Dutch Telcos Used Customer Metadata, Retained To Fight Terrorism, For Everyday Marketing Purposes

from the I'm-shocked,-shocked dept

One of the ironies of European outrage over the global surveillance conducted by the NSA and GCHQ is that in the EU, communications metadata must be kept by law anyway, although not many people there realize it. That's a consequence of the Data Retention Directive, passed in 2006, which:

"requires operators to retain certain categories of data (for identifying users and details of phone calls made and emails sent, excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism."

Notice the standard invocation of terrorism and serious crime as a justification for this kind of intrusive data gathering -- the implication being that such highly personal information would only ever be used for the most heinous of crimes. In particular, it goes without saying that there is no question of it being accessed for anything more trivial -- like this, say:

"Some Dutch telecommunications and Internet providers have exploited European Union laws mandating the retention of communications data to fight crime, using the retained data for unauthorised marketing purposes."

Of course, the news will come as no surprise to the many people who warned that exactly this kind of thing would happen if such stores of high-value data were created. But it does at least act as a useful reminder that whatever the protestations that privacy-destroying databases will only ever be used for the most serious crimes, there is always the risk of function creep or -- as in the Netherlands -- outright abuse. The only effective way to stop it is not to retain such personal information in the first place.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Reader Comments

  1. Martin, 18 Oct 2013 @ 6:02am

    "requires operators to [...] make them available, on request, to law enforcement authorities"

    This is not true. The data retention doesn't require any data to be handed over to anyone - it just mandates that traffic data is stored for a certain period of time. The rest is up to each nation to decide. In fact an EU country open to the idea of some political activism could do this:
    1) make the retention of data by ISPs mandatory (to comply with the directive), but not allow it to ever be handed over to any external party.
    2) have national regulation say that all retained data is to be encrypted with keys rotated on a daily basis and stored for a much shorter interval than the retention period.

    Since the directive was voted on as a way to harmonize the market (by imposing the same type of costs on all companies - something which failed miserably, but that's another story) I can't see how one could legally object to 2) since it would still impose the same costs on ISPs. The data would be stored, although most of it wouldn't be readable.
