21 Jan 2019

CULT: Fundamental rights missing in the Terrorist Content Regulation

By Diego Naranjo

The European Parliament (EP) Committee on Culture and Education (CULT), published on 16 January its Draft Opinion on the proposal for a Regulation preventing the dissemination of terrorist content online. Member of the European Parliament (MEP) Julie Ward, the Rapporteur for the Opinion, has joined Rapporteur for the IMCO Committee Julia Reda MEP, and civil rights group in criticising many aspects of the Commission original proposal. The Rapporteur expresses her concerns regarding threats for “fundamental rights, such as freedom of expression and access to information, as well as media pluralism.”

In the Draft Opinion, CULT proposes a number of changes:

  • Definition of terrorist content: The Opinion suggests aligning the definition of terrorist content with the Terrorism Directive 2017/541/EU and to carve-out educational, journalistic or research material.
  • Definition of hosting service providers: The CULT Committee acknowledges that the definition of these services is “too broad and legally unclear”, and that many services which are not the target of this Regulation would be unnecessarily covered. The Rapporteur suggests covering only those hosting service providers that make the content available to the general public.
  • Removal orders: According to the Opinion, the only authorities competent to issue removal orders should be judicial authorities, since they are the ones with the “sufficient expertise”. Furthermore, the “one hour” time frame to respond to the removal orders is replaced by “without undue delay”. This would allow for more flexibility for smaller service providers.
  • Pro-active measures: The obligation of pro-activity (in practice, to implement upload filters in hosting services) is deleted from the proposal.
  • Finally, the Rapporteur suggests removing the financial penalties in order to avoid smaller providers being overburdened, as well as to prevent the likely scenario “where companies may overly block and remove content in order to protect themselves against possible financial penalties.”

This constitutes, on a general level, a very welcome improvement of the dangerous pitfalls of the Commission’s original proposal. Of particular relevance is the Rapporteur’s assessment that an imposition of proactive measures would amount to a breach of Article 15 of the e-Commerce Directive (which contains the prohibition of general monitoring obligations), as well as the proposed deletion of pro-active measures (upload filters). However, it is unclear how the addition by the Rapporteur in Art. 3 (2) saying that hosting service providers “shall not store terrorist content” could be put in place without upload filters, even if as a safeguard the Rapporteur asks those measures to be “appropriate”.

Another shortcoming of the Draft Opinion is the lack of concern about the highly unaccountable instrument of providing referral capacities to national authorities. For some reason, the Rapporteur has decided not to address this trojan horse, which would directly implement privatised law enforcement in the European Union. Referrals from national authorities, even though with their intent to be just for “voluntary consideration” by private companies, are likely to become the way that pervasive Governments outsource the protection of Freedom of Expression to unaccountable private companies, who are outside of the scope of the Charter of Fundamental Rights.

Even though the Rapporteur has not addressed all of the key issues, there are many positive suggestions in the Draft Opinion. Some of them are in line with the IMCO Committee Draft Opinion, which provided an even more comprehensive proposal for improvement. Given the criticism from both Committees, three UN Special Rapporteurs and a large number of civil society groups, the lead committee, the Civil Liberties (LIBE) Committee, is expected to take all of this criticism on board and comprehensively amend the Regulation.

Draft Opinion of the Committee on Culture and Education on the proposal for a regulation on preventing the dissemination of terrorist content online (16.01.2018)

Terrorist Content Regulation: document pool

Terrorist Content: IMCO draft Opinion sets the stage right for EP (18.01.2019)

Terrorist Content Regulation: Warnings from the UN and the CoE (19.12.2018)

The EU Council’s general approach on Terrorist Content Online proposal: A step towards pre-emptive censorship (11.12.2018)

Terrorist Content Regulation: Civil rights groups raise major concerns (05.12.2018)

Terrorist content regulation – prior authorisation for all uploads? (21.11.2018)

(Contribution by Diego Naranjo, EDRi)


21 Jan 2019

Terrorist Content Regulation: Document Pool


Terrorist networks have grown highly prone to the use of the internet for spreading their propaganda and recruiting followers in recent years. Although the fear of the general public of terrorist attacks certainly puts considerable pressure on policy makers, politicians also strategically use the climate of diffuse anxieties to increase the securitisation of the internet and present themselves as capable, tough leaders. The latest example of such election-motivated policy making is the proposal for a Regulation on preventing the dissemination of terrorist content online, with which the European Commission continues its trend of producing a watershed of “solutions” to terrorist propaganda on the internet.

The proposal contains three main measures to address alleged “terrorist” content:

  1. First, it creates orders issued by (undefined) national authorities to remove or disable access to illegal terrorist content within an hour.
  2. Second, competent authorities can choose to make referrals of terrorist-related potential breaches of companies’ terms of service that would be subject to the voluntary consideration of the companies themselves.
  3. Third, it legislates on (undefined) proactive measures that can lead to an authority requesting a general monitoring obligation.

A major concern for the functioning and freedom of the internet is the extension of the upload filter regime the EU is currently about to introduce for copyright to terrorist content. Requiring internet companies to monitor everything we say on the web does not only have grave implications for the freedom of speech, but it also follows a dangerous path of outsourcing and privatising law enforcement.

EDRi will follow the developments of the Terrorist Content Regulation closely and critically in the next months and provide crucial input to policy makers to ensure that human rights are fully respected in the proposal.

EDRi’s analysis and recommendations
Legislative documents
EDRi’s blogposts and press releases
Key Policy Makers

EDRi’s analysis and recommendations:

Legislative documents:

EDRi’s blogposts and press releases:


  • Press Release: Commission announces the new Terrorist Content Regulation (12.09.2018)

Key Policy Makers:


18 Jan 2019

Terrorist Content: IMCO draft Opinion sets the stage right for EP

By Yannic Blaschke

On 16 January 2019, the European Parliament Committee on Internal Market and Consumer Protection (IMCO) published its draft Opinion on the Regulation to prevent the dissemination of terrorist content online. The Opinion challenges many of the issues from the original Commission proposal. The Opinion from IMCO should “inform” the main Report prepared by the the Civil Liberties Committee (LIBE).

IMCO’s draft Opinion addresses many of the high risks of a detrimental impact on the freedom of expression. In a nutshell, it:

  • deletes referrals and “proactive” measures
  • points out the need to refer to “illegal” terrorist content
  • re-defines the services covered and exclude some
  • clarifies that the competent authorities deciding on the measures implemented by the Regulation need to be judicial authorities
  • implements new wording on transparency and more reporting obligations for Law Enforcement Agencies

The original Commission proposal had previously been criticised by three United Nations Special Rapporteurs and a great number of civil society and human rights organisations.

The draft Opinion states the necessity of “terrorist content” to be “offences committed intentionally” and to be “illegal”. While this seems obvious at first, such wording is crucial for the exclusion of works that merely document or report on terrorist crimes, such as journalistic or human rights defender publications, from the scope of the Regulation . The Opinion further clarifies that only publicly available information should be covered by the legislation and that electronic communication services, blogs and data stored in cloud systems must be excluded.

In regards to the new competencies the legislation is supposed to give to national authorities, the draft Opinion makes clear that only judicial authorities should be able to issue removal orders. This is a significant improvement to ensure due process and much preferable compared to the vague reference to “competent authorities” in the original Commission text.

The Rapporteur Julia Reda MEP has also taken a strong stance on the highly sensitive measures of referrals and proactive measures. Referrals are the practice of forwarding a piece of content (which may or may not be illegal) to a hosting service provider for its “voluntary consideration”; proactive measures are obligations for companies to have measures in place to find and disable access to “terrorist content”. Both of these instruments have deeply problematic implications: There is, for instance, a substantial lack of accountability for public authorities as a result of unlawful deletions of content referred by them; in addition to this, the possibility to impose proactive measures (upload filters) on companies would amount to a general monitoring obligation, something prohibited in EU law. In the IMCO draft Opinion, both the referrals and the “proactive measures” are deleted from the text.

Finally, the draft Opinion highlights the need for extensive documentation: The IMCO Rapporteur proposes to collect information on the number of removals that led to successful detection, investigation and prosecution of terrorist offences. Currently, the Commission states that it has no information about the number of investigations that were initiated after referrals made by Europol under its mandate. Thus, it is reasonable that when introducing similar capacities for national law enforcement, the effectiveness and proportionality of measures against “terrorist content” to supporting the investigation of terrorist acts needs to be critically evaluated.

The IMCO Opinion, as proposed by the Rapporteur, brings many positive changes that should be taken into consideration by the LIBE Committee on its Report, for which Daniel Dalton MEP (ECR) is the Rapporteur. The Parliament is well advised to take into consideration the proposals in this draft Opinion because the improvements on aspects such as on Rule of Law principles, predictability, legality and fundamental rights safeguards.

Draft Opinion of the Committee on the Internal Market and Consumer Protection  on the proposal for a regulation of the European Parliament and of the Council on preventing the dissemination of terrorist content online(COM(2018)0640–C8-0405/2018–2018/0331(COD)) (13.12.2018)

Terrorist Content Regulation: Warnings from the UN and the CoE (19.12.2018)

The EU Council’s general approach on Terrorist Content Online proposal: A step towards pre-emptive censorship (11.12.2018)

Terrorist Content Regulation: Civil rights groups raise major concerns (05.12.2018)

Terrorist content regulation – prior authorisation for all uploads? (21.11.2018)

EU Parliament’s anti-terrorism draft Report raises major concerns (10.10.2018)


16 Jan 2019

Digital rights as a security objective: Abuses and loss of trust

By Yannic Blaschke

Violations of human rights online can pose a real threat to our societies, from election’s security to societal polarisation. In this series of blogposts, we explain how and why digital rights must be treated as a security objective. In this third and final blogpost, we discuss how digital rights violations can exacerbate breaches to the rule of law in EU Member States and risk to undermine the already fragile project of the EU, including the European security aspects.

----------------------------------------------------------------- Support our work - make a recurrent donation! https://edri.org/supporters/ -----------------------------------------------------------------

In our previous blogpost, we outlined how an unjustified reliance on algorithms can lead to unintentional censorship and new attack vectors for malicious actors. However, the upload filters that feature in the ongoing discussions for the Copyright Directive and the Terrorist Content Regulation also have a big potential for abuses by public authorities.

There’s a number of examples of state authorities misusing copyright for attacks on the freedom of expression and right to information: Chilling examples are for instance Ecuador, where critics of president Correa were flooded with copyright notices, and the recent attempt of the German government to curb quotes from an internal military report by claiming it as copyrighted material. In the context of counter-terrorism legislation, the situation looks even more severe; with the Commissioner for Human Rights of the Council of Europe recently decrying that “the misuse of anti-terrorism legislation has become one of the most widespread threats to freedom of expression, including media freedom, in Europe”. Laws that have given rise to this alarming assessment are for instance the Spanish “gag law”, which has been severely criticised by international human rights organisations, or the French counter-terrorism laws. The dangerous logic of prosecuting offences vaguely framed as “glorification of terrorism” has led to numerous convictions of citizens on the basis of arbitrariness or because of controversial, yet undoubtedly not terrorist opinions and ideas.

What will happen once such disputes about legitimate forms of expression do not go in front of courts any longer, but filter technologies prevent them from ever appearing in public debate in the first place? What if EU governments start to abuse the competences given to them to censor political journalists, human rights defenders, opponents or ideas they do not like, for instance by calling opposition parties or activists terrorists? What would such abuse mean for the Member States’ eroding trust into each other’s capacity to uphold the rule of law?

In the context of terrorism, the European Commission has proposed that law enforcement should have competences to demand from platforms the introduction of automated filtering technologies if they regard the companies’ own “proactive” measures of content moderation as not extensive enough. Furthermore, there shall be a possibility for the authorities to refer to specific pieces of content to internet companies for their “voluntary consideration”, with a high chance of such content to be taken down due to the hosting providers fear of being held liable for content stored on their servers. Such vague and imprecise measures are not only undermining the rule of law and freedom of expression – they are also bound to be misused. If national authorities with an established record of public interference with citizen’s digital rights start using the additional suppressive instruments provided by the EU in the same disproportionate way they do with their national measures, it will not take long until the courts in other Member States begin to question the extent to which the authorities in their jurisdiction can still cooperate with their abusive counterparts. This has already happened in other contexts: For instance, the CJEU’s decision that extraditions to Poland may be halted. In combination with very different interpretations of what constitutes an offence against the public (for instance, the case of Spanish rapper Valtonyc), cases in which the newly created tools will be deployed to censor voices that are seen as illegal one Member State but are seen as perfectly legal in other Member States can and will further divide the cohesion and integrity of the common area of freedom, security and justice. EU wide public security can only be reached through trust among European judiciaries and law enforcement that throughout cooperative cross-border actions, fundamental rights are respected in all Member States. Giving all EU Member State authorities new censorship powers will achieve nothing but the contrary of such trust – and will thus damage, not improve our security.

Despite some major steps ahead in digital freedoms such as the adoption of the General Data Protection Regulation GDPR , we are still far from realising that digital rights are not just fundamental civil liberties, but also a prerequisite for the security and pluralism of our societies. If we want disinformation to stop ravaging public debate, we should not allow that individuals are forced to automatically give waivers to tracking cookies because it gives publishers and the tracking industry some income. If we want to close the vulnerabilities of our public debate forums on the internet, we cannot impose new gateways for disinformation attacks on online platforms. If we want to prevent the new authoritarianism, we cannot give it more tools of censorship through copyright and the silent eroding of civil liberties in counter-terrorism pursuits.

EU citizens’ digital rights are first and foremost, but not only to the benefit of individuals: they must also be regarded as fundamental to the security of our democratic systems and societal cohesion, both within and across European Union countries. To keep our societies open, free and safe, we must place the rights of the individual at the heart of our internet policies.

Digital rights as a security objective: New gateways for attacks (19.12.2018)

Digital rights as a security objective: Fighting disinformation (05.12.2018)

(Contribution by Yannic Blaschke, EDRi intern)



16 Jan 2019

Advocate General issues two Opinions on “right to be forgotten”

By Yannic Blaschke

On 10 January 2019, the Advocate General (AG) Maciej Szpunar delivered two Opinions to the Court of Justice of the European Union (CJEU) that could have far-reaching implications for the “right to be forgotten”, which aims at enabling individuals to lead an autonomous life without stigmatisation from their past actions.

----------------------------------------------------------------- Support our work with a one-off-donation! https://edri.org/donate/ -----------------------------------------------------------------

A geographical limit to the “right to be forgotten”

In his first opinion, case Google v CNIL (C-507/17), AG Szpunar recommens the CJEU to limit the scope of application of search-engine de-referencing obligations to the territory of the EU. The case at hand was referred to the CJEU after a dispute between search engine operator Google and French Data Protection Authority CNIL. The CNIL had imposed a 100 000 euro fine on Google after the company refused to remove web pages relating to a natural person from all domains listed in its search engine (rather than just EU Member State domains).

In his Opinion, AG Szpunar held that the “right to be forgotten” must be balanced against other fundamental rights, such as the right to data protection and the right to privacy, as well as the legitimate public interest in accessing the information sought. The AG noted that, if worldwide de-referencing were permitted, the EU authorities would not be able to define and determine a right to receive information, especially since public interest in accessing information will necessarily vary from one third State to another, depending on its geographic location. There would thus be a risk that persons in third States would be prevented from accessing information and, in turn, that third States would prevent persons in the EU Member States from accessing information. The AG did, however, not rule out the principal possibility for the existence of cases in which worldwide de-referencing would be justified. He recommended the CJEU to rule that upon receiving a request for de-referencing, search engine providers should not be obliged to implement such measures on all its listed domains. Nevertheless, they should be obliged to implement all possible measures, including geo-blocking, to enforce effective de-referencing for all IP addresses located in the EU, regardless of the used domain.

Search engine operator’s processing of sensitive data

The second Opinion of the AG, case G.C. and Others v CNIL (C-136/17), referred to de-referencing obligations of search engine providers in regard to sensitive categories of data. Following a dispute between the French Data Protection Authority CNIL and the search engine operator Google, Szpunar argued that the prohibitions and restrictions regarding special categories of data (under the previous Data Protection Directive 95/46 EC) cannot apply to the operator of a search engine as if it had itself placed sensitive data on the web pages concerned. Since the activity of a search engine logically takes place only after (sensitive) data have been placed online, those prohibitions and restrictions can, in his opinion, therefore apply to a search engine only by reason of that referencing and, thus, through subsequent verification, when a request for de-referencing is made by the person concerned. Szpunar held, however, that where referencing of sources that store sensitive data occurs, search engine providers have an obligation to react to de-referencing requests after carefully balancing the the right to respect for private life and the right to protection of data with the right of the public to access the information concerned and the right to freedom of expression of the person who provided the information.

Opinions of the Advocates General are not legally binding, but often considerably influence the final verdict of the CJEU. The judgements in both preliminary rulings will be given at a later stage.

Advocate General Szpunar proposes that the Court should limit the scope of the dereferencing that search engine operators are required to carry out to the EU (10.01.2019)

Advocate General Szpunar proposes that the Court should hold that the operator of a search engine must, as a matter of course, accede to a request for the dereferencing of sensitive data (10.01.2019)

Google’s forgetful approach to the “right to be forgotten” (14.12.2016)

More “right to be forgotten” confusion (15.09.2015)

Google now supports AND opposes the “right to be forgotten” (27.08.2014)

Google and the right to be forgotten – the truth is out there (02.07.2014)

Google’s right to be forgotten – industrial scale misinformation? (09.06.2014)

(Contribution by Yannic Blaschke, EDRi intern)



16 Jan 2019

We can no longer talk about sex on Facebook in Europe

By Bits of Freedom

Sometime in late 2018, Facebook quietly added “Sexual Solicitation” to its list of “Objectionable Content”. Without notifying its users. This is quite remarkable, to put it mildly, as for many people sex is far from being a negligible part of life.

The company writes that it draws a line “when content facilitates, encourages or coordinates sexual contact between adults”. A selection of what isn’t allowed (translated from the Dutch-language Community Standards):

“Content that includes an implicit invitation for sexual intercourse, which can be described as naming a sexual act and other suggestive elements including (but not limited to):
– vague suggestive statements such as: ‘looking forward to an enjoyable evening’
– sexual use of language […]
– content (self-made, digital or existing) that possibly portrays explicit sexual acts or a suggestively positioned person/suggestively positioned persons.

Content in which other acts committed by adults are requested or offered, such as:
– commercial pornography
– partners that share fetishes or sexual interests”

It is unclear what the cause is for this change. The most obvious explanation is new legislation that went into force at the beginning of last year in the United States. The “Fight Online Sex Trafficking Act” and the “Stop Enabling Sex Traffickers Act” (FOSTA/SESTA) hold companies accountable for sex work ads on their platform. Craigslist, among others, took its “Personals” offline and Reddit blocked a couple of sex work-related subreddits. Facebook’s new policy can, as well, be seen as a response to this legislation. The broad formulation of the criteria for what isn’t allowed is a precaution. Facebook chooses to err on the side of caution and over-censor, rather than risk the consequences of hosting illegal content.

Facebook boasts about connecting people, but in reality, the company increasingly frustrates our communication. There’s no question that such vaguely formulated rules combined with automated content filters will lead to more arbitrary censoring. But what this incident illustrates, more than anything, is that Facebook is thwarted by the scale at which it operates, and chooses to offload the cost of scale, namely arbitrary censorship and diminished freedom of expression, onto European users. It’s inconceivable that new legislation passed in the US means that in many European countries, if not all, one consenting adult can no longer ask another consenting adult if they want to have sex. Or, for that matter, get in touch with other people over shared fetishes or fantasies, or exchange information about safe sex.

----------------------------------------------------------------- Support our work - make a recurrent donation! https://edri.org/supporters/ -----------------------------------------------------------------

This impacts all European citizens, and is particularly problematic in the case of people who don’t identify with the traditional, heteronormative perspective of sex and turn to the internet for alternatives. In addition, sex workers are affected disproportionately. Sex workers often use online platforms for contacting clients and in order to exchange tips and information. Proud, an interest group for Dutch sex workers, spoke out against the new legislation in 2018 because it would (further) marginalise sex work. Facebook’s new policy demonstrates that these fears weren’t unfounded.

European countries, like all others, work hard in order to uphold their values. Many of these countries find it important that one can speak openly about sex and sexuality. In the Netherlands, significant efforts are made in order to protect and improve sex workers’ rights. Facebook’s policy thwarts these endeavours. It is unacceptable that we find ourselves in a situation in which legislation from another country has such a big impact on our societies. Is Facebook’s bottom line so important to Europe that we are willing to part with the rights and freedoms we’ve fought so hard to achieve?

In Europe we can no longer talk about sex on Facebook (only in Dutch, 13.12.2018)

(Contribution by Evelyn Austin, EDRi member Bits of Freedom, the Netherlands; translation by Winnie van Nunen)



16 Jan 2019

EU Member States willing to retain illegal data retention

By IT-Pol

With its judgments in April 2014 (Digital Rights Ireland ) and December 2016 (Tele2 ), the Court of Justice of the European Union (CJEU) ruled that blanket data retention was illegal under EU law. Rather than repealing their illegal data retention laws, EU Member States have instead adopted a tactic of ignoring the highest court of the European Union under the pretence of a “common reflection process” with an expert data retention working group under the Working Party on Information Exchange and Data Protection (DAPIX).

----------------------------------------------------------------- Support our work with a one-off-donation! https://edri.org/donate/ -----------------------------------------------------------------

At the Justice and Home Affairs (JHA) Council meeting on 6-7 December 2018, the state of play of the expert working group on data retention was discussed. Council document 14319/18 prepared for the meeting reveals that the common reflection process has produced no tangible results towards compliance with the Tele2 judgment: replacing general and indiscriminate (blanket) data retention with targeted data retention. Member States appear to be happy with their current and illegal data retention regimes and do not want to make any changes. A recurring element in the Council document is the unwillingness of Member States to accept the Tele2 judgment, often disguised under a very selective reading of the judgment.

The expert working group has considered the concept of “restricted data retention”, previously analysed in the EDRi-gram. The main novelty is that Member States are supposed to limit the data categories to be retained to what is strictly necessary. No limitation is foreseen with respect to the persons concerned, which means that data about the entire population is retained, as with the current data retention regimes. Therefore, restricted data retention cannot possibly comply with the Tele2 judgment. However, even the token gesture of limiting the data categories has no support among Member States. They claim that the data categories which are not necessary for law enforcement purposes are already excluded. Based on this premise, Member States even contend that “there is no general and indiscriminate retention of data as referred to in the Tele2 judgment”, which is rather remarkable since the CJEU has stated the exact opposite in the Tele2 judgment.

The renewable retention warrant (RRW) proposal is another attempt by Member States to circumvent the Tele2 judgment. While the warrant only covers a single provider of electronic communications services for a fixed period of validity, all providers are expected to be covered by different warrants that are constantly renewed because the RRW would be rendered ineffective for law enforcement purposes if not all providers are covered. In practice, the RRW will be indistinguishable from the current blanket data retention regimes. With the exception of one Member State, which uses a similar system (undoubtedly the United Kingdom), there is no support for the RRW since the system would be too complex and inefficient and would require changes to national laws on criminal procedure.

After two years of “reflection” on the Tele2 judgment, Member States and their expert working group have not come up with a single realistic alternative to the current blanket data retention regimes that the CJEU has ruled to be illegal under EU law. The Council document does not describe a single suggestion which would actually make the data retention scheme targeted and limit the persons concerned by the measure, even though this is expressly required by the CJEU in paragraph 110 of the Tele2 judgment.

The second part of Council document 14319/18 deals with access to the retained data. According to the Tele2 judgment, access to the retained data must be limited to investigations involving serious crime and must be subject to review by a court or an independent administrative authority. As a general rule, only data of individuals suspected of being involved or implicated in a crime can be accessed.

Once again, Member States are reluctant to accept the restrictions imposed by the CJEU. Since there is no EU law or CJEU guidance defining “serious crime”, this task is left to Member States. Some Member States have a very broad definition, even to the point of including crimes that cannot be regarded as serious because of their low maximum sentence, but are nonetheless claimed to be perceived as serious by the general public. It is also noted in the Council document that without access to retained data, criminal investigations in cybercrime cases would often “turn out to be futile because digital evidence would be unavailable”. However, when data retention of electronic communications metadata is a particularly serious interference with fundamental rights, as the CJEU has established (Tele2 paragraph 100), access to the retained data must be subject to strict rules and will not always be available for law enforcement authorities. Since more and more activities are related to the online environment, making a complete carve out for crimes committed online would deprive the privacy and data protection safeguards at the access level of almost any meaning.

The Council document notes that the judicial review regimes of most Member States are in line with the prerequisites set out by the CJEU, through a prior review by a court/judge, an independent administrative authority or the prosecution office. However, by silently adding the prosecution office, which is not an independent judicial authority, to the list, Member States are rather misleadingly overstating their compliance with the Tele2 judgment regarding the requirement of independent review of access requests.

Finally, Member States are very reluctant to limit the access to the retained data to persons that are suspects or accused persons, as required by the CJEU, except in special cases involving terrorism (paragraph 119 of the Tele2 judgment). The main reason for this is that “proceedings are commenced not against certain individuals, but against (at least in the beginning) unknown perpetrators.” This suggests that law enforcement authorities routinely use data retention to find possible suspects of a crime, for example through cell phone tower inquiries where information is obtained about all persons that are present in a certain area. Data-mining investigations like this affect a large number persons, some of whom may become suspects simply because of their presence in a certain area (location data). The Tele2 judgment only allows broad access to the retained data as an exception in particular cases involving terrorism, but Member States want to turn the exception into the general rule by only requiring a connection to criminal investigations when retained data is accessed.

At the JHA Council meeting in December, ministers agreed to continue “the work at experts level to explore avenues to develop a concept of data retention within the EU.” However, this is precisely what the expert working group has been doing for the past two years, without delivering a single proposal for data retention that respects the requirements of the Tele2 judgment.

This puts the European data retention situation at a stalemate. Member States refuse to even think of alternatives to their current blanket data retention regimes, but they cannot have blanket data retention, at least not legally, because the CJEU has ruled that it is illegal under EU law. The European Commission is the “guardian of the Treaties”, but appears unwilling to start infringement proceedings against Member States even if it is “monitoring” them. Legal action at the national level against data retention laws is, of course, a potential way out of the stalemate. Litigation is currently being pursued in some Member States, and in the past has been successful in a number of Member States.

However, Member States are fighting for their blanket data retention regimes at other levels than ignoring the Tele2 judgment. One possibility is that the future ePrivacy Regulation will present a more “favourable” environment for data retention than the current ePrivacy Directive – something that the Council is actively working on. This could give Member States a “fresh start” on data retention since the CJEU would have to assess the national data retention laws against the new ePrivacy Regulation, but still interpreted in light of the (unchanged) Charter of Fundamental Rights. There is also the risk that the CJEU could revise its stance on data retention in some of the new cases that are pending before the Court (C-623/17 from UK, C-520/18 from Belgium, and C-511/18 and C-512/18 from France). The first question in C-520/18 is very similar to the first question in the Tele2 case, that is whether Article 15(1) of the ePrivacy Directive, read in the light of the Charter of Fundamental Rights, precludes a general obligation to retain traffic data for providers of electronic communications services. Member States would undoubtedly see this as an opportunity to “retry” the Digital Rights Ireland and Tele2 cases before the CJEU.

Data retention – state of play. Council document 14319/18 (23.11.2018)

EU Member States plan to ignore EU Court data retention rulings (29.11.2017)

EU Member States fight to retain data retention in place despite CJEU rulings (02.05.2018)

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)



15 Jan 2019

Copyright Week 2019: Copyright as a tool of censorship

By Yannic Blaschke

EDRi member Electronic Frontier Foundation’s Copyright Week is running again from 14 until 20 January 2019. We are participating in the action week with a series of blogposts.

Copyright as a Tool of Censorship

Copyright, when implemented in a human rights compliant way, can be useful to contribute to the wealth of creators, so that they can continue participating in arts and sciences in our societies. To allow for cultural innovation and societal debates, it’s a well-established principle that re-adapting and re-purposing copyrighted material should be allowed in cases of so-called “exceptions”, such as fair comment, reporting, teaching, criticism, satire and parody. Unfortunately, there are too many ways to implement these exceptions in Europe, and it is impossible for the average citizen and most companies to decipher what use is allowed where.

There are frequent clashes of those who seek more restrictive rules to protect copyrighted works and those who fear such rules would limit citizens’ freedom of expression and specifically their right to access to culture. Because assessing which kind of uses are allowed often takes a careful, context-sensitive balancing act, any legislation aiming to enforce the rights of copyright holders needs to have robust and comprehensive provisions on how this balancing will be found and implemented. The balance tipping too much into the direction of restrictions potentially results in censorship – which then can be abused for instance to silence political opponents or to try to deny access to public documents.

This recurring tension between fundamental rights, with protection of intellectual property on the one side and freedom of expression and information on the other side, is exponentially exacerbated when it no longer relies on human judiciaries to verify or dismiss an allegation of infringement, but on technological solutions that pre-emptively filter out anything that matches a pattern stored in the algorithm’s database. The EU has taken an extremely controversial stance on enforcing copyright through such automated means (“upload filters”). The dangers that relying on this technology poses for the freedom of expression have been repeatedly highlighted by civil society, library, academic, business and consumer protection organisations. Even the United Nations Special Rapporteur on freedom of expression, David Kaye, has pointed out serious concerns on the Article 13 provisions of the planned Copyright Directive. The problem is: If algorithms are blatantly failing at recognising the fairly straightforward exceptions to a given policy (consider, for instance, blog hosting service’s tumblr takedowns of its own examples of acceptable nudity), how can we expect them to recognise the subtleties of parody and satire?

Copyright tilts towards censorship when it 1) does not provide for necessary exceptions and limitations, 2) reverses the burden of proof for an infringement and 3) creates direct or indirect measures of pre-emptive removal. The EU Copyright Directive, unfortunately, so far fulfils the latter two of those criteria, and the ongoing trilogues between the European Parliament and the Council of the EU do not raise high hopes that these shortcomings will be fixed in due time. Currently, it provides yet for another example of how the struggle to achieve fair remuneration for artists in the digital age can cause huge repercussions for the internet society as a whole. The copyright censorship to come might be less maliciously intentional than previous examples such as Ecuadorian president Correa’s misconduct, but “accidental” or “collateral damage” types of (automated) over-blocking will nevertheless prove to be detrimental tools of censorship.

Policy-makers world-wide should take the negligent EU copyright debate as a point of departure to explore flexible approaches to copyright that safeguard the fundamental rights and freedoms of citizens, and reject the dangerous trends of blind trust in technology and pre-emptive enforcement.

Copyright: Compulsory filtering instead of obligatory filtering – a compromise? (04.09.2018)

How the EU copyright proposal will hurt the web and Wikipedia (02.07;2018)

EU Censorship Machine: Legislation as propaganda? (11.06.2018)

(Contribution by Yannic Blaschke, EDRi intern)


09 Jan 2019

Bits of Freedom announces winner of privacy award

By Bits of Freedom

The Dutch Big Brother Awards will take place on 22 January 2019 in Amsterdam, the Netherlands.

This year’s distinguished winner of the Felipe Rodriguez Award is Kirsten Fiedler, Managing Director of European Digital Rights. With this award, a Dutch digital rights organisation, EDRi member Bits of Freedom recognises people and organisations who have made a remarkable contribution to our right to privacy in the digital age. Previous winners include Kashmir Hill, Open Whisper Systems, Max Schrems and Edward Snowden. The award ceremony will take place on 22 January 2019.

Photo: Jason Krüger

Kirsten Fiedler is Managing Director* of European Digital Rights (EDRi), an umbrella organisation of digital rights groups that advocates at the EU level for the protection of privacy, security and freedom of expression online. Thanks to Fiedler’s contribution, over the past eight years EDRi has grown into a highly regarded organisation with nine team members and 39 member organisations.

Increasingly, the rights and restrictions of European internetters are negotiated and decided at the EU level. Therefore it is essential that there is a strong organisation in Brussels that advocates for our human rights. Thanks to Fiedler, EDRi has become that organisation. Residents of all member states benefit from their work everyday.

– Hans de Zwart, Executive Director of Bits of Freedom.

Kirsten Fiedler will accept the award on Tuesday 22 January 2019 during a ceremony in Amsterdam. Besides the Felipe Rodriguez Award, Bits of Freedom will award the Audience Award and the Expert Award to the biggest privacy violators of 2018. Tickets can be obtained through www.bigbrotherawards.nl.

What others say about Fiedler’s nomination

“We have lived in Internet long enough to stop calling it ‘new technology’. Yet, we are facing new problems that cannot be solved with old narratives and corrupted political compromises. EDRi, co-led by Kirsten in recent years, is at the front line of all important political battles in Brussels, pushing new narratives and proposing solutions that can actually work.”

– Katarzyna Szymielewicz, Panoptykon Foundation

“EDRi is the first line of defense for digital rights in Europe and beyond. The decisions made by European policymakers have repercussions for individuals the world over, and so it is vital that we have a strong organization like EDRi working to protect our rights online. Since 2011, Kirsten’s contribution has been essential to that effort.”

– Jillian York, Electronic Frontier Foundation (EFF)

“Kirsten is the only person who ever worked for EDRi that didn’t apply for the job. Her passion and drive to fight for our human rights were so clear that I asked her – with zero job security and mediocre pay – to leave her secure job and come to work for EDRi. From that day to this, she was directly or indirectly key to all of EDRi’s successes.”

– Joe McNamee, former Executive Director of European Digital Rights (EDRi)


* From the beginning of 2019, Kirsten has taken over a new area of responsibilities, and now works as Senior Policy and Campaigns Manager.

20 Dec 2018

EDRi Awards 2018


For the first time and with great solemnity, EDRi presents the first ever 5th edition of our annual awards.

The “Humpty Dumpty Award” for the most silly “statistics”

This Award goes to IAB Europe for confusing the Google-Facebook duopoly with publishers to lobby against ePrivacy. Of course, both companies usually do everything they can to avoid being placed into the category of a publisher, but for the IAB it was nevertheless convenient to boast about the “economic value of behavioural advertising” (in other words unasked stalking) by including the revenues of their biggest clients in the larger statistic. Next time IAB, maybe let us know to whom the money goes?

The Springer Award for WTF

This prestigious Award goes to the EU Parliamentarians who are trying to introduce laws at EU level that have already dramatically failed at the national level and are doomed to be disapplied.

Another BREAKING NEWS from the CJEU: AG Hogan advises Court to rule that German press publishers’ right should be disapplied due to lack of preventive notification to EU Commission "Advocate General Hogan: the Court should rule that the new German rule prohibiting search engines from providing excerpts of press products without prior authorisation by the publisher must not be applied."

The cranial fracture facepalm Award

This year’s cranial fracture facepalm Award goes to…surprise… Facebook! Well deserved, because the company:

  • lost the data of hundreds of millions of people
  • ruined a few elections
  • had a data breach which let anyone into millions of people’s accounts
  • and still wants to put an online webcam in your kitchen

Need we say more?

"Today we're excited to introduce @PortalFacebook to everyone. Come say hi and check out http://portal.facebook.com to learn more."

The “rules of engagement” Award for outstanding courtesy in political discussions

Being blocked by the UN Special rapporteur on freedom of expression is surely an achievement to behold: This year’s first ever “rules of engagement Award” goes to David Lowery, writer for the copyright advocate website “The Trichordist” and highly vocal commentator on this year’s discussions on the Copyright Directive proposal. We value a good exchange of arguments. We are, however, sometimes more than a bit surprised about the tone and language that the rightsholder lobby deems appropriate.

"Academia? Experts? Yeah right. Don’t know jack shit about how copyright holders are exploited by internet firms. Don’t wanna know. I offered that UN Rapporteur to come and spend some time with me combatting illegal uploads with me. He blocked my twitter account. Fuck you all!"

Positive EDRi Awards

On a more serious note, we should also spare a thought for the wonderful people that are doing wonderful work at a difficult time.

The new “Old Hero” Award

This year, instead of granting the traditional New Hero Award, we’d like to introduce a new Old Hero Award, to show our thankfulness and respect to our old (young) Executive Director Joe McNamee for his tireless efforts and achievements protecting digital rights in Europe.

We know you are reading this (and quietly correcting our grammar in your mind), so we just want to tell you that, as such, we’ll do our very best to make sure that your spirit carries on!

The heroes who keep us energised Award

We cannot name everybody, including last year’s awardees, but here are some of the stars that are worth highlighting:

  • Female digital rights heroes in the Parliament: MEPs Sippel, in’t Veld, Schaake, Reda, Ernst, Sargentini
  • Wolfie Christl for his research
  • EDRi member Bits of Freedom for their work and contributions to the defence of digital rights in Europe:
  • The thousands of people who voiced their concerns against online censorship and contacted their Parliamentarians during the copyright votes – and were then insulted as being bots

Finally, we want to recognise the amazing work that all of our members and other digital rights activists are doing in Europe and around the world.

The Shortlist

The following Awards were shortlisted this year but did not quite make it to the top:

The Humpty Dumpty Award for unsuccessful filters

Tumblr for its launch of “adult content” filter – it’s so bad at its job that it flagged the company’s own examples of acceptable nudity… Algorithmic filtering just.never.works.

The WTF pop culture surveillance award

Taylor Swift fans who went to her Rose Bowl show on 18 May were unaware of one crucial detail: A facial-recognition camera inside the display was taking everyone’s photos. The images were being transferred to a server, where they were cross-referenced with a database of hundreds of the pop star’s known stalkers.

The cranial fracture facepalm Award

The cranial fracture facepalm Awards 2018 almost went to Axel Voss MEP again – for the third time – for commenting on the proposal on adopting extra rights for filming sports events: “This was a kind of a mistake by the JURI Committee, I think, someone amended these, nobody has been aware of these, and then all of a sudden…”

More shockingly, he does not even seem to know which companies will be covered by his proposals.

Notable Publications

Did you like them? Please, check previous EDRi awards:

EDRi awards 2017
EDRi awards 2016
EDRi awards 2015

EDRi awards 2014