Four major industry groups have published a joint statement against mandatory data retention. The coalition represents worldwide and European businesses including most major electronic communications service providers and manufacturers.

According to an article in the Irish Times of 26 May, the Irish Data Protection Commissioner Mr Joe Meade has twice threatened to begin High Court proceedings against the Government for using an "invalid" Ministerial Direction to unconstitutionally store citizens' phone, fax and mobile call data for 3 years.

As reported in EDRI-gram nr. 3, in April 2002 the Minister for Public Enterprise issued directions to telecommunication operators to keep detailed, non-anonymous traffic data for a three-year period.

Telecommunication companies in Austria have won an important court case against the federal government. Though in general the wiretapping provisions in the new Telecommunications Law were not deemed unconstitutional, from 2004 onwards, government will have to reimburse providers for the costs of procuring and maintaining surveillance equipment.

Full verdict in German (27.02.2003)
http://www.vfgh.gv.at/vfgh/presse/G37-16-02.pdf

The Danish ministry of science and technology has mandated a committee on citizens IT-rights. The committee has representatives from various ministries, consumer organisations, the IT-business sector and civil society. EDRi-member Digital Rights has participated in the committee since it started its work in September 2002. The aim of the committee is to give recommendations to areas where existing laws and practices in Denmark may hinder citizen's enjoyment of their IT-rights. Areas under scrutiny include: citizen's communication with the public sector, privacy and registration, freedom of expression and access to information.

Since 1 April, new legislation went into force that obliges Swiss Internet Service Providers (ISPs) to keep a 6 month email log file. That means they will have to store time, size and addresses of all emails sent by their customers (the SMTP envelope data). The authorities will be able to access these stored data with a search warrant only. Access is limited to a number of serious offences such as paedophilia and drug trafficking.

There is no general obligation to store the content of all emails, but providers can be ordered to keep the specific correspondence of a suspect (preservation) and forward it to a special new crime-investigating unit.

Internet service providers have resisted the new legislation, pointing at the high costs of storage and selection software.

The European data commissioners (through the Article 29 working group) have pleaded for a maximum storage period of half a year for traffic data that telecommunication companies store for billing purposes. With the opinion paper the working group tries to limit the duration and scope of traffic data storage.

"Traffic data should be kept for as long as necessary to enable bills to be settled, and disputes resolved. Ordinarily this involves a maximum storage period of 3-6 months and no longer in cases where bills have been paid and do not appear to have been disputed or queried (having regard to the privacy right of individual subscribers)".

The working group also pleas for the stored traffic data to be limited to the necessary data. The opinion paper does not point out which data is necessary for billing purposes and which not. It is a fact that many GSM providers justify the storage of location data for the sole use of billing purposes.

Ireland has had a secret data retention regime for almost a year, after the Cabinet confidentially instructed telecommunications operators to store traffic information about every phone, fax and mobile call for at least three years. The Irish Data Protection Commissioner Joe Meade revealed this last monday at a forum on data retention. Telcos even used to keep these data for a period of 6 years, the commissioner found out in January 2001, when he obliged ISPs and telcos to register with the Office for Data Protection. Following EU privacy-guidelines the Commissioner pressed for a maximum retention period of 6 months.

Meade said: 'While this period was eventually acceptable to most of the telcos and ISPs it raised legitimate concerns in the Department of Justice regarding access for security and crime investigations. Following discussions with me the Department indicated that a retention period of three years, rather than the then six years, was necessary for security purposes for telcos.'

In the UK, a parliamentary inquiry resulted in a firm rejection of governmental plans for general data retention. In one piece of proposed legislation Government expected phone companies, mobile operators and Internet service providers to voluntarily keep logging data for a period of up to 12 months. These data would reveal who has been calling and e-mailing whom, which websites they had visited, and even where people have been with their mobile phones. In their report, the All Party Internet Group (APIG) concludes that the Government had underestimated the costs of the scheme, that billing databases would migrate abroad to escape regulation and that there were few incentives for industry to help the government track technical change. To cap all this, the scheme appeared to be in breach of Human Rights legislation and despite a year of effort by the Home Office, no solution was in sight.