Directive
2006/c/EC of the European Parliament and of the Council
on the
retention of data generated or processed in connection with the provision of
publicly available electronic communications services or of public
communications networks
THE
EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN
Having
regard to the Treaty establishing the European Community, and in particular
Article 95 thereof,
Having
regard to the proposal from the Commission,
Having
regard to the Opinion of the European Economic and Social Committee,
Acting in
accordance with the procedure laid down in Article 251 of the Treaty,
Whereas:
(1)
Directive 95/46/EC of the European Parliament and of the Council of 24 October
1995 on the protection of individuals with regard to the processing of personal
data and on the free movement of such data requires Member States to protect
the rights and freedoms of natural persons with regard to the processing of
personal data, and in particular their right to privacy, in order to ensure the
free flow of personal data in the Community.
(2)
Directive 2002/58/EC of the European Parliament and of the Council of
(3)
Articles 5, 6 and 9 of Directive 2002/58/EC lay down the rules applicable to
the processing by network and service providers of traffic and location data
generated by using electronic communication services. Such data must be erased
or made anonymous when no longer needed for the purpose of the transmission of
a communication, except for the data necessary for billing or interconnection
payments. Subject to consent, certain data may also be processed for marketing
purposes and the provision of value-added services.
(4) Article
15 (1) of Directive 2002/58/EC sets out the conditions under which Member
States may restrict the scope of the rights and obligations provided for in
Article 5, Article 6, Article 8 (1), (2), (3) and (4), and Article 9 of that
Directive. Any such restrictions must be necessary, appropriate and
proportionate within a democratic society for specific public order purposes,
i.e. to safeguard national security (i.e. State security), defence, public
security or the prevention, investigation, detection and prosecution of
criminal offences or of unauthorized use of the electronic communications
systems.
(5) Several
Member States have adopted legislation providing for the retention of data by
service providers for the prevention, investigation, detection, and prosecution
of criminal offences. Those national provisions vary considerably.
(6) The
legal and technical differences between national provisions concerning the
retention of data for the purpose of prevention, investigation, detection and
prosecution of criminal offences present obstacles to the internal market for
electronic communications, since service providers are faced with different
requirements regarding the types of traffic and location data to be retained
and the conditions and periods of retention.
(7) The
Conclusions of the Justice and Home Affairs Council of
(8) The
Declaration on Combating Terrorism adopted by the European Council on
(9) Under
Article 8 of the European Convention for the Protection of Human Rights and
Fundamental Freedoms (ECHR), everyone has the right to respect for his private
life and his correspondence. Public authorities may interfere with the exercise
of that right only in accordance with the law and where necessary in a
democratic society, inter alia, in the interests of
national security or public safety, for the prevention of disorder or crime, or
for the protection of the rights and freedoms of others. Because retention of
data has proved to be such a necessary and effective investigative tool for law
enforcement in several Member States, and in particular concerning serious
matters such as organised crime and terrorism, it is necessary to ensure that
retained data are made available to law enforcement authorities for a certain
period, subject to the conditions provided for in this Directive. The adoption
of an instrument on data retention that complies with the requirements of Article
8 of the ECHR is therefore a necessary measure.
(10) On
(11) Given
the importance of traffic and location data for the investigation, detection,
and prosecution of criminal offences, as demonstrated by research and the
practical experience of several Member States, there is a need to ensure at
European level that data that are generated or processed, in the course of the
supply of communications services, by providers of publicly available
electronic communications services or of a public communications network are
retained for a certain period, subject to the conditions provided for in this
Directive.
(12)
Article 15 (1) of Directive 2002/58/ continues to apply to data, including data
relating to unsuccessful call attempts, the retention of which is not
specifically required under this Directive and which therefore fall outside the
scope thereof, and to retention for purposes, including judicial purposes,
other than those covered by this Directive.
(13) This
Directive relates only to data generated or processed as a consequence of a communication
or a communication service and does not relate to data that are the content of
the information communicated. Data should be retained in such a way as to avoid
their being retained more than once. Data generated or processed when supplying
the communications services concerned refers to data which are accessible. In
particular, as regards the retention of data relating to Internet e-mail and
Internet telephone, the obligations to retain data may apply only in respect of
data from the providersf or the network providersf own services.
(14)
Technologies relating to electronic communications are changing rapidly and the
legitimate requirements of the competent authorities may evolve. In order to
obtain advice and encourage the sharing of experience of best practice in these
matters, the Commission intends to establish a group composed of Member Statesf
law enforcement authorities, associations of the electronic communications
industry, representatives of the European Parliament and data protection authorities,
including the European Data Protection Supervisor.
(15)
Directive 95/46/EC and Directive 2002/58/EC are fully applicable to the data
retained in accordance with this Directive. Article 30(1)(c) of Directive
95/46/EC requires the consultation of the Working Party on the Protection of
Individuals with regard to the Processing of Personal Data established under
Article 29 of that Directive.
(16) The
obligations incumbent on service providers concerning measures to ensure data
quality, which derive from Article 6 of Directive 95/46/EC, and their
obligations concerning measures to ensure confidentiality and security of
processing of data, which derive from Articles 16 and 17 of that Directive,
apply in full to data being retained within the meaning of this Directive.
(17) It is
essential that Member States adopt legislative measures to ensure that data
retained under this Directive are provided to the competent national
authorities only in accordance with national legislation in full respect of the
fundamental rights of the persons concerned.
(18) In
this context, Article 24 of Directive 95/46/EC imposes an obligation on Member
States to lay down sanctions for infringement of the provisions adopted
pursuant to that Directive. Article 15(2) of Directive 2002/58/EC imposes the
same requirement in relation to national provisions adopted pursuant to
Directive 2002/58/EC. Council Framework Decision 2005/222/JHA of 24 February
2005 on attacks against information systems provides that the intentional
illegal access to information systems, including to data retained therein, is
to be made punishable as a criminal offence.
(19) The
right of any person who has suffered damage as a result of an unlawful
processing operation or of any act incompatible with national provisions
adopted pursuant to Directive 95/46/EC to receive compensation, which derives
from Article 23 of that Directive, applies also in relation to the unlawful
processing of any personal data pursuant to this Directive.
(20) The
2001 Council of Europe Convention on Cybercrime and
the 1981 Council of Europe Convention for the Protection of Individuals with
Regard to Automatic Processing of Personal Data also cover data being retained
within the meaning of this Directive.
(21) Since
the objectives of this Directive, namely to harmonise the obligations on
providers to retain certain data and to ensure that those data are available
for the purpose of the investigation, detection and prosecution of serious
crime, as defined by each Member State in its national law, cannot be
sufficiently achieved by the Member States and can therefore, by reason of the
scale and effects of this Directive, be better achieved at Community level, the
Community may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty. In
accordance with the principle of proportionality, as set out in that Article,
this Directive does not go beyond what is necessary in order to achieve those
objectives.
(22) This
Directive respects the fundamental rights and observes the principles
recognised, in particular, by the Charter of Fundamental Rights of the European
Union. In particular, this Directive, together with Directive 2002/58/EC, seeks
to ensure full compliance with citizensf fundamental rights to respect for
private life and communications and to the protection of their personal data,
as enshrined in Articles 7 and 8 of the Charter.
(23) Given
that the obligations on providers of electronic communication services should
be proportionate, this Directive requires that they retain only such data as
are generated or processed in the process of supplying their communication
services. To the extent that such data are not generated or processed by those
providers, there is no obligation to retain them. This Directive is not
intended to harmonise the technology for retaining data, the choice of which is
a matter to be resolved at national level.
(24) In
accordance with paragraph 34 of the Interinstitutional
agreement on better law-making, the Council will encourage Member States to
draw up, for themselves and in the interests of the Community, their own tables
illustrating, as far as possible, the relation between this Directive and the
transposition measures, and to make them public.
(25) This
Directive is without prejudice to the power of Member States to adopt
legislative measures concerning the right of access to, and use of, data by
national authorities, as designated by them. Issues of access to data retained
pursuant to this Directive by national activities as are referred to in the
first indent of Article 3(2) of Directive 95/46/EC fall outside the scope of
Community law. However, they may be subject to national law or action pursuant
to Title VI of the Treaty on European Union. Such laws or action must fully
respect fundamental rights as they result from the common constitutional
traditions of the Member States and as guaranteed by the ECHR. Under Article 8
of the ECHR, as interpreted by the European Court of Human Rights, interference
by public authorities with privacy rights must meet the requirements of
necessity and proportionality and must therefore serve specified, explicit and
legitimate purposes and be exercised in a manner that is adequate, relevant and
not excessive in relation to the purpose of the interference.
HAVE
ADOPTED THIS DIRECTIVE:
Article 1
Subject matter and scope
1. This
Directive aims to harmonise Member Statesf provisions concerning the
obligations of the providers of publicly available electronic communications
services or of public communications networks with respect to the retention of
certain data which are generated or processed by them, in order to ensure that
the data are available for the purpose of the investigation, detection and
prosecution of serious crime, as defined by each Member State in its national
law.
2. This
Directive shall apply to traffic and location data on both legal entities and
natural persons and to the related data necessary to identify the subscriber or
registered user. It shall not apply to the content of electronic communications, including information consulted using an
electronic communications network.
Article 2
Definitions
1. For the
purpose of this Directive, the definitions in Directive 95/46/EC, in Directive
2002/21/EC of the European Parliament and of the Council of
2. For the
purpose of this Directive:
(a) gdatah means traffic data and location data and the related
data necessary to identify the subscriber or user;
(b) guserh means any legal entity or natural person using a
publicly available electronic communications service, for private or business
purposes, without necessarily having subscribed to that service;
(c) gtelephone serviceh means calls (including voice, voicemail
and conference and data calls), supplementary services (including call
forwarding and call transfer) and messaging and multi-media services (including
short message services, enhanced media services and multi-media services);
(d) guser IDh means an unique identifier allocated to persons
when they subscribe to or register with an Internet access service or Internet
communications service;
(e) gcell IDh means the identity of the cell from which a mobile
telephony call originated or in which it terminated;
(f) gunsuccessful call attempth means a communication where a
telephone call has been successfully connected but not answered or there has
been a network management intervention.
Article 3
Obligation to retain data
1. By way
of derogation from Articles 5, 6 and 9 of Directive 2002/58/EC, Member States
shall adopt measures to ensure that the data specified in Article 5 of this
Directive are retained in accordance with the provisions thereof, to the extent
that those data are generated or processed by providers of publicly available
electronic communications services or of a public communications network within
their jurisdiction in the process of supplying the communications services
concerned.
2. The
obligation to retain data provided for in paragraph 1 shall include the
retention of the data specified in Article 5 relating to unsuccessful call
attempts where those data are generated or processed, and stored (as regards
telephony data) or logged (as regards Internet data), by providers of publicly
available electronic communications services or of a public communications
network within the jurisdiction of the Member State concerned in the process of
supplying the communication services concerned. This Directive shall not
require data relating to unconnected calls to be retained.
Article 4
Access to data
Member
States shall adopt measures to ensure that data retained in accordance with
this Directive are provided only to the competent national authorities in
specific cases and in accordance with national law. The procedures to be
followed and the conditions to be fulfilled in order to gain access to retained
data in accordance with necessity and proportionality requirements shall be
defined by each Member State in its national law, subject to the relevant
provisions of European Union law or public international law, and in particular
the ECHR as interpreted by the European Court of Human Rights.
Article 5
Categories of data to be retained
1. Member
States shall ensure that the following categories of data are retained under
this Directive:
(a) data necessary to trace and identify the source of a
communication:
(1) concerning fixed network telephony and mobile telephony:
(i) the calling telephone number;
(ii) the name and address of the subscriber or registered user;
(2) concerning Internet access, Internet e-mail and Internet
telephony:
(i) the user ID(s) allocated;
(ii) the user ID and telephone number allocated to any
communication entering the public telephone network;
(iii) the
name and address of the subscriber or registered user to whom an Internet
Protocol (IP) address, user ID or telephone number was allocated at the time of
the communication;
(b) data necessary to identify the destination of a
communication:
(1) concerning fixed network telephony and mobile telephony:
(i) the
number(s) dialled (the telephone number(s) called), and, in cases involving
supplementary services such as call forwarding or call transfer, the number or
numbers to which the call is routed;
(ii) the name(s) and address(es) of the
subscriber(s) or registered user(s);
(2) concerning Internet e-mail and Internet telephony:
(i) the user ID or telephone number of the intended recipient(s)
of an Internet telephony call;
(ii) the name(s) and address(es) of the
subscriber(s) or registered user(s) and user ID of the intended recipient of
the communication;
c) data necessary to identify the date, time and duration of a
communication:
(1) concerning fixed network telephony and mobile telephony, the
date and time of the start and end of the communication;
(2) concerning Internet access, Internet e-mail and Internet
telephony:
(i) the
date and time of the log-in and log-off of the Internet access service, based
on a certain time zone, together with the IP address whether dynamic or static,
allocated by the Internet access service provider to a communication, and the
user ID of the subscriber or registered user;
(2) the date and time of the log-in and log-off of the Internet
e-mail service or Internet telephony service, base on a certain time zone;
(d) data necessary to identify the type of communication:
(1) concerning fixed network telephony and mobile telephony:
the
telephone service used;
(2) concerning Internet e-mail and Internet telephony:
the
Internet service used;
(e) data necessary to identify usersf communication equipment or
what purports to be their equipment:
(1) concerning fixed network telephony, the calling and called
telephone numbers;
(2) concerning mobile telephony:
(i) the calling and called telephone numbers;
(ii) the International Mobile Subscriber Identity (IMSI) of the
calling party;
(iii) the International Mobile Equipment Identity (IMEI) of the
calling party;
(iv) the IMSI of the called party;
(v) the IMEI of the called party;
(vi) in the case of pre-paid anonymous services, the date and
time of the initial activation of the service and the location label (Cell ID)
from which the service was activated;
(3) concerning Internet access, Internet e-mail and Internet
telephony:
(i) the calling telephone number for dial-up access;
(ii) the digital subscriber line (DSL) or other end point of the
originator of the communication;
(f) data necessary to identify the location of mobile communication
equipment:
(1) the location label (Cell ID) at the start of the
communication;
(2) data identifying the geographic location of cells by
reference to their location labels (Cell ID) during the period for which
communications data are retained.
2. No data
revealing the content of the communication may be retained pursuant to this
Directive.
Article 6
Periods of retention
Member
States shall ensure that the categories of data specified in Article 5 are
retained for periods of not less than six months and not more than two years
from the date of the communication.
Article 7
Data protection and data security
Without
prejudice to the provisions adopted pursuant to Directive 95/46/EC and
Directive 2002/58/EC, each Member State shall ensure that providers of publicly
available electronic communications services or of a public communications
network respect, as a minimum, the following data security principles with
respect to data retained in accordance with this Directive:
(a) the retained data shall be of the same quality and subject
to the same security and protection as those data on the network;
(b) the data shall be subject to appropriate technical and organisatonial measures to protect the data against
accidental or unlawful destruction, accidental loss or alteration, or
unauthorised or unlawful storage, processing, access or disclosure;
(c) the
data shall be subject to appropriate technical and organisational measures to
ensure that they can be accessed by specially authorised personnel only; and
(d) the data, except those that have been accessed and
preserved, shall be destroyed at the end of the period of retention.
Article 8
Storage requirements for retained data
Member
States shall ensure that the data specified in Article 5 are retained in
accordance with this Directive in such a way that the data retained and any
other necessary information relating to such data can be transmitted upon
request to the competent authorities without undue delay.
Article 9
Supervisory authority
1. Each
Member State shall designate one or more public authorities to be responsible
for monitoring the application within its territory of the provisions adopted
by the Member States pursuant to Article 7 regarding the security of the stored
data. Those authorities may be the same authorities as those referred to in
Article 28 of Directive 95/46/EC.
2. The
authorities referred to in paragraph 1 shall act with complete independence in
carrying out the monitoring referred to in that paragraph.
Article 10
Statistics
1. Member States
shall ensure that the Commission is provided on a yearly basis with statistics
on the retention of data generated or processed in connection with the
provision of publicly available electronic communications services or a public
communications network. Such statistics shall include:
- the cases in which information was provided to the competent
authorities in accordance with applicable national law;
- the time elapsed between the date on which the data were
retained and the date on which the competent authority requested the
transmission of the data;
- the cases where requests for data could not be met.
2. Such
statistics shall not contain personal data.
Article 11
Amendment of Directive 2002/58/EC
The
following paragraph shall be inserted in Article 15 of Directive 2002/58/EC:
g1a.
Paragraph 1 shall not apply to data specifically required by Directive 2006/c/EC
of the European Parliament and of the Council of c on the retention of data
generated or processed in connection with the provision of publicly available
electronic communications services or a public communications network to be
retained for the purposes referred to in Article 1(1) of that Directive.
Article 12
Future measures
1. A Member
State facing particular circumstances that warrant an extension for a limited
period of the maximum retention period referred in Article 6 may take the
necessary measures. The
2. The
Commission shall, within a period of six months after the notification referred
to in paragraph 1, approve or reject the national measures concerned, after
having examined whether they are a means of arbitrary discrimination or a
disguised restriction of trade between the Member States and whether they
constitute an obstacle to the functioning of the internal market. In the
absence of a decision by the Commission within that period the national measures
shall be deemed to have been approved.
3. Where, pursuant to paragraph 2, the national measures of a
Article 13
Remedies, liability and penalties
1. Each
Member State shall take the necessary measures to ensure that the national
measures implementing Chapter III of Directive 95/46/EC providing for judicial
remedies, liability and sanctions are fully implemented with respect to the
processing of data under this Directive.
2. Each
Member State shall, in particular, take the necessary measures to ensure that
any intentional access to, or transfer of, data retained in accordance with
this Directive that is not permitted under national law adopted pursuant to
this Directive is punishable by penalties, including administrative or criminal
penalties, that are effective, proportionate and dissuasive.
Article 14
Evaluation
1. No later
than c, the Commission shall submit to the European Parliament and the Council
an evaluation of the application of this Directive and its impact on economic
operators and consumers, taking into account further development in electronic
communications technology and the statistics provided to the Commission
pursuant to Article 10 with a view to determining whether it is necessary to
amend the provisions of this Directive, in particular with regard to the list
of data in Article 5 and the periods of retention provided for in Article 6.
The result of the evaluation shall be made public.
2. To that
end, the Commission shall examine all observations communicated to it by the
Member States or by the Working Party established under Article 29 of Directive
95/46/EC.
Article 15
Transposition
1. Member
States shall bring into force the laws, regulations and administrative
provisions necessary to comply with this Directive by no later than. They shall
forthwith inform the Commission thereof.
2. When
Member States adopt those measures, they shall contain a reference to this
Directive or shall be accompanied by such reference on the occasion of their
official publication. The methods of making such reference shall be laid down
by the Member States.
2. Member
States shall communicate to the Commission the text of the main provisions of
national law which they adopt in the field covered by this Directive.
3. Until , each
Article 16
Entry into force
This
Directive shall enter into force on the twentieth day following that of its
publication in the Official Journal of the European Union.
Article 17
Addressees
This
Directive is addressed to the Member States.
Done at,
For the
European Parliament For the Council
The
President
The President