EU passes far-reaching data-retention law.

European Union (EU) lawmakers recently passed new data-retention rules that will require telecom companies and Internet service providers (ISPs) to keep call and web data for up to two years.

Members of the European Parliament (MEP), the EU's directly elected assembly, voted overwhelmingly in December to require communications companies to store traffic and location information for a minimum of six months and a maximum of 24 months. Most member states are expected to opt for a retention period of two years; Ireland has already passed legislation requiring data retention for three years.

The vote in the Parliament follows a similar decision by representatives of the EU's 25 member governments in the Council of Ministers in early December. The common position of the two decision-making bodies means that the new rules will take effect in about 18 months for telephone data. The new rules for Internet data will come into force in 2008.

Telecom providers will be required to keep data, including the time of every landline and mobile phone call made in Europe, whether the call is answered, the duration of the call, and other details that can trace the caller. ISPs must track Internet activity, including times users connect to the web, their IP addresses, and details pertaining to emails and voice over Internet Protocol (VoIP) calls. The content of the communications will not be kept.

Law enforcement authorities in the country where data is collected will have an automatic right to access it. Authorities in countries outside the EU will have access if they have data-sharing agreements with a particular EU country.

The United Kingdom (UK) government, which is currently chairing EU meetings, made passing the rules a priority after the London subway bombings in July 2005. Police and intelligence services used mobile phone records and closed-circuit TV footage to identify and track down suspected perpetrators of the attacks that killed 55 people.

The legislation is being championed by the UK and other governments who said it will help trace terrorists through communications records. UK Home Secretary Charles Clarke said that the agreement sends a "powerful message that Europe is united against terrorism and organized crime."

However, the new rules have come under fire from civil liberties organizations and communications companies.

UK Liberal Democrat MEP Sarah Ludford told Silicon.com the new requirements were a "green light for mass surveillance, fishing expeditions, and profiling. Real terrorists escape detection by using foreign Internet service providers like Hotmail and Yahoo, Internet cafes, and pay-as-you-go phones while ordinary citizens could find details of their movement, acquaintances, and favorite web sites circulating [among government officials]."

She also warned that phone call prices may rise as telecom companies and ISPs pass on the cost of storing data and making it available to law enforcement authorities. Telecom companies and ISPs also have expressed concerns about the financial impact of the Parliament's decision as the new law will drastically increase companies' storage costs but makes no provision to compensate them.

Under the new law, data would have to be retained for "investigation, detection, and prosecution of serious crime:" Data on calls that are placed but not answered have to be retained only if the telecommunications company already stores such data. Reimbursement of costs to telecoms and ISPs will be up to each member state, and the rules will be reviewed three years after they come into force.

Clarke has acknowledged the fears of ISPs and called for a continuing dialogue between government and industry to "understand the business point of view." But he continues to resist calls to help the industry shoulder the increasing costs of compliance with the new law.

ISPs are concerned about the costs of both retention and retrieval, particularly because there is no codified model for paying them. One communications executive told Silicon.com: "There is a concern that the directive makes no provision for reimbursement to ISPs for extended data retention. Data retention is not simply about disk drives. The development, management, and security costings must be taken into account."