Watchdog slams EU data retention directive

European Data Protection Supervisor says law does not meet requirements of rights to privacy and data protection

Following patchy adoption and the recent publication of a report critical of its effectiveness, the European Data Protection Supervisor (EDPS) has weighed in on the European Union (EU) Data Retention Directive.

The EDPS yesterday said the current law does not meet the requirements of fundamental rights to privacy and data protection and called for its revision or replacement.

It said the directive has failed to meet its main purpose, in response to the recent publication of the European Commission's evaluation of the 2006 Data Protection Directive.

The purpose was, "namely, to harmonise national legislation concerning data retention," wrote EDPS and Dutch Data Protection Commissioner Peter Hustinx.

The Commission's own evaluation released on 18 May found that, while the directive has proven useful in criminal investigations, it needed revision and improvements in response to the fact that not every EU member state has adopted it and, in cases where they have, retention requirements vary wildly.

"Such a lack of harmonisation is detrimental to all parties involved: citizens, business operators and law enforcement authorities," he concluded.

The publication highlighted a number of shortcomings with the directive, including the fact that it was closely related to the EU ePrivacy Directive.

The Data Retention Directive, which builds on and complements the general Data Protection Directive (95/46/EC), mandates that member states should ensure the confidentiality of communications and related traffic data.

But the ePrivacy Directive requires that traffic and location data generated by using electronic communications services must be erased or anonymised when no longer needed for communication or billing purposes.

The EDPS also questioned the law's compatibility with privacy rights. "Data retention as regulated in the Data Retention Directive, in any event, goes beyond what is necessary," continued the EDPS opinion, adding: "Data retention could have been regulated in a less privacy-intrusive way."

And it even went so far as to call for the possibility of repealing the law completely or combining such a move with a proposal for an alternative, more targeted EU measure.

The UK is among those not to have adopted the retention directive, relying on the Data Protection Act to ensure it is compliant with EU requirements.