Regulations implementing the Data Retention Directive

The proposal regulates the obligation for telecom companies to retain certain kind of traffic data for 6 months. The purpose of storing traffic data is detecting, investigating and prosecuting serious crime. The regulation includes inter alia provisions on processing of those data which shall be stored, authorization of personnel who will process the data, when the authorized personnel can process the data and how those data can be stored and disclosed.

According to the proposal, various kinds of traffic data shall be stored. For instance, both the caller (A) and the receiver's telephone number (B) for both fixed line and mobile services should be included in the storage. However, NPT pointed out that, according to local legislation, storing numbers A and B is unnecessary as the police can go directly to B and require B's traffic data. Thus, in order to avoid the same information being saved twice (by different telecom companies), the provider of a mobile service or a provider of internet access shall only store the traffic data relevant to its own subscriber.

In addition, in order to safeguard the police's need for accessing traffic data in the most effective way, NPT identified three alternative methods for storing the mobile service and mobile internet access information: NPT recommended that a telecom company which has the customer relationship with the subscriber shall store all the required data for its own customers. Further, owners of public communication networks shall store all the traffic and location data generated in its own network. Moreover, traffic and location data generated by any roaming partners shall be stored by the company which has customer relationship with the subscriber.

Taking into account security and privacy concerns, NPT also proposed that companies shall regularly make back-up of the saved traffic data and store the copies under the same conditions as the main storage medium. Further, NPT considered it necessary to make daily back-ups of the stored data. NPT also suggested that it should be required to store traffic data in a way that does not degrade the quality of the data. This includes implementation of adequate measures to prevent unauthorized modification or deletion of the stored data.

The implementation of the Data Retention Directive in Norway is controversial and may raise privacy issues according to local data protection legislation as well as according to The Charter of Fundamental Rights of the European Union. The debate also focuses on which of the parties (government or private companies) shall bear the cost of technical preparation and execution of the regulation.