19 Nov 2014

UN calls for balance between privacy and security

By Heini Järvinen

In a special discussion at the Human Rights Council in Geneva, Flavia Pansieri, the United Nations (UN) Deputy High Commissioner for Human Rights, expressed her concern about increasing mass surveillance programs conducted by states and private corporations. Ms. Pansieri highlighted the importance of demonstrating that interferences with an individual’s right to privacy are both necessary and proportionate to address the specific identified security risk.

“Mandatory third-party data retention – where telephone companies and internet service providers are required to store metadata about communications by their customers, for subsequent access by law enforcement and intelligence agencies – appears neither necessary nor proportionate,” she said.

Ms. Pansieri’s call is one of several attempts by the UN to tackle the issue. In June 2014, the High Commissioner for Human Rights published a report, “The right to privacy in the digital age”, to respond to the global concern at certain surveillance practices and the threat they pose for human rights. The report gives examples of digital surveillance used to target political opponents or dissidents, and cases in which governments have demanded access to traffic on the networks of telecom companies, threatening to otherwise ban their services. It recognises the necessity for surveillance of electronic communications, conducted in compliance with the law, for legitimate law enforcement or intelligence reasons, but points out that mass surveillance programs “raise questions around the extent to which such measures are consistent with international legal standards and whether stronger surveillance safeguards are needed”.

Another report, published in September 2014, focuses on the implications of mass digital surveillance for counter-terrorism purposes to the right to privacy. Ben Emmerson, the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism, presented the report in the UN General Assembly on 23 September, saying that

“states need to squarely confront the fact that mass surveillance programmes effectively do away with the right to online privacy altogether”.

In the report, Mr. Emmerson draws attention to the fact that states are able to easily maintain an overview of the Internet activity of specific individuals or organisations, and that this is possible without any prior suspicion related to them. He recalled that this kind of surveillance “amounts to a systematic interference with the right to respect the privacy of communications and requires a correspondingly compelling justification”. The report concludes that “merely to assert – without particularisation – that mass surveillance technology can contribute to the suppression and prosecution of acts of terrorism does not provide an adequate human rights law justification for its use”.

In 2013, the UN General Assembly adopted a resolution (68/167) on the right to privacy in the digital age. The final report prepared by the High Commissioner for Human Rights is expected to be presented at the UN General Assembly in 2015. It will contribute to the development of an international convention on surveillance issues by giving recommendations and clarifying principles, standards and best practices to allow states to defend their safety while respecting international human rights laws.

UN against mass surveillance on the Internet (only in French, 17.11.2014)

Mass surveillance: exceptional measure or dangerous habit? (13.11.2014)

UN General Assembly: Promotion and protection of human rights and fundamental freedoms while countering terrorism (23.09.2014)

The right to privacy in the digital age – Report of the Office of the United Nations High Commissioner for Human Rights (30.06.2014)

UN special rapporteur slams US, UK spying on Internet users (24.10.2014)

Right to online privacy at risk as governments engage in mass surveillance – UN expert (23.10.2014)



22 Oct 2014

Balancing rights (unless we are talking about copyright)

By Diego Naranjo

Recently Google was asked (spiced up with a threat of a 100 million dollar lawsuit) by an attorney representing “over a dozen” celebrities to take down pictures of his clients which had been hacked from their respective iCloud accounts and published in different websites.

Google quickly reacted by removing those pictures from its blogging and social media services, although the attorney still complained, saying it took too long and that the delay had led to Google making millions “profiting from the victimisation of women”. It is to be noted that Google’s explanation for removing the pictures was “community guidelines and policy violations (e.g. nudity and privacy violation) on YouTube, Blogger and Google+”. In reality, nothing really matters except copyright – because Google will always automatically delete content if they receive a valid notice under US law. Unsurprisingly, therefore, Google added that, concerning the search engine, they remove images when they receive “valid copyright (DMCA) notices”.

When a copyright complaint was made about illegally copied naked pictures of celebrities, Google, consistent with its policy, rapidly de-indexed the content in question. When Google received a Tweet indicating that a trade-mark was the subject of an unfair search result in Google image search, it resolved the problem within 59 minutes. When Mario Costeja González reported an unfair search result, it took over four years and appeals to the highest EU court before Google could be persuaded to take action.

Sadly, the concept is spreading that, if you cannot assert your rights through copyright or trademark rights, you are a second class citizen. The current Italian Presidency of the Council of the European Union also follows this logic. A “paper” sent by the Presidency on 11 September to Member States on enforcement of copyright and other rights suggested various measures that could be imposed by intermediaries – such as “know your customer”, “follow the money” and a more expansive use of injunctions. So, when such measures are used to enforce copyright, they are acceptable and collateral damage to fundamental rights of citizens can be ignored.

But the Italian Presidency decided to follow Groucho Marx’ famous statement “these are my principles; if you don’t like them I have others”. In a subsequent communication from 29 September, the Italian Presidency urged a balancing of rights when dealing with Data Protection matters in the so-called “right to be forgotten”. Delegations worried, it explained, that the “interest of the public at large to have access to information may end up being “underweighted” in the balancing process by the controller in particular where the latter is a search engine”. It is definitely important to ensure that fundamental rights are not “underweighted”, but it is important that this happen in relation to all fundamental rights. Otherwise when laws need to be enforced in the EU we would end up with two different categories of rights.

Enforcement of intellectual property rights – Presidency paper (11.09.2014)

Comments from the Italian Presidency on the right to be forgotten and the Google judgment (29.09.2014)



08 Oct 2014

Despite compromising document, Malmström is here to stay

By Guest author

On 29 September the public hearing on Cecilia Malmström, the EU Commissioner-designate for Trade, took place. The day before, Der Spiegel published an article revealing an email exchange indicating that Malmström and/or her cabinet had been covertly working with the US at an early stage in the development of the European Commission’s General Proposal for Data Protection Regulation – even before a draft had been officially communicated to any elected European politician.

According to the document in question, Malmström’s private office was subverting data protection reform from within the Commission, sharing with the US information about internal procedures and appropriate times to push for the publication of a US lobbying paper. The claims were brought up three times by Members of the European Parliament (MEP) during the hearing. Malmström initially dismissed the claims as “false allegations” or “lies” based on “leaked emails,” even though the document in question had been acquired by Access through a formal Freedom of Information Act request. The morning after the hearing, Access sent an open letter to Malmström asking the Commissioner-designate to clarify her stance on the authenticity of the document. In response, she recognised the document as legitimate, but didn’t address its implications or acknowledge the need for an investigation. Her relaxed approach to evidence that, at the very least, one of her most senior staff was conspiring against the European Commission is baffling.

The content of this email raises serious concerns regarding Malmström’s suitability as Trade Commissioner. As Home Affairs Commissioner, she had already curtailed an investigation into the US’s unlawful usage of the SWIFT banking database as part of the Terrorist Finance Tracking Program. After it was made explicit that data pulled by the US was being used for coercion outside of terrorist investigations (like blocking a Germany-to-Cuba private transaction), the Parliament called for an inquiry; Malmström halted the probe based only on “written reassurance” by the US that the data was used for legitimate purposes. As Trade Commissioner, she would be in charge of the Transatlantic Trade and Investment Partnership (TTIP) negotiations, an already controversial and completely non-transparent process. Potentially the world’s biggest trade agreement, the TTIP could likewise impact multiple industries and strongly affect the rights of EU citizens. In this context, concerns about Malmström’s extreme deference to the US are frightening.

Despite those concerns, after receiving a letter from the future Commissioner asserting that she had never shared information with the US during the development of the Data Protection Regulation and that “to her knowledge” no-one in her cabinet did either, the International Trade Committee of the European Parliament decided to confirm Malmström as Commissioner for Trade on 30 September.

Response to Access’ Freedom of Information Act request

Big brother’s little helper inside the European Commission (27.09.2014)

Malmstrom’s response to the INTA committee (30.09.2014)

Access’ open letter to Commissioner-designate for Trade, Cecilia Malmström (30.09.2014)

Malmström’s answer to Access’ open letter (30.09.2014)

S&Ds accept Malmström nomination but call on Juncker to clarify his stand on ISDS (30.09.2014)

(Contribution by Alix Ladent, EDRi-member Access, International)



24 Sep 2014

Romania: Mandatory prepaid SIM registration ruled unconstitutional

By Guest author

The Romanian Constitutional Court (CCR) ruled on 16 September 2014 that a law requiring the mandatory registration of all prepaid SIM cards and free WiFi users is unconstitutional as a whole.

The Court reviewed the law as a result of the Romanian Ombudsman’s objection concerning its possible unconstitutionality. Several human rights NGOs asked the Ombudsman in July 2014 to notify the CCR regarding the law which had been recently adopted, and to ask the Court to rule on the law’s constitutionality before its promulgation by the President.

Also, on 15 September 2014, a Romanian association for the defence of human rights APADOR-CH and EDRi-member ApTI submitted an amicus curiae requesting the CCR to rule the law unconstitutional, as it breaches the right to privacy.

The Court ruled that

“the law’s provisions are not precise and predictable, and the manner in which the necessary data regarding the registration of prepaid SIM cards and WiFi hotspot users is retained and stored does not provide sufficient means to guarantee the necessary efficient protections for these personal data against abuse or any other kind of unlawful access to and use of these data.”

The full argumentation on this case will be published in approximately one month in the Official Journal.

This is the second important ruling of the CCR on privacy issues, after its decision from 8 July 2014 that declared the second data retention law unconstitutional.

The decisions triggered quick and aggressive reactions in the media from the Romanian Intelligence Service (SRI), Romanian Ministry of Internal Affairs, and politicians from the Committees supervising the SRI activity, all claiming that the CCR decisions have made a “legal vacuum” and now the terrorists will flood Romania to buy prepaid SIM cards.

In an unprecedented move, the CCR issued a press release counterattacking those arguments and reiterating the legal arguments used in their decisions. The SRI came back the following day with a press release with more allegations that in these circumstances the institution may not defend the national security and that now anonymity is allowed in communications.

But one should not be fooled by the smoke, as all this “security-forces-alleged-drama” has some real interests behind it.

First, as the full argumentation behind the unconstitutionality of the prepaid law was not published yet, it is meant to pressure the CCR to water down the decision, so that another law could be initiated.

Secondly, the security institutions in Romania want to push a new data retention law and another attempt (it would be the fifth one now) for mandatory prepaid SIM cards as quickly as possible.

Thirdly, all this talk hides the interests in another draft law – on cybersecurity – that was quietly adopted by the Chamber of Deputies and received just two days prior to the debate in the Senate (which is the decisive chamber for this law). As reported earlier in EDRi-gram, that law will give SRI and nine other public institutions the right to access the computer data held by those companies, at a simple “motivated request” from these institutions in their own attributions.

Romania: The law mandating the registration of prepaid SIM cards has been ruled unconstitutional (19.09.2014)

SRI Press release on the legal vacuum created by the CCR decisions (only in Romanian, 20.09.2014)

CCR press release on the decision on law on the pre-pay cards (only in Romanian, 16.09.2014)

CCR press release answering the SRI allegations (only in Romanian, 18.09.2014)

EDRi-gram: Romania: No communication without registration (02.07.2014)

ApTI: Amicus Curiae to the CCR (only in Romanian, 15.09.2014)

(Contribution by Bogdan Manolea, EDRi-member ApTI, Romania)



15 Sep 2014

FNF 2014: Brussels privacy advocates summit to tackle surveillance, censorship, net discrimination

By Kirsten Fiedler

Between 26 and 29 September, the annual Freedom not Fear (FNF) conference and barcamp will take place in Brussels. As every year, the action days are challenging the false dichotomy that better security comes at a price: the abandonment of our privacy rights.

On Friday evening, the event will be kicked off with a keynote speech by Simon Davies, publisher of the Privacy Surgeon and founder of Privacy International, who recently released the first global analysis of the impact of the Snowden revelations. He will be joined by Paul Nemitz, Director at DG Justice of the European Commission, for a discussion of the data protection reform and the future of the EU-US umbrella and Safe Harbor agreements.

During the weekend, there will be speakers and workshops on a wide range of topics including Glyn Moody on the Trans-Atlantic Trade Agreement (TTIP/TAFTA) and Jillian York on surveillance. The barcamp style event will allow participants to propose additional ad-hoc presentations or workshops in an open environment. On Sunday evening, there will be a screening of the documentary “The Internet’s Own Boy: The Story of Aaron Swartz”. See the full schedule.

On Monday, participants of the conference will have the possibility to experience EU policy-making first-hand with a visit of the European Parliament. On that day, the Parliament will be very busy with the first hearings of the “Juncker team” and a meeting of the Civil Liberties, Justice and Home Affairs committee.

Supporters of this year’s Freedom not Fear are, among many others, European Digital Rights, the Electronic Frontier Foundation, Digitale Gesellschaft, Access, NURPA, digitalcourage…



10 Sep 2014

Open letter to Google’s Advisory Council on the “right to be forgotten”

By Kirsten Fiedler

On 9 September, European and international civil rights organisations submitted an open letter (pdf) to Google’s Advisory Council on their assessment of the so-called “right to be forgotten”.

The groups urge the Council’s members to avoid inadvertently delaying the adoption of the data protection reform package. They remind the members of the urgent need for legal safeguards in cases where courts place unclear obligations on internet intermediaries to interfere with online communications (which cannot be replaced by the Council’s findings) and call on them to shed more light on the mission and objectives of this European tour.

As the ruling has been largely misrepresented by parts of the press, the letter first clarifies some of the misunderstandings that have circulated about the context and scope of the ruling:

When the CJEU ruled on the case, the press reported the decision as an example of a new “right to be forgotten,” even though such a right is not articulated in the legislation on which the ruling is based. The media coverage created the mistaken impression that Google would have to start deleting information from the internet (or its own index) whenever an EU citizen asked the search engine to do so, if information was irrelevant, inaccurate, outdated or excessive. The court specified that search results based on a person’s name are to be removed if the request meets the criteria laid out in the ruling. However, not only will the information remain on the internet, but it will remain in Google’s index.

The civil rights organisations then emphasise the need for a quick conclusion of the current data protection reform, not least because the Snowden revelations have shown that strong and reliable rules are crucial for citizens’ rights to privacy and data protection:

This need has been acknowledged by several companies, including Google, through their participation in the movement for global government surveillance reform. This movement recognises the need for governments to take action in order to protect their citizens’ safety and security and advises for the review of current laws and practices.

The full letter can be accessed here: https://edri.org/wp-content/uploads/2013/09/Open-Letter-to-Google-Advisory-Council.pdf

Bits of Freedom
Chaos Computer Club (CCC)
Digitale Gesellschaft
European Digital Rights (EDRi)
Initiative für Netzfreiheit
Panoptykon Foundation

EDRi: Google’s right to be forgotten – industrial scale misinformation? (09.06.2014)

EDRi: Google and the right to be forgotten – the truth is out there (02.07.2014)

EDRi: Good Lord! Lords forget their own right to be forgotten analysis (31.07.2014)

EDRi: Google now supports AND opposes the “right to be forgotten” (27.08.2014)



27 Aug 2014

Europe vs. Facebook class action attracts over 60 000 plaintiffs

By Guest author

Privacy activist Max Schrems, founder of the “Europe-v-Facebook” initiative, is known for his battles involving Internet social network giant Facebook. However, all the lawsuits he filed in Ireland haven’t led to meaningful outcomes, so far.

Therefore, Mr. Schrems now takes a different approach, by suing Facebook Ireland Ltd. This time he has filed suit in front of a court in his home country, Austria, and he asked the public to join him: it was possible for any Facebook user of age who is not located in the USA or Canada to join the legal battle against Facebook’s numerous alleged violations of European privacy laws. This is due to the fact that every Facebook user worldwide, living outside of the US or Canada, has a contract with Facebook Ireland Ltd. Mr. Schrems is claiming 500 Euro in symbolic damages per contributing joint plaintiff for alleged privacy violations such as Facebook contributing to NSA’s PRISM program, Graph Search, the Facebook app or third party tracking via “Like Buttons”.

Within just a few days, more than 25 000 people signed up at www.fbclaim.com in order to participate in the class action suit. This turned the initiative, almost overnight, into the largest privacy class action throughout Europe. It also forced Europe-v-Facebook to close the registration early, as every joint plaintiff has to be reviewed separately. However, one can still register as an interested person. Max Schrems and his team may later decide to add more registered users to the class action. Also, an increasing number of people who indicate they want to take part in the class action may strengthen the public position of Mr. Schrems and his team.

On 21 August, the group took their first successful step in the legal proceedings: the Vienna Regional Court ordered Facebook Ireland to respond to the class action within four weeks, with a possibility that the deadline could get extended by four further weeks.

At the time the court order was announced, more than 35 000 additional individuals had already registered at www.fbclaim.com.

Facebook class action: Registration for interested parties

Class action against Facebook attracts 60,000 users (21.08.2014)

Facebook needs to defend Austrian privacy violation case (22.08.2014)

Press Announcement: Class Action: Facebook ordered to submit counterstatement (21.08.2014)

Vienna Regional Court: Request for Facebook to respond (19.08.2014)

Facebook class action – FAQ

(Contribution by Josef Irnberger, EDRi-member Initiative für Netzfreiheit, Austria)



16 Jul 2014

Slovenia: Data retention unconstitutional, deletion of data ordered

By Guest author

The Constitutional Court of the Republic of Slovenia abrogated the data retention provisions of the Act on Electronic Communications (ZEKom-1) in its judgement U-I-65/13-19 of 3 July 2014 following the constitutional request lodged by the Information Commissioner in March 2013 and ECJ judgment of 8 April 2014 in Joined Cases C-293/12 and C-594/12.

The Court abrogated ZEKom-1 articles 162, 163, 164, 165, 166, 167, 168 and 169 and instructed operators of electronic communications to delete retained data immediately after the judgment is published in the Official Gazette. The Court holds data retention as disproportionate for the following reasons:

  • unselective retention of data constitutes a breach of rights of a large proportion of the population that did not provide any reason to justify this;
  • blanket data retention does not provide for anonymous use of communications, which is particularly important in cases where untraceable use is necessary (e.g. calling for help in mental distress);
  • arguments for the selected retention periods (8 months for internet related and 14 months for telephony related data) were not provided nor explained in the legislative preparatory documents;
  • the use of retained data was not limited to serious crime.

The Slovenian Information Commissioner Nataša Pirc Musar welcomed the ruling and sees it as an important step in protection of the right to privacy and data protection. The Court recognised the importance of personal data protection in relation to the use of modern information and communication technologies, particularly when used by law enforcement as repressive bodies of the state.

The Commissioner has been regularly warning about the problems of major breaches of privacy by law enforcement created by introduction of surveillance technologies. These tend to be used indiscriminately on large proportions of population, thereby encroaching on their right to privacy and data protection. The availability of new technologies such as drones, IMSI catchers and similar has, in several cases, led to requests by the police to the Ministry of Justice to legislate their use and to provide legal grounds enabling their deployment. Unfortunately these requests have often not been backed by sufficient assessments as regards their impact on human rights. In order to allow for transparency and to ensure that new law enforcement powers respect the principles of necessity and proportionality, the Commissioner has issued guidelines on privacy impact assessments (PIA) for the introduction of new police measures, representing a methodological framework for a prudent, reasonable and legitimate introduction of new measures.

The Information Commissioner Pirc Musar emphasised that this is one of her most important achievements during her 10-year mandate which is now ending. The decision of the Court represents an important part in the debate about the necessity and proportionality of the use of surveillance measures and technologies in the context of law enforcement and intelligence agencies.

Request to the Constitutional Court (only in Slovenian)

Decision of the Constitutional Court (only in Slovenian, 03.07.2014)

Electronic Communications Act (ZEKom-1)

Information Commissioner of the Republic of Slovenia (only in Slovenian)

Privacy Impact Assessment (PIA) Guidelines for the Introduction of new Police Powers

(Contribution by Andrej Tomšič, Deputy Information Commissioner, Information Commissioner, Republic of Slovenia)




16 Jul 2014

Code Red, global initiative to support a reform of security services

By Heini Järvinen

More than two dozen civil society activists from fourteen countries have joined the steering group of an ambitious global initiative to accelerate police and security services accountability.

The project, Code Red, was conceived during the preparation of a report “A Crisis of Accountability” that was published in June 2014 on developments in the twelve months since the start of Edward Snowden’s disclosures. The report concluded that despite a substantial and potent response from civil society, there was also a clear need for greater strategic support, resources and communication between activists working in different disciplines.

The steering group includes many well-known figures in civil society, among them MI5 whistleblower Annie Machon, former Wikimedia General Counsel Mike Godwin, head of CIS India Sunil Abraham, OpenMedia Canada’s David Christopher, Access Now’s Raegan McDonald, the Electronic Frontier Foundation’s International Rights Director Katitza Rodriguez and the former editor of Index on Censorship Judith Vidal-Hall. Influential figures in the tech sector have also joined, including Jacob Appelbaum, the celebrated hacker who works at the core of Wikileaks, the Tor project and the Snowden disclosures, Whitfield Diffie, one of the pioneers of public key cryptography, and Bruce Schneier, possibly the world’s most influential security expert. It’s expected that more people will join the group over the next two weeks.

In mid July 2014, Code Red kicked off a four-month global consultation to identify options for its objectives and structure. Currently the working group members have an open mind on how the initiative may develop, but the overriding view is that it should aim to be a clearinghouse and resource centre for groups working on security reform.

In the UK, civil rights groups such as Privacy International and Big Brother Watch have launched legal challenges that have forced the government to make unprecedented disclosures about security activities. Code Red aims to support and promote such actions through a global communications and resource platform.

The initiative was founded by EDRi observer Simon Davies, who is regarded as one of the pioneers of the international privacy arena. Davies has wide experience of founding successful global initiatives, including the Big Brother Awards and Privacy International. In a summary of the initiative posted on Davies’ Privacy Surgeon blog on 10 July, he emphasised the need for cross-border and cross-disciplinary relationships, and declared: “It’s time to raise the stakes for secretive agencies that refuse to embrace accountability – and to do so fearlessly and relentlessly.”

“The many communities involved in this struggle – free speech, whistleblowing, anti-censorship, law reformers, policy reformers, privacy and the tech communities – must find a way to work together. A bridge of some sort should also be attempted with companies that are genuinely working to improve privacy and security,”

Davies told EDRi-gram, highlighting that his intention was not to create a new NGO, but to help support a “platform that supports a network of networks”.

According to Davies, many people involved in the initial dialogue around Code Red felt that the Snowden disclosures are just the tip of the iceberg. The involvement of law enforcement agencies, the military, international police organisations and other government authorities is largely unknown. “Snowden told us what security agencies do, but not what happens to this mass of information, which organisations use it or for what purposes. Police use of information – and international disclosure of that information – has largely escaped scrutiny in most countries. How civil society finds the means to counter this vast activity is a crucial challenge.”

“My personal view is that we need to look beyond the security services to understand the bottom-feeders in the data chain. We already have adequate evidence that police services are immersed in corrupt and unlawful practices, as evidenced by the use by Dutch police of “Stealth SMS” technology to circumvent legal safeguards, and the unlawful disclosure of personal information to journalists by London’s Metropolitan Police, uncovered during the News of the World phone hacking inquiries,” Davies added.

The steering group membership will be published in full on the privacysurgeon.org website in the fourth week of July 2014.

Global security analysis reveals widespread government apathy following Snowden disclosures (10.06.2014)

UK intelligence forced to reveal secret policy for mass surveillance of residents’ Facebook and Google use (17.06.2014)

Code Red, a global initiative to support national security reform (10.07.2014)

Dutch parliament wants clarification on using “Stealth” SMS in espial (21.08.2013)

Metropolitan Police role in the news media phone hacking scandal




02 Jul 2014

Denmark about to implement a nationwide ANPR system

By Guest author

The Danish police is planning to implement a nationwide automatic number plate recognition (ANPR) system over the next couple of years. The Danish newspaper Berlingske obtained the project description for the IT system through a Freedom of Information Act (FOIA) request, and reported about the ANPR plans.

The ANPR system will consist of mobile units in police cars and handheld devices. The units are designed to automatically register all number plates encountered on the road. The number plates are checked against a pre-compiled hotlist, for example because the vehicle or number plate is reported stolen, or because the owner has skipped a mandatory inspection of the vehicle. If there is a match on the hotlist, the police officers will get a signal from the ANPR device, so that they can decide whether to pursue the vehicle or not.

However, the mobile ANPR units will also store all number plates that are scanned, together with the location. Additionally, the system will store the number plates of all cars that pass the unit since no immediate police action is possible in case of a match on the hotlist.

The Danish police has studied ANPR systems in other European countries, but the United Kingdom is mentioned as the main inspiration for the Danish system. During a test period, a Danish police car equipped with ANPR was able to register about 50,000 cars in a single month, with a “hit rate” on the hotlist of 2%. It is estimated that the ANPR system will allow the police to check 30 times as many number plates compared to the current manual system.

The main privacy concern comes from the location data that is registered for all cars encountered on the road by the ANPR units, whether mobile or stationary. The police will retain that data for 30 days, and the documents from the Berlingske FOIA request show that they intend to use the data actively for investigations and data analysis; there are plans to employ 10-15 data analysts for the latter task. Since the police is the data controller, there is direct “data mining” access to the entire database, without the need for a court order.

The ANPR system will be implemented in all police districts in Denmark, but the project has a particular focus on cross-border crimes, including organised home burglaries. The funding for the ANPR project comes from a political agreement to prioritise police efforts against cross-border crimes. Cars that pass the Danish border with other EU member states are thus more likely to be scanned than other cars, even though there is no border control since Denmark is part of the Schengen Area. Violations of EU cabotage rules (local trucking transports after unloading of the international transport) are also a special priority in Denmark, and scanning number plates at the border has been discussed as one of the initiatives against these violations.

The ANPR data will be shared with the tax authorities and other authorities in Denmark. Their intended use of the data is not clearly indicated in the documents, but the tax authorities have previously tried (mostly unsuccessfully) to get access to the information stored by the telephone companies under the data retention law.

The Danish ANPR system will not be as massive as the one in the UK, but this is mainly for budgetary reasons. The initial budget for ANPR is 4 million euros, so not all police cars will be equipped with ANPR units. The Danish police estimates that “only” 30 million number plates will be scanned and registered every year. Needless to say, this number will increase if more public funds are allocated to the project.

According to the documents obtained through the FOIA request by Berlingske, the legal basis for the ANPR project is the Danish video surveillance law (CCTV law) and the Danish Data Protection Act (transposing directive 1995/46/EC). The Danish CCTV law places no direct restrictions on video surveillance in public spaces (such as roads) when done by public authorities, and the police is exempted from the requirement to inform the public through clearly visible signs. Under the Data Protection Act, data processed from video surveillance systems must be deleted no later than 30 days after capture, and the Danish police interprets that as a legal basis for retaining the data for 30 days.

However, even though there are no direct restrictions on video surveillance in public spaces by public authorities, the video surveillance and the subsequent data processing are subject to general requirements of necessity and proportionality. The same principles must apply to ANPR, even though only number plates and not personal faces are registered and processed. Usually, CCTV is employed in areas with an increased risk of criminality, but the ANPR project effectively makes every Danish road an area suitable for CCTV monitoring in order to prevent crime.

The 30-day retention period, and the plans for active data-mining analysis by the police, make it even more questionable whether the ANPR project satisfies the necessity and proportionality requirements. This question must also be viewed in light of the recent judgement on the Data Retention Directive by the European Court of Justice (CJEU). A nationwide ANPR system clearly constitutes mass surveillance, and since the police is the data controller of the ANPR data, there are no judicial safeguards limiting the access to the retained data. The location data from ANPR can be compared to location data collected from mobile telephones.

On 2 June 2014, the Danish government published a legal analysis which said that the Danish data retention law does not violate the Charter of Fundamental Rights because the law has appropriate judicial safeguards for access to the retained data. No such access restrictions exist for the ANPR data. The fact that the Danish ANPR system will be limited (in the beginning) due to budgetary reasons can hardly be regarded as an effective judicial safeguard for this type of mass surveillance.

So far, there has been limited political discussion of the ANPR plans in Denmark, and the privacy implications have not been discussed at all. The documents from the Berlingske FOIA request also outline the PR strategy that the police intends to use for the ANPR project. The police will emphasise that most of the monitoring is done automatically by computers which only “react” when there is a hit. Clearly, the purpose here is to downplay the massive privacy invasion that the ANPR system will impose on Danish (and European) citizens.

Police will check millions of number plates, Berlingske (only in Danish, 21.06.2014)

EDRi-gram: Denmark: Data retention is here to stay despite the CJEU ruling (02.06.2014)

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)