The act of 29 May 2016 regulates the retention and storage by electronic network providers and service providers of data generated by electronic communication. It replaces the previous act on data retention, which was annulled by the Constitutional Court due to its incompatibility with the protection of privacy. The new provisions regulate which data telecommunication operators and providers should retain, as of when, and for how long. They further clarify to whom and under which conditions data may be transferred. Operators and providers must establish a coordination unit to review and respond to requests for the transfer of data.
Which data should providers of electronic communication retain and for how long?
The new rules amend the Electronic Communication Act of 13 June 2005 and are applicable to providers of publicly available electronic communication services and to operators of public communication networks. Providers of telephone and digital communication services and networks therefore both fall within the scope of this act.
The act determines which data the providers should retain, as well as the starting point of retention/storage and its duration:
Who may request access to the communication data?
Only the following entities may obtain this information:
- the judicial authorities;
- the intelligence and security services;
- the judicial police of the institute for electronic communication, in order to detect security breaches of a communication network or breaches of telecommunication secrecy;
- the emergency services in connection with an emergency call;
- the judicial police of the missing persons unit following a worrying disappearance; and
- the ombudsman for telecommunication in the case of abuse of an electronic communication network or service in order to harass a person.
The new act does not change the data retention period: it remains at 12 months. However, the period during which judicial authorities have access to the data has changed and now depends upon the severity of the crime under investigation. Moreover, the public prosecutor and the investigating judge will need to justify their access request, taking into account the impact on the protection of privacy.
What adjustments does your company need to make?
The act provides for the establishment of a coordination unit within each operator and provider of an electronic network or communication service. This unit deals with requests from the authorities to transfer data. The legislator was conscious of the fact that the establishment of such a unit might not be feasible for small operators and providers; therefore, operators and service providers are allowed to join forces to establish a joint coordination unit.
The members of this unit must be able to work with complete independence; they are responsible for the protection of data in accordance with the Privacy Act and are bound by professional secrecy. A royal decree will further detail the rules governing the functioning of the coordination units.
Why were these new data retention rules necessary?
Authorities, in particular judicial authorities, regularly turn to providers of electronic networks and services to request the transfer of retained data. The Electronic Communication Act of 13 June 2005 governed the retention and transfer of such data. In 2013, that act was supplemented with new rules on data retention in order to bring the Belgian legislation in line with the European Data Retention Directive.
After that directive was declared invalid by the Court of Justice, the Constitutional Court found the Belgian transposition of its provisions to be in breach of the protection of privacy. The new act seeks to find an answer to this criticism. It is expected that the new act will also be challenged before the Constitutional Court.
The act entered into force on 28 July 2016.