Library of Congress

Law Library of Congress

The Library of Congress > Law Library > News & Events > Global Legal Monitor

Netherlands: Court Strikes Down Data Retention Law

(Mar. 23, 2015) On March 11, 2015, the district court of The Hague in the Netherlands struck down the country’s 2009 Telecommunications Data Retention Act (TDRA), which requires telephone and Internet service providers to save the traffic and location data of their users for 12 months. The court ruled that the Act violates the right to respect for private life and the right to protection of personal data, in contravention of the Charter of Fundamental Rights of the European Union, and this infringement is not limited to the minimum necessary. (Wet bewaarplicht telecomgegevens buiten werking gesteld [Telecommunications Data Retention Law Inoperative], DE RECHTSPRAAK [official site of the Netherlands Judiciary] (Mar. 11, 2015); Charter of Fundamental Rights of the European Union, 2000 O.J. (C 364) 1, European Parliament website.)

The court therefore declared the TDRA inoperative and the judgment to be enforceable to the extent practicable. (ECLI:NL:RBDHA:2015:2498, Stichting Privacy First et al. v. de Staat der Nederlanden (het Ministerie van Economische Zaken en het Ministerie van Veiligheid en Justitie) [Judgment], Case No. C/09/480009 / KG ZA 14/1575 (Mar. 11, 2015).) The TDRA will remain inoperative indefinitely pending a potential appeal by the Dutch government. (Taylor Brailey, Dutch Court Holds Data Retention Law Violates Privacy, PAPER CHASE (Mar. 12, 2015).)

Prior to the ruling, the (former) Dutch Minister of Security and Justice, Ivo Opstelten, had made a proposal to revise the law through the adoption of stricter data access rules. He stressed that data retention is vital for monitoring jihadist groups and organized crime and that the government cannot “make a distinction in advance between suspected and non-suspected citizens.” (Maarten Van Tartwijk, Privacy Groups Challenge Dutch Data Retention Law, WALL STREET JOURNAL (Feb. 18, 2015).) Critics contend, however, that the changes in the proposed revision “still fail to address privacy concerns.” The Dutch Data Protection Authority, a government-funded privacy watchdog, strongly criticized the draft legislation, stating “[t]he infringement of the private life of virtually all Dutch citizens is too big and disproportionate.” (Id.)

TDRA and the EU Directive on Data Retention

The suspended TDRA was based on the European Union Data Retention Directive, which had been adopted in 2006 following terrorist attacks in Madrid in 2004 and London in 2005, in order “to harmonize the EU efforts in the investigation and prosecution of the most serious crimes such as, in particular, organized crime and terrorism.” (Data Retention, European Commission website (last updated Apr. 6, 2014).) The Directive was invalidated by the Court of Justice of the EU (CJEU) in 2014, however, on grounds that it violated fundamental privacy rights. (Loek Essers, Dutch Court Scraps Telecommunications Data Retention Law, CIO (Mar. 11, 2015); Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks and Amending Directive 2002/58/EC, 2006 O.J. (L 105) 54, EUR-LEX; Judgment of the Court (Grand Chamber) of 8 April 2014, Digital Rights Ireland Ltd (C-293/12) v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung (C-594/12) and Others, EUR-LEX.)

TDRA and the Telecommunications Act

In its amendment of article 13.2a of the Dutch Telecommunications Act, the TDRA provided for the retention of data for a period of 12 months from the date of the communication (in art. 13.2a(3) of the Telecommunications Act). The types of data to be preserved are set forth in the Annex to the Telecommunications Act. Such data is to be retained for the purpose of “the investigation, tracing, and prosecution of serious offences.” (TDRA, 333 STAATSBLAD VAN HET KONINKRIJK DER NEDERLANDEN (July 18, 2009); Dutch Telecommunications Act (Oct. 19, 1998) (English text applying 7 June 2012), Government of the Netherlands website; Telecommunicatiewet (last amended effective Mar. 11, 2015), OVERHEID.NL.)

Article 13.2a(3) was further amended by a law adopted in July 2011 to specify that a twelve-month retention period applied to data related to telephony on a fixed or mobile network, and a six-month data retention period applied to data relating to Internet access, e-mail, and Internet telephony. (Judgment, at § 1.5; see also Wendy Zeldin, Online Privacy Law: Netherlands (June 2012), Law Library of Congress website.)

More on the District Court Ruling

The district court of The Hague ruled that the TDRA was in violation of articles 7 and 8 of the Charter of Fundamental Rights of the EU, especially because it did not make data access by the authorities subject to review by a court or administrative agency. The court also found “while the government promised not to use the law lightly, the fact remains that the opportunity to do so exists and there are no safeguards to effectively restrict access to information to what is strictly necessary for the fight against only serious crime.” (Essers, supra.) The court further opined that “[w]hile the inactivation of the law may have profound implications for the investigation and prosecution of criminal offenses, that does not justify the persistence of the infringement” of rights. (Id.) Specifically in regard to the data retention period, the court stated:

The retention of all traffic and location data for six to twelve months, regardless of the purpose, goes too far; there must be a limited and targeted selection of data that is not found in the TDRA. … The Court has also raised objections to the retention periods as required by the Data Retention Directive; at present there is no distinction depending on the usefulness, the objective pursued, or the persons involved and no objective criteria are provided to limit the storage time limits to what is strictly necessary. (Judgment, at §2.2.)

Future Steps

In the short term, the Ministry of Security and Justice, led by Minister Opstelten’s temporary replacement Stef Blok, will have to respond to the ruling. The Dutch political party GroenLinks has already taken the step of submitting a proposal to the Parliament to revoke the law. In the long term, Opstelten’s successor and the Parliament will have to present a solution. (Dutch Data Retention Law Struck Down – for Now, EDRI (Mar. 12, 2015); Minister Opstelten and State Secretary Teeven Resign, Government of the Netherlands website (Mar. 10, 2015).)