26 Mar 2015

EDRi needs an intern!

By Heini Järvinen

European Digital Rights (EDRi) is an international not-for-profit association of 33 digital civil rights organisations from 19 European countries. We defend and promote rights and freedoms in the digital environment, such as the right to privacy, freedom of expression, communication and access to information.

The internship will go from the 1st of September to the 18th of December 2015.

Key tasks:

  • Assisting with writing of the EDRi-gram newsletter;
  • Research and analysis on a range of policy topics;
  • Monitoring international, EU and national related policy developments;
  • Organising and participating in meetings and events;
  • Assisting with preparing draft reports, presentations and other internal and external documents;
  • Assisting with communication tasks;
  • Development of public education materials.


  • A demonstrated interest in and enthusiasm for civil liberties or technology-related legal issues;
  • Excellent research and writing skills;
  • Fluent command of spoken and written English;
  • Computer literacy.

How to apply:

To apply, please send a maximum one-page cover letter and a maximum two-page CV by email to michela.petruzzo[at]edri.org.

The closing date for applications is 10 April 2015.

25 Mar 2015

Patriot Act à la française: France to legalise unlawful surveillance

By Guest author

In recent years, France has increasingly tightened its laws on crimes committed on the Internet. The bill on Intelligence announced on 19 March by the French Prime Minister, Manuel Valls, is fully consistent with a history of repressive Internet legislation that runs from the LOPPSI law voted in 2012 to the latest anti-terror law voted in November 2014.

The LOPPSI law is the keystone of a comprehensive framework of administrative blocking of websites. This law, adopted in 2012, still needed its decree so that websites hosting child pornographic content could be blocked, but the decree was late to be published. Meanwhile, two more laws concerning terrorism and security were adopted: the 2014-2019 Defence Law (Loi de Programmation Militaire) in December 2013 and the latest anti-terror law in November 2014. The first one allows real-time wiretapping of phone calls without the need for judicial authorisation, and the retention of metadata from any type of terminal. The anti-terror law allows administrative blocking of websites considered to condone violent acts of terrorism.

Those three laws have already sparked a great deal of criticism among civil society and private actors for being too repressive and destroying the balance of powers, a pillar of every democratic regime, by weakening the role of the judiciary with regard to surveillance. The measures were also attacked on the basis that they can be easily bypassed.

After the tragic events in Paris in January 2015, Manuel Valls announced a new law on Intelligence, while French people were gathering around the democratic values of the French Republic to stand against terror. At the same time, the processes of the publication of the LOPPSI and the anti-terror decrees were accelerated, resulting in their publication in late February 2015, and allowing administrative blocking of websites without the intervention of a judge. The failure to differentiate information, and thus free speech, from propaganda in the blocking orders demonstrated the importance of a judge in the decision-making process for blocking websites. Restricting free speech is so important that it demands a fair and transparent process.

Unsurprisingly, the Bill on Intelligence presented in the Council of Ministers on 19 March 2015 goes further in the logic of weakening the judicial control, and formally permits a number of previously illegal practices used by the Intelligence services. Among the measures presented in the bill are IMSI-catchers, geolocalisation of cars, wiretapping of private places and vehicles, requests to access networks of private Internet Service Providers (ISPs) and, more disturbingly, if possible, black boxes put on the network in order to guess at the identity of terrorists through a matching algorithm. All of those would be allowed without any judicial authorisation. There would be a possibility for an “a posteriori” control – a measure that can be considered too weak as a guarantee for human rights, privacy and democracy, compared to the scope of intrusion.

The announcement of this bill was met with heavy criticism from a large number of associations defending civil liberties, as well as from private companies. The bill is widely considered to legalise mass surveillance and constitute a French Patriot Act. It will be studied in April by the French Parliament. La Quadrature du Net, a French organisation promoting digital rights, will campaign to communicate to French parliamentarians and citizens that after Snowden’s revelations this type of state-organised mass surveillance is unacceptable for a democracy.

Intelligence reform & the French government’s disastrous drift on surveillance (17.03.2015)

Intelligence law: The black box reveals its shadows (only in French, 20.03.2015)

Islamic-news.info blocked without court order for endorsing or inciting to terrorism (only in French, 16.03.2015)

France pushes for scrubbing Internet of terrorism-related content (19.01.2015)

The lonely battle of the opponents of the bill on Intelligence (only in French, 23.03.2015)

(Contribution by Christopher Talib, La Quadrature du Net, France)



25 Mar 2015

Copyright exceptions and limitations – back to the future

By Joe McNamee

The noise around the non-legislative report of the European Parliament on the Copyright in the Information Society Directive (also known as the InfoSoc Directive and Directive 2001/29/EC) in Brussels is deafening. With one Committee still to table its amendments, the total number of amendments has already reached 759.

Part of the reason for this is that one of the issues being discussed is exceptions and limitations to copyright. Any suggestion of harmonisation, predictability or flexibility is met by energetic opposition by those who claim to speak on behalf of authors. To assess how credible this opposition is, we should look back at some of the lobbying against the only mandatory exception in the Directive – for temporary technical copies.

In the Directive, the European Commission proposed an exception to copyright for copies that are made in networks. Every transfer of a file on a network makes a copy of some description – to get from a to b, the file needs to be in the network for at least a moment. For this reason, it was obvious that temporary, technical copies should not be subject to a separate authorisation from rightsholders. This was clearly uncontroversial – or it should have been.

There was a huge lobby against this exception. The European Publishers Council (EPC) raised several major concerns. Firstly, they argued that only authorised files should be subject to this exception. So, if you accessed an unauthorised file online, this would automatically make your internet access provider guilty of a copyright infringement.

The EPC went on to argue that the exception would create “a gaping hole in rightsholders’ protection under the reproduction right”, which it explained was a “core right in both the analogue and digital worlds”. It said, but did not explain, that the restriction that such copying could have “no independent economic significance” was not enough to stop the copying of files that were of independent economic significance.

Overall, the text of Article 5.1 (as well as article 5.2b and Article 6) represented “an unacceptable threat to rightsholders”.

So, what happened when this “unacceptable threat” to rightsholders was transposed into national law in the European Union? Absolutely nothing.

The definition proved fully adequate. The safeguards proved fully adequate. No “gaping hole in rightsholders’ protection under the reproduction right” was created. Nothing. After all of the warnings. Nothing.

The damage that would have been caused by heeding the EPC’s warnings, on the other hand, is easier to demonstrate. Canadian legislators failed to implement a clear exception for temporary technical copies. The copyright industries did what one would have expected – they demanded royalty payments to authorise internet providers to do their jobs. This created an extended period of legal uncertainty for internet service providers at a crucial moment in broadband rollout, which only ended when the case was appealed to the Supreme Court, which ruled on the case in 2004.

Position Paper on the Proposal for a European Parliament and Council Directive (97/0359 COD) on the harmonisation of certain aspects of copyright and related rights in the Information Society

Canadian High Court takes copyright heat off ISPs (07.01.2004)

Parltrack summary of non-legislative work on Copyright in the Information Society Directive

(Contribution by Joe McNamee, EDRi)



25 Mar 2015

In Germany, Data Retention refuses to die

By Guest author

The debate is intensifying in Germany on whether telecommunications data retention should be reintroduced. At the centre of the controversy is Sigmar Gabriel, the leader of the Social Democrats (SPD, the smaller party in Germany’s “grand coalition” government since 2013), and consequently a government minister for the economy and chancellor Angela Merkel’s deputy. Gabriel’s role is pivotal because his party would be the focus of any hope of balancing calls for data retention from the larger coalition partner, the Christian Democrats (CDU/CSU).

Data retention has been judged, twice, to illegally violate fundamental rights under the German constitutional framework. In March 2010, a ruling by Germany’s Federal Constitutional Court struck down Germany’s national data retention law that had implemented the European Union’s Data Retention Directive since the end of 2007. In April 2014 the Directive itself was invalidated by the Court of Justice of the European Union (CJEU).

This U-turn has happened almost simultaneously with another major shift in policy for the SPD, which changed the party’s position on the transatlantic free-trade agreement TTIP, to which it was previously opposed.

On data retention, Gabriel has surprised many with the strange range of arguments he has used to defend his position. He says he never really opposed the measure; in fact, he voted for its introduction in 2007. But since the European Commission gave up its plans to introduce a new Data Retention Directive after the CJEU’s ruling, it has become clear that the plan is to leave it to Member States to muddle their own ways through this question.

After the recent terrorist attacks in Paris and Copenhagen, Gabriel has shown little restraint in using just any event or argument to portray data retention as indispensable. This includes the claim that data retention was an important means for Norway to deal with right-wing terrorist Anders Breivik’s attacks in 2011. This seems weird as Norway didn’t have a law for data retention in 2011 and still doesn’t have one today. After making this claim twice and being challenged on this, the latest statement from the SPD is that Norway used the instrument without legal basis, with support from US secret services. So, allegedly Norway’s authorities have disregarded their own country’s law and relied on organisations known to operate without any regard for legal boundaries, whose methods may or may not fall under the European definition of telecommunications data retention. How this should make Europeans accept a surveillance instrument whose effectiveness is questionable and which clearly requires strict legal controls is hard to imagine, probably even for Gabriel himself.

Other examples of fact bending include a claim that the previous data retention law had been the work of a Christian Democrat-Liberal government, when in fact it was introduced in 2007 by a previous CDU–SPD “grand coalition” (in which Gabriel himself served as environment minister), and misrepresentations of the points where the Constitutional Court ruling of 2010 had found fault with that previous law.

Sigmar Gabriel has now made up his mind that the time has come to work on a new German data retention law and push it through the Bundestag. He has recently instructed SPD’s Heiko Maas, Minister of Justice, previously an outspoken sceptic of data retention, to come up with a draft law in cooperation with the Interior Minister, CDU’s Thomas de Maizière. Getting a majority in Parliament will not be a problem, given the coalition’s almost 80-percent majority of seats. But what the true motives are and how the measure could be seen as constitutional after the court rulings, remains a mystery.

Data retention in Norway must actually be called NSA (only in German, 20.03.2015)

SPD leader Sigmar Gabriel calls for data retention to be reintroduced (only in German, 15.03.2015)

Sigmar Gabriel retains misapprehensions (only in German)

An almost impossible law (only in German, 23.03.2015)

(Contribution by Sebastian Lisken, EDRi-member Digitalcourage, Germany)



25 Mar 2015

Denmark plans to preserve illegally collected medical data

By Guest author

In Denmark, a controversial plan to prevent illegally collected medical data from being deleted has become a hot topic for the government. The plan involves transferring the data to the National Archives, which has an exemption in the Danish data protection act.

Under the Danish health care act, general practitioners can transfer medical data to a third party without consent from the patients if it is done for limited groups of patients and if analysis of the data can be used to improve the treatment of patients. This provision was used to create a central database known as Danish General Practice Database (DAMD) with the Region of Southern Denmark as the data controller.

DAMD was limited to the diagnosis for diabetes at the outset in 2007, but within a couple of years, all ICPC diagnosis data from general practice was being transferred to DAMD. This is clearly illegal, since the data collection without consent is no longer done only for limited groups of patients.

In November 2014, the Danish Minister for Health and the Region of Southern Denmark finally admitted that most of the medical data in DAMD is collected illegally. The natural next step would have been to delete the illegally collected data, but the Minister for Health stated publicly that he would prefer that this does not happen.

Within a week of the comment by the Minister for Health, the Danish National Archives suddenly decided that DAMD is a unique database which should be preserved at the National Archives. The data protection act has an exemption for transfer of personal data to the Danish National Archive, so that this can be done without consent. Based on an administrative authority in the national archive law, the Danish National Archives instructed the Region of Southern Denmark to retain the illegally collected medical data until further notice.

Privacy activists, including EDRi-member IT-Pol Denmark, object to this blatant abuse of the national archive law to essentially whitewash an illegal data collection of highly sensitive medical data. The Ministry of Culture has the responsibility for the National Archives. After an initial promise to delete the illegally collected data by mid-February 2015, the culture minister Marianne Jelved decided to preserve DAMD at the National Archives.

Together with this decision, the minister proposed an amendment to the archive law which blocks access to illegally collected medical data for up to 230 years. However, these restrictions can always be removed by another amendment in a couple of years (the amendment law must be revised after no more than five years). Moreover, no assessment has been made of the costs of storing the highly sensitive medical data securely for 230 years, so that it could be used for historical research starting in 2245.

While the Danish government and parliament consider the fate of the DAMD database, Danish citizens can use their right under the data protection act to demand that their own illegally collected data is deleted. However, the order from the Danish National Archives prevents the data controller from deleting the entire DAMD database.

On 18 March, the Ministry of Culture was forced to admit that the Danish National Archives have used an inappropriate administrative order for demanding that DAMD is preserved. The correct administrative order for records held by the Danish regions places DAMD in the category of records to be discarded when no longer needed. The Ministry of Culture apparently sees this as a minor problem which can be solved simply by issuing an amended administrative order which places DAMD in the preservation category. However, before the new administrative order can take effect, there must be a formal consultation period. The deadline for consultation responses is set at 27 March, and the new administrative order will take effect from 7 April.

On 19 March, the Region of Southern Denmark found out that there is currently no proper legal basis for demanding the preservation of DAMD by the National Archives, and decided that the entire database will be deleted. Rather than just doing it, the region sent a letter to the Ministry of Culture stating that DAMD will be deleted on 24 March at noon.

The Danish National Archives and the Ministry of Culture responded almost immediately to this “threat” of restoring the rule of law by deleting illegally collected medical data. On 20 March, the deadline for the consultation was moved forward to March 23 (giving one working day for consultation responses), and the new administrative order will take effect on March 24, just in time to prevent the planned deletion of the entire DAMD database.

The only public comment from the Minister of Culture on these absurd developments is that the illegally collected medical data must be preserved in order to document illegal acts in the public administration for future generations. This is a rather strange argument since the illegal data collection has been documented extensively in several reports from government agencies. Moreover, the proposed blocked access wouldn’t allow any exceptions for the first 120 years, and this would also prevent using the data to document the illegalities.

Who wins the race for deletion of our medical data in DAMD? DenFri (only in Danish, 22.03.2015)

Illegally collected health data will not be deleted under Danish law, Medium (15.12.2014)

Danish General Practice Database

The Danish National Archives (Rigsarkivet)

(Contribution by Jesper Lund, EDRi-member IT-Pol, Denmark)



25 Mar 2015

Bad analogies and the threat to “cybersecurity”

By Guest author

In policy discussions about the online world a general pattern repeats: The online sphere is differentiated from its offline equivalent by adding the prefix “cyber”, giving it both immediacy and generating a fear of the unknown “cyberworld”. Then, in order to explain “cyberspace”, practitioners draw analogies between cyber and non-cyber, often being blissfully unaware of, or indifferent to, the invalidity of the comparisons.

Often, simplistic distinctions are made only to be “bridged” by means of equally simplistic – and politically expedient – analogies, leading to poor or even dangerous policies. Here we will focus on two clear examples stemming from recent news, namely Germany’s and Switzerland’s capability to hack computer systems and networks located abroad.

In Switzerland, the National Council, the higher chamber of the parliament and, in this case, the first to vote on the issue, has approved the plans of the defence minister that envisage an extensive broadening of the Federal Intelligence Service’s competences. Not only will the Service have increased surveillance capabilities – both concerning Swiss and foreign citizens – but it will also be given the option to attack foreign computer systems and networks.

The legislative proposal states the Swiss executive can in – undefined – “special circumstances and to preserve national interests” allow the Federal Intelligence Service to hack foreign systems. Defence Minister Ueli Maurer specifically mentioned economic espionage as one of the threats on which the service could act, hinting thus at a broad interpretation of “national interest”. What is more, such attacks can be undertaken not only to fulfil intelligence agencies’ classical goal of collecting information: they can also disrupt foreign systems if these are used to attack Swiss infrastructure. It is important to note that these decisions are not taken by the parliament but the executive, which can in “minor cases” (again lacking a clear definition) delegate decision-making power to the director of the federal intelligence service.

The analogy here runs of course between the standard “offline” field of operations in which national intelligence agencies have worked for years and the new field and threats they perceive in the digital world. Foreign spies in Switzerland could be stopped when they snooped on Switzerland’s soil, why not do the same online?

Well, for one, these activities now require actively disrupting systems located abroad. What is more, the Swiss defence minister and parliament seem not to have paid sufficient attention to the fact that in the online sphere one cannot easily distinguish between acts perpetrated by states and those of private entities. The tools and methods used to compromise systems online are essentially the same for everyone, which makes it difficult to ascertain who did what. This can be observed after each major hacking incident, when conspiracy theories and (often false) accusations abound. What would, for example, happen if a functionary of a Swiss state institution by accident decided to disrupt the computer systems of an innocent state?

A similar case in Germany shows us something else – what is framed as active (counter-)intelligence work in the Swiss case can just as easily be defined as “cyberwarfare”. The German Federal Defence (“Bundeswehr”) has recently shed more light on its “Computer Network Operation” unit, which is developing its ability to wage war using the Internet. The unit has the stated goal of infiltrating, exploring, manipulating and destroying foreign networks – a scope of actions very similar to the Swiss case. However, unlike in Switzerland, it is Germany’s armed forces that act, and attacks are only allowed in a state of war and thus require a mandate by the German Bundestag.

The German government intends its “Computer Network Operation” unit to be able to act without ever making it known that the German army was behind the attacks. The argument here is that the identification requirement for soldiers only extends to the actual persons (“cyber soldiers” will have to wear official uniforms, too) but not to the technologies they use. Ground troops do not need to announce that it was them who shot a rocket, and thus Germany’s “cyber-troops” do not have to sign their hacks either.

The analogy of course conveniently forgets that military activities in the offline world cannot usually be confused with civilian activities, whereas the digital world makes it very difficult to distinguish the two. Consequently, retaliation might very likely strike the wrong target – either not the state that actually perpetrated the attack or possibly even a civilian actor.

The digital rights and hacker community has long criticised the obsession with “cyber” that many policy-makers seem to have fallen victim to or actively exploit. The fact that the same activity can be framed as either an intelligence operation or “cyberwarfare” in these examples shows the arbitrariness of the analogies that many policy-makers draw between the analogue and digital world.

More importantly, these analogies are also dangerous: An action by the Swiss Federal Intelligence Service might be interpreted as an act of war by a government looking at the same incident through a different prism. Adding to this the fact that perpetrators – and thus potential targets – cannot be easily identified, the danger to what is commonly called “cybersecurity” is clear indeed.

Secret service will be able to disrupt foreign computer networks (only in German, 17.03.2015)

Government proposes allowing army to hide their involvement in cyber attacks (only in German, 12.02.2015)

Swiss secret service should protect the financial market like a “Mini-NSA” (only in German, 18.03.2015)

(Contribution by Julian Hauser, EDRi intern)



25 Mar 2015

Parliament’s work on copyright enforcement – not worth copying

By Joe McNamee

The European Parliament’s Committee on Culture and Education (CULT) adopted an Opinion on Intellectual Property Rights (IPR) enforcement, in response to the European Commission’s Communication entitled “Towards a renewed consensus on the enforcement of Intellectual Property Rights: an EU Action Plan”.

It starts by offering support for “the” “follow the money” approach. The only problem here is that there is no “the” follow the money approach. The Commission’s Communication does not describe it, referring instead to “a” follow the money approach, that could be used to deprive “commercial scale” infringers of revenue streams. This might be an expansion of the US model, where US companies like Visa, MasterCard, PayPal and Google (who have been lobbying extensively for this) would act as a world police, removing services from companies around the world that are accused of breaching US copyright or trademark law. It might also be a rule-of-law based approach, whereby European courts could apply orders requiring payment or advertising services to withdraw payments on a case-by-case basis. It is not clear whether the Culture Committee does not know or does not care that “the” approach it supports does not exist, or could mean so many different things.

The report then goes on to mash together two different studies – one on “IP intensive industries”, whose methodology has been comprehensively shown to be inadequate, and one on “cultural and creative sectors” which is widely quoted but rarely referenced, either on the Commission or Parliament websites. Its methodology and assumptions have also been shown to be dubious.

Worries are also expressed about the physical dangers of digital infringements, with Parliamentarians concerned about the potential health and safety risks associated with commercial scale IPR infringements, particularly among the younger generations growing up in the digital era.

The Opinion also places huge hope in private companies suddenly deciding that they are motivated, without any possible anti-competitive reasons, to enforce IPR. The Committee supports the Commission’s call for “due diligence” in the supply chain. The issue of privatised law enforcement is so simple in the eyes of the Committee that this can be described in one sentence. The approach covers the supply of physical goods and of digital goods and in every part of the supply chain, including internet companies and even end users. This approach is so enthusiastically supported that, having demanded this once, the Opinion then demands it again, in the context of voluntary “self-regulation” of everyone, including end users.

It seems just a little fanciful that ordinary citizens (“end users”) will develop “due diligence” and “self-regulatory” mechanisms. It seems equally fanciful that private companies will spontaneously do this in a way which is simultaneously proportionate, competitively neutral, not counterproductive and effective – and that this unlikely coincidence is going to remain stable in a digital environment which is constantly changing.

Finally, the Opinion does recognise the dangers of excessive IP enforcement measures and calls for remedies to be put in place for “platforms that are adversely affected by any measures”. Citizens that are adversely affected are, however, not mentioned.

The Opinion was adopted with 20 votes in favour, 9 against and two abstentions.

Opinion of the Committee on Culture and Education on “Towards a renewed consensus on the enforcement of Intellectual Property Rights: an EU action plan” (2014/2151(INI)) (05.03.2015)

IPR intensive industries: Contribution to economic performance and employment in the EU, Industry-level analysis report, September 2013

EPO and OHIM publish misleading report on intellectual property rights intensive industries in EU economy (01.10.2013)

Building a digital economy: The importance of saving jobs in the EU’s creative industries, March 2010

A note on TERA’s “The economic contribution of the creative industries to EU GDP and employment” (23.10.2014)

(Contribution by Joe McNamee, EDRi)



25 Mar 2015

The evolution of the concept of privacy

By Guest author

In 1776, John Adams wrote that it had been the British right to search houses without justification that sparked the fight for independence. In other words, John Adams thought that it had been an unjustified violation of privacy that had kindled one of history’s most noteworthy revolutions.

More than two centuries later, those unruly colonies – now the United States of America – see themselves once again at the centre of a debate on privacy. Many of the world’s most data-intensive companies hail from the US – and are criticised for what is perceived to be an excessive accumulation and use of their users’ personal data. Piled on top of this, we know, as a result of Edward Snowden’s revelations, that the National Security Agency (NSA) of the United States has been at the forefront of a group of intelligence agencies that have been using that and other data to build massive databases containing information on millions of people living everywhere that today’s information and computer technologies reach.

Throughout modern history, from searches without just cause to big data and mass surveillance, the notion of privacy has surfaced time and again. However, while the word has remained the same, its meaning never stopped evolving. We must be aware of that development if we are to effectively deal with future challenges, in particular the pressing issue of the regulation of the collection, access, and use of personal information both by private and public actors.

What John Adams deemed unacceptable was the groundless intrusion into people’s private sphere. It was his fellow Americans, Louis Brandeis – later a Supreme Court Judge – and Samuel Warren, who would put this conception of privacy most succinctly: Privacy is the right to “being let alone”. On this understanding, privacy is something that you have as long as people, organisations or institutions are denied access to you. However, this notion, inspired mainly by the idea of physical boundaries, sees itself confronted with insuperable difficulties in an age where the debate’s focus lies squarely on informational privacy.

The internet is one of the areas in which informational privacy, the protection of personal information, has become crucial. Internet users do not want to be left alone; they want to partake in the offerings of the internet and participate in what has become one of their most important social spheres. Privacy concerns are nowadays focused to a large extent on the information we share or generate on the internet, often publicly, rather than what we wish to conceal within the private confines of our homes.

The notion of privacy has adapted to those changing circumstances and today the focus lies mainly on users’ control of their personal data. This concept forms the foundation of many political arguments; the “right to be forgotten”, “notice and consent” systems and transparency requirements all aspire to give users control. While control is important, the evolution of technology already strains the ability of users to meaningfully control their personal data by means of informed choices. In fact, this notion’s capacity to protect people’s fundamental interests is failing even before the relevant policies have seen widespread adoption.

A first problem is that people are so overloaded by requests to consent to the use of their data that informed choice becomes illusory. If people want to engage in the cultural and social life offered in the digital sphere, they will not be able to assess all the terms of services and privacy notices they see themselves confronted with. And opting-out of the internet can no longer be called a real option. Secondly, privacy is no longer a purely personal matter. The information we choose to share or allow to be gathered affects not only our own privacy but also the privacy of all those we interact with.

The complementary limitation theory of privacy could help bridge some of these difficulties. According to this notion, a person has privacy when access to personal information is limited in certain contexts. While we can only have limited control as to how some of our personal information is used, there should be limits as to who can use information gathered in a certain context. In the age of big data, and even more so in the future of the Internet of Things, this notion is poised to become all the more important. Many users feel very uneasy if the information collected by, for instance, their car or metro card is used to target them with advertisements the next time they visit an online retailer. This phenomenon is taken to another level with “profiling”, the use of your data to guess about aspects of your personality, generating insights into your personality and habits that you may not even know are possible. To the extent that more and more spheres of people’s lives will generate digital personal data, separation of those spheres will become more and more important.

While helpful in resolving some of the problems associated with the regulation of privacy, the limitation concept of privacy brings with it its own host of difficulties. There is for example the argument that privacy is essential for freedom and autonomy. Would Darwin or Copernicus have been able to make their ground-breaking and controversial discoveries if the prevailing powers at the time had more insight into their activities? Probably not. However, if consent cannot be the only principle governing privacy matters, then mandatory privacy standards seem unavoidable. It is then essential to ensure that the privacy standards serve to guarantee freedom and autonomy rather than unduly restricting it.

While today’s citizens’ worries about privacy are very different from John Adams’, their concerns are legitimate. These worries must be taken into account when designing the rules that should regulate the use of personal data in the digital world. And one thing is certain: An adequate concept of privacy is essential for a good regulation of personal data. The tasks before us are not simple, but they cannot be escaped and become more pressing with each passing day.

Originally published in the Synergy Magazine:
The evolution of the concept of privacy: From the American revolution, to big data and the Internet of Things

Warren, Samuel D., and Louis D. Brandeis. “The Right to Privacy.” Harvard Law Review 4, no. 5 (December 15, 1890): 193–220.

Adams, John, Charles Francis Adams, and John Adams. Letters of John Adams, Addressed to His Wife. Boston, C.C. Little and J. Brown, 1848. 338.

Cohen, Julie E. “What Privacy Is For.” Harvard Law Review 126 (2013): 1904–33.

Tavani, Herman T. “Philosophical Theories of Privacy: Implications for an Adequate Online Privacy Policy.” Metaphilosophy 38, no. 1 (2007): 1–22.

(Contribution by Julian Hauser, EDRi intern)



25 Mar 2015

EDRi joins the Document Freedom Day

By Kirsten Fiedler

Today, we are celebrating the Document Freedom Day to raise awareness for Open Standards. Open Standards allow us to share all kinds of data freely. They ensure availability, transparency and interoperability of software and document formats – and prevent us from being locked in to using a particular software or service.

We believe that the European Commission should lead by example – unfortunately in many communications that citizens have with the institutions this is not yet the case. We have therefore joined an open letter to the European Commission to request that it maximise inclusiveness and engagement through the use of Open Standards. Here is our joint letter (pdf) to the Commission:


Today is Document Freedom Day, the international day to celebrate and raise awareness of Open Standards. On this occasion, we would like to reflect on the importance for public institutions in general, and for the European Commission in particular, considering its leadership role, of using Open Standards in all their digital communication and services.

Open Standards are formats and protocols which everybody can use free of charge and restriction and for which no specific software from a particular vendor is required. They are essential for interoperability and freedom of choice based on the merits of different software applications. For a public institution such as the European Commission, this is especially important because every EU citizen and company should have the right to communicate and interact with its administration using Open Standards exclusively, and not be forced to install and use software from any specific vendor. That is why we take this opportunity of Document Freedom Day, to voice our concerns on the improper use of standards in the context of applying for EU programmes.

Nowadays, when applying for most EU programmes, applicants are typically required to fill in PDF forms that use elements only implemented in proprietary software from a particular vendor (Adobe), software that is currently not available on all platforms. This is a problem for many applicants who end up bereft of choice or excluded from the process altogether. It does not have to be this way, when a number of efficient alternatives exist that are entirely based on Open Standards. Generally, we would advise against the use of PDF for online forms, and would instead recommend solutions based on Open Web Standards like HTML5 and XForms. With this joint statement, we call on the European Commission to address this situation and ensure that all interactions with the public can be performed entirely using Open Standards, thereby ensuring maximum inclusiveness and freedom of choice for all European citizens.

Jean-Christophe Becquet

Karsten Gerloff
Free Software Foundation Europe (FSFE)

Andreas Krisch
European Digital Rights (EDRi)

Graham Taylor
OpenForum Europe (OFE)

Peter Ganten
Chairman of the board
Open Source Business Alliance (OSBA)

23 Mar 2015

EU trade secrets Directive: threat to free speech, health, environment and worker mobility

By Maryant Fernández Pérez

STATEMENT (pdf) 23 March 2015 (updated from 17 December 2014)

Multi-sectoral civil society coalition calls for greater protections for consumers, journalists, whistleblowers, researchers and workers

We strongly oppose the hasty push by the European Commission and Council for a new European Union (EU) directive on trade secrets because it contains:
– An unreasonably broad definition of “trade secrets” that enables almost anything within a company to be deemed as such;
– Far-reaching legal remedies for companies whose “trade secrets” have been “unlawfully acquired, used or disclosed”, including provisional and precautionary measures, damages and secrecy rights throughout the judicial process; and
– Inadequate safeguards that will not ensure that EU consumers, journalists, whistleblowers, researchers and workers have reliable access to important data that is in the public interest.

The proposal must be amended to ensure that only information acquired, disclosed or used by third parties with intention of commercial gain is protected under the directive.

Specifically, we share great concern that under the draft directive:

– The right to freedom of expression and information could be seriously harmed because the proposed directive does not guarantee the protection of journalists and whistleblowers. Under the proposed directive, journalists and whistleblowers must show that “…the alleged acquisition, use or disclosure of the trade secret was necessary for such revelation and that the respondent acted in the public interest”. Unfortunately, determining whether disclosure was necessary can often only be evaluated afterwards. In addition, the limitation of the right to disclose and use trade secrets to reveal “wrongdoing”, “misconduct” or to protect a “legitimate interest” would allow for sanctions to be applied even when the information ought to be in the public domain, such as planned redundancies and detrimental effects on health and the environment. The proposed directive should be amended to exempt information acquired, used or disclosed in the public interest.
– The mobility of EU workers could be undermined. The proposed directive poses a danger of lock-in effects for workers. It could create situations where an employee will avoid jobs in the same field as his/her former employer, rather than risking not being able to use his/her own skills and competences, and being liable for damages. This inhibits career development, as well as professional and geographical mobility in the labour market.
– Companies in the health, environment and food safety fields might use the directive to refuse compliance with transparency policies, even when the public interest is at stake. The proposed directive should be amended to ensure that (1) it does not cover information that must, by law (including international law), be disclosed by public authorities under public access to information legislation and (2) it excludes regulatory data of public interest that is needed for public scrutiny of regulatory authorities’ activities.

Health: Pharmaceutical companies argue that all aspects of clinical development should be considered a trade secret; however, access to biomedical research data by regulatory authorities, researchers, doctors and patients—particularly data on drug efficacy and adverse drug reactions—is critical to protecting patient safety and conducting further research and independent analyses. This information also prevents scarce public resources from being spent on therapies that are no better than existing treatments, do not work, or do more harm than good. Moreover, disclosure of pharmaceutical research is needed to avoid unethical repetition of clinical trials on people. The proposed directive should not obstruct recent EU developments to increase sharing and transparency of this data.
Environment: The directive must be amended to comply with the EU’s international obligations under the United Nations Aarhus Convention, which prevents public authorities from protecting the secrecy of information on emissions into the environment and requires active dissemination of information enabling consumers to make informed environmental choices. Therefore, the definition of “trade secret” should be amended to remove information on emissions from the scope of the proposed directive and companies should be prevented from using the directive to refuse disclosure of information on hazardous products, such as chemicals in plastics, clothing, cleaning products, and other activities that can cause severe damage to the environment and human health, including the dumping of chemicals and fracking fluids.
Food safety: Under EU law, all food products, genetically modified organisms and pesticides are assessed by the European Food Safety Authority (EFSA). EFSA assesses the risks associated with these products based on studies performed by manufacturers themselves. Scientific scrutiny of the EFSA’s assessments is only possible with complete access to these studies; therefore, this data must be removed from the scope of the directive.

Despite the Commission’s desire for a “magic bullet” that will keep Europe in the innovation game, without amendment, the proposed directive may make it more difficult for the EU to engage in open and collaborative forms of research. In fact, there is a risk that the measures and remedies provided in this directive will undermine legitimate competition and even facilitate anti-competitive behaviour. Unsurprisingly, the text is strongly supported by multinational companies.

Industry coalitions in the EU and the United States (US) are lobbying, through a unified Trade Secrets Coalition, for the adoption of trade secret protection. In the US, two new bills are pending before Congress. If passed, these texts would allow trade secret protection to be included in the Transatlantic Trade and Investment Partnership (TTIP)—something that will be incredibly difficult to repeal in the future through democratic processes. Given that TTIP is expected to set a new global standard, its potential inclusion of trade secret protection could have devastating consequences.

We urge the Council and the European Parliament to amend the directive by limiting the definition of what constitutes a trade secret and strengthening safeguards and exceptions to ensure that data in the public interest cannot be protected as trade secrets. The right to freely use and disseminate information should be the rule, and trade secret protection the exception.

For additional information or comment, please contact Walter van Holst (walter@vrijschrift.nl), representing EDRi and Vrijschrift.