On 17 May 2005 the highest court in France, the cour de Cassation, has destroyed an appeal verdict from November 2002 that allowed companies to search the computers of their employees for unwanted internet behaviour. At the very least, the employee must be warned before and be present if a search is conducted.

The medical supplies company Nycomed Amersham Medical System (later renamed Cathnet-Science) searched the computer of their employee after somebody had found erotic pictures in his drawer (in his absence). The highest court found the subsequent dismissal unacceptable and has referred the case back to the appeal court of Versailles, to decide on the fate of the employee and a possible reimbursement for damages.

It is the second time the French cour de Cassation upholds the privacy of employees. In an earlier case an employee of Nikon was dismissed after having used his workfloor computer for private activities. On 2 October 2001 the French cour de Cassation destroyed the decision validating this dismissal as well, similarly basing their condemnation of the computer search on article 8 of the ECHR, article 9 of the French Civil Code and articles 120-122 of the Working Code.

In stead of getting information on European passengers headed for the United States fifteen minutes after take-off, the US now want the information one hour before the plane departs. Michael Chertoff, chief of the Department of Homeland Security announced this on 23 May 2005 during a visit to the European Policy Centre in Brussels.

Under the current passenger name record (PNR) agreement between the EU and the US, the US can pull the information directly from the European airlines reservation systems. A push system in which the airlines send the information themselves still needs to be implemented. Chertoff believes that passengers and airlines will be positive about the new demand, to prevent any further incidents with planes sent back to the EU.

The European Parliament has taken the European Commission to court over the agreement with the US on the transfer of air passenger's personal data (PNR). The Strasbourg Court is examining whether the Commission, when making the deal, exceeded its powers and acted in breach of EU Data Protection legislation. In an interview with EUPolitix.com EU Commissioner for Justice Frattini said he expects a decision by the Court in September.

The district court of Helsinki, Finland, has decided telecommunication company Sonera seriously violated telecommunication privacy between 1998 and 2001. On 27 May 2005 the court handed down suspended sentences to five employees for their unauthorised use of mobile telephone records. Sonera executives ordered a detailed examination of the telephone behaviour of employees, to find out who had been leaking information to the press. But on another occasion the security staff also voluntarily and without any legal basis provided traffic data to the National Bureau of Investigation, the Security Police and the Helsinki Police to help investigate the murder of a prostitute.

The Finnish newspaper Helsingi Sanomat reports: "The harshest sentence was handed down to former Information Security Manager Juha E. Miettinen, who got a ten-month suspended jail term. (....) The defendants claimed that digging up the information was part of a legal investigation into suspected wrongdoing. (....But) the court did not believe the claims of Miettinen, generally seen as the main defendant, who said that he had misunderstood the law. The court noted that Miettinen had written books on data protection, spoken at seminars in the field, and taken part at least to some extent in legislative work on the matter."

Experts from the London School of Economics have calculated the true cost of the planned ID card in the UK and conclude it will be be three times as high as the government estimates. Introducing the card will cost over 18 billion pounds (26,6 billion euro), or 435 euro per inhabitant of the UK in stead of the estimated 93 pounds (almost 138 euro).

The LSE report mentions 3 issues seriously under-calculated by the Treasury; the cost of each reader, the lifetime of a card and the processing of individual changes. In stead of 250-750 pound per reader, 3.000-4.000 pound is more likely. The researchers find the assumed 10-year life span of a card equally dubious. In order to remain reliable, biometric data such as fingerprints and facial images need to be re-scanned every five years. Finally, the researchers point at hidden costs of 1 to 4 billion pounds for human resources to process a high number of changes in the register.

On 27 May 2005 the first Big Brother Award Ceremony in Italy, organised by the NGO Winston Smith Project, lead to an extremely unlikely winner. The Award for Lifetime Menace was given to Giuseppe Fortunato, appointed 2 months ago as new member of the Data Protection Authority. According to the jury, Fortunato is one of the very few Italians convicted with a final sentence (the case went all the way to the highest court) for grave offences against privacy. As legal council of the municipality of Naples Fortunato demanded the traffic data of the mobile phones of the Mayor and 5 members of the council. He organised a press conference about the results of his investigation and claimed the phones were used to make private calls. Fortunato obtained the traffic data from mobile operator SIP by claiming the request was authorised by the chair of a special municipal commission on transparency. In fact, in conspiracy with an employee of SIP, he anti-dated his letter a few months, to make it look as if the previous chair of the commission had approved. But even if that fraudulent act had not occurred, the Italian highest court notes separately, the commission didn't have the authority to demand such sensitive data anyway. The jury assigned the prize in consideration of the lack of explanations and for the silence of Fortunato on the topic.

In a press conference held on 26 May 2005 in Paris, 6 organisations have launched a campaign against the French project of mandatory biometric ID card. The French Human Rights League (LDH), the union of magistrates, the union of French barristers, EDRI-member IRIS, DELIS (a coalition of more than 60 French NGOs and trade unions for the defence of privacy and personal data protection) and the French Association of Democrat Lawyers have published a joint position statement and have started a petition demanding the withdrawal of the project of the French Ministry of the Interior to introduce a mandatory biometric ID card (see EDRI-gram Number 3.8).

The ministry aims to provide the whole population by 2007 with an ID card with a contactless chip containing not only the civil status of the citizen but also two biometric identifiers: photograph and fingerprints. These data would be filed in centralised databases. The card will be mandatory and would also include the address of the holder. According to historians of the French identity system, the combination of these last two features was last used in the dark times of the Vichy regime. After the liberation the civil status information of French citizens was never centrally stored until 1987, but even since then, the change of address should not be mandatorily reported to the administration, in addition to the fact that the ID card itself is not mandatory.

Tomorrow 3 June at 13.00 PM the ministers of Justice and Home Affairs (JHA Council) will give a press conference about their achievements with regards to the introduction of mandatory data retention, item B5 on the agenda. On 7 June 2005 the European Parliament will vote in plenary on the report from Alexander Alvaro. The report finds the proposal disproportionate and ineffective and not in compliance with the fundamental principle of the presumption of innocence. It is widely expected that the report will be adopted with a large majority, thus sending a clear signal to Council and Commission that the Parliament is angry about its advisory role and wishes a much stronger public debate about the need, necessity and costs of data retention. On 26 May 2005 the Europarl LIBE commission already adopted this report almost unanimously, with only 1 vote against.

Romania has adopted a new law to establish a data protection authority. In the last EU access progress report, Romania was severely criticised for failing to enforce privacy rules. "However, progress in implementing personal data protection rules has only been limited. There are grounds for concern regarding the enforcement of these rules: enforcement activities are far below levels in current Member States and additional posts have not been filled during the reporting period."

The new law was initiated by the Ministry of European Integration in October 2004 and submitted to a formal public consultation. The draft was sent to the Parliament in December 2004. The law was quickly adopted by both chambers of the Parliament (Senate and Chamber of Deputies) with minor changes.

Law 102/2005 was finally published in the Official Monitor on 9 May 2005 and will enter into force 30 days after the publication date. The new data protection authority will be created in 45 days after the entry into force.