The current EU regulation governing data retention is based on the Data Retention Directive 2006/24/EC, which requires Member States to ensure that telecommunications service and network providers retain certain categories of data (for identifying identity and details of phone calls made and emails sent, excluding the content of those communications) for the purpose of the investigation, detection and prosecution of serious crime, as defined by national law. The issue of data retention, just like privacy and data protection in the digital world, is followed by the cultural industries due to its possible interaction with the enforcement of intellectual property rights.
The Directive has not fully harmonised the approach to data retention or created a genuinely level-playing field for operators. Law enforcement authorities in most Member States have reported that retained data plays a central role in protecting the public against harm through effective criminal investigation. Data protection authorities have criticised the Directive on the grounds that it does not provide enough limitation of data retention and safeguards for how the data is stored, accessed and used. Some organisations have mounted a campaign against the Directive, and against data retention generally, on the grounds that it violates fundamental rights to privacy and the protection of personal data.
On 18 April 2011, the Commission adopted an evaluation report of the Data Retention Directive outlining the lessons learned since its adoption in 2006. The report concluded that retained telecommunications data play an important role in the protection of the public against serious crime. However, transposition of the Directive has been uneven and the remaining differences between the legislations of Member States create difficulties for telecommunication service providers. The Directive also does not in itself guarantee that data are stored, retrieved and used in full compliance with the right to privacy and protection of personal data, and this has led courts to annul the legislation transposing the Directive in some Member States. The Commission plans to review the current data retention rules, in consultation with the police and the judiciary, industry, data protection authorities, and civil society.
In April 2012, the ECJ has given its preliminary ruling in the Bonnier Audio case (C-461/10) where it established that the Data Retention Directive does not preclude Member States from enacting laws that allow an Internet Service Provider (ISP) to be ordered to supply information about subscribers whose Internet Protocol addresses have allegedly been used for intellectual property infringing purposes.