The working party on co-operation in criminal matters (Justice ministry officials) has issued a new questionnaire about data retention to all member states. Answers have to be given by 29 July 2004, the results will be debated in the next meeting of the working party on 27 and 28 September 2004. Clearly the Dutch presidency of the EU is pushing the proposal ahead from the UK, Ireland, France and Sweden to create a framework decision on data retention. This proposal was introduced on 28 April 2004, to store the internet and telephony communication data from all 450 million European citizens for a period of 12 to 36 months, for law enforcement purposes. In the proceedings of the meeting, the ministers promise "An explanatory note on the proposal from the four Member States will follow."

According to the proceedings "A number of concerns were raised by different delegations, including: The exact scope and aim of the instrument and the exact kind of data covered needed to be examined/clarified. (...) The draft Framework Decision also concerned prevention, which went further than mutual assistance in criminal matters. The parts of the text on prevention needed clarification. The minimum period for retention of traffic data needed further examination, and was too long in the view of some delegations."

The data protection commissioners of 14 of Germany's 15 states (Laender) as well as the National commissioner, Peter Schaar, have severely criticised the EU plan for mandatory traffic data retention and called upon the German government to vote against the proposal in the EU council of ministers. "There are good reasons why the national legislator has just denied to introduce mandatory data retention", the official data protectors declared: "The confidentiality of telecommunications, which is guaranteed under the German constitution, only allows for the storage of data on the use of public telecommunication networks - and in particular of the internet - in cases of tangible evidence of a severe crime."

Nevertheless, Germany's minister of Interior Affairs, Otto Schily, is known to be the driving force behind a new law to introduce mandatory data retention in Germany and to also put pressure on other EU states' governments to introduce similar measures.

The European Court has condemned the kingdom of the Netherlands for a faulty implementation of the Privacy directive of 1997, also known as the ISDN-directive. In the Dutch telecommunication law of 1998 the obligation to erase or anonymise traffic data after termination of the call was not made specific enough, leaving ample room to the telecom operators to store sensitive data about their subscribers. Instead of just literally translating Article 6 of the directive, the Dutch inserted a reference to a decree that would specify which data had to be erased. The decree was never produced, and in October 2002, after plenty of warnings, the European Commission decided to take the issue to the European Court in Luxembourg.

On 19 May 2004, the new Dutch Telecommunication Law went into effect, with a revised article on traffic data in agreement with the new 2002 Privacy directive, that replaced the 1997 directive. The verdict is not insignificant though, in the light of new EU Council plans to introduce mandatory data retention for a period of 12 to 36 months. There is no legal obligation for data retention yet in the Netherlands, except for the location data of pre-paid mobile phones, for a period of 3 months. The new Telecom law obliges service providers to anonymise any historical data they might have kept.

An international agreement was signed on 28 May between the European Union and the United States that makes it possible to transfer air passenger data to the US, under certain conditions. It entered into force immediately. This agreement goes hand-in-hand with the Decision adopted two weeks ago by the European Commission, establishing the adequacy of US Bureau of Customs and Border Protection's personal data protection.

Under the agreement, Washington is allowed to collect 34 types of data from passengers' records flying to the US, which include name, address, phone number, credit cards and the identity of their travelling companions.

Since March 2003, airlines have faced the possibility of fines of 6,000 euro per passenger as well as potential loss of landing rights in the US if they failed to provide US security agencies with the data 15 minutes before the flight's departure. Carriers such as British Airways, Lufthansa and Air France already started sharing data with the US before the decision.

According to the German e-zine Heise there is a new proposal for mandatory data retention in Germany. Just a few weeks ago, a final compromise was reached on the new Telecommunications Act, without any obligations for systematic data retention. But the Minister of the Interior, Otto Schily, is now said to work on a law that would oblige telecom and service providers to store information about everybody's calling and internet behaviour for at least 1 year. The German Multimedia Federation (DMMV), with 1.000 members one of the largest professional digital economy associations in Europe, criticised the proposal. The proposal is not yet public, but according to their sources close to the Minister, Schily wants to introduce the law to facilitate the pursuit of criminal offences as well as the monitoring of persons suspected of terrorism.

On Wednesday 5 May, the Mediation Committee, a common organ of the two German legislative bodies, adopted a compromise regarding the new German Telecommunications Act. It brought back a number of privacy restrictions that were already contained in the Government's draft act (See EDRI-gram nr. 21), but had been rejected by the Deutsche Bundestag, the German parliament (See EDRI-gram nr. 2.5).

The exemption from the mandatory identification of customers that was granted with regard to pre-paid phone cards has been abolished. This means everybody who's selling prepaid cards, will probably have to ask for ID, to collect name, address and date of birth of each customer.

The Mediation Committee also removed the provision granting reimbursement for providers that hand over data to the law enforcement authorities through an automatic information procedure. Providers will now have to hand-over data without any reimbursement. In the context of the manual information procedure, it has been stressed that service providers have to hand over, upon request, passwords, PINs and similar data necessary to access terminal equipment or storage media used in terminal or network equipment (which includes, inter alia, hard-drives of servers and similar equipment). And, finally, the exception that providers with less than 1.000 subscribers do not have to allow the interception of telecommunications has also been abolished (again).

The Council of ministers of justice and interior affairs (JHA) accepted on 29 April 2004 the Spanish proposal to oblige European air carriers to transfer passenger data about non-EU passengers entering the EU. "At the request of the authorities responsible for carrying out checks on persons at external borders, carriers will be obliged to transmit, by the end of the check-in, information concerning the passengers they will carry to an authorised border crossing point through which these persons will enter the territory of a member state..

The European Parliament criticised the Spanish initiative severely for not taking data protection issues into account. Euractiv writes: "MEPs have done everything they could to make this initiative fall. Under rules set in the Amsterdam Treaty, the Council had until 1 May to adopt Member States' initiatives, after having consulted the Parliament. MEPs refused to deliver a formal opinion - despite being urgently requested by the Council to do so - in the hope that this would stop the Council from adopting the directive..

France, Ireland, the UK and Sweden have made a joint proposal to the Council of the European Union to store the telecommunication data of all 450 million EU citizens for a period of 12 to 36 months, for law enforcement purposes.

If the ministers of the member states accept the proposal for a framework decision, all traces of telephony of internet usage of all EU citizens will be stored for a long time. These so-called traffic data reveal who has been calling and e-mailing whom, which websites they have visited, and even where people were with their mobile phones.

The draft framework decision addresses providers of telephony and internet, both networks and services. They will have to store the traffic data of all their users, not just those of suspects. Since there are only few people in Europe without a telephone, gsm or internet, in the newly enlarged Europe this decision would affect the privacy and freedom of expression of 450 million citizens.