DATRET/EXPGRP (2009) 6 FINAL Document 6

Transcription

1 DATRET/EXPGRP (2009) 6 FINAL EXPERTS GROUP "THE PLATFORM FOR ELECTRONIC DATA RETENTION FOR THE INVESTIGATION, DETECTION AND PROSECUTION OF SERIOUS CRIME" ESTABLISHED BY COMMISSION DECISION 2008/324/EC SERIES A: GUIDANCE DOCUMENTS Document 6 Closer understanding of the possibilities of providers to store traffic data in a Member State other than the Member State of origin of the data ( Central Data Storage ), in relation to its application in Directive 2006/24/EC version of 11 October 2010 (final) Scope The aim of this document is to discuss the situation where companies centralise the storage under Directive 2006/24 for commercial reasons and not the situation where national law of a MS requires central storage within that MS. The paper does not deal with the question of the applicable law to data retention which is closely linked to the centralised storage. This difficult legal issue will be the subject of a separate Position Paper Document. The issue is currently also discussed - but from a slightly different perspective - in the Article 29 Working Party on Data Protection. Date and Status This is the final version that was unanimously adopted by the Expert Group on Monday 11 October A disclaimer applies (see at the end of the document). Aspects of EU Directive 2006/24/EC covered in this paper Articles 1(1), 3 and 8 Retention and Storage The term "Central Data Storage will only be used in this paper in relation to the possibilities of providers to store traffic data in a Member State other than the Member State of origin of the data. Page 1 of 7 FINAL

2 Key Observations Directive 2006/24 is silent about the place of storage. Under those conditions, the principles of the Internal Market, must be applied, with the following result: a provider is allowed to store the data on the territory of another MS than the MS where the data were generated or processed, in the meaning of Article 3 of the Directive. Moreover: Any obligation imposed by a MS for the data to be retained on its own territory, is a restriction to the principle of free flow of data within the EU. Such a restriction is in principle not allowed for data protection considerations, but could be justified for reasons of public policy subject to the conditions imposed by the case law of the ECJ. The law of the originating Member State determines the storage period, i.e. the data retention legislation of the originating MS applies to the data. The providers wishing to store data in a central data base in EU should proceed to the (physical and[/or] logical) separation of the data originating from different MS, because of the lack of harmonisation of the directive (retention periods, different definitions of serious crime, etc) in order to ensure data security and to facilitate the application of the national legislation of each originating MS. In any case, national law must not only ensure the effectiveness of the Data Retention Directive but also of the Data Protection Directive. This means for instance that data should be stored only once except for back-up for security reasons and/or business continuity of the system (data minimisation), that the data subjects whose personal data are retained can effectively exercise their rights and that data protection authorities of the originating Member State can effectively fulfil their tasks. Specific attention is needed for data security measures. The rules on applicable law determine what MS must be considered as the MS where the data were generated or processed (further: 'originating MS). The main legal provisions relevant for applicable law are Article 4 of Directive 95/46, Article 15 of Directive 2002/58 and Article 3 of Directive 2006/24. Those legal provisions will be explained in a separate Guiding Document (see above). Page 2 of 7 FINAL

3 Central Data Storage within EU B.1. Objective and context of the Data Retention Directive The objective of the Data Retention Directive 2006/24/EC is to harmonise MSs' provisions concerning the obligation of the providers of publicly available electronic communications services to retain certain data in order to ensure that these data are available for the purpose of investigation of serious crime (art. 1). The data must be retained in such a way that they can be transmitted to the competent public authorities upon request (art. 8). Article 3 provides that data listed in Article 5 "are retained in accordance with the provisions [of Article 5], to the extent that those data are generated or processed by providers of publicly available electronic communications services or of a public communications network within their jurisdiction in the process of supplying the communications services concerned." The provisions of the Data Retention Directive apply without prejudice to the provisions of the Data Protection Directive 95/46. 1 The principles and provisions of the latter apply to any processing based on the Data Retention Directive unless the latter explicitly derogates from the former Directive. The provisions of the Data Retention Directive apply without prejudice to the provisions of Directive 2002/58. The Data Retention Direction is a specific derogation of an obligation under data protection law, in particular Article 6 of that directive. The Data Retention Directive does not contain a specific provision on the "territoriality" of storage of the relevant data. It does not prohibit the storage of data in different MSs. Article 4 of the Directive 95/46/EC has specific relevance: It provides that each MS shall apply its national provisions to the processing of personal data, where the processing is carried out in the context of the activities of an establishment of the controller (provider) on the territory of the MS. When the same controller is established on the territory of several MS, he must take the 1 In this context, several articles (2, 3, 7, 9, 13, 14) and recitals (1, 2, 15, 16, 18, 19, 25) of Directive 2006/24 are relevant. Page 3 of 7 FINAL

4 necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable (see further under 'applicable law'). Any approach to the problem of central data storage should guarantee (a) that the obligations of the providers can be performed, (b) the aim of the Data Retention Directive is ensured and (c) the rights of the data subjects are efficiently and effectively protected. B.2. Data to be stored The provision of electronic communications services generates, at different stages, a large amount of information that the providers of communication services have to retain, often cooperating with each other. The meaning of Art. 3 of Directive 2006/24 is to delimit the scope of the retention obligation and minimize the economic and organisational burden on providers (see recital 23). Each provider has to store, when generated or processed, only the data necessary, within his jurisdiction, to provide his own communication service. Thus the provider is - in principle - not required to keep additional data generated or processed by other providers in the process of supplying a given communication service, nor to generate or process data for retention as a result of Directive 2006/24. B.3. May the data identified in Article 5 Directive 2006/24 be stored by parties other than the providers? The data can also be stored by parties other than the provider. Article 6(5) of Directive 2002/58 (read in the light of Articles 2, lett. e) and 16 of Directive 95/46) introduces particular guarantees for the processing of traffic data, restricting it "to persons acting under the authority of providers of the public communications networks and publicly available electronic communications services handling billing or traffic management, customer enquiries, fraud detection, Page 4 of 7 FINAL

5 marketing electronic communications services or providing a value added service" and only to the data "necessary for the purposes of such activities". These guarantees do not exclude that data are processed by a third party, provided that he acts under the authority of the provider. In the terminology of Directive 95/46, the third party must be considered to be a 'processor', not a 'controller'. 2 B.4. Could the data be stored within a MS other than that from which they originate? Neither Directive 2006/24/EC nor Directive 2002/58 contain specific provisions about the application of the law of the Member State where data are stored; as a consequence Directive 95/46 is applicable. The objective of Directive 95/46 is to ensure: free flow of such data within EU, and in that context; protection of individuals with regard to the processing of personal data. According to the above, any obligation imposed by a MS regarding the retention of the data within its own territory could be considered as a restriction of the principle of free flow of data within EU established by Directive 95/46. In principle, such restriction is not allowed. However, it is not excluded that MSs under national law introduce such restriction, provided that it proves that such restriction is necessary for a reason recognised in the Treaty (public policy; public security) or for another reason mentioned in Article 13 of Directive 95/46, and not disproportionate. 2 According to its Article 2, 'controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law. 'Processor' shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller. Page 5 of 7 FINAL

6 B.5. Retention periods, security measures and supervision by DPA's. In case of different retention periods between the "originating MS" and the "storage MS", the legislation of the "originating MS" should apply. The storage provider must retain the data for the period required by the data retention legislation of the "originating MS", in order to be able to comply with its obligations to transmit them to the competent public authorities upon request. More concrete, he should take all the necessary measures (logical or physical) to keep separate the data originating from different MS and/or from different providers. Account should also be taken of Article 17 (3) of Directive 95/46, second indent, which makes reference to the security of processing, and which defines the law that has to be respected in this regard. As a consequence, storage provider will have to respect the law of the MS where the storage takes place, adopting the "appropriate technical and organizational measures to protect personal data". Moreover, the security measures provided for by Article 7 Directive 2006/24 should also be applied. The jurisdiction of the national Data Protection Authorities (DPAs) is determined by Article 28.6 of Directive 95/46: "[e]ach supervisory authority is competent, whatever the national law applicable to the processing in question, to exercise, on the territory of its own MS, the powers conferred on it in accordance with paragraph 3. (...)". Furthermore, cooperation among national DPAs is foreseen: "(...) Each authority may be requested to exercise its powers by an authority of another MS. The supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information". In short, the competent authority is the authority of the MS in which the processing takes place, who checks the lawfulness of the processing in the State in which the data are stored. He may be requested to exercise its powers by the authority of the MS of origin of the data. Disclaimer Page 6 of 7 FINAL

7 The views and opinions expressed in this document are not necessarily shared by all Members of the Expert Group "the Platform for Electronic Data Retention for the investigation, detection and prosecution of serious crime" and do not constitute legal advice. For details about the origin and status of the guidance contained in this document refer to the accompanying document "Introduction to the Series". The opinions expressed in this document do not necessarily reflect the views of the European Commission which accepts no responsibility or liability whatsoever with regard its contents. Page 7 of 7 FINAL