Directive 2006/24/EC

Directive 2006/24/EC of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (‘Data Retention Directive’)

Published under Risk Management
Title: Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC
Source reference: http://eur-lex.europa.eu/LexUriServ/
Topic: Requirement for the providers of public electronic telecommunications service providers to retain certain information for the purposes of the investigation, detection and prosecution of serious crime
Direct / indirect relevance Direct. The text directly prescribes an obligation to ensure the availability and quality of the retained data.
Scope: Applicable to the providers of publicly available electronic communications service providers in the E.U.
Legal force: EU Directive, requires transposition into national law. The deadline for transposition depends on the activity of the service provider (a later deadline is provided for ISPs) and on the Member State (certain Member States have announced that they require more time for ISPs); but the earliest deadline for transposition is 15 September 2007
Affected sectors: Providers of publicly available electronic communications services in the E.U., including ISPs
Relevant provision(s): Article 3 – Obligation to retain data

1. By way of derogation from Articles 5, 6 and 9 of Directive 2002/58/EC, Member States shall adopt measures to ensure that the data specified in Article 5 of this Directive are retained in accordance with the provisions thereof, to the extent that those data are generated or processed by providers of publicly available electronic communications services or of a public communications network within their jurisdiction in the process of supplying the communications services concerned.

2. The obligation to retain data provided for in paragraph 1 shall include the retention of the data specified in Article 5 relating to unsuccessful call attempts where those data are generated or processed, and stored (as regards telephony data) or logged (as regards Internet data), by providers of publicly available electronic communications services or of a public communications network within the jurisdiction of the Member State concerned in the process of supplying the communication services concerned. This Directive shall not require data relating to unconnected calls to be retained.

Article 4 – Access to data

Member States shall adopt measures to ensure that data retained in accordance with this Directive are provided only to the competent national authorities in specific cases and in accordance with national law. The procedures to be followed and the conditions to be fulfilled in order to gain access to retained data in accordance with necessity and proportionality requirements shall be defined by each Member State in its national law, subject to the relevant provisions of European Union law or public international law, and in particular the ECHR as interpreted by the European Court of Human Rights.

Article 7 – Data protection and data security

Without prejudice to the provisions adopted pursuant to Directive 95/46/EC and Directive 2002/58/EC, each Member State shall ensure that providers of publicly available electronic communications services or of a public communications network respect, as a minimum, the following data security principles with respect to data retained in accordance with this Directive:

(a) the retained data shall be of the same quality and subject to the same security and protection as those data on the network;
(b) the data shall be subject to appropriate technical and organisational measures to protect the data against accidental or unlawful destruction, accidental loss or alteration, or unauthorised or unlawful storage, processing, access or disclosure;
(c) the data shall be subject to appropriate technical and organisational measures to ensure that they can be accessed by specially authorised personnel only; and
(d) the data, except those that have been accessed and preserved, shall be destroyed at the end of the period of retention.

Article 8 – Storage requirements for retained data

Member States shall ensure that the data specified in Article 5 are retained in accordance with this Directive in such a way that the data retained and any other necessary information relating to such data can be transmitted upon request to the competent authorities without undue delay.
Relevance to RM/RA: The cited articles require the affected providers of publicly accessible electronic telecommunications networks:
• To retain certain communications data (including unsuccessful call attempts) to be specified in their national regulations, for a specific amount of time, under secured circumstances in compliance with applicable privacy regulations;
• To provide access to this data to competent national authorities. This requires that the providers is aware of the locally competent authorities, and that it is capable of assessing the validity of the request;
• To ensure data quality and security through appropriate technical and organisational measures, shielding it from access by unauthorised individuals; and to ensure its destruction when it is no longer required;
• To ensure that stored data can be promptly delivered upon request from the competent authorities.
Browse the Topics

This site uses cookies to offer you a better browsing experience.
Aside from essential cookies we also use tracking cookies for analytics.
Find out more on how we use cookies.

Accept all cookies Accept only essential cookies