Dutch telecom and internet providers are no longer required to retain the telephone and internet traffic data of their customers. On 11 March 2015, The Hague District Court suspended the law that requires telecom providers to collect and store data for at least six months and to provide access to this data to competent national authorities. The Court concluded that the law violates citizen’s fundamental rights to respect for private life and to the protection of personal data.
The Dutch Telecommunications Data Retention Act (WBT) requires telecom and internet service providers to store the data of the internet and telephone usage of their customers for six to twelve months. This includes the name, address, location data, telephone numbers called, used internet services, etc. Competent authorities (including the police or security agencies) are subsequently able to request access to details necessary to trace and identify the source, date, destination, time and duration of a communication, the communication device or the location of mobile equipment, etc.
The judgment of the District Court, which can still be appealed, found that the WBT’s objective of helping law enforcement authorities better investigate crimes does not outweigh the privacy risks of forcing ISP and telecom service providers to retain user data for six to twelve months.
This judgment follows the line and reasoning of previous case law. In April 2014, the European Court of Justice (ECJ) invalidated the EU Telecom Data Retention Directive, having ruled that unlimited and undifferentiated collection of personal data was not allowed. According to ECJ, there were no objective criteria for determining which data need to be collected and stored and when access by the competent national authorities was justified. Access requests to such data should be subject to prior control by an independent authority or court.
In response to the invalidation of the EU Data Retention Directive, which formed the basis for the WBT, the Dutch government is currently attempting to amend the national telecom data retention requirements. The draft law proposes several amendments, including prior reviews of access requests by courts and a differentiation between retention periods, depending on the nature of crime. However, in February 2015, the Dutch Data Protection Authority (CBP) recommended withdrawing the proposed amendments, concluding that the need to retain all telecom and internet communications data in the Netherlands was not sufficiently substantiated.
The Dutch Government has not decided yet whether it will appeal the judgment of the District Court, but has already announced that its proposed amendments to WBT are in line with the reasoning of the District Court.
Read our Legal alert of 9 April 2014 on the ECJ decision invalidating the EU Data Retention Directive.