17 Jul 2019

Microsoft Office 365 banned from German schools over privacy concerns

By Jan Penfrat

In a bombshell decision, the Data Protection Authority (DPA) of the German Land of Hesse has ruled that schools are banned from using Microsoft’s cloud office product “Office 365”. According to the decision, the platform’s standard settings expose personal information about school pupils and teachers “to possible access by US officials” and are thus incompatible with European and local data protection laws.

The ruling is the result of several years of domestic debate about whether German schools and other state institutions should be using Microsoft software at all, reports ZDNet. In 2018, investigators in the Netherlands discovered that the data collected by Microsoft “could include anything from standard software diagnostics to user content from inside applications, such as sentences from documents and email subject lines.” All of which contravenes the General Data Protection Regulation (GDPR) and potentially local laws for the protection of personal data of underaged pupils.

While Microsoft’s “Office 365” is not a new product, the company has recently changed its offer in Germany: Until now, it provided customers with a special German cloud version hosted on servers run by German telecoms giant Deutsche Telekom. Deutsche Telekom served as a kind of infrastructure trustee, putting customer data outside the legal reach of US law enforcement and intelligence agencies. In 2018, however, Microsoft announced that in 2019 this special arrangement will be terminated and German customers are offered to move to Microsoft’s standard cloud offer in the EU.

Microsoft insists that nothing changes for customers because the new “Office 365” servers are also located in the EU or even in Germany. However, legal developments in the US have put the Hesse DPA on high alert: The newly enacted “US Cloud Act” empowers US government agencies to request access to customer data from all US-based companies no matter where their servers are located.

To make things even worse, Germany’s Federal Office for Information Security (BSI) recently expressed concerns about telemetry data that the Windows 10 operating system collects and transmits to Microsoft. So even if German (or European) schools stopped using the company’s cloud office, its ubiquitous Windows operating system also leaks data to the US with no control or stopping it for users.

School pupils are usually not able to give consent, Max Schrems from EDRi member noyb told ZDNet. “And if data is sent to Microsoft in the US, it is subject to US mass surveillance laws. This is illegal under EU law.” Even if that was legal, says the Hesse DPA, schools and other public institutions in Germany have a “particular responsibility for what they do with personal data, and how transparent they are about that.”

It seems that fulfilling those responsibilities hasn’t been possible when using Microsoft Office 365. In a next step, it is crucial that European DPAs discuss those findings within the European Data Protection Board to come to an EU-wide rule that protects children’s personal data from unregulated access by US agencies. Otherwise European schools would be well-advised to switch to privacy-friendly alternatives such as Linux, LibreOffice, and Nextcloud.

Statement of the Commissioner for Data Protection and Freedom of Information of the Land of Hesse regarding the use of Microsoft Office 365 in schools in Hesse (only in German, 09.07.2019)

Microsoft Office 365: Banned in German schools over privacy fears (12.07.2019)

Microsoft offers cloud services in new German data centers as of 2019 in reaction to changes in demand (only in German, 31.08.2018)

(Contribution by Jan Penfrat, EDRi)

11 Jul 2019

E-Commerce review: Technology is the solution. What is the problem?

By Kirsten Fiedler

This is the second article in our series on Europe’s future rules for intermediary liability and content moderation. You can read the introduction here.

When it comes to tackling illegal and “harmful” content online, there’s a major trend in policy-making: Big tech seems to be both the cause of and the solution to all problems.

However, hoping that technology would solve problems that are deeply rooted in our societies is misguided. Moderating content that people post online can only be seen as a partial solution to much wider societal issues. It might help us to deal with some of the symptoms but it won’t solve the root of the problems.

Secondly, giving in to hypes and trying to find “quick fixes” for trending topics occupying the news cycle is not good policy-making. Rushed policy proposals rarely allow for an in-depth analysis of the full picture, or for the consideration and mitigation of potential side-effects. Worse, such proposals are often counter-productive.

For instance, an Oxford Internet Institute study revealed that the problem of disinformation on Twitter during the EU elections had been overstated. Less than 4% of sources circulating on that platform during the researchers’ data collection period qualified as disinformation. Overall, users shared far more links to established news outlets than to suspicious online sources.

Therefore, before launching any review of the EU’s e-Commerce Directive, policy-makers should ask themselves: What are the problems we want to address? Do we have a clear understanding of the nature, scale, and evolution of those problems? What can be done to efficiently tackle them? Even though the Directive’s provisions on the liability of online platforms also impact content moderation, the upcoming e-Commerce review is too important to be hijacked by the blind ambition to eradicate all objectionable speech online.

In Europe, the decision about what is illegal is part of the democratic process in the Member States. Defining “harmful online content” that is not necessarily illegal is much harder and there is no process or authority to do it. Therefore, regulatory efforts should focus on illegal content only. The unclear and slippery territory of attempting to regulate “harmful” (but legal) content puts our democracy, our rights and our freedoms at risk. When reviewing the E-Commerce Directive, the EU Commission should follow its Communication on Platforms from 2016.

Once the problems are properly defined and policy-makers agree on what kind of illegal activity should be tackled online, any regulation of online platforms and uploaded content should take a closer look at the services it attempts to regulate, as well as assess how content spreads and at what scale. Regulating the internet as if it consisted only of Google and Facebook, will inevitably lead to an internet that does consist only of Google and Facebook. Unfortunately, as we’ve seen in the debate around upload filters during the copyright reform, political thinking around speech regulation is focused on a small number of very dominant players (most notably Facebook, YouTube, and Twitter). This political focus paradoxically turned out to reinforce the dominant market position of existing monopolies. It would be very unfortunate to repeat the mistakes that were made, in the context of legislation which has as far-reaching consequences as the EU’s e-Commerce Directive.

European Commission Communication on Online Platforms and the Digital Single Market Opportunities and Challenges for Europe (25.05.2016)

Junk News during the EU Parliamentary Elections (21.05.2019)

09 Jul 2019

Join EDRi as policy intern!


European Digital Rights (EDRi) is an international not-for-profit association of 42 digital human rights organisations from across Europe. We defend and promote rights and freedoms in the digital environment, such as the right to privacy, freedom of expression, and access to information.

Join EDRi now and become a superhero for the defence of our rights and freedoms online!

The EDRi office in Brussels is currently accepting applications for an intern to support our policy team. This is your opportunity to get first-hand experience in EU policy-making and contribute to a change in favour of digital rights and freedoms across Europe. The internship will go from 15 September (or 1 October) to 31 March and is remunerated minimum 750 EUR per month (according to “convention d’immersion professionnelle”).

Key tasks:

  • Conducting research and analysis on topics such as data protection, privacy, net neutrality, intermediary liability and freedom of expression, encryption, cross-border access to data and digital trade
  • Drafting regular internal policy updates for the EDRi network
  • Monitoring international, EU and national policy developments
  • Organising and participating in meetings and events
  • Supporting the creation of the EDRi-gram newsletter
  • Assisting in the preparation of draft reports, presentations and other internal and external documents
  • Supporting EDRi’s day-to-day office management
  • Developing public education materials


  • Demonstrated interest in and enthusiasm for human rights and technology-related legal issues
  • Good understanding of European policy-making
  • Excellent research and writing skills
  • Fluent command of spoken and written English
  • Computer literacy
  • Experience in the fields of data protection, privacy, copyright, net neutrality, intermediary liability and freedom of expression, surveillance and law enforcement, or digital trade is an asset

Read about previous internship experiences at EDRi here.

How to apply:

To apply please send a maximum one-page cover letter and a maximum two-page CV in English and only as pdf files (other formats such as doc and docx will not be accepted) to jan >dot< penfrat >at< edri >dot< org.

The closing date for applications is 22 July 2019. The interviews and written assignments will take place between 26-30 August 2019. Please note that due to limited resources only shortlisted candidates will be contacted.

We are an equal opportunities employer with a strong commitment to transparency and inclusion. People from all backgrounds are encouraged to apply and we strive to have a diverse and inclusive working environment.

04 Jul 2019

Real Time Bidding: The auction for your attention

By Andreea Belu

The digitalisation of marketing has introduced novel industry practices and business models. Some of these new systems have developed into crucial threats to people’s freedoms. A particularly alarming one is Real Time Bidding (RTB).

When you visit a website, you often encounter content published by the website’s owner/author, and external ads. Since a certain type of content attracts a certain audience, the website owner can sell some space on their website to advertisers that want to reach those readers.

In the earlier years of the web, ads used to be contextual, and the website would sell its ad space to a certain advertiser in the field. For example, ads on a website about cars would typically relate to cars. Later, ads have become more personalised, and they now focus on the unique website reader. They have become “programmatic advertising”. The website still sells its space, but now it sells it to advertisement platforms, “ad exchanges”. Ad exchanges are digital marketplaces that connect publishers (like websites) to advertisers by auctioning the attention you give that website. This automated auction process is called Real Time Bidding (RTB).

How does Real Time Bidding work?

Imagine auctions, stock exchange, traders, big screens, noise, graphs, percentages. Similarly, RTB systems facilitate the auction of website ad space to the highest bidding advertiser. How does it work?

A website rents its advertising space to one (or many) ad exchanges. In the blink of an eye, the ad exchange creates a “bid request” that can include information from the website: what you’re reading, watching or listening to on the website you are on, the categories into which that content goes, your unique pseudonymous ID, your profile’s ID from the ad buyer’s system, your location, device type (smartphone or laptop), operating system, browser, IP address, and so on.

From their side, advertisers inform the ad exchange about who they want to reach. Sometimes they provide detailed customer segments. These categories have been obtained by combining the advertisers’ data about (potential) customers, and the personal profiles generated by data brokers such as Cambridge Analytica, Experian, Acxiom or Oracle. The ad exchange has now a complex profile of you, made of information from the website supplying the ad space, and information from the advertiser demanding the ad space. When there is a match between a bid request and the advertiser’s desired customer segment, a Demand Side Platform (DSP) acting on behalf of thousands of advertisers starts placing bids for the website’s ad space. The highest bid wins, places its ad in front of a particular website viewer, and the rest is history.

Click to watch the animation


Every time you visit a website that uses RTB, your personal data is publicly broadcasted to possibly thousands of companies ready to target their ads. Whenever this happens, you have no control over who has access to your personal data. Whenever this happens, you have no way of objecting to being traded. Whenever this happens, you cannot oppose to being targeted as Jew hater, incest or abuse victim, impotent, or right wing extremist. Whenever this happens, you have no idea whether you are being discriminated.

Whenever this happens, you have no idea where your data flows.

EDRi’s members suing against RTB

Real time bidding poses immense risks for our human rights in the digital space, specifically for the rights recognised in the EU General Data Protection Regulation (GDPR). More, it puts you at high risks of being discriminated. For these reasons, several EDRi members and observers have taken action and filed lawsuits against RTB in different EU countries. Privacy International, Panoptykon Foundation, Open Rights Group, Bits of Freedom, Digitale Gesellschaft, digitalcourage, La Quadrature du Net and Coalizione Italiana per le Libertà e i Diritti civili are taking part in a wider campaign that urges the ad tech industry to #StopSpyingOnUs.

Support their effort in fighting for your rights and spread the word!

Read More:

Privacy International full timeline of complaints

GDPR Today: Ad Tech GDPR complaint is extended to four more European regulators

Prevent the Online Ad Industry from Misusing Your Data – Join the #StopSpyingOnUs Campaign

The Adtech Crisis and Disinformation – Dr Johnny Ryan

Blogpost series: Your privacy, security and freedom online are in danger (14.09.2016)

03 Jul 2019

EDRi is looking for a Communications Intern


European Digital Rights (EDRi) is an international not-for-profit association of 42 digital human rights organisations. We defend and promote rights and freedoms in the digital environment, such as the right to privacy, personal data protection, freedom of expression, and access to information.

Join EDRi now and become a superhero for the defense of our rights and freedoms online!

The EDRi Brussels office is currently looking for an intern to support Senior Communications Manager, Campaigns and Communications Manager, and Community Coordinator. The internship will focus on social media, publications, campaigning, press work, and the production of written materials. The intern will also assist in tasks related to community coordination.

The internship will begin in September 2019 and go on for 4-6 months. You will receive a monthly remuneration of minimum 750 EUR (according to “convention d’immersion professionnelle”).

Key tasks:

  • maintaining social media accounts: drafting posts, creating visuals, engaging with followers, monitoring
  • contributing to drafting and editing of press releases and briefings, newsletter articles, and supporter mailings
  • maintaining mailing lists for press distribution, newsletter and supporter mailings
  • layouts and editing of visual (and audiovisual) materials
  • updating and analysing communications statistics and visibility in media
  • assisting in event organisation

Must-have skills and qualifications:

  • experience in social media community management and publications
  • photo editing skills
  • excellent skills in writing and editing
  • fluent command of spoken and written English

Desired skills:

  • video editing skills
  • experience in journalism, media or public relations
  • interest in online activism and campaigning for digital human rights

How to apply:

To apply please send a maximum one-page cover letter and a maximum two-page CV (only PDFs are accepted) by email to heini >dot< jarvinen >at< edri >dot< org. Closing date for applications has been extended until 22 July 2019. Interviews with selected candidates will take place during the last two weeks of July.

We are an equal opportunities employer with a strong commitment to transparency and inclusion. We strive to have a diverse and inclusive working environment. We encourage individual members of groups at risk of racism or other forms of discrimination to apply for this post.

03 Jul 2019

Fighting online hatespeech: An alternative to mandatory real names

By Gesellschaft für Freiheitsrechte

The internet facilitates debates: People around the globe can connect at almost zero cost, and information and opinions that would otherwise hardly be noticed can go viral through social media. However, services like Twitter and Facebook can also be used for targeted defamation. Especially people who belong to minorities or endorse views outside the mainstream have described grave verbal attacks. Women who are active in politics often face rape threats. Such abuses of online communication should not be tolerated in a democracy.

An obligation for real names is not a solution

In response, “number plates” for the internet have been proposed – people should be required to disclose their real names before they can participate in forums and on social media. However, such a “real name obligation” would achieve very little in terms of protections against verbal abuse online, and at the same time, it would cause serious collateral damage.

The arguments against an obligation for real names are manifold: For example, its supporters fail to notice that there has been an obligation for real names on Facebook for many years, which many users simply ignore. It’s doubtful whether such an obligation would even be admissible under European law. In any case, such a policy would only apply at the national level. Should platforms simply hide all posts by users from other countries where real names are not required by law?

Everyday experience and recent studies show that a remarkable number of users do not shy away from criminal online activities, even if they are acting under their real names. This is because the problem with pursuing crimes online is not the anonymity of the offenders; it is the irritatingly low level of engagement from the responsible authorities. If it’s possible to commit such crimes without any risk of consequences, this will impact the popular sense of right and wrong.

The biggest disadvantage of a real name obligation is that it would silence those who depend on anonymous or pseudonymous communication. Conservatives often assume that such a need only exists in authoritarian states. However, even in a democracy many people have comprehensible reasons why they would not or cannot communicate openly. For example, people who engage against Nazis can hardly make this public in some regions of Germany without facing significant risk of physical harm. Interestingly, even almost all German judges and prosecutors who actively use Twitter prefer to do so under a pseudonym.

Better: Target the accounts

Introducing a real name obligation would be a dangerous error of judgement, but legislators do need to act. Because online bullies cannot always be identified, the focus should be on their weapons – their accounts, which they use to undertake verbal acts of violence. A judicial process should be introduced in which victims or victim protection organisations can request for accounts that are abused for unlawful speech to be blocked. Courts of law could impose blockages on individual accounts for a certain period of time – or permanently, especially in recurrent cases. The platforms would be barred from showing these accounts to users in a specific geographical location.

Such a judicial process would have many advantages: The identity of the people behind an account would not matter anymore. This would also be an effective course of action against account holders who are known but out of reach, for example because they are located abroad. Contrary to the approach of the Network Enforcement Act (NetzDG) it would not be the platforms who decide, often in dubious ways, which articles are illegal – this would be left to an independent court. Courts have demonstrated that they are capable of making such decisions – in particular, there are courts that specialise in press law and are accustomed to rule even on delicate freedom of speech questions within a few hours.

The NetzDG made social media platforms “addressable”

Of course, such a judicial process would raise questions: Who would be the subject of such a request if the responsible person is not known? With a bit of creativity, those details can be resolved. In the US a judicial petition against “John Doe” is filed in such cases. This anonymous party would be represented in court by the platform that would be responsible to implement any blockages.

Each of the large platforms has already registered a point of contact in Germany pursuant to § 5 NetzDG, so that they are always reachable for courts of law. This procedure could also ensure that the people behind an affected account can be heard in court, if the law would oblige platforms to forward the petition to them (via email for example). This would give the account holder the option to reveal their identity and take over the judicial process under their own name.

Legislative competence probably with the Federal Government

The law to create such a judicial process could be enacted by the German Federal Government. This is not about a new regulation on which content would be admissible online – this would be for the Federal States to enact and would require an arduous update of the Interstate Broadcasting Treaty (Rundfunkstaatsvertrag). The Federal Government could base this law on its competences to regulate judicial procedures as well as telemedia law. The Federal Government should urgently take this opportunity and create a “Protection against Digital Violence Act”, allowing for accounts that publish unlawful content to be blocked. The onus is still on the Federal States to become more effective in pursuing supposedly lesser online offences, which is within their legal purview.

A German version of this article was first published at https://background.tagesspiegel.de/statt-klarnamen-digitales-gewaltschutzgesetz

EU action needed: German NetzDG draft threatens freedom of expression (23.05.2017)

(Contribution by Ulf Buermeyer, EDRi member Gesellschaft für Freiheitsrechte – GFF, Germany; translation from German into English by EDRi volunteers Stefan and Sebastian)

03 Jul 2019

Open letter demands interoperability of the big online platforms

By La Quadrature du Net

On 21 May 2019, EDRi observer La Quadrature du Net, along with 70 other organisations, including some EDRi members, sent a letter asking the French government and members of the Parliament to force web giants (Facebook, Youtube, Twitter…) to be interoperable with other online services. The purpose is to allow users of these platforms to leave them for other services, while still being able to communicate with people that decided to stay on it – as, for example, this is already the case with emails, with which people are able to communicate regardless of whether they use different email providers like Protonmail, Gmail or RiseUp.

The letter coincides with the French Parliament preparing to vote on a law requiring online platforms to remove hate speech 24 hours after having received a notification. In case they repeatedly fail to do so, a French administration would have the power to impose a fine up to 4 % of their global revenue.

Criticising the dangers of censorship and centralisation of the internet that could result from such a law, the signatories of the open letter recommend that the Parliament does not address the symptoms but the causes of the dissemination of hate speech. One of the causes is the structure and the business model of these platforms that promotes and facilitates the dissemination of hate speech. As the platforms are built on the “attention economy”, it is in their interest to host as much of any kind of engaging content as possible.

The letter explains that forcing web’s giants to become interoperable, based on open standards, would allow people that are “captives” of these platforms to escape them. They would be able to join other services that are more respectful of users’ personal data and freedoms, and not making profits on surveillance and targeted advertising. Outside of these platforms, millions of people are already united across interoperable services such as Mastodon, Diaspora, and PeerTube — notably through ActivityPub, an interoperability protocol published by the World Wide Web Consortium (W3C) in 2018.

The proposition has been well received by experts, journalists, and some members of the French Parliament. Laetitia Avia, the rapporteur of this law, however, has refused to support it, preferring to promote the solution of fast removal of contents. The French government has also rejected the idea of interoperability presented in the letter, stating that it’s “excessively aggressive for the business model of large platforms”, and refusing to see the connection with hate speech. Nevertheless, as some members of the Parliament have proposed amendments on interoperability, the next session in Parliament on 3 July will clarify the results of this first campaign.

Should the Parliament reject the idea, La Quadrature du Net will, together with the signatories of the open-letter, continue to promote the idea of interoperability, in France and at a European level, with the help of EDRi members. It’s urgent to give everyone the ability to escape from the surveillance and toxicity of these giant platforms and to join free, decentralised and human-scale services  — without losing their social links by doing so.

The open letter remains open for signatures from organisations and companies. Individuals are strongly encouraged to spread and promote it widely. To sign the letter, please write at contact@laquadrature.net, with the email subject “Signing interoperability letter”, and noting the name of your organisation in the email.

La Quadrature du Net

For the interoperability of the web’s giants: An open letter from 70 organisations (14.06.2019)

French online hate speech bill aims to wipe out racist trolling (29.06.2019)

Report to strengthen the fight against racism and antisemitism online (only in French, 28.09.2018)


Imposing interoperability on platforms? Doubts and prudence of Cédric O (only in French, 05.06.2019)

(Contribution by EDRi observer La Quadrature du Net, France)

03 Jul 2019

EU worries over the possibility of losing wiretapping powers

By Statewatch

5G telecoms networks could render obsolete the “lawful interception” techniques that police is traditionally using, unless the European Union and national governments take action. This was revealed in internal EU documents obtained by EDRi member Statewatch, that has published a new analysis explaining the issues and calling for a public debate.

“It is unsurprising that EU officials are concerned about the possible loss of telephone-tapping powers,” said Chris Jones, a researcher at Statewatch. “However, the very same technologies they are worried about will give law enforcement and security agencies disturbing possibilities for accessing data on individuals in order to track their activities and behaviour. This has to be seen as part of the same issue as the possible loss of ‘traditional’ wiretapping powers. Rather than secretive attempts to influence standard-setting and law-making, a public discussion is required about the acceptable limits of surveillance and interception powers in light of emerging technologies.”

On 7 June 2019, the EU Justice and Home Affairs Council (JHA) held a discussion on implications of 5G in the area of internal security, a topic taken up in documents produced recently by Europol and the EU Counter-Terrorism Coordinator that Statewatch published alongside the analysis.

The documents warn that various aspects of the technology underpinning 5G communications networks could make traditional wiretapping methods far more complicated or even render them useless. For example, the IMSI code – used to identify an individual device – will be encrypted, meaning “the security authority authorities are no longer able to locate or identify the mobile device,” according to Europol. 5G networks will also be able to detect false “base stations” – making it impossible to use IMSI catchers (or “stingrays”), devices that imitate telecoms antennae in order to discreetly acquire user data. Other issues such as network slicing, edge computing, and network function virtualisation raise their own problems, leading to significant new challenges for law enforcement agencies wanting access to individuals’ data.

Proposals to overcome the limitation of traditional wiretapping methods range from trying to influence the international bodies responsible for establishing the relevant technical standards; passing new laws (at both national and EU level) to enforce police demands; and ensuring a broader discussion amongst officials both within the EU and beyond, for example with major surveillance powers such as the US, Australia and Canada.

However, although 5G technologies could limit law enforcement agencies’ access to certain types of data, if the hype is to be believed, one of 5G’s main functions will be to enable the generation, storage and sharing of vast tomes of data on individuals, objects, devices and the environment through the “internet of things”. In the US, for example, data from “smart” (i.e. internet-connected) water meters, pacemakers and in-car safety systems have been used in court proceedings. This presents significant new opportunities for police and security agencies, even if they lose access to other long-standing surveillance techniques.

The analysis argues that both the possibility of law enforcement agencies losing some of their current powers – at the same time as vast new surveillance possibilities are opened up – should be a matter for public debate.


Analysis: A world without wiretapping? Official documents highlight concern over effects 5G technology will have on “lawful interception” (05.06.2019)

Indicative programme – Justice and Home Affairs Council of 6 and 7 June 2019

EU Counter-Terrorism Coordinator: Law enforcement and judicial aspects related to 5G (06.05.2019)

Position paper on 5G by Europol (11.04.2019)

(Contribution by EDRi member Statewatch, the United Kingdom)

03 Jul 2019

Regulating online communications: Fix the system, not the symptoms

By Bits of Freedom

Our digital information ecosystem fails to deliver the communications landscape needed to sustain our democracies. In a problem analysis, EDRi member Bits of Freedom introduces and disentangles some of the key concepts and issues surrounding the dominant role of platforms and the resulting harms to our freedom of expression.

Freedom of expression is a human right enshrined in law. It includes the right to seek, receive and impart information and ideas, without undue interference or fear of retaliation. It is indispensable for both the development of individuals as well as for the protection and advancement of our democratic societies. It is essential for holding those in power to account.

Our current online communications landscape fails to deliver these opportunities. A few giant corporations dominate the ecosystem, leading to the obstruction of our communications, including that of journalists and civil society, undue control over our public debate, and extremely limited possibilities for market challengers.

Characteristics inherent to these giant platforms and the ecosystem in which they operate, make them nearly immune to political, societal and consumer pressure. Therefore it has proven to be difficult for our correctional mechanisms – self-regulation, the market, policy makers and civil society – to sufficiently address the biggest harms and weed out the most toxic practices.

With the paper “Fix the system, not the symptoms”, Bits of Freedom wishes to contribute to shifting the discussion from how we can adapt to these businesses and fix their platforms, towards what a healthy communications landscape looks like in an increasingly digitalised world – and how to get there.

Bits of Freedom

Regulating online communications: fix the system, not the symptoms

Fix the system, not the symptoms (19.06.2019)

(Contribution by EDRi member Bits of Freedom, the Netherlands)

24 Jun 2019

EU Commission discards criticism of net neutrality enforcement

By Jan Penfrat

On 30 April 2019, EDRi and 31 other civil rights organisations sent an open letter to the EU Commission and BEREC. The letter criticised the lack of enforcement of current net neutrality rules in Europe. The signatories also emphasised that the EU finally needs to act against the widespread use of zero-rating practices. Zero-rating favours internet traffic from certain companies by billing it to customers at a lower (zero) rate while discriminating against everybody else. The letter also highlighted that many EU member states do not impose effective penalties against infringers of net neutrality.

Only two weeks later, we addressed a second letter to the EU Commission, warning against the increased use of so-called Deep Packet Inspection (DPI) by telecom operators. DPI is a highly intrusive technology allowing telcos to scan and classify your online content with high granularity, for instance in order to slow down certain internet traffic or bill certain content differently. Of course the technology could also be used to block certain types of traffic such as video streaming or virtual private networks (VPNs).

Commission does not seem to plan action

Unfortunately, the EU Commission’s official responses to those letters have not addressed the points raised by civil society.

In its first response, the EU Commission acknowledges “that the types and levels of sanctions differ widely between Member States” and says it was “monitoring how the existing sanctioning powers are used in practice”. However, no concrete actions or plans are proposed that could tackle the lack of enforcement in Europe. In reality, almost no penalties against infringing telcos have been pronounced so far and those that were issued have been too low to lead to meaningful change. Worse, Portugal and Ireland still have not enacted any penalties for net neutrality infringements at all despite their obligation to do so under EU law.

In its second response, while acknowledging the illegality of slowing down or discriminating traffic in principle, the EU Commission does not seem to think that zero-rating as practised by European telcos today is a problem. Instead, the Commission says, this should be decided on a case-by-case basis – which in practice means that telcos can zero-rate as they please.

Net neutrality violations still happening

As a recent study carried out by EDRi member epicenter.works shows, net neutrality violations have spread across the EU in the past years, the response of national regulators is inconsistent or lacking, and the EU Commission seems to largely ignore the problem.

The European net neutrality guidelines are in the process of being updated and the EU Commission says it plans to publicly consult civil society during that process “so that their interpretation and their arguments will be expressed and taken into account”. EDRi and its member organisations will of course participate in these consultations and hope that they will indeed be taken into account.

Response of the EU Commission to our open letter on the lack of enforcement of 30 April 2019 (PDF)
https://edri.org/wp-content/uploads/2019/06/20190517_commission_ reply_open_internet.pdf

Response of the EU Commission to our open letter against Deep Packet Inspection of 15 May 2019 (PDF)
https://edri.org/wp-content/uploads/2019/06/20190618_commission_ reply_dpi.pdfR

Net neutrality wins in Europe! (29.08.2016)

Zero rating: Why it is dangerous for our rights and freedoms (22.06.2016)

A study evaluates the net neutrality situation in the EU (13.02.2019)

(Contribution by Jan Penfrat, EDRi)