Belgium Introduces Broad Data Retention Obligations

The Belgian government recently issued a Royal Decree (implementing EU Data Retention Directive 2006/24/EC), which lays down broad data retention obligations for telecom, internet access, and webmail providers. After establishing the general framework of the data retention obligations in an Act earlier this year, the Royal Decree now determines what information needs to be retained by each type of electronic communication provider and for how long. Under the Act, electronic communication providers (i.e. companies providing or reselling phone and mobile phone services, internet access, and email or internet telephony services or the underlying networks for these services in Belgium) will need to retain (i) identification data regarding the end users, as well as the communication equipment and the communication service they used; and (ii) traffic and location data. The Decree specifies what information falls within these general data categories. The Decree requires electronic communication providers to retain significantly more information than the Directive, which has led to serious criticism from several organizations in Belgium. In terms of how long information must be retained, this depends on the type of data. End user identification data, as well as the electronic communication service and communication equipment identification data, should be retained from the moment of subscription to the service, until twelve months after the last inbound or outbound communication effected via this service. Traffic and location data on the other hand should be retained for twelve months after the date of the communication it concerns. In addition to stipulating data retention requirements, the Act and the Royal Decree also determine how providers, as data controllers, should handle the retained data and which organizational measures they should take in this respect (e.g. appointment of a data protection officer responsible to ensure that the retained data is processed in compliance with the law). Companies will have one year (until October 9, 2014) to get into compliance with the law.

TIP: Given the fact that significant organizational and technical measures will be required to be able to comply with the new data retention obligations, electronic communication providers should start taking the necessary steps to ensure compliance by next year.