through the addition
of a new paragraph 2, which clarifies that as far as data retention for the purpose of
prevention, investigation, detection and prosecution of criminal offences is concerned,
Member States may no longer make use of the possibility of restricting the scope of certain
rights provided for under the first paragraph of Article 15.
Article 11: Evaluation
Given the fact that the current Directive deals with a topuc which is closely linked to
technological developments, and is likely to have an impact on both law enforcement
practices and the electronic communications market, a thorough evaluation of its
implementation will assist in identifying whether the Directive has achieved its purpose, and
whether any adaptations are necessary. To this end, the evaluation clause contained in Article
10 provides for an obligation on the Commission to evaluate the implementation of the
Directive and to inform the European Parliament and the Council of the results. As indicated
above, the statistical information gathered under Article 7 should provide a substantial part of
the factual information equired for the evaluation. The evaluation should also look at the
data protection aspects of the implementation of the Directive, which is why the Working
Party on the Protection of Individuals with regard to the Processing of Personal Data
instituted by Article 29 of Directive 95/46/EC will be consulted during the evaluation process.
Also, the Platform set up under Article 9 will be involved in the evaluation exercise. As a
result of the evaluation the Commission will consider the need to propose the necessary
amendments to the current directive.
Article 12, 13 and 14 Final Provisions
These articles are the standard closing provisions of a Directive, and provide for the deadline
of transposing the Directive into national law, the entry into force of the Directive and the fact
that the Directive is addressed to the Member States.
4. LEGAL BASIS
The legal basis is Article 95 of the EC-Treaty. As indicated before. differences in the legal,
regulatory, and technical provisions in Member States concerning the retention of certain
data, as well as cost compensation schemes, present obstacles to the Internal Market for
electronic communications as service providers are faced with different requirements
regarding the types of data to be retained as well as the conditions and the duration of
retention. These provisions should therefore be further harmonised in accordance with Article
14 of the EC-Treaty.
The choice for an EC-Treaty legal basis is also related to the fact that both Directivs 95/46
and 2002/58 already provide for rules on how these types of data should be processed - with
Article 15 (1) making an explicit reference to provisions on the storage of traffic data. This
implies that further legislative action in this area should also be based on a first pillar legal
basis, as opposed to a third pillar lagal basis. This choice is also in line with the wording of
Article 47 of the Treaty on European Union (TEU), which stipulates the relationship between
the EC Treaties and the TEU. Under this Article 47, nothing in the EU Treaty shall affect the
Treaties establishing the European Communities or the subsequent Treaties and Acts modifying
or supplementing them.
Since the objectives of the proposed action cannot be sufficently achieved by the Member
States and can therefore, by reason of the scale and effects of the action, be better achieved at
Community level, the Community may adopt measures in accordance with the principle of
subsidiarity as set out in Article 5 of the EC-Treaty. In accordance with the principle of
proportionality, as set out in this Article, this Directive does not go beyond what is necessary
for those objectives.
Proposal for a
DIRECTIVE OF THE EUROPEAN PARLIAMENT AND THE COUNCIL
on the retention of data processed in connection with the provision of public electronic
communication services
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty establishing the European Community, and in particular
Article 95 thereof,
Having regard to the proposal from the Commission1,
Having regard to the opinion of the European Parliament2,
Having regard to the opinion of the European Economic and Social Committee3,
Having regard to the opinion of the Committee of the Regions4,
Whereas:
(1) Directive 95/46/EC of the European Parliament and of the Council on the protection of
individuals with regard to the processing of personal data 5 requires Member States to
ensure the rights and freedoms of natural personal with regard to the processing of
personal data, and in particular their right to privacy, in order to ensure the free flow of
personal data in the Community;
(2) Directive 2002/58/EC of the European Parliament and of the Council concerning the
processing of personal data and the protection of privacy in the electronic
communications sector6 translates the principles set out in Directive 95/46/EC into
specific rules for the electronic communications sector;
(3) Articles 5, 6 and 9 of Directive 2002/58/EC define the rules applicable to the
processing of personal data by network and service providers of traffic and location
data generated by using electronic communications services. Such data must be erased
or made anonymous when no longer needed for the purpose of the transmission,
except for the data necessary for billing or interconnection payments; subject to
consent, certain data may also be processed for marketing purposes and the provision
of value added services;
-----------------------------
1 OJC [...], [...], p. [...].
2 OJ C [...], [...], p. [...].
3 OJ C [...], [...], p. [...].
4 OJ C [...], [...], p. [...].
5 OJ L 281, 23.11.1995, p. 31.
6 OJ L 201, 30.7.2002, p. 37.
(4) Article 15 (1) of Dirctive 2002/58/EC sets out the conditions under which Member
States may restrict the scope of the rights and obligations provided for in Article 5,
Article 6, Article 8(1)(2)(3) and (4), and Article 9 of the Directive; any such
derogations need to be necessary, appropriate and proportionate within a democratic
society for specific public order purposes, i.e. to safeguard national security (i.e. State
security) defence, public security or the prevention, investigation, detection and
prosecution of criminal offences or of unauthorised use of the electronic
communications systems;
(5) Many Member States have adopted legislation providing for the retention of data by
service providers for the prevention, detection, investigation and prosecution of crime
and criminal offences; the provisions of the variouos national legisalation vary
considerably;
(6) The legal and technical differences between national provisions concerning the
retention of data for the purpose of prevention, investigation, detection
and prosecution of criminal offences present obstacles to the internal market for electronic
communications; service providers are faced with different requirements regarding the
types of traffic data to be retained as well as the conditions and the periods of
retention;
(7) The Conclusions of the JHA Council of 20 September 2001 call for ensuring that law
enforcement authorities are able to investigate criminal acts which involve the use of
electronic communications and to take legal measures against perpetrators of these
crimes, while striking a balance between the protection of personal data and the needs
of law enforcement authorities to gain access to data for criminal investigation
purposes;
(8) The Conclusions of the JHA Council of 19 September 2002 underline that, because of
the significant growth of the possibilities of electronic communications, data relating
to the use of electronic communications is particularly important and therefore a
valuable tool in the prevention, investigation, detection and prosecution of criime and
criminal offences, in particular against organised crime;
(9) The Declaration on combating Terrorism adopted by the European Council on 25
March 2004 instructed the Council to examine measures for established rules on the
retention of communications traffic data by service providers with a view for adoption
by June 2005;
(10) The declaration adopted by the special informal Council of 13 July 2005 reinforces the
need to adopt measures related to the retention of electronic communications traffic
data as soon as possible;
(11) It is essential to ensure that data which are processed by electronic communication
providers when offering public electronic communication services are retained for thr
prevention, investigation, detection, and prosecution of criminal offences;
(12) The elaboration of categories of information to be retained and the applicable retention
periods must reflect an appropriate balance between the benefits for the prevention,
detection, investigation and prosecution of crime and terrorism and the level of
invasion of privacy they will incur;
(13) It should be recalled that Directive 95/46/EC 7, including Chapter III on judicial
remedies, liabilities and sanctions, as well as Directive 2002/58/EC 8 are fully
applicable to the data retained in accordance with this Directive;
(14) Since the measures necessary for the implementation of this Directive are measures of
general scope within the meaning of Article 2 of Council Decision 1999/468/EC of 28
June 19999, laying down the procedures for the exercise of implementing powers
conferred on the Commission, they shoould be adopted by use of the regulatory
procedure provided for in Article 5 of that Decision;
(15) This Directive respects the fundamental rights of observes the principles recognised,
in particular, by the Charter of Fundamental Rights of the European Union;
HAVE ADOPTED THIS DIRECTIVE:
Article 1
Scope and aim
1. This Directive aims to harmonise the provisions of the Member States on obligations
for the providers of publicly available electronic communications services or a public
communications network with respect to the processing and retention of traffic and
location data of both private and legal persons, as well as the related data necessary
to identify the user, in order to ensure that the data is available for the purpose of the
prevention, investigation, detection and prosecution of criminal offences.
2. This Directive is not applicable to the content of electronic communications,
including information consulted using an electronic communications network.
3. All measures in this Directive shall be in accordance with the general principles of
Community Law, including those referred to in Article 6(1) and (2) of the Treaty on
European Union.
Article 2
Definitions
1. Unless otherwise provided, the definitions in Directive 95/46/EC, in Directive
2002/21/EC 10, as well as in Directive 2002/58/EC shall apply.
2. For the purpose of this Directive, 'data' means traffic data and location data, as well
as the related data necessary to identify the subscriber or user.
-----------------------------
7 OJ L 281, 23.11.1995, p.31
8 OJ L 201, 30.7.2002, p.37.
9 OJ L 184, 17.7.1999, p. 23.
10 OJ L 108, 24.4.2002, p.33
Article 3
Obligation to retain data
1. Member States shall adopt measures to ensure that data which are generated or
processed by providers of publicly available electronic communications services or a
public communications network within their jurisdiction in the process of supplying
communication services are retained in accordance with the provisions of this
Directive, notwithstanding the provisions of Articles 5, 6 and 9 of Directive
2002/58/EC.
2. Member States shall adopt measures to ensure that data retained in accordance with
this Directive shall only be provided to the competent national authorities in specific
cases and in accordance with national legislation, for the purpose of the prevention
investigation, detection and prosecution of criminal offences.
Article 4
Categories of data to be retained
1. Member States shall ensure that the following categories of data are retained under
this Directive:
a) data necessary to trace and identify the source of a communication;
b) data necessary to trace and identify the destination of a communication;
c) data necessary to identify the date, time and duration of a communication;
d) data necessary to identify the type of communication;
e) data necessary to identify the communication device or what purports to be the
communication device;
f) data necessary to identify the location of mobile communication equipment.
2. The categories of data referred to in paragraph 1 are further specified in the Annex to
this Directive. The Commission will be responsible for revising this Annex on a
regular basis as necessary in accordance with the procedure provided for under
paragraph 5.
3. The Commission shall be assisted in its task under paragraph 2 by a Committee,
composed of represenatatives of the Member States and chaired by the representative
of the Commission.
4. The Commission shall ensure that the Working Party on the Protection of Individuals
with regard to the Processing of Personal Data instituted by Article 29 of Directive
95/46/EC, as well as the Platform set up under Article 9 of this Directive are
consulted during the revision of the Annex referred to in paragraph 2.
5. Where reference is made to this paragraph, the regulatory procedure laid down in
Article 5 of Decision 1999/468/EC shall apply, in compliance with Article (3) and
Article 8 thereof.
6. The period provided for in Article 5(6) of Decision 1999/468/EC shall be three
months.
Article 5
Periods of retention
1. Member States shall ensure that the categories of data referred to in article 4 are
retained for a period of one year, with the exception of data related to electronic
communications taking place using solely the Internet Protocol.
2. Member States shall equally ensure that within the categories of data referred to in
article 4, those data which relate to electronic communications taking place using
solely the Internet Protocol are retained for a period of months.
Article 6
Storage requirements for retained data
Member States shall ensure that the data are retained in accordance with the provisions of this
Directive in such a way that the data retained and any other necessary information related to
such data can be transmitted upon request to the competent authorities without undue delay.
Article 7
Statistics
Member States shall ensure that providers of publicly available electronic communications
services or a public communications network provide statistics to the European Commission
on a yearly basis on the cases in which they have provided information to the competent
authorities in accordance with national law implementing this Directive, including statistics
on the time elapsed between the request and the date when the data have been retained, as
well as on cases where requests could not be met. Such statistics shall not contain personal
data.
Article 8
Costs
Member States shall ensure that service and network providers offering public electronic
communication services will receive an appropriate compensation for demonstrated additional
costs they have incurred in order to comply with obligations imposed on them as a
consequence of this Directive.
Article 9
Platform for Law Enforcement, Electronic Communications and Data Protection
1. A Platform for Law Enforcement, Electronic Communications and Data Protection,
hereinafter referred to as the Platform, will be set up by the Commission. It shall
have advisory status and act independently.
2. The Platform shall be composed of representatives of the law enforcement authorities
of the Member States and of European law enforcement bodies or organisations,
representatives of the European associations of the electronic communications
industry, representatives of European data protection authorities or advisory groups,
in particular representatives from the Working Party on the protection of Individuals
with regard to the Processing of Personal Data instituted by Article 29 of Directive
95/46/EC, and a representative of the Commission. Each member of the platform
shall be designated by the institution, authority, organisation or body which he
represents.
3. The Platform shall elect its chairman. The chairman's term of office shall be two
years. His appointment shall be renewable.
4. The Platform's secretariat shall be provided by the Commission.
5. The Platform shall adopt it own rules of procedure.
6. The Platform shall consider items placed on its agenda by its chairman, either on his
own initiative or at the request of on or more of its memebers.
Article 10
Amendment of Directive 2002/58/EC
Article 15 of Directive 2002/58/EC is amendded as follows:
1. a new paragraph 2 is inserted which reads: "Paragraph 1 is not applicable to
obligations relating to the retention of data for the prevention, investigation,
detection and prosecution of criminal offences, as harmonised by Directive
2005/../EC.";
2. paragraphs 2 and 3 are renumbered to paragraphs 3 and 4.
Article 11
Evaluation
1. Not later than three years from the date referred to in Article 11(1), the Commission
shall submit to the European Parliament and the Council an evaluation of the
application of this Directive and its impact on economic operators and consumers, in
particular taking into account the statistical elements provided to the Commission
persuant to article 7 of this Directive as to determine the necessity to modify the
retention period referred to in article 5 of this Directive.
2. To this end, the Commission shall take into account any observations that might be
communicated to it by Member States, by the Working Party on the Protection of
Individuals with regard to the Processing of Personal Data instituted by Article 29 of
Directive 95/46/EC, or by the Platform set up under Article 9 of this Directive.
Article 12
Transposition
1. Member States shall bring into force the laws, regulations and administrative
provisions necessary to comply with this Directive by no later than 15 months after
its adoption at the latest. They shall forthwith communicate to the Commission the
text of those provisions and a correlation table between those provisions and this
Directive.
When Member States adopt those provisions, they shall contain a reference to this
Directive or be accompanied by such a reference on the occasion of their official
publication. Member States shall determine how such reference is to be made.
2. Member States shall communicate to the Commission the text of the main provisions
of national law which they adopt in the field covered by this Directive.
Article 13
Entry into force
This Directive shall enter into force on the day of its publication in the Official Journal of the
European Union.
Article 14
Addressees
This Directive is addressed to the Member States.
Done at Brussels, [...]
For the European Parliament For the Council
The President The President
[...] [...]
Annex
Types of data to be retained under the categories identified in Article 4 of this Directive:
a) Data necessary to trace and identify the source of a communication:
(1) Concerning Fixed Network Telephony:
(a) The calling telephone number;
(b) Name and address of the subscriber or registered user;
(2) Concerning Mobile Telephony:
(a) The calling telephone number;
(b) Name and Address of the subscriber or registered user;
(3) Concerning Internet Access and Internet Communication Services:
(a) The Internet Protocol (IP) address, whether dynamic or static,
allocated by the Internet access provider to a communication;
(b) The User ID of the source of a communication;
(c) The Connection Label or telephone number allocated to any
communication entering the public telephone network;
(d) Name and address of the subscriber or registered user to whom the IP
address, Connection Label or User ID was allocated at the time of the
communication.
b) Data necessary to trace and identify the destination of a communication:
(1) Concerning Fixed Network Telephony:
(a) The called telephone number or numbers;
(b) Name(s) and address(es) of the suscriber(s) or registered user(s);
(2) Concerning Mobile Telephony:
(a) The called telephone number or numbers;
(b) Name(s) and address(es) of the subscriber(s) or registered user(s);
(3) Concerning Internet Access and Internet Communication Services:
(a) The Connection Label or User ID of the intended recipient(s) of a
communication;
(b) Name(s) and address(es) of the subscriber(s) or registered user(s) of
the intended recipient(s) of the communication.
c) Data necessary to identify the date, time and duration of a communication;
(1) Concerning Fixed Network Telephony and Mobile Telephony:
(a) The date and time of the start and end of the communication.
(2) Concerning Internet Access and Internet Communication Services:
(a) The date and time of the log-in and log-off of the Internet sessions
based on a certain time zone.
d) Data necessary to identify the type of communication;
(1) Concerning Fixed Network Telephony:
(a) The telephone service used, e.g. voice, conference call, Short Message
Service, Enhanced Media Service or Multi-Media Service.
(2) Concerning Mobile Telephony:
(a) The telephone service used, e.g. voice, conference call, Short Message
Service, Enhanced Media Service or Multi-Media Service.
e) Data necessary to identify the communication device or what purpots to be the
communication device:
(1) Concerning Mobile Telephony:
(a) The International Mobile Subscriber Identity (IMSI) of the calling and
called party;
(b) The International Mobile Equipment Identity (IMEI) of the calling and
called party.
(2) Concerning Internet Access and Internet Services:
(a) The calling telephone number for dial-up access;
(b) The asymmetric subscriber line (ADSL) or other end point of the
originator of the communication;
(c) The media access control (MAC) address or other machine identifier
of the originator of the communication.
f) Data necessary to identify the location of mobile communication equipment:
(1) The location label (Cell ID) at the start and end of the communication;
(2) Location labels (Cell ID) throughout the communication;
(3) Data mapping between Cell IDs and their geographical location at the time of
the communication.
Transcript of http://edri.org/doc/EUcommissiondataretentionjuly2005.pdf