UN Report Calls for Mandatory Data Retention
By Kurt Wimmer and Josephine Liu
The United Nations Office on Drugs and Crime has released a report warning that terrorists are increasingly using the Internet to spread propaganda, recruit and train supporters, finance their activities, and plan terrorist attacks. Besides providing an overview of the existing legal frameworks to address terrorists’ use of the Internet, the report highlights a number of challenges associated with investigating and prosecuting terrorism cases — and specifically notes that “[o]ne of the major problems confronting all law enforcement agencies is the lack of an internationally agreed framework for retention of data held by ISPs.”
As the report notes, some countries already require ISPs to retain certain types of data for a specified time period. But even in the European Union, where Directive 2006/24/EC requires Member States to ensure that regulated providers retain specified communications data for a period between six months and two years, there is no consistent data-retention period. Some Member States require data to be retained for six months, others for two years. In addition, several Member States continue to grapple with implementing the Directive, including Germany (where an attempt to implement it was struck down by the constitutional court).
There have been a number of recent attempts to enact or expand data-retention legislation. For example:
- Earlier this year, the Australian government asked Parliament to begin an inquiry into whether ISPs should be required to retain data for up to two years. The Attorney General recently clarified that the government is proposing retention of subscriber and traffic data, not the content of communications.
- A draft cybercrime law was introduced in Brazil’s Senate that would require Internet intermediaries to retain “electronic address data” associated with the source and timing of an Internet connection for three years.
- As chronicled here, a number of data-retention bills have been proposed in the United States. The most recent federal proposal is H.R. 1981, which passed out of committee in December 2011. The bill would require ISPs to retain for at least one year a log of “temporarily assigned network addresses” to enable identification of customers.
- The UK Parliament is considering a draft Communications Data Bill that would expand the types of data that telecommunications operators must retain for a year. Telcos would need to retain traffic data — e.g., time, duration, originator, recipient, location of sending device — for communications made via social media, webmail, VoIP, or online gaming.
The UN report’s call for the “development of a universally agreed regulatory framework imposing consistent obligations on all ISPs regarding the type and duration of customer usage data to be retained” may prompt law enforcement agencies to push harder for mandatory data retention periods, although we expect that privacy groups will continue to oppose these efforts.