The European Data Protection Authorities, convened in the European Working Party (Article 29 Data Protection Working Party), have published an opinion on the transfer of EU airline passenger data to the US. The Working Party also published a US Customs document dated 22 May 2003 that refines the US wishes and demands towards PNR data transfer and which the Working Party' opinion is commenting on.

Since 5 March U.S. authorities have access to most European airlines’ passenger data bases after an agreement between the European Commission and US Customs. The transfer of the so-called Passenger Name Record (PNR) data has outraged the European Parliament, Data Commissioners and privacy groups. The scope of the original agreement between the European Commission and US Customs is wide. The agreement states that data can be stored as long as necessary and that the use of the data is not limited to combating terrorism but any "legitimate law enforcement purposes". Ongoing talks between the EU and the US need to result in a final agreement that gives the transfer a legal basis which it currently lacks.

On 26 June, the Finnish Ministry of Labour released a draft new version of the law protecting privacy at the workplace. The proposal would make it legal to read employees' email under certain circumstances. It also contains new regulations on camera surveillance (allowed as long as a single employee is not singled out) and drug testing (widely allowed at work, but not as part of job interviews).

The proposal was sternly criticised in the Finnish media for giving too much leeway to how companies can monitor their employees. Many people are especially concerned about the fact that employers will be allowed to check all kind of emails employees receive while they are sick or on holiday.

The draft European Constitution was presented in May 2003. The proposed treaty contains a section on Fundamental Rights and Citizenship of the Union. The European Charter of Fundamental rights, which was adopted at the Nice summit, in 2000, will be an integral part of the treaty (section II, article 5, paragraph 1).

The right of every individual to the protection of his or her personal data will be stated twice in the treaty. In Article 36a, it says: "Everyone has the right to the protection of personal data concerning him or her", a phrase which is literally adopted from the European Charter of Fundamental Rights.

France has started the process of ratification of the Council of Europe cybercrime convention. On 11 June, Dominique de Villepin, the French minister of foreign affairs presented to the council of ministers a draft law for the ratification of the convention. France would be the first EU country to ratify the convention, which has only been ratified till now by 3 Council of Europe countries: Albania, Croatia and Estonia.

According to an article in the Irish Times of 26 May, the Irish Data Protection Commissioner Mr Joe Meade has twice threatened to begin High Court proceedings against the Government for using an "invalid" Ministerial Direction to unconstitutionally store citizens' phone, fax and mobile call data for 3 years.

As reported in EDRI-gram nr. 3, in April 2002 the Minister for Public Enterprise issued directions to telecommunication operators to keep detailed, non-anonymous traffic data for a three-year period.

Following a complaint from European parliament member Marco Cappato the Belgian data protection office is investigating a possible violation of European privacy law by the airline carriers Continental Airlines and United Airlines. Mr Cappato sent a letter to the Belgian data protection commissioner urging his office to investigate the transfer of his personal data to the US authorities. These so-called PNR data are sent to the US authorities by airlines following an agreement between US Customs and the European Commission.

Japanese electronics maker Hitachi has told the Japanese press that it has started talks with the European Central Bank (ECB) about the use of RFIDs in euro banknotes.

RFIDs (radio frequency identification) are very small radio chips that transmit a unique serial code when a reader is placed in their proximity. RFID were originally designed for logistic purposes; to track and trace items in transport or stored in warehouses. But the mini-tags are also getting embedded in consumer products, as described in the previous EDRI-gram. This raises great privacy-concerns, since the technology makes it possible to track and trace individual consumption-patterns. The RFIDs have no access control. Anyone with a reader can detect them and read the serial number. The only possibility to protect privacy would be to remove or disable the tag when buying the product in a store.

The list of candidates for the new post of EU Data Protection Supervisor and Deputy Supervisor is shrinking. Joaquín Bayo Delgado, the contested candidate of a Conservative-Social Democrat alliance in the European Parliament (EP) risks to get pushed out of it. Bayo Delgado, the Dean of the Judges of Barcelona, will, as it seems, not be accepted by the European Council’s Committee of Permanent Representatives (Coreper). On 20 May, Coreper came forward with a list of four candidates. They didn't indicate what candidate they preferred as Supervisor and which as Deputy. This list differed from the list of the EP Civil Liberties (LIBE) Committee (see EDRi-gram Number 9) only in one person: instead of Bayo Delgado it favours OECD Data Protection Commissioner Anne Carblanc. Despite the efforts of the chair of the LIBE Committee, Jorge Salvador Hernández Mollár, Coreper has up to now refused to redraft its list to include Bayo Delgado, who had won a test vote in the LIBE Committee with a margin of five votes. After its session on 28 May, when some members of parliament expected a redrafted list of Council candidates, Coreper remained remarkably tight-lipped on the issue.