Spotlight on: Data Retention Obligations in the European Union

Guest WiFi Risks|||||||||
Posted on | Updated on

(Important Note added on 14 July 2014: The EU law in this area is currently undergoing change and this blog post requires updating to reflect the current circumstances. We will be re-publishing with the up to date legal information as soon as possible.)

The need to allow access to public communications data, for the purposes of combating terrorism and bringing serious offenders to justice, is unquestionable. However, the law in the EU which is intended to regulate the retention of, and access to, this data is currently in disarray as a result of a controversial EU Directive. This Directive has failed to effectively harmonise the law and was recently held to be incompatible with the EU Charter of Fundamental Rights. As a result, those obliged to comply with these laws must currently navigate through a raft of varying local regulations in force throughout the EU, which are likely to be subject to further change in the near future.

In more detail:- 

  • The EU Data Retention Directive which came into force on 3 May 2006, obliged EU Members States to implement national laws requiring communication service providers to retain certain types of traffic, subscriber and location data generated by their users for a period of between 6 and 24 months. The retained data must be made available to national authorities for the purposes of the investigation, detection and prosecution of serious crimes.
  • The implementation of the Directive in individual EU Member States raised substantial issues. It has been challenged, for example, in both the Irish and Austrian courts, on the basis that it does not contain sufficient guarantees to safeguard the right to privacy and, that it relates to issues of criminal justice which fall outside the scope of the EU’s power to legislate.
  • As a result, the Directive has been implemented to varying degrees and effects in some EU Member States, and has yet to be implemented at all in others, leaving local law to apply. The Directive permitted each Member State to choose the relevant retention period (as long as it fell between 6 – 24 months) – many have opted for a retention period at the lower end of this scale. It also left them to individually define “serious crime” according to local law. Consequently, objections have been raised on the basis that data has been accessed in some circumstances for offences such as copyright infringement, which does not fall within the original intention of this law.

  • In the UK, the implementing Regulations require the data to be retained for 12 months from the date of the communication. This obligation only applies to public communications providers who have been given written notice by the Secretary of State.

  • On 12 December 2013, the Advocate General of the European Court of Justice published his non-binding opinion that the Data Retention Directive is, as a whole, incompatible with the EU Charter of Fundamental Rights, as it fails to balance the “very serious interference with fundamental rights to privacy and data protection” with appropriate guarantees, such as those relating to the circumstances in which retained data can be accessed. Nonetheless, the AG stated that the Directive should be kept in place, subject to a legislative review dealing with issues such as a more precise regulation of access to the data.

Looking Forward

Despite the controversy caused by the Data Retention Directive, due to the importance of its underlying principles, the obligation on communication providers to retain communications data is likely to remain in some form. How data retention obligations will evolve over the coming years, remains to be seen. The challenge for businesses engaged in this area is in keeping abreast of developments in both  this area and the wider data privacy landscape, in light of the new EU Data Privacy Regulation which is currently under discussion.

Squire Sanders 

Squire Sanders is one of the world’s strongest integrated legal practices with more than 1,300 lawyers in 39 offices across 19 countries. Our EU Data Protection Group is ideally placed to advise on this and all other data privacy issues, with specialist data privacy lawyers, located for example, in France, Germany, the UK, Belgium, the Czech Republic, Hungary, Slovakia and Spain.

Widely acknowledged for its international reach and diverse sector expertise, it advises every type of business from fast-growth companies and the established global mid-market to Fortune 100 and FTSE 100 businesses, together with regional and national governments. For more information, visit 

This article is made available by Squire Sanders only to provide general commentary of the law as it stands on 20 January 2014, not to provide specific legal advice nor to warrant compliance with the law by Purple WiFi Limited. There is no attorney-client relationship between the reader and Squire Sanders. This article should not be used as a substitute for competent, up-to-date legal advice from a licensed professional attorney.

© Squire Sanders.
All rights reserved
January 2014

To discuss how we can help you contact:-
Emily Turner
Intellectual Property and Technology

T – +44 (0)113 284 7679
E –

Peter Flanagan
Senior Associate
Intellectual Property and Technology

T – +1(703)720-7864
E –

Important Note added on 14 July 2014: The EU law in this area is currently undergoing change and this blog post requires updating to reflect the current circumstances. We will be re-publishing with the up to date legal information as soon as possible.

© 2024 Purple. All Rights Reserved.