The Dutch government’s proposed revision of the country’s data retention law is not enough to bring it into compliance with a recent European Union court ruling, the Dutch privacy watchdog said Monday.
An effort by the Dutch government to adjust a law requiring telecommunications and Internet companies to retain their customers’ location and traffic metadata for investigatory purposes should be dropped, as the infringement of the private life of virtually all Dutch citizens is too great, the Dutch Data Protection Authority (DPA) said on Monday.
The Dutch government is looking to change data retention obligations for telephone and Internet communications operators following a decision last year by the Court of Justice of the European Union (CJEU). The court invalidated the European data retention directive, on which the Dutch law is based, because it violates fundamental privacy rights.
The Dutch data retention law has been under pressure since the CJEU’s ruling. The Council of State, a constitutional advisory body, last year already concluded that the law should be withdrawn because it violates fundamental privacy laws. But despite this advice, the government decided to amend it instead of annul it.
The government sees the law as indispensable for the investigation and prosecution of serious criminal offenses, and proposed maintaining it with minor adjustments to who will have access to the data and under what circumstances to bring it in line with the CJEU ruling.
But the Dutch DPA thinks the bill should not even be presented to Parliament as there is no proven necessity for such a law, it said in a letter to the government published Monday.
Retaining the telephony and Internet data of virtually all citizens for six to 12 months is a far-reaching measure which requires an irrefutable demonstration of necessity, it said, adding that during the 4.5 years this data has been retained, law enforcement authorities have not been able to show why data retention is necessary.
Moreover, the draft bill does not address the question whether less far-reaching alternative measures would be available to obtain the same result. If the bill was to go ahead, “the infringement of the private life of virtually all Dutch citizens is too big and disproportionate,” it found
The government for instance proposed to retain telephony data for 12 months but only make it accessible to law enforcement for six to 12 months depending on the crime. However, this distinction between the retention and the use of the data does not alter the disproportionality between the purpose of the data collection and the infringement on the private life. Therefore, this general data retention obligation is unlawful, the DPA said.
The DPA’s opinion is one of several that will have to be taken into account, said a spokesman for the Dutch government, who added that the government will comment on every suggestion in detail when the bill is submitted to the Parliament.
A DPA spokeswoman said the bill could still be altered before it will be discussed in parliament based on the advice.
Although the government has refused to annul the law, others are seeking to force its hand. On Wednesday, the District Court of the Hague is scheduled to hear a legal challenge to it, filed by a broad coalition of organizations who want the law invalidated because it violates fundamental privacy rights.
Other data retention laws in EU countries have already been ruled unconstitutional, In Austria for instance, the local law was invalidated in the wake of the CJEU ruling. In Germany, the local data retention law was ruled unconstitutional in 2010, long before the ruling.
In Sweden though, the government is looking to maintain a data retention obligation for telecommunication data on much the same grounds as in the Netherlands.