On March 15, 2006, the European Parliament issued Directive 2006/24/EC (.pdf), outlining a new program that woud require internet service providers (ISPs) and telecommunications carriers to begin retaining comprehensive records of customer communications. Specifically, the Directive required member states to ensure that a range of communications data be retained by service providers, including:
- The names, addresses, telephone numbers, Internet Protocol (IP) addresses and user IDs involved in Internet access, email and Internet telephony services;
- The date and time of the start and end of communications;
- The telephone numbers involved during a telephone call and the registered owners’ names and addresses;
- Information allowing the identification of mobile phones used to make telephone calls and their geographic location when used to make calls.
The Directive expressly states that "[n]o data revealing the content of the communication may be retained pursuant to this Directive." Under the Directive, service providers will be required to retain these records "not less than six months and not more than two years" and ensure that the retained records can be communicated to government authorities "without undue delay."
Implementation of Directive 2006/24/EC to Internet communications has been delayed (if, for no other reason to figure out how to store the terrabytes of information as required under the new Directive). During the interim, Ireland challenged the Directive in the European Court of Justice. Examining the Directive, the ECJ held that it essentially pertained to commercial activities of service providers, rather than police and security matter, and dismissed the case.
Member states recently have begun implementing the Directive. In the United Kingdom, the Home Office has prepared draft regulations transposing Directive 2006/24/EC into law (.pdf) that requires the retention of communications data for 12 months. This has led to significant criticism of the retention rules (see news coverage at the BBC and the Telegraph). Sweden has stated that it intends to postpone implementation of the Directive to Internet activity.
Between the implementation of Directive 2006/24/EC and other invasive surveillance law being considered in Europe (France appears to be on the verge of legalizing government spyware), the landscape of Internet communications is evolving rapidly. Anyone transacting business in Europe or who may transfer data through member states may need to consider the privacy implications of and retention obligations imposed by the new rules.