13 May 2020

Austria’s biggest privacy scandal: residential addresses made public

By Epicenter.works

Nobody took data protection into account for the so-called “Supplementary Register for Other Concerned Parties” (Ergänzungsregister für sonstige Betroffene). The Ministry for the Economy and the Finance Ministry are responsible for a data breach to which the Austrian Economic Chambers were an accomplice.

Personal data of at least one million people have been publicly posted on the Internet for years without any protective measures, as NEOS and epicenter.works explained in a joint press conference on 8 May. This is a gift from the Republic to every data dealer and identity thief. “The technical and organisational measures necessary for protecting the rights of the affected persons according to GDPR are completely absent”, adds epicenter.works’ managing director Thomas Lohninger. In contrast to the Central Register of Residents (ZMR), all protective mechanisms are missing here, such as requiring identification of the querying person or charging a fee for the release of data, or the option to protect one’s own data with an informational release block.

Private residential addresses are particularly sensitive

“We do not yet know exactly how many people are affected by this data scandal and which groups are involved,” Lohninger continues. “According to our estimates, there must be about one million concerned people.” It could also be deduced from the data when tax returns were filed or whether, for example, state assistance was received. “What is even more dramatic is that the private residential addresses of these people are publicly available on the Internet and there is no way to defend oneself against it. From the Federal President downwards, almost everyone can be found there who has and has had income other than from non-self-employment”, the data protection expert adds.

No purpose, no information block, no protective measures

“The purpose of this public register is not apparent. Public registers regularly entail rights and obligations, such as Entries in the Civil Register, Register of Companies or Register of Associations. Although the internal provision of source numbers within the administration may be the reason for the creation of the supplementary register, this does not explain its years of public and barrier-free access,” says epicenter.works’ lawyer Lisa Seidl. In many cases, the scope of the accessible data goes beyond the data that can be retrieved from the ZMR and, in contrast, there are no protective mechanisms, such requiring the identification of the querying person, charging a fee for the release of information or providing the option of setting up an informational release block. Even if the 2009 regulation provides a legal basis for the publication of the register, this regulation could constitute a violation of the fundamental right to data protection, said Seidl.

On the basis of redacted excerpts from this database, we can show that the data of journalists, politicians and other persons who are particularly concerned about the confidentiality of their private data were included. For example, out of 183 members of Parliament, 100 were visible with their private addresses. You can find a corresponding list here. Furthermore, many Public Broadcasting (ORF) journalists could be found easily.

How is this different from the Commercial Register?

The Commercial Register is easily accessible, but it costs quite a lot – 12.90€ per extract – and is essential (i.e. it has an important purpose), because you have to and should know about the economic risk you are taking when you sign contracts with other companies. In any case, it does not contain private residential addresses, but the business addresses of the companies.

Is the regulation potentially even illegal or unconstitutional?

In principle, the Austrian state must comply with GDPR, but it is exempt from penalties. If data that are not already publicly accessible (e.g. tax data of private individuals – not companies!) are in the register, this needs its own legal basis (in this case a decree), and only then according to the GDPR the data can be processed. However, this decree could still be unconstitutional (§1 of the Data Protection Act (DSG) has constitutional status). Justified constraints of fundamental rights always require a legitimate objective that is necessary and proportionate. The register falls at this first hurdle, as making tax data accessible for the public is not a “legitimate objective”. Therefore, the constraint of fundamental rights is unjustified and a violation of the fundamental right to data protection. As long as the Austrian Constitutional Court has not repealed the regulation on the grounds of unlawfulness or unconstitutionality, it is to be applied.

Chronology of the register

  • Decision to establish this register publicly 2004/2009, Schüssel / Faymann
  • Register transferred to the Austrian Ministry for the Economy in December 2018 without question, no protective measures established, despite introduction of GDPR no enforcement of the rights of those affected
  • Austrian Finance Ministry continuously sends data to registers, unclear from which sources

Read more:

Größter Datenskandal der Republik: Über eine Million Wohnadressen öffentlich (08.05.2020)

Austrian government hacking law is unconstitutional (18.02.2019)

Austrian postal service involved in a data scandal (28.01.2019)

(Contribution by Thomas Lohninger, from EDRi Member epicenter.works)

13 May 2020

Xnet issues two complaints to improve data protection in Spain

By Xnet

Xnet highlights gaps in Spain’s adaptation of the EU General Data Protection Regulation (GDPR). The Spanish member of EDRi has opened two complaints to the European Commission related to the lack of effective adaptation of the data minimisation principle and the lack of conciliation between personal data protection and freedom of expression and information in the Spanish legislation.

The COVID-19 Crisis has forcefully put on the table the scope to which the extraction and use of citizens’ personal data may reach.

These problems had already been detected and explained in a February 2020 report by Xnet, “Privacy, Data Protection and Institutionalised Abuses” and with the campaign #DatosPorLiebre.

Xnet believes that the use of personal data in the general interest is necessary. However, it should never conflict with the respect for the fundamental rights to privacy and intimacy.

The procedures that Xnet is now starting are a consequence of the report, but the EDRi member believes that they will also be useful in the design of policies post-COVID-19. The European Commission has published a position that supports Xnet’s point of view. This could positively influence the new Spanish Secretary-General for Digital Transformation. This is why Xnet considers that this is a good moment to start these two procedures.

As Xnet explained in the report “Privacy, Data Protection and Institutionalised Abuses”, they consider that the “Organic Law on Data Protection and the Guarantee of Digital Rights”, which aims to adapt the GDPR to the Spanish system, contains gaps that are detrimental to fundamental rights.

The report and the procedures explain the collision between the principle of minimisation, which is fundamental in the GDPR, and other laws in force that prevent its enforcement and the control of personal data, their use and destination by individuals.

Specifically, the identification requirements of citizens when they want to carry out any type of procedure, however simple it may be, at a Public Administration or other companies, are abusive and disproportionate. These identification requirements of Spanish legislation are no longer justified in the new framework established by the GDPR. The principle of minimisation establishes that no one should ask or extract more data than necessary. The privacy must be by design and by default.

The second procedure highlights the lack of transposition of Article 85 of the Regulation into national law, thus failing to comply with the obligation that it establishes to reconcile the right to personal data protection with the freedoms of expression and information. This makes it difficult to uncover cases of abuse or corruption, which is very necessary in a situation such as this one.

Read more:

[In Spanish]: Xnet abre procedimientos ante la Comisión Europea para la mejora de la protección de datos en la legislación española (04.05.2020)

ApTI submits complaint on Romanian GDPR implementation (27.02.2019):

One Year Under the GDPR. An implementation progress report:

(Contribution by Simona Levi, from EDRi member Xnet)

04 May 2020

COVID-19 & Digital Rights: Document Pool


The Coronavirus (COVID-19) pandemic poses a global public health challenge of unprecedented proportions. In order to tackle it, countries around the world need to engage in coordinated, evidence-based responses grounded in solidarity, support and respect for human rights. This means that measures cannot lead to disproportionate and unnecessary actions. It is also vital that measures are not extended once we are no longer in a state of emergency. Otherwise, the actions taken under exceptional circumstances today can have significant repercussions on human rights both today and tomorrow.

In this document pool we will be listing relevant articles and documents related to the intersection of the COVID-19 crisis and digital rights. This will allow you to follow the developments of surveillance measures, content moderation, tracking and privacy-threatening actions in Europe as they relate to the coronavirus pandemic, as well as offer the set of perspectives and recommendations put forth by a host of digital rights watchdog organisations across Europe and the world. The document pool is updated regularly to ensure the delivery of the most up-to-date information.

  1. EDRi’s Analysis and Recommendations
  2. EDRi Articles, blog posts and press releases
  3. Mapping Exercise
  4. Official EU Documents
  5. Other Useful Resources

1. EDRi’s Analysis and Recommendations

Official EDRi statement on COVID-19 and Digital Rights

EDRi Members’ Responses and Recommendations on COVID-19

Analysing Tracking & Tracing Apps

2. EDRi’s Articles, blog posts and press release

EDRi Reporting

#COVIDTech – An EDRi Blog Series

3. Mapping Exercises

EDRi Members Mapping

Other Mapping Excercises

4. Official EU Documents

5. Other Useful Resources

With huge thanks to the individuals and organisations across the EDRi network who have shared resources for this document pool.

29 Apr 2020

#WhoReallyTargetsYou: DSA and political microtargeting

By Panoptykon Foundation

Europe is about to overhaul its 20-year-old e-Commerce Directive and it is a once-in-a-decade chance to correct the power imbalance between platforms and users. As part of this update, the Digital Services Act (DSA) must address the issue of political microtargeting (PMT).

Microtargeting, and PMT in particular, has the alarming power to derail democracy, and should be regulated. According to self-assessment reports, political advertisers spent €31 million (excluding the UK) on Facebook, and only €5 million on Google between March and September 2019. Facebook’s role in developing and targeted adverts goes far beyond a simple presentation medium — its tools for optimising ad delivery, targeting audiences and defining delivery criteria are far beyond the capacity of most political parties alone. A detailed report based on data collected during two Polish election campaigns in 2019 carried out by Panoptykon and partners, shed critical light on the role of the company, and what it revealed was extremely informative:

The study found that Facebook’s transparency and control tools that would explain how ad targeting works offered to both researchers and users are “insufficient and superficial.” Users are targeted by Facebook’s algorithm based on potentially thousands of distinct selectors following a a set of criteria that only the company knows. Advertisers on Facebook can opt to select audiences on obvious factors such as age, gender, language spoken and location. But the Facebook machine also steers them towards increasingly narrower criteria such as interests (political affiliation, sex orientation, musical tastes, etc…), “life events” and behaviour, as well as more than 250,000 free-text attributes including, for example, Adult Children of Alcoholics, or Cancer Awareness, which constitute a deeper privacy concern.

Facebook is not merely a passive intermediary; its algorithms interpret criteria selected by advertisers and deliver ads in a way that fulfils advertisers’ objectives, and actively curate the content that users see in their timelines based on those assumptions. In 2016, the company introduced a feature allowing them to target “lookalikes” – profiles similar to a target audience. It also allows A/B testing so advertisers can compare which ads are more effective.

But Facebook’s “why am I seeing this ad?” transparency tool can be misleading, revealing only the “lowest common denominator” attribute. For example, according to the report, during the European elections campaign in Poland in May 2019, a person who was pregnant saw a political ad referring to prenatal screenings and perinatal care. “Why am I seeing this ad?” informed her that she was targeted because she was interested in “medicine” (potential reach 668 million) rather than “pregnancy” (potential reach of 316 million). Users can only verify (check, delete, or correct) a short list of interests that the platform is willing to reveal.

Here is where upcoming regulation comes into play: At the very least, the Digital Services Act should prohibit PMT based on characteristics which expose our mental or physical vulnerabilities (e.g. depression, anxiety, addiction, illness). But if the EU wants to be ambitious and tackle many of the associated problems with the current business model, the DSA should go further and regulate any sort of advertising aimed at profiling users, particularly as there appears to be a gap between ads labelled as “political” by the platform, and ads perceived as political by researchers.

Regulating targeted ads, requiring greater transparency for researchers and users, opt-in rather than opt-out, tighter requirements for political advertising and recognising PMT as an application of AI that poses serious risks for human rights will not solve all the problems of political disinformation in society, but they would certainly eliminate some of the worst practices today.

Read more:

Who (really) targets you? Facebook in Polish election campaigns

Annual self-assessment reports of signatories to the Code of Practice on Disinformation 2019 (29.10.2019)

(Contribution by Karolina Iwańska, from EDRi member Panoptykon)

29 Apr 2020

Member in the spotlight: Homo Digitalis


This is the tenth article of the series “EDRi member in the Spotlight” in which our members introduce themselves and their work in an in-depth highlight in interview format.

Today we introduce our Greek member: Homo Digitalis.

1. Who are you and what is your organisation’s goal and mission?

Homo Digitalis is the only digital rights civil society organization in Greece. Our goal is the protection of human rights and freedoms in the digital age. We strive to influence legislators & policy makers on a national level, and to raise awareness amongst the people of Greece regarding digital rights issues. Moreover, when digital rights are jeopardized by public or private actors, we carry out investigations, conduct studies and proceed to legal actions.

2. How did it all begin, and how did your organisation develop its work?

Homo Digitalis was founded in 2018 by 6 tech lawyers with a strong passion about the protection and promotion of digital rights. No digital rights organisations existed in Greece before. So, we wanted to create an organisation that could bring like-minded people together and shake things up. After two years of voluntary work, we have managed to grow into an organization with more than 100 members, who bring together a wide variety of disciplines such as law, computer science, humanities and social sciences.

We aim to transform Homo Digitalis from an organization based on voluntary work to a strong watchdog with a long-term strategy and full-time personnel. It will be a long and difficult path, but we have started acquiring our first grants and we are confident that we will grow, gaining more recognition and support for us and our vision.

3. The biggest opportunity created by advancements in information and communication technology is…

…facilitating access to information all around the globe, and building bridges between people. These advancements constitute a driver for positive change in our societies, and could lead to enhanced equality and transparency.

4. The biggest threat created by advancements in information and communication technology is…

…mass surveillance of our societies and power asymmetry in the information economy.

5. Which are the biggest victories/successes/achievements of your organisation?

Becoming a full member of EDRi is certainly a great success of Homo Digitalis so far!

Additionally, Homo Digitalis has managed to achieve important accomplishments over the last two years. We have increased public awareness on digital rights issues by generating media interest in our actions, visiting educational institutions and participating in events, campaigns, and giving talks all around Greece. Moreover, we were instrumental in influencing the public debate around data protection reform in Greece by cooperating with related stakeholders, and by filing complaints and requests before EU and national authorities, respectively.

Also, through access to information requests, complaints, and investigations we have attained a high level of scrutiny regarding projects on technology-led policing and border management activities in Greece. In addition, we have collaborated with investigative journalists to reveal important facts. Even though we are an organization based solely on volunteers, we give our best to respond quickly to the challenges that arise.

Furthermore, we have been fortunate enough to participate shoulder to shoulder with powerful digital rights organisations in EU-wide projects and campaigns and to learn from their expertise and knowledge. Finally, we also had the great opportunity to present our views and opinions in important fora, such as the UN Human Rights Council 39th session in Geneva or the European Parliament in Brussels.

All these accomplishments over the last two years give us the strength to continue our work towards the protection and promotion of human rights in the digital age.

6. If your organisation could now change one thing in your country, what would that be?

Active participation of people in collective activities such as digital rights activism. If individuals could devote a part of their knowledge and time to such activities, we would have a stronger voice to influence policy makers and legislators towards political decisions that respect our rights and freedoms and not violate them, instead.

7. What is the biggest challenge your organisation is currently facing in your country?

After 10 years of financial crisis and austerity measures in Greece that limited public spending, we witness over the last years an increase in funds used for technology-led policing and border managements projects. Thus, we must stay wide-awake in order to challenge and fight back the implementation of intrusive tools and technologies in our societies that limit our rights and freedoms.

8. How can one get in touch with you if they want to help as a volunteer, or donate to support your work?

You can visit our website to help us as a volunteer or to donate and support our work.

Also, we always appreciate a good conversation, so feel free to reach out to info@homodigitalis.gr. Last but not least, you can subscribe to our newsletter here.

Read more:

EDRi member in the spotlight series

Join Homo Digitalis as member/supporter/volunteer

Donate to Homo Digitalis

29 Apr 2020

Why COVID-19 is a Crisis for Digital Rights

By Guest author

The COVID-19 pandemic has triggered an equally urgent digital rights crisis.

New measures being hurried in to curb the spread of the virus, from “biosurveillance” and online tracking to censorship, are potentially as world-changing as the disease itself. These changes aren’t necessarily temporary, either: once in place, many of them can’t be undone.

That’s why activists, civil society and the courts must carefully scrutinise questionable new measures, and make sure that – even amid a global panic – states are complying with international human rights law.

Human rights watchdog Amnesty International recently commented that human rights restrictions are spreading almost as quickly as coronavirus itself. Indeed, the fast-paced nature of the pandemic response has empowered governments to rush through new policies with little to no legal oversight.

There has already been a widespread absence of transparency and regulation when it comes to the rollout of these emergency measures, with many falling far short of international human rights standards.

Tensions between protecting public health and upholding people’s basic rights and liberties are rising. While it is of course necessary to put in place safeguards to slow the spread of the virus, it’s absolutely vital that these measures are balanced and proportionate.

Unfortunately, this isn’t always proving to be the case. What follows is an analysis of the impact of the COVID-19 pandemic on the key subset of policy areas related to digital rights:

a) The Rise of Biosurveillance

A panopticon world on a scale never seen before is quickly materialising.

“Biosurveillance” which involves the tracking of people’s movements, communications and health data has already become a buzzword, used to describe certain worrying measures being deployed to contain the virus.

The means by which states, often aided by private companies, are monitoring their citizens are increasingly extensive: phone data, CCTV footage, temperature checkpoints, airline and railway bookings, credit card information, online shopping records, social media data, facial recognition, and sometimes even drones.

Private companies are exploiting the situation and offering rights-abusing products to states, purportedly to help them manage the impact of the pandemic. One Israeli spyware firm has developed a product it claims can track the spread of coronavirus by analysing two weeks’ worth of data from people’s personal phones, and subsequently matching it up with data about citizens’ movements obtained from national phone companies.

In some instances, citizens can also track each other’s movements leading to not only vertical, but also horizontal sharing of sensitive medical data.

Not only are many of these measures unnecessary and disproportionately intrusive, they also give rise to secondary questions, such as: how secure is our data? How long will it be kept for? Is there transparency around how it is obtained and processed? Is it being shared or repurposed, and if so, with who?

b) Censorship and Misinformation

Censorship is becoming rife, with many arguing that a “censorship pandemic” is surging in step with COVID-19.

Oppressive regimes are rapidly adopting “fake news” laws. This is ostensibly to curb the spread of misinformation about the virus, but in practice, this legislation is often used to crack down on dissenting voices or otherwise suppress free speech. In Cambodia, for example, there have already been at least 17 arrests of people for sharing information about coronavirus.

At the same time, many states have themselves been accused of fuelling disinformation to their citizens to create confusion, or are arresting those who express criticism of the government’s response.

As well as this, some states have restricted free access to information on the virus, either by blocking access to health apps, or cutting off access to the internet altogether.

c) AI, Inequality and Control

The deployment of AI can have consequences for human rights at the best of times, but now, it’s regularly being adopted with minimal oversight and regulation.

AI and other automated learning technology are the foundation for many surveillance and social control tools. Because of the pandemic, it is being increasingly relied upon to fight misinformation online and process the huge increase in applications for emergency social protection which are, naturally, more urgent than ever.

Prior to the COVID-19 outbreak, the digital rights field had consistently warned about the human rights implications of these inscrutable “black boxes”, including their biased and discriminatory effects. The adoption of such technologies without proper oversight or consultation should be resisted and challenged through the courts, not least because of their potential to exacerbate the inequalities already experienced by those hardest hit by the pandemic.

d) Eroding Human Rights

Many of the human rights-violating measures that have been adopted to date are taken outside the framework of proper derogations from applicable human rights instruments, which would ensure that emergency measures are temporary, limited and supervised.

Legislation is being adopted by decree, without clear time limitations, and technology is being deployed in a context where clear rules and regulations are absent.

This is of great concern for two main reasons.

First, this type of “legislating through the back door” of measures that are not necessarily temporary avoids going through a proper democratic process of oversight and checks and balances, resulting in de facto authoritarian rule.

Second, if left unchecked and unchallenged, this could set a highly dangerous precedent for the future. This is the first pandemic we are experiencing at this scale – we are currently writing the playbook for global crises to come.

If it becomes clear that governments can use a global health emergency to instate human rights infringing measures without being challenged or without having to reverse these measures, making them permanent instead of temporary, we will essentially be handing over a blank cheque to authoritarian regimes to wait until the next pandemic to impose whatever measures they want.

Therefore, any and all measures that are not strictly necessary, sufficiently narrow in scope, and of a clearly defined temporary nature, need to be challenged as a matter of urgency. If they are not, we will not be able to push back on a certain path towards a dystopian surveillance state.

e) Litigation: New Ways to Engage

In tandem with advocacy and policy efforts, we will need strategic litigation to challenge the most egregious measures through the court system. Going through the legislature alone will be too slow and, with public gatherings banned, public demonstrations will not be possible at scale.

The courts will need to adapt to the current situation – and are in the process of doing so – by offering new ways for litigants to engage. Courts are still hearing urgent matters and questions concerning fundamental rights and our democratic system will fall within that remit. This has already been demonstrated by the first cases requesting oversight to government surveillance in response to the pandemic.

These issues have never been more pressing, and it’s abundantly clear that action must be taken.

If you want to read more on the subject, follow EDRi’s new series #COVIDTech here: https://edri.org/emergency-responses-to-covid-19-must-not-extend-beyond-the-crisis/

This article was originally published at: https://digitalfreedomfund.org/why-covid-19-is-a-crisis-for-digital-rights/

Read more:

Tracking the Global Response to COVID-19:

Russia: doctor who called for protective equipment detained (03.04.2020)

A project to demystify litigation and artificial intelligence (06.12.2019)

Making Accountability Real: Strategic Litigation (30.01.2020)

Accessing Justice in the Age of AI (09.04.2020)

(Contribution by Nani Jansen Reventlow, Digital Freedom Fund)

29 Apr 2020

Everything you need to know about the DSA

By Chloé Berthélémy

In her political guidelines, the President of the European Commission Ursula von der Leyen has committed to “upgrade the Union’s liability and safety rules for digital platforms, services and products, with a new Digital Services Act” (DSA). The upcoming DSA will revise the rules contained in the E-Commerce Directive of 2000 that affect how intermediaries regulate and influence user activity on their platforms, including people’s ability to exercise their rights and freedoms online. This is why reforming those rules has the potential to be either a big threat to fundamental rights rights or a major improvement of the current situation online. It is also an opportunity for the European Union to decide how central aspects of the internet will look in the coming ten years.

A public consultation by the European Commission is planned to be launched in May 2020 and legislative proposals are expected to be presented in the first quarter of 2021.

In the meantime, three different Committees of the European Parliament have announced or published Own Initiative Reports as well as Opinions in view of setting the agenda of what the DSA should regulate and how it should achieve its goals.

We have created a document pool in which we will be listing relevant articles and documents related to the DSA. This will allow you to follow the developments of content moderation and regulatory actions in Europe.

Read more:

Document pool: Digital Service Act (27. 04. 2020)

29 Apr 2020

Digital Services Act: Document pool


In her political guidelines, the President of the European Commission Ursula von der Leyen has committed to “upgrade the Union’s liability and safety rules for digital platforms, services and products, with a new Digital Services Act” (DSA). The upcoming DSA will revise the rules contained in the E-Commerce Directive of 2000 that affect how intermediaries regulate and influence user activity on their platforms, including people’s ability to exercise their rights and freedoms online. This is why reforming those rules has the potential to be either a big threat to fundamental rights rights or a major improvement of the current situation online. It is also an opportunity for the European Union to decide how central aspects of the internet will look in the coming ten years.

A public consultation by the European Commission is planned to be launched in May 2020 and legislative proposals are expected to be presented in the first quarter of 2021.

In the meantime, three different Committees of the European Parliament have announced or published Own Initiative Reports as well as Opinions in view of setting the agenda of what the DSA should regulate and how it should achieve its goals.

In this document pool we will be listing relevant articles and documents related to the DSA. This will allow you to follow the developments of content moderation and regulatory actions in Europe.

Last update: 27 April 2020

Table of content

EDRi’s analysis and recommendations
Legislative documents
Blogposts and press releases
EDRi members’ publications
Key policymakers
Key dates

EDRi’s analysis and recommendations

Legislative documents

European Commission

  • Public consultation announced for June 2020
  • Legislative proposals announced for Q1/2021

European Parliament

EDRi’s blogposts and press releases

EDRi members’ publications


Key policymakers

Key dates

  • European Commission’s consultation: June 2020
  • European Commission’s legislative proposal: Q1 2021
28 Apr 2020

COVID-19: A Commission hitchhiker’s tech guide to the App Store


“We’re being asked what do we want these systems to look like. If we don’t make the decision it will be made for us (…) This virus will pass, but the measures will last”

Edward Snowden

According to the World Health Organisation (WHO), closely watching contacts during a pandemic “will prevent further transmission of the virus”. In response to the COVID-19 crisis many technical responses (or acts of techno-solutionism) arose shortly after the pandemic was declared by the WHO. Contact–tracing applications are one of the notable solutions brought forward, and currently occupy the center of the public debate in the European space.

Whether contact-tracing technology will help or not, however, is still contested. Technology is not a silver bullet, as Carly Kind, director of AI research center Ada Lovelace Institute, puts it.  Moreover, Dr. Michael Ryan, a key advisor for the WHO, warned that “when collecting information on citizens or tracking their movements there are always serious data protection and human rights principles involved”. Several voices in the EDRi community also question whether the risks in using apps may outweigh the benefits (La Quadrature du Net) and if apps are just “we-did-something” political responses (FIPR – Ross Anderson).

That said, if apps (and technology in general) are proven to be useful in any significant way, they need to fully protect fundamental rights, since the risks created by these technologies could outlast the pandemic itself.

European Digital Rights, as the voice of 44 organisations working to advance and uphold human rights in the digital space, warned early on of the potential problems that a rushed technological solution could lead us to.

In reaction to the debate regarding the safeguards potential technical solutions must provide, the European Commission (EC) has published a toolbox and guidelines for ensuring data protection standards. The two instruments aim to guide the responses that Member States are already preparing nationally, sometimes in very different directions.

In this article, we aim to provide insight into European Commission’s proposals and how they fit with civil society views on this subject.

A techie toolbox

A fragmented and uncoordinated approach to contact tracing apps risks hampering the effectiveness of measures aimed at combating the COVID-19 crisis, whilst also causing adverse effects to the single market and to fundamental rights and freedoms”

European Commission Common EU Toolbox for Member State

The EC argued for the need of a toolkit as national authorities are developing mobile applications (apps) to monitor and mitigate the COVID-19 pandemic. The Commission agrees that contact tracing, as usually done manually by public health authorities, is a time-consuming process and that the “promising” technology and apps in particular could be useful tools for Member States.

However, the EC points out that, in order for apps to be efficient, they need to be adopted by 60-75% of population – a very high threshold for a voluntary app. As comparison, in the famous case of Singapore, only 20% of the population downloaded the app.

The toolbox calls for a series of concrete requirements for these apps: interoperability (apps must work well with each other in order to be able to trace transnational cases); voluntary; approved by the national health authorities; privacy-preserving and dismantled as soon as they are no longer needed.

The time principle was a key point in our statement laying out fundamental rights – based recommendations for COVID-19 responses. On apps in particular, EDRi member Access Now advocates that access to health data shall be limited to those who need information to conduct treatment, research, and otherwise address the crisis . Finally, EDRi members Chaos Computer Club (CCC), Free Software Foundation Europe (FSFE) and noyb are among those that agree on the need for the apps to be voluntary.

Decentralised or centralised, that is the question

The Toolbox describes two categories of apps: those that operate via decentralised processing of personal data, which would be stored only on a person’s own device; and those operating via a centralised back-end server which would collect the data. The EC argues that this data should be reduced to the “absolute minimum” necessary, with technical requirements compiled by ENISA (encryption, communications security, user authentication….) and “preferably” the Member State should be the controller for the processing of personal data. The Annexes list key recommendations, background information on contact tracing , background on symptom checker functionalities and an inventory of existing mobile solutions against COVID-19.

Our member noyb agrees with the Commission requiring strong encryption, an essential element of secure technologies for which we have also advocated before. More, EDRi member CCC sides with the decentralisation option rather than a centralised one, as well as with strong communication security and privacy requirements.

Readers who liked the Toolbox… also liked the Guidelines

People must have the certainty that compliance with fundamental rights is ensured and that the apps will be used only for the specifically-defined purposes, that they will not be used for mass surveillance, and that individuals will remain in control of their data.

European Commission Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection

The Commision guidance summarises some of the key points of the Toolbox but provides more insight on some of the features, as well details on ensuring data protection and privacy safeguards. The guidance focuses on apps which are voluntary and that offer one or more functionalities: provide accurate information to individuals about the pandemic or provide questionnaires for self-assessment and guidance for individuals (symptom checker). Other functionalities could include alerting individuals if they have been in close contact with an infected person (contact tracing and warning functionality) and/or provide means of communication between patients and doctors.

The guidance relies heavily on references to the ePrivacy Directive (currently blocked by EU Member States from becoming an updated Regulation for 3 years and 4 months) and the General Data Protection Regulation (GDPR) . The references include data minimisation, purpose limitation, time limitation (apps deactivated after the pandemic is over) and top-of the-art security protections.

Our member Access Now has thoroughly gone through the data protection and privacy requirements of purpose limitation, data minimisation and time limitation , largely coinciding with the Commission, while Bits of Freedom has also mentioned the minimal use of data needed and time limitation, in addition to the apps being based on scientific insight and demonstrable effectiveness.

Location data is not necessary, decentralisation is

The Commission states that location data is not necessary for the purpose of contact tracing functionalities and that it would even be “difficult to justify in light of the principle of data minimisation”, and that it can create “security and privacy issues”. Regarding the debate of centralisation vs decentralisation, the Commission believes that decentralisation is more in line with the minimisation principle and that, as Bits of Freedom, CCC and many other groups have suggested, only “health authorities should have access to proximity data [which should be encrypted]” and therefore no law enforcement agencies can access the data. What about the well-intended but risky use of data for “statistics and scientific research”? Commission says no, unless it is necessary and included in the general list of purposes and clearly communicated to users.

Get us some open code. And add good-old strong encryption to go with it, please

The Commission asks for the source code to be made public and available for review. In addition to this, the Commission calls for the use of encryption when transmitting the data to national health authorities, if that is one of the functionalities. Both of these conclusions have been some of the key requests from EDRi members such as FSFE, both for transparency and security purposes but also as a an appeal for solidarity. We consider the call for openness as a positive request from the Commission.

Finally, the guidance brings back the forgotten Data Protection Authorities (DPAs) who, as we have also suggested, should be the ones consulted and fully involved when developing and implementing the apps.

Moving forward

We have many uncertainties regarding the actual pandemic, especially regarding whether any technical solution will help or not. Furthermore, it is unclear how these technologies should be designed, developed and deployed in order to avoid mass surveillance of citizens, stigmatisation of those who are sick and reinforced discrimination of people living in poverty, people of colour and other individuals of groups at risks who are already disproportionately affected by the pandemic.

The voices of experts and civil society must be taken into consideration, before taking the road of an endless “war on virus” that normalises mass surveillance. If proven that technologies are indeed helpful to combat this crisis, technological solutions need to comply with very strong core principles. Many of these strong principles are already present in the Commission’s two documents and in many of the civil society views in this ongoing debate.

In the meantime, strong public health systems, strong human rights protections (including extra protections for key workers), a human-rights centric patent system that puts humans at its core and open access to scientific knowledge are key principles that should be implemented now.

Read more:

Press Release: EDRi calls for fundamental rights-based responses to COVID-19 (01.04.2020)

noyb Active overview of projects using personal data to combat SARS-CoV-2.

Privacy International Extraordinary powers need extraordinary protections. (20. 03. 2020)

Access Now Protect digital rights, promote public health: toward a better coronavirus response. (05. 03. 2020)

Ada Love Lace Institute: Exit through the App Store? (20. 04. 2020)

European Commission – Mobile applications to support contact tracing in the EU’s fight against COVID-19: Common EU Toolbox for Member States (15. 04. 2020)

European Commission (COMMUNICATION)- Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection (16. 04. 2020)

22 Apr 2020

EDRi is looking for a Communications and Media Manager (Permanent position)


European Digital Rights (EDRi) is an international not-for-profit association of 42 digital rights organisations from across Europe and beyond. We advocate for robust and enforced laws, inform and mobilise people, promote a healthy and accountable technology market and build a movement of organisations and individuals committed to digital rights and freedoms in a connected world.

EDRi is looking for an experienced Communications and Media Manager to join EDRi’s team in Brussels. This is a unique opportunity to help shape and lead on the communications of a well-respected network of NGOs at a time of numerous challenges to our rights and freedoms in the digital age. The deadline to apply is 22ndMay 2020. This is a full-time, permanent position and the start date is expected to be July 2020.

The Communications and Media Manager leads and is responsible for EDRi’s strategic communications and engagement with the media. We are looking for an individual that will bring a strategic and creative mindset to communicate about complex human rights and technology issues in a diverse, fast-changing political environment. The successful candidate will have a strong track record in working with European and national media, excellent storytelling and drafting skills, as well as the ability to establish a network of journalists.

We are an equal opportunities employer with a strong commitment to transparency and inclusion. We strive to have a diverse and inclusive working environment. We encourage individual members of groups at risk of discrimination to apply for this post.

Job title: Communications and Media Manager
Start date (expected): July 2020
Reports to: Executive Director
Location: EDRi Office, Brussels, Belgium

As Communications and Media Manager, working closely with EDRi’s Policy, Campaigns and Network colleagues, you will:

  • Develop EDRi’s communications and media engagement long term strategies and short term plans;
  • Promote EDRi’s work and narrative to the media, raising the profile of the EDRi network, including by helping to disseminate their work;
  • Establish and maintain a robust network of media contacts and relationships;
  • Support the production and secure the publication of EDRi op-eds and other materials in leading outlets;
  • Write, edit and send press releases and manage media inquiries;
  • Support the production and editing of content for EDRi’s website and of the EDRi-gram bi-monthly newsletter;
  • Oversee EDRi’s social media presence;
  • Oversee the editing and design of EDRi’s publications;
  • Analyse media coverage and contribute to report on EDRi’s media exposure and communication work.


  • Minimum 3 years of relevant experience in a similar role;
  • A university degree in journalism, communications, media studies, EU affairs, public relations or related field or equivalent experience;
  • Demonstrable knowledge of the European media landscape and of European institutions, and an interest in communicating about and framing of human rights, in particular privacy, surveillance and law enforcement, freedom of expression, as well as other internet policy issues;
  • Experience in media relations, leading networks of journalists and creating networks of influence;
  • Exceptional writing skills in particular for op-eds and press releases;
  • Ability to create visuals for social media, work on simple graphic designs and formatting.
  • Strong multitasking abilities and ability to manage multiple deadlines;
  • Experience of working with and in small teams;
  • Excellent level of English;
  • Knowledge of another European language is an advantage;
  • Knowledge of database management systems, mailing list and free and open software is an advantage.

To apply, please send a maximum one-page cover letter and a maximum two-page CV in English (including two professional references) and in .pdf format to applications(at)edri.org by 22ndMay 2020.

Please note that only shortlisted candidates will be contacted.