Revising the Polish Telecommunication Act to implement the EU e-communication directives, the Polish Ministry of Infrastructure introduced a new obligation for mandatory identification of buyers of pre-paid GSM-cards. The proposal is brought as an anti-terrorism measure. State officials immediately acknowledged that the ID-demand would not make pre-paid cards totally anonymous, referring to the vivid trade in stolen phones, but said it was necessary to make it more difficult to use GSMs for illegal purposes. The wording of the proposal was so general that a number of Polish internet portal-sites feared it would oblige them to register the ID of every free e-mail user. Reuters reported on 31 May they had sent a protest letter to the lawmakers. "The desire of Polish lawmakers to treat e-mail providers in the same way as telecoms operators is totally incomprehensible to us," said the letter from portals Interia, Onet and Agora's gazeta.pl service.

On Wednesday 5 May, the Mediation Committee, a common organ of the two German legislative bodies, adopted a compromise regarding the new German Telecommunications Act. It brought back a number of privacy restrictions that were already contained in the Government's draft act (See EDRI-gram nr. 21), but had been rejected by the Deutsche Bundestag, the German parliament (See EDRI-gram nr. 2.5).

The exemption from the mandatory identification of customers that was granted with regard to pre-paid phone cards has been abolished. This means everybody who's selling prepaid cards, will probably have to ask for ID, to collect name, address and date of birth of each customer.

The Mediation Committee also removed the provision granting reimbursement for providers that hand over data to the law enforcement authorities through an automatic information procedure. Providers will now have to hand-over data without any reimbursement. In the context of the manual information procedure, it has been stressed that service providers have to hand over, upon request, passwords, PINs and similar data necessary to access terminal equipment or storage media used in terminal or network equipment (which includes, inter alia, hard-drives of servers and similar equipment). And, finally, the exception that providers with less than 1.000 subscribers do not have to allow the interception of telecommunications has also been abolished (again).

With the approval on 17 May 2004 of the transfer of airline passenger's personal data to the U.S., the Commission and the Council of the European Union have bluntly bypassed the European Parliament and Court of Justice.

Daniel Cohn-Bendit, head of the Green/EFA Group in the European Parliament, said the decision was "ignoring the declared will of the Parliament in an unprecedented way". Commission and Council agreed on Monday to hand over up to 34 personal data items from the Passenger Name Record (PNR) for every passenger flying to the United States from an EU country. The Council, composed of the EU's 25 Foreign Affairs ministers, adopted the agreement without debate, only a few hours after the Commission had officially passed a so-called adequacy finding, claiming that the data would find sufficient protection once it has been transferred to the U.S. The agreement will be signed next week in Washington.

The OECD working party on information security and privacy have published a very informative but dry report about biometrics. The report analyses theory and practice of the following major biometric-based technologies: finger-scanning, hand geometry, facial recognition, iris scanning, retinal scanning, finger geometry, voice recognition and dynamic signature verification. A brief description of other, more obscure biometric-based technologies such as ear geometry, body odour measurement, keystroke dynamics and 'gait' recognition (specific perambulatory movement) is also provided.

Avoiding any grand statements about the desirability of some of these techniques, the report concludes: "The extent to which we are willing to incorporate statutory and policy and technological controls into these systems and technologies will determine the extent to which they will improve our quality of life; providing convenience and security or conversely, the extent to which they threaten our liberty and freedom via actual or potential surveillance and control."

EDRi member Privacy International has published an Interim Report on the link between identity cards and the prevention of terrorism. The report, the first of its kind, was initiated following attempts by the UK and Canadian governments to introduce biometric ID cards.

The report analysed the 25 countries that have been most affected by terrorism since 1986 and concluded that the presence of an ID card appears to have made no significant impact on prevention of these attacks. The report notes that while a link between identity cards and anti-terrorism is frequently suggested, the connection appears to be largely intuitive. Almost no empirical research has been undertaken to clearly establish how identity tokens can be used as a means of preventing terrorism.

The report comments: "The presence of an identity card is not recognised by analysts as a meaningful or significant component in anti-terrorism strategies. Five criteria are generally used to assess and benchmark the level of terrorist threat within a particular country: motivation of terrorists, the presence of terror groups, the scale and frequency of past attacks, efficacy of the groups in carrying out attacks, and prevention - how many attacks have been thwarted by the country".

A last effort of the EU Council to reach agreement with the European Parliament about the transfer of airliner passenger's personal data (Passenger Name Record; PNR) to the U.S. failed on Tuesday 4 May. With a 343 to 301 majority, Parliament decided not to vote on the Council's proposal to treat the matter as an 'urgency procedure'. Having lost already two votes in the Parliament on the transfer, the Council had hoped it could make use of the singular historic situation where 162 non-elected observers to the Parliament from the new member states had gained member status for one single session, extending the plenary session to 788 members.

By bringing forward the urgency request, the Council tried to turn over the former votes. They hoped they could convince the presumedly inexperienced MEPs from the new member states that the transfer was necessary to ensure transatlantic travel, and that it was protected by sufficient safeguards.

The Council of ministers of justice and interior affairs (JHA) accepted on 29 April 2004 the Spanish proposal to oblige European air carriers to transfer passenger data about non-EU passengers entering the EU. "At the request of the authorities responsible for carrying out checks on persons at external borders, carriers will be obliged to transmit, by the end of the check-in, information concerning the passengers they will carry to an authorised border crossing point through which these persons will enter the territory of a member state..

The European Parliament criticised the Spanish initiative severely for not taking data protection issues into account. Euractiv writes: "MEPs have done everything they could to make this initiative fall. Under rules set in the Amsterdam Treaty, the Council had until 1 May to adopt Member States' initiatives, after having consulted the Parliament. MEPs refused to deliver a formal opinion - despite being urgently requested by the Council to do so - in the hope that this would stop the Council from adopting the directive..

Romania has implemented the Cybercrime Convention with law nr. 64 from 24 March 2004. The law was published in the Official Monitor nr. 343, on 20 April 2004.

The main provisions of the Cybercrime Convention were already incorporated in Title III of the Anti-corruption law nr. 161/2003, published in the Official Monitor nr. 279 from 21 April 2003.

The Cybercrime Convention defines nine offences: illegal access, illegal interception, data interference, system interference, misuse of devices, computer-related forgery, computer-related fraud, offences related to child pornography and, notably, offences related to copyright and neighbouring rights. Signatory states have to establish a common minimum standard of relevant offences under their domestic law.

Under Romanian law, the first 2 offences are very broadly defined and will be punished severely: "The illegal access to a computer system is a crime and is punished with imprisonment from 6 months to 3 years. If access is gained by infringing security measures, the punishment is imprisonment from 3 to 12 years..