Data Retention: Europe’s Plan to Track Phone and Net Use

A proposed law would require companies to keep detailed data about people’s Internet and phone use.
By Victoria Shannon

European governments are preparing legislation to require companies to keep detailed data about people’s Internet and phone use that goes beyond what the countries will be required to do under a European Union directive.

In Germany, a proposal from the Ministry of Justice would essentially prohibit using false information to create an e-mail account, making the standard Internet practice of creating accounts with pseudonyms illegal.

A draft law in the Netherlands would likewise go further than the European Union requires, in this case by requiring phone companies to save records of a caller’s precise location during an entire mobile phone conversation.

Even now, Internet service providers in Europe divulge customer information — which they normally keep on hand for about three months, for billing purposes — to police officials with legally valid orders on a routine basis, said Peter Fleischer, the Paris-based European privacy counsel for Google. The data concerns how the communication was sent and by whom but not its content.

But law enforcement officials argued after the terrorist bombings in Spain and Britain that they needed better and longer data storage from companies handling Europe’s communications networks.

European Union countries have until 2009 to put the Data Retention Directive into law, so the proposals seen now are early interpretations. But some people involved in the issue are concerned about a shift in policy in Europe, which has long been a defender of individuals’ privacy rights.

Under the proposals in Germany, consumers theoretically could not create fictitious e-mail accounts to disguise themselves in online auctions, for example. Nor could they use a made-up account for receiving commercial junk mail. While e-mail aliases would not be banned, they would have to be traceable to the actual account holder.

“This is an incredibly bad thing in terms of privacy, since people have grown up with the idea that you ought to be able to have an anonymous e-mail account,” Mr. Fleischer said. “Moreover, it’s totally unenforceable and would never work.”

Mr. Fleischer said the law would have to require some kind of identity verification, “like you may have to register for an e-mail address with your national ID card.”

Jörg Hladjk, a privacy lawyer at Hunton & Williams, a Brussels law firm, said that might also mean that it could become illegal to pay cash for prepaid cellphone accounts. The billing information for regular cellphone subscriptions is already verified.

Mr. Fleischer said: “It’s ironic, because Germany is one of the countries in Europe where people talk the most about privacy. In terms of consciousness of privacy in general, I would put Germany at the extreme end.”

He said it was not clear that any European law would apply to e-mail providers based in the United States, like Google, so anyone who needed an unverified e-mail address — for political, commercial or philosophical reasons — could still use Gmail, Yahoo or Hotmail addresses.

Mr. Hladjk said, “It’s going to be difficult to know which law applies.” Google requires only two pieces of information to open a Gmail account — a name and a password — and the company does not try to determine whether the name is authentic.

In the Netherlands, the proposed extension of the law on phone company records to all mobile location data “implies surveillance of the movement of large amounts of innocent citizens,” the Dutch Data Protection Agency has said. The agency concluded in January that the draft disregarded privacy protections in the European Convention on Human Rights. Similarly, the German technology trade association Bitkom said the draft there violated the German Constitution.

Internet and telecommunications industry associations raised objections when the directive was being debated, but at that time their concerns were for the length of time the data would have to be stored and how the companies would be compensated for the cost of gathering and keeping the information. The directive ended up leaving both decisions in the hands of national governments, setting a range of six months to two years. The German draft settled on six months, while in Spain the proposal is for a year, and in the Netherlands it is 18 months.

“There are not a lot of people in Germany who support this draft entirely,” said Christian Spahr, a spokesman for Bitkom. “But there are others who are more critical of it than we are.”
