THE END USER: Privacy undone

Lee Dembart
The International Herald Tribune

The EU's Internet plan takes liberties with personal rights

PARIS Since experiencing the horrors of World War II, Europeans have been extremely vigilant in protecting personal privacy and resisting state intrusions into private life.

They were so concerned about protecting a zone of privacy against the power of the state that they enshrined it as a fundamental principle in the Universal Declaration of Human Rights in 1948, in the European Convention of Human Rights in 1950 and in the Charter of Fundamental Rights of the European Union in 2000.

Those ideals have been repeatedly backed by tough legislation, including the Data Protection Directive of 1995, which drew a curtain around personal data, its retention and the uses to which it could be put.

But since Sept. 11, civil liberties, including privacy, have clashed with the goal of security, and security has consistently won. "The principle of protecting the people's personal data must not stand in the way of fighting crime and terrorism," Otto Schily, the German interior minister, said a week after the attacks.

The European Parliament agrees with him. Under a directive it adopted at the end of last month, Parliament reversed itself and gave European law enforcement agencies sweeping powers to monitor Internet use and telephone and e-mail communication and to require Internet service providers and phone companies to indefinitely retain logs of what their customers say and do. Under the 1995 rules, those records could be kept only for a short time for billing purposes and then had to be discarded.

Once the new rules are adopted by the 15 countries in the European Union - which typically takes from two to five years - everyone in Europe who uses the Internet or a telephone will be subject to surveillance. In their commendable desire to watch what a few people do, the authorities will be able to watch what everyone does.

To protect society as a whole from terrorists, Parliament has undone more than a half-century of individual protection. Personal privacy is becoming a casualty of the war on terrorism.

Ironically, the new data protection rules were slipped in as an amendment to a bill that was intended to give Internet users more protection online: from spam (junk e-mail) and from cookies (the little bits of computer code that many Web sites put on your hard drive to identify you and keep track of your interests and behavior).

Those measures on spam and cookies were also adopted, though it is an open question how effective they will or can be. The main, and seemingly insurmountable, problem is that the regulations clamping down on spam and cookies are enforceable only against spam and cookies that are sent from within the EU. Brightmail Inc., which makes spam-filtering software, estimates that that accounts for about 10 percent of the avalanche of spam that clogs our mailboxes. Another group, the Mail Abuse Prevention System, says more than half of spam is sent through Asia.

The Internet is everywhere, and messages that blanket the globe can be sent from anywhere. The Web knows no political boundaries, which strains the ability of law and legal institutions to regulate it. It's not even clear who could enact global legislation and how it could be enforced.

"These regulations will only apply to companies that are based in the European Union," said Robin Jezek of the Interactive Advertising Bureau/Europe in Brussels. "You can't do anything about what's coming in from outside the EU."

But the European parliamentarians at least took action, which puts these rules out there as a statement of what people must and must not do on the Internet and as a model for other jurisdictions to enact.

With regard to spam, Parliament adopted the "soft-in" approach, which means that companies that already send you junk e-mail can continue doing so until you tell them to stop. But new companies must get your permission first. That's the "opt-in" approach.

The Japanese Parliament tackled spam this year by enacting a law requiring senders of junk e-mail to show their real e-mail address and to tell recipients how they could stop receiving the unsolicited messages. That's "opt-out."

With regard to cookies, the European Parliament had similarly intended to require companies to get your permission before depositing a cookie on your computer. But under heavy lobbying from the Interactive Advertising Bureau, representing online advertisers, it dropped that plan.

Instead, Web sites that send cookies must give you "clear and comprehensive information" about what cookies are and what they're being used for, and they must offer you the opportunity to opt out.

The provisions on cookies and spam were put forward by Marco Cappato, an independent member of Parliament from Italy. But after the amendment on data retention was adopted on May 30, Cappato opposed the full bill and voted against it. "This amounts to a large amount of restriction of privacy and increases the powers of the state," Cappato said after the vote.

Parliament's rules go beyond what the U.S. Congress enacted in the U.S.A. Patriot Act in October. Congress considered requiring full data retention, but there was so much opposition that it did not.

On cookies and spam, Parliament gets a B for trying. They can't really do anything about spam, and on cookies, they gave up too much.

But what they did on data retention is much more troubling and dangerous. The law has the potential of creating massive electronic data banks of information about everyone's communications - whom you called, whom you e-mailed, what Web sites you visited and perhaps the full texts of messages that you sent and received. As surely as night follows day, law enforcement will use that database to investigate things other than terrorism. This is a system for universal surveillance.