The right to privacy is a crucial element of our personal security, for free speech and for democratic participation. It is a fundamental right in the primary law of the European Union and is recognised in numerous international legal instruments. Digital technologies have generated a new environment of potential benefits and threats to this fundamental right. As a result, defending our right to privacy is at the centre of EDRi’s priorities.

22 Oct 2014

ENDitorial: Malmström – Always there to protect US

By Joe McNamee

Now that Commissioner Cecilia Malmström will be taking over as the EU’s Trade Commissioner, and as the Commissioner in charge of negotiating the controversial TTIP trade deal with the USA, it is a useful time to cast our minds back to her achievements as Commissioner with responsibility for Home Affairs in the European Union.

Commissioner Malmström’s generosity when negotiating with the United States is, to say the least, very consistent. The deal she reached with Australia on processing and storing of passenger name records (PNR) allows processing with regard to crimes that have a minimum four year jail term. She agreed to only three years in a similar deal with the United States. In the deal with Australia, the data must be deleted after five and a half years. She generously agreed to the data being stored for a full ten years in the agreement with the United States. This does leave one question, however: If storing the data for five years is all that is needed, how can it be necessary, proportionate and, therefore, legal, to agree to 10-year data retention with the USA? Now, despite the lack of evidence of usefulness and proportionality, and despite the European Court’s ruling that long-term, suspicionless storage of EU citizen’s data is contrary to EU law, a new Directive on EU PNR Data has been proposed by Malmström’s services and a push is expected shortly to have it adopted by the European Parliament.

Malmström’s reaction to allegations of abuse of financial data of EU citizens shared with the US authorities was perfectly consistent with her generosity in the PNR agreement. In 2013, reports revealed by the German news magazine Der Spiegel indicated that the USA was tapping European data stored by the inter-bank financial telecommunication company SWIFT. Subsequently, the European Parliament voted by majority to suspend the agreement for financial data sharing (“TFTP agreement”) with the United States. The Commissioner leapt into action, politely asking the US if they had breached the agreement. As the US denied the claims, the Commissioner felt that no further action was needed, and so none was taken.

In 1999, US President George W. Bush asked the EU to introduce mandatory retention of communications data “to permit the retention of data for a reasonable period”. Thanks to the tireless work of the UK government in the subsequent seven years, the US got its wish and the EU introduced the Data Retention Directive. In 2009, Commissioner Malmström took responsibility for the Directive. Before her services had a chance to collect any analysis from Member States, without any evidence to back up her position, Commissioner Malmström, who took a personal oath to uphold the European Charter of Fundamental Rights, made her position very clear: “We have to recognise that data retention is here to stay, and for good reasons. Access to telecommunications data are, at least in some cases, the only way of detecting and prosecuting serious crime. And in some cases it can be vital to exclude individuals from crime scenes and clearing them of suspicion. We do need data retention as an instrument to maintain security in our Member States.” Subsequently, Commissioner Malmström, who took a personal oath to act independently in her function as Commissioner, added that she believed that Member States would “not accept any proposal to abolish it.”

It subsequently transpired that she ignored specific legal advice from inside the Commission that the Directive was illegal. Having chosen not to propose either repeal or reform of the Directive, once the Court of Justice of the European Union (CJEU) ruled this year that the data retention directive was incompatible with European law, Malmström inexplicably declared that the judgment confirmed “the critical conclusions in terms of proportionality of the Commission’s evaluation report of 2011 on the implementation of the data retention directive”.

More worryingly, bearing in mind her new function as Commissioner responsible for negotiating with the USA on the TTIP proposals, documents recently made public by EDRi-member Access indicate that Malmström actively conspired with the US authorities to undermine or delay the draft reform of the EU’s data protection reform package – weeks before any elected European politician received an official copy of the proposals.

Finally, Malmström’s cooperation with the USA on internet blocking deserves a mention. In 2012, she was convinced by the US to jointly launch a “global alliance against child pornography”. This encourages, among other things, the promotion of “voluntary” internet blocking, outside any legal framework, by the governments involved. Turkey, that has repeatedly been condemned for excessive and unclear blocking obligations accepted the invitation to join. Malmström confirmed at the press conference launching the event that Russia had been invited, but declined to join. Coincidentally, Netclean, one of the leading internet blocking/filtering companies is heavily promoted by Swedish politicians (and the Swedish Queen). Coincidentally, Turkey has agreed to invest heavily in Netclean products and has, even since signing up to the Global Alliance, been condemned again by the European Court of Human Rights for its excessive, disproportionate blocking practices.

Agreement between the EU and Australia on the processing and transfer of PNR data (13.09.2011)

Agreement between the USA and the EU on the use and transfer of PNR to the US Department of Homeland Security (08.12.2011)

European Union set to vote on data law – George W. Bush’s request for data retention (13.11.2001)

Legal advice against data retention (23.08.2012)

European Commission Press Release: EU-US agreements: Commission reports on TFTP and PNR (27.11.2013)

A global alliance against child sexual abuse online

Malmström acknowledges validity of compromising document (08.10.2014)



22 Oct 2014

Macedonian investigative magazine fined in defamation case

By Heini Järvinen

On 27 September, 2014, the Skopje Court of Appeals, Macedonia, confirmed the decision of a lower court, and ordered a critical independent magazine “Fokus” to pay a nearly ten thousand euro fine to a high government official for defamation. The ruling was another setback to country’s media freedom.

Sasho Mijalkov, the Director of the Security and Counter-Intelligence Directorate, and a cousin of Macedonia’s Prime Minister Nikola Gruevski, sued Fokus in January 2013 for defamation after it had published an article including a statement by Igor Ilievski, Macedonia’s former ambassador to the Czech Republic, suggesting Mijalkov’s involvement in various forms of corruption. The court ruled the magazine’s editor-in-chief Jadranka Kostova to pay 5000 euro, and journalist Vlado Apostolov 1000 euro to Mijalkov for non-pecuniary damages, and to jointly cover court costs of 3300 euro. The average monthly net salary in the country is around 350 euro.

The Association of Journalists of Macedonia (AJM) condemned the verdict, arguing that that it is unfair, directed against critical journalism, and in breach of the Defamation Law in Macedonia. AJM pleaded with Mijalkov to waive the 6000 euro fine. He did not respond directly to the appeal, but announced through his lawyer that the money he would receive from the journalists would be donated to an orphanage.

On 8 October, AJM started a fundraising appealing to journalists and citizens to help the two journalists to pay the fine, which is risking to cause financial ruin both for the journalists and their families, as well as the magazine. Fokus is one of the few publications in the country continuing to publish investigative pieces. The editor-in-chief of the magazine has publicly stated that they have been forced to institute self-censorship, to avoid lawsuits for defamation, such as this one, that threaten to destroy the its finances. The call for solidarity highlights the importance of the support of the press and public to safeguard the freedom of expression in the country. On 21 October, less than two weeks after the launch of the fundraising, AJM announced that the target sum covering the fine and the court costs had been nearly reached.

Macedonian investigative magazine “Fokus” fined thousands of euros in defamation case (16.10.2014)

Call for solidarity for journalists of Macedonian weekly “Focus” (08.10.2014)

Macedonian appellate court confirms defamation verdict for independent magazine (07.10.2014)

Macedonian Court Fines Journalist and Magazine for Quoting Source (23.02.2014)

Critical Macedonian weekly faces “draconian” fine (20.01.2014)

EDRi-gram: Macedonian media freedom in freefall (12.03.2014)



08 Oct 2014

Romania: The aftermath of the second CCR data retention ruling

By Guest author

As previously reported in the EDRi-gram, the Romanian Constitutional Court (CCR) ruled in its decision no. 440 on 8 July 2014 that the second Romanian data retention law (no. 82/2012) was not constitutional. The full reasoning for this was published in the Official Journal on 4 September 2014 in Romanian. EDRi-member ApTI is working on the translation of the text, and an English version will follow soon.

The first data retention law (298/2008) was declared unconstitutional by the CCR decision 1258/2009. The case of the second data retention law was put on the agenda of the CCR after two judges from two different lower courts (from the towns of Targoviste and Constanta) questioned ex officio whether the second Romanian data retention law 82/2012 was unconstitutional. The second data retention law could not be challenged directly in front of the CCR because of a political decision that the measure was a major obligation from the EU.

The reasoning of the decision declaring the second data retention law unconstitutional is based on the previous decision of the CCR, but also follows closely the ECJ decision from 8 April 2014 that nullified the Data retention Directive. It also quotes the similar decisions from Constitutional Courts of Germany, Czech Republic and Bulgaria.

There are at least three novelties compared to the 2009 data retention decision of the CCR that need to be mentioned:

Firstly the new CCR decision states clearly that access to the retained data by the secret services must be made only with a judicial approval. The judicial approval is seen as a guarantee of an efficient protection of retained data against any risk of abuse. The lack of this judicial approval (see paragraph 63-67 of the decision) is a breach of the right to privacy, as enshrined in the Romanian Constitution. This has been one of the key issues in the debate in the past, at least from a civil society standpoint – and, until now, the secret services had unlimited access to all retained data, without any real restrictions.

Secondly, CCR follows closely the ECJ decision on proportionality issues and rules that the first step – retaining and storing the data – is not, of itself, a breach of the right to privacy, as the Romanian Constitution does not forbid “the preventive storing, without a specific justification, of traffic and location data”. However the access to such data and its usage must be proportionate and this is where the Romanian law fails to meet its purpose (see paragraph 58-61 of the decision).

Thirdly, the CCR decision does not oblige the telecom companies and Internet Service Providers (ISP) to delete the retained data, but they have an obligation not to collect it any more. The ruling only limits the access of judicial authorities and secret services until a new law that meets the necessary safeguards is in place. However, the ruling goes even further by prohibiting the access of judicial authorities and secret services to data retained even for billing and interconnection. (see paragraph 78-80 of the decision). The CCR declared as constitutional the text of the Penal Procedural Code (art 152), which mandates a judicial approval for access to retained data, but just considered it “inapplicable” until a new data retention law will be in place.

The last point was actually an open invitation to adopt a new data retention law, but – as already reported in the EDRi-gram – it triggered a lot of critical comments from secret services and the prosecutors’ office, who said they are now in a “legal vacuum”.

Up until this point the authorities haven’t publicly announced any details regarding a new data retention law, but it is widely suspected that they are working on drafting it behind closed doors. A new data retention law will most probably be back on the agenda very soon. Whether lessons will be learned, both regarding the need for meaningful safeguards and the need for a public debate will be seen.

Full CCR decision 440/2014 (only in Romanian, 04.09.2014)

EDRi-gram: Romanian Parliament adopts the data retention law. Again. (23.05.2012)

EDRi-gram: Romania: Mandatory prepaid SIM registration ruled unconstitutional (24.09.2014)

EDRi-gram: Romanian NGOs demand stopping data retention in Europe (26.01.2011)

(Contribution by Bogdan Manolea, EDRi-member ApTI, Romania)



24 Sep 2014

The Turkish government tightens its grip over the Internet

By Heini Järvinen

On 8 September 2014, the Turkish parliament passed an amendment to the already draconian Internet law. The amendment allows the Turkish Telecommunication Authority (TIB) to block (without a court order) any website that appears to threaten “national security or public order”. Internet Service Providers (ISPs) are required to execute the blocking order of the TIB within four hours. This enables the government to block content quickly and without due process of law.

In addition to allowing blocking of websites without a court ruling, the law also obliges ISPs to store all data on web users’ activities, such as browsing history, for two years, and make it available to the authorities upon request, without a court order.

The new law, as well as other recent actions of the Turkish government, have raised concerns about freedom of speech in the country. The large majority of the traditional mainstream media is either directly or indirectly under the government control, and the Internet remains one of the few channels for free speech in Turkey, but the government is continuously increasing the measures to control also the Internet.

During the last few years, the Turkish government has blocked sites which broadcast recordings that appear to indicate corruption of government officials and appear to show dubious relationships with the fundamentalist organisations in Syria and Iraq. In spring 2014, social media platform Twitter and a video-sharing website YouTube remained blocked for several weeks. “National security and maintaining public order” were used as justifications also to this blocking.

Turkey becoming intelligence state with new Internet law (09.09.2014)

Turkey tightens Internet controls, weeks into new government (09.09.2014)

Turkey tightens grip over the internet (09.09.2014)

Turkey: Internet freedom, rights in sharp decline (02.09.2014)



17 Sep 2014

Public Oversight and The Rule of Law

By Joe McNamee

Between 15th-19th of September, in the week leading up the first year anniversary of the 13 Necessary and Proportionate Principles, EDRi, the EFF and the coalition behind the Principles will be conducting a Week of Action explaining some of the key guiding principles for surveillance law reform. Every day, we’ll take on a different part of the principles, exploring what’s at stake and what we need to do to bring intelligence agencies and the police back under the rule of law. You can read the complete set of posts at: The Principles were first launched at the 24th Session of the United Nations Human Rights Council in Geneva on 20 September 2013.

Let’s send a message to Member States at the United Nations and wherever else folks are tackling surveillance law reform: surveillance law can no longer ignore our human rights. Follow our discussion on twitter with the hashtag: #privacyisaright

One of the most striking elements of the surveillance practices is the extent to which laws and judicial procedures have been breached, ignored and undermined by agencies whose tasks it is to uphold the rule of law.

Before the Snowden revelations, the world had drifted into an unconscious acceptance that existing and unquestioned principles of law were somehow no longer valid. The most striking example of this was the report on the “use of the Internet for terrorism purposes“ (PDF) that was published by the United Nations Office on Drugs and Crime in 2012. That report actively encourages United Nations member states to establish “informal relationships or understandings with ISPs (both domestic and foreign) that might hold data relevant for law enforcement purposes about procedures for making such data available for law enforcement investigations.” These “informal relationships” seem to be exactly what the International Covenant on Civil and Political Rights (ICCPR) prohibits in Article 17, which states that “no one shall be subjected to arbitrary or unlawful interference with his privacy”.

The same UNODC report called for long-term storage of communications data of innocent individuals. It did this despite the fact that there is no evidence that such an extensive intrusion into the privacy of innocent individuals is necessary or proportionate. Indeed, since the report was published by the UNODC, the European Court of Justice has ruled (PDF) that such measures are contrary to the primary law of the European Union. As a result, the EU’s Data Retention Directive was declared invalid. This Directive was adopted in 2006, even though no evidence of necessity or proportionality was provided when the legislation was proposed. More shockingly, EU Member States that did not consider the measures to be necessary in a democratic society were taken to court by the European Commission to force them to transpose the legislation in their jurisdictions.

The impunity that led to the EU Directive to be adopted and enforced was also evident in an “evaluation report“ (PDF) adopted by the European Commission in 2012. That report was forced to recognise that one of the three main reasons for proposing the legislation in the first place – ensuring cross-border access to historical records – was statistically insignificant in practice. The European Commission felt that it was politically safe to take the position that this could be explained by cross-border access being facilitated by “domestic operators” “rather than launching mutual legal assistance procedure [sic] which may be time consuming without any guarantee that access to data will be granted”. No Member State – and no press publication – publicly raised any concern that data was being extracted about citizens, across borders, without authorisation, in situations where national judiciaries would not necessarily grant access to the data.

We cannot uphold the law by breaking the law. We cannot fight lawlessness by undermining the rule of law with impunity.

10 Sep 2014

The Principles Week of Action: A world without mass surveillance

By Guest author

Between 15 and 19 September, several digital rights organisations, including EDRi and many of its members, will be celebrating the first anniversary of the 13 International Principles on the Application of Human Rights to Communications Surveillance. The Principles were first launched in the Palais des Nations in Geneva on 20 September 2013.

Drawing on international law and jurisprudence, the Principles articulate the obligations of governments under international human rights law in the digital age. The Principles are a product of a collaborative effort of privacy experts, human rights lawyers and civil society groups. They provide a tool to evaluate and help reform governments’ surveillance practices.

On the occasion of their first anniversary, a series of blog posts will be published in order to raise awareness on global mass surveillance issues such as metadata, data retention, transparency and the integrity of communications. EDRi member Access is also hoping to publish an implementation guide providing more details on how to apply the Principles into law.

Finally, as part of this week of action, Access will be coordinating the presentation of awards to those who have championed the Principles and a negative prize for those who have worked against the Principles. The public can participate in nominating the candidates – individuals, government officials, agencies, or companies – for these awards before 12 September. Awards’ winners will be announced during the Week of Action.

The 13 Necessary and Proportionate Principles

Principles Questionnaire Form: Help us celebrate the one-year anniversary of the Principles!

(Contribution by Estelle Massé, EDRi member Access, International)



27 Aug 2014

Online freedoms in Serbia still under threat, analysis shows

By Guest author

SHARE Foundation, an organisation dedicated to protecting digital rights in Serbia, analysed the state of online media freedoms in the country. Examples of technical attacks on media websites, threats and insults to online journalists show a worrying trend of pressure in the digital environment.

During the devastating floods that hit Serbia and the region in May 2014, many cases were witnessed where freedom of expression and information online were endangered. Websites that published information criticising the actions of the Serbian government during the floods were attacked and the entire blog section on a popular daily newspaper website was taken down after a satirical post. Also, citizens were questioned by the police because they expressed their opinion on social media. In the following two months, the situation did not improve to an appreciable extent.

These issues caused reactions from the international community. OSCE Representative on Freedom of the Media, Dunja Mijatovic, expressed her concerns because of the incidents, while the Head of the European Union Delegation in Serbia, Michael Davenport, and the United States Ambassador to Serbia, Michael Kirby, called for the respect of the right to free speech on the Internet. Member of the European Parliament Marietje Schaake sent a letter to European Commissioner Stefan Füle regarding the media situation in Serbia.

Several Serbian media websites, as well as a blog written by two journalists, could not be accessed on multiple occasions due to offensive technical measures, such as distributed denial-of-service (DdoS) attacks. For example,, a web portal of an independent radio station promoting civil society values, was attacked during June 2014 after it published articles about the allegedly plagiarised PhD thesis of the Serbian Minister of Internal Affairs and the allegedly non-existent London PhD of the former rector of a well-known private university in Serbia. One of the authors of the articles about the PhD scandals claimed that her private email correspondence has been illegally accessed. Another example is the website of the daily newspaper Kurir, which was also attacked and made inaccessible several times, the most recent attack occurring on 10 August 2014. It should be noted that these are not the first cases of media websites being under attack. Last December, the website of the Center for Investigative Journalism of Serbia (CINS) was hacked after it published a story about self-censorship in the Serbian online media. They suffered technical attacks again this February.

Pressure on journalists has also become frequent in Serbia, especially on the local level. Natalija Miletic, a Serbian journalist working in Germany, asked Prime Minister of Serbia Aleksandar Vucic questions about alleged media censorship and plagiarism during a joint press conference in Berlin with German Chancellor Angela Merkel. She did not receive answers. After the conference the Serbian Embassy in Berlin told her not to request press passes in the future. RTV journalist Mladenovac Dragan Nikolic was arrested because of a post on his Facebook profile about the recent floods – because he allegedly “damaged the reputation” of a high-ranking official of the ruling Serbian Progressive Party (SPP).

These examples taken from the analysis by the SHARE Foundation show that the state of freedom of expression and media in the Serbian online sphere is of considerable concern. The great number of different cases that happened during the past two months highlights that state bodies need to be more active in solving problems and reacting to violations of digital rights and freedoms. Tendencies of different actors to discourage citizens and media to express themselves freely on the Internet create a “chilling effect” and we must continue our struggle for the Internet as a place of open access, as well as free and decentralised exchange of information. It is very important to openly speak about all problems that endanger freedom of speech and information on the Internet so they do not become “business as usual”.

To create awareness for freedom of speech and other digital civil rights issues in the region, EDRi, the SHARE Foundation and Wikimedia are organising an event “Energise! Network! Mobilise!” on 4-5 September in Belgrade, Serbia. The two-day event consisting of panels and workshops will gather activists, civil society organisations and citizens interested in learning more about these issues to exchange their experiences, share knowledge and network.

Analysis of Internet freedoms in Serbia

Energise! Network! Mobilise! in Belgrade, 4-5 September

Internet remembers everything

Government online censorship in Serbia worrying trend, says OSCE media freedom representative (27.05.2014)

Letter to Štefan Füle concerning censorship in Serbia (11.06.2014)

The big Serbian information shutdown (07.07.2014)

Online and citizen media on a turning point: if they wish, web platforms can be equalled with media (06.08.2014)

(Contribution by Bojan Perkov, SHARE Foundation, Serbia)



27 Aug 2014

Ukraine: Sanctions against Russia to result in media censorship?

By Heini Järvinen

On 12 August, the Ukrainian parliament (Verkhovna Rada) approved in first reading a draft law (No. 4453) to impose sanctions on Russian companies and individuals over their alleged support and financing of separatism in Ukraine. The draft law included provisions to allow the Ukrainian National Security and Defence Council (RNBO) to shut down or block any website or TV or radio station without a court order on the grounds of national security.

The draft law was submitted to the parliament by Prime Minister Arseniy Yatsenyuk on 8 August, only four days before the first reading, with no input from outside advisers. It was made available to the public only once it had passed the first reading, with an impact study stating that

“the bill does not require consultation with civil society”.

Local journalists and media activists as well as international press freedom organisations immediately criticised the draft law, calling it a “major setback for freedom of information in Ukraine”, and accusing the government of using concerns about national security as an excuse to introduce censorship.

As a response to the quick reaction from civil society, Mykola Tomenko, parliamentary deputy and head of the parliament’s committee on freedom of speech, announced on 13 August that the parliament was working to remove the media censorship elements from the draft law.

Tetiana Semiletko, a lawyer working for the Kyiv-based Media Law Institute stated that

“we also see that our own media might be banned, shut down or restricted, with nothing more than a decision by the security council and a presidential decree.”

On 14 August, the parliament voted to adopt the national security law. 244 parliamentarians out of 450 supported its adoption. The law establishes a legal right to implement sanctions against 172 individuals and 65 entities in Russia and other countries for supporting “terrorism” in Ukraine. The sanctions include a provision to halt natural gas transit from Russia through Ukrainian territory, and to target Russia’s defence, financial and transport sectors.

Compared to the draft law approved on first reading, most of the censorship measures were removed or softened, and the law will not have impact on the freedom of media. However, even if the suggested media provisions were finally dropped, the parliament has proposed moving some of them into existing media laws to achieve more control over media and to simplify imposing bans. The threat is therefore very much alive.

Ukrainian parliament approves very dangerous draft law on first reading (12.08.2014),46793.html

Ukrainian law would allow authorities to block websites, along with other media (13.08.2014)

New sanctions bill raises free-press fears in Ukraine (13.08.2014)

Ukraine approves bill to impose sanctions on Russia (14.08.2014)

In the fight against Russia, Ukraine flirts with kremlinesque Internet censorship (14.08.2014)

Ukraine passes law on Russia sanctions, gas pipelines (14.08.2014)



30 Jul 2014

Spain: Why you should care about the Citizens’ Security Bill

By Guest author

On 11 July 2014, the Spanish Council of Ministers adopted the Bill on the Protection of Citizens’ Security. The draft law comes under the authority of the Ministry of Interior which, after “hearing” the opinions of several public authorities and civil society in response to a preliminary text, adopted the bill. The legislation is intended to repeal an existing law of 1992. The proposals are strikingly and disturbingly similar to rules that have been adopted in China and which were proposed, subsequently deemed unconstitutional, in Chile.

Before becoming law, the bill has to go through the two chambers of the Spanish Parliament and, if enacted, some of the provisions of the law would be further developed by implementing regulations (cf. Article 41 and the Third Final Provision of the Bill).

So far, the Government’s proposal has been strongly criticised. Restrictions to the freedoms of assembly and expression in protests received a lot of attention in the media, but some provisions of the bill have barely been discussed.

Measures which have been overlooked in the media include Article 25, which would oblige cybercafés and similar establishments to keep records of their clients’ IDs because these establishments “exercise activities which are relevant for citizens’ security”. Non-compliance with Article 25 would result in fines ranging from 100 to 30 000 Euro. In addition to the pecuniary sanctions, the bill foresees the suspension of licenses, authorisations or permits and even the closing down of facilities (cf. Articles 36 (22), 37(9) and 39). As expressed in the report issued by the General Council of the Spanish Judiciary (a constitutional body that exercises governing functions within the judiciary), this provision broadens the scope of its predecessor, Article 12 of Law 1/1992. Both Article 25 and other provisions described below are likely to restrict data protection, privacy rights, freedom of expression, the right to information or the presumption of innocence, if adopted in their current form.

Other provisions of the Spanish Citizens’ Security Bill raise similar concerns, such as Article 26, which foresees the possibility for certain establishments (including cybercafés) to adopt physical, electronic, IT, organisational or personal security measures (cf. Article 52 of Law 4/2014 on Private Security); Article 43, which creates a Central Register of Infringements against Citizens’ Security “to appreciate recidivism”, i.e. to keep records of repeat offenders; or Article 46, which would allow the authorities that are “competent to impose sanctions in accordance with the [bill]” to have access to the data of the alleged offenders , with the sole safeguard that this access must be linked to an ongoing investigation.

Article 36(26) merits special attention. It establishes that “the non-authorised use of pictures, personal or professional data” of security forces’ officers would be categorised as a serious offence. This Article would complement Article 559 of the Criminal code proposed by the Bill on the reform of the Criminal Code, which is currently going through the Congress. If adopted, Article 559 would also criminalise the “public distribution or dissemination, by any means, of messages or orders inciting the commission of any crimes for disturbance of public order (…) or supporting the decision of committing them”, punishable by up to one year of imprisonment. This provision would, in principle, mean that taking photographs or videos, for example, of misbehaviour of security service staff would incur the risk of prosecution.

Spain is not the first country that tries to implement this type of policies. It is worth remembering that China implemented a similar policy on cybercafés a few years ago. Chinese cybercafés must require their customers’ IDs in order to access their services. As evidenced by an investigation conducted by ‘Information Times’, it resulted in a “significant loss of business”. Chile is another example. The Chilean Parliament intended to impose registration of cybercafé users, but the proposal was declared unconstitutional by the Constitutional Court in 2011.

Bill on the Protection of Citizens’ Security Law (only in Spanish, 25.07.2014)

Spanish government tones down its controversial Citizen Safety Law (28.05.2014)

Report of the General Council of the Spanish Judiciary on the Preliminary Draft Organic Law on the Protection of Citizens’ Security (only in Spanish, 27.03.2014)

The Security Law shall impose ID identification to be able to use phone booths and cybercafés (only in Spanish, 07.04.2014)

Bill on the amendment of the Spanish Criminal Code (only in Spanish, 04.10.2013)

The Constitutional Court in Chile finds a provision on cybercafé users’ register unconstitutional (only in Spanish, 12.07.2011)

China’s Internet Cafes Respond to ID Check Rules (26.07.2010)

(Contribution by Maryant Fernandez Perez, EDRi intern)



16 Jul 2014

UK: Emergency legislation on data retention pushed through

By Guest author

Faced with a lawsuit from NGOs challenging the legality of its data retention regulations (which are based on the data retention directive the European Court of Justice found unlawful in April 2014), the UK government brought in emergency legislation, a Data Retention and Investigatory Powers Bill (DRIP), to not only declare data retention to be still lawful but also expand the scope of both retention and lawful intercept in a number of ways.

For example, the UK government has awarded itself the extra-territorial power to demand assistance with surveillance of UK persons from foreign companies that provide communications services to people in Britain. This means that the UK security and intelligence services can demand that Google UK wiretap someone associated with Britain, rather than filing an application via the relevant mutual legal assistance treaty.

UK civil society campaigned actively against the new legislation. Many Members of Parliament (MP) received hundreds of emails each from EDRi member Open Rights Group’s (ORG) and a campaigning community 38 Degrees’ supporters, as well as phone calls from concerned constituents.

The law was pushed through the House of Commons on 15 July, while the press were distracted by a reshuffle of the Cabinet. Following secret negotiations, it was supported by all three main parties. They claimed untruthfully that the new law creates no new powers. The government was claiming it was an emergency and without it the powers needed by the police to fight terrorists and paedophiles would be lost.

“This fast track legislation contains sweeping surveillance powers that will affect every man, woman and child in the UK. The Bill contains the powers for Government to continue to mandate the blanket retention of the communications data of the whole population for 12 months,”

concludes the briefing on the fast-track Data Retention and Investigatory Powers Bill by Liberty, Privacy International, Open Rights Group, Big Brother Watch, Article 19 and English PEN.

“This is in direct contradiction of a Court judgement which held that blanket indiscriminate retention of communications data breached human rights.”

Liberty, Privacy International, Open Rights Group, Big Brother Watch, Article 19 and English PEN briefing on the fast-track Data Retention and Investigatory Powers Bill

#DRIP heroes, round one (15.07.2014)

The DRIP myth list (14.07.2014)

(Contribution by Ross Anderson, EDRi member Foundation for Information Policy Research, United Kingdom, and Jim Killock, EDRi member Open Rights Group, United Kingdom)