According to a recent Dutch study into the costs of mandatory data retention, internet providers will face investments of millions of Euro. The Dutch study is the only governmental study in Europe made public so far about the costs of data retention. The EU proposal from April 2004 is very vague about the specific data internet providers will have to store, but has a very broad scope, including all kinds of new protocols and communication technologies. In November 2004, the Council of Ministers of Justice and Home Affairs (JHA) announced they would even expand that scope, and oblige providers to collect data they normally do not process. The Dutch research company KPMG has just assumed the obligation will be about e-mail log-files and about all connection data to all internet services. How providers, especially large ones, should actually deduct these kinds of data from their data streams remains a mystery.

The Council of Europe is working on a new declaration or recommendation on human rights and internet. An ad-hoc committee of experts on the information society has been meeting for the first time in November 2004, and will have a second meeting in Strasbourg on 3 and 4 February 2005. The Council does not provide any information about the proceedings or specific members of the committee, but has recently published the terms of reference. The aim of the committee is to provide "a draft political statement on the principles and guidelines for ensuring respect for freedom of expression and opinion, for human rights and for the rule of law in the Information Society, with a view to its use as a Committee of Ministers' contribution to the Third Summit of Heads of State and Government of the Council of Europe (16-17 May 2005) and the 2005 Tunis

The European Commission has published the contributions to the public consultation on the copyright and related right directives. 126 contributions are available, ranging from all kinds of right-holders to civil society. Most contributions are available in English, some in French and German. The contributions from the right-holders provide interesting insight in the arguments used to convince the Commission to extend the term of related rights from 50 to 95 years, claiming Europe should harmonise with the United States. The MPA contribution (United States Motion Picture Association) is especially worth close-reading, insisting Europe should introduce mandatory data retention for law enforcement purposes (where the United States themselves have no such obligation). "There is, thus, a need for harmonized, proportionate data retention rules that apply to all relevant service providers, together with additional measures to streamline the process for ensuring access to data on a cross-border basis. It is also essential that the adoption of new data retention rules does not undermine the rights of access to data provided in the Enforcement Directive."

The European Commission has adopted, on 7 December 2004, its annual report on the implementation of the EU electronic communications regulatory package. The report states that 20 of the EU's present 25 Member States have notified the Commission that they have adopted primary legislation transposing the package, which became law in 2002. The Commission has launched infringement proceedings against Belgium, the Czech Republic, Estonia, Greece, and Luxembourg, who have so far failed to notify transposition. All of these countries have failed to transpose the 2002 e-Privacy Directive, which is part of the package.

The Staff Working Paper attached to the report examines in particular three issues from the e-Privacy Directive, which are according to the Commission "most debated in the market and by national authorities, and which may have a significant impact on the consumer": Data retention, spam, and cookies.

The draft Framework Decision on the retention of traffic data resulting from electronic communication has been sent to the European Parliament at the beginning of December. This started the public part of the lawmaking process. But the Council of the European Union has still failed to declassify the very document that the Parliament is supposed to vote on next spring.

On 2 December 2004 the ministers of Justice and Home Affairs, united in the JHA Council, decided to focus on an extended obligation to store telecom traffic data. Instead of an obligation to store traffic data already processed by companies for billing or internal company purposes, a majority in the Council is now in favour of an obligation to collect and store all traffic data for law enforcement purposes. This includes for example location data collected when using a mobile phone, history of web sites visited, IP numbers of partners contacted in Instant Messaging services, as well addressees and senders of all e-mails sent and received. This data will have to be collected by ISPs and telecom providers, but standardised interfaces will facilitate access for law enforcement and intelligence services. With methods of data mining, the data can be assembled into detailed personality profiles, including contacts, travels, shopping habits, political, religious and sexual likes and dislikes, for all users of electronic communication.

Extensive research commissioned by BITKOM, the German industry association for information technology, telecommunications and new media, into the current practices in the telecom sector shows that there are no grounds for the proposed regime of mandatory traffic data retention. The study compares the legal obligations and practices in Austria, France, Italy, the Netherlands, Sweden, Spain, the UK and the US. The main two conclusions are that the EU proposal to store all traffic data for a period of at least 12 months is disproportional, and that there is no evidence that law enforcement needs data older than 3 months.

Few countries have a legal obligation to store traffic data for purposes of law enforcement and national security. None of the examined countries have an obligation to store 'all traffic data'. In the USA there is no legal obligation at all for mandatory data retention. The US authorities believe data preservation of individual suspects is adequate. Some attempts to introduce data retention were dismissed by Congress as too far reaching. In the UK, Sweden and Austria there is no obligation to store traffic data. In France, Italy and Spain general framework legislation was introduced, but not yet translated into a specific list of data. In Italy the retention period of 2 years only applies to telephony (fixed and mobile). In the Netherlands, there is only a specific obligation for operators of prepaid mobile phones to store location data for a period of 3 months.

Three top officials in Finland’s Security Police (SUPO) and the former head of the security unit of the telecommunications service provider Sonera are to be charged in a case involving suspected illegal telecommunications surveillance, according to the Finnish journal Helsingin Sanomat. The case dates back to November 2000, when Juha E. Miettinen, the head of Sonera's security unit, handed over the traffic data records of 5 mobile phone customers to the SUPO without just cause. The illegal hand-over was brought to light in yet another painful incident compromising the privacy of Sonera staff and customers. Miettinen had personally led an operation to collect telephone records of Sonera employees and outsiders in 2000 and 2001, to investigate which employee had possibly leaked information about internal company affairs to the press.

The European Commission is preparing a Framework Decision on 'Access to information by law enforcement agencies'. Commission services have authored a Communication on enhancing such access, which was sent to the Council and the European Parliament in June 2004.

The issue is closely linked to discussions currently under way on the introduction of data protection rules for issues that are dealt with under the Third Pillar of EU Legislation, which is mainly about police and judicial co-operation. At present, this whole topical area is exempt from EU Data Protection legislation, including the EU Data Protection Directive 95/46.

In the classic view on data protection, access to information is seen as a complementary condition for the protection of data. This was reflected at an expert's meeting in Brussels on 23 November 2004, where Gus Hosein of Privacy International and Andreas Dietl of EDRI were invited, along with a small number of speakers from other civil rights organisations.