Securing personal data in the context of data retention

Analysis and recommendations

Version November 2013

European Union Agency for Network and Information Security www.enisa.europa.eu

About ENISA The Agency for Network and Information Security (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe’s citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU legislation and works to improve the resilience of Europe’s critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU member states by supporting the development of cross-border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found at www.enisa.europa.eu.

Authors

This work was partly commissioned by ENISA under contracts:
- ENISA P/18/12/TCD Lot 1, to time.lex, which is the contributor to Section 3, and
- ENISA P/18/12/TCD Lot 2, to the consortium formed for this work by KU Leuven (BE) and University of Bristol (UK), which is the contributor to Section 4.

Contributors: Eleni Kosta (time.lex), Vincent Rijmen (KU Leuven), Danny De Cock (KU Leuven), Jos Dumortier (time.lex), Hans Graux (time.lex), Nigel P. Smart (University of Bristol)

ENISA project manager: Rodica Tirtea

Contact

For contacting the authors please use [email protected]. For media enquiries about this paper, please use [email protected].

Acknowledgements

We would like to extend our gratitude to the respondents to the survey for their collaboration and to the reviewers for their comments, suggestions and feedback. We also thank a number of respondents who provided anonymous input.

Legal notice

Notice must be taken that this publication represents the views and interpretations of the authors and editors, unless stated otherwise. This publication should not be construed to be a legal action of ENISA or the ENISA bodies unless adopted pursuant to Regulation (EU) No 526/2013. This publication does not necessarily represent the state of the art, and ENISA may update it from time to time. Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external sources, including external websites, referenced in this publication. This publication is intended for information purposes only. It must be accessible free of charge. Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication.

Copyright Notice

© European Union Agency for Network and Information Security (ENISA), 2013. Reproduction is authorised provided the source is acknowledged.


Table of Contents

1 Executive summary 1
2 Introduction 2
2.1 The in brief 2
2.2 Considering the overall picture 3
2.3 Security measures for data retention in the policy documents, reports and opinions 4
2.3.1 Security measures in the text of the Data Retention Directive 4
2.3.2 Standardisation activities 5
2.3.3 Public opinions on security measures 5
2.4 Reactions on the Directive 7
3 Implementation of security measures at MSs level 10
3.1 Introduction 10
3.2 Security measures 10
3.3 Norms and standards on the security measures for retained data 17
3.4 Transfer of retained data to law enforcement authorities and relevant norms and standards 17
3.5 Supervisory authority for the monitoring of the application of the