Proposal for altered data retention law is still unlawful, Dutch DPA says

Obliging telecom companies to retain customer data for months to help the police catch criminals is disproportionate, the DPA said

The Dutch government's proposed revision of the country's data retention law is not enough to bring it into compliance with a recent European Union court ruling, the Dutch privacy watchdog said Monday.

An effort by the Dutch government to adjust a law requiring telecommunications and Internet companies to retain their customers' location and traffic metadata for investigatory purposes should be dropped, as the infringement of the private life of virtually all Dutch citizens is too great, the Dutch Data Protection Authority (DPA) said on Monday.

The Dutch government is looking to change data retention obligations for telephone and Internet communications operators following a decision last year by the Court of Justice of the European Union (CJEU). The court invalidated the European data retention directive, on which the Dutch law is based, because it violates fundamental privacy rights.

The Dutch data retention law has been under pressure since the CJEU's ruling. The Council of State, a constitutional advisory body, last year already concluded that the law should be withdrawn because it violates fundamental privacy laws. But despite this advice, the government decided to amend it instead of annul it.

The government sees the law as indispensable for the investigation and prosecution of serious criminal offenses, and proposed maintaining it with minor adjustments to who will have access to the data and under what circumstances to bring it in line with the CJEU ruling.

But the Dutch DPA thinks the bill should not even be presented to Parliament as there is no proven necessity for such a law, it said in a letter to the government published Monday.

Retaining the telephony and Internet data of virtually all citizens for six to 12 months is a far-reaching measure which requires an irrefutable demonstration of necessity, it said, adding that during the 4.5 years this data has been retained, law enforcement authorities have not been able to show why data retention is necessary.

Moreover, the draft bill does not address the question whether less far-reaching alternative measures would be available to obtain the same result. If the bill was to go ahead, "the infringement of the private life of virtually all Dutch citizens is too big and disproportionate," it found

The government for instance proposed to retain telephony data for 12 months but only make it accessible to law enforcement for six to 12 months depending on the crime. However, this distinction between the retention and the use of the data does not alter the disproportionality between the purpose of the data collection and the infringement on the private life. Therefore, this general data retention obligation is unlawful, the DPA said.

The DPA's opinion is one of several that will have to be taken into account, said a spokesman for the Dutch government, who added that the government will comment on every suggestion in detail when the bill is submitted to the Parliament.

A DPA spokeswoman said the bill could still be altered before it will be discussed in parliament based on the advice.

Although the government has refused to annul the law, others are seeking to force its hand. On Wednesday, the District Court of the Hague is scheduled to hear a legal challenge to it, filed by a broad coalition of organizations who want the law invalidated because it violates fundamental privacy rights.

Other data retention laws in EU countries have already been ruled unconstitutional, In Austria for instance, the local law was invalidated in the wake of the CJEU ruling. In Germany, the local data retention law was ruled unconstitutional in 2010, long before the ruling.

In Sweden though, the government is looking to maintain a data retention obligation for telecommunication data on much the same grounds as in the Netherlands.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, online payment issues as well as EU technology policy and regulation for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to

Join the CSO newsletter!

Error: Please check your email address.

Tags securitydata protectionlegislationgovernmentprivacy

More about EUIDGNews

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Loek Essers

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts