[zdnet] On Monday, the Commission published a report evaluating the implementation so far of the Data Retention Directive, which came into force in 2006, and is now set to be revised. The report said most member states still see the directive, formulated after the 2004 Madrid bombings, as necessary.
It also said there was a great amount of variation in the way the directive is being transposed into national law, although this is to be expected as the directive was designed to allow a certain amount of leeway.
However, the report also noted that the idea of data retention remains a "significant limitation on the right to privacy", and the Commission said it may therefore strengthen safeguards to stop citizens' data being used inappropriately.
"Whilst there are no concrete examples of serious breaches of privacy, the risk of data security breaches will remain unless further safeguards are put in place," the Commission said in a statement. "The Commission will therefore consider more stringent regulation of storage, access to and use of the retained data."
The directive orders communications providers to store their records of customers' interactions for between six and 24 months — the UK chose one year — so law enforcement officials can access that data if necessary. The data includes details of who contacted whom when, rather than the contents of communications.
The Commission's report is based on member states' experiences of data retention, as gauged for more than a year through conferences, meetings and a stakeholder questionnaire.
On Monday, the Commission said it will revise the directive "in consultation with the police and the judiciary, industry, data-protection authorities and civil society, with a view to proposing an improved legal framework".
Europe to overhaul data-retention law
see also report