The latest full draft of the Council's proposal, dated 10 October 2005: 12894/1/05 - this shows that there were major reservations by many member states on issues of substance. For example:
Several delegations (IT/HU/ES/CZ) could accept or supported the Presidency proposal.
The European Commission says it will have a draft directive for data retention laws in Europe on the table by September, but early versions are already circulating among interested parties.
Lobby group European Digital Rights (EDRi), says that according to a draft it has seen, companies will be required to retain telephone data for one year, and internet data for just six months. Both periods are significantly lower than the three years suggested in the proposal, known as a draft Framework Decision, put forward by the UK, with backing from Ireland, Sweden and France.
The European Commission's rival proposal would need the backing of the European Parliament, and the Council of ministers if it is to become law, while the draft Framework Decision only needs the approval of Council of Ministers. However, it has been declared illegal, and MEPs have threatened to take Ministers to the European Courts of Justice, if they continue to push the draft through.
European Commission spokesman Friso Roscam Abbing said that the Commission's proposal would balance the need for data protection with the provision of adequate powers for law enforcement agencies to trace and track communications.
The proposals, which ministers argue will help police track down terrorists after attacks like the ones in Madrid and London, have been described by critics as being a case of putting the solution before the problem. After all, in London, all four suspected (failed) bombers have been apprehended without the need for these data retention laws. Similarly in Madrid, the police investigation did not appear to be hampered by lack of mobile phone data.
Critics, including many MEPs, argue that the proposals from the UK et al. could effectively force companies to breach existing European data protection laws. These state that data may only be retained for as long as is neccessary, except in unusual circumstances.
Indeed, none of the parties behind the draft Framework Decision has yet offered an explanation of why it would be necessary to retain the data. Indeed, Charles Clarke has acknowledged in a speech to MEPs that no case has yet been made for the laws but urged the parliament to press ahead with them regardless.
Congress fears European privacy standards Published: March 8, 2001, 3:25 PM PST By Patrick Ross
WASHINGTON--Members of Congress on Thursday sharply criticized European privacy laws, saying they will have global effects and will likely harm U.S. companies seeking to do business online.
Eleven of 15 European Union member states have implemented a Data Protection Directive, passed by the EU in 1995, that promises Europeans wide privacy protections, including requiring Web sites to only collect and use a Web surfer's personal information if that surfer explicitly gives the site permission. But at a House Commerce Trade Subcommittee hearing Thursday, many members and witnesses pointed out that the ramifications of such a directive go far beyond Europe.
The directive "certainly is an effort to impose the EU's will on the U.S.," said House Commerce Committee Chairman Billy Tauzin, R-La. "I am very concerned that U.S. companies, which have been the creators and the leaders of e-commerce, will be forced to deal with such a restrictive concept."
He estimated that the cost of the directive "would be in the multibillions, and all are costs that will be passed onto consumers."
Subcommittee Chairman Cliff Stearns, R-Fla., called on President Bush to take up the matter with the EU quickly before its fifteen member states draft and implement laws based on the directive.
EU on the defensive Stefano Rodota, Italian privacy commissioner and chairman of the EU Data Protection Working Party, told the subcommittee that Europe is merely trying to protect a fundamental right and a concept that the United States invented: privacy.
The directive "aims at protecting fundamental rights and freedoms," Rodota said, noting that the Charter of Fundamental Rights of the European Union contains one article calling for "respect for private and family life" and another stating that "everyone has the right to the protection of personal data concerning him or her."
Louisiana's Tauzin focused on the cultural differences between the United States and Europe, agreeing that "Europeans are instilled with the belief that privacy is a fundamental right," while "in the U.S., we take a different approach toward privacy (that largely relies) heavily on the private sector to protect consumer privacy."
To Rodota, however, "the European and U.S. systems are not mutually opposed or absolutely irreconcilable." He cited, among other things, a safe harbor that was created for U.S. companies wishing to conduct e-commerce in Europe, an arrangement negotiated by the Clinton administration.
Is the safe harbor mined? Privacy attorney Jonathan Winer noted that the only companies to join the safe harbor so far have been companies such as Hewlett-Packard and Dun & Bradstreet "who have comparatively limited needs for processing personal information."
"The tiny number of companies signing up for the safe harbor indicates that the vast preponderance of all U.S. companies remain subject to being treated by the EU as having inadequate protection of privacy," Winer said. "If the U.S. is not vigilant, (the European privacy laws) potentially place at risk U.S. competitiveness, U.S. trade and fundamental U.S. values, including protected rights under the First Amendment."
Tauzin questioned whether the safe harbor provisions were even legal, calling them "nonsense." Florida's Stearns added, "I am not convinced, nor is Corporate America, that the safe harbor provisions negotiated in the last administration will help mitigate the concern" over the potential cost of the EU directive.
Ambassador David Aaron, the Commerce Department official who negotiated the safe harbor provision last year, said it has prevented a far worse situation, however.
"The essence of that deal was that we accepted high standards (for privacy) and they accepted self-regulation" by U.S. companies, Aaron said. "Any federal standard should rely to the extent possible on self-regulation."
He also noted the advantage to a company of only having to deal with privacy policies for one united Europe rather than 15 separate countries.
What next? Tauzin said he fears "the EU privacy directive may act as a de facto privacy standard on the world."
"The EU privacy directive," he said, "could be the imposition of one of the largest free trade barriers ever seen."
The easiest way for the Congress to prevent that, said Fordham University law professor Joel Reidenberg, would be to enact privacy legislation of its own.
"The U.S. is rapidly on the path to becoming the world's leading privacy rogue nation," Reidenberg said. "Congress needs to act to establish a basic set of legal protections for privacy" that balance privacy and the commercial world's need for information.
Members of both parties in the House and Senate have vowed to pass privacy legislation this year, but many obstacles have surfaced that will make such an effort difficult.