The Netherlands' Data Protection Authority has criticised the Dutch government's proposed data retention legislation.
The government put forward amendments to its data retention regime in response to the April 2014 European Court of Justice decision that invalidated the EU's Data Retention Directive (along the way causing trouble for countries that had based their laws on the DRD).
A court case was launched in November 2014 in the Netherlands to overturn the legislation.
In a statement, the DPA says the current legislation should not be presented to parliament, because “the need to retain all telephony and internet data in the Netherlands is insufficiently substantiated”.
The proposed amendments created a warrant regime in which a judge would examine requests for data, and tweaked the retention period. A distinction was created “between a retention period of twelve months for telephony data and the consultation period of these data of between six and twelve months, depending on the nature of the crime”.
The DPA says the retention period requires “an irrefutable demonstration of necessity”, a condition it doesn't believe has been met.
The authority continues: “the infringement of the private life of virtually all Dutch citizens is too big and disproportionate”.
It says citizens should be informed that their data has been accessed after any criminal investigations have concluded; that there needs to be transparency (such as published statistics) on the use of retained data; and that those with a “duty of professional confidentiality” be exempted from the laws.
It concludes that the distinction between the retention of data, and the use of that data, does not make the collection lawful: “This distinction does not alter the disproportionality between the purpose of the data collection and the infringement on the private life of virtually all citizens.”