Main page content begins

Technology, Media & Telecommunications News 

Belgium – Further proposals to implement the EU Data Retention Directive 

18 July 2013

A draft bill has been introduced into the Belgian Parliament to modify the Electronic Communications Act of 13 June 2005 (the “ECA”) to ensure the full implementation of the Data Retention Directive 2006/24 (the “Directive”).

Current implementation status

The Directive has already been partially implemented through amendments to the ECA. This enables a Royal Decree to be issued setting out when and under which conditions operators should retain traffic and identification data regarding end-users for law enforcement purposes. The ECA also explicitly provides that, for telephone services, the retention period to be set by the Royal Decree must not be shorter than 12 months or longer than 36 months (this exceeds the maximum retention period of 24 months allowed by the Directive).

However, no such Royal Decree has been issued, leaving operators uncertain as to their retention obligations.

Proposed legislation

If adopted, the draft bill would provide some clarity about the implementation of the Directive into Belgian law, as set out below.

Persons subject to data retention obligations – The data retention obligations would apply to providers of publicly available fixed and mobile telephony services (including teleconferencing, voicemail, call forwarding and SMS), internet access providers, e-mail providers and voice-over-IP providers, as well as to the providers of the underlying electronic communications networks (the “Providers”). This amendment would bring the list in the ECA in line with the Directive, which explicitly limits the retention obligations to these categories of providers.

Data to be retained – The Providers must retain the so-called “meta-data” about the communications, but not the actual content (unless otherwise provided by law). The following meta-data must be retained: (i) traffic data; (ii) location data; and (iii) information allowing the identification of the end-user, the electronic communication service and the probable type of equipment used. A Royal Decree is still needed to specify the exact data to be retained, but the scope of that decree is limited to specifying the data to be retained depending on the type of service.

Retention period – The bill distinguishes between different types of meta-data. Traffic and location data must be retained for 12 months as of the date of the communication. Other meta-data must be retained “for as long as an incoming/outgoing communication is possible using the subscribed services and for 12 months as of the last recorded communication”. This retention period can be extended by Royal Decree for a limited period of time for reasons of public health, safety or defence. Should this period exceed 24 months, the Minister of Economy must notify the EU Commission and other EU Member States. These changes will bring the ECA into line with the retention period limits imposed by the Directive.

Purposes – The meta-data must be retained for the following purposes: (i) the exercise by the public prosecutor, the investigating magistrate and the Belgian secret services of their investigatory powers relating to electronic communication services; (ii) the prosecution of malicious calls to emergency services; and (iii) the identification by the Telecom Ombudsman of persons misusing an e-communication service or network. Providers must ensure that the meta-data is accessible to the competent authorities from anywhere in Belgium and can be disclosed to them upon request.

Technical and organisational measures – The draft bill explicitly qualifies Providers as data controllers under the Belgian Data Protection Act. Providers will have to (i) guarantee the quality of the meta-data; (ii) implement technical and organisational measures to protect such data; (iii) limit access to the data to only the competent personnel of the operator; and (iv) ensure the data is destroyed at the end of the retention period. Providers will also need to take into account the other obligations imposed by the Belgian Data Protection Act, such as the obligation to inform the end-users whose data is being collected.

By Guillaume Couneson and Ronan Tigner, Brussels

Find Publications

Search by one or more criteria