The recent "Data Retention Operation" by the Italian DPA revealed that compliance with data retention legislation among telecom and internet service providers is still considerably low.
The DPA’s investigation.
On March 6, 2013 the Italian Data Protection Authority (“Garante”) issued a press release on the outcome of a series of investigations into 11 telecom and internet service providers (“ISPs”). The operation, predictably named “Data Retention”, aimed to verify whether or not such providers were compliant with data protection legislation and, in particular, with the Garante’s specific measures issued on January 17, 2008. As a result, 9 of the 11 investigated companies were fined, which goes to prove that compliance in this area of the law is not particularly high.
It is hard to blame ISPs, though.
Data retention legislation has been a maze of obligations that has not been easy to follow, let alone to comply with. I have counted 7 different amendments to sections 121 to 132bis of the Italian Data Protection Code of 2003, an impressive average of 1.4 per year, also prompted by various changes to EU Directives on the subject matter (e.g., 2002/58/CE and 2006/24/CE).
To retain or not to retain data? This is the question.
The Garante’s investigations may have surprised ISPs. In fact, the Garante focused on compliance with data protection obligations, which require ISPs to delete traffic data immediately after the expiration of the mandatory retention period of 12 months. ISPs are usually confronted with the exact opposite request from police authorities: “Keep traffic data!”, says the police, “so you can send it to us when it is needed to fight crime.”
The complexity of this legislation only mirrors the difficult balance between opposing principles that must coexist in this area of the law. To retain or not to retain data? This is the question.
A tale of conflicting principles…
On one hand, data retention is key to law enforcement and crime prevention and suppression, a need which becomes an absolute priority after terrorist attacks and which prompts strong retention legislation. On the other hand, privacy law was created for the exact purpose of allowing individuals to enjoy a fundamental freedom, and to avoid that private or public entities oppress people by keeping track of every step they take, whether online or offline.
ISPs are right in the middle of this underlying dilemma. The Electronic Frontier Foundation has summarized well the costs of data retention laws for users and ISPs:
“Government mandated data retention impacts millions of ordinary users compromising online anonymity which is crucial for whistle-blowers, investigators, journalists, and those engaging in political speech. National data retention laws are invasive, costly, and damage the right to privacy and free expression. They compel ISPs and telcos to create large databases of information about who communicates with whom via Internet or phone, the duration of the exchange, and the users’ location. These regimes require that your IP address be collected and retained for every step you make online. Privacy risks increase as these databases become vulnerable to theft and accidental disclosure. Service providers must absorb the expense of storing and maintaining these large databases and often pass these costs on to consumers”.
Cyber-security: more cooperation required from ISPs.
And with the importance of the Internet growing both for individuals and for governments, the legislator’s demand that ISPs cooperate is only going to increase. A very recent decree on cyber security and national information security, issued by the President of the Council of Ministers on January 24, 2013 and published on March 19, 2013, requires that ISPs adopt best practices in the area of cyber security, cooperate in the management of cyber crises, alert the National Safety Unit of any significant security breach and provide information to the competent authorities.
ISPs may have started their activity with a focus on technical infrastructure: they had better be equipped with a good compliance office, too.