On March 6, 2013 the Italian Data Protection Authority
("Garante") issued a
press release on the outcome of a series of investigations on
11 telecom and internet service providers ("ISPs"). The
operation, predictably named "Data Retention", aimed at
verifying whether or not such providers were compliant with data
protection legislation and, in particular, with the Garante's
specific measures issued on
2008. As a result, 9 out of the 11 investigated companies were
fined, which goes to prove that compliance in this area of the law
is not particularly high.
It is hard to blame ISPs, though.
Data retention legislation has been a maze of obligations that
has not been easy to follow, let alone to comply with. I have
counted 7 different amendments to sections 121 to 132bis of the
Italian Data Protection Code of 2003, an impressive average of
1.4 per year, also prompted by various changes to EU Directives on
the subject matter (e.g.,
To retain or not to retain data? This is the question.
The Garante's investigations may have surprised ISPs. In
fact, the Garante focused on compliance with data protection
obligations, which mandate ISPs to deletetraffic data immediately after the expiration of
the mandatory retention period of 12 months. ISPs are usually
confronted with the exact opposite requests by police authorities:
keeptraffic data!, says the
police, so you can send it to us when needed for fighting
The complexity of this legislation only mirrors the difficult
balance between opposing principles that must coexist in this area
of the law. To retain or not to retain data? This is the
A tale of conflicting principles...
On one hand, data retention is key to law enforcement
and crime prevention and suppression, a need which becomes
an absolute priority after terrorist attacks and
which prompts strong retention legislation. On the other hand,
privacy law was created for the exact purpose of allowing
individuals to enjoy a fundamental freedom, and to
avoid that private or public entities oppress people by keeping
track of every step they take, whether online or offline.
ISPs are right in the middle of this underlying
dilemma. The Electronic Frontier Foundation had well
summarized the costs of data retention laws for users and ISPs
("Government mandated data retention impacts millions
of ordinary users compromising online anonymity which is crucial
for whistle-blowers, investigators, journalists, and those engaging
in political speech. National data retention laws are invasive,
costly, and damage the right to privacy and free expression. They
compel ISPs and telcos to create large databases of information
about who communicates with whom via Internet or phone, the
duration of the exchange, and the users' location. These
regimes require that your IP address be collected and retained for
every step you make online. Privacy risks increase as these
vulnerableto theft and accidental disclosure. Service
providers must absorb the expense of storing and maintaining these
large databases and often pass these costs on to
Cyber-security: more cooperation required from ISPs.
And with the importance of the Internet growing both for
individuals and for governments, the legislator's request that
ISPs cooperate is only going to increase. A very recent
decree on cyber-security and national informatic
safety issued by the President of the Council of Ministry
on January 24, 2013 and published on
March 19, 2013requires that ISPs adopt best practices
in the area of cyber security, cooperate in the management of
cybernetic crises, alert the National Safety Unit of any
significant security breach and provide information to the
ISPs may have started their activity with a focus on technical
infrastructures: they better be equipped with a good compliance
Previously published by Privacy Europe, April 2013.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
A recent opinion by the Article 29 Working Party provides practical guidance on the applicability of the "legitimate interests" of a data controller as one of the grounds for the lawful processing of personal data under the EU Data Protection Directive 95/46/EC.
Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.
Observers from outside the EU might understandably wonder whether the legislative process has derailed somehow.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”