The European Court has condemned the kingdom of the Netherlands for a faulty implementation of the Privacy directive of 1997, also known as the ISDN-directive. In the Dutch telecommunication law of 1998 the obligation to erase or anonymise traffic data after termination of the call was not made specific enough, leaving ample room to the telecom operators to store sensitive data about their subscribers. Instead of just literally translating Article 6 of the directive, the Dutch inserted a reference to a decree that would specify which data had to be erased. The decree was never produced, and in October 2002, after plenty of warnings, the European Commission decided to take the issue to the European Court in Luxembourg.

On 19 May 2004, the new Dutch Telecommunication Law went into effect, with a revised article on traffic data in agreement with the new 2002 Privacy directive, that replaced the 1997 directive. The verdict is not insignificant though, in the light of new EU Council plans to introduce mandatory data retention for a period of 12 to 36 months. There is no legal obligation for data retention yet in the Netherlands, except for the location data of pre-paid mobile phones, for a period of 3 months. The new Telecom law obliges service providers to anonymise any historical data they might have kept.

This resolution comes from the TransAtlantic Consumer Dialogue TACD, a coalition of more than 60 consumer organizations in America and Europe. It calls the EU and US governments to suspend a recent agreement disclosing passengers' data to US government agencies until much stronger privacy safeguards are adopted. The letter will be directly submitted to EU and US government representatives at the EU-US Summit in Dublin today. Read the resolution in English, French (PDF) or German (PDF) language.

Under rules established by ICANN, any entity that registers a domain name has to provide contact information that can be queried through the WHOIS service - by any data user and for any legitimate purpose. Data users remain anonymous, and there is no enforcement of the few limitations imposed on using the data.

This policy is currently up for review. Three separate task forces are dealing with access modes to WHOIS data, with a review of data elements, and with data accuracy enforcement. Preliminary reports from these Task Forces are open for public comment, until 5 July 2004.

On access and data elements, representatives from ICANN's Non-Commercial Users Constituency (NCUC, representing non-commercial domain name holders) and At-Large Advisory Committee (ALAC, advocating the interests of individual Internet users) have worked to replace unaccountable and anonymous access to sensitive data by a model that is designed to balance data users' and data subjects' interests. Core design goals here are to enable accountability of data users, and to make sure that WHOIS does not become a tool exclusively available to intellectual property-holders and other corporate interests.

EDRI-member IRIS and the French Human Rights League (LDH) have sent a brief to the French Constitutional council regarding the unconstitutionality of the French transposition of the E-commerce Directive (Loi pour la confiance dans l'economie numerique or LEN). On 18 May 2004 the French socialist MPs submitted the finalised law to the Constitutional Council, following the public advice from the two organisations.

The parliamentary opposition uses three of the four provisions pointed out by IRIS and LDH: status of email (not defined as private correspondence), privatisation of justice (through notice and take down procedure) and the introduction of different periods of limitation for on-line and off-line content. In the proposed law there is no time bar for offences identified in the press law (defamation, racist speech, holocaust denial, etc.) if they result from an on-line publication, while the statute of limitations is three months if previously published in any other medium.

Advocates, politicians and lawyers from across the political spectrum met in London on 19 May 2004 to debate UK ID card legislation. EDRi members Privacy International and FIPR organised the meeting, which heard resounding criticism of the government's ID card plans.

Highlights included the Shadow Home Secretary asking "how on earth can ID cards prevent terrorism if foreign visitors can wander around the streets for three months", alongside the Assistant Information Commissioner's concerns that "a whole identity system is being proposed for the UK".

The meeting also saw the launch of the No2ID campaign. Privacy International, FIPR, Liberty, Stand, the Liberal Democratic party, the 1990 Trust and Statewatch are co-ordinating their opposition to the ID card plans, and are planning to derail the government's legislation when it is introduced later this year.

The EU Network of Independent Experts on Fundamental Rights published their 2003 report. The network has been set up by the European Commission, upon request of the European Parliament. Since 2002, it monitors the situation of fundamental rights in the Member States and in the Union, on the basis of the Charter of Fundamental Rights. The report covers a wide range of fundamental rights and raises for example concern about the use of biometric identifiers and the transmission of Passenger Names Records. It also criticises control over state media in Italy and Poland. The section on freedom of expression however, lacks reference to the internet and notice-and-takedown procedures.

Report on the situation of fundamental rights in the European Union in 2003 (01.2004)
http://www.europa.eu.int/comm/justice_home/cfr_cdf/doc/report_eu_2003_...

An international agreement was signed on 28 May between the European Union and the United States that makes it possible to transfer air passenger data to the US, under certain conditions. It entered into force immediately. This agreement goes hand-in-hand with the Decision adopted two weeks ago by the European Commission, establishing the adequacy of US Bureau of Customs and Border Protection's personal data protection.

Under the agreement, Washington is allowed to collect 34 types of data from passengers' records flying to the US, which include name, address, phone number, credit cards and the identity of their travelling companions.

Since March 2003, airlines have faced the possibility of fines of 6,000 euro per passenger as well as potential loss of landing rights in the US if they failed to provide US security agencies with the data 15 minutes before the flight's departure. Carriers such as British Airways, Lufthansa and Air France already started sharing data with the US before the decision.

According to the German e-zine Heise there is a new proposal for mandatory data retention in Germany. Just a few weeks ago, a final compromise was reached on the new Telecommunications Act, without any obligations for systematic data retention. But the Minister of the Interior, Otto Schily, is now said to work on a law that would oblige telecom and service providers to store information about everybody's calling and internet behaviour for at least 1 year. The German Multimedia Federation (DMMV), with 1.000 members one of the largest professional digital economy associations in Europe, criticised the proposal. The proposal is not yet public, but according to their sources close to the Minister, Schily wants to introduce the law to facilitate the pursuit of criminal offences as well as the monitoring of persons suspected of terrorism.