The Dutch government's proposed revision of the country's data retention law is not enough to bring it into compliance with a recent European Union court ruling, the Dutch privacy watchdog said Monday.
An effort by the Dutch government to adjust a law requiring telecommunications and Internet companies to retain their customers' location and traffic metadata for investigatory purposes should be dropped, as the infringement of the private life of virtually all Dutch citizens is too great, the Dutch Data Protection Authority (DPA) said on Monday.
The Dutch government is looking to change data retention obligations for telephone and Internet communications operators following a decision last year by the Court of Justice of the European Union (CJEU). The court invalidated the European data retention directive, on which the Dutch law is based, because it violates fundamental privacy rights.
The Dutch data retention law has been under pressure since the CJEU's ruling. The Council of State, a constitutional advisory body, already concluded last year that the law should be withdrawn because it violates fundamental privacy laws. But despite this advice, the government decided to amend it instead of annulling it.
The government sees the law as indispensable for the investigation and prosecution of serious criminal offenses, and proposed maintaining it, with minor adjustments to who will have access to the data and under what circumstances, to bring it in line with the CJEU ruling.
But the Dutch DPA thinks the bill should not even be presented to Parliament as there is no proven necessity for such a law, it said in a letter to the government published Monday.
Retaining the telephony and Internet data of virtually all citizens for six to 12 months is a far-reaching measure which requires an irrefutable demonstration of necessity, it said, adding that during the 4.5 years this data has been retained, law enforcement authorities have not been able to show why data retention is necessary.
Moreover, the draft bill does not address the question of whether less far-reaching alternative measures would be available to obtain the same result. If the bill were to go ahead, "the infringement of the private life of virtually all Dutch citizens is too big and disproportionate," it found.
The government, for instance, proposed to retain telephony data for 12 months but only make it accessible to law enforcement for six to 12 months depending on the crime. However, this distinction between the retention and the use of the data does not alter the disproportionality between the purpose of the data collection and the infringement on the private life. Therefore, this general data retention obligation is unlawful, the DPA said.