Euro Parliament data retention vote upsets ISPs, telcos

The European Parliament is expected to back a controversial new law on data protection in a vote on Thursday, amid fierce opposition from telecommunications companies, ISPs (Internet service providers) and civil rights groups.

Last December the 15 European national governments inserted a clause into the draft law calling on telecom companies and ISPs to retain information on their customers’ log of phone calls or e-mail and Internet connections, beyond the one or two month period the information is normally held for billing purposes, in order to assist police investigations.

Existing European data protection laws rule that so-called traffic data should be stored for no longer than the billing period. They also place greater restrictions on law enforcement officials’ rights of access to people’s data.

Having initially opposed the reshaping of the draft data protection law, the two biggest parties in the European Parliament, the Socialist Party and the centre-right European Peoples’ Party, this week agreed to a compromise that “goes a long way in granting the national governments what they want,” said Tony Bunyan, editor of Statewatch, an organization that monitors civil liberties issues in Europe.

The wording of the compromise language reached by the European Parliamentary parties states that online and telephone surveillance of citizens by law enforcement officials should be appropriate, proportionate and limited in length. They also succeeded in adding a reference to the European Convention on Human Rights in a footnote to the directive.

Bunyan warned, however, that in spite of these conditions the law will still “pave the way for blanket surveillance of individuals.” He added that it is “a myth to say this is needed in order to tackle terrorism.”

The terrorist attacks on the U.S. on Sept. 11 last year changed the attitude of many civil liberties advocates and officials toward surveillance.

Erkki Liikanen, the European Commissioner in charge of drafting the new data protection directive, said last December that policy must “look at the world differently” after Sept. 11, and dropped his opposition to extended data retention times.

He supported this week’s compromise, largely because without it the directive would have been killed off. But he also began a debate on how to cap data retention times. “We can live with this compromise. But we must have a position on the length of data retention, the maximum number of months it can be held,” he said on Wednesday.

Some law enforcement officials, including British police officers, have called for the storage of seven years of customer data by telecom providers and ISPs.

Liikanen said the discussion about who should pay to store and retrieve the customer data has already begun. The telecom providers and ISPs fear they will be left with the costs, but neither can estimate what that cost would be.

“This compromise mentions data retention but it doesn’t define what ‘data’ is-it could include the content of people’s messages, as well as the time, duration and direction of the call or e-mail,” said Fiona Taylor, a senior adviser at the European telecom association ETNO.

“Until we know what we need to store we can’t say how much it will cost,” she said.

“Data retrieval will be more costly than storage,” said Jo McNamee, European affairs manager for the association of European ISPs, EuroISPA. He too is concerned that there is no definition of data.

But his main concern about the data retention clause is that it establishes the principle that it is permissible to retain data. “This is the beginning, not the end of data retention. Member states will be able to pass national laws on the retention of data by ISPs and telecoms providers, and there is nothing here in this E.U. data protection directive to stop them,” McNamee said.

Taylor agreed that there is more to this than just the bottom line. “It is not just a business issue, there is an important principle here: we are not to play the role of the right hand of the law enforcement authorities. It is not our role to monitor the communications of our customers,” she said.

European Parliamentarians are also expected to fall into line with the wishes of the national governments on the question about whether to ban spam, or unsolicited e-mail. The socialist and EPP parties have agreed to the opt-in approach favoured by the member states. This approach forbids random spamming and marketers to get express permission from users before sending e-mail. However, online suppliers will still be able to send e-mails to existing customers.

The Parliament and the national governments are in broad agreement on how to treat cookies, small data files stored on users’ PCs and used by many Web sites to track user visits. The Parliamentarians are likely to vote in favour of permitting free use of cookies as long as clear information about their content and purpose are provided to users.

McNamee gave a guarded welcome to the agreed positions on spam and cookies. “The spam clause could still go the other way,” he said. That would happen if another European Parliament proposal for an amendment which favours the softer opt-out approach was adopted. ISPs generally don’t like spam because it clogs up the system, and prompts subscribers to change their provider in order to escape it.