Not all communications service providers destroy name and address details and other data they need to retain according to Dutch data retention rules in time. Also, not all providers comply with statutory obligations regarding the use of traffic data for business purposes (such as billing and marketing).

These findings were presented in the report “Measuring data retention 2013“, prepared by one of the telecommunications market regulators: the Radiocommunications Agency Netherlands (“RAN”). This report was offered by the ministries of Economic Affairs and Security and Justice to the House of Representatives last week.

The purpose of RAN’s measurement was to gain insight into the degree of compliance by 525 small and medium sized communications service providers. The six Dutch major providers of communications services were not taken into account in this study.

Telecommunications Act (“Tw”)

According to article 13.2a Tw (which is an implementation of the 2006 EU-directive on data retention), public telecommunications network providers have to retain certain data for a period of twelve months, to the extent that such data are generated and processed in the context of the services offered. The purpose of this retention obligation relates to the detection and prosecution of serious crimes.

Although the European Court of Justice has annulled the 2006 EU-directive on data retention on April 8 2014 due to violation of privacy of citizens, article 13.2a Tw still remains into force.

Upcoming monitoring period

With regard to the upcoming monitoring period, RAN will focus on:

  • The destruction of name and address details and traffic and location data. 14% of the providers monitored did not (fully) comply with timely destruction of such data.
  • Compliance with Dutch privacy regulations. 25% of the providers monitored use traffic data for business purposes. This is only allowed if providers meet the legal privacy requirements under the Tw. It appeared that forty-eight providers did not (fully) comply with such requirements. The consequence could be that RAN imposes fines for each violation in the upcoming monitoring period. Fines can go up to € 450,000, determined on a case by case basis.