On 4 February 2005 the appeal court of Paris has extended the general obligations for data retention to companies. According to the verdict, like internet providers all companies are obliged to store traffic data originating from their employees, to allow identification of e-mails with illegal contents sent from company machines. The verdict is ominous since France does not have a specific law decreeing data retention.

The court decision follows proceedings from the company World Press Online (WPO) against the bank BNP Paribas. Two commercial partners from WPO received an litigious e-mail about the company at the end of 2003, sent from a Yahoo e-mail address. WPO tracked the IP-address back to a branch from the bank in France and demanded to know which employee had used the specific computer. BNP didn't reply at first. WPO instigated a case and BNP was ordered on 12 October 2004 by the commercial court of Paris to hand over the requested information. BNP appealed, but lost again and was forced to hand-over data about their employees.

The Netherlands National Commission for Unesco has published Recommendations on human rights and Internet, following a conference held on 4 and 5 February 2005. The recommendation focusses on privacy, the right of freedom of expression and the right to communicate, including access to the vast cultural, educational and scientific heritage of mankind.

On privacy, the recommendation calls on States to "Acknowledge that privacy is an indispensable prerequisite to the right of freedom of expression and the right to communicate. Online as well as off-line, readers, listeners and viewers have a right to the same high level of privacy and anonymity. If online access to information is tracked and tied to detailed personal profiles, self-censorship is imminent and - more important still - the public debate and the rule of law are eroded."

On 9 March the European Parliament debated in plenary in Strasbourg about the transfer of passengerdata (PNR) to the US and asked the Commission about the Council plans for mandatory data retention. EU Justice Commissioner Frattini for the first time stated in public that the Commission sees no legal basis for a framework decision from the Council and he personally 'will try to convince' the Council of Justice and Home Affairs to withdraw the proposal. "As a consequence, the Commission will present an alternative proposal on data retention based on Article 95 of the Treaty of the European Community by early spring 2005." Frattini also announced that the Commission will carry out "an impact assessment to determine to what extent the creation of obligations to retain data will have economic implications."

After pushing a framework decision on data retention at the EU, Ireland's Government has decided to focus on its national parliament and to pass a law on data retention there. Data retention was snuck into the Criminal Justice (Terrorist Offences) Act, first introduced in 2002, in the final hours before the Bill became law in February 2005.

The law now calls for three years data retention at all phone companies that provide fixed line and mobile services. The obligation does not extend to more complex information such as location data.

In April 2002, the Minister for Public Enterprise issued directions at the request of the Minister of Justice to oblige service providers to retain data for at least three years. The Government argued that this was a necessary temporary bridging of the gap between the transposition of the EU Directive on privacy and electronic communications into Irish law. This is misleading because the 2002 Directive did not require data retention.

The European Commission has made it clear to all the Ministers of Justice and Home Affairs in the EU that there is no legal basis for a framework decision on mandatory data retention in the third pillar. The draft framework decision on data retention was introduced in April 2004 by the governments of France, the UK, Ireland and Sweden in an attempt to bypass the Commission, the European Parliament and even national parliaments. In the third pillar, the ministers may agree unanimously on a decision to harmonise legislation on police and justice matters, without any co-decision right for the European Parliament and a very limited margin for national parliaments to amend such a decision. In the proposal for data retention this margin is clearly defined. National parliaments may choose a different timeframe for the retention, but only if they review their decision annually and report to the Commission why they are still differing.

The rapporteur from the European Parliament on telecommunication data retention, Alexander Alvaro, has presented his first views on the draft framework decision in a turbulent meeting from the Committee on Civil Liberties, Justice and Home Affairs (LIBE). Alvaro proposed on 1 February 2005 to split the proposal in two, and give the European Parliament full co-decision power on the decision where it affects the internal market, on the costs and the exact list of data. Currently, the European Parliament only has a 'consultation' right on this issue. It cannot veto or amend the proposed decision, since it is considered third pillar legislation (police and judicial cooperation in criminal matters). Only the ministers from the EU member states can decide about these matters, if they reach unanimity. Alvaro doubts whether the proposal can ever meet the demands of proportionality when it comes to the Internet. He finds the proposal lacks proportionality, is in possible violation of the assumption of innocence, and contrary to the spirit of Article 15 of the E-Privacy Directive of 2002, which only allows for specific and temporary legal measures by member states, not for a harmonising decision. Concluding, he demanded a maximum term of 6 months, a limitation to data already processed by companies for business purposes and rules for general cost reimbursement.

Berichterstatter des Europäischen Parlaments zu dem Entwurf eines Rahmenbeschlusses über die Vorratsspeicherung von Daten, die in Verbindung mit der Bereitstellung öffentlicher elektronischer Kommunikationsdienste verarbeitet und aufbewahrt werden, oder von Daten, die in öffentlichen Kommunikationsnetzen vorhanden sind, für die Zwecke der Vorbeugung, Untersuchung, Feststellung und Verfolgung von Straftaten, einschließlich Terrorismus (Ratsdokument 8958/04)

Note: This is a full-length version of Mr. Alvaro's Working Paper. A version which had to be abridged due to length limitations imposed by the translation service will be presented in the European Parliament's Civil Liberties, Justice and Home Affairs (LIBE) Committee on February 1, 2005. Translations of the abridged version into all the EU's official languages will be made available on the LIBE website here, under agenda point 14. A machine translation of the full version, powered by systran, is available here.

The European Parliament's rapporteur on the retention of traffic data resulting from all kinds of electronic communications, Alexander Alvaro (Liberal, Germany) has asked the Parliament's legal service to look into the legal foundation for this report. His doubts are founded on the fact that the report contains obligations addressed to civil parties, which is a strong indication that it ought to be in co-decision. As Mr. Alvaro told EDRI-gram, he proposes to split the draft into two separate reports. The first part would contain the law-enforcement side of data retention and remain in the consultation procedure. The other part, dealing with the industry's obligations, would have to be in the co-decision procedure. Mr. Alvaro also considers going to the European Court of Justice to get a