The European Directive on Data Retention is designed to harmonise national legislation within Member States on the retention of telephone and e-mail data for investigating, detecting and prosecuting serious crime. The Directive has to be converted into national legislation. The Directive on Data Retention offers a range of between at least six months up to a maximum of two years for the retention period. Member States must take account of the requirements of the ECHR when determining the choice for the precise retention period. A longer retention period will increase the risk of infringing on the right to the private life. According to the Dutch DPA, insufficient account has been taken of the requirements imposed by the ECHR in the Bill; in particular it has not been shown why it is necessary to retain this information for 18 months. The Dutch DPA considers that a period of 6 months will suffice in the Netherlands, which is in many cases longer than the period for which the data is currently kept for business purposes, for example for billing.
The Dutch DPA has also expressed a number of other points of criticism relating to the Bill. Thus some important substantive choices with equally significant implications for the private life - for example the categories of information that have to be retained - are not regulated with all the safeguards of formal legislation, but are rather delegated to subordinate legislation. The parameters for access to information have also been inadequately limited. Finally, there are no control mechanisms for the lawful use of information. The Dutch DPA recommends that the implementation of this regulation should be dealt with transparently, by means of a stringent duty of notification and maintenance of publicly available statistics on the manner in which the affected parties are notified - or not - that their information is actually being requested.