08 Sep 2016

European Court Opinion: Canada PNR deal cannot be signed

By EDRi

Today, on 8 September 2016, the Advocate General of the Court of Justice of the European Union (CJEU) gave his Opinion confirming that the agreement between the EU and Canada to share Passenger Name Records (PNR) data is not fully in compliance with European law. It’s shocking to note that all the EU’s other PNR instruments are significantly more questionable from the fundamental rights perspective than the apparently illegal EU-Canada deal.

Once again, the European Court is confirming that the European Commission has failed to understand the law,

said Joe McNamee, Executive Director of European Digital Rights.

The European Commission has – again – failed in its basic function as the “guardian of the treaties”.

Passenger Name Record information, which generally contains data such as meal preferences and travel agent, is stored in order to use profiling to guess who might be a terrorist or a criminal. These data are separate from Advance Passenger Information data (the data passengers are required to provide to travel to or from certain countries) and the Visa Information System (database on visa applications to enter the Schengen area), which are also used for tracking of travellers.

Today’s Opinion, if followed by the Court, is expected to be significant for other EU legal acts, such as the recently adopted EU PNR Directive. Furthermore it will impact on planned international PNR agreements with other states. The ongoing negotiations with Mexico were put on hold, waiting for this assessment of the CJEU.

With an almost ideological determination, the European Commission has proposed and agreed measure after measure to stockpile personal data, creating privacy and security risks for every European at a cost of hundreds of millions of Euro. In relation to PNR, it has a deal with Canada for an arbitrary four-year period, with Australia for five and a half years, fifteen years for the EU-US agreement, and a newly-adopted EU PNR Directive that stores data for four years for serious crime and five years for terrorism. This creates a needless security risk, undermines privacy, and generates huge costs for taxpayers.

The specific points where the Agreement is out of line with EU law are detailed in the press release (PDF) from the Court.


Background:

In November 2014 the European Parliament referred the EU-Canada agreement on Passenger Name Records (PNR) to the European Court of Justice (CJEU), to assess the legality of the agreement under EU law, in particular the Charter of Fundamental Rights of the European Union. The Opinion of the CJEU declared that this retention of bulk data is excessive and would therefore violate fundamental rights of EU citizens.

In its judgement in the case Digital Rights Ireland, the CJEU declared the EU Data Retention Directive invalid, for its violations of fundamental rights. In this ruling, the Court found that the data retention period, which was set between 6 and 24 months, “entails a serious interference with those fundamental rights in the legal order of the EU”. In the EU-Canada agreement retention periods of up to 5 years are planned, pending the outcome of this case.

The European Parliament decided to refer the Agreement to the CJEU before its final adoption, in order to prevent legal uncertainty and possible infringements of fundamental rights. Those concerns were also shared by many data protection analysts, including EDRi and the European Data Protection Supervisor (EDPS).

Read more:

EU-Canada agreement on PNR referred to the CJEU: What’s next? (03.12.2014)
https://edri.org/eu-canada-agreement-on-pnr-referred-to-the-cjeu-whats-next/

07 Sep 2016

What digital rights are at imminent risk? All of them.

By EDRi

Our civil rights in the digital environment are based on our rights to protect our personal security and data, our right to communicate freely, and our right for any restrictions to be necessary, predictable and proportionate. Every one of these rights is now under imminent threat.

Electronic Privacy in danger

The ePrivacy Directive is there to protect our security and the confidentiality of our communications. The big telecoms lobby and online companies have launched a massive campaign for this legislation to be repealed.

Telecoms companies want to be able to use your phone’s location data and web browsing data to generate revenue from advertisers, while online companies are keen to avoid limits on their ability to track individuals online.

Security under threat

The integrity, security and privacy of online communications rely on encryption. However, governments across the EU (for example in France, Germany and Hungary) are seeking to undermine it both at the national and the EU level through, for example, the ePrivacy Directive reform and the draft Terrorism Directive.

More and more surveillance

Unsurprisingly, proposals on surveillance are coming from every possible angle. The EU has just adopted its Directive on air passenger profiling (Passenger Name Records, PNR), and the “smart borders” proposal is moving forward. We are only starting to feel the scale of the threat to our personal security posed by “internet of things” surveillance, and the EU is now working again on the thorny issue of export controls.

Legal safeguards for law enforcement data sharing may disappear

When the illegal data retention Directive was proposed over a decade ago, we were told that it was because urgent action was needed as a contingency measure, as international legal assistance treaties (Mutual Legal Assistance Treaties, MLATs) did not work. Now, mainly as a result of pressure from the USA, there are efforts to overturn this legal framework, and to replace it by a more informal and potentially dangerous system, with no tangible explanation as to why MLATs have not been reformed.

Private censorship and abandonment of the law

The European Union is encouraging “voluntary” projects to put (mostly American) companies into the role of free speech regulators. These are just a few examples:

  • The draft Terrorism Directive demands arbitrary deletion of content by internet companies. It is now going through untransparent, rushed “trilogue” negotiations between the EU institutions.
  • The European Commission will have to monitor the decisions of the four US online companies that committed to use their terms of service to take the lead in censoring ill-defined “hate speech”.
  • A leak of the new Copyright Directive shows that the Commission wants to require companies to invest in “effective” tools to filter the upload of any copyrighted content, following YouTube’s model of allowing rightsholders to arbitrarily remove uploads, even if they are fully legal. Industrial-scale censorship.
  • The European Commission is using “follow the money” efforts whereby companies like Paypal and Google will eliminate online services that they – as judge, jury and executioner – decide are allegedly breaching copyright (as envisaged in SOPA and ACTA).
  • The proposal for reforming the “Audio Visual Media Services” Directive gives EU Member States the right to regulate the contracts agreed between online video sharing platforms and their customers. This is supposed to be a means of applying the law, but a recital (i.e. an explanatory note) says that alignment with the law is not necessary. The right of appeal for unjustified censorship provided for in the Directive is logically unimplementable. The “safeguard” that people can complain when their videos are censored will not be implementable in practice, as internet companies will always say that the files are in breach of terms of service rather than in breach of the law, as this option is easier, quicker, cheaper and less legally risky.

The open internet under threat by the Telecommunications Reform

If the European Commission keeps supporting the big telco industry’s 5G Manifesto and integrates parts of it into the Telecoms Review proposal, net neutrality may be in danger again.

Trade agreements undermining data protection

Digital rights are also being discussed outside a democratic framework in international trade negotiations. In addition to the headline Transatlantic Trade and Investment Partnership (TTIP) discussions, the less well-known Comprehensive Economic Trade Agreement (CETA) between the EU and Canada will undermine your privacy, data protection and freedom of communication, if adopted. While there are rumours that TTIP might be dead, most of the risks highlighted for digital rights in TTIP are being reproduced in the catastrophic TiSA (Trade in Services Agreement), which is being negotiated by the European Union with 22 countries, including the USA, Turkey and Israel, as well as CETA.

EDRi: Data Protection Reform – Next stop: e-Privacy Directive (24.02.2016)
https://edri.org/data-protection-reform-next-stop-e-privacy-directive/

EDRi: Massive lobby against personal communications security has started (27.07.2016)
https://edri.org/massive-lobby-personal-communications-security-started/

EDRi: France and Germany: Fighting terrorism by weakening encryption (24.08.2016)
https://edri.org/france-germany-fighting-terrorism-by-weakening-encryption/

EDRi: Hungary: New government proposals raise concerns (18.05.2016)
https://edri.org/hungary-new-government-proposals-raise-concerns/

EDRi: Position paper on encryption: High-grade encryption is essential for our economy and our democratic freedoms (25.01.2016)
https://www.edri.org/files/20160125-edri-crypto-position-paper.pdf

EDRi: Rush to “fight terrorism” threatens our fundamental rights and security (04.07.2016)
https://edri.org/rush-fight-terrorism-threatens-our-fundamental-rights-security/

Secret report urges treaty forcing US web firms’ cooperation in data sharing (02.06.2015)
https://www.theguardian.com/world/2015/jun/02/web-firms-data-sharing-secret-treaty

Commissioner Jourová’s speech at the meeting of the EP’s Committee on Civil Liberties, Justice and Home Affairs (Libe) (28.04.2016)
https://ec.europa.eu/commission/2014-2019/jourova/announcements/commissioner-jourovas-speech-meeting-eps-committee-civil-liberties-justice-and-home-affairs-libe_cs

Guide to the Code of Conduct on Hate Speech (03.06.2016)
https://edri.org/guide-code-conduct-hate-speech/

Proposal for a Directive of the European Parliament and of the Council on copyright in the Digital Single Market
https://drive.google.com/file/d/0B6d07lh0nNGNNjZpcGlsQ3pJN3M/view

EDRi: Towards a corporate copyright reform in the EU? (31.08.2016)
https://edri.org/towards-corporate-copyright-reform-eu/

EDRi: ENDitorial: Is 5G as terrible as the telecoms providers claim it is? (27.07.2016)
https://edri.org/enditorial-5g-terrible-telecoms-providers-claim/

EDRi: BREAKING: TTIP leaks confirm dangers for digital rights (02.05.2016)
https://edri.org/breaking-ttip-leaks-confirm-dangers-for-digital-rights/

EDRi: CETA will undermine EU Charter of Fundamental Rights (04.05.2016)
https://edri.org/ceta-will-undermine-eu-charter-of-fundamental-rights/

Trade in Services Agreement, EDRi’s position
https://edri.org/files/TiSA_Position_Jan2016e.pdf

(Contribution by Joe McNamee, Diego Naranjo and Maryant Fernández Pérez, EDRi)

07 Sep 2016

Finnish Big Brother Award goes to intrusive loyalty card programme

By Guest author

On 2 September, EDRi member Electronic Frontier Finland (Effi) presented the 2016 Big Brother Awards. The Awards are given to individuals or organisations who have during the past year remarkably undermined citizens’ privacy and data protection. The goal is to draw attention to violations of privacy.

The award in the corporate category was given to the S Group, a Finnish retailing cooperative organisation, for unilaterally announcing in July 2016 that all future purchases made using the group’s loyalty card will be registered, detailing the products that were purchased. Even if the S Group, after significant pressure was put on it, gave its clients the possibility to decide whether or not their data will be collected, Effi considered it necessary to raise awareness of the issue. Various customer loyalty programmes are likely to include problems from a privacy perspective, and only a few of these issues have been disclosed.

The award for individuals went to former Minister of the Interior Petteri Orpo, who has actively promoted giving the police extensive authority to conduct online surveillance, building on the fear raised by the Paris attacks to drive a political agenda. Orpo deserves the award also thanks to his clichéd statements: “A regular citizen has nothing at all to worry for.”

The award in the public organisation category was granted to the Market Court for handing over the personal data of thousands of individuals to law firms used by collecting societies and rightsholders. The Market Court has served as a rubber stamp in proceedings in which letters are sent to effectively “blackmail” those suspected of copyright infringements, with weak evidence.

“With the current uncertainties in the world, it’s easy to argue these violations of privacy are necessary. They, however, rarely foster citizens’ security, but are only contributing to the deterioration of data protection,” said Timo Karjalainen, the chairman of Effi.

We should now stay rational and demand our privacy and protection of our personal data to be preserved, rather than destroyed.

The positive Winston Smith award was given to Mikko Hyppönen, Chief Research Officer of F-Secure, a Finnish cyber security and privacy company, for his persistent work for data protection, and against the surveillance and hacking conducted by cybercriminals and states.

The Big Brother Awards are based on a concept created by Privacy International in the UK. The tradition started in 1998 in London, and the awards are given in about a dozen countries annually. The decisions on the 2016 awards were made by Effi’s board, and the trophies and the Winston Smith award painting were created by Noora Jantunen.

Press Release: Effi’s Big Brother Awards to Petteri Orpo, S Group, and the Market Court – positive awards to Mikko Hyppönen (only in Finnish, 02.09.2016)
https://effi.org/julkaisut/tiedotteet/isoveli-2016

EDRi: Finland: New surveillance law threatens fundamental rights (06.10.2015)
https://edri.org/finland-surveillance-law-threatens-fundamental-rights/

Finnish BB Awards to Commissioner Paatero, Police Board and Microsoft (11.02.2015)
https://edri.org/finnish-bigbrother-awards/

(Contribution by EDRi member Effi, Finland)

07 Sep 2016

New documents reveal the truth behind the Hate Speech Code

By Maryant Fernández Pérez

EDRi obtained documents revealing different drafts of the Code of Conduct against Hate Speech and the correspondence exchanged between the European Commission and the four big companies that concluded the agreement on 31 May 2016: Facebook, Google, Twitter and Microsoft. These documents complement an interesting response sent by Commissioner Jourová to a letter from the Center for Democracy & Technology (CDT) on 21 June 2016.

These are our main findings:

1. The Commission doesn’t believe in multistakeholderism

While the European Commission claims to support a multistakeholder internet governance model, it decided it did not want to include other parts of industry, civil society, academics or any other relevant stakeholder in the elaboration of the Code of Conduct against Hate Speech. Indeed, it only shared the Code with the 28 Member States a few days before its launch, which led to public authorities not having a possibility to suggest any changes to the text. Although EDRi and Access Now knocked on the Commission’s door several times, the European Commission only accepted to hold bilateral meetings, refusing to give us access to the negotiations and the drafts. As a result, on 28 April we asked the Commission to send us all the documents and conversations relevant for the adoption of the Code.

2. If you obey the law, we still won’t leave you alone

In the letter to CDT, Commissioner Jourová argues that the definition of hate speech is clear. She seems to believe that it agreed with companies to comply with the law (the Framework Decision on Racism and Xenophobia).

The Commission claims that the law has “addressed the fragmentation” of what constitutes illegal hate speech among Member States. However, a recent project financed by the European Commission warned about the “huge disparities” on what constitutes illegal hate speech among Member States. A recent study of the European Parliament confirms this. The Commissioner tries to argue that the Framework Decision draws a “careful line” between illegal hate speech and freedom of expression. However, as EDRi member Article 19 demonstrated, this is sadly not true; international law standards are not respected.

In addition, documents obtained by EDRi show that Facebook, Google and Twitter repeatedly contended that all referrals would be assessed by their terms and conditions, not by the law. They would only review hate speech reports against the law when a potential violation is not identified as a terms of service violation. In short, companies did not commit to follow the criteria set out in the law. They committed to use their own criteria in deciding what is or is not hate speech. Contrary to the Commission’s assurances, the Code can lead to “undue restrictions” to freedom of expression and “excessive take downs also of legal content” because restrictions imposed by terms of service are, quasi by definition, much broader than the law.

According to the Commission, if an online company restricts your freedom of expression – even if they do so as a result of government pressure – you are not protected by the Charter of Fundamental Rights of the European Union. You would only be covered if the company was implementing a specific legal obligation. Does the Code impose a legal obligation on companies? No. What’s more, the terms and conditions of companies will not be reviewed by the Commission for this purpose. Despite the Commission’s assurances, there are no protections whatsoever for fundamental rights in this code. The Commission is, at least, consistent, as the same rights-destructive methodology can also be found in the leaked copyright Directive, the draft Audio-Visual Media Services Directive, the Europol Regulation, the “follow the money” copyright enforcement projects…

3. Root of the problem unsolved: there’s nothing new under the sun

The Commission claims that since hate speech is moving online, the enforcement of the law must be complemented by companies’ actions to be “quick”. While the Commission’s goal was for the companies to commit to remove clear cases of hate speech within 24 hours, the companies only committed to review (not remove) illegal hate speech (not terms of service violations) within 24 hours.

These “complementary efforts” are however not new. The EDRi-gram reported about the flaws of privatised enforcement already over a decade ago. Sadly, the discussions keep running in circles: a public policy problem is identified; public authorities put pressure on companies to solve it (even after the adoption of the Code, countries like Germany keep putting pressure on social media companies to do the job of a public authority); the content is the target, not the author(s) of the content; Member states do not investigate or prosecute; the Commission does not take responsibility; the root of the problem is not solved. Only if the problem is the need to be seen to be doing “something”, the problem is solved.

As the Commission confirmed in its letter to CDT, “the Code does not deal with matters pertaining to criminal law proceedings against the authors of hate speech … or notification of illegal content to public authorities.” The actual problem becomes irrelevant in the Code.

The Code of Conduct is divided into two parts, a descriptive section and an operative section. The Commission “won” the negotiation with industry on what should be in the descriptive part. There are lots of nice words about concepts and about fighting “illegal” content. However, the Commission lost and the companies won on the operative part. In that section, references to “illegal” content suddenly become sparse, the companies undertake to review first on the basis of their terms of service and only, where necessary (i.e. never, as illegal content is banned by terms of service) on the basis of the law. The descriptive section does not describe what is in the agreement, it describes what the Commission wished for. The operative section describes the loss of those wishes. The Commission won the descriptive section, the companies won the operative section while the rule of law, free speech, internet users (especially victims of hate speech) lost in both sections.

EDRi’s Freedom of information request to DG Justice on the Code of Conduct against Hate Speech and responses from the Commission (28.04.2016 and 28.07.2016, respectively)
https://www.asktheeu.org/en/request/code_of_conduct_against_hate_spe

EDRi: Guide to the Code of Conduct on Hate Speech (03.06.2016)
https://edri.org/guide-code-conduct-hate-speech/

Commissioner Jourova’s response letter on the Code of conduct on illegal online hate speech (21.06.2016)
https://cdt.org/files/2016/09/Commissioner-Jourova-to-Mr-Jeppesen.pdf

Mandola Project: Intermediate report. Definition of illegal hatred and implications (20.07.2016)
http://mandola-project.eu/m/filer_public/7b/8f/7b8f3f88-2270-47ed-8791-8fbfb320b755/mandola-d21.pdf

Germany wants Facebook to take initiative in fight against online hate (29.08.2016)
http://www.reuters.com/article/us-germany-facebook-idUSKCN1141S6

European Parliament Study. The European legal framework on hate speech, blasphemy and its interaction with freedom of expression (04.09.2015)
http://www.europarl.europa.eu/RegData/etudes/STUD/2015/536460/IPOL_STU(2015)536460_EN.pdf

Press release: Counter-Extremism Bill, National Security Council Meeting (13.05.2015)
https://www.gov.uk/government/news/counter-extremism-bill-national-security-council-meeting

(Contribution by Maryant Fernández Pérez, EDRi)

07 Sep 2016

Secret Report: German intelligence service BND breaks the law

By Guest author

The German intelligence service BND illegally collected and stored mass surveillance data and has to delete those data immediately. This is one of the conclusions of a classified report of the German Federal Data Protection Commissioner that German digital rights blog Netzpolitik.org published. In her report, the Commissioner criticises serious legal violations and a massive restriction of her supervision authority.

When Edward Snowden in May 2013 exposed the global system of mass surveillance by secret services, including by the German foreign intelligence agency BND, the German government tried to avoid scrutiny and declared the case closed. Only one public authority held out: then-Commissioner for Data Protection Peter Schaar sent his staff on an inspection visit to the joint BND/NSA station in southern Germany. The visit resulted in an elaborate “situation report”, but it is classified “top secret” and accessible to only a few people.

Additionally, the new Data Protection Commissioner Andrea Voßhoff produced a legal analysis of the findings and sent it to the Federal Intelligence Service coordinator in the German Chancellery and former BND president Gerhard Schindler. This analysis is still classified “secret” and Netzpolitik.org’s freedom of information request has been denied. However, Netzpolitik.org received this legal analysis and has published the full text of the document (in German).

This report is embarrassing for the BND and the Chancellery: over 60 pages, the highest German Data Protection Commissioner lists 18 severe legal violations and files 12 formal complaints. Such a complaint under the German Data Protection Act is the Commissioner’s most severe legal instrument, forcing the authorities to issue a statement in response. This is the first time that a German authority has received this many complaints at once. Usually, the Commissioner files a similar number of complaints in an entire year, to all federal authorities combined.

You can read Netzpolitik.org’s full analysis of the text here: https://netzpolitik.org/2016/secret-report-german-federal-intelligence-service-bnd-violates-laws-by-the-dozen/

Secret Report: German Federal Intelligence Service BND Violates Laws And Constitution By The Dozen (only in German, 01.09.2016)
https://netzpolitik.org/2016/geheimer-pruefbericht-der-bnd-bricht-dutzendfach-gesetz-und-verfassung-allein-in-bad-aibling/#Sachstandsbericht

Secret Report: German Federal Intelligence Service BND Violates Laws And Constitution By The Dozen (02.09.2016)
https://netzpolitik.org/2016/secret-report-german-federal-intelligence-service-bnd-violates-laws-by-the-dozen/

(Contribution by Andre Meister, Netzpolitik.org, Germany)

07 Sep 2016

The lobby-tomy 9: Lessons of the lobby

By Guest author

The new European privacy law was a feast for lobbyists, but how did the Dutch government deal with all that information? And is lobbying bad?

The new European data protection regulation is the most lobbied piece of legislation ever because the subject is very important and touches upon almost every aspect of our daily lives. Therefore EDRi member Bits of Freedom used the Dutch freedom of information act to ask the government to publicise all the lobby documents they received on this new law. These documents were published on the Bits of Freedom website, with analysis, in a series of blogs. What parties lobby? What do they want? What does that mean for you? These nine articles are now translated into English for the EDRi-gram. In the previous blogs you’ve been able to read about the privacy lobby: what parties lobbied, what they lobbied about, and what kind of arguments they used. This is part 9.

What will the Netherlands do?

The question that quickly arises is, “What was the attitude of the Netherlands?” There’s no simple answer. In the parliamentary papers there are letters from the government in which the state secretary periodically informed the Dutch parliament about any developments with regards to the negotiations. In a document dealing with data protection, he describes in general terms what has been discussed and what the Dutch position was. Apart from that, Statewatch (a non-profit organisation monitoring the state, justice and home affairs, security and civil liberties in the European Union) occasionally leaked preliminary reports of meetings.

From the state secretary’s letter to the Dutch parliament in 2012, it’s clear, for example, that the Netherlands strongly supported a risk based approach (as seen in the lobby-tomy 7). This was the most lobbied point of view, in particular when it comes to the obligation to make an “impact assessment” before processing data, and the requirement that companies have a data protection officer. About those obligations, the Dutch government says:

“Furthermore, article 22 in principle fully applies to all controllers, which includes small entrepreneurs and even in some circumstances to individual citizens. It will create a higher burden on supervisory authorities. A risk based approach would have been better.”

Apart from that, according to a letter to the Dutch parliament from 2014, the Netherlands wanted to make it easier to process health data. This is justified by its importance for research. Many lobby letters were sent to the Dutch government on this topic, for example by medical research centers (see the lobby-tomy 6). The government also wanted broader exceptions for the processing of health data by other organisations, for example insurance companies. This topic was actively lobbied as well (in the case of anti-fraud, see the lobby-tomy 8).

There are many similarities between the contents of the lobby letters and what the Dutch government proposed. Although the Netherlands claims to be a proponent of strong protections in the field of profiling, they do ask for a certain degree of flexibility for other forms of automated decision making. Apart from that, the Dutch state secretary argues in the letter to the Dutch parliament that companies should more often have a legitimate interest in cases of “less significant measures” like direct marketing. That means that companies in those cases do not require consent to collect and use data (see the lobby-tomy 4 and lobby-tomy 6).

How successful has the lobby been?

Although there are visible similarities between the lobby letters and the position of the Dutch government, it is difficult to produce evidence for the fact that representatives of the government have listened to lobbyists too much. We simply can’t know what has been said in meetings between government representatives and lobbyists. It’s also difficult to prove a causal link: maybe policymakers had already agreed on a specific position before the lobby letters arrived.

So… Is lobbying bad?

Looking at the amount of legislative texts circulating, being drafted and adapted back and forth, and looking at the amount of invitations for meetings and letters sent to the ministries, it’s clear that lobbying plays a large role in our decision making process. Lobbying is important. However, the revelations of the lobbyplag initiative shocked many.

That’s why we advocate for citizens’ in Brussels too. Lobbying can be very useful. It allows organisations to shed new light or to bring forward a unique problem that hasn’t been considered yet. You can’t expect that everyone shares the same expertise. It can therefore be very important and useful to offer it to policy-makers.

However, there are also worries. Looking at the letters, it’s clear that large companies are over-represented. How can we know that there has been a proper weighing of all the different interests in society? Also, the letters at times contain bad and misleading arguments.

Also, there are transparency issues: this is just the tip of the influence iceberg concerning a long and complicated legislative process. The scale and untransparency of the documents released by lobbyplag shows what is wrong. This can and should be better.

Read all our lobby-tomy blogposts:

Data Protection Lobby-tomy Part 1: Influencing the Dutch government
https://edri.org/data-protection-lobbyotomy-part-1-influencing-the-dutch-government/

The lobby-tomy 2: What was the lobbying about?
https://edri.org/the-lobby-tomy-2-what-was-the-lobbying-about/

The lobby-tomy 3: who are lobbying?
https://edri.org/the-lobby-tomy-3-who-are-lobbying/

The lobby-tomy 4: Innovation is the magic word
https://edri.org/the-lobby-tomy-4-innovation-is-the-magic-word/

The lobby-tomy 5: legal help or political choices?
https://edri.org/the-lobby-tomy-5-legal-help-or-political-choices/

The lobby-tomy 6: Not in my backyard
https://edri.org/the-lobby-tomy-6-not-in-my-backyard/

The lobby-tomy 7: Not all roads lead to privacy
https://edri.org/lobby-tomy-7-not-roads-lead-privacy/

The lobby-tomy 8: “Anti-fraud” – another magic word
https://edri.org/lobby-tomy-8-anti-fraud-another-magic-word/

We hope that our lobby-tomy series has given you a useful insider’s view of the lobby process concerning the new European privacy legislation.

(Contribution by Floris Kreiken, EDRi member Bits of Freedom, the Netherlands)

07 Sep 2016

Member Spotlight: Iuridicum Remedium

By Guest author

This is the third article of the series “EDRi member in the Spotlight” in which our members have the opportunity to introduce themselves and their work in depth.

Today we introduce our Czech member Iuridicum Remedium (IuRe).


Helena Svatosova and Jan Vobořil, IuRe, with Big Brother Awards trophies

1. Who are you and what is your organisation’s goal and mission?

Iuridicum Remedium (IuRe) is a non-governmental, non-profit organisation promoting human rights. We address issues of infringements of individual rights resulting from legislative actions and also deal with specific cases of human rights violations. IuRe’s activities include current threats to human rights in the fields of Human Rights and Technology, but also Social Exclusion and Public Administration. IuRe is active in issues related to legislation and legal assistance. It disseminates information to both the professional community as well as general public.

Our programme Human Rights and Technology aims to create a barrier against the misuse of digital technologies in cases of unjustifiable breaches of individual privacy. Among other activities, IuRe organises the Big Brother Awards Czech Republic annually. Our regular public debates raise awareness about both actual and potential suppression of the right to be left alone. IuRe monitors and prepares comments on new legislation and also provides legal consultancy for individual cases. Within the scope of this programme, we also work on localising and promoting Creative Commons Licensing as an alternative to the traditional intellectual property schemes.

2. How did it all begin, and how did your organisation develop its work?

IuRe was founded in 2001 as a volunteer initiative of the students of the Faculty of Law, Charles University Prague. Our professionalisation started in 2003. In 2005, we organised the Big Brother Awards evening for the first time.

3. The biggest opportunity created by advancements in information and communication technology is…

…simplification of communication between people, the possibility of free sharing of information, opinions and views on the world, regardless of distance or political regimes.

4. The biggest threat created by advancements in information and communication technology is…

…transfer of our private life to computers or mobile phones and monitoring of these devices by businesses or governments. Another threat is also life in filter bubbles, which prevents access to information that contradicts our opinions. This is a paradox, in a way, considering the answer to the previous question…

5. Which are the biggest victories/successes/achievements of your organisation?

We appreciate the victory of 2011, when the Czech Constitutional court accepted our constitutional complaint supported by 53 Members of the Parliament and annulled national data retention regulation. Although we have data retention back in our Communication Act without governmental reaction on Data Retention Directive repeal, this ruling of the Constitutional Court is one of the key ones for the interpretation of the text when searching for the limits of right to privacy in the Czech Republic.

Our last victory was the decision of the Czech Data Protection Authority (DPA) in April 2016 based on our complaint, which ordered the destruction of about three million cards with the blood samples (meaning also DNA) of all newborns. These samples were collected and then unreasonably kept indefinitely in connection with the implementation of a predisposition test for some severe diseases since the 1980s.

6. If your organisation could now change one thing in your country, what would that be?

The Czech government has introduced a series of measures designed to monitor and control citizens over the past few years. They declare that it is not only justified by greater safety, but also by interests of transparency, the fight against corruption, and the need to control tax collection and public expenditures. The trust the state has in its own citizens is thus increasingly being replaced by control. We would be delighted if people put more pressure on politicians and made them emphasise privacy.

7. What is the biggest challenge your organisation is currently facing in your country?

Generally, it’s often populist proposals that threaten privacy with particular reference to increasing safety in connection with terrorism or the refugee crisis. We think that in this area the number of challenges will increase in proportion to the growing fear in society. We also monitor with concern the continuous extension of the databases related to the health of citizens.

Specifically, we now have a lot of work with our campaign on DNA legislation. In 2015 we prepared a new DNA act, which was supported by more than 25 percent of the members of the Czech parliament across almost all political parties. The government had an unfavourable opinion, but the positive effect was that they have started their own amendment of the Police Act, which regulates the use of DNA by the police and the existence of the forensic DNA database. We have prepared comments on the draft and enforce some of the changes that are necessary in our opinion.

8. How can one get in touch with you if they want to help as a volunteer, or donate to support your work?

We are very grateful for the work of all our volunteers and for donations that support our campaigns, because it is difficult to raise money for our issues in the Czech Republic. Information on how to support us is available here: http://www.iure.org/podporte-nas

Iuridicum Remedium (IuRe)
http://www.iure.org/EN

(Contribution by Jan Vobořil, EDRi member Iuridicum Remedium, Czech Republic)

07 Sep 2016

ENDitorial: “When crypto is outlawed, only outlaws will have crypto”

By Guest author

Fortunately, all terrorists are law-abiding citizens. That must have been what the interior ministers of France and Germany were thinking when, on 23 August, they asked the European Commission to draft a new law that would require services such as Telegram to cooperate with the decryption of encrypted communications.

In their joint press statement, the French Minister of Interior Bernard Cazeneuve stated that for law enforcement purposes, the conversations people have via apps such as Telegram have to be accessible to the police and secret services.

The approach of the Minister is perplexing. A day earlier, on 22 August, France’s domestic intelligence chief gave the Financial Times the lay of the land. He explained how countless gigabytes were confiscated following the Paris attacks, and how a big part of that information was encrypted and therefore unreadable. The Financial Times went on to state that many terrorists use WhatsApp and Telegram because those services offer end-to-end encryption. On second thought, it’s easy to see why the French minister would single out Telegram.

Telegram is a pretty clumsy application for those wanting to be completely sure their messages won’t be accessible to anyone but the intended recipient. When you open the app and start a new conversation, it won’t be encrypted by default. The end-to-end encryption only applies when you explicitly choose to start a “Secret Chat”. This means that when someone has an end-to-end encrypted conversation in Telegram, it is not an accident, but a conscious choice.

In a world where terrorists deliberately encrypt their connections, how big is the chance that a terrorist would (continue to) use a service that is known to be insecure? Our guess: as soon as the European Commission introduces legislation forcing services such as Telegram to decrypt secure communications, terrorists will turn to alternative tools. The “solution” offered by the French and German ministers will only work if all the alternative tools to communicate using encryption are outlawed. However, outlawing them would hardly prevent terrorists from using them.

The idea that the way to gain access to terrorists’ communications is by backdooring services such as Telegram is preposterous. Let’s be clear, the French and German proposal will undermine the security of every single person, under the populist guise of improving security. Or, in the words of cryptographer Phil Zimmermann:

“When crypto is outlawed, only outlaws will have crypto.”

Franco-German initiative on Europe’s interior security (only in French, 23.08.2016)
http://www.interieur.gouv.fr/Le-ministre/Interventions-du-ministre/Initiative-franco-allemande-sur-la-securite-interieure-en-Europe

EDRi: France and Germany: Fighting terrorism by weakening encryption (24.08.2016)
https://edri.org/france-germany-fighting-terrorism-by-weakening-encryption/

(Contribution by Rejo Zenger and Evelyn Austin, EDRi member Bits of Freedom, the Netherlands)

31 Aug 2016

Towards a corporate copyright reform in the EU?

By Diego Naranjo

On 24 August, Statewatch leaked the draft Impact Assessment (IA) of the European Commission (EC) on the copyright reform.

Impact Assessments are an essential part of the decision making process. They are where the EC analyses the different options available when considering a policy initiative. Ahead of the official presentation of the final IA in September 2016, the leak hints at the range of proposals that could be adopted in the European Union (EU) on copyright matters.

During our copyfails blogpost series we described how badly the EU copyright regime is broken, and how these failures could be fixed if the political will existed. However, after reading the draft IA, our conclusion is that EU policy-makers do not seem to think it is worth the effort to bring copyright into the 21st century. Ignoring the results of the copyright consultation of 2014, and despite not having published the analysis of the results of the public consultation on ancillary copyright and freedom of panorama, the Commission has a plan: Let’s ignore all facts (even those previously identified) and avoid a real reform at all costs.

The draft text shows:

First, the long-awaited copyright reform is likely to become a patchwork of concessions to lobbyists’ demands. If a ban on geo-blocking was something that had any chance to be discussed, the film industry fought that idea, and has prevailed in its demands to maintain the borders in Europe’s “digital single market”. If news publishers wanted an EU-wide version of the failed ancillary copyright initiatives to “tax” Google in Spain and Germany, they will be delighted with the even more extravagant and dangerous position being adopted by the Commission. While the national-level initiatives have been very controversial and have led to serious consequences, the Commission is going much further. “Ancillary copyright on steroids” seems to the Commission to be the best option, despite publishers themselves admitting that this measure, in their most optimistic possible scenario, would only lead to a ten-percent increase in revenues. Finally, when the music industry giants started complaining about how little money they get from YouTube (despite the billions they do receive), they were given a proposal to fix the so-called “value gap” extending the same system to other online platforms.

Second, once the corporate wish list was diligently followed, the Commission felt creative and thought that extending the automatic identification of works, based on Google’s Content ID, and making it the new standard would be a good idea. And why not adopt a Google product as a standard? Why not adopt a Google product that is regularly used to delete perfectly legal content? Why not give rights-holders the power to de facto overturn legislators’ decisions on copyright flexibilities? Why not create another barrier for Europe’s online entrepreneurs? The developer of a similar product boasted recently “Facebook came today and said we no longer want photos of kittens on our website, we could do that.” Industrial scale, accountability-free censorship.

The draft says that the measures implemented must be “proportionate”. So, courts cannot impose disproportionate measures on companies – apart from a huge amount of legal certainty, they are safe. However, there is no protection for citizens from companies choosing to implement disproportionate filtering measures. The “values gap” of the Commission is clear – copyright industry lobbyists get exactly what they asked for. Internet companies get a degree of protection. Citizens… nothing.

Content ID tools cannot deal with the nuances of copyright law. This will inevitably lead to restrictions on uses of cultural content which are permitted under legally safeguarded copyright flexibilities (“exceptions and limitations”), for example, copyrighted works in teaching environments. Furthermore, the huge costs of creating such a system would impede small and medium enterprises from competing in the market with giants like Google and seriously undermine the possibilities to create new businesses in Europe.

Despite the bad news that this draft IA brings, not everything is lost yet. The European Commission has time and the duty to fix the draft Impact Assessment and prepare the copyright reform that the EU needs. At this stage a solid alliance of diverse stakeholders is needed in order to subvert the corporate copyright reform that could be announced this month.

European Commission Staff Working Document Impact Assessment on the modernisation of copyright rules
http://statewatch.org/news/2016/aug/eu-com-copyright-draft.pdf

European Copyright Leak Exposes Plans to Force the Internet to Subsidize Publishers
https://www.eff.org/deeplinks/2016/08/european-copyright-leak-exposes-plans-force-internet-subsidize-publishers

Google snippet tax, geoblocking, other copyright reform shunned in EU plan
http://arstechnica.co.uk/tech-policy/2016/08/geoblocking-google-tax-copyright-reform-shunned-eu-plan/

Commissioner Oettinger is about to turn EU copyright reform into another ACTA
https://juliareda.eu/2016/08/copyright-reform-another-acta/

Copyfails: Time to #fixcopyright!
https://edri.org/copyfails/

Automated systems fight ISIS propaganda, but at what cost? (06.09.2016)
www.theverge.com/2016/9/6/12811680/isis-propaganda-algorithm-facebook-twitter-google

(Contribution by Diego Naranjo, EDRi)

29 Aug 2016

Net neutrality wins in Europe!

By EDRi

New net neutrality guidelines from the Body of European Regulators for Electronic Communications (BEREC) confirm strong protection for net neutrality, and for the free and open internet, in the European Union. 

Europe is now a global standard-setter in the defence of the open, competitive and neutral internet. We congratulate BEREC on its diligent work, its expertise and its refusal to bend to the unreasonable pressure placed on it by the big telecoms lobby,

said Joe McNamee, Executive Director of European Digital Rights (EDRi).

“Based on a preliminary reading of the text, this is a triumph for the European digital rights movement. After a very long battle, and with the support of half a million people, the principles that make the internet an open platform for change, freedom and prosperity are upheld in the EU,” said net neutrality activist Thomas Lohninger from SaveTheInternet.eu.

“BEREC has completed the work started by the EU legislators and delivered what the public have been asking repeatedly for the past three years: robust and clear protection for net neutrality,” added Estelle Massé, Senior Policy Analyst at Access Now. “The final guidelines are a true testament to BEREC’s hard work.”

The guidelines adopted today are the final step in the three-year process of adopting net neutrality legislation in the European Union. In June 2016, BEREC launched a public consultation on implementation of net neutrality rules approved by the European Parliament last year. This consultation led to over half a million responses in support of strong net neutrality rules that were sent with the help of the SaveTheInternet.eu campaign.

Civil society now has to stay vigilant to ensure the enforcement of these new rules.

Net neutrality is a global issue. Following huge victories in the USA, India and Latin America, Europe has now cemented a global trend towards strong net neutrality protection. This is a cause for celebration.

We thank everybody involved in helping to make this happen, especially Access Now, AK Vorrat Österreich, ApTI, Avaaz, BEUC, Bits of Freedom, Digitale Gesellschaft, Digitalcourage eV, Fastweb, FFDN, Fight for the Future, Initiative für Netzfreiheit, IT-Pol, Mozilla, La Quadrature du Net, OpenMedia, Start-ups For Net Neutrality and X-Net. If it wasn’t for their support, we would be stranded without net neutrality.

Background

Net neutrality is the principle that all internet traffic has to be treated equally, without blocking or slowing down certain data. This is crucial for fair competition between online services, for innovation, and for freedom of expression online.

In September 2013, the European Commission proposed legislation which would have destroyed the open and competitive internet in Europe and would have set a disastrous example on a global level.

Subsequently, in April 2014, the European Parliament adopted amendments to overturn the European Commission’s proposal.

In June 2015, negotiations between the EU Council and EU Commission (both opposed to net neutrality) and the European Parliament led to a compromise text which is ambiguous on some key points. It tasked BEREC with publishing guidelines, by 30 August 2016, to provide a common approach to implementing the Regulation in the EU Member States. This compromise text was adopted, following legal “scrubbing”.

On 6 June 2016, BEREC published the draft guidelines for how the net neutrality Regulation should be implemented, together with the launch of a public consultation. The consultation gave citizens and innovative businesses the opportunity to provide their input and support a free and open internet. EDRi responded to the consultation, and encouraged citizens to send their answer to the consultation through SaveTheInternet.eu. More than half a million messages were sent to BEREC through the platform.


Key figures

  • Seven versions of the campaign website (savetheinternet.eu) were prepared for every step of the legislative process.
  • 40 000 fax messages were sent by individuals to Members of the European Parliament.
  • Six marches in support of net neutrality were organised in cities across Europe.
  • Over 500 000 responses to BEREC were sent by concerned internet users in support of the open, innovative and neutral internet.

Note to editors: This press release is based on preliminary draft versions of the guidelines. A more detailed analysis will follow.
