Connect Europe & GSMA Comments on an EU Initiative on Retention of Data by Service Providers for Criminal Proceedings
Protecting user data and confidentiality, while ensuring effective cooperation with law enforcement authorities, is essential for the safe and balanced functioning of a digital society. However, the current data retention regulatory framework presents several compliance challenges for telecom operators, which we would like to take this opportunity to highlight.
Telecom operators have had to deal with several iterations of data retention obligations over the years – from the initial EU Directive of 2006, to the CJEU decision, and to various member states developing their own approaches before, throughout, and after this process. These changes have already imposed considerable investments and operational costs on telcos.
This has also resulted in today’s fragmented situation across EU Member States in a number of ways. Firstly, a legal framework exists in some Member States but is either absent or not effectively applied in others. Additionally, there is a wide variety of definitions for metadata and the types of data to be retained. Retention periods are also strikingly different, ranging from 6 to 72 months. Due to these divergences, it can be challenging to identify commonalities in the impact of data retention laws (or the absence thereof) on the European telecom industry. With that in mind, and considering the EU’s ambitions for regulatory simplification, any changes should bring tangible improvements to the current situation. For example, any new rules should avoid being prescriptive about operational requirements, such as how or where the data is stored, as long as it is stored within the EU/EEA.
The most significant impact of data retention law is related to the difference between the retention periods for data collected and retained for business purposes, in compliance with the GDPR and the ePrivacy Directive, and those required for law enforcement purposes. This has resulted in significant costs for operators to purchase storage equipment, redefine the system architecture, and hire personnel. Furthermore, retaining large volumes of data requires significant energy consumption, which contributes to environmental impact. Data retained for business purposes is related to billing, operation or maintenance, network security, and commercial purposes. Other data that is not relevant for business purposes is stored for much shorter timeframes. However, there are significant variations across operators and countries. Additionally, the GDPR has affected the situation by driving the implementation of data minimization. The fact that different national laws mandate the retention of different categories of data poses a challenge for companies providing global business services across the EU, including divisions of many telecom operators. The challenge is even greater for providers of M2M cross-border connectivity services, which may use the same SIM profile across multiple Member States with diverging data retention requirements.
The majority of requests are targeted at individual subscribers or devices, with an increasing number of bulk requests. Bulk requests can be problematic because Law Enforcement Authorities (LEAs) often underestimate the scale and complexity of the data involved, which may result in inefficiencies and unnecessary compliance burdens for operators. Processing bulk requests requires significantly more time and resources, which can impact the response time for other requests. It is therefore important to minimize the scope of bulk requests and to establish an effective queuing and priority system that accommodates all stakeholders, both national and international.
Access typically involves automated systems and the use of Single Points of Contact (SPOCs) for the majority of access requests. These interfaces should be easy to use and not require costly adaptations for operators. The exchange is typically based on the ETSI request-response standard, which speeds up responses and significantly reduces access refusal rates (e.g., when a LEA contacts the wrong operator or when the requested data is no longer available).
Any data retention approach should also be proportionate and based on a cost-benefit assessment. Only data that has already been processed and stored for billing, commercial, or other legitimate business purposes should be retained, as any additional requirements could have significant technical and financial implications. The cost-benefit assessment of the types of data relevant for LEA purposes should take into account the differences between human communication and M2M communications.
We elaborate on our recommendations in the paper. For questions and clarifications regarding this position paper, please contact Paolo Grassia (grassia@connecteurope.org), Senior Director of Policy and Advocacy at Connect Europe.