New Data Retention Requirements in the EU

Are those of you with offices in the EU aware that there is now a new data retention directive to follow?  These to add on top of all the other data retention requirements that exist.  The huge challenge I’ve found many organizations struggling with is how to deal with conflicting retention requirements. 

I urge you to read this regulation if you have any customers or offices within any of the EU countries.  You’ll need to read the entire document to get the full effect, but the following excerpt is of particular interest:

Article 5
Categories of data to be retained
1. Member States shall ensure that the following categories of data are retained under this
Directive:
  (a) data necessary to trace and identify the source of a communication:
   (1) concerning fixed network telephony and mobile telephony:
    (i) the calling telephone number;
    (ii) the name and address of the subscriber or registered user;

   (2) concerning Internet access, Internet e-mail and Internet telephony:
    (i) the user ID(s) allocated;
    (ii) the user ID and telephone number allocated to any communication entering the public telephone network;
    (iii) the name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the     communication;
  (b) data necessary to identify the destination of a communication:
   (1) concerning fixed network telephony and mobile telephony:
    (i) the number(s) dialled (the telephone number(s) called), and, in cases involving supplementary services such as call forwarding or call transfer, the number or numbers to which     the call is
routed;
    (ii) the name(s) and address(es) of the subscriber(s) or registered user(s);
   (2) concerning Internet e-mail and Internet telephony:
    (i) the user ID or telephone number of the intended recipient(s) of an Internet telephony call;
    (ii) the name(s) and address(es) of the subscriber(s) or registered user(s) and user ID of the intended recipient of the communication;
  (c) data necessary to identify the date, time and duration of a communication:
   (1) concerning fixed network telephony and mobile telephony, the date and time of the start and end of the communication;
   (2) concerning Internet access, Internet e-mail and Internet telephony:
    (i) the date and time of the log-in and log-off of the Internet access service, based on a certain time zone, together with the IP address, whether dynamic or static, allocated by the     Internet access service provider to a communication, and the user ID of the subscriber or registered user;
    (ii) the date and time of the log-in and log-off of the Internet e-mail service or Internet telephony service, based on a certain time zone;

(d) data necessary to identify the type of communication:
   (1) concerning fixed network telephony and mobile telephony: the telephone service used;
   (2) concerning Internet e-mail and Internet telephony: the Internet service used;
  (e) data necessary to identify users’ communication equipment or what purports to be their equipment:
   (1) concerning fixed network telephony, the calling and called telephone numbers;
   (2) concerning mobile telephony:
    (i) the calling and called telephone numbers;
    (ii) the International Mobile Subscriber Identity (IMSI) of the calling party;
    (iii) the International Mobile Equipment Identity (IMEI) of the calling party;
    (iv) the IMSI of the called party;
    (v) the IMEI of the called party;
    (vi) in the case of pre-paid anonymous services, the date and time of the initial activation of the service and the location label (Cell ID) from which the service was activated;
   (3) concerning Internet access, Internet e-mail and Internet telephony:
    (i) the calling telephone number for dial-up access;
    (ii) the digital subscriber line (DSL) or other end point of the originator of the communication;
  (f) data necessary to identify the location of mobile communication equipment:

   (1) the location label (Cell ID) at the start of the communication;
   (2) data identifying the geographic location of cells by reference to their location labels (Cell ID) during the period for which communications data are retained.

2. No data revealing the content of the communication may be retained pursuant to this Directive.

Article 6
Periods of retention
Member States shall ensure that the categories of data specified in Article 5 are retained for periods of not less than six months and not more than two years from the date of the communication.

And the directive continues on with the data protection, data security, and other requirements.

Folks, what are you doing to get your arms around data retention issues?  I see this as a sleeping giant that will emerge sometime soon to surprise and bonk on the head a great many compliance, info sec and privacy officers.  A few forward-looking organizations have established well-defined and effective data retention teams.  Be sure if you have one that you let them know about this new regulation…just in case they have not kept up with the international laws.  If you don’t have a dedicated data retention function, then start planning for how you will address the multitude of data retention requirements!

Technorati Tags



Leave a Reply