Europe Debates Data Security Policies

BRUSSELS--Telecommunication ministers of the 15 countries that make up the European Union are heading for a confrontation with the European Parliament over a new data-protection law under construction.

Experts working for the 15 ministers propose law enforcement authorities should have more scope to access phone and Internet traffic data. They also want to limit commercial spammers by banning unsolicited e-mail, according to an internal document that is to be presented Wednesday to ambassadors of the 15 member states by the Council of Ministers working party on telecommunication.

Last week, the European Parliament voted to make it more difficult for authorities to gain access to people's traffic data. They also agreed to remove e-mail from the list of communication technologies that should be free of unsolicited direct marketing messages, letting member state governments decide whether to ban spam.

The new position on data retention by ministers of the national governments is more hard-line than the one telecom ministers agreed on at a Council of Ministers meeting in Luxembourg in June. However, certain member states, including the U.K., are known to have wanted more access to traffic data for some time.

The recent terrorist attacks in the U.S. have toughened their resolve, said one E.U. diplomat, who requested anonymity. "We think this new version of the directive sends a powerful signal and it responds to the events of September 11," he said.

U.K. Eyes ISPs

The British Parliament is considering a new law setting rules for retaining data. One proposal, the Anti-Terrorism Crime and Security Bill, asks all British ISPs and telecommunication companies to retain all communications-traffic data for a month. Another part of the bill, intended to "safeguard national security," grants the Secretary of State the power to order ISPs to hold data communications for a set period. When the U.K. government initially requested the retention of data in September, it did so on a voluntary basis under the Data Protection Act.

Should the Anti-Terrorism Crime and Security Bill become law, any request from the government for information such as IP addresses and information on individual e-mails, such as size, destination, and author, would be legally binding. The U.K. government made its initial request for data retention through the National High-Tech Crime Unit, which said it needed to preserve data in case the U.S. Federal Bureau of Investigation needed it as part of investigations into the September 11 terrorist attacks.

The U.S. Congress is in the process of drafting similar legislation. Current bills before the House and Senate, such as the Critical Infrastructure Information Security Act, would not grant the U.S. government such sweeping powers as those being sought in the U.K., says Chris Mullins, the chair of the Home Affairs Select Committee.

Policy Poised to Pass

The 15 E.U. ambassadors are expected to rubber-stamp the new Council of Ministers version of the directive on data retention at their meeting Wednesday, to prepare the agenda for next week's meeting of telecom ministers. However, the ministers may make changes, the diplomat said.

"Some member states have problems with this new text," he said. "Austria especially, but also Germany and Denmark aren't entirely happy with it. There is still work to be done."

Opinion appears most divided on the spam question, with 11 countries in favor of a ban on unsolicited e-mail, and four--the U.K., Ireland, Luxembourg, and France--preferring a less stringent "opt-out" approach.

Other issues raised in the new directive include how to deal with cookies and short-message service text messages to mobile phones. The European Parliament voted to ban the sending of unsolicited commercial SMS messages. It also voted to ban all cookies other than those needed to operate a Web site.

The Council's telecom working group has changed the wording on the cookies article, but the diplomat said this did not mark a significant move away from the position adopted by the European Parliament. Nor did it differ on SMS messaging, he added.

Spam Lobby Rallies

The Council of Ministers and the European Parliament must agree on a text in order for this directive to become a law.

"Data retention and spam are the two issues the two Houses will negotiate around," the diplomat said.

A lobbyist for Internet service providers said they oppose stringent data-retention rules, but favor an all-out ban on spam.

"If the Council wins on data retention and the Parliament wins by allowing spam, then the only loser will be the customer--twice over," said Joe McNamee, E.U. affairs manager for EuroISPA, the association of ISPs in Europe.

ISPs are opposed to unsolicited e-mail for three main reasons. First, it is one of the main reasons people leave one ISP for another, in order to delete the trail they have left for spammers. Second, spam provokes people to complain to their ISPs, and dealing with these complaints adds to their costs. And third, it enforces the idea that the Internet is a Wild West full of crooks seeking to rip off users, so it harms the general perception of the Internet, McNamee said.

Laura Rohde of the IDG News Service contributed to this report.