How is the retention of communications traffic data for law enforcement purposes addressed by European data protection law?

How is the retention of communications traffic data for law enforcement purposes addressed by European data protection law?
A . The ePrivacy Directive allows individual EU member states to engage in such data retention.
B . The ePrivacy Directive harmonizes EU member states’ rules concerning such data retention.
C . The Data Retention Directive’s annulment makes such data retention now permissible.
D . The GDPR allows the retention of such data for the prevention, investigation, detection or prosecution of criminal offences only.

View Answer

Answer: A

Explanation:

The ePrivacy Directive (2002/58/EC), often referred to as the Cookie Directive, focuses on the confidentiality of communications and the protection of personal data in the electronic communications sector. Article 15(1) of the ePrivacy Directive allows EU member states to adopt legislative measures to restrict the scope of certain rights and obligations when necessary to safeguard, among other things, national security, defense, and public security, and for the prevention, investigation, detection, and prosecution of criminal offenses. This means that individual EU member states can engage in data retention for law enforcement purposes, but any such retention must respect the fundamental principles of necessity and proportionality.

To provide further clarity:

B. The ePrivacy Directive does not harmonize EU member states’ rules concerning data retention; rather, it provides a framework within which member states can legislate.

C. The Data Retention Directive (2006/24/EC) was introduced to harmonize member states’ approaches to data retention for law enforcement purposes. However, in 2014, the European Court of Justice (ECJ) declared the Data Retention Directive invalid because it disproportionately infringed upon fundamental rights. Its annulment doesn’t make data retention permissible per se; rather, the legal landscape went back to relying on the provisions of the ePrivacy Directive and national legislation.

D. The GDPR primarily addresses the protection of personal data and its processing. While it does mention processing for law enforcement purposes, the directive specifically governing data processing for law enforcement is the Directive (EU) 2016/680 (often referred to as the Law Enforcement Directive). The GDPR itself does not set out provisions specifically for the retention of communications traffic data for law enforcement.