Data retention legislation has been adopted to address concerns related to national security and serious criminal activity. The legislation provides access to communication data for law enforcement purposes. However, according to the Data Retention Directive (DRD) personal data collected, stored or in any way processed in most European Union (EU) Member States (MSs) needs to be securely protected, to meet the requirements of data protection legislation.
This study provides the results of (a) a survey on the national implementation of the DRD in six selected Member States on the requirements regarding technical and organisational security measures (in short ‘security measures’) and the implementation of the data security principles that are provided for in the Directive, and (b) a state-of-the-art analysis of the security measures proposed for the protection of personal data collected and stored in the context of the DRD. ENISA initiated this study following a request by the Directorate General Home Affairs (DG HOME) of the European Commission.
This document aims at providing a set of recommendations for a common European approach on the security measures that should be taken in relation to retained data, taking into account existing specifications on security measures.