By Patrick Van Eecke and Didier Wallaert
Belgium has enacted new data retention legislation on 30 July 2013. Telecom operators must now store communications traffic data, location data, data identifying the end-user, data on the communication service used and on the terminal equipment used (i.e. so-called metadata). The data retention period is one year. The new data retention legislation does not apply to the content of the communications (such as call recording), which requires a court order according to existing Belgian law.
The new data retention obligations apply to operators offering fixed or mobile telephony services to the public, internet services, e-mail services or internet telephony services on the Belgian market and operators providing the underlying public electronic or communication networks.
The purpose of the data retention obligations is to facilitate criminal investigations, to track malicious calls to emergency services, to investigate cases of harassment and to fulfil information requests by the Belgian intelligence authorities.
The new data retention legislation is a belated transposition of the European Data Retention Directive of 15 March 2006. The Directive provided the possibility for Member States to postpone the application of the Directive for up to three years. Belgium declared at the time that it would postpone the transposition until 2009. The transposition to Belgian law subsequently encountered several political roadblocks, including delays caused by the 2010–11 government formation.
Operators who fall under the new data retention obligations must ensure that the stored data are accessible from Belgium without any restriction and that all information related to these data will be promptly communicated to the competent authorities upon their request.
Operators must also put in place adequate technical and organisational measures to protect the data against destruction, modification and any unauthorised access, storage, processing and publication. The data must be destroyed after a period of one year.
The government will provide statistical information on the data retention to the European Commission and the Belgian Parliament on a yearly basis. The statistical information includes the cases in which data was provided to the competent authorities, the time elapsed between the time the data are stored and the time of request by the competent authorities and the cases in which the requests could not be completed. Operators will therefore have additional reporting obligations regarding data retention.
The new data retention legislation imposes criminal sanctions (a fine up to 300.000 Euro and a prison sentence of up to three years) for anyone who in the exercise of their duties stores or uses the data fraudulently or with the intent to cause harm and anyone who stores, divulges or uses the data, knowing that the data were obtained unlawfully.
The new data retention legislation provides the option for the Belgian government to extend the retention period of one year to 18 months by Royal Decree, but there is no indication at this time that such an extension is planned.