U.S. CARRIERS CONCERNED OVER MANDATORY DATA RETENTION IN EUROPE
U.S. carriers are concerned about a law recently adopted by Italy’s parliament that would require them to store “data relating to telephony traffic” for 24 -- and in some cases 48 -- months. “This is the longest duration we have seen and it will have an effect on us,” a source from a large U.S. ISP with global operations said: “It’s very costly to store information for such a long period of time.” The new law is expected to be published soon in the Federal Gazette -- equivalent to the U.S. Federal Register.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
The source said another problem was that different EU member states were setting different requirements about what data should be stored and for how long: “For an international business, it’s very difficult to comply.” The source also expressed concern that different states had different rules on how the stored data would be used. While the U.K. allows law enforcement to use data “only for the purposes of terrorism,” some other countries “allow law enforcement to use it for any crime purposes.” The source called on the European Commission to come up with guidance on what kind of data should be stored and for how long.
“The data-retention act has been inspired by the public prosecutors claiming” that if the law isn’t passed, they will be “unarmed against terrorism,” said Andrea Monti, pres. of the Italian Assn. for the Freedom of Electronic Communications (ALCEI). The decision amends the 2003 Italian Data Protection Act, which allows but doesn’t require such data storage.
Italy isn’t the only country in the European Union (EU) that came up with such requirements. Other EU countries that have similar requirements include Germany, which has a 6- month data retention period, Belgium (minimum of one year), Denmark (one year minimum) and Finland (minimum of 3 months). France is “coming next” with its State Counsel expected to rule within the next few weeks on what kind of data providers should store for one year, said Axel Spies, an attorney in Washington representing several U.S. phone companies doing business in Europe. The European Commission has suggested a mandatory data retention period of 3-6 months.
Monti expressed concern that the new requirement could cause confusion because there was no definition of “data relating to telephony traffic” in the Italian Data Protection Act passed by the Italian Parliament last year that contains a section on traffic data. Spies said the new requirements were “very burdensome for carriers and possibly ISPs doing business in Italy.” He said they “left in the dark” what kind of data needs to be stored and who falls under the new provisions. Spies said e-mail traffic and VoIP, which is classified as an information rather than telephone service in Europe, would probably not be covered by the new provisions. Monti said the “deliberate ambiguity of the text” would allow the “enforcement of the law both to carriers and ISPs.”
The new amendment refers to the Italian Decree 171 of 1998, which provides a broad definition of billing data, including: (1) A subscriber’s phone number and address. (2) The phone number of the person who receives the call. (3) The Number of units of the calls during the billing period. (4) Time and duration of the call and the volume of transmitted data, if any. (5) Data of the service used. (6) Other information concerning the payment. “This would be a tremendous amount of data that a ‘provider’ would have to store over 24 months for law enforcement purposes -- or even longer if ordered by a court to do so,” Spies said. He also said the amendment referred to affected parties as “providers,” which he said could “mean telecom carriers, ISPs and service providers.” Monti said ALCEI would “probably” challenge the law in court.
“What makes the situation even worse is that each EU member state has different rules on data retention and privacy in general,” Spies said. He said Austria didn’t have mandatory retention periods for law enforcement purposes. “International carriers and providers serving customers or corporations in several countries are struggling to comply with all these different rules,” he said.