The consultation from the European Commission on new EU plans for mandatory retention of telecom traffic data resulted in 65 answers, most of them negative about any regime of mandatory data retention. Two thirds of the answers came from industry (telephony and internet providers, both individual companies as well as associations) and almost one third from civil society, including the one from Privacy International and European Digital Rights.

Besides, 3 national Data Protection Authorities filed an answer, and 1 (unnamed) ministry of Justice. Philip Gerard, responsible for the regulatory framework within the Commission's DG Information Society, presented these results during an open workshop on data retention on 21 September in Brussels. In spite of the explicit and repeated requests to law enforcement authorities, none of them answered any of the specific questions about the need for which data to be retained for what period of time, Gerard said.

90 civil rights organisations across Europe, the United States and other countries around the world have signed a long statement against the recent EU plans for mandatory data retention. Also 89 companies (mostly specialised in IT) have endorsed the statement that calls the plans 'invasive, illusory, illegal and illegitimate'. The statement was an anwer to an EU consultation on mandatory data retention, and presented during the workshop described above.

The full list of endorsements includes international organisations like APC International, the Association europeenne pour la defense des droits de l'Homme (FIDH-AE) and the Transnational Party, with the personal endorsement of Marco Cappato. Cappato was rapporteur of the Directive on Privacy and Electronic Communication (2002/58/EC) and did his utmost best

Privacy International (PI) and European Digital Rights (EDRI) have published their joint answer to the consultation on mandatory data retention. The Directorate Generals on Information Society and on Justice and Home Affairs from the European Commission asked for public comments on a proposed retention regime across Europe between 12 and 36 months for all traffic data generated by using fixed and mobile telephony and Internet.

90 civil rights organisations across Europe, the United States and other countries around the world have responded rapidly in showing their concern about this trend of increasing surveillance in such a disproportionate way. Also 89 companies (mostly specialised in IT) have endorsed the statement.

The response can be found at http://www.privacyinternational.org/issues/terrorism/rpt/responsetoret...

The EU plans the wide-spread retention of personal data resulting from communications, or so-called traffic data. We argue that any such retention is necessarily a hazardously invasive act. With the progress of technology, this data is well beyond being simple logs of who we've called and when we called them. Traffic data can now be used to create a map of human associations and more importantly, a map of human activity and intention.

As technologies become more invasive, and as laws are increasingly reluctant to protect individual rights, the European Union should be fulfilling its role to uphold the rights of individuals. Data retention is an invasive and illegal practice with illusory benefits.

General background information

• http://www.privacyinternational.org/retention
• quintessenz EU Data Retention Doqubase

Privacy International and European Digital Rights have published their joint answer to the consultation on mandatory data retention. The Directorate Generals on Information Society and on Justice and Home Affairs from the European Commission asked for public comments on a proposed retention regime across Europe between 12 and 36 months for all traffic data generated by using telephony (fixed and mobile) and internet.

The retention of personal data resulting from communications, or of traffic data, is necessarily an invasive act. With the introduction of new technology like mobile telephony and internet, the extent of invasiveness has progressed enormously. It is no longer possible to distinguish clearly between the 'simple' traffic data generated by fixed telephony networks and the contents of the communication itself

The deadline is nearing for two important consultation rounds from the European Commission, on mandatory data retention and on copyright.

European Digital Rights is working hard on a thorough answer on the EU plans for mandatory retention of all internet and telephony traffic data. The document will be made publicly available on the EDRI website, and EDRI will participate in the public hearing following the consultation on 21 September 2004. But more input, both from the industry and civil society, is urgently needed in order to have any impact on the decision making process. EDRI calls on all readers of this newsletter to send in responses on the consultation and protest against the proposal to store extensive sensitive data about all EU citizens. At the request of Privacy International, the UK lawfirm Covington & Burlington has prepared an extensive legal argument against general data retention, for violating fundamental human rights. Please feel free to use any arguments from this document in your answer, with reference to the original document.

According to a publication in the Austrian e-zine Futurezone the USA have demanded extensive advance information from European postal services about packages before they are being shipped to the United States. The US border control system US-VISIT is already being fed with data about airline passengers before they enter the territory, but must now be extended with information about the origin and destination of all packages.

The federal German data protection authority Peter Schaar and chair of the workinggroup of European data protectioners has issued a fierce protest and told Futurezone: "I hold this proposal for highly problematic and have serious doubts about the admissibility of this data transfer." In a later statement to the German newschannel N24 Schaar added: "These data are subject to the postal secret, and may not be handed over to the German law enforcement. (...) The US must get used to the fact that their laws only apply to their own territory, and cannot oblige German companies on German territories."

On 24 March 2004 the Danish Ministry of Justice released a draft Administrative Order and a set of guidelines for mandatory retention of telecommunication traffic data. It is a follow-up to the 'anti-terror package' from 6 June 2002 (Act no. 378), that extended the minimum time for data retention to a year and allowed police and intelligence agents to look at such material with court permission where serious crimes were involved and to install on ISP servers software similar to the US Carnivore system to intercept e-mail.

The Administrative Order and the guidelines aim to regulate in detail the obligations of the Danish telecommunication providers (minor private ISPs included), specify how they must assist the Danish police interfering with the secrecy of communication, what data should be retained, and how it should be done. For internet, this means an obligation for providers to keep an extended mail server logfile with precise information who has been e-mailing whom, an extensive IP-registration of all incoming and outgoing IP-requests and an obligation to log all IP-addresses from visitors to chatrooms. Mobile telephony providers are to store all data about incoming and outgoing calls, including SMS and MMS, and all localisation data they generate for each call, even if the call is not successful.

The Dutch government is 'in principle positive' about the proposal to store the telecommunication traffic data of all 450 million EU citizens for a period of 12 to 36 months. This point of view is expressed in a letter to the Dutch parliament about the proposal. As president of the EU, the Netherlands wish to press ahead with the proposal: "The Netherlands have a vested interest that the proposal takes priority."

The proposal was made by the UK, Ireland, France and Sweden on 28 April 2004, and followed by a questionnaire to the 25 EU member states about their current and intended data retention laws. Answers to the questionnaire had to be given by 29 July 2004, but the results will probably only become available at or after the next meeting of the working party on co-operation in criminal matters on 27 and 28 September 2004.