Special Edition March 2015

For more information, please contact:
Wouter Seinen
Partner, Amsterdam
+31 20 551 7161
Wouter.Seinen@bakermckenzie.com

The Hague Court sets aside the Dutch Data Retention Rules

On 11 March, the District Court of The Hague struck down the Dutch Telecommunications Data Retention Act ("TDRA") as being contrary to law for its failure to provide sufficient safeguards to protect the privacy of data subjects against the use of telecommunications data for the prevention, investigation, detection and prosecution of crimes. According to the court ruling, the scope of the TDRA was considered too broad since it does not restrict the right to use the retained telecommunications data for the prevention of serious crimes only, as contemplated by the European Data Retention Directive. In addition, the judge invalidated the TDRA on the grounds that the law does not require that the retained data be stored on European soil and that access requests of the authorities are not subject to prior judicial review and approval.

Scope of the Dutch Telecommunications Data Retention Act

The TDRA imposes a statutory obligation on telephone companies and Internet service providers ("ISPs") in the Netherlands to store certain traffic and location data of customers and subscribers, including details of telephone calls (numbers called, duration of calls, location data, etc.) and information on clients' Internet use in order to guarantee the availability of certain data during the conduct of criminal investigations by competent authorities. Telephone companies were required to store information on all fixed and mobile phone calls for a period of twelve months, while ISPs were required to store information on clients' Internet use for a period of six months.
The purpose of the data retention requirement was to ensure access to certain data by public authorities for purposes of tracing and identifying the source, date, destination, time and duration of communications of individuals, as well as information about the mobile communication devices used, which are subject to the criminal investigation. The court ruling declares that the TDRA, in its current form, constitutes a breach of the respect for private and family life, as well as the right to protection of personal data (Articles 7 and 8 respectively of the Charter of Fundamental Rights of the European Union), as it is not limited in scope to that which is 'strictly necessary' for the fight against serious crimes. In addition, access to retained data is not subject to prior checks by a judicial or independent administrative authority.

Dutch judge follows the ECJ's earlier decision on the European Data Retention Directive

The TDRA was based on the 2006 EU Data Retention Directive ("Directive"), which was invalidated in April 2014 by the European Court of Justice ("ECJ") for interfering with the fundamental rights to privacy and to the protection of personal data enshrined in the Charter of Fundamental Rights of the EU. The ECJ held that there were no objective criteria for determining which data were to be collected and stored. Moreover, the ECJ determined that access rights of the competent national authorities should be subject to adequate safeguards and prior review by a court or other independent authority.

According to the District Court of The Hague, the privacy risks associated with the mandatory retention and storage of user data do not outweigh the benefits contemplated by the law's objective of enabling law enforcement authorities to better investigate serious crimes. Although the TDRA is necessary and serves a legitimate purpose, the law does not provide sufficient safeguards to protect the privacy of Dutch citizens.
The main issues are that the right to grant access to retained data is not limited to investigations of serious crimes only and that requests are not reviewed by a court or other independent body. In addition, the court considered that the TDRA does not require that the retained data be stored on servers located within the European Union, whilst the ECJ had considered such a requirement "an essential component" of the necessary safeguards.

Now what?

The Dutch Security and Justice Ministry is considering filing an appeal against the court's decision. Following the court ruling, a number of ISPs have already announced plans to discontinue their data retention programs.

While the EU Home Affairs Commissioner Dimitris Avramopoulos has recently announced that the European Commission does not plan to present a new legislative initiative on data retention, the Dutch government, on the contrary, seems to favor the data retention system and has presented a draft legislative bill to amend the TDRA. This bill introduces prior judicial reviews of access requests and a differentiation between retention and accessibility periods on the basis of the nature of the crime.

This proposed bill has been heavily criticized by the Dutch Data Protection Authority ("Dutch DPA") in its advice of February 2015. According to the Dutch DPA, the new act still does not adequately address the issue of whether it is necessary to retain all telecoms and Internet communications data in the Netherlands to serve the public interest of fighting serious crimes in a proportional manner. Whether a new or revised data retention act will be proposed by the Dutch government remains to be seen.