EU law on data retention sparks condemnation

Bowing to a hawkish mood that has gripped European policy makers since September 11, the European Parliament Thursday voted in a new European Union data protection law that civil liberty campaigners and industry representatives condemn.

The most controversial part of the new law is a clause that allows the member states to force ISPs (Internet service providers) and telecommunications providers to retain data on their customers’ online and phone activity beyond the one or two months this information is normally stored for billing purposes.

The purpose of this clause is to ensure that law enforcement officials can make use of the so-called digital trail people leave behind them in criminal investigations. This point was adopted after 351 Members of the European Parliament (MEPs) voted for it and only 133 voted against.

Parliament largely approved a compromise on the directive that was worked out between its two biggest parties, the European People’s Party and European Democrats (EPP/ED) and the European Socialist Party (PES) with the national governments earlier this week, the European Parliament said in a statement.

The compromise was fiercely opposed by some MEPs, including the chairman of the debate on the directive at committee level, Italian MEP Marco Cappato. Cappato rejected any responsibility for the outcome of the vote, saying it “entailed massive restrictions on civil liberties,” and ran counter to the position of the freedoms and rights committee that he chairs.

The law will “pave the way for blanket surveillance of individuals,” warned Tony Bunyan, editor of U.K.-based European civil liberties group Statewatch. For example, the wording of the data retention clause in the new law does not state that surveillance must be carried out on a case-by-case basis, as the law on police surveillance in the U.S. does, Bunyan pointed out.

Bunyan said it is “a myth to say data retention is needed in order to tackle terrorism.” But that argument has come out on top in recent months. The terrorist attacks on the U.S. on Sept. 11 last year weakened the resolve of many civil liberties advocates who tried to resist the move towards the law enforcement camp.

“This is the beginning, not the end of the issue,” said Joe McNamee, European affairs manager at EuroISPA, an ISP trade group. “Member states will now be able to pass national laws on the retention of data by ISPs and telecom providers, and there is nothing here in this E.U. data protection directive to stop them,” he said, describing the vote on data retention as “unfortunate.”

Erkki Liikanen, the European Commissioner in charge of drafting the new data protection directive, last December said that policy must “look at the world differently” after Sept. 11, and dropped his opposition to extended data retention times. On Wednesday he opened up the next phase of the debate: How to cap data retention times. “We can live with this compromise. But we must have a position on the length of data retention, the maximum number of months it can be held,” he said.

Liikanen said the discussion about who should pay to store and retrieve the customer data has already begun. The telecom providers and ISPs fear they will be left with the costs, but neither can estimate what that cost would be.

“This compromise mentions data retention but it doesn’t define what ‘data’ is-it could include the content of people’s messages, as well as the time, duration and direction of the call or e-mail,” said Fiona Taylor, a senior adviser at the European telecom association ETNO.

“Until we know what we need to store we can’t say how much it will cost,” she said.

The European Parliament also signed up for a soft opt-in for spam. This will outlaw unsolicited and untargeted mass e-mail, but will continue to allow electronic commerce operations to communicate by e-mail with their existing customers.

“We are disappointed with the result,” said Axel Tandberg, director of government affairs at the direct marketing association FEDMA. “We also oppose spam, but introducing an opt-in on e-mails won’t prevent spammers because they don’t respect the law anyway,” he said.

He added that a majority of spam in the EU comes from the U.S., which does not fall under the jurisdiction of the data protection directive. “All this law will do is compromise the future of online targeted direct marketing,” he said.

EuroISPA’s McNamee welcomed the vote on spam. ISPs generally don’t like spam because it clogs up networks and servers, and prompts subscribers to change their provider in order to escape it.

He also welcomed the wording of the new law that relates to cookies, small files stored on users’ PCs and used by many Web sites to track user visits. There was pressure from the European Parliament to introduce an opt-in requirement for every single cookie as it entered a person’s PC, but this concept was dropped in favor of a system that allows Web sites free use of cookies as long as they display details about the cookies they plant in PCs and they give instructions how to delete the files.

Now that the European Parliament and the governments of the member states have agreed the shape of the new data protection directive, it remains for member states to transpose the law into their national statute books. This often takes up to two years.