
4. Data retention as concept

The purpose of data retention is to ensure the availability of data related to use of electronic communications networks and services, when necessary for combating serious crime or protecting national security. The legal framework is composed of two components, one setting out the conditions for registration and storage of data and another regulating access to the data. While “data retention” literally only means the first component, the term is often used to cover both. Retained data are stored with the provider and shall be deleted once the storage period ends. Stored data are not freely available to the police (or other public authorities). The data are protected by the statutory duty of confidentiality of the provider and may be accessed by the police only pursuant to a procedure laid down in law.
Rules of data retention form part of a larger legal framework whereby data related to electronic communication may be made available to the police. The other parts concern expedited data preservation and partial disclosure of traffic data; secret coercive measures targeting data related to electronic communication; production orders targeting such data; and access to subscriber data.
Rules of expedited data preservation and partial disclosure of traffic data were introduced in criminal procedural law by the Council of Europe Cybercrime Convention (2001) Articles 16 and 17.
“Data preservation is for most countries an entirely new legal power or procedure in domestic law”, Explanatory Report to the Cybercrime Convention (“ER”) para. 155.
The purpose is to prevent deletion of vulnerable electronic data important to a criminal investigation, before the police have had a chance to collect them. A preservation order may thus be issued already at an early stage, that is, before the investigation has uncovered sufficient information to use coercive measures, such as a production order, to secure the data. Served with a preservation order, the custodian must keep the data intact “for as long as necessary, up to a maximum of ninety days”, with a possibility for renewal (Article 16 no. 2). While Article 16 applies generally to natural and legal persons having data in their possession, Article 17 concerns providers of electronic communications services. The provision requires traffic data to be preserved “regardless of whether one or more service providers were involved in the transmission of that communication.”
“Traffic data” is defined in the Convention Article 1(d) as “any computer data relating to a communication by means of a computer system, generated by a computer system that formed a part in the chain of communication, indicating the communication’s origin, destination, route, time, date, size, duration, or type of underlying service.”
Concerning communications already transmitted, the provision requires “expedited disclosure” to the competent national authority (e.g., the police) of traffic data that disclose the source and destination of the communication. It is pointed out that determining the source or destination of a past communication can assist in the identification of a perpetrator.
ER para. 155.
A preservation order may only concern data generated and stored in the ordinary operation of the electronic communications service; it may not compel the provider to register and store other data.
ER para. 150.
Consequently, if data are deleted forthwith as a matter of routine, there are no data to preserve. From a police perspective, rules of data retention improve the situation by laying down an obligation to register and store data once they are generated in a provider’s system.
ER para. 151 explains that “[d]ata retention connotes the accumulation of data in the present and the keeping or possession of it into a future time period. Data retention is the process of storing data. Data preservation, on the other hand, is the activity that keeps that stored data secure and safe.”
Thus, they trump providers’ routines for data deletion as well as the general obligation to delete data stemming from the e-Privacy Directive. However, as data retention rules specify the data to be registered and stored, they do not always comprise all kinds of data generated in the operation of a provider’s service. Data not subject to retention might still be collected by the police, pursuant to a production order or an initial preservation order backed by a production order. In Denmark signal data is a case in point, i.e., data generated by a connection established between a mobile phone and a cell mast when the mobile phone is turned on but not in use by the owner. Signal data fall outside the scope of the Danish data retention rules yet may be preserved and subsequently accessed by a production order. Alternatively, if stored already, the data may be accessed directly by a production order.
See Section 6.6.
The data retention and data preservation regimes have in common that the procedure for subsequent police access to the data is regulated separately in provisions setting out specific conditions that must be fulfilled. Data retention/preservation do not provide for real-time access to data.
Secret coercive measures are another means by which the police may collect data related to use of electronic communications services. In this case police access to the data is a function of the legal permission to activate the measure (normally a court decision), entailing immediate access to the data. This applies both to data that are stored, and to data materializing in the future (real-time). Data retention rules differ in the sense that data registered and stored are not – as already noted – automatically made available to the police.
Providers of electronic communications networks and services may register data that identify the subscribers to their services. The data are an important supplement to retained data, providing a possibility to identify the person who used a communications service at a specific point in time. The legal framework for registration of and access to subscriber data thus matters to the police.
Originally, the legislative approach to data retention was to incorporate the first component (registration and storage) into the electronic communications act. The second component (the access procedure) was then set out in rules of criminal procedural law concerning coercive measures. Currently, Norway stands out by fully regulating both components in NECA.
The Norwegian Electronic Communications Act.
At the other end of the scale there is Denmark, where the data retention rules were revised with effect from 30 March 2022.
LOV nr. 291 af 8. marts 2022 amending the Procedural Code and DECA (Lov om ændring af retsplejeloven og lov om elektroniske kommunikationsnet og -tjenester (Revision af reglerne om registrering og opbevaring af oplysninger om teletrafik (logning) m.v.)).
In the Danish view, data retention belongs to the same family of interferences as secret coercive measures targeting private communication, and data preservation. Following the revision, the rules concerning these measures are all regulated in the same chapters in the Procedural Code (Retsplejeloven). The legal basis is provided in Chapter 71 “Interferences with private communication, etc.”, and the procedure for access (to retained or preserved data) in Chapter 74 “Seizure and Production Order (edition).” Finland, Iceland, and Sweden apply the original model. However, in the report SOU 2023:22 “Data retention and access to electronic information” the Swedish rules are proposed to be revised along the lines adopted in Denmark.
See Section 10.6.