10 Oct 2018

Independent study reveals the pitfalls of “e-evidence” proposals

By Chloé Berthélémy

On 21 September 2018, the European Parliament released an independent study written by Professor Martin Böse assessing the European Commission’s proposals for law enforcement authorities to have cross-border access to data (“e-evidence”). If adopted, these proposals would introduce European Production and Preservation Orders (EPO) for criminal matters. In order to inform the legislative process of this proposal, the study looks at the different aspects of the draft Regulation and the legal implications for the territoriality and sovereignty principles as well as for fundamental rights.


The conclusion of the study could not be clearer: “The added value of the new cooperation regime (quick and effective access to provider data) is mainly based on the abolition of cooperation obstacles and procedures ensuring effective protection of fundamental rights.” In this article, we summarise the main findings of the study.

1. Mutual cooperation should not mean lower level of protection for individuals

The study recalls the current framework for accessing data in a cross-border situation and existing instruments such as the European Investigation Order (EIO), which was only recently implemented. The study points out that the EIO, introduced in 2017, was designed to speed up the procedure for the enforcement of preservation and production orders by limiting the grounds for refusing to issue and execute such orders. It was the opinion of the Commission that traditional investigation tools are not always adapted to the digital era because internet data is not easily traceable. Thus, it decided to find another tool for judicial authorities to simplify their cross-border access to “evidence”, including electronic data. Comparing the EIO with the EPO, the study finds two main differences: the first is that the EIO requires prior validation by an independent authority in the executing Member State, and the second is that the EPO reduces the number of refusal grounds still further, both at the issuing and at the enforcement stage.

While “the EIO Directive has maintained traditional rules of cross-border cooperation such as the double criminality requirement and the analogous application of thresholds for particularly intrusive investigative measures”, the new draft Regulation removes all of these.

On top of that and “contrary to the Commission’s explanatory memorandum”, the minimum maximum penalty threshold does not exclude petty offences, such as theft or fraud, from the scope of the Regulation. The study is unequivocal on that matter: these new thresholds do not reach a level of protection similar to the requirements that individual Member States in the Union impose for access to sensitive data. As a result, an EPO can be executed in a Member State even if it has higher national protection standards in place than the issuing state. It can also cover a larger range of crimes.

2. Unilateral enforcement is not a good idea

The study raises concerns about the approach of the European Commission allowing the unilateral extension of enforcement jurisdiction.

First, the study shows there is a problem with the legality assessment of an order. According to the draft Regulation, if law enforcement authorities of Country A order the production of data to a service provider whose services are offered in Country B, it means that Country A is the issuing Member State and Country B the executing Member State. The proposal shifts the competence of assessing legality of the order from the executing authority in Country B to the issuing authority in Country A. In particular, law enforcement authorities in Country A are required to verify if the data requested is not protected under the law of Country B. According to the study, there are good reasons to believe that the law enforcement authorities will bypass this obligation as they are serving their own national interests in a criminal investigation and have little or no incentive to seriously consider the sovereign interests of the other State.

Second, direct “cooperation” with service providers affects the territorial sovereignty of the Member States in which the new cooperation instruments should be executed. The executing State cannot effectively fulfil its responsibility to protect fundamental rights. Why? Because under the proposals it is either not aware of or not notified about foreign orders, or it can only act once the service provider refuses to execute the order.

Third, this model could be copied by third countries, which could put in place extraterritorial enforcement rules to access data stored in the EU. The study recalls that moving away from a jurisdiction based on the data storage location as in the Commission’s proposal, opens the way for third countries to access EU citizens’ data in turn. There is a risk of clash with the General Data Protection Regulation (GDPR). This would leave service providers and citizens alike with legal uncertainty, which is precisely one of the drawbacks the Commission is trying to remedy.

Lastly, the study questions the validity of the legal basis used by the proposal – Article 82(1) of the Treaty on the Functioning of the European Union (TFEU) establishing the principle of mutual recognition. Article 89 of the TFEU says that law enforcement operations should be carried out in liaison and in agreement with the Member State authorities whose territorial sovereignty is affected. In this case, the principle of direct cooperation with service providers goes against limitations to extraterritorial operations. It is to be underlined that the notification requirement could only be a solution to this problem if the executing State is not just informed but explicitly agrees with the order.

3. The narrow window for contesting a European Production order is problematic

The service provider is responsible for carrying out a first assessment of the order. This does not include the possibility to challenge the legality of an order in the issuing Member State. The provider only benefits from procedural safeguards in the enforcement process, as it can appeal sanctions. The study expresses doubts about the quality of the protective function of a service provider as regards fundamental rights. “The limited number of grounds for non-execution suggests that the addressee must not refuse to produce […] the requested data for other reasons; for instance if the formal and substantial requirements for issuing an EPOC […] are not met (e.g. proportionality, comparable domestic case).”

In case the service provider refuses to execute the order, it is then referred to the executing Member State authorities, which become the enforcing authorities. There again, “the effectiveness of judicial protection in the enforcing MS […] is compromised by the limited number of refusal grounds. The draft regulation provides for a rather far-reaching obligation of the enforcing authority to recognise and enforce of an [EPO].”

When it comes to the rights of the individuals whose data have been collected and transferred, there is no mention of when they will be informed about the order and about the possible legal remedies to contest it. The only possibility to contest arises during the criminal proceedings, which comes very late in the process – if criminal proceedings take place at all, of course.

4. Upholding of usual mutual recognition safeguards is essential

The study sees in the proposal a strong imbalance between the interests of service providers for legal certainty and the “legitimate expectations of users and customers”. “The objective to enhance legal certainty for service providers in the Union should not be pursued at the expense of the fundamental rights of users”, the study highlights.

The study concludes with recommendations, including a preference for using and improving the EIO to better protect fundamental rights, as well as reestablishing mutual recognition principles such as traditional restrictions, a notification mechanism, and effective legal remedies. Hopefully the study influences the co-legislators, the Council of the European Union and the European Parliament.

An assessment of the Commission’s proposals on electronic evidence (24.09.2018)

EU “e-evidence” proposals turn service providers into judicial authorities (17.04.2018)

New Protocol on cybercrime: a recipe for human rights abuse? (25.07.2018)

Wiretapping & data access by foreign courts? Why not! (13.06.2018)

As of today the “European Investigation Order” will help authorities to fight crime and terrorism (22.05.2017)

(Contribution by Chloé Berthélémy, EDRi intern)



10 Oct 2018

Openness Index: Decrease of openness in Western Balkans

By Metamorphosis

Openness of institutions of executive power from the Western Balkans (WB) region is not at a satisfactory level. Only approximately 47% of indicators from the Regional Openness Index are currently being achieved.


Openness is a key element of democracy, since it allows citizens to receive the information and knowledge necessary for participation in political life, for effective decision-making and for holding institutions accountable for their policies. The Regional Openness Index measures the degree to which institutions of Western Balkan countries are open to citizens and society. It is based on the principles of 1) transparency, 2) accessibility, 3) integrity and 4) effectiveness. It is a tool designed for citizens to examine the openness of public administration and other public bodies. It also helps managers and politicians evaluate their work towards better openness. The Index was created in the framework of the Regional network Accountability, Technology and Institutional Openness Network in Southeast Europe (ActionSEE), founded by leading Western Balkans NGOs working on transparency and accountability: EDRi member Metamorphosis Foundation from Macedonia, CA Why not from Bosnia and Herzegovina, Center for Democratic Transition from Montenegro, and Center for Research Transparency Accountability (CRTA) from Serbia.

The founding members of the Regional network are organisations that use information and communications technology in their work on promoting democracy. ActionSEE conducts an EU-funded project providing a platform for dialogue between significant stakeholders, and a concrete tool to measure the degree to which state institutions uphold principles and standards of open governance. It aims to increase the inclusion of civil society and media organisations in decision making processes in informing public opinion and policies, as well as to raise the capacity of civic societies to address sensitive issues.

In the first measurement, conducted in 2016, the results from six countries covered 642 institutions, and more than 25 000 indicators and research findings were published. International standards, recommendations given in multiple EU reports on countries in the region, as well as good practices were followed when measuring the level of institutional openness. The institutions were assessed using specific quantitative and qualitative indicators, such as access to information on institutions’ official websites, the quality of the legal framework in individual cases, other sources of public information, published data regarding the work of institutions, public procurement, and information on public spending.

The situation in the region regarding the openness of the government differs from country to country, but one of the important factors is whether the given country is a member of the Open Government Partnership (OGP). Albania, Croatia, Macedonia, Montenegro and Serbia are members, while Bosnia and Herzegovina joined in September 2014. However, while the OGP is mostly focused on national policy making and its implementation, the Regional Openness Index deals with all levels and all public bodies.

The 2017 Index was conducted between December 2017 and late February 2018. It showed that clear and consistent policies of openness grounded in strategic documents do not exist. Instead of the expected progress in the area of openness, institutions of executive power had even worse results in comparison to the previous year. Openness amounts to only approximately 38% of fulfilled indicators, whereas the percentage for the previous year was higher, at 41%.

A lack of a strategic approach to openness is still evident in the countries of the region. The data obtained suggest that, in a large number of cases, there is still no expression of openness and transparency of institutions of executive power in relevant documents (strategies, procedures or policies related to these issues). Not even the presence of international initiatives advocating openness contributed to an increase in openness and transparency.

Only the Macedonian government’s top executive body shows an obvious increase of the level of openness. An example of the practices leading to this increase is the prime minister’s cabinet and general secretariat starting to publish session agendas, minutes from sessions held, as well as regular press releases after the sessions. The implementation of the recommendations given by the civil society sector on advancing the institutional openness made a valuable contribution to this, for instance the recommendations laid down in the Regional Roadmap for the Western Balkans countries.

Regional Openness Index

The Openness Index 2016

The Openness Index 2017

Roadmap on good governance for state institutions in the Republic of Macedonia (08.08.2017)

ActionSEE: Roadmaps for institutions

(Contribution by EDRi member Metamorphosis, Macedonia)



10 Oct 2018

The Facebook breach – a GDPR test-case

By Yannic Blaschke

On 28 September, Facebook notified the Irish Data Protection Commissioner (DPC) about a massive data breach affecting more than 50 million of its users. The hack of the “view as” feature, which allowed users to see their profile from the perspective of an external visitor or friend, exploited an interaction of several bugs on Facebook and allowed the intruders to acquire so-called “access tokens”. With these tokens, the attackers had access to personal data from the affected accounts, potentially including personal messages.


The incident is a highly salient test-case for the application of the General Data Protection Regulation (GDPR) in practice, specifically for:

1) Notification and provision of information: Under Article 33 of the GDPR, an entity facing a breach must notify the relevant data protection authority (DPA) within 72 hours, “where feasible”. As the vulnerability was discovered on 26 September, Facebook complied with this provision, unlike what other companies (Uber being one of them) have done in the past. However, the information provided by Facebook so far seems to have delivered only the very basics of what is required under the GDPR. The Irish DPC publicly urged the enterprise to submit more details so the authorities could properly assess the nature of the breach and the risk to users. Article 34 of the GDPR further requires that individuals whose personal data might have been compromised during the breach are notified without undue delay of the incident and of the counter-measures that have been taken so far. Facebook implemented this by displaying a message in the feed of the affected accounts. The information provided included an initial overview of the “view as” weakness, as well as the statements that the function has been turned off and that accounts that had used it since July 2017 had their access tokens removed, requiring a new login.

2) Sanctions: The GDPR allows for sanctions against the entity that faced the breach, which depend on the sensitivity of the compromised information and the degree to which appropriate safeguards were not implemented. Since approximately five million of the affected users come from the EU, Facebook could be liable for a 1,63 billion US dollar fine if that were found to be the case. Since the exact nature of the breach is still being investigated by the Irish DPC, it remains unclear to what extent the hacking was a result of negligence. In any case, the investigation might bring some further clarification on how the responsibility for the security of processing is allocated in practice, and how strictly infringements of this obligation are sanctioned. Cases like this thus offer an opportunity for other companies processing users’ personal data to learn in more detail about their security obligations under the GDPR, and provide them with examples of how to respond to a data breach. For users, the investigation also serves an important purpose: it shows them whether the security of their data is actually taken seriously. If it is not and they suffer adverse effects from that, they have the possibility to demand compensation – and since the Irish implementation of the GDPR allows for collective redress, they could even be represented by civil society in court. On the other hand, the incident also emphasises that, even if Facebook did not act carelessly, caution about uploading personal data is always advised, as absolute safety of personal information is never certain.

This data breach is yet another example of the importance of secure and confidential storage of personal data on the internet. While the news shows that the GDPR has successfully obliged Facebook to communicate in a more comprehensive and timely manner about its breach than other big tech companies previously did, it is now of utmost importance to follow up on the incident with an in-depth investigation: users’ rights under the GDPR should be fully and effectively enforced by the Irish DPC.

A Digestible Guide to Individual’s Rights under GDPR (29.5.2018)

GDPRexplained Campaign: the new regulation is here to protect our rights (29.5.2018)

General Data Protection Regulation: Document pool (25.6.2015)

Your ePrivacy is nobody else’s business (30.5.2018)

Cambridge Analytica access to Facebook messages a privacy violation (18.4.2018)

(Contribution by Yannic Blaschke, EDRi intern)



26 Sep 2018

Anatomy of an AI system – from the Earth’s crust to our homes

By SHARE Foundation

The Internet of Things (IoT) and the numerous devices that surround us and let us get through our daily routine with more convenience are becoming more advanced. A “smart” home is not a futuristic notion anymore – it is reality. However, there is another side to this convenient technology: the one that exploits material resources, human labor, and data.

In their latest research, Kate Crawford from the New York University AI Now Institute, a research institute examining the social implications of artificial intelligence (AI), and Vladan Joler from EDRi member SHARE Foundation’s SHARE Lab have analysed the extraction of resources across time – represented as a visual description of the birth, life and death of a single Amazon Echo unit. The interlaced chains of resource extraction, human labour and algorithmic processing across networks of mining, logistics, distribution, prediction and optimisation make the scale of this system almost beyond human imagining. The whole process is presented on a detailed high-resolution map.

It is easy to give Alexa a command – you just need to say “play music”, “read my last unread email” or “add milk to my shopping list” – but this small moment of convenience requires a vast planetary network, fuelled by the extraction of non-renewable materials, labour, and data. The scope is overwhelming: hard labour in mines for extracting the minerals that form the physical basis of information technologies, strictly controlled and sometimes dangerous hardware manufacturing and assembly processes in Chinese factories, outsourced cognitive workers in developing countries labelling AI training data sets, all the way to the workers at toxic waste dumps. All these processes create new accumulations of wealth and power, which are concentrated in a very thin social layer.


These extractive processes take an enormous toll in terms of pollution and energy consumption, although it is not visible until you scratch the surface. Also, many aspects of human behaviour are being recorded, quantified into data, used to train AI systems and enclosed as “intellectual property”. Many of the assumptions about human life made by machine learning systems are narrow, normative and laden with errors, yet they are inscribing and building those assumptions into a new world, and will increasingly play a role in how opportunities, wealth and knowledge are distributed.

Anatomy of an AI system

Map: Anatomy of an AI system

(Contribution by Bojan Perkov, EDRi member SHARE Foundation, Serbia)



26 Sep 2018

UK counter-terrorism law would restrict freedom of expression

By Guest author

Freedom of expression campaigners, human rights groups and legal experts are raising concerns that proposed new counter-terrorism legislation in the United Kingdom would restrict freedom of expression and limit access to information online.


The UK Parliament is currently considering the Counter-Terrorism and Border Security Bill, which could become law within a few months. The government aims to build on existing laws to fill gaps and close perceived loopholes. However, in doing so, the bill goes very far, including restricting online activity, which undermines fundamental rights to freedom of expression.

For example, the bill would make it a crime to view online content that is likely to be useful for terrorism, even if you have no terrorist intent (and even if you are watching over someone else’s shoulder). The crime would carry a prison sentence of up to 15 years. It would make the work of investigative journalists and academic researchers difficult and risky – as mistakenly landing on an offending page could have major consequences. The first version of this clause required a person to access the wrong content three times, but the government has amended this to become a “one-click rule” rather than the original “three-click rule”.

The bill would criminalise publishing (for example, posting on social media) a picture or video clip of clothes or a flag in a way that raises “reasonable suspicion” that the person doing it is a member or supporter of a terrorist organisation. Parliament’s Joint Committee on Human Rights recommended that this clause be withdrawn or amended because it “risks a huge swathe of publications being caught, including historical images and journalistic articles” and because of its potentially very wide reach and interference with Article 10 of the European Convention on Human Rights. The government has not taken this recommendation into account.

United Nations special rapporteur Professor Fionnuala Ní Aoláin has expressed concerns that the proposed clause “runs the risk of criminalizing a broad range of legitimate behaviour, including reporting by journalists, civil society organizations or human rights activists as well as academic and other research activity”. She has expressed concerns about several parts of the bill and emphasised that it should be brought in line with the UK’s obligations under international human rights law.

EDRi member Index on Censorship believes that the bill is not fit for purpose and should go back to the drawing board. It would significantly impact freedom of expression online, damage journalism and academic research, and signal the wrong direction for future online regulation in the UK.

Counter-Terrorism and Border Security Bill 2017-19

“Reckless” counter-terror bill a threat to academic research (17.09.2018)

Joint Committee on Human Rights Legislative Scrutiny: Counter-Terrorism and Border Security Bill – Ninth Report of Session 2017–19

Mandate of the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism (17.07.2018)

Counter-Terrorism and Border Security Bill not fit for purpose (10.09.2018)

(Contribution by Joy Hyvarinen, EDRi observer Index on Censorship, the United Kingdom)



26 Sep 2018

Will the evaluation of the net neutrality rules be balanced?

By Bits of Freedom

In August 2018, EDRi, together with nine other NGOs, at the initiative of our Dutch Member Bits of Freedom, asked the European Commission if it is possible to do independent research on the implementation of EU rules on net neutrality without being independent. The letter followed the award of a research contract to a law firm involved in net neutrality litigation. The Commission claims there is nothing to worry about. On 18 September 2018, a letter to follow up on the request was sent to the Commission.


(In)dependent researchers

The European Commission intends to issue an implementation report on the EU rules on net neutrality by April 2019. As previously reported in the EDRi-gram, the study on which the evaluation will rely has been awarded to the law firm Bird & Bird, in consortium with the research and consultancy company Ecorys. In EU Member States like the Netherlands, Bird & Bird represents most major telecom operators on matters related to the telecommunications regulatory framework, including net neutrality. For example, Bird & Bird represents T-Mobile in the pending court case that EDRi member Bits of Freedom has initiated against the decision of the Dutch Regulatory Authority ACM not to take action against T-Mobile’s zero-rating offer.

In our open letter to the European Commission, we expressed our concerns about the study of the implementation of the net neutrality rules. Our letter focused on the possible conflicts of interest of the lawyers in charge of the study, as well as the risk of an unbalanced report.

European Commission: “Nothing to worry about”

The European Commission’s reply was surprisingly speedy and extensive. In its reaction, the Commission tried to convince us that all is well; there are all sorts of rules that the researchers are bound by and which should guarantee their independence and impartiality. For instance, the documents that are central to the study should be stored safely, the lawyers should be transparent about the court cases they’re involved in, and regulators should be able to check that “all the facts, cases and case law have been represented fully and correctly”.

Better to exclude risks in advance

We appreciate the letter by the Commission, but we think that they can do better. We have therefore sent a new letter to the European Commission in which we offer two solutions to prevent potential conflicts of interest in the future. First of all, we urge the Commission not to award a study covering specific rules to a law firm like Bird & Bird, which is involved in a court case about those same rules at the time of the study. The Commission seems to believe that this solution would limit them to only using researchers with solely theoretical knowledge. We think this is an exaggeration, as Europe can take pride in having a choice between a wide range of experts, including experts on net neutrality.

If this solution cannot be implemented, we suggested that the Commission should at least make sure that the lawyers who are involved in a particular study are located in a different office than their colleagues working on an ongoing case that touches on the same subject. Regarding the study into the net neutrality rules, it just so happens that several of the lawyers involved in the study for the Commission work from Bird & Bird’s offices in The Hague. This happens to be the same office from which the lawyer who represents T-Mobile in the case on zero-rating works.

Curious about the report

Even though our suggestions deal mainly with how to sensibly conduct research into the effects of European law, we are most of all curious about the study that will evaluate EU net neutrality rules. It is not completely clear when the Commission will publish the study, but we will examine it closely. There is one thing that should be obvious from the evaluation: the current rules do not protect citizens and businesses from harmful practices like zero rating.

This article is an adaptation of the article published by EDRi-member Bits of Freedom and translated from Dutch by Bits of Freedom volunteer Tim Rijk.

Can you do independent research without being independent? (29.08.2018)

Bits of Freedom: Open Letter to the European Commission on net neutrality study (29.08.2018)

Is the evaluation of the net neutrality rules balanced? The European Commission thinks so (20.09.2018)

Open Letter replying to the response of the European Commission on net neutrality study (18.09.2018)

Bits of Freedom’s court case about zero rating (06.08.2018)

(Contribution by Rejo Zenger, EDRi member Bits of Freedom, the Netherlands)



26 Sep 2018

ECtHR gives a half-hearted victory against UK mass surveillance

By Chloé Berthélémy

On 13 September 2018, the European Court of Human Rights (ECtHR) delivered its ruling on the case brought by EDRi members Privacy International, Open Rights Group and other NGOs against the United Kingdom. The Court found several violations of the European Convention on Human Rights in three UK mass surveillance programmes.


The Court’s judgment is that the “quality of law” criterion for such interferences was not respected and that the procedures were incapable of keeping the interference with fundamental rights to what was “necessary in a democratic society”. It also acknowledges the value of bulk interception of data as a means for national authorities to “achieve the legitimate aim of protecting national security”. Some analysis of the ruling seems to echo previous concerns that the European Court of Human Rights has a more permissive approach towards indiscriminate data storage compared with the Court of Justice of the European Union (CJEU).

One of Snowden’s many legacies

The present case was brought before the Court after the disclosures by Edward Snowden of surveillance and intelligence sharing programmes operated by the intelligence services of the United States and the UK. A coalition of human rights and journalists’ associations, including two EDRi members, Privacy International and Open Rights Group, challenged three secret surveillance regimes introduced by the UK’s Regulation of Investigatory Powers Act (RIPA) in 2000. The case was originally referred to the UK’s Investigatory Powers Tribunal (IPT), a specialised court which was set up by RIPA as a remedy for victims of unlawful interception of their communications by security and intelligence agencies. The IPT only found technical breaches. An appeal was therefore filed in 2015 before the ECtHR to challenge its findings.

The Court examined the three types of surveillance regimes:

  1. the bulk interception of communications data;
  2. the intelligence sharing regime allowing the UK’s authorities to obtain data intercepted by foreign governments, for instance the US National Security Agency; and
  3. the acquisition of communications data from Communication Service Providers (CSPs), such as telecommunications operators.

What’s positive about the Court’s ruling?

The Court held that both the bulk interception regime and its provisions for obtaining communications data from CSPs violated Article 8 (right to privacy) and 10 (freedom of expression) of the European Convention on Human Rights. After intercepting communications traffic flowing through British cables, the intelligence services use search criteria and other selecting tools to filter the data and to examine the most relevant material. The Court found that there were not enough safeguards governing this selection process, pointing notably to the lack of independent oversight.

When assessing the UK’s mass interception regimes in light of Article 10, the Court considered that the absence of restrictions on intelligence services’ handling of intercepted and selected confidential journalistic material was a violation of the right to freedom of expression. Indeed, the Court further recognised that this unlimited power to search journalists’ communications, including with their sources, could have a “potential chilling effect…on the freedom of the press” (cf. paragraph 495). In addition, the Court considered that access to journalists’ communications data and content under RIPA was not subject to prior review by an independent or judicial body, thus infringing Article 8 of the European Convention on Human Rights.

Another important contribution of the judgment to the general debate on data protection is its treatment of metadata in comparison to communications content. Metadata covers all the information surrounding a communication except its content, that is to say the source (name, location, IP address), the destination, the date, the time and the type of communication (e.g. messaging service). The Court emphasises that collecting metadata is no less intrusive than collecting content data, as it can reveal a great deal about a person’s life and infringe her/his right to privacy. As a result, metadata deserves an equivalent level of protection.

This conclusion was already reached by the CJEU in its Digital Rights Ireland and Tele 2-Watson cases, as metadata could reveal information “that is no less sensitive, having regard to the right to privacy, than the actual content of communications” (Paragraph 99, Tele2 ruling).

The conclusions of both courts will certainly help in future disputes over data collection, retention and access, such as for the current European Commission’s proposal on cross-border access to data. Where the two courts appear to diverge in opinion is the nature of the data collection – bulk or targeted – and its compatibility with fundamental rights.

Time to update the safeguarding criteria

Despite the positive aspects of the ruling, the Court affirms the value of bulk interception, given the current threat level from global terrorism and serious crime. This was criticised by judges Koskelo and Turković in their partly concurring, partly dissenting opinion, which recalls the “enormous risks of abuse” this type of surveillance involves. This position also departs from the CJEU ruling, which stated that the data retention regime at issue in the Tele2 case exceeded “the limits of what is strictly necessary”.

Worse still, the criteria that the ECtHR used to analyse whether the three UK surveillance regimes provide enough safeguards against abuse have been criticised for being outdated: developed 12 years ago, they arguably do not account for the emergence of new technologies and surveillance techniques. Pointing out the shortcomings of the criteria, judges Koskelo and Turković question why “prior independent control by a judicial authority should not be a necessary requirement in the system of safeguards” in the Court’s examination.

This is not the end of the story

The judgment is not final, because the parties to the case can ask for a referral to the ECtHR Grand Chamber. In addition, RIPA is actually no longer in force, as it was replaced in 2016 by the Investigatory Powers Act (IPA), meaning that the Court did not take the new legal text into consideration. In light of this judgment, the British government will have to revise the IPA, as that law substantially extended the intelligence services’ powers and their demands on service providers.

Read more:

UK mass interception law violates human rights – but the fight against mass surveillance continues (13.09.2018)

Big Brother Watch v UK – implications for the Investigatory Powers Act? (13.09.2018) https://www.cyberleagle.com/2018/09/big-brother-watch-v-uk-implications-for.html?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+Cyberleagle+%28Cyberleagle%29

Blanket data retention is illegal under EU law, court says (21.12.2017)

Analysis of the ECtHR judgment in Big Brother Watch: part 1 (16.09.2018) https://eulawanalysis.blogspot.com/2018/09/analysis-of-ecthr-judgment-in-big.html

Mass surveillance in the CJEU: forging a European consensus (07.2017)

(Contribution by Chloé Berthélémy, EDRi intern)



26 Sep 2018

Five reasons to be concerned about the Council ePrivacy draft

By IT-Pol

On 19 October 2017, the European Parliament’s LIBE Committee adopted its report on the ePrivacy Regulation. The amendments improve the original proposal by strengthening confidentiality requirements for electronic communication services, and include a ban on tracking walls, legally binding signals for giving or refusing consent to online tracking, and privacy by design requirements for web browsers and apps. Before trilogue negotiations can start, the Council of the European Union (the Member States’ governments) must adopt its “general approach”. The Council Presidency, currently held by Austria, is tasked with securing a compromise among the Member States. This article analyses the most recent draft text from the Austrian Council Presidency 12336/18.

Further processing of electronic communications metadata

The current ePrivacy Directive only allows processing of electronic communications metadata for specific purposes given in the Directive, such as billing. The draft Council ePrivacy text in Article 6(2a) introduces further processing for compatible purposes similar to Article 6(4) of the General Data Protection Regulation (GDPR). This further processing must be based on pseudonymous data, profiling individual users is not allowed, and the Data Protection Authority must be consulted.

Despite these safeguards, this new element represents a huge departure from the current ePrivacy Directive, since the electronic communications service provider will determine what constitutes a compatible purpose. The proposal comes very close to introducing a “legitimate interest” loophole as a legal basis for processing sensitive electronic communications metadata. Formally, the further processing must be subject to the original legal basis, but what this means in the ePrivacy context is not entirely clear, since the main legal basis is a specific provision in the Regulation, such as processing for billing, for calculating interconnection payments, or for maintaining or restoring the security of electronic communications networks.


An example of further processing could be tracking mobile phone users for “smart city” applications such as traffic planning or monitoring travel patterns of tourists via their mobile phone. Even though the purpose of the processing must be obtaining aggregate information, and not targeting individual users, metadata will still be retained for the individual users in identifiable form in order to link existing data records with new data records (using a persistent pseudonymous identifier). Therefore, it becomes a form of voluntary data retention. The mandatory safeguard of pseudonymisation does not prevent the electronic communications service provider from subsequently identifying individual users if law enforcement authorities obtain a court order for access to retained data on individual users.

Communications data only protected in transit

Whereas the text adopted by the European Parliament specifically amends the Commission proposal to ensure that electronic communications data is protected under the ePrivacy Regulation after it has been received, the Council text clarifies that the protection only applies in transit. After the communication has been received by the end-user, the GDPR applies, which gives the service provider much greater flexibility in processing the electronic communication data for other purposes. For a number of modern electronic communications services, storage of electronic communication data on a central server (instead of on the end-user device) is an integral part of the service. An example is the transition from SMS (messages are stored on the phone) to modern messenger services such as WhatsApp or Facebook Messenger (stored on a central server). This makes it important that the protection under the ePrivacy Regulation applies to electronic communications data after it has been received. The Council text fails to address this urgent need.

Tracking walls

The European Parliament introduced a ban on tracking walls, that is the practice of denying users access to a website unless they consent to processing of personal data via cookies (typically tracking for targeted advertising) that is not necessary for providing the service requested.

The Council text goes in the opposite direction by specifically allowing tracking walls in Recital 20 for websites where the content is provided without a monetary payment if the website visitor is presented with an alternative option without this processing (tracking). This could be a subscription to an online news publication. The net effect of this is that personal data will become a commodity that can be traded for access to online news media or other online services. On the issue of tracking walls and coerced consent, the Council ePrivacy text may actually provide a lower level of protection than Article 7(4) of the GDPR, which specifically seeks to prevent that personal data can become the counter-performance for a contract. This is contrary to the stated aim of the ePrivacy Regulation.

Privacy settings and privacy by design

The Commission proposal requires web browsers to offer the option of preventing third parties from storing information in the browser (terminal equipment) or processing information already stored in the browser. An example of this could be an option to block third party cookies. The Council text proposes to delete Article 10 on privacy settings. The effect of this is that fewer users will become aware of privacy settings that protect them from leaking information about their online behaviour to third parties and that software may be placed on the market that does not even offer the user the possibility of blocking data leakage to third parties.

Data retention

Article 15(1) of the current ePrivacy Directive allows Member States to require data retention in national law. Under the case law of the Court of Justice of the European Union (CJEU) in Digital Rights Ireland (joined cases C-293/12 and C-594/12) and Tele2 (joined cases C-203/15 and C-698/15), this data retention must be targeted rather than general and undifferentiated (blanket data retention). In the Commission proposal for the ePrivacy Regulation, Article 11 on restrictions is very similar to Article 15(1) of the current Directive.

In the Council text, Article 2(2)(aa) excludes activities concerning national security and defence from the scope of the ePrivacy Regulation. This includes processing performed by electronic communications service providers when assisting competent authorities in relation to national security or defence, for example retaining metadata (or even communications content) that would otherwise be erased or not generated in the first place. The effect of this is that data retention for national security purposes would be entirely outside the scope of the ePrivacy Regulation and, potentially, the case law of the CJEU on data retention. This circumvents a key part of the Tele2 ruling where the CJEU notes (para 73) that the protection under the ePrivacy Directive would be deprived of its purpose if certain restrictions on the rights to confidentiality of communication and data protection are excluded from the scope of the Directive.

If data retention (or any other processing) for national security purposes is outside the scope of the ePrivacy Regulation, it is unclear whether such data retention is instead subject to the GDPR, and must satisfy the conditions of GDPR Article 23 (which is very similar to Article 11 of the proposed ePrivacy Regulation), or whether it is completely outside the scope of EU law. The Council text would therefore create substantial legal uncertainty for data retention in Member States’ national law, undoubtedly to the detriment of the fundamental rights of many European citizens.

Read more:

Proposal for a Regulation concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC – Examination of the Presidency text (20.09.2018)

e-Privacy: What happened and what happens next (29.11.2017)

EU Member States fight to retain data retention in place despite CJEU rulings (02.05.2018)

EU Council considers undermining ePrivacy (25.07.2018)

Civil society letter to WP TELE on the ePrivacy Regulation (24.09.2018)

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)



12 Sep 2018

How the online tracking industry “informs” policy makers

By Yannic Blaschke

Following the entry into force of the General Data Protection Regulation (GDPR), the online advertising industry’s lobbying efforts moved to undermining the ePrivacy Regulation proposal. The Regulation, building on the GDPR, is designed to provide more specific provisions related to privacy and confidentiality of communications in the context of e-communications.


For example, the ePrivacy Regulation will regulate the way in which online tracking companies operate and how the privacy of individuals can be further protected. In this context, lobbying groups for the booming online stalking industry are doing everything they can to label the protection of citizens’ privacy rights as harmful to the digital economy. As recent evidence shows, these efforts do not even stop at providing European Union policy makers with information that appears designed to mislead.

In a Euractiv.com op-ed, Dr. Johnny Ryan (Chief Policy & Industry Relations Officer at Brave Software), explained that “research” circulated by lobby group IAB Europe was dubious, at best. The “research” misleadingly misrepresented the revenues collected by European publishers from behavioural advertising, by including the advertising revenues of Google and Facebook – two powerful members of IAB (Google is a direct member, Facebook is taking part through its subsidiary company Atlas) who, in relation to this activity, are clearly not “publishers” in the sense of traditional news outlets.

In this context, it is all the more misleading that the research report spread by the IAB in September 2017 crams tech giants and media outlets together into the category of ‘publishers’. In an earlier position paper, the IAB stated that the proposed ePrivacy Regulation would “derail European digital media outlets by significantly undermining their ability to generate enough revenue to create and provide free online content and services”. However, as Dr. Ryan reports, only a fraction of the claimed 10.6 billion euros of revenue that European publishers allegedly made from behavioural advertising in 2016 actually goes to journalists and creative content providers.

Actively confusing the revenue of these actual publishers with the vast sums harvested by Google and Facebook through stalking online browsing behaviour (and, we have since learned, stalking people’s location offline as well) appears more than a little cynical. It is also a critical omission of information that reflects badly on the IAB’s respect for its oath to provide complete and non-misleading information, which it made as part of its registration in the EU Transparency Register. While the main advocate for companies whose aim is to monitor European citizens’ every step on the internet has shown a flexible attitude to factual reporting in the past, this incident reaches a new level of flexibility with the truth.

EU parliamentarians and EU Member States need to question the supposed ‘economic value’ of ubiquitous monitoring of their voters. All the more, the evidence should also serve as a warning to the Austrian Council Presidency, which has pledged to “ensure strong privacy protection in electronic communications while also taking into account development opportunities for innovative services”. As has been demonstrated, the alleged ‘development opportunities’ of behavioural advertising in the EU mainly benefit the advertising duopoly. Will the Austrian Presidency live up to its motto of a “Europe that protects” by supporting a strong ePrivacy regime?

Read more:

ePrivacy: Over-regulation or opportunity? (07.09.2018)

EU Council considers undermining ePrivacy (25.07.2018)

Your ePrivacy is nobody else’s business (30.05.2018)

Five things the online tracking industry gets wrong (13.09.2017)

Massive lobby against personal communications security has started (27.07.2016)

(Contribution by Yannic Blaschke, EDRi intern)



12 Sep 2018

Big Brother Awards 2018 Italy

By Hermes Center

The 2018 Italian edition of the Big Brother Awards was held in Bologna on 8 June 2018, with the support of a grant from the European Digital Rights Fund. The award ceremony took place during the 23rd edition of the E-privacy conference.


The winners of the Italian Big Brother Awards 2018

Technological Threat:

The award was shared among:
● Amazon AWS IoT Services
● Google Cloud IoT
● Particle Industries, Inc.

The above companies sell IoT (internet of things) development and management services to IoT device developers and sellers. By doing so they create “walled gardens” where adopters and their users are captive, and they become a hub of data transmission from all devices.

National Threat: Italian Parliament

With no discussion at all, the Parliament silently inserted mandatory 6-year storage of telecommunications data, and extended provisions on the storage of internet traffic data, into a law pertaining to elevator safety rules.

International Threat and Lifelong Threat: (Surprise, surprise!) Facebook

The win comes thanks to the Cambridge Analytica affair. Skipping technicalities, here is an extract from the prize explanation:

“The recent scandals have led its founder [Mark Zuckerberg] to show disarming honesty. In a public hearing in the US Congress he showed the true nature of Facebook, which is not a social one but ‘Senator, we run ads’.”

Privacy Hero: Altroconsumo

The Italian consumer advocacy organisation Altroconsumo, which started the first consumer class action against Facebook, asking for compensation for the unauthorised use of consumers’ personal data.

The full video of the ceremony (in Italian) can be accessed on the e-privacy site or directly on this link.

Read more:

Big Brother Awards – tips and materials for organisers (02.05.2018)

(Contribution by Hermes Center, EDRi member, Italy)