Complying with European Union and United States Data Retention Regulations

Complying with the laws in force on data retention and preservation is mandatory for virtually any company offering publicly available electronic communications services or public communications networks. This article introduces the E.U. and U.S. data retention rules and shows how to deploy and maintain a compliant messaging solution while preserving user privacy.

Lately, Internet news sites and blogs have been buzzing with reports of privacy infringements by IT companies, regulatory changes and updates to laws already in effect, all related to data retention.

What does all this mean in practice? Most companies providing IT services in one form or another now have to abide by these regulations. Initially, data retention was not mandatory, but over the past few years it has become clear that legal, administrative, commercial and even social interests can be better protected through it.

This article describes how the Axigen messaging solution can be operated in compliance with the currently effective United States and European Union laws and policies on data retention and data preservation. Service providers adopted these measures mainly to minimize the risk of records and communications being deleted or modified.

Alternatively, you can join our free live webinar on the topic: besides getting acquainted with the data retention regulations in force, you will learn how to deploy and maintain a compliant and secure messaging solution. For more information, please visit: http://www.axigen.com/webinars/data-retention-regulations/

First Stop: Europe

The European Union's data retention obligations are set out in Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC. The Directive can be accessed online at the following link:

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32006L0024:EN:HTML

Under this Directive, as transposed into national law by each member state, any service provider (SP) that offers publicly available electronic communications services or public communications networks must abide by the rules listed below.

Categories of data to be retained (excerpt from Article 5 of the Directive linked above; only the Internet-related items are reproduced):
  • Data necessary to trace and identify the source of a communication:
    - The user ID allocated;
    - The name and address of the subscriber or registered user to whom an IP address or user ID was allocated at the time of the communication;

  • Data necessary to trace and identify the destination of a communication:
    - The user ID or telephone number of the intended recipient(s);
    - The name(s) and address(es) of the subscriber(s) or registered user(s) and user ID of the intended recipient of the communication;

  • Data necessary to identify the date, time and duration of a communication:
    - The date and time of the log-in and log-off of the Internet access service, based on a certain time zone, together with the IP address, whether dynamic or static, allocated by the Internet access service provider to a communication, and the user ID of the subscriber or registered user;
    - The date and time of the log-in and log-off of the Internet e-mail service or Internet telephony service, based on a certain time zone;

  • Data necessary to identify the type of communication:
    - The Internet service used;

For all of these categories, the Axigen Mail Server relies on its logging functionality to record the information and save it to disk. Under Article 6 of the Directive, the data must be kept for a minimum of six months and not more than two years from the date of the communication, and the retention store must hold only the metadata listed above, never the message itself.
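As an added example (this is not Axigen's own code, and the log layout is a constructed, hypothetical one rather than Axigen's real log format), the following Python script shows what a retention pipeline built on server logs has to get right: it extracts only the metadata categories the Directive lists from sample log lines, flags raw lines that carry message content so they are never archived verbatim, and enforces the six-month to two-year window when expiring records. The field names, the service names and the day counts used for the window are assumptions for the example; the exact period is fixed by national law.

```python
"""Added example (not Axigen's code): build Directive 2006/24/EC retention
records from mail-server log lines and enforce the retention window.

The log format below is constructed for this example and is NOT Axigen's
real log format; adapt LINE_RE to the lines your server actually writes.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (hypothetical layout):
#   <ISO 8601 timestamp with UTC offset> <service> <event> user=<id> ip=<addr> [subject=... body=...]
# The "fetch" line carries message content, which must never reach the retention store.
SAMPLE_LOG = """\
2011-03-01T08:15:02+01:00 imap login user=alice@example.com ip=198.51.100.7
2011-03-01T08:15:05+01:00 imap fetch user=alice@example.com ip=198.51.100.7 subject="Q1 budget" body="see attachment"
2011-03-01T08:42:11+01:00 imap logout user=alice@example.com ip=198.51.100.7
2010-09-01T23:59:00+01:00 smtp login user=bob@example.com ip=203.0.113.9
2010-09-02T00:02:10+01:00 smtp logout user=bob@example.com ip=203.0.113.9
this line is corrupt and does not parse
"""

# Only session-boundary events are retained, and only the named fields are
# extracted; the rest of the line is ignored, so content fields cannot leak in.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>imap|pop3|smtp|webmail) (?P<event>login|logout) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)"
)
CONTENT_FIELD_RE = re.compile(r"\b(subject|body)=")

# Article 6: not less than six months and not more than two years. The day
# counts are an approximation; the exact period is set by national law.
MIN_RETENTION = timedelta(days=183)
MAX_RETENTION = timedelta(days=730)


@dataclass(frozen=True)
class RetentionRecord:
    """One retained event: the metadata categories the Directive lists, nothing more."""
    timestamp: datetime  # date/time of log-in or log-off, including time zone
    service: str         # the Internet service used
    event: str           # "login" or "logout"
    user_id: str         # the user ID allocated
    ip: str              # the IP address associated with the session


def contains_content(line: str) -> bool:
    """True if a raw log line carries message content (subject/body fields).

    Archiving such lines verbatim would retain content, which Article 5(2)
    forbids; use this to audit a log source before shipping it to the archive.
    """
    return bool(CONTENT_FIELD_RE.search(line))


def parse_retention_records(log_text: str) -> list[RetentionRecord]:
    """Extract retention records from log text; lines without session data are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-session events and corrupt lines carry no retainable data
        ts = datetime.fromisoformat(m["ts"])
        if ts.tzinfo is None:
            # The Directive ties log-in/log-off times to a time zone; refuse naive stamps.
            raise ValueError(f"timestamp without time zone: {line!r}")
        records.append(RetentionRecord(ts, m["service"], m["event"], m["user"], m["ip"]))
    return records


def validate_retention_period(period: timedelta) -> timedelta:
    """Reject configured periods outside the six-month to two-year window."""
    if not MIN_RETENTION <= period <= MAX_RETENTION:
        raise ValueError(f"retention period {period} is outside the permitted window")
    return period


def expire(records: list[RetentionRecord], now: datetime, period: timedelta) -> list[RetentionRecord]:
    """Return the records still inside the retention period; the rest are due for deletion."""
    period = validate_retention_period(period)
    cutoff = now - period
    return [r for r in records if r.timestamp >= cutoff]


if __name__ == "__main__":
    recs = parse_retention_records(SAMPLE_LOG)
    for r in recs:
        print(r)
    leaky = [l for l in SAMPLE_LOG.splitlines() if contains_content(l)]
    print(f"{len(leaky)} raw line(s) carry content and must not be archived verbatim")
    live = expire(recs, datetime(2011, 4, 1, tzinfo=timezone.utc), timedelta(days=183))
    print(f"{len(live)} of {len(recs)} records still inside the retention window")
```

The design choice worth copying is that the retention store is fed by field extraction, not by copying log files: a record type that has no place for a subject or body cannot retain content by accident, whereas a verbatim log archive will the first time someone raises the log level. The window check runs on every expiry pass so that a mis-typed retention setting fails loudly instead of silently keeping data for too long or too short a time.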

As a side-note, the same Directive imposes the following restriction on data retention (Article 5(2)):

“No data revealing the content of the communication may be retained pursuant to this Directive.”

The Directive is addressed to the EU member states, which transpose it into national law, and covers Internet access, Internet e-mail and Internet telephony. Because of Article 5(2), retaining the actual messages that pass through the mail server cannot be justified under it: the obligation is to retain data about the communication, never its content. (Note for readers checking this later: in April 2014 the Court of Justice of the EU declared Directive 2006/24/EC invalid in the Digital Rights Ireland case, so retention obligations within the EU now rest on each member state's own legislation; verify the rules that apply where you operate.) For more information, please consult the official Directive at the link above.

In that sense, the privacy of each individual is reasonably well protected (at least for the moment). Company management should take particular note: message content that is stored beyond what the Directive mandates has no legal basis in the Directive, so they should be extremely cautious about how messages are stored, copied and archived, and about who has access to that material.