18 Apr 2018

Hermes Center demands investigation of NAT-related data retention

By Hermes Center

On 27 March 2018, EDRi member Hermes Center for Transparency and Digital Human Rights filed a request with the Italian Data Protection Authority (DPA) to investigate on the widespread practice of logging Network Address Translations (NAT) by most of the telecommunication operators.

To better understand the issue, we must first study, from a technical point of view, the operation and allocation of IP addresses by telecommunications companies, in particular, the practice of Carrier-Grade NAT (CGN), an approach used by telecommunications companies – and especially mobile operators – to manage the allocation of IPv4 addresses. Due to the shortage of available IPv4 addresses, it has become necessary to assign private IP addresses to customers, and then translate them into public IP addresses through a NAT procedure performed by devices connected to the internet operator network. In this way, a single public IP address can shield several private IP addresses: the direct identification of the unequivocal user that on “that day and at that time” was assigned to that internet identifier — similar to telephone numbers identification — is more difficult.

According to the statements of law enforcement authorities (LEA), this practice complicates the operations of identification of those who commit crimes because, given a public IP address, there may be dozens of different users. A practice widely used by telecommunication operators to deal with requests for identification by the judicial authority is that of recording and storing all NAT operations between private IP addresses of its customers and public IP addresses: like this, all the connections of the various IP addresses to the internet are recorded.

The Hermes Center demanded that the Italian Data Protection Authority perform a timely verification and inspection of all the main mobile and fixed operators in relation to the practices of data collection of internet traffic, publicly reporting the results, to verify which is the information collected for the purpose of providing compulsory services to the judicial authorities.

----------------------------------------------------------------- Support our work - make a recurrent donation! https://edri.org/supporters/ -----------------------------------------------------------------

A recently introduced Italian law on data retention has extended the retention time period by telecoms providers by up to six years. This data retention concerns both phone traffic and internet connections and clearly goes against the European data retention principles.

On 13 October 2017, Europol and the Estonian Presidency of Council of European Union organised a workshop with 35 policy-makers and law enforcement officials from all around Europe, in order to discuss the “increasing problem of non-crime attribution associated with the widespread use of Carrier Grade Network Address Translation (CGN) technologies by companies that provide access to the internet”.

The Hermes Center filed a Freedom of Information (FOI) request to Europol and the documents are available here: https://www.documentcloud.org/public/search/projectid:37909-Carrier-Grade-NAT-workshop-by-EUROPOL. In Italy, the Hermes Center has appealed to the Data Protection Authority, asking for inspection across all telecommunication operators in order to verify in great details which are the exact information elements logged to comply with data retention laws.

Italy extends data retention to six years (29.11.2017)

Europol’s FOIA on data retention with carrier grade NAT (22.01.2018)

Documents related to the Hermes Center’s FOI request to Europol

(Contribution by Riccardo Coluccini, EDRi-member Hermes Center for Transparency and Digital Human Rights, Italy)



18 Apr 2018

Internet protocols and human rights

By Guest author

Recently, a lot of thought has been devoted to the issue of human rights and internet protocols.

Internet protocols in this context are not about content. Using email as an example, internet protocols define how your computer or device locates and communicates with your email service and how that email service locates and communicates with other email services. They define how one email service may authenticate another email service. They are not about what you put in your mail. It is about how the technology works.

----------------------------------------------------------------- Support our work - make a recurrent donation! https://edri.org/supporters/ -----------------------------------------------------------------

However, even if protocols are agnostic about what is being communicated, they can sometimes make more data than necessary visible to intermediaries. Any use of the internet requires services to be located. One current area of interest concerns how much information you need to give, and when, to locate another service. As an example, imagine going to a medical appointment. You do not start by asking about how to get to a specific department in the hospital. You start by asking how to get to a particular metro station, and when there, how to get to the hospital – and only within the hospital do you seek directions to the specific department. There is work going on to replicate that style within core internet services. For more information, see the presentation on Domain Name System (DNS) and privacy by Sara Dickinson of Sinodun at Afnic’s Open Day in 2017: https://www.youtube.com/watch?v=gQfjEFZNlLg

The Internet Engineering Task Force (IETF) is the place where internet protocols are defined. It is probably the most important standardisation body regarding the internet. It does not deal with the “whole internet”, though. Its focus is on the Internet Protocol (IP) layer. It does not deal with user interfaces or content. It does not deal with what happens in particular computers or devices. It does not develop the lower layer technologies, such as Bluetooth, WiFi, 5G and the like. But it does define many of the protocols that allow machines and networks to interoperate.

The IETF met in London from 18 to 23 March 2018. There were over 1200 participants. These included people from all the major technology players, EDRi member Article 19, Europol, the US National Security Agency (NSA), and more.

The IETF is an open evolving community of engineers that basically produces advice for engineers. The “advice” tends to be in the form of Requests for Comments ( RFCs) of which there are now over 8000. They come in various flavours from ”internet standards” to “informational” to “jokes”. The “joke” RFCs are important. They are fun, help maintain the sense of community, and they also stop organisations simply saying they follow “all IETF RFC’s” in their products.

The IETF is unlike many other standardisation bodies. It is very open. There is no membership fee and no membership list, which in turn means no community-wide voting. There are no significant barriers to participation; all people really need is the ability to work on a mailing list. Even for the big meetings more and more people are participating remotely. Decisions, however, are then “made on the list”. People participate because they find it useful; people use the standards because they find them useful.

Over the years the IETF community has taken positions on how to deal with property rights claims in developing standards, and on how to take into account security and privacy considerations – including work on the permanence of identifiers, and on law-enforcement interception and security agency mass surveillance.

The IETF also has a sister organisation: the Internet Research Task Force (IRTF) which met in London, the same venue and time. The two communities overlap to a significant extent. While IETF Working Groups focus on the shorter term issues of engineering and standards, IRTF Research Groups focus on longer-term research issues.

While some Research Groups are clearly technical there are at least two with clear policy dimensions.

Many people believe that internet access should be considered a basic human right. The Global Access to the Internet for All Research Group (GAIA) addresses the challenge of the growing digital divide between those with functional access to the Internet and those who simply cannot afford access. One of their objectives is to develop a longer-term perspective on IETF standardisation efforts and this could include recommendations to protocol designers and architects.

The Human Rights Protocol Considerations Research Group (HRPC) is chartered to research whether standards and protocols can enable, strengthen or threaten human rights, including the right to freedom of expression and the right to freedom of assembly.

Everything about these two Research Groups, well everything except the coffee and cookies, is available online – their charters, their working documents, their mail archives, instructions on how to join the mailing lists and all the meeting materials: https://irtf.org/gaia and https://irtf.org/hrpc. You are welcome to participate.

Global Access to the Internet for All Research Group (GAIA)

The Human Rights Protocol Considerations Research Group (HRPC)

Video: Domain Name System (DNS) and privacy

(Contribution by Gordon Lennox, Technologies, Droits, Responsabilités, Société association – TDRS and EDRi Advisory Board Member)



18 Apr 2018

Fighting for migrants’ data protection rights in the UK

By Guest author

Since 2014, the United Kingdon (UK) government has steadily rolled out policies to make the country a “hostile environment”  for migrants, in the words of Prime Minister Theresa May.

----------------------------------------------------------------- Support our work with a one-off-donation! https://edri.org/donate/ -----------------------------------------------------------------

This has involved turning various ordinary institutions into border protection agencies. Banks have to collect and supply data to the Home Office (the UK’s interior ministry) on their customers’ immigration status. Landlords are required to check immigration documents before rental. Schools were checking pupils’ nationality and also sharing information with the Home Office, before a boycott campaign put an end to the practice in April 2018. Hospitals, too, must process immigration paperwork before they can deliver any non-urgent treatment. The police, in some regions, are piloting a handheld biometric ID device that instantly gives street officers access to an immigration database.

In the “hostile environment”, migrants are losing the right to live free of pervasive monitoring. They’re also losing the right to basic data protection. This is particularly evident in the case of a data-sharing agreement between the National Health Service (NHS), the Department of Health, and the Home Office. This agreement, established through a Memorandum of Understanding (MoU) in late 2016, without any consultation of professionals or the public, allows immigration enforcement officers to request patient data held by NHS Digital, the database manager for public health in the UK.

The Migrants’ Rights Network (MRN) has been at the forefront of civil society responses to this scheme. MRN, together with Doctors of the World UK, Docs not Cops (a group of professionals resisting the implementation of “hostile environment” measures in the health sector), and civil rights organisation Liberty, argues that sharing data between health services and immigration control officers violates migrants’ fundamental right to patient confidentiality. Such a breach of fundamental privacy rights is all the more worrying that the Home Office has error margins of 10 percent in its decisions to target “immigration offenders” – meaning they would routinely request data for the wrong individuals.

Crucially, introducing the possibility that health services might hand over patient data to the Home Office will make many vulnerable migrants afraid to seek care. This is already a reality. During a parliamentary hearing in January 2018, elected representatives heard the tragic story of an undocumented domestic worker who avoided treatment out of fear that she could be deported, and died of otherwise preventable complications.

MRN argues that such a situation dismantles the very principles of public health, starting with duty of care and public trust in health providers. The Home Office and NHS Digital have denied this, and argue that data-sharing for immigration enforcement is “in the public interest.” Yet the only other reason NHS Digital normally supplies confidential patient data to the Home Office is in the case of serious crime, such as child abuse or murder. By putting immigration and serious crime on a similar level, this data-sharing arrangement contributes to the dramatic criminalisation of undocumented existence (already exemplified in everyday language by the expression “illegal migrant”).

The UK Parliament’s Health Committee and the British Medical Association have both asked for data-sharing to stop. The Home Office have responded by saying they need to gather more evidence of the scheme’s impact, which could take more than a year. MRN believe this is unacceptable, as lives are currently at risk. MRN is thus challenging the data-sharing agreement in court. The organisation has obtained permission for judicial review (after appeal), likely to take place during the summer 2018, and is currently raising funds to cover its potential court costs.

MRN’s legal challenge is rooted in a desire to protect public health principles and vulnerable lives, but it also has broader implications for data protection in the UK. It aims to send a clear signal that data rights cannot be stripped on the basis of nationality. This is absolutely crucial at a moment when the UK’s latest data protection law, currently being debated in Parliament, includes an exemption clause for immigration enforcement, which would prevent migrants from exercising their full rights under the EU General Data Protection Regulation (GDPR). MRN thus hopes to set a positive precedent for judicial activism on these matters, and make a strong case for non-discrimination as a pillar of data justice.

Against Borders for Children campaign: We won! DfE are ending the nationality school census!

Crowdjustice fundraiser: Stop data-sharing between the NHS and the Home Office

Making the NHS a ‘hostile environment’ for migrants demeans our country (24.10.2017)

‘Hostile environment’: the hardline Home Office policy tearing families apart (28.11.2017)

NHS accused of breaching doctor-patient confidentiality for helping Home Office target foreigners (09.11.2017)

Migrants’ Rights Network granted permission for judicial review of patient data-sharing agreement between NHS Digital and the Home Office (01.03.2018)

MRN legal challenge against NHS data-sharing deal (29.11.2017)

(Contribution by Fabien Cante, LSE Media & Communications / Migrants’ Rights Network, the United Kingdom)


18 Apr 2018

Privacy at ICANN: WHOIS winning?

By Guest author

The Internet Corporation for Assigned Names and Numbers (ICANN) has struggled over the publication of the name, address, phone number, and email address of domain name registrants since its inception in 1998. That registry is called WHOIS.

----------------------------------------------------------------- Support our work - make a recurrent donation! https://edri.org/supporters/ -----------------------------------------------------------------

WHOIS might have worked well during the 1980s when only a few researchers had domain names, but now it exposes millions of individuals to harassment and spam. So far, neither the efforts of civil society who volunteer at this multi-stakeholder organisation (notably the Noncommercial Users Constituency), nor the repeated interventions of the Data Commissioners of the world have had a lot of impact. However, there is a huge struggle going on now over compliance with the European General Data Protection Regulation (GDPR). Registrars who collect registrant data and provide it according to their contracts with ICANN have obtained legal advice that indicates they are vulnerable to significant fines.

ICANN continues to try to maintain a registrant directory that permits the continued access of many third parties, notably law enforcement agencies, trade mark and copyright holders, and private sector cybercrime investigators and reputational “blacklisters”. There has been a flurry of activity to address long-neglected privacy rights, and CEO Goran Marby has been asking for advice from the Article 29 Working Party. They answered on 11 April 2018 in a letter which was quite clear about ICANN’s failure to comply.

According to the Non-Commercial Stakeholder Group (NCSG), key issues that remain are:

  1. There is no multistakeholder process at the moment, and in recognition of the work which was going on in the WHOIS policy development process has been temporarily suspended. The CEO and the Board will make a decision, claiming it to be based on advice from the Article 29 Working Party and on “community input”. That interim policy is good for a year, during which time the community can propose changes, through a normal policy development process. Once the year is over (and the process takes a couple of months in itself to vote through a policy) the interim policy will become the final policy unless there is an agreed replacement. Given the recent history of the Registration Directory Services Policy Development Process (RDS PDP), it is highly unlikely that consensus to change the interim solution in less than a year would be achieved. This appears to be abandonment of the multi-stakeholder process, and requires close scrutiny. A multi-stakeholder process needs to remain in place to reach some kind of consensus on the biggest policy debate that ICANN has confronted in its history.
  2. The purpose of the collection, use and disclosure of registrant data is being construed to include feeding the third party actors who have always had free access to the data (in the NCSG view, often illegally).
  3. The issue of public safety and consumer protection as a reason to permit widespread access to data is unsupported by recent accurate data.
  4. The risks to individuals and small organisations have never been measured.
  5. The proposed tiered access model depends for its efficacy on a serious accreditation process. Because there is no time to develop one before 25 May, of the day the General Data Protection Regulation becomes law, an interim self-accreditation process is proposed. There may not be an appetite to work on proper standards that engage the data protection authorities, and the interim solution will not simply expose individuals to marketing, domain expropriation, spam, and risk from political adversaries. Self-accreditation risks setting up an anti-competitive regime where registrant data is held by dominant players.
  6. ICANN is still not clear as to whether it regards itself as a data controller, although a long-serving member of the ICANN community challenged them publicly on this matter at ICANN61 meeting in March 2018.It has also thus far refused to appoint a privacy officer for any registrant data related issues. What is clear to the NCSG is that ICANN is the only contracting party who has access to all escrowed data of registrants, and that they set the terms for that escrow arrangement. They also set the terms for the contracts with registries and registrars, and enforce their compliance through the Global Domains Division (compliance branch). It is worth noting that one of the recommendations of the business community proposal is that ICANN must retain access to all registrant data at all times, whatever the solution selected.
  7. For those not following the GDPR closely, the issue of who is the controller may be extremely important in terms of liability.
  8. NCSG is working on a standards development project led by a University of Toronto team, to develop proper accreditation standards for third parties to whom personal data is released by data controllers and processors. There must be strong management practices in place to ensure that the entities asking for the data are indeed who they say they are, and that their purported reasons to request the data are legitimate, limited, and proportionate. There should also be standards to ensure proper safeguarding and eventual destruction of the data, and access rights for individuals, as well as transparency except in exceptional circumstances. The Article 29 Working Party released a paper in February detailing their expectations and their own involvement in the accreditation of various processors under the GDPR; this standards proposal is working in the same vein, to explore what best management practices look like.

Working Paper International Working Group on Data Protection in Telecommunications

Working Paper on Privacy and Data Protection Issues with Regard to Registrant data and the WHOIS Directory at ICANN (27-28.11.2017)

Non-Commercial Stakeholder Group (NCSG) Positions on Whois Compliance with GDPR (16.04.2018)

ICANN: Data Protection/Privacy – Latest Announcements, Updates & Blogs

ICANN Receives Data Protection/Privacy Guidance from Article 29 Working Party (12.04.2018)

(Contribution by Stephanie Perrin, University of Toronto, NCSG Councilor)



18 Apr 2018

Cambridge Analytica access to Facebook messages a privacy violation

By Gemma Shields

Less than one month after Cambridge Analytica Whistleblower Christopher Wiley exposed the abuse of (so far) 87 million Facebook users’ data, Facebook Co-Founder, Chairman, and CEO Mark Zuckerburg testified before the US Congress.

----------------------------------------------------------------- Support our work with a one-off-donation! https://edri.org/donate/ -----------------------------------------------------------------

On 10 and 11 April, Zuckerberg provided testimony in a joint hearing of the Senate Judiciary and the Senate Committee on Commerce, Science, and Transportation, and then to the House Energy and Commerce Committee. He faced questions on a number of democracy-disrupting and privacy-violating issues to which the social media giant has been a party, not least the composition – and use – of personally identifiable data as part of the Facebook-Cambridge Analytica scandal.

This scrutiny gave rise to uncertainty over what Facebook user data Cambridge Analytica had access to, and of just what this personal data comprised. What began as the personality app “This is Your Digital Life”, designed by researcher Aleksander Kogan and installed by 270 000 Facebook users (which in turn provide access to the data of at least 87 million users), resulted in data consulting firm Cambridge Analytica having access to the private inbox messages of users.

This revelation, whilst a part of the unfolding exposé, was confirmed in the notifications that began appearing at the top of users News Feeds which read “a small number of people who logged in to ‘This is Your Digital Life’ also shared their own News Feed, timeline, posts, and messages which may have included posts and messages from you.”

With a global reach, the scandal has implications for users worldwide. In the European Union, such access to personal data would be prohibited by the proposed ePrivacy Regulation. Current ePrivacy rules on access to the content of communications do not cover Facebook, although this would change under the proposed ePrivacy Regulation.

So far, lobbyists from Facebook and its allies have lobbied Member States in the EU Council successfully to slow down the adoption of the new Regulation – and not even this scandal has been able to persuade EU Ministers (many of whom signed a letter arguing that our fundamental rights should be “balanced” with “digital products and services” of the need that Facebook’s access to private communications needs to be restricted.

On how such abuse could happen, a Facebook spokesperson said: “In 2014, Facebook’s platform policy allowed developers to request mailbox permissions but only if the person explicitly gave consent for this to happen. At the time when people provided access to their mailboxes – when Facebook messages were more of an inbox and less of a real-time messaging service – this enabled things like desktop apps that combined Facebook messages with messages from other services like SMS so that a person could access their messages all in one place. According to our records only a very small number of people explicitly opted into sharing this information. The feature was turned off in 2015.”

Conditions for consent – as per Article 7 of the General Data Protection Regulation (GDPR) – cannot have been met, however, and in particular, the explicit consent of 87 million users to access to and repurposing of their personal data has not been obtained.

Users can check if their personal data was harvested and misused by Cambridge Analytica here: https://www.facebook.com/help/1873665312923476?helpref=search&sr=1&query=cambridge

Transcript of Zuckerberg’s appearance before the House committee (11.04.18)

Facebook scandal: I am being used as scapegoat – academic who mined data (21.03.18)

Revealed: Aleksandr Kogan collected Facebook users’ direct messages (13.04.18)

Cambridge Analytica Could Have Also Accessed Private Facebook Messages (04.10.18)

How can I tell if my info was shared with Cambridge Analytica?

(Contribution by Gemma Shields, EDRi intern)



18 Apr 2018

DPAs require urgent action on air passenger surveillance

By Maria Roson

The Working Party 29 (WP29) is an advisory body composed of representatives from the data protection authority of each EU Member State, the European Data Protection Supervisor (EDPS) and the European Commission.

----------------------------------------------------------------- Support our work - make a recurrent donation! https://edri.org/supporters/ -----------------------------------------------------------------

On 11 April, the WP29 has requested the Commission to take action and revise Passenger Name Records (PNR), policies based on the Opinion 01/15 of the Court of Justice of the European Union (CJEU). The CJEU found in its opinion on the EU PNR agreement with Canada that the envisaged agreement is in part not compatible with Articles 7, 8, 21 and 52 of the Charter of Fundamental Rights of the European Union. However, no relevant progress has been made concerning this agreement, nor with the PNR agreements with Australia and the US, nor the EU PNR Directive.

The WP29 expressed the concern that there were a number of issues highlighted by the CJEU that need urgent review:

1. Need for clear and precise description of the personal data collected
The PNR Directive, and particularly the PNR agreements with Australia and the US, contain language which is not specific enough and which does not sufficiently describe what kind of data will be collected. This can lead to excessive amounts of data which are not necessary or proportionate for the purposes of the Directive.

2. Exclusion of sensitive data
The Court points out that the transfer of sensitive data requires a precise and particularly solid justification, based on grounds other a simple reference to the protection of public security against terrorism and serious transnational crime. The processing of sensitive data has been prohibited by the EU legislator regarding the PNR Directive, but the agreement with the US allows for sensitive data to be retained and processed.

3. An independent authority needed to monitor disclosure of personal data
The retention of the data for as long as the passengers are in the third country has been considered to be in compliance with the Charter. However, the CJEU held that the access to the retained PNR data must be subject to a prior review either by a court or by an independent administrative body. Neither the PNR agreement with the US nor with Australia includes an obligation in line with the Court’s holding. With regard to the EU PNR Directive, Article 12 (3) makes disclosure of the full PNR data subject to approval by a judiciary authority or an undefined “another national authority competent under national law” after a period of six months.

4. Deletion of PNR data after departure if there is no evidence of risks
The CJEU stated that PNR data could not be stored after the passengers’ departure from the third country except for specific cases for which objective evidence can demonstrate a risk of a passenger. However, none of the instruments includes an obligation to delete it after the departure of the passenger if no objective evidence demonstrates this potential risk. Furthermore, the data retention periods are different in the Directive and PNR agreements for no obvious reason.

5. Limits to disclosures to third countries
The CJEU held that third country authorities which have received PNR data may only transfer that data to another country if the EU has made a PNR agreement with that country or if it has found it to uphold adequate data protection norms. Nonetheless, in the cases of the agreements with Australia and the U, there are no such limitations.

6. Oversight by an independent supervisory authority
The CJEU stressed the necessity of independent oversight of the PNR data protection safeguards of the EU/Canada agreement. This issue does not appear as problematic with a view to the PNR directive and the agreement with Australia, but it is particularly relevant for the agreement with the US. This agreement provides that compliance with the data protection safeguards is primarily subject to review by the Privacy Officers of the Department of Homeland Security, and thus not by an independent administrative body.

Therefore, further protection of passengers’ privacy must be ensured. The PNR agreements with the US and with Australia suffer from a range of deficiencies. As for the EU PNR Directive, it seems clear that it is at least partly not in compliance with the requirements expressed by the CJEU. The European Commission, as Guardian of the Treaties, needs to take urgent action in order to ensure compliance with the Charter of Fundamental Rights, of both the EU PNR Directive and the agreements.

Letter of the Chair of the Article 29 Working Party to EU Commissioners (11.04.2018)

Charter of Fundamental Rights of the European Union

EU PNR Directive (27.04.2018)

FAQ: Passenger Name Records (PNR) (09.12.2015)

Legal Service Opinion on CJEU Data Retention ruling (14.01.2015)

(Contribution by María Roson, EDRi intern)



16 Apr 2018

EU “e-evidence” proposals turn service providers into judicial authorities


Today, 17 April, the European Commission unveiled two proposals: a Regulation on cross-border access to and preservation of electronic data held by service providers and a Directive to require service providers to appoint a legal representative within the EU.

The core of the Commission’s “e-evidence” initiative is that national judicial or administrative bodies can ask a service provider, such as Facebook, based in another EU Member State, to produce and to preserve data for the investigation or prosecution of a crime. Currently, national judicial authorities receive and authorise foreign requests, in order to ensure that fundamental rights are protected. The European Union very recently adopted the European Investigation Order to improve the efficiency and speed of cross-border criminal investigations within the EU. Member States had until 22 May 2017 to implement it. Before any proper assessment of this measure has been possible, the EU now seems to be rushing into making these new proposals, following in the steps of the United States.

“The Commission is proposing dangerous shortcuts to allow national authorities to obtain people’s data directly from companies, basically turning them into judicial authorities”, said Maryant Fernández Pérez, Senior Policy Advisor at European Digital Rights (EDRi). “States have legal obligations to respect and defend people’s fundamental rights. Companies do not have such legal obligations. If companies are coerced into handing over citizens’ data, our existing rights are put at risk.”

EDRi is concerned that, if adopted, this Regulation would be putting companies at the same level as a court or a state. In fact, companies would be exempted from liability if they hand over data in response to an illegal or incorrect order. This means that if there is an invalid order which the company complies with (due to fear of sanctions for non-compliance), and if an exception to user-notification is used to keep this order secret, it will be very difficult for the user to defend her/his rights.

The only way to credibly propose any legislation in the area of cross-border access to data would have been to comprehensively improve and enhance the existing judicial cooperation framework. The current framework is based on “mutual legal assistance treaties” (MLATs) for cooperation with countries outside the EU. Inside the EU, the recently adopted European Investigation Order (EIO) facilitates efficient cross-border access to data. The European Commission chose to propose a new legal shortcut to bypass existing measures, maximising risks for fundamental rights violations. The proposals will now be subject to the scrutiny of the European Parliament and Member States gathered in the Council of the European Union.

EDRi’s response and annex to the European Commission’s consultation on cross-border access to e-evidence (16-27.10.2017)

Statement of the ART 29 WP on e-Evidence (07.12.2017)

CLOUD Act: Civil society urges US Congress to consider global implications (19.03.2018)

The U.S. CLOUD Act and the EU: A Privacy Protection Race to the Bottom (10.04.2018)

European Commission proposals on cross-border access to data (17.04.2018)



12 Apr 2018

We are looking for a new Executive Director

By Kirsten Fiedler

European Digital Rights (EDRi) is an international not-for-profit association of 35 digital human rights organisations from across Europe. We defend and promote rights and freedoms in the digital environment, such as the right to privacy, freedom of expression, and access to information. This job announcement is part of the upcoming leadership change and transition that we are currently preparing for.

The Executive Director provides overall leadership and management of the strategy, policy, resources, operations and communications of EDRi. The Executive Director is responsible for the management of the organisation and all aspects of its operations. S/he should be deeply committed to the organisation’s values and mission and drive forward a joint vision for the organisation in line with the organisation’s objectives. While the Executive Director is not expected to be a specialist in specific operations (campaigns, fundraising, HR, administration, finance, etc), s/he has a sufficient grasp of all domains to ensure that staff members can achieve their objectives and that they and the EDRi members can work well together to achieve the organisation’s mission.

We are an equal opportunities employer with a strong commitment to transparency and inclusion. People from all backgrounds are encouraged to apply and we strive to have a diverse and inclusive working environment.

Job title: Executive Director
Start date: 1 July 2018
Reports to: Board of Directors, the Executive Director’s work is evaluated by the Board on a yearly basis.
Line-manages: policy, advocacy, campaigning, communications, fundraising and organisational support.
Scope: staff members 7, annual budget of approx. 800k euro.


1. Leadership, organisation mission and strategy

  • steer the organisation in its learning, growth and development
  • provide leadership and management for the organisation
  • lead strategic planning processes
  • implement strategic plans and ensure rigorous evaluation
  • prepare general assemblies (GAs) and attend in an advisory capacity
  • support the Board, and prepare quarterly financial and narrative reports
  • formulate annual objectives for all work areas and evaluate them
  • represent the organisation at events
  • support development of policy strategy and taking of tactical decisions

2. Financial sustainability and oversight

  • prepare the yearly budget, oversee expenditure
  • oversee and contribute to the raising of funds from foundations corporations and individual donors
  • maintain good relations with donors and oversee reporting to them
  • oversee fiscal management operating within the approved budget
  • ensure that sound bookkeeping and accounting procedures are followed
  • ensure that the organisation complies with relevant legislation and grant contracts

3. Organisation operations

  • ensure the implementation of Board decisions
  • ensure that the Board is made aware of all matters requiring a Board decision
  • inform the Board of all developments of major significance to the organisation
  • hire staff members,
  • oversee internal human resources policies and ensure staff retention,
  • provide oversight of all staff and organise weekly meetings with staff,
  • foster effective team work and establish a positive work environment,
  • set up and evaluate the individual objectives with staff members,
  • undertake regular one to one meetings with all staff,
  • undertake annual appraisal and identify training needs and opportunities for staff, in order to develop their skills and ensure they do the same with the staff or interns/trainees they oversee,
  • sign contracts and other agreements on behalf of EDRi,
  • give or refuse final approval for any unforeseen use of resources.


  • A bachelor’s degree or higher
  • senior management experience would be a plus
  • solid, hands-on financial and budget management skills
  • strong organisational abilities, especially for planning, delegation and project management
  • ability to develop and convey the vision of EDRi’s strategic future to staff, Board, network and donors
  • ability to build trusted relationships with, and to collaborate with and oversee all staff
  • knowledge of EU policy-making processes
  • knowledge and/or experience in understanding the NGO sector
  • awareness and knowledge of the EU’s political environment
  • knowledge of the digital rights field and affinity with EDRi’s values and mission,
  • knowledge and/or experience in the field of human resources management
  • knowledge and/or experience in fundraising unique to nonprofit sector
  • knowledge and/or experience in conflict resolution
  • public speaking skills
  • ability to interface and engage EDRi’s main stakeholders


  • Passionate, idealistic, enduring, team player, diplomatic, discreet, patient, mission-driven, self-directed, and committed to knowledge-sharing and high-integrity leadership.


  • fluency in written and spoken English,
  • fluency in written and spoken second language (ideally French or Dutch),
  • strong written and verbal communication skills,
  • budgeting (oversight, presenting, monitoring),
  • knowledge of free and open source operating systems and software are a plus.


To apply please send a maximum one-page cover letter and a maximum two-page CV (only PDFs are accepted) by email to julien.bencze[at]edri.org. Closing date for applications is 3 June 2018. Interviews with selected candidates will take place around mid-June, with a start date of (ideally) 1 July.


10 Apr 2018

We urgently need a policy intern to join our team of superheroes!

By Diego Naranjo

European Digital Rights (EDRi) is an international not-for-profit association of 35 digital human rights organisations from across Europe. We defend and promote rights and freedoms in the digital environment, such as the right to privacy, freedom of expression, and access to information.

Join EDRi now and become a superhero for the defense of our rights and freedoms online!

The EDRi office in Brussels is currently looking for one intern to support our policy team. This is your opportunity to get first-hand experience in EU policy-making and contribute to a change in favour of digital rights and freedoms across Europe. The selected candidate should be able to start as soon as possible. The contract will last until 21 July 2018. The internship is paid 750,- EUR per month.

Key tasks:

  • Research and analysis on data protection, privacy, copyright;
  • Monitoring international, EU and national related policy developments;
  • Organising and participating in meetings and events;
  • Assisting with writing of the EDRi-gram newsletter;
  • Assisting with preparing draft reports, presentations and other internal and external documents;
  • Assisting with preparing communication tasks;
  • Development of public education materials;
  • Find out more about internships at EDRi.


  • A demonstrated interest in and enthusiasm for human rights and technology-related legal issues;
  • Good understanding of European decision-making;
  • Experience in the fields of data protection, privacy, copyright would be an asset;
  • Excellent research and writing skills;
  • Fluent command of spoken and written English;
  • Computer literacy.

How to apply:

To apply please send a maximum one page cover letter and a maximum two page CV in English and only in .pdf files (other formats – such as doc and docx – will not be accepted) to diego.naranjo(at)edri.org.

We are an equal opportunities employer with a strong commitment to transparency and inclusion. People from all backgrounds are encouraged to apply and we strive to have a diverse and inclusive working environment.

The closing date for applications is 27 April 2018 but we will select candidates as soon as possible as we receive their submissions. Please note that due to scarce resources, only shortlisted candidates will be contacted.

10 Apr 2018

Stop the #CensorshipMachine!


In September 2016 the European Commission proposed a controversial Copyright Directive that, if accepted, will threaten our freedoms online.

The European Parliament Committee on Legal Affairs (JURI) is set to vote on the issue in June, and your action is needed to stop the “censorship machine”!

What can you do?

See the list of JURI Committee members and follow the instructions on savethememe.net to contact an MEP through the free calling tool.

Don’t know what to tell them? Use our script to have a few speaking points at hand when you make the call!

#CensorshipMachine – How will the decision be taken? (19.03.2018)

Time to stop the #CensorshipMachine: NOW! (30.11.2017)

The Civil Liberties Committee rejects #censorshipmachine (21.11.2017)

Proposed internet filter will strip citizens of their rights: Your action is needed! (28.03.2018)

Copyright reform: Document pool

Our Freedom of Speech Is Threatened by the European Copyright Proposal – Here’s How

Say No to Online Censorship in Europe! (09.03.2018)

5 Devastating Effects of the EU’s Copyright Proposal (29.03.2018)