Danish phone company kept call records for more than 10 years
According to a series of articles in the Danish edition of Computerworld on 6 May 2013, a Danish mobile phone provider has kept telephone call records since the company started its operations in 2000. The company, Telmore, currently has about 700 000 subscribers and a 10% market share in Denmark. Since 2004, Telmore has been a subsidiary of TDC, the largest Danish telecommunications company.
A 10-year retention period of telephone call records is a blatant violation of the Danish law that transposes the e-privacy directive 2002/58/EC. Article 6 of the directive states that traffic data (which includes call records) must be deleted or anonymized when they are no longer needed for business purposes such as subscriber billing or accounting documentation.
The e-privacy directive is, of course, modified by the data retention directive 2006/24/EC which requires storage of, among other things, telephone call records for 6-24 months. In Denmark, the mandatory retention period is 12 months. However, telephone call records are, in practice, kept for a longer period for billing or accounting purposes.
Judging from the articles in Computerworld, there appears to be some uncertainty about the precise interpretation of the maximum retention period that is allowed under the Danish law that transposes article 6 of the e-privacy directive.
The Danish Business Authority, which is the regulatory agency for telecommunications in Denmark, told Computerworld that the retention of call records for more than five years was illegal. The Danish accounting law requires that bookkeeping documentation is kept for a minimum of five years. However, the official guidelines for the bookkeeping also state that itemized telephone call records are not required for retention once the customer has been presented with an invoice for the calls, and the dispute resolution period has expired.
In response to the Computerworld article and the statements by the Danish Business Authority, Telmore told Computerworld that they would limit the retention of call records to three years, as soon as technically possible. Three years is the general statutory limitation period for simple claims in Denmark. However, the dispute resolution period for telephone customers in Denmark is about one year after the invoice has been received, so it could be argued that the allowed retention period should really be shorter than three years (or five years).
A recent parliamentary question to the Danish government focused on the interplay between mandatory data retention and the e-privacy rules. The minister responsible for the Danish Business Authority was asked whether she could guarantee that telecommunication data was deleted when required by law, and whether the agency had sufficient resources to supervise industry practices in this area. The question has not been answered yet.
Danish telephone company in violation of the law: your data is retained
too long (only in Danish 06.05.2013)
This is the problem which causes a Danish telephone company to break the
law (only in Danish 06.05.2013)
Telmore admits: the reason why we have broken the law (only in Danish
E-privacy directive 2002/58/EC
Website of the Danish Business Authority (in English)
Parliamentary question about deletion of telecommunication data (only in
Danish, not answered yet as of 06.05.2013)
(Contribution by Jesper Lund, EDRi member IT-Pol Denmark)