In-house data retention by telecoms providers 'not pragmatic', says expert prior to major CJEU case

Out-Law News | 07 Apr 2014 | 4:29 pm | 2 min. read

It would "not be pragmatic" to require telecommunication providers to store data useful for preventing terrorism and other serious crime internally, an expert has said.

Paris-based telecoms expert Diane Mullenex of Pinsent Masons, the law firm behind, warned that a judgment expected from the EU's highest court on Tuesday could have significant implications for the way telecoms providers store data.

The Court of Justice of the EU (CJEU) is set to determine whether the EU's Data Retention Directive is lawful following a challenge brought by privacy campaigners in Austria and by Digital Rights Ireland.

In December, a legal advisor to the CJEU issued an opinion which recommended that the Directive be deemed incompatible with individuals' rights to privacy under EU law.

The Directive requires telecoms and other electronic communications businesses to retain identifying details of phone calls and emails, such as the traffic and location, to help the police detect and investigate serious crimes. The details exclude the content of those communications.

Advocate General Pedro Cruz Villalón said that the maximum period of time that the companies should be forced to hold onto that data for – two years – is too long and recommended that the maximum limit be reduced to "less than one year". He called for the Directive to be scrapped once a replacement framework has been put in place with greater controls and safeguards around the access to and use of the data collected.

The CJEU is not bound by the recommendations of Advocate General Villalón but in many cases the judges do follow their opinion.

In his opinion, Advocate General Villalón also expressed concern with the fact that the Data Retention Directive does not oblige providers of electronic communications services to store data "in the territory of a member state" and said that data security is put at "considerably increased" risk as a result.

"That ‘outsourcing’ of data retention admittedly allows the retained data to be distanced from the public authorities of the member states and thus to be placed beyond their direct grip and any control, but by that very fact it simultaneously increases the risk of use which is incompatible with the requirements resulting from the right to privacy," Advocate General Villalón said.

If the CJEU follows the Advocate General's opinion new replacement EU laws on data retention would be created. Diane Mullenex of Pinsent Masons said that any new framework should permit outsourcing of data retention.

"Telecoms companies are already under pressure to scrap roaming charges and invest in new 4G technologies," Mullenex said. "It is not pragmatic to ask companies to store data internally due to the large costs involved in establishing and managing data centres and other associated IT infrastructure. These costs would only end up being passed on to consumers at a time when the EU is backing telecoms market reforms designed to promote competition and drive down end costs to consumers."

"If the Data Retention Directive is to be remodelled, it should give telecoms providers enough flexibility to store data externally with specialised suppliers," she added.

EU member states have implemented the current Directive very differently, with some countries - including Germany - yet to have implemented its requirements into national law.

Mullenex said that it is both extremely costly and time consuming for telecoms providers to adhere to requests from law enforcement bodies for access to data they hold and that, particularly in countries where the existing Directive has not been implemented, operators could face a major investment in their IT infrastructure if a replacement law requires them to change their data retention practices.