The right to privacy is a crucial element of our personal security, for free speech and for democratic participation. It is a fundamental right in the primary law of the European Union and is recognised in numerous international legal instruments. Digital technologies have generated a new environment of potential benefits and threats to this fundamental right. As a result, defending our right to privacy is at the centre of EDRi’s priorities.

22 Apr 2014

Finishing my internship with EDRi

By Andrew

The last three months have provided a great opportunity to get first-hand experience observing digital policy in the European decision-making process. I have worked on a number of topics and assisted with the launch of the campaign. By far the most memorable (and successful) thing I’ve worked on has been the Telecoms Single Market Regulation, which saw net neutrality take a significant step forwards towards being enshrined in EU law.

Getting to this stage hasn’t been easy, and has largely been the result of a collaboration beween EDRi and its member organisations. This development proves that the EU has the capacity to be a world leader on the future of digital policy, and that digital rights will be central to the next parliamentary term. Not everyone was pleased. Telecoms representative ETNO lamented the fact that its ambitions for a two-tier internet designed to account for the loss of revenue that its members can charge on mobile roaming had been defeated. On Twitter, its chairman referred to the amendments as “populist” measures, a fair assessment given that they favour consumers and civil society over discriminatory networks.

Some of the other highlights of my internship have been attending events and meetings with key figures in EU digital policy. These events have been diverse, ranging from discussions on the Trans-Atlantic Trade Investment Partnership, to the ethics of civilian drones. Attending these events can provide a real advantage in getting up to speed with the latest developments. The panellists are often highly informed on the subject and can provide unique perspectives that are otherwise difficult to find. For example, the various occasions in which I saw MEP Marietje Schaake discuss internet governance gave real insight into the status of this issue in Europe. In another discussion, Jacob Appelbaum’s talk on the extent of government surveillance was highly informative and illustrated the threat of hardware-level backdoors in the future.

I would recommend the internship to anyone with a keen interest in digital policy. The office is located extremely close to the European Parliament, making it easy to attend events and meet with key individuals. Interns’ main task is to produce a weekly report – a summary of everything happening on an EU level that concerns digital rights. In producing this report you, gain an awareness of digital policy developments as they happen, which provides a sort of vantage point over the direction this policy will take in the future. This is of great benefit to anyone who wants to get involved with digital policy from the perspective of consumers and civil society.

Perhaps the greatest thing about working with EDRi lies with the fact that it is a European hub for its 36 member organisations, with many lively discussions occurring on a range of topics concerning digital policy. Following these discussions introduced me to a number of digital rights issues that I had not previously considered.

Andrew Walsh

09 Apr 2014

ECJ: Data retention directive contravenes European law

By Heini Järvinen

On 8 April, the European Court of Justice ruled that the EU legislation on mass surveillance contravenes European law. The case was brought before the Court by EDRi member Digital Rights Ireland, together with the Austrian Working Group on Data Retention.

While it will take some time to get a clear view of what is going to happen in this policy area, the initial comments from key players may give some clues.

Perhaps the most remarkable comment is from Commissioner Cecilia Malmstroem, who has legal obligation ensure that the Charter of Fundamental Rights is respected. She claimed that her services were fully aware of the incompatibility of the Directive with primary European law for at least three years but chose to do nothing:

“The judgment of the Court brings clarity and confirms the critical conclusions in terms of proportionality of the Commission’s evaluation report of 2011 on the implementation of the data retention directive. The European Commission will now carefully assess the verdict and its impacts.”

The European Court of Justice didn’t provide any guidance on its ruling implications on national legislation. Luxembourg Minister of Justice Félix Braz annouced shortly after the ruling in his statement that “the national legislation, even though it was adopted in application of the invalidated Directive, will remain in place and continue to bind telecom operators”. He added that

“a deep analysis of the national legislation must be conducted to quickly establish whether the respect for fundamental rights in our legislation can be considered as adequate with respect to the ECJ requirements [...] particularly concerning issues related to access to data by judicial authorities and to the definition of serious crime”.

Braz urged the EU institutions to adopt the data protection Regulation as a starting point, in order to define “a general regime establishing a harmonised high level of protection prior to any definition of potential derogations that might include data retention”.

The Romanian Government had no reaction to the ECJ decision, but in the day after the ruling decided to extend the mass surveillance on its citizens in a new draft law: all the citizens that connect to free WiFis must identify themselves to the operators, that need to keep the personal data for at least 6 months. Also, all the pre-paid mobile cards owners have to be present an ID card if they want to buy such a card. All the current 7 million pre-paid card users in Romania need to register in 6 months, otherwise their cards will be de-activated. Impact on human rights? None, according the Ministry of Justice.

Finnish Minister of Education, Science and Communications Krista Kiuru welcomed the decision. She commented:

“Naturally, we must clean out the paragraphs enacted due to the directive. We will gladly adhere to this decision. If we want Finland to be a model country when it comes to data protection, our legislation has be be in accordance with the fundamental citizen rights,”

The ruling may have an impact on ongoing legislative projects in Finland, such as the preparatory work on the online surveillance law.

European Court overturns EU mass surveillance law (08.04.2014)

Data retention directive: Commissioner Malmström’s statement on today’s Court judgment (only in French, 08.04.2014)

Felix Braz: “The judgment of the ECJ clearly states that all the fundamental rights of EU citizens are to be respected” (08.04.2014)

Romanian new draft law (09.04.2014)

ECJ ruled data retention directive illegal (only in Finnish, 08.04.2014)

Finland must revise its data protection laws (08.04.2014)

09 Apr 2014

Data Retention ruled invalid: what does this mean for Kosovo?

By Heini Järvinen

The European Court of Justice published on on 8 April its verdict on the Data Retention Directive, ruling it invalid. The court’s decision follows years of strict enforcement by the Commission, which has gone so far as to seek financial penalties from a number of Member States that did not implement the measure on time. It is also worth considering, however, the impact of the Directive on other states and their citizens. The court ruling is likely to have a tangible impact elsewhere, particularly in candidate and “potential candidate” countries for EU membership, such as Kosovo. This is evident in an obscure Kosovan “Draft Law on Interception of Electronic Communication” that plans to enable dragnet data collection operations and enshrine murky legal boundaries for intelligence agencies’ activities.

The proposal in question would grant law enforcement agencies extensive powers of surveillance on the basis of “lawful authorisation”. Worryingly, the document states that “typically” “this refers to a court order or warrant issued by the competent court, and in certain cases the prosecution or the director of the Kosovo Intelligence Agency”. Problems with “competent courts” (let alone non-judicial safeguards) are well established. In the US, between 2010-2012 the NSA’s supposed oversight body FISA did not deny a single application and complained of being systematically misled. For the same reason, a UK Member of Parliament recently likened The Government Communications Headquarters’s (GCHQ) oversight mechanism to an episode of the satirical British comedy “Yes Prime Minister” in which a minister is manipulated into doing whatever his civil servants wanted – a tongue-in-cheek reference to the blanket approval of GCHQ’s proposals.

So it’s clear that a “competent court” doesn’t inspire much enthusiasm for meaningful oversight. What’s even more concerning is that the director of Kosovo’s intelligence agency appears to be granted extra-judicial authority in granting lawful authorisation for surveillance. The document defines “data” as “location data and other necessary data to identify the subscriber or user”. The intent to personally identify citizens through a process that does not even require judicial oversight should be a cause for alarm.

In terms of how this “lawful authorisation” can be used, the draft law would require network operators to, “without undue delay, make available to the Authorized Institution call-related data, such as … outgoing calls … incoming calls … [and] all signals emitted by the interception target”. It would give law enforcement agencies extensive powers to intercept telecommunications data of all forms. It also includes provisions for data retention established in Article 12.

What’s clear is that the impact of the Data Retention Directive has been to establish mass surveillance and the lack of due process as a precedent in the international sphere. Kosovo’s concern for European law stems from its application for accession to the European Union. For this reason, the Minister for European Integration Vlora Citaku responded to criticism of the draft law in a Tweet saying:

“the law was in Brussels for 6 months, council of Europe and EU commission made sure best EU practices are reflected.”

That is the legacy of the Data Retention Directive. As members of the European Parliament discuss taking the lead on digital rights, it is crucial that the Commission recognises the impact of its legislation on both Member States and their neighbours. We hope that, in keeping with what are now much better EU practices, the draft Kosovan legislation will be abandoned.

UPDATE: On 8 April the draft law was updated in response to the ECJ’s ruling. Minister Vlora Citaku has publicly stated that EU standards will apply, although the amendments to the draft law that would bring it into line with the ECJ ruling so far appear to be insufficient.

Draft Law on Interception of Electronic Communication

Tweet referenced (03.04.2014)

New draft legislation proposed 8 April 2014

Minister Vlora Citaku’s Tweet addressing changes to legislation (08.04.2014)

(Contribution by Andrew Walsh – EDRi intern)

26 Mar 2014

Extensive surveillance in the draft Finnish cyber intelligence law

By Heini Järvinen

Finnish government is in process of preparing of a new law on cyber intelligence. The draft by the Ministry of Defence working group preparing the law suggests giving the authorities such as Security Intelligence Service, National Bureau of Investigation, Communications Regulatory Authority and Defence Forces a mandate for a wide surveillance of online communications, including in situations where criminal activity is not suspected.

The plans have been criticised by Jyri Häkämies, the director of the Confederation of Finnish Industries, the largest business organisation in Finland, who expressed his concern about the law taking into consideration only the interest of the security authorities, forgetting the needs of business and industry. According to his statement, the law might seriously undermine Finland’s competitiveness and attractiveness for investors.

A member of parliament Oras Tynkkynen (Greens) pointed out in the government plenary session on 20 March that adapting the law as currently presented would enable mass surveillance, and could therefore affect Finland’s position as a hub of data traffic in the future.

The Finnish EDRi member Electronic Frontier Finland, a number of civil society representaatives and security experts, as well as Finnish Information Security Cluster (FISC) have also criticised the plan. “Mass surveillance would be used – sooner or later – to supervise the operations of organisations such as Greenpeace, who actively criticise the society”, comments Sini Harkki from Greenpeace in Finnish social democrat newspaper Demari. “The fact that such law is being prepared with closed doors shows strange consideration of democracy and ignorance towards civil rights”, she added.

Minister of Defence Carl Haglund explains that an evaluation of cyber security legislation is currently ongoing, and the measures it will lead into will most probably be discussed only in the next government programme, and not yet during the current term. Finland is often described as one of the few European countries where the security authorities have currently no possibility to carry out mass surveillance.

Confederation of Finnish Industries rejects the law on cyber intelligence in preparation (only in Finnish, 12.03.2014)

Greepeace surprises: “Jyri Häkämies from Confederation of Finnish Industries is right” (only in Finnish, 12.03.2014)

Minister of Defence Haglund: Finland might increase the online surveillance in the next term (only in Finnish, 21.03.2014)

Wide consultations on preparations of the network intelligence law during the spring (12.3.2014)

12 Mar 2014

Belgian NGO’s challenging the data retention law

By Heini Järvinen

At the end of 2013, Belgium passed a law forcing communication providers to retain certain data about the activities of their customers. This means information about each and every Belgian citizen that uses electronic communications services. Providers of fixed or mobile telephony and Internet access have a legal duty to retain data (who calls whom, for how long, from which device, from where…) for a year.

This massive collection of personal data endangers a series of fundamental rights and freedoms: the right to privacy, the freedom of assembly and association, the freedom of movement, the freedom of speech, the professional secrecy and confidentiality of sources. It treats each one of us as a potential criminal, substitutes the presumption of innocence with the one of guilt and undermines the basic human rights and liberties that are the foundation of a democratic society.

The Liga voor Mensenrechten, the Ligue des droits de l’Homme and the Net Users’ Rights Protection Association (NURPA) have decided to complain before the Constitutional Court to obtain the cancellation of this law. The legal battle that lies ahead of us is a long one. As a first step, the parties will have to submit their arguments in a written form, and will then plead before the twelve judges of the Belgian Constitutional Court. Finally, the latter will deliberate. However, their decision should not be expected before 2015.

If the Constitutional Court finds the data retention law to be in violation of the Belgian Constitution, the legislator will have to re-examine the issue.

Informative and crowfunding campaign by Liga voor Mensenrechten and NURPA

Loi portant modification des articles 2, 126 et 145 de la loi du 13 juin 2005 relative aux communications électroniques et de l’article 90decies du Code d’instruction criminelle

Arrêté royal portant exécution de l’article 126 de la loi du 13 juin 2005 relative aux communications électroniques

20 Jan 2014

Infographic: European Parliament votes on net neutrality

By Kirsten Fiedler

This week, three European Parliament committees will hold votes on the future of the open and neutral internet. You can make your voice heard by contacting your elected representatives before the votes and find more information on our campaign portal

Download full size – Infographic CC-by Ann-Kristin GoVeto


26 Nov 2013

European Parliament to decide on the future of the open Internet (Update)

By Kirsten Fiedler

The Internet has changed our society, enhanced our freedoms and our economy. One of the main reasons for this is the openness of the Internet – anyone has the potential to communicate with anyone, without permission and without discrimination. This is the essence of the neutral, open Internet. This is net neutrality.

This openness is now under threat, as telecoms operators seek to restrict Internet access and thereby boost their short-term profits – replacing neutrality with restrictions, barriers and complexity.

We have waited for years for concrete proposals to enshrine the net neutrality principle in European Union law. Since 2010, there has also been an increasing number of calls from the European Parliament to guarantee net neutrality. Finally, in September 2013, the European Commission has proposed a draft Regulation which aims at protecting the open internet in Europe. Vice President Neelie Kroes repeatedly stated that this proposal would include the “right to net neutrality”.

Unfortunately, the draft Regulation (pdf) proposed by Commissioner Kroes poses a serious threat to the internet as we know it.
We have analysed the three most important loopholes, which we have listed below.

The good news is that it only takes a few modifications to turn the Commission’s proposal into a meaningful means of protecting net neutrality, thereby ensuring that the Internet remains a barrier-free single market and a unique platform for social and cultural activity and democratic discourse.

We have also analysed the draft proposals made by the different Committees:

You can find our analysis of amendments tabled in the different Committees here:

  • IMCO: Our comments (pdf) on the amendments tabled in the Internal Market and Consumer Protection Committee
  • CULT: Our comments (pdf) on the amendments tabled in the Culture and Education Committee
  • ITRE: Our comments on the amendments tabled in the Industry, Research and Energy Committee – coming soon

1. What is net neutrality?

Net Neutrality is the principle that every point on the network can connect to any other point on the network, without discrimination on the basis of origin, destination or type of data. This principle is the central reason for the success of the Internet. Net Neutrality is crucial for innovation, competition and for the free flow of information. Most importantly, Net Neutrality gives the Internet its ability to generate new means of exercising civil rights such as the freedom of expression and the right to receive and impart information.

2. Specialised services

Internet companies, quite reasonably, claim the right to provide specialised network services – such as high definition video at guaranteed speeds for precise industrial applications. As long as these services are run separately from the Internet and do not interfere with internet quality, this is clearly not a problem.

Currently, the proposed Regulation does not give a clear definition of specialised services. It would allow for the possibility of a “specialised service” to be interpreted as meaning any kind of online service. This would lead to the creation of a two-tiered internet, where certain services would be prioritised and others would be pushed into the slow lane. As a consequence, this would restrict the freedom of communication and the possibilities and incentives for innovation. (Article 2.15)

Example: Many mobile operators already offer unmetered access to Facebook, with everything else being subject to a payment based on the volume of downloaded data. If the definition of a “specialised service” allows this kind of offer, it will restrict the possible market available to potential competitors, restricting choice and innovation in the long run.

What we need is a clarification to ensure that the “service” in question is not functionally identical to an online service and that it is run on a network that is entirely separate from the public internet. The Body of European Regulators (BEREC) definition states that such services have to be separate from the public best effort internet and shall be only provided within the European electronic communications provider’s network. Not alone is the Commission’s proposal less clear than this definition, but it adds qualifiers like “substantially”, “general” and “widely”, which are not defined and can clearly only generate legal uncertainty.

3. The “freedom” of end-users

The text proposed by the European Commission would give users the “freedom” to choose discriminatory services. This “freedom” will ultimately be negative for internet users and negative for the broader online innovative environment (Article 23).

Example: It has been estimated that British consumers alone pay approximately 5 billion pounds a year too much, due to their “freedom” to choose between numerous confusing service options.

What we need is to replace “shall be free” with “have the right” and to ensure that the text does not allow discriminatory services to be offered by internet access providers.

4. “Prevent or impede serious crime”

There is no definition of “serious crime”. It is also unclear what “measures to prevent” would entail. However, it is clear from the context that to “prevent or impede serious crime” means ad hoc interference with online communications by internet companies, without a legal basis or a court order. (Article 23.5).

Example: In the UK, for example, voluntary measures are already being carried out by ISPs to prevent individuals leading to lawless blocking of a range of legal online services. In 2012, this led to the accidental blocking of the website of the French civil rights group, La Quadrature du Net.

What we need is a deletion of the dangerous exception for arbitrary interferences in communications traffic flows of reasonable traffic management, as this provision is in obvious violation of Article 52 of the Charter of Fundamental Rights.

Timeline in the European Parliament and our analysis:

Draft report: 20/11 – Read our comment Draft report: 16/12Read our comment Draft report: 28/11Read our comment Draft report: 11/11 – Read our comment Draft report: 14/11 – Read our comment
Deadline for amendments: 04/12 Deadline for amendments: 18/12 Deadline for amendments: 16/01 Deadline for amendments: 03/12 Deadline for amendments: 17/12
Consideration of AMs: – Read our analysis Consideration of AMs: – Read our analysis Consideration of AMs: – Read our analysis Consideration of AMs: 09/01 – Read our analysis Consideration of AMs: 22-23/01 – Read our analysis
Vote: 21/01 Vote: 21/01 Vote: 12/02 Vote: 22/01 Vote: 24 or 27/02
25 Sep 2013

ENDitorial: The DNT ship is listing


The latest developments in the W3C working group on Do Not Track (euphemistically called the tracking preference working group) since the last time we wrote about this effort are not good, sadly. First in late July the departure of Jonathan Mayer, a graduate student at Stanford who fought tirelessly to ensure that the W3C process would have a meaningful outcome from a privacy-perspective. More recently the departure of the Digital Advertising Alliance (DAA) who declared the process “a colossal failure”.

It nonetheless is too early to declare the effort facilitated by the W3C as essentially over, but only for the reason that only the W3C can decide to end it at this stage. Given that the working group has only last June managed to decide that the standard is about gathering of personal data and not about use of personal data, a fairly basic issue that took it two years of fierce debate to settle, the amount of progress is negligible. And even that decision is not final, as has been indicated by the W3C co-chair.

Right now other advertising industry representatives have made it abundantly clear that they are only hanging on in the working group in order not to prevent it to formulate a standard that might force them to take internet users’ privacy into account. In that context it is increasingly worrisome that the W3C is trying to rush to something resembling a standard, regardless of its contents. As laudable the efforts by W3C to come to a truly multi-stakeholder process may be, it would be better for W3C and the wider internet if it were to acknowledge defeat.

By now it has become abundantly clear that several industry players value their short-term interest too much over their long-term interests to be able to come to self-regulation. It is time for W3C to call it quits and time for the European Commission to step in. Both for the sake of citizen’s privacy and European internet businesses for clarity on what constitutes consent for online tracking.

Tracking Preference Expression (DNT) – W3C Editor’s Draft 13 September 2013
Stanford privacy advocate gives up on ‘Do Not Track’ group (1.08.2013)
Do Not Track’s future in doubt as major ad group withdraws from talks (17.09.2013)
EDRi-gram: ENDitorial: Last Call for the W3C Do Not Track process (8.05.2013)

(Contribution by Walter van Holst, invited expert to the W3C DNT WG – EDRi member Vrijschrift – Netherlands)

25 Sep 2013

Surveillance scandal in discussion at the United Nations


The surveillance scandal has now reached the United Nation’s Human Rights Council, which opened its 24th session last week to a volley of questions about privacy and spying, many of them targeted at the United States and United Kingdom. (That’s perhaps not surprising, since U.N. representatives were among those listed as being monitored by the NSA and GCHQ).

The opening statement by the eminent South African human rights lawyer Navi Pillay (now the U.N.’s High Commissioner for Human Rights) warned of the “broad scope of national security surveillance in countries, including the United States and United Kingdom,” and urged all countries to “ensure that adequate safeguards are in place to prevent security agency overreach and to protect the right to privacy and other human rights.” On 13 September 2013 the German Ambassador Schumacher delivered a joint statement on behalf of Austria, Germany, Liechtenstein, Norway, Switzerland and Hungary expressing their concern about the consequences of “surveillance, decryption and mass data collection.”

The UN Human Rights Committee is also set to scrutinize the United States on their compliance with Article 17 (right to privacy) of the International Covenant on Civil and Political Rights. The United States’ written response to Human Rights Committee has already laid out a diplomatic response in favour of the Patriot and FISA provisions. It notably dodges the key question that is emerging from other countries regarding these programs: if the U.S. government cannot rein in its domestic surveillance program, riven as it is with constitutional and statutory problems, just how much worse are the controls on the surveillance of non-US persons?

This is not just a matter of the United States’ international reputation. The greatest risk to the Internet in the international arena right now lies in the formation of an unholy alliance between countries who are already seeking excuses to spy and censor the net and those, like the United States, who have previously argued against such practices, but are now having to defend their own surveillance excesses with similar language.

Without promising substantive reform at home, the U.S. and the U.K. risk alienating their own allies at the United Nations, while granting a carte blanche for other countries to pursue a repressive Internet agenda abroad. The Western countries implicated in the NSA scandal should grab onto the full set of principles as a liferaft: a way that they can show a commitment to transparency and proportionality in a way that obliges other countries to follow the same standards. Otherwise, the U.S. and the U.K. will be seen as having started a race to the bottom of privacy standards: a race too many other countries will be happy to join.

Full text: Surveillance at the United Nations (17.09.2013)

Joint Statement by Austria, Germany, Liechtenstein, Norway, Switzerland and Hungary to the Human Rights Council (13.09.2013)

Codename ‘Apalachee’: How America Spies on Europe and the UN (26.08.2013)

Opening Statement by Ms. Navi Pillay United Nations High Commissioner for Human Rights at the Human Rights Council 24th Session (9.09.2013)

Brazilian President Warns US On Surveillance, Calls For UN Reform (25.09.2013)

(Contribution by Danny O’Brien and Katitza Rodriguez – EDRi member Electronic Frontier Foundation EFF)

This article is also available in Deutsch.

25 Sep 2013

Spain: New penal sanctions proposed for alleged illegal linking


Spain plans to toughen its legislation by including penal sanctions for publishing links to alleged pirated content. From a very relaxed environment some years ago, Spain is, more and more, giving in to US pressure after having been threatened to be put on the blacklisted countries.

Since his election in December 2011, Prime Minister Mariano Rajoy has continued to increase its anti-piracy legislation, including the Sinde law. Now, on the 20 September 2013, the Spanish government approved an amendment to the penal code that introduces penalties to the admins of sites offering links to copyrighted works without the work owners’ permission. The infringers can face an up to six years jail sentence. Until now, the law would punish only those who copied or distributed copyrighted material.

The amendment will affect only those linking to copyrighted material “provided illegally by third parties, for commercial purposes”, including those that make “direct or indirect profit,” but not individual file-sharers, those operating P2P software or users of the link-hosting sites.

Media, legal specialists and even authors have doubts regarding the proportionality and efficiency of the new amendment. ”I don’t think the measures will solve the problem. One must make the final user aware of the fact that he is committing an infringement” said Sigrid Kraus, editor of Salamandra who believes its a question of education first.

Many, like local rock musician Sr Chinarro, believe his is just a pantomime as nobody would go to jail for just copying a disk or only for links. Also, in order to show that a file-sharing site operator has infringed the law, there must be a “significant breach of intellectual property rights” but there are no clear guidelines on what this really means.

The amendments approved by the government will be sent to the Parliament for debate and it remains to be seen if such a law will be really applied.

Spain readies hefty jail terms over internet piracy (20.09.2013)

New penalties against piracy, other hopes for the sector (only in Spanish, 21.09.2013)

Spain strengthens its anti-pirating policy under the USA eye (only in French, 21.09.2013)

The jurists, sceptical to the prison penalties for piracy (only in Spanish, 21.09.2013)

Pirate Admins Face Six Years in Jail After Spanish Govt. Approves New Bill (21.09.2013)

EDRi-gram: Spain: New draft law to increase copyright infringements penalties (27.03.2013)