02 Jul 2015

European Digital Rights asks the European Commission to investigate illegal data retention laws in the EU

By Heini Järvinen

European Digital Rights (EDRi) this morning sent a letter to European Commission First Vice-President Frans Timmermans, asking the European Commission to investigate the data retention laws in EU Member States which appear to be illegal in light of the Court of Justice of the European Union (CJEU) ruling on this issue from 8 April last year.

Looking superficially at a cross-section of 14 EU Member States’ approaches to data retention, EDRi identified strong similarities between the provisions in force and those ruled illegal by the European Court. We therefore carried out case studies in relation to six countries (Croatia, Denmark, Finland, Italy, Poland and the United Kingdom) and sent them to the Commission as compelling proof that action needs to be taken.

“Over a year after the Court ruling, it is finally time for the Commission to act,” said Joe McNamee, Executive Director of European Digital Rights. “EU Member States cannot be allowed to break European law with impunity.”

The focus of EDRi’s analysis is:

  1. if EU Member States have provisions which link the data being retained with a particular time period, location, group of people or a serious crime;
  2. the procedures to access the retained data, and who can access it, and
  3. the conditions and the period during which the data is kept.

Although there are differences between the selected Member States, EDRi concluded that the existing laws in these six countries appear to be in contravention of the Charter of Fundamental Rights, following the analysis of the CJEU.

EDRi calls on the European Commission, as the Guardian of the Treaties, to investigate further these and any other national laws that may be in breach of EU case law.

Read more:
Belgian Constitutional Court rules against data retention (17.06.2015)
Data retention: German government tries again (03.06.2015)
Hungarian data retention case: ORG, PI & scholars file amicus briefs (22.04.2015)
In Germany, Data Retention refuses to die (25.03.2015)
Dutch data retention law struck down – for now (12.03.2015)
Data retention in Kosovo and Switzerland – legalising illegal laws (28.01.2015)
Legal Service Opinion on CJEU Data Retention ruling (14.01.2015)
Data retention: EU Commission – guardian and enemy of the treaties (17.12.2015)
Dutch government: Let’s keep data retention mostly unchanged (03.12.2014)
Denmark: Data retention is here to stay despite the CJEU ruling (04.06.2014)
ECJ: Data retention directive contravenes European law (09.04.2014)
Data Retention in Austria: Constitutional Court turns to the CJEU (16.01.2013)

 


European Digital Rights calls on the European Commission to examine illegal data retention laws in the EU

European Digital Rights (EDRi) this morning sent a letter to the First Vice-President of the European Commission. The letter calls on the EU Commission to investigate the data retention laws in the EU Member States, as these appear illegal against the background of the decision of the European Court of Justice of 8 April last year.

After a cursory look at the data retention rules of 14 EU Member States, EDRi found strong similarities between the provisions currently in force and those the Court found illegal. We therefore prepared case studies on six countries (Croatia, Denmark, Finland, Italy, Poland and Great Britain) and sent them to the Commission to show clearly that appropriate measures must be taken.

“More than a year after the court ruling, it is finally time for the Commission to act,” says Joe McNamee, Executive Director of European Digital Rights. “EU Member States must not be allowed to break EU law with impunity.”

The main points of the analysis are:

  1. whether the Member States’ provisions link the retained data to a specific point in time, place, group or a serious crime;
  2. the procedures for accessing the retained data and who has access to this data;
  3. the conditions for storing the data and the length of the retention period.

Although there are differences between the Member States examined, EDRi has concluded on the basis of the CJEU judgment that the laws existing in these six countries violate the Charter of Fundamental Rights.

EDRi calls on the European Commission, as Guardian of the Treaties, to investigate whether these and other national data retention laws violate EU law.


 


European Digital Rights asks the European Commission to open an investigation within the EU into illegitimate data retention laws

This morning European Digital Rights (EDRi) sent a letter to the First Vice-President of the European Commission, Frans Timmermans, asking him to open an investigation, within the EU Member States, into the data retention rules that appear illegal in light of the decision adopted by the Court of Justice of the European Union (CJEU) last 8 April.

After an initial analysis of the approach taken to data retention in the legislation of 14 Member States, EDRi identified deep similarities between the rules in force and those declared illegal by the Court of Justice. We therefore studied the situation in six countries (Croatia, Denmark, Finland, Italy, Poland and the United Kingdom) and sent the results of our research to the Commission as clear proof of the need to take action.

“More than a year after the Court’s decision, the time has come for the Commission to act,” said Joe McNamee, Executive Director of European Digital Rights. “EU Member States cannot be allowed to violate European law with impunity.”

The elements on which EDRi’s analysis focuses are:

  1. whether the rules in force in the EU Member States link the retained data to a certain period of time, to a particular place or group of people, or to a serious crime;
  2. the procedures for accessing the retained data, and who can access it;
  3. the conditions and duration of the data retention period.

Although there are differences between the selected Member States, EDRi concluded that, following the analysis carried out by the CJEU, the rules in force in these six countries appear to be in conflict with the Charter of Fundamental Rights.

EDRi appeals to the European Commission, as Guardian of the Treaties, to investigate these laws more thoroughly, along with any other national law that may violate EU case law.


 


European Digital Rights asks the European Commission to investigate illegal data retention laws in the EU

European Digital Rights (EDRi) this morning sent a letter to the First Vice-President of the European Commission, Frans Timmermans, asking the European Commission to investigate the data retention laws in the EU Member States, which appear to be illegal in light of the judgment of the Court of Justice of the EU on the Data Retention Directive of 8 April 2014.

Based on an initial analysis of the data retention rules in 14 EU Member States, EDRi has identified strong similarities between the legal provisions in force and the provisions that were ruled illegal by the Court of Justice of the EU. We have therefore carried out case studies on six countries (Croatia, Denmark, Finland, Italy, Poland and Great Britain) and sent them to the Commission as a compelling argument that action is needed.

“One year after the ruling of the Court of Justice of the EU, it is finally time for the Commission to act,” says Joe McNamee, Executive Director of European Digital Rights. “EU Member States must not be able to break European law with impunity.”

The focus of EDRi’s analysis is:

  1. whether EU Member States have, in their national legal provisions, limited data collection to specific periods or specific crimes;
  2. the procedure for gaining access to the collected data, and who can gain access, and
  3. the conditions for storing retained data and the retention period.

Although there are differences between the selected Member States, EDRi concludes that the existing laws in these six countries appear to be in conflict with the Charter of Fundamental Rights, cf. the analysis of the Court of Justice of the EU.

EDRi calls on the European Commission, as guardian of the treaties, to investigate the legislation in these six countries and other national laws that may be in conflict with the case law of the Court of Justice of the EU.


 


European Digital Rights asks the European Commission to investigate illegal data retention laws in the European Union

European Digital Rights (EDRi) this morning sent a letter to the First Vice-President of the European Commission, Frans Timmermans, asking the European Commission to conduct an investigation into the data retention laws in EU Member States that are considered not to comply with the ruling of the Court of Justice of the European Union (CJEU) on this issue, delivered on 8 April last year.

Looking superficially at a cross-section of the approaches to data retention of 14 EU Member States, EDRi noticed strong similarities between the provisions in force and those declared unlawful by the European Court. For that reason we carried out an analysis of the situation in six countries (Croatia, Denmark, Finland, Italy, Poland and the United Kingdom), which we forwarded to the Commission as irrefutable proof that action is necessary.

“More than a year after the ruling was delivered, it is high time for the Commission to start acting,” said Joe McNamee, Executive Director of European Digital Rights. “Member States of the European Union must not be allowed to break European laws with impunity.”

In carrying out the analysis, EDRi focused on the following main points:

  1. whether Member States have provisions in their national legislation that link the retained data to a particular period, geographical area, group of people or serious criminal offence;
  2. the procedure for accessing the retained data and who can access it;
  3. the conditions and the period during which the data is retained.

Despite the differences that exist between the countries mentioned, according to EDRi’s conclusion it appears that the existing laws in these six countries constitute a violation of the Charter of Human Rights, in view of the analysis of the Court of Justice (CJEU).

EDRi calls on the European Commission, as Guardian of the European Treaties, to investigate in more detail these and any other national laws that potentially constitute a violation of the case law of the European Union.


 


European Digital Rights demands that the European Commission investigate illegal laws on the retention of telecommunications traffic data in the EU

This morning European Digital Rights (EDRi) sent a letter to European Commission Vice-President Frans Timmermans, demanding that the Commission launch an investigation into the EU Member States’ laws on the retention of telecommunications traffic data, which appear to be unlawful in light of the decision of the Court of Justice of the European Union (ECJ) of 8 April last year.

In comparing the positions of 14 EU Member States on the retention of telecommunications traffic data, EDRi found clear similarities between the provisions in force in the various Member States and the provisions declared illegal by the Court. More detailed analyses of the situation in six Member States (Croatia, Denmark, Finland, Italy, Poland and Great Britain) were sent to the European Commission as compelling proof that the Commission must take swift action to remedy the matter.

“More than a year after the Court’s decision, it would finally be time for the Commission to act,” said Joe McNamee, EDRi’s Executive Director. “Member States cannot be allowed to break EU legislation with impunity.”

EDRi’s analysis focuses on the following points:

  1. whether EU Member States have provisions in force that link the data to a particular time period, location or group of people, or to serious crimes
  2. the procedures concerning how, and by whom, the retained data can be accessed
  3. the conditions for retaining the data and the period for which the data is retained

Although there are differences in the Member States’ laws, the laws in force in the six Member States studied appear to be in conflict with the Charter of Fundamental Rights of the European Union, based on the ECJ’s decision and analysis.

EDRi urges the European Commission, as guardian of the treaties, to investigate the laws of the countries in question on the retention of telecommunications traffic data, as well as other national laws that may violate EU case law.


 


01 Jul 2015

Belgian coalition demands suspension of the TTIP negotiations

By Heini Järvinen

On 26 June 2015, the Belgian EDRi member Liga voor Mensenrechten, together with a wide coalition of other Belgian human rights and consumer organisations, trade union confederations, and environmental and development NGOs, published a declaration asking for an immediate suspension of the negotiations for the Transatlantic Trade and Investment Partnership (TTIP) that are currently ongoing between the United States (US) and the European Union (EU).

The declaration calls for the suspension of the negotiations above all for the defence of fundamental freedoms and rights. One of the main concerns mentioned in the declaration is the risk of suppression of existing European regulation concerning data protection, which would mean undermining the respect of privacy, for economic reasons. The text also mentions a number of other threats that TTIP is posing to Belgian and European citizens, such as the potential negative impact on employment, the healthcare sector, consumer safety, and social and environmental standards.

The coalition emphasises that the negotiations simply cannot continue within the current framework, and that if the negotiations were to be restarted, a fundamentally different mandate has to be adopted. The mandate should not include clauses for Investor-State Dispute Settlement (ISDS), an instrument of public international law giving multinational companies the right to sue states and challenge legislation before special tribunals, if they believe their expected profits are being undermined. There should not be harmonisation of regulations that could lead to lower social standards or consumer and environmental protection, and the highest priority should be given to promoting public services, general interest and citizens’ rights, rather than trade and financial interests.

The need for a truly transparent and democratic process is also highlighted in the declaration. This would require that the negotiation texts and agenda are shared with national governments and civil society organisations, and that they are regularly consulted for their views. Precise impact assessments to evaluate the effects of the negotiated measures should also be conducted.

Lastly, the declaration points out that TTIP is not the only trade agreement under discussion: other similar agreements, such as the Comprehensive Trade and Economic Agreement (CETA), a draft treaty between the EU and Canada that is likely to come up for ratification before TTIP, are similarly undermining European citizens’ fundamental rights and our democracy.

Transatlantic trade agreements: Belgian civil society united against deregulating and non democratic trade agreements (only in French, 26.06.2015)
http://www.cncd.be/IMG/pdf/declarationcommunettip-ceta-be.pdf

Immediate suspension of the TTIP negotiations (only in Flemish, 26.06.2015)
http://www.mo.be/opinie/onmiddellijke-opschorting-van-de-onderhandelingen-over-ttip

01 Jul 2015

Google admits it was wrong on “right to be forgotten”

By Joe McNamee

In the widely publicised “Google/Spain” ruling of the European Court of Justice (CJEU), it was decided that the results of Google searches sometimes infringe the rights of individuals. In such circumstances, individuals can complain – to Google in the first instance – and ask for searches involving their name to be de-linked from the unfair results.

Google reacted furiously to the ruling, arguing that “the balance that was struck was wrong”. This was followed by the publication of comparatively low (bearing in mind the huge amount of publicity) numbers of complaints to Google to de-link content. On 29 June 2015, the total number of requests received by Google was 276 580, which is approximately three percent of the total number of copyright-related removal requests that Google approves every week.

Subsequently, at a meeting of Liberal Member of European Parliament (MEP) Sophie In’t Veld’s “Privacy Platform”, Google’s Privacy Counsel Peter Fleischer got himself into a tangle where he simultaneously argued:

  • that it is “obvious” that Google should act on some of the complaints it receives, as it is clear that the rights of individuals are being undermined;
  • that Google should de-link only relevant results in the national search engines (such as google.nl or google.de for instance), but not on Google.com and;
  • by implication, therefore, that the “obvious” damage to the individuals in question should be allowed to continue via searches carried out via its global .com domain.

On June 19, however, Google changed its policy and now grants a specific “right to be forgotten” to victims of “revenge porn” – and it does this on a global level. So, Google now agrees with the basic principle that it argued against so passionately. Yes, there are obvious cases of individuals’ rights being damaged by Google search results. Yes, Google should react to complaints by those individuals and take measures to mitigate this damage. Yes, Google should implement its measures on its .com domain. The only question that Google hasn’t answered is whether and why it really believes that “revenge porn” is globally the only example of where this is true.

Eric Schmidt: Europe struck wrong balance on right to be forgotten (15.05.2014)
http://www.theguardian.com/technology/2014/may/15/google-eric-schmidt-europe-ruling-right-to-be-forgotten

Online searching and privacy in the EU (19.11.2014)
https://alde.livecasts.eu/online-searching-and-privacy-in-the-eu

Google Public Policy Blog: “Revenge porn” and Search
http://googlepublicpolicy.blogspot.be/2015/06/revenge-porn-and-search.html

(Contribution by Joe McNamee, EDRi)

01 Jul 2015

WiFi tracking and the ePrivacy Directive in Denmark

By Guest author

Citizens are increasingly being monitored and tracked by public authorities and commercial interests. Many carry digital devices which, by design, emit a unique identifier, such as the WiFi Media Access Control (MAC) address of a smartphone. Even though the MAC address does not directly reveal the identity of a person, the fact that it is constant over time and easy to intercept (all you need is a WiFi network adapter), means that it can be used for recognising individuals between different sensor points and tracking their movements. With a sufficient number of sensors, an almost complete profile of a person’s movement in a city can be obtained without consent.

WiFi tracking can be used for a number of purposes, ranging from tracking repeat customers in a shop to measuring road congestion and travel times. At Copenhagen Airport, the technology is used for tracking the movement of passengers, including measuring waiting times at the security checkpoint. Vendors of this type of technology generally claim that they “encrypt” the MAC address in order to alleviate privacy concerns, for example by using a one-way hash function.

Ultimately, the privacy challenge is to give different data to each sensor. Even encryption does not provide a full solution; if the encryption algorithm is shared between two sensor points, citizens can still be recognised from previous sensors and tracked. Complete randomisation of MAC addresses at the collection point will defeat the purpose of tracking, so this will not be done by the vendors. However, certain smartphones can do this before their MAC address is broadcast in the first place. A compromise solution is to change the encryption algorithm regularly, which will allow for tracking within a limited time period only, assuming that information about the previous encryption algorithms is effectively discarded.
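
The compromise described above, as an added example (not code from the article or from any vendor): it models "changing the encryption algorithm regularly" as replacing a random HMAC-SHA256 key once per 24-hour UTC window and discarding the old key, which is an assumption, and compares it with a hash that never changes. The MAC addresses, sensor names and timestamps are constructed.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=24)  # assumed rotation period


def normalise(mac: str) -> bytes:
    """Canonical 6-byte form so 'AA-BB-..' and 'aa:bb:..' hash identically."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def static_hash(mac: str, seen_at=None) -> str:
    """Hash that never changes: it links sightings for as long as data is kept."""
    return hashlib.sha256(normalise(mac)).hexdigest()[:16]


class RotatingPseudonymiser:
    """Keyed hash shared by all sensors; the key lives for one window only."""

    def __init__(self):
        self._window = None
        self._key = None

    def pseudonym(self, mac: str, seen_at: datetime) -> str:
        window = int(seen_at.timestamp() // WINDOW.total_seconds())
        if self._window is None or window > self._window:
            # New window: a fresh key overwrites (discards) the previous one.
            self._window, self._key = window, secrets.token_bytes(32)
        elif window < self._window:
            raise ValueError("key for that window has been discarded")
        digest = hmac.new(self._key, normalise(mac), hashlib.sha256)
        return digest.hexdigest()[:16]


def travel_times(sightings, origin, destination):
    """Join stored (sensor, pseudonym, time) rows into origin->destination trips."""
    first_seen, trips = {}, []
    for sensor, pseudonym, seen_at in sightings:
        if sensor == origin:
            first_seen.setdefault(pseudonym, seen_at)
        elif sensor == destination and pseudonym in first_seen:
            trips.append(seen_at - first_seen.pop(pseudonym))
    return trips


def demo():
    day1 = datetime(2015, 3, 26, 8, 0, tzinfo=timezone.utc)
    day2 = day1 + timedelta(days=1)
    # Constructed sightings, in time order: (sensor, MAC, time).
    raw = [
        ("A", "02:00:00:00:00:01", day1),
        ("A", "02:00:00:00:00:02", day1 + timedelta(minutes=1)),
        ("B", "02-00-00-00-00-01", day1 + timedelta(minutes=12)),
        ("B", "02:00:00:00:00:02", day2),  # same device, next day
    ]
    rotating = RotatingPseudonymiser()
    stored_rotating = [(s, rotating.pseudonym(m, t), t) for s, m, t in raw]
    stored_static = [(s, static_hash(m), t) for s, m, t in raw]
    return {
        # Only the same-day trip can be measured once the key has rotated.
        "rotating": travel_times(stored_rotating, "A", "B"),
        # The unchanging hash also links the device across the day boundary.
        "static": travel_times(stored_static, "A", "B"),
    }


if __name__ == "__main__":
    for scheme, trips in demo().items():
        print(scheme, [str(t) for t in trips])
```

Within a window the pseudonym is still a stable identifier, so the scheme limits how long a device can be followed rather than whether it can be followed.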

In Europe, WiFi tracking is regulated by the Data Protection Directive 1995/46/EC, to the extent that the collected data is regarded as personal data, and by the ePrivacy Directive 2002/58/EC. In Opinion 9/2014 on device fingerprinting from the Article 29 Working Party (WP29), accessing the MAC address of a WiFi device is considered to be covered by Article 5(3) of the ePrivacy Directive, the so-called cookie provision (see section 7.3 of the Opinion). Article 5(3) states that “the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user” is only allowed if informed consent has been obtained from the user. In the present context, the MAC address is the information stored in the user’s terminal equipment. The exceptions for consent in Article 5(3) do not cover the purpose of tracking, according to the WP29 Opinion.

The WP29 Opinion, published in November 2014, caused some concern among Danish municipalities which were using, or planning to use, WiFi MAC tracking for either traffic monitoring or “smart city” projects. The Danish Business Authority, which is the regulatory authority for the Danish transposition of the ePrivacy Directive, initially indicated in media comments that these systems were subject to Article 5(3) and that consent was required. There is no practical way that the required consent could be obtained, so this would effectively have forced the Danish municipalities to stop their traffic monitoring projects.

In January 2015, Blip Systems, a Danish company developing and selling tracking technology, submitted a formal request to the Danish Business Authority about the collection of MAC addresses in the Bliptrack system which is used for traffic monitoring by Danish municipalities. On 26 March 2015, the Danish Business Authority rendered a formal decision on the matter which reversed its initial position that the consent requirement of Article 5(3) applies to these systems.

The decision that Article 5(3) does not apply to the collection of MAC addresses is based on the following factors:

  1. The location data is collected in a way that makes it impossible for Bliptrack to monitor individual citizens. An analogy to anonymised data in the Data Protection Directive 95/46 is made here, but the decision does not mention that first-party cookies used for anonymous web statistics (web analytics) are not exempt from the consent requirement in Article 5(3);
  2. The MAC addresses are anonymised with a hashing algorithm which is changed every 24 hours, so citizens cannot be tracked for a period longer than 24 hours as the hash value of the MAC address has changed;
  3. It is not possible for the Bliptrack system to communicate with users in order to obtain consent.

Overall, the March 2015 decision by the Danish Business Authority seems fairly limited in scope, so that it would not necessarily apply to WiFi tracking over longer periods than one day and for other purposes than aggregated statistics like traffic monitoring.

The European Commission has recently published a study of the national transposition of the ePrivacy Directive, but the work for this study was completed before the WP29 Opinion 9/2014 was made. Interception of WiFi MAC addresses is only briefly mentioned in the study, and only in the context of breaches of confidentiality of communications, a separate issue from Article 5(3).

The cookie provision in Article 5(3) has been heavily criticised by the web industry and internet users alike, because of the annoying cookie popups which ask for consent to place tracking cookies on the user’s device, often with no possibility to refuse. Therefore, it seems likely that Article 5(3) will be changed in the planned revision of the ePrivacy Directive. Needless to say, this will also have implications for the legality of using WiFi tracking in the physical space.

How tracking customers in-store will soon be the norm, The Guardian (10.01.2014)
http://www.theguardian.com/technology/datablog/2014/jan/10/how-tracking-customers-in-store-will-soon-be-the-norm

Opinion 9/2014 on the application of Directive 2002/58/EC to device fingerprinting, Article 29 Data Protection Working Party (25.11.2014)
http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp224_en.pdf

Widely used system for traffic monitoring is illegal, Version2 (only in Danish, 26.01.2015)
http://www.version2.dk/artikel/udbredt-trafikovervaagningssystem-er-ulovligt-76565

Traffic monitoring system not covered by the cookie provision, Danish Business Authority (only in Danish, 26.03.2015)
https://erhvervsstyrelsen.dk/trafikovervaagningssystem-ikke-omfattet-af-cookie-reglerne

ePrivacy Directive: assessment of transposition, effectiveness and compatibility with proposed Data Protection Regulation, The European Commission (10.06.2015)
https://ec.europa.eu/digital-agenda/en/news/eprivacy-directive-assessment-transposition-effectiveness-and-compatibility-proposed-data

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)

01 Jul 2015

AFET Committee adopts its Report on Human rights and technology

By Guest author

The European Parliament Committee on Foreign Affairs (AFET) adopted its Report on “Human rights and technology: the impact of intrusion and surveillance systems on human rights in third countries” on 26 May 2015. The Rapporteur, Marietje Schaake (ALDE, Netherlands), welcomed the adoption of the Report and stressed that “the European Union must assess the impact on human rights when it comes to the use and trade of harmful technologies, and where needed develop regulations urgently”. The Report will be voted on at the plenary session of the European Parliament on 9 July.

The Report aimed at providing input in order to help create smart European legislation which deals adequately with all the concerns, but at the same time takes into account new technological solutions. Appropriate technology tools could generate enormous opportunities in helping to strengthen human rights. However, some of those tools can also be used to try to maintain or reinforce injustices. Thus, there is a growing need to ensure the safety and security of citizens, bearing in mind the fact we are living in a world of globalised surveillance. Specifically, human rights defenders and whistleblowers are usually the main targets of surveillance by state authorities, but also by non-state actors.

“Technologies can help advance human rights such as access to information and freedom of expression. Yet, too many surveillance and intrusion technologies are being produced in Europe and sold to enable human rights violations,” said Schaake. European companies are selling mass surveillance or censorship equipment to third countries, like Bahrain, Syria or Egypt, where their technology is being used to oppress human rights defenders and political activists. In 2014 Privacy International filed a complaint against Gamma International, a British-German company, calling for an urgent investigation of the unlawful surveillance of three Bahraini activists by Bahrain authorities using surveillance technology provided by Gamma International. Similarly, in 2012, a French company Qosmos was accused of selling surveillance products to the Syrian government, in a complaint lodged by International Federation for Human Rights (FIDH).

The Rapporteur invited a wide group of stakeholders including hackers, journalists, activists and lawyers to contribute to the Draft Report with their comments. EDRi was among this group of stakeholders. We provided input suggesting, among other things, the use of open source software, the need for net neutrality and clarifying the role of Internet intermediaries (privatised law enforcement). The Report, as adopted in the AFET Committee, presents a vital element in creating a European regulatory and policy framework that controls the trade of surveillance technologies and prevents human rights violations related to it. Therefore, we are pleased to see that EDRi’s analysis and suggestions were included in the final text.

Report on ‘Human rights and technology: the impact of intrusion and surveillance systems on human rights in third countries’ (03.06.2015)
http://www.marietjeschaake.eu/wp-content/uploads/2015/05/REPORT-on-Human-rights-and-technology-the-impact-of-intrusion-and-surveillance-systems-on-human-rights-in-third-countries-20142232INI.pdf

MEP Marietje Schaake calls for input on report Human rights and technology (09.02.2015)
http://www.marietjeschaake.eu/2015/02/call-for-input-on-report-human-rights-and-technologies/

MEP: EU needs smart policies to strengthen human rights while technologies proliferate (26.05.2015)
http://www.marietjeschaake.eu/2015/05/mep-eu-needs-smart-policies-to-strengthen-human-rights-while-technologies-proliferate/

Privacy International files criminal complaint on behalf of Bahraini activists targeted by spyware FinFisher (13.10.2014)
https://www.privacyinternational.org/?q=node/451

Surveillance technologies “Made in Europe”: Regulation needed to prevent human rights abuses, Position paper, FIDH
https://www.fidh.org/IMG/pdf/surveillance_technologies_made_in_europe-1-2.pdf

(Contribution by Morana Perušić, EDRi intern)

01 Jul 2015

An open letter to Mark Zuckerberg from suspended user Giz

By Guest author

I am confused. When your Chief of Personal Products, Chris Cox, was speaking with the Sisters of Perpetual Indulgence he said that Facebook’s policy never required anyone to use their legal name. He said that Facebook wants users to use our authentic identities, the names our people call us, like Sister Roma and Little Miss Hot Mess.

Since I opened my account, that’s what I have done. I’ve been active for nearly a decade now, and I have been known to all of my friends as “Giz” since I was a teenager, for over 20 years now. When I told my mother about this her answer was “But you ARE Giz, that’s even how I have you in my phone!”

The only people who call me by my legal name are clients and the government. And I would rather not be added as a friend by clients, given the nature of my work and the fact that I am female. My female friends have enough trouble with unsolicited sexual advances on Facebook, I’ve been spared all of this because my name was gender neutral.

My legal name is my business name. I really don’t see why I need to use my business name on my profile when it’s not how my friends call me. It could also leave my livelihood at risk as my name is not particularly common. I have witnessed a public page being used in defamation of a friend’s character – they were accused of being a paedophile because they supported marriage equality. There is no way for my friend to know how many people saw that post, how many could have given it credence. He’s only lucky it didn’t find its way to his work as it would cost him his career working with vulnerable individuals.

So what can I do to ensure that my personal politics or beliefs are not used to defame me and destroy my livelihood? Simple! I use the name my friends call me on my personal profile, like I had been, until Facebook decided I was using what they consider a “fake name”.

I have to admit the irony of Facebook accusing me of being a fake user while sending me automated emails that pretend to be from a human is laughable. This is my connection to those I love. The very fact that I have attempted to engage should alert you to the fact that I am a real person. If I was a troll I doubt the deactivation of my account would matter, a troll will merely set up a new account – and they do not need government ID to do so. If they wish to circumvent the real name policy, then they will just use a real sounding name – because unless you have asked every single user to provide their ID then you cannot claim that every user is using their true name.

If Facebook were to require government ID for registration, or indeed to suddenly require it from all users, how do you think that would affect your site’s traffic? I would imagine it would lead to a massive defection from the platform, purely because Facebook has its chequered past with privacy issues, social experiments and there’s a sizable chunk of the population who would consider Facebook to be working for the NSA.

If I use my legal name on Facebook it makes me more likely to receive unwanted sexual advances from strangers, including graphic photographs, if my female friends’ experiences are anything to go by. It also makes my business vulnerable to attack by those who cannot seem to separate a difference of opinion from a reason for vengeful attack (they exist, although, at present, with a gender neutral name, the worst I get is generalised attacks, the abuse women receive online is quite different to that which men receive).

I would like my profile back, please. Or at least for someone in Facebook to engage with me. Like I said when you first asked for my ID, why would I want to prove my identity to a company that can’t even do me the basic courtesy of engaging with me as a human?

Yours, Exiled.

Giz

01 Jul 2015

JURI Committee adopts disastrous Trade Secrets provisions

By Guest author

The proposed Trade Secrets Directive, previously reported in EDRi-gram, was adopted on 16 June by the European Parliament Committee on Legal Affairs (JURI). To put it briefly, this proposal would create a new pseudo-intellectual property right for businesses to protect information that is not covered by traditional intellectual property rights. Commercially sensitive information is now typically protected through non-disclosure agreements between business partners. Such agreements do not extend to third parties to which information may have been leaked. This directive would change that by providing remedies against such third parties.

The adopted Draft Resolution pays at best lip service to the serious concerns raised about the impact on freedom of expression, transparency and the free flow of information necessary in a democratic society. By classifying goods whose conception is based on unlawfully acquired trade secrets, the JURI Committee has created a de facto pseudo-patent without much in the way of mitigating measures of the patent system. Moreover, the JURI Committee has accepted as a principle that access to trade secrets is by definition unlawful. This is harmful because even the fact that fundamental rights can preclude the application of the Directive’s remedies against the use of trade secrets does not preclude its chilling effects. Chilling effects will have a negative impact on whistleblowers, journalists, IT-security researchers, free software developers and competition in general. This principle taints any leaked or reverse engineered information used by anyone other than the original trade secrets holder. Anything that the original trade secrets holder considers to be contrary to their interest (legitimate or not, the text does not differentiate on this), becomes actionable under this proposal. Faced with the expense and difficulty of proving that information leaked or reverse engineered serves an overriding public interest, many actors in the fields affected will just stay away from any information that might turn the ire of (large) businesses on them. Especially in the field of IT-security, this has the makings of a great tool to suppress the disclosure of weaknesses in the products of large vendors.

The Committee’s adoption of this Draft Resolution is in stark contrast to the new calls of the Parliamentary Assembly of the Council of Europe for more whistleblower protections. Thus, while the EP has made so-called “trade secrets” untouchable, regardless of whether those secrets are the result of real efforts made by a company after investing or a cover-up for human rights violations, the Council of Europe has taken a step forward in its Resolution by calling for new legally binding instruments for whistleblower protection. The step forward has been of such magnitude that Edward Snowden, who analysed the text and spoke at the PACE meeting, saw it as an “incredibly strong text”. At the time of writing, no vote in the Plenary of the European Parliament has been scheduled on this dossier yet.

EU trade secrets Directive: threat to free speech, health, environment and worker mobility (23.03.2015)
https://edri.org/trade-secrets-directive-statement/

Improving the protection of whistle-blowers
http://assembly.coe.int/nw/xml/XRef/X2H-Xref-ViewPDF.asp?FileID=21931&lang=en

(Contribution by Walter van Holst, EDRi member Vrijschrift, Netherlands)

30 Jun 2015

Blurry, ambiguous “net neutrality” deal is an abdication of responsibility

By Joe McNamee

Fifteen months after the European Parliament voted in favour of clear protection for net neutrality in Europe, a messy, ambiguous “deal” was reached around 2am on 30 June. In the coming days, negotiators will finalise explanatory notes (known as “recitals”) which may add some clarity. However, the apparently deliberate ambiguity of the text agreed so far does not create much hope.

If approved by the Member States in the Council and the European Parliament, we will have to wait for at least a full year before courts and regulators will start giving meaning to the agreement.

“What is the point of agreeing to adopt legislation that makes the legal situation less clear than it was before? Now we have text which could mean almost anything – we did not need more legal uncertainty,”

said Joe McNamee, Executive Director of European Digital Rights.

Key points of confusion:

  • Distinction between “specialised services” and the public internet. The “fast lane” services can only get this status if this is “necessary”. However, the current draft explanatory recital defines “necessary” so broadly that anything that is not a “general prioritisation” of traffic could, in principle, be covered. (Recital 11, Article 3.5)
  • The scope of the Regulation is defined in a way that does not fully cover the key issue of “specialised services”. (Article 1)
  • Not alone does the Regulation seek to define what a “legal obligation” for blocking/filtering might be (does this really need to be explained?), the definition is so badly drafted that it could cover activities that are not legal obligations – “measures giving effect to such Union or national legislation, in compliance with Union law, including [i.e. not limited to] with orders by courts or public authorities vested with relevant powers;” (Article 3.3.a). The current draft recital contains a 90-word sentence that has no obvious meaning.
  • Even though a draft recital explains that “specialised services” are only possible if they do not have a “negative impact of the provision of such services on the availability or quality of internet access services”, there is an obligation for Internet access providers to provide details of the “impact on the same end-user’s internet access services”. What is the agreement – that they can have an impact or they can’t? (Recital 11a and Article 4.3.c)

The “deal” was achieved after three months of “negotiations” between the EU Council (the Member States of the EU) and the European Parliament. At every stage, the Council simply refused to engage in a dialogue. Then, racing to meet the arbitrary deadline created by the end of the Latvian Presidency of the EU Council, this chaotic, sub-standard text was provisionally agreed.

Now that our political “leaders” have decided that they cannot make a decision, we must wait for unelected judges and regulators to do the hard work.

This is “just” a provisional agreement. First, the explanatory recitals need to be finalised. Then, the EU institutions need to decide if they are really prepared to create such legal uncertainty for European citizens and business. This will become clear in the coming weeks.

Please find our summary of recent developments here:
https://edri.org/net-neutrality-document-pool-2/
https://edri.org/net-neutrality-primary-document-source/

26 Jun 2015

Press release: Father of net neutrality warns EU’s proposals may “guarantee US dominance” online

By Heini Järvinen

Following high-level meetings with the European Commission this week, leading US Professor Tim Wu said he was “worried that the Internet in Europe will never recover if these proposals are adopted.” He added that, in relation to online services, the proposals may guarantee the dominance of US online services in Europe for years to come.

With regard to his meetings with the Commission, Professor Wu commented:

I don’t think the Commission should have a preference for a bad agreement rather than no agreement at all.

Joe McNamee, Executive Director of European Digital Rights said:

Professor Wu is a leading expert on the issue of net neutrality. It is crucial that European policy-makers take these warnings seriously.

The current situation in the European Union is critical. After the European Parliament adopted a strong first reading text in 2014, it is being subject to pressure from Member State governments represented in the Council and from the Commission. The Parliament has the democratic support not to concede to pressure and deliver net neutrality. You can help save the Internet through https://savetheinternet.eu/.

Background information:

  • In 2013, Prof. Wu was named to National Law Journal’s “America’s 100 Most Influential Lawyers.”
  • In 2006 he was named one of Scientific American’s 50 people of the year.
  • In 2007, he was named one of Harvard University’s 100 most influential graduates by 02138 magazine.
  • From 2011 to 2012, Wu served as a Senior Advisor to the Federal Trade Commission.
  • Notably, Prof. Wu was the first person to coin the term “net neutrality”.

Tim_Wu
Photo by Sagmanbennettrobbins at English Wikipedia, CC BY-SA 3.0

25 Jun 2015

Democratic support for net neutrality is clear, as is Council’s stubbornness

By Maryant Fernández Pérez

All political groups in the European Parliament have made their support for net neutrality clear. Not alone did the European Parliament adopt a strong text in favour of non-discrimination on the Internet in 2014, but political groups representing the vast majority of the Parliament have made clear statements in favour of a neutral, innovative, democratic internet.

However, in three months of “negotiations” with 28 EU Member States represented in the Council of the European Union, the Council completely refused to show any openness to honest compromise. Even worse, in the last public Council meeting, nobody, either from the Commission or the Member States, was even prepared to say the words “net neutrality”.

Democratic support for net neutrality exists. It’s clear. Citizens want net neutrality, start-ups want net neutrality, civil society wants net neutrality, consumers groups want net neutrality, the youth wings of European political parties want net neutrality, online companies want net neutrality. And our representatives in the Council? The EU Council wants protectionist measures for a few ex-monopolies. Contact your MEPs to offer your support at https://savetheinternet.eu and contact your national Telecommunications Ministry to find out why they are not representing you.
