EU data retention law could impact Asia

Asia's communications service providers with operations in EU countries must comply, too; and it could cost them dearly.
Written by Eileen Yu, Senior Contributing Editor

The data retention legislation passed by the European Union (EU) could spill over to Asia and force communications service providers and operators in this region to comply, say market experts.

Approved early last year amid much controversy, the EU data retention directive requires Internet service providers (ISPs), fixed-line and mobile operators to preserve details of their customers' communications for up to two years. Information such as the date, destination and duration of the mobile call, for example, must be stored and made available to law enforcement authorities for between six and 24 months.

The EU Data Retention Directive covers all EU members, which currently include France, Germany, Sweden and the United Kingdom.

Fernando Elizalde, a London-based senior industry analyst for ICT Europe, Frost & Sullivan, told ZDNet Asia that each EU member will now have to pass the directive in its own country before the Sep. 16, 2007, deadline--though ISPs can ask for a deferment until March 2009.

The provisions of the EU directive apply not just to mobile and fixed telephony, but also to Internet telephony, e-mail services and messaging services, Elizalde said. Service providers will also have to bear the costs of acquiring additional storage themselves.

And while the data retention law will directly impact EU members, some Asian communications service providers may be required to observe the legislation as well.

EU data retention directive: grey areas

Industry experts say there are still some grey areas in the EU data retention law. For example:
•  It is unclear whether EU authorities have the ability to require interception of telecoms signals;
•  How should a lawful transfer of information take place across borders, for instance, with regard to data that is captured and stored in one EU country but is required for use as evidence in the judiciary court of another country;
•  It is not clear exactly how long a time lag is allowed for service providers to respond "without undue delay" to queries from law enforcement agencies; and
•  Law enforcement agencies can request data to solve serious crime, but how "serious crime" is defined is still unclear. The types of law enforcement entities that can request such data are also ambiguous.

Bryan Tan, an IT lawyer who runs his own practice at Singapore-based Keystone Law Corp, said: "Organizations [in the Asia-Pacific region] would also be concerned, especially if the EU starts to try to impose these standards on non-EU telecoms. A similar move was done with the EU Data Protection Directive."

According to Tan, Singapore has its own data retention law, but service providers are only required to retain the customer's registration data, for example, when he applies for a new mobile line. Information related to the phone call is not required, he added.

Elizalde explained: "In principle, anyone who offers services in the EU will have to comply, even if they're foreign companies.

"Many Asia-Pacific companies have operations here [in London]...for example, I know that SingTel has operations in the United Kingdom."

He added that operators that provide Internet services or fixed and mobile voice services will be affected by the directive. "So, there's no way out of it [except to] look into what the requirements are and what they need to do to their systems to comply."

When contacted, a SingTel spokesperson said in an e-mail: "We are not affected... For data, we only provide links and we have no sight over the data."

The EU directive, however, requires service providers to retain information related to the communication, and not the content or data of the communication.

Greg Eden, head of corporate and international PR at storage vendor EMC, explained that telecommunications providers will have to keep data such as the time of each fixed and cell phone call made in Europe--whether the call is made to an EU state or an Asian country, and whether the call is answered or not. Other data include the duration of the call and details that can help trace the caller.

Internet service providers will be required to retain information on the times users connect to the Internet, the users' IP address and details pertaining to e-mail messages and VoIP calls, Eden told ZDNet Asia.

"The content of such communications will not be recorded," he added.

Some customer interest, but minimal

Tan noted that "several" of Keystone's local telco clients have already contacted the law firm for advice on how their global operations will be affected by the EU law.

He added that organizations in the region should start putting in place hardware systems and processes to capture the required data.

According to Eden, EMC has not seen any direct customer feedback on the EU data retention directive "as the impact to Asia is minimal". However, he said, the vendor's customers "recognize that we now live in an age of information, and information compliance is growing".

Mathew Lodge, director of product marketing at Symantec Europe, the Middle East and Africa, said the security company has seen "a significant increase" in customer interest in the EU directive. For example, some customers have asked for advice and support regarding e-mail and messaging services.

"There is still a lot of uncertainty on how to deal with these challenges," Lodge told ZDNet Asia. "We're getting a large number of participants in events and roadshows addressing this topic. It's not only the technology they want to hear about, it's also about the legal background and possible consequences for their companies."

Ilias Chantzos, Symantec's senior manager of government relations at Symantec Brussels, said in an e-mail interview: "The directive is currently at an implementation stage among the different member states, and we need to understand how the different requirements will be finally mandated in each jurisdiction.

"The data should be both available to law enforcement authorities and also retained in a secure manner," Chantzos added.

Costly affair to comply

According to research company Frost & Sullivan, the directive will result in "an onerous burden" on communications service providers and operators as they scurry to implement solutions to stay compliant.

Elizalde said: "It will be costly. They don't usually keep information for so long...[and] they don't keep as much information, [which is usually used] only for commercial purposes."

He explained that service providers do not retain such data because it does not generate revenue. For example, details about calls made but not answered do not churn revenue and are not usually kept. But, with the EU directive, operators will now have to store such information.

On top of that, service providers will have to ensure the data is adequately secured and meets the requirements of another piece of legislation--the EU data protection law.

Service providers will also need to implement a storage architecture that will allow them to respond to queries from law enforcement agencies "without undue delay", Elizalde said.

"Though it's not clear, lawyers and law enforcements here suggest [undue delay could mean] anywhere from 15 minutes to a couple of hours," he said. "And, it costs more to establish a shorter data recovery response time. You need a system that's powerful enough to search all the data fast...and the amount of data will be really large. And it has to be reliable... There are such systems available, but most service providers don't have such systems yet."

"That's why I said it'll involve very extensive resource requirements. Studies say it could require millions of US dollars just to implement storage systems at the decent query requirements, depending on the size of the service provider."

He added that other costs will surface, including resources to integrate the various systems and platforms such as billing and operating systems, both old and new.

Keystone's Tan said: "I think it will greatly increase the cost of telecoms because data now needs to be retained for six to 24 months. This will affect European telecom operators but they will eventually pass it on to consumers, which will include Asian consumers calling Europe."

The IT lawyer said he expects organizations to start separating Europe and non-Europe businesses so that data from their non-Europe businesses will be kept outside the EU. He added that European businesses will keep data in Europe, which is subject to the EU standards, but this is likely to make Europe a less attractive place to do data hubbing.

"I think telcos will now try to keep non-EU traffic outside EU, which leads to [data] hub activity and data storage outside EU," he said. "They will now join other large data users who have already shifted their data hubs outside EU."

With telcos "ring-fencing" their operations to separate Europe and non-Europe traffic and customers, there would be increased costs and telcos could decide to pass the additional expenditure to customers.

EMC's Eden, however, said that data offshoring activities are driven primarily by business continuity and disaster recovery requirements, rather than compliance.

"The exception is when customers are looking to offline storage as a less expensive tier of storage," he said. "Of course, it is early days yet and this may change, but we have not come across any such moves by our customers."
