21 Mar 2018

Control of sorts over personal data for UK healthcare patients

By Gemma Shields

NHS Digital, the provider of data and IT systems for the National Health Service (NHS) in the United Kingdom, has announced plans to roll out a new system by March 2018 as part of the national data opt-out. This is intended to allow patients to choose whether or not their personally identifiable data is used for reasons other than their personal health care, such as for planning and research purposes.


It will purportedly involve patients making an “informed decision” about how their data is used via an online application and “additional mechanisms”, namely the ability to opt out offline by registering their choices with their General Practitioner (GP). Significantly, NHS Digital notes that patients will be able to “change their mind anytime”. This will replace the existing opt-outs whereby a patient has to register with their GP to prevent their data leaving NHS Digital.

The National Data Opt-out Programme is the result of a review published by the UK National Data Guardian Dame Fiona Caldicott entitled “Data Security, Consent and Opt-out” which suggests that there needs to be an increase in the public understanding of how health data is collected, protected and used. The review also notes that the use of personal data is essential to providing high-quality care, and that any new system would benefit from a “high degree of trust in NHS organisations to look after people’s data”. This is despite the UK public health service having experienced huge data losses (e.g. the 864 000 pieces of data that were mislaid between GPs and hospitals between 2011 and 2016), ransomware attacks (i.e. WannaCry in 2017), and unregulated data donations (i.e. the Google DeepMind deal). Indeed, the National Data Guardian also urged caution over the security of data management systems, offering 10 suggestions on data security standards.

The UK Government responded to these with the report “Your Data: Better Security, Better Choice, Better Care”.

On the value of the use of patients’ data generally, both the UK Government and NHS Digital cite improved quality of care, facilitating medical research breakthroughs, and increased efficiency of healthcare systems as the main drivers for re-purposing the information gleaned from health and care records.

This sentiment is echoed by the European Commission Taskforce on Health and Digital policies which envisions a system which “would harness the power of data exchange across different ecosystems (digital and health), in a way that generates new knowledge and translates this knowledge into better care services, early diagnosis and treatment of disease all across the EU”.

As in other economic sectors, it is important not to overlook and properly address the risks of digitalising the health sector. For instance, the collection and processing of health data should comply with existing data protection provisions of the General Data Protection Regulation (GDPR). In the case of mobile health (m-health), for example, a strong ePrivacy regulation is required that would protect electronic communications content.

In addition, any data-driven project should be designed unambiguously, with users’ meaningful and informed consent in mind, and in a secure way. Poorly executed data gathering, analytics, and handling may present security risks and result in breaches which have the effect of lowering trust; thereby dissuading individuals from seeking treatment.

NHS Digital: National Data Opt-out Programme

National Data Guardian for Health and Care Review of Data Security, Consent and Opt-Outs

NHS data loss scandal deepens with further 162,000 files missing (16.10.2017)

NHS could have avoided WannaCry hack with “basic IT security”, says report (27.10.2017)

Google DeepMind and healthcare in an age of algorithms

Taskforce to take Health and Digital policies further (27.02.2017)

(Contribution by Gemma Shields, EDRi intern)



21 Mar 2018

EU Council indecision on ePrivacy is bad for Europe

By Joe McNamee

In 2017, the United States National Telecommunications and Information Administration (NTIA), which is part of the Department of Commerce, warned of the “chill on discourse and economic activity” caused by privacy and security fears. With the recent revelations about Facebook and Cambridge Analytica, and news about even more extensive abuses likely to appear, the damage caused by weak legislation continues to grow.


While the US is unable to pass privacy legislation that solves this problem, the European Union’s (EU’s) world-leading General Data Protection Regulation (GDPR) enters into force on 25 May 2018. The one piece of the jigsaw that remains to be put in place is the ePrivacy Regulation. It complements the GDPR by providing clear and specific rules on issues such as tracking of individuals online, tracking of individuals offline (for example by recording the wifi or bluetooth networks to which your phone automatically connects) and the use of communications metadata (such as location data).

The European Commission launched its ePrivacy proposal in January 2017. The legislation needs to be approved by the European Parliament and the EU Member States in the Council of the European Union. The response was a barrage of negative lobbying. Despite this, the European Parliament adopted a strong position in defence of electronic privacy rights in October 2017. However, lobbying by the Google/Facebook online tracking duopoly in national capitals has proven more successful. Today, 435 days since the proposal was launched, the Council appears no closer to protecting European citizens and businesses with clear rules on privacy of communications.

On 7 March 2018, the Bulgarian presidency of the Council published a new discussion paper on the ePrivacy Regulation. This file should now be among the top priorities of the Bulgarian presidency ahead of the implementation of the GDPR in May 2018. However, there is little real progress to report. For example, and quite amazingly, the document indicates that “some” Member States are still arguing, contradicting rulings of the Court of Justice of the EU, to allow communications companies to use individuals’ metadata without consent.

Once the Council finally prioritises the ePrivacy Regulation and agrees on its “General Approach”, negotiations can finally start with the European Parliament. This would allow a final agreement to be reached, so that European businesses and companies can get the full benefit of a comprehensive privacy and confidentiality regime fit for the 21st century.

Bulgarian discussion paper (07.03.2018) https://www.parlament.gv.at/PAKT/EU/XXVI/EU/01/38/EU_13835/imfname_10792028.pdf

ePrivacy proposal undermined by EU Member States (10.01.2018)

Quick guide on the proposal of an e-Privacy Regulation (09.03.2017)

(Contribution by Joe McNamee, EDRi and Margaux Rundstadler, EDRi intern)



19 Mar 2018

CLOUD Act: Civil society urges US Congress to consider global implications

By Maryant Fernández Pérez

On 19 March 2018, European Digital Rights (EDRi) co-signed a letter with three other civil society organisations, asking the US Congress to ensure that the “Clarifying Lawful Overseas Use of Data Act” (the US “CLOUD Act”) is not attached to the omnibus bill.

If the CLOUD Act is attached to the omnibus bill, it would mean it would be passed without discussion or modification of very problematic provisions that will impact individuals’ rights worldwide. The US legislator would give up its power to the executive branch of government. The CLOUD Act would authorise the US Government to unilaterally issue executive agreements with a “qualifying foreign government”, such as the European Union and/or its Member States, without “following each other’s privacy laws” and without review by Congress. This decision would have global implications that we urge the US Congress to consider:

First, executive decisions of this kind would facilitate law enforcement access to individuals’ data directly from companies. They, however, would seriously weaken and erode privacy and other rights of citizens around the world, including Europeans. For instance, under the CLOUD Act, a US police department could request access to “the contents of a wire or electronic communication and any record or other information” about a European citizen without necessarily following EU privacy laws. If the EU enters into an agreement with the US, European citizens would have to rely on the company subject to the data access request to challenge the order before a US court within 14 days following a complicated “comity” procedure whereby a US court would decide to modify or quash the legal process.

Second, as currently drafted, the US CLOUD Act has no review mechanism in the event of democratic backsliding in a third country. This means that, once a government has entered into an agreement with the US Government, it would be almost impossible for the US to revoke this status. In the letter, we point out to the US Congress the procedures that the European Commission initiated against Hungary and Poland and ongoing legal proceedings due to rule of law and human rights violations, including threats to judicial independence and civil society organisations. It would be problematic for the US legislator to allow such agreements to be entered into, particularly without robust mechanisms for withdrawing from them.

Giant tech companies such as Microsoft have been lobbying for the CLOUD Act. However, the bill does not adequately protect individuals’ rights – including those of US persons. In addition, the bill ignores the current, long-established system for dealing with cross-border access to data requests, Mutual Legal Assistance Treaties (MLATs). MLATs are often misrepresented as never being suitable for dealing with electronic evidence. The reality is that significant improvements to MLAT procedures are possible and, indeed, some have already been made – as evidenced by the recent major improvements in the efficiency of the US Department of Justice (DoJ). Thanks to the “MLAT Reform” programme, the US DoJ recently reduced the number of pending cases by a third.

On 19-21 March 2018, the European Commissioner Věra Jourová will be in Washington to discuss the CLOUD Act and cross-border access to data in general. We hope she will raise concerns about the global implications of the CLOUD Act for people around the world.

You can read the letter here.



19 Mar 2018

#CensorshipMachine – How will the decision be taken?

By Joe McNamee

The European Union (EU) is currently reforming its copyright legislation. In September 2016, the European Commission proposed its controversial draft for the new Copyright Directive that includes de facto mandatory upload filters (Article 13).

This is how the process to approve this “censorship machine” will advance, from the Commission’s proposal until the adoption of the Directive:

European Commission

The European Commission launched its dreadful proposal in September 2016. This was done under the responsibility of a Commissioner who called net neutrality activists “Taliban-like”, a Commission Vice-President who called anti-ACTA activists tin-hat wearing mushroom eaters and a Head of Unit who is a former music industry lobbyist. The proposal was then sent to the Council of the European Union (the 28 EU Member States) and the European Parliament.

Council of the European Union

In the Council, work is underway, under extreme pressure from the Commission, to find a “general approach” with which it can negotiate with the European Parliament. The proposals for a “general approach” that have been put forward have all been the same as, and sometimes even worse than, the European Commission’s initial proposal.

European Parliament

In the European Parliament, the Committee on Legal Affairs (JURI) appointed hard-working Maltese Member of the European Parliament (MEP) Therese Comodini Cachia to manage the process. Ms Comodini went far beyond the call of duty to meet all stakeholders (she published a list of 104 meetings with various interests in her draft report), to go to every possible conference and work to produce a fair outcome for Europe. She produced a draft position in March of 2017 that was an honest – albeit incomplete – effort to find a reasonable compromise. She was then elected to the Maltese Parliament and left Brussels. She was replaced by Axel Voss MEP, a German conservative, who is a fan of upload filtering, restrictions of linking online, and so on. This sudden change of direction has slowed down progress in the Parliament.

In the European Parliament, instead of voting for amendments tabled by Parliamentarians, there are closed-door “shadows meetings”, without minutes, that seek to merge amendments to reach a broader consensus. Exceptionally, the draft compromises are being made available, albeit unofficially, by Parliamentarians in the copyright discussions. Once these “compromise amendments” receive enough support, they are finalised and, in the Committee vote, they are then voted first, meaning that it is almost impossible for them not to be adopted. The Committee then votes to give itself a mandate to negotiate directly with the Council in the so-called “trilogue” process. This vote is expected on 23-24 April 2018.

“Trilogues” – reaching a final deal

Once the Parliament and Council have their respective positions (the Council “general approach” and the Parliament committee “report”), another round of closed-door meetings takes place, this time between the institutions. These happen under the “neutral” guidance of the European Commission. These meetings continue for an indeterminate amount of time. Often, the end of the rotating six-month Council Presidency is used to create false urgency to push both sides to reach a compromise, commonly involving late-night meetings.

Once the agreement has been reached, some months pass while the agreed text is put into more correct legal language and translated into all official languages. Then, months after negotiations have finished, the Parliament and Council get to formally vote to adopt the agreed text.

Trilogues and democracy

Even though “trilogues” started off by being the exception rather than the rule for EU decision-making, most of the legislation of the European Union (EU) is now adopted using this process. This is worrisome, because the process lacks accountability and transparency. Trilogues squeeze democracy out of the EU decision-making process because…

  • Despite being hugely important in the decision-making process, the European Parliament Committee vote seems too minor and early for citizens to become motivated to get involved, and to express their opinion to the Parliamentarians.
  • The trilogue process is secret (although, more documents than usual are being released in this case) and has no clear end-date around which to mobilise. It is too nebulous for people to become motivated to get involved, by talking to their MEPs or parliamentarians, for example.
  • The conclusion of the trilogue is “just an informal agreement”. It is not firm enough for people to become motivated and get involved. For the same reason, it is not likely to generate press interest and get visibility in the media. At this stage, if the agreement is bad, it is time to make sure that Parliamentarians know that the deal is controversial – and not wait for months until the final vote is scheduled.
  • The final vote in Parliament takes place months after the deal was done. It is definitely exciting enough for people to mobilise and have their say, but overturning a months-old agreement that has already been discussed and approved by the majority of EU political groups is a gargantuan task, so it is more than probable that the trilogue deal is there to stay.

Not least because there are European Parliament elections in May 2019, it is valuable for citizens to make their feelings known to their MEPs at every stage of the process. The coming weeks are crucial – the European Parliament’s Committee on Legal Affairs (JURI) will be voting on the upload filter on 23-24 April. Check here which of your representatives are part of the Committee and how to contact them: https://edri.org/proposed-internet-filter-will-turn-platforms-against-users/

Deconstructing the Article 13 of the Copyright proposal of the European Commission

New Estonian Presidency “compromise” creates copyright chaos (03.11.2017)

(Contribution by Joe McNamee, EDRi)


14 Mar 2018

Proposed internet filter will turn platforms against users: Your action is needed!


Policy makers want to make online platforms responsible for your content. They’ll be forced to use automatic filters to screen the content you upload and decide what you’re allowed to post to the internet and what will be censored. To limit their risk, if there’s even the tiniest doubt about the legality of your content, platforms will block your upload automatically if it is identified as copyrighted material, regardless of your potential right to use it, for example for parody or citation purposes. This will restrict your freedom of speech.

Filtering is hard. When it comes to copyright, filters don’t recognise the “grey areas”: things like exceptions for educational purposes and parody. Filters don’t understand the difference between discussing racial slurs, and using them. However, if websites are forced to monitor all your uploads, they’ll also be held responsible when a filter fails and lets through content it shouldn’t have. It will no longer be a user in breach of copyright, but the platform in breach of copyright.

That leaves platforms with two choices:

  1. minimise their own risk and block everything that falls within these grey areas; or
  2. take the risk to allow for parody, quotations, critique, and so on.

The companies’ reaction to this new responsibility comes as no surprise: they’d rather block too much than open themselves up to the risk of blocking too little. Your right to express yourself will always be less important than a website’s business interests.

What can you do?

The following weeks are crucial. Tweet or e-mail your representatives that are part of the European Parliament’s Committee on Legal Affairs (JURI). On 23-24 April they will be deciding on the upload filter. Use the hashtag #CensorshipMachine or #FilterFail and let your representatives know you’re against the internet filter (Article 13)! You can find the Members of the European Parliament (MEPs) relevant to you here:

We’ve written some tweets to inspire you, but feel free to compose your own!

  • .@MEP Stand up for our freedom of expression online. Please oppose the #censorshipmachine in the #copyright Directive proposal.
  • .@MEP Stand up for our privacy online. Please oppose the #censorshipmachine in the #copyright Directive proposal.
  • .@MEP Show that you care about culture and free speech: oppose the #censorshipmachine in the #copyright Directive proposal.
  • .@MEP Internet filters don’t work. Please delete article 13 of the #copyright Directive proposal! #filterfail

Time to stop the #CensorshipMachine: NOW! – Members of the Committee on Legal Affairs (JURI)

Contact your representatives in the Legal Affairs (JURI) Committee of the European Parliament


07 Mar 2018

New copyright compromise text: Filter or be filtered

By Diego Naranjo

Discussions on the censorship machine continue at the level of the Council of the European Union. After the “compromise” text that Member of the European Parliament (MEP) Axel Voss presented to the European Parliament Committee on Legal Affairs (JURI), the Bulgarian Presidency of the Council held a meeting after which they published new text on Article 13 of the copyright Directive.


The new Presidency text follows the same path towards a censorship machine as the previous “compromise” text. First, it states that an online content sharing service provider “is capable” of performing acts of “communication to the public” or “making available” − two specific copyright concepts meaning in essence publishing copyrighted works − and therefore requires authorisation for this activity. This definition encompasses any service that gives access to copyright protected works “or other subject matter” uploaded by its users. These services would be liable for unlawfully “communicating or making available to the public” when they do not “prevent the availability” of unauthorised works, which technically translates to the obligation to install upload filters. They could also be held liable for failing to remove this unauthorised content once they are notified of its existence on their platform, which is not so far removed from the current legal framework. This brings nothing new to the discussion. If you are one of the many online platforms that would fall under that definition of liable companies, the slogan for Article 13 is still “Filter or be filtered”.

The Presidency proposal includes, again, a mention of appropriateness and proportionality in light of different characteristics of the services. However, this provision will be ineffective and unenforceable in practice. The Copyright Directive will be implemented by Member States that are subject to EU law, including the Charter of Fundamental Rights as primary law of the European Union. However, the proposed Directive still leaves it to companies to decide to what extent and how to “prevent the availability” of unauthorised content. Companies are not bound by the Charter, and therefore it will be up to them to decide which measure to put in place. Furthermore, it is also theoretically possible that, despite the evidence against the efficiency of filters and of their necessity and proportionality, Member State law implementing the Copyright Directive may consider the use of filters as necessary and proportionate. In this case, it will be up to citizens to take their national laws to the courts, if they have the means to do so and the years it will take to reach a final decision of the Court of Justice on the definitive meaning of this chaotic text.

Paragraph 6 of the Presidency text addresses the issue of how individuals can enjoy the rights to use copyrighted works when they do not harm the normal exploitation of the work: these are the exceptions and limitations to the general rules on copyright that are both optional and different in every EU Member State. In order to ensure that these freedoms are still enjoyed in an after-filter copyright scenario, a complaint mechanism is proposed. The efficiency of this mechanism will be limited or simply not available. Every time an uploaded meme or home-video is subject to a (dis-harmonised) exception in their country, it will be left to the individual uploading the content to challenge the filter, but only if the internet company chooses not to categorise the deletion as a terms of service violation. Good luck with that!

The text of recital 37a in the Presidency text aims to clarify which services will not be covered. This recital takes out internet access providers, cloud services such as cyberlockers, online marketplaces and scientific or educational repositories. In practice, this aims at leaving services such as GitHub, Amazon and Wikimedia (among others) outside the scope of this Directive. It is less clear how this will work. For example, Wikimedia is both a company and a foundation, so it will be difficult for them to establish their not-for-profit aspect in order not to have to implement upload filters on Wikipedia. Furthermore, recital 37b states that in order to have the final decision about which service will be under these obligations to monitor content, a case-by-case analysis needs to be done (not clear by whom) taking into consideration the number of protected files available on that service. Hardly a level of legal security that is in line with a notion of “better regulation”.

After setting up the case where all sorts of online content sharing services will be covered, it obliges them to engage in mandatory licensing − mandatory licensing when services are de facto the same as services that are licensed. However, it is less clear how that will not affect other lawful online content sharing services that could end up under the same scope and how many new services will not be created in Europe because of the uncertainty created by this Article 13. Why would anyone choose to set up a service in Europe, faced with such a chaotic legal framework, rather than seeking refuge in a part of the world where the laws actually make some form of sense?

General monitoring of communications to block “undesirable” content (21.02.2018)

European internet filter will destroy your freedom of expression: Stop it now! (27.02.2018)

Final Copyright “compromise”: Upload filters for everyone but Google & Co (23.02.2018)

In the making: The largest internet filter Europe has ever seen (22.02.2018)

(Contribution by Diego Naranjo, EDRi)



07 Mar 2018

Portuguese ISPs given 40 days to comply with EU net neutrality rules

By Guest author

On 28 February 2018, Portuguese Telecom Regulator ANACOM issued a decision notice, which gives 40 working days for the three major Portuguese mobile Internet Service Providers (ISPs) to change their offers that are in breach of EU net neutrality and roaming rules.


It is a positive step that ANACOM came to this decision to bring the Portuguese market in line with the current status quo in Europe on its own. However, it is still a decision that falls short of what would be necessary to safeguard the interests of Portuguese and European citizens.

As ANACOM’s decision documents, operators like MEO have commercial offers that in certain situations only allow access to a selection of applications (such as Youtube or Netflix), instead of the full internet. This blatant violation of the European Net Neutrality Regulation will not cost the big telecom companies a single euro, because the Portuguese legislature has failed to enact fines for net neutrality violations. According to the Regulation, such fines would have had to be introduced by April 2016, and Portugal is one of the four countries in the European Economic Area (EEA) to have failed to follow this provision. To our knowledge, the European Commission has not inquired why Portugal has failed to establish penalties for net neutrality violations.

In its decision, ANACOM has missed the chance to prohibit the core of the net neutrality violation that MEO’s “Smart Net” and other similar offers represent: price discrimination, be it through application-specific data volumes or through not counting the use of specific applications towards the data cap (“zero rating”). Instead of breaking new ground by ensuring that Portuguese consumers pay the same price for data no matter which applications they use, ANACOM’s decision falls short of this important aspect. We hope that the upcoming consultation on this decision can correct this egregious mistake.

What now follows is a process of public consultation and prior hearing for 25 working days. Comments are accepted until 5 April, by e-mail to zero-rating@anacom.pt, only in Portuguese. The final decision is expected in about 4 to 5 months.

In its 52-page document, ANACOM explains in detail the 14 ISP offers which are in breach of the EU Net Neutrality Regulation (2015/2120) of 25 November 2015, regarding Net Neutrality rules and Regulation 531/2012 of 13 June 2012, regarding international roaming rules. Nonetheless, the decision is not limited to these offers, but applies to all offers that do not comply with the EU regulations and fall into the problems described in the document of the proposed decision.

Although the EU Regulations are interpreted by the telecom regulators to require a case by case assessment of questionable economic practices like zero rating, not a single regulator has so far come to the decision to prohibit a zero rating offer. According to the Body of European Regulators for Electronic Communications (BEREC), from 25 countries with zero rating offers, only 11 have even started a formal assessment of those offers. What happened in Portugal goes even beyond zero rating. Operators like MEO have sold illegal sub-internet offers which only give access to hand-picked applications. Yet, ANACOM has not prohibited this blatant violation. Instead, the companies that violated consumer rights under EU law will get away with a slap on the wrist and not even pay for the wrongfully acquired profits.

ANACOM gives MEO, NOS and Vodafone 40 working days to amend offers which are in breach net neutrality and roaming rules (28.02.2018)

BEREC Guidelines on the Implementation by National Regulators of European Net Neutrality Rules (30.08.2016)

(Contribution by Nuno, Associação D3 – Defesa dos Direitos Digitais, Portugal, and Thomas Lohninger, EDRi member Epicenter.works, Austria)



07 Mar 2018

Czech BBA for Ministry of Industry and Trade for data retention

By Iuridicum Remedium

The winners of the 13th edition of the Czech Big Brother Awards were announced on 15 February 2018 in Prague. The awards are intended to draw public attention to privacy issues and related alarming trends. The Big Brother Awards are based on a concept created by EDRi member Privacy International. In the Czech Republic, the contest has been organised by EDRi member Iuridicum Remedium (IuRE) since 2005.

An eight-member jury comprising experts on new technologies, lawyers, human rights defenders as well as journalists chose the winners out of forty nominations sent in by the general public. The awards in four different categories went to the Ministry of Industry and Trade, Member of the Parliament (MP) Jiří Běhounek, Equa bank, and the Office of the Government. Non-profit organisation Open Whisper Systems won the positive award, named after Edward Snowden.

The award for the biggest privacy intruder in the long-term perspective went to the Ministry of Industry and Trade – the Ministry in charge of the Electronic Communications Act containing legislation related to data retention, which defines the obligation of providers of electronic communication services to collect metadata and store it for the needs of police and other authorities over a period of six months. Such data is very sensitive as it reveals who was involved in the communication as well as the whereabouts of the users of communication services. The Court of Justice of the European Union (CJEU) has already twice identified such data collection as unacceptable and unconstitutional. In addition, statistics show that this massive collection of data does not result in a decrease in the number of crimes committed nor in an increase in cases successfully solved by the police. Moreover, as is often the case, this measure is most likely to hit all others but the intended group of people – individuals involved in organised crime know how to avoid it. “The jury decided to award the Ministry for its inactivity in a situation where fundamental rights of all citizens are being undermined,” said Jan Vobořil, executive director of IuRE.

The award for the biggest business privacy intruder went to Equa bank for forcing its clients to agree to provide the so-called TelcoScore, which is based on data from mobile phone operators. A typical use of TelcoScore is to verify the client’s credibility. The bank requests it from a telecoms company providing such information. The score is calculated based on 60 different data items that the operator has about the client. Although clients are asked to agree with this procedure, in practice they cannot avoid it. This trend is dangerous, as it leads to a situation where clients will have no other option than to agree. “The score is calculated based on unrelated data, such as the client’s whereabouts, mobile phone use, number of journeys abroad, frequency of exchanging the telephone, and so on. This can mean that in the future our actions can have unexpected impacts in other unrelated areas of life – and this could lead to permanent stress, conformism, and self-censorship,” explained Vobořil. All three of the biggest mobile phone operators on the Czech market currently sell customer data in this way.

The award for the biggest administrative privacy intruder went to MP Jiří Běhounek for his proposal for an amendment to the Act on Health Services that introduced unrestricted access to electronic healthcare documentation. As part of the Electronic Identification Act, it passed through the legislative process. It establishes a so-called National Contact Point, through which broad access to electronic medical documentation, including access from abroad, should be facilitated. Alarmingly, there are no limits to this, nor does the legislative text mention whether the patient can influence which data is shared and how.

Last but not least, the positive award, named after Edward Snowden, went to Open Whisper Systems, which developed the Signal application for encrypted mobile communication. Signal is an encrypted communicator designed primarily for mobile platforms (Android, iOS) for messaging and voice messaging. It can encrypt text messages, pictures as well as phone calls. Signal is now generally regarded as the most secure communication platform in terms of encryption. It has two major advantages. The first is that the communication is end-to-end encrypted, which means that only the end users themselves have access to its content. The second is that Signal is an open source application, meaning everyone can check what happens with the data.

Czech Big Brother Awards

(Contribution by Jan Vobořil, EDRi member Iuridicum Remedium – IuRE, Czech Republic)



07 Mar 2018

Data retention “reflection process”: Council working documents

By Statewatch

A number of “working documents” discussed as part of the Council of the EU’s “reflection process” on the mandatory retention of telecommunications data have been released following an access to documents request submitted to the Council by EDRi member Statewatch.

The documents provide an insight into some of the issues that have been discussed by Member States’ representatives and EU agencies who, since March 2017, have participated in a sub-group of the Council’s Working Party on Information Exchange and Data Protection (DAPIX) to “facilitate a common reflection process at EU level on data retention in light of the recent judgments of the Court of Justice of the European Union”.

The documents include overviews of the legal framework for telecommunications data retention in the Member States, a presentation from Europol on the possibility of introducing a new measure on “targeted data retention”, and proposals for using the forthcoming ePrivacy Regulation to make possible some form of data retention.

It can be observed that the use of working documents does not serve the interests of transparency, as they are not automatically listed in the Council’s register of documents and will likely only become available to the public through dedicated requests or leaks.

Statewatch requested access to all minutes/“outcome of proceedings” produced by the Council working group “DAPIX (Friends of Presidency) – Data retention” and all working papers/non-papers/other documentation submitted to that working group. Some documents were released in full, others were released in censored form while others could not be released at all, on the basis of argumentation from the Council’s transparency department.

Working documents produced and discussed during the Council’s “reflection process” on data retention:

1. Europol Study on the data retention regime applying in the EU Member States (WK 3570/2017 INIT, LIMITE, 4 April 2017, pdf)

2. European Judicial Cybercrime Network (EJCN) on the effects of the CJEU judgement (WK 3596/2017 INIT, LIMITE, 4 April 2017, pdf)

3. Data Retention – State of play in the Member States (WK 5206/17, LIMITE, 8 May 2017, pdf)

4. A submission from Europol that has been censored: Data categories to be retained for law enforcement purposes (WK 5380/2017 INIT, LIMITE, 11 May 2017, pdf)

5. Not a working document, but not previously published: Note from the Presidency: Targeted data retention – Exchange of views (9558/17, LIMITE, 23 May 2017, pdf)

6. Censored document from the Council Presidency: Ensuring the availability of data for the purposes of prevention and prosecution of crime = Presentation of options and exchange of views (WK 9380/17 INIT, LIMITE, 12 September 2017, pdf)

7. Europol: Proportionate data retention for law enforcement purposes (WK 9957/2017 INIT, LIMITE, 21 September 2017, pdf)

8. Censored document from the Presidency: Availability of data and issues related to data retention – elements relevant in the context of e-Privacy = Exchange of views (WK 11127/2017 INIT, LIMITE, 10 October 2017, pdf)

This is a shortened version of an article originally published by EDRi member Statewatch.

(Contribution by EDRi member Statewatch, the United Kingdom)



07 Mar 2018

Portugal: Data retention sent to the Constitutional Court

By Guest author

A new chapter is expected to be written soon in the long battle between lawmakers and the Constitutional Court in Portugal over the intelligence services’ access to retained data. In January 2018, 35 Members of Parliament (MPs) from three parties officially requested the Constitutional Court to rule on the constitutionality of the new law that grants intelligence services access to retained data.

The Constitutional Court already declared a similar law unconstitutional in 2015, after the president requested a preventive ruling by the Court before signing the law. However, given that the bigger political parties continue to agree on the matter, a new law was written in 2017 that tried to address the main problems raised by the Constitutional Court. Despite the previous Constitutional Court ruling, the new president chose not to request a preventive decision by the Court and approved the new law, which then came into force.

Now, the Constitutional Court will finally have a chance to provide a new decision. The main issue is that the Portuguese Constitution forbids public authorities from accessing citizens’ correspondence and telecommunications, except in the context of a criminal procedure. Given that the intelligence services have no criminal procedure competences, it is unclear if such access can be granted within the current constitutional framework.

Sadly, the same MPs have fallen short of seeing the bigger picture and accepting the full consequences of the case law of the Court of Justice of the European Union (CJEU) in the Digital Rights Ireland and Tele2/Watson cases. The exact same arguments used by the CJEU to strike down the EU Data Retention Directive can be used regarding the Portuguese data retention law, as the Charter of Fundamental Rights of the European Union and the Portuguese Constitution have a similar proportionality requirement for the restriction of fundamental rights.

A few weeks earlier, EDRi observer member Associação D3 – Defesa dos Direitos Digitais had presented a complaint to the Justice Ombudsman, requesting the local data retention law to be sent to the scrutiny of the Constitutional Court – as the citizens have no other way to take a specific law to the Constitutional Court. However, it is entirely up to the Ombudsman to decide if she should take the matter to the court. It looks like Portuguese lawmakers will continue to ignore the CJEU’s case law on data retention.

MPs from three left wing parties join forces to take intelligence services’ access to data retention to the Constitutional Court (only in Portuguese, 11.01.2018)

D3 asks Justice Ombudsman to take data retention to the Constitutional Court (only in Portuguese, 27.12.2017)

Eurojust: No progress to comply with CJEU data retention judgements (29.11.2017)

EU Member States plan to ignore EU Court data retention rulings (29.11.2017)

European Digital Rights asks the European Commission to investigate illegal data retention laws in the EU (02.07.2015)

ECJ: Data retention directive contravenes European law (09.04.2014)

(Contribution by Eduardo Santos, Associação D3 – Defesa dos Direitos Digitais, Portugal)