Dutch telecom providers have to delete data that had been retained under the now-scrapped data retention law, unless it is needed for business purposes.
The Dutch data retention law that required ISPs and telecommunications operators to store customer metadata for police investigations was scrapped by the District Court of the Hague earlier this month for violating fundamental privacy rights.
While most providers were quick to stop collecting the data, uncertainty remained about what should happen with the data that was already collected and stored when the law was in force.
However, all data retained because of the now defunct law should be deleted, Minister of Security and Justice Ard van der Steur wrote in a letter to Parliament. That includes data that was retained before the law was annulled, a ministry spokesman said.
Providers will still be allowed to store data for business purposes. Many Dutch telecom providers store metadata, including location data, for billing purposes, network management and customer services.
This data can still be used for police investigations, the ministry spokesman said. But what data is available at different providers may vary wildly, he said, adding that when the law was in force there was certainty about what data was available.
Scrapping the law will have consequences for victims of serious crimes because perpetrators will be harder to identify, and certain types of crimes can almost exclusively be detected through the use of historical telecom data, the minister said.
That is why the Dutch government is making haste with a bill proposing a new data retention law. The new law would keep the court’s verdict in mind and seek to restrict access to data. To limit the consequences of annulling the law, the minister plans to send the bill to the parliament as soon as possible.
The ministry has still to decide whether it will appeal the court’s decision.