Italy to retain communications data for five years (1)
01 January 2004
The Data Protection Ombudsman is "concerned" about a decree that makes the data retention of telecommunications traffic data compulsory for five years.
On 23 December 2003, the data protection ombudsman's authority expressed its "concern" about a decree that the government approved earlier the same day on the compulsory storage of traffic data relating to telephone and Internet communications by service providers. The decree introduces the wholesale collection and storage of traffic data on all telephone and Internet communications by service providers compulsory for sixty months, in case it may subsequently prove useful for criminal investigations. The approval of law decree number 354/2003 was explained by the Council of Ministers (the government cabinet) as a result of "the extraordinary need and urgency for the regulation of the modes of storage of traffic data relating to telephone and Internet communications, so as to prevent its loss in case its acquisition should prove necessary for the scope of the repression of particularly serious crimes".
The decree makes the retention of traffic data by service providers compulsory for a minimum of thirty months (two and a half years) "for the verification and repression of criminal offences", although it will in fact be held for twice as long (60 months, or 5 years) with stricter access guidelines applying during the second thirty months, during which it will be held separately (access will be granted for particularly serious crimes including kidnapping, organised crime and terrorism, as well as crimes against IT or online systems). Prosecuting magistrates and defence lawyers will be given access to the data, subject to obtaining permission from a judge.
The "urgent" decree was agreed only days before the new "privacy code" was due to come into force, on 1 January 2004; it was set to make the retention of communications traffic data compulsory for thirty months, with billing details only available for six months, as well as decreeing the destruction of data that was collected previously. Thus, data from 1999, 2000 and part of 2001, which was due to be destroyed, will continue to be held. The Italian Data Protection Ombudsman's authority expressed its confidence that the decree will be "carefully examined by Parliament", warning that "the new discipline on data concerning electronic communications and the uses of Internet may also contravene constitutional norms on the freedom and secrecy of communications, and on the freedom of expression of one's thoughts".
Sources: Comunicato Stampa del Garante per la protezione dei dati personali, Roma, 23.12.2003; Decreto legge del 24 dicembre 2003, n.354; both available in the Italian data protection ombudsman's website on: www.privacy.it ; Resoconto del Consiglio dei ministri, n.359, 23.12.2003; il manifesto, 24.12.2003.