Dutch Court Throws Out Data Retention Law After Pressure from ISPs, Privacy Rights Groups

Internet service providers in the Netherlands will no longer have to retain customer metadata. The District Court of the Hague axed the law earlier this week that required telecommunications providers and ISPs to store customer metadata for a year to aid in law enforcement investigations.

According to a report by PC World, the court found that the law violates fundamental European Union privacy rights. The law suspended by the court was based on the EU’s Data Retention Directive, which was invalidated by the Court of Justice of the EU last year because of its violations to citizens’ privacy rights.

The EU Data Retention Directive required all ISPs and telecommunications providers in Europe to collect and retain incoming and outgoing phone numbers, IP addresses, location data, and other telecom and Internet traffic data. ISPs were required to store the data for six months to two years.

Since the EU’s data retention law was invalidated in April 2014, EU member states have been coming up with their own approaches to data retention. For example, the UK passed emergency legislation last year in order to continue giving law enforcement and intelligence agencies access to metadata, after obtaining a warrant signed by a Secretary of State.

It seems that the Netherlands also saw it necessary to maintain its national data retention law. It made a few adjustments to the law, mainly tightening access to data and specifying the circumstances under which data could be accessed, according to PC World.

A coalition of organizations including telecom companies SpeakUp and VOYS sued the government in January to get the law invalidated. The court recognized the overly broad scope of the law, ruling in their favor.

The court ruled that the law violates articles 7 and 8 of the Charter of Fundamental Rights of the EU, which cover the right to private life and the protection of personal data.

The law was also being misused to collect information on petty crime, and the plaintiffs stated that the theft of a bicycle could technically lead to data access.

With the law scrapped, ISPs and telecoms will no longer be legally required to retain data. It is unclear when telecoms in the Netherlands will delete the data they have already stored, but a spokesperson for Dutch ISP XS4ALL told PC World that it is having its legal department “make absolutely sure it can [delete data] before it will do so,” which makes sense considering the Dutch government could still appeal the decision.