13 May 2020

Austria’s biggest privacy scandal: residential addresses made public

By Epicenter.works

Nobody took data protection into account for the so-called “Supplementary Register for Other Concerned Parties” (Ergänzungsregister für sonstige Betroffene). The Ministry for the Economy and the Finance Ministry are responsible for a data breach to which the Austrian Economic Chambers were an accomplice.

Personal data of at least one million people have been publicly posted on the Internet for years without any protective measures, as NEOS and epicenter.works explained in a joint press conference on 8 May. This is a gift from the Republic to every data dealer and identity thief. “The technical and organisational measures necessary for protecting the rights of the affected persons according to GDPR are completely absent”, adds epicenter.works’ managing director Thomas Lohninger. In contrast to the Central Register of Residents (ZMR), all protective mechanisms are missing here, such as requiring identification of the querying person or charging a fee for the release of data, or the option to protect one’s own data with an informational release block.

Private residential addresses are particularly sensitive

“We do not yet know exactly how many people are affected by this data scandal and which groups are involved,” Lohninger continues. “According to our estimates, there must be about one million concerned people.” It could also be deduced from the data when tax returns were filed or whether, for example, state assistance was received. “What is even more dramatic is that the private residential addresses of these people are publicly available on the Internet and there is no way to defend oneself against it. From the Federal President downwards, almost everyone can be found there who has and has had income other than from non-self-employment”, the data protection expert adds.

No purpose, no information block, no protective measures

“The purpose of this public register is not apparent. Public registers regularly entail rights and obligations, such as Entries in the Civil Register, Register of Companies or Register of Associations. Although the internal provision of source numbers within the administration may be the reason for the creation of the supplementary register, this does not explain its years of public and barrier-free access,” says epicenter.works’ lawyer Lisa Seidl. In many cases, the scope of the accessible data goes beyond the data that can be retrieved from the ZMR and, in contrast, there are no protective mechanisms, such requiring the identification of the querying person, charging a fee for the release of information or providing the option of setting up an informational release block. Even if the 2009 regulation provides a legal basis for the publication of the register, this regulation could constitute a violation of the fundamental right to data protection, said Seidl.

On the basis of redacted excerpts from this database, we can show that the data of journalists, politicians and other persons who are particularly concerned about the confidentiality of their private data were included. For example, out of 183 members of Parliament, 100 were visible with their private addresses. You can find a corresponding list here. Furthermore, many Public Broadcasting (ORF) journalists could be found easily.

How is this different from the Commercial Register?

The Commercial Register is easily accessible, but it costs quite a lot – 12.90€ per extract – and is essential (i.e. it has an important purpose), because you have to and should know about the economic risk you are taking when you sign contracts with other companies. In any case, it does not contain private residential addresses, but the business addresses of the companies.

Is the regulation potentially even illegal or unconstitutional?

In principle, the Austrian state must comply with GDPR, but it is exempt from penalties. If data that are not already publicly accessible (e.g. tax data of private individuals – not companies!) are in the register, this needs its own legal basis (in this case a decree), and only then according to the GDPR the data can be processed. However, this decree could still be unconstitutional (§1 of the Data Protection Act (DSG) has constitutional status). Justified constraints of fundamental rights always require a legitimate objective that is necessary and proportionate. The register falls at this first hurdle, as making tax data accessible for the public is not a “legitimate objective”. Therefore, the constraint of fundamental rights is unjustified and a violation of the fundamental right to data protection. As long as the Austrian Constitutional Court has not repealed the regulation on the grounds of unlawfulness or unconstitutionality, it is to be applied.

Chronology of the register

  • Decision to establish this register publicly 2004/2009, Schüssel / Faymann
  • Register transferred to the Austrian Ministry for the Economy in December 2018 without question, no protective measures established, despite introduction of GDPR no enforcement of the rights of those affected
  • Austrian Finance Ministry continuously sends data to registers, unclear from which sources

Read more:

Größter Datenskandal der Republik: Über eine Million Wohnadressen öffentlich (08.05.2020)

Austrian government hacking law is unconstitutional (18.02.2019)

Austrian postal service involved in a data scandal (28.01.2019)

(Contribution by Thomas Lohninger, from EDRi Member epicenter.works)

06 Nov 2019

Portuguese ISPs ignore telecom regulator’s recommendations

By D3 Defesa dos Direitos Digitais

In 2018, the Portuguese telecom regulator ANACOM told the three major Portuguese mobile Internet Service Providers (ISPs) to change offers that were in breach of EU net neutrality rules. Among other things, the regulator recommended that ISPs publish their terms and conditions, and increase the data volume of their mobile data packs in order to bring it closer to their zero-rating offer. In Portugal, average mobile data volumes are small, yet among the most expensive in Europe. ANACOM’s net neutrality report that was published in June 2019 reveals how the ISPs reacted to the regulator’s intervention.

While operators have complied with ANACOM’s decision on differential treatment of traffic after the general data ceiling has been exhausted, that was as far as they went. Regarding the increase of data volume, all three major operators simply ignored ANACOM’s demand. None of them changed their offers. One of the operators claimed, instead, that “the current ceiling is adjusted to the demand”.

Then, ANACOM had asked the ISPs to publish the terms and conditions under which other companies and their applications can be included in the their zero-rating packages. The result: All operators ignored this recommendation, too.

Surprisingly, the regulator’s reaction was lukewarm, at best. Instead of strongly criticising the ISPs for not complying to its recommendations, it stated that it “will continue to monitor all matters concerning these recommendations”, and that this will be followed up with “further analysis in the context of net neutrality […]”.

Portuguese EDRi observer D3 Defesa dos Direitos Digitais regrets the lack of will and courage on the part of ANACOM to put an end to the harmful practices of ISPs. Zero-rating harms consumers and free competition by tilting the playing field in favour of a few selected, dominant applications, and it constitutes a threat to a free and neutral internet. By not acting against price discrimination practices between applications and restricting its action to technical discrimination of traffic, ANACOM shows no intention to act on the underlying problem of zero-rating offers.

The result is that in Portugal, mobile data volumes are on average small, and the prices are among the highest in Europe. Users suffer from an over-concentrated market – three major ISPs share 98% of the market. In this setting, the leading companies can afford to ignore the regulator’s public recommendations without practical consequences. The legislator has not introduced the fines for net neutrality infringements that are mandatory under EU law since 2015.

This article is an adaptation of an article published at:

D3 Defesa dos Direitos Digitais


Portuguese ISPs given 40 days to comply with EU net neutrality rules (07.03.1018)

Civil society urges Portuguese telecom regulator to uphold net neutrality (23.04.2018)

(Contribution by Eduardo Santos, EDRi observer D3 Defesa dos Direitos Digitais, Portugal)

05 Jun 2019

BEREC workshop: Regulatory action by NRAs and consumer empowerment

By IT-Pol

On 29 May 2019, EDRi was invited to participate in a workshop of the Body of European Regulators for Electronic Communications (BEREC) on the planned update of its Net Neutrality Guidelines. Thomas Lohninger from Austrian EDRi member Epicenter.works and Jesper Lund from Danish EDRi member IT-Pol represented our network. Lund provided the following input to the regulators on regulatory action by the National Regulatory Authorities (NRAs).

Epicenter.works published a report in January 2019 which, among other things, surveys regulatory action based on the annual net neutrality reports by the NRAs. Port blocking is a severe form of traffic management since entire services, such as hosting of email or web servers by the end-user, are suppressed. This may be justified in certain situations, but requires a rigorous assessment under Article 3(3) third subparagraph, point b (preserve the integrity of the network) of Europe’s Net Neutrality Regulation (2015/2120).

Port blocking is generally quite easy to detect with network measurement tools. This is also noted in section 4.1.1 of BEREC’s Net Neutrality Regulatory Assessment Methodology (BoR (17) 178). Other forms of discriminatory traffic management are harder to detect. Based on this, it seems a reasonable conjecture to take NRA enforcement action on port blocking as indicative of the rigorousness of wider enforcement practices regarding traffic management. Unfortunately, detailed information on port blocking cases is not contained in most NRAs’ net neutrality reports.

Since the publication of the Net Neutrality Guidelines in August 2016, BEREC has launched a project to create an EU-wide network measurement tool, expected in late 2019. The measurement tool is based on the core principles of open methodology, open data, and open source. This means that the tool can be deployed on many devices, used by many end-users, and that the data generated through “crowdsourcing” by end-users (subscribers of internet access services, IAS) can be analysed by NRAs and other interested parties. In the opinion of EDRi, effective use of the forthcoming measurement tool, with crowdsourced measurement by end-users, will be a milestone in supervision and enforcement actions for traffic management practices.

Among other things, the measurement tool can be used for detection of unreasonable traffic management practices, establishing the real performance and Quality of Service (QoS) parameters of an IAS, assessing whether IAS are offered at quality levels that reflect advances in technology, and assessing whether the provision of specialised services risks deteriorating the available or general quality of IAS for end-users.

All of these tasks are specific obligations for NRAs under the Open Internet Regulation. As EDRi has highlighted before, the crowdsourcing aspect of the deployment of the measurement tool is very important as single measurements can contain a large element of noise, for example because of characteristic of the specific testing environment. In the aggregate, the noisy element can be expected to “wash out”, leaving the effect of the IAS traffic management practices or other network design choices by IAS providers.

When a measurement tool developed by BEREC is freely available to NRAs, the Guidelines on Article 5 of the Regulation should be updated to contain specific requirements and recommendations for the use of network measurement tools in the NRA supervision tasks. NRAs should, of course, be free to choose between their own measurement tools and methodology and the one offered by BEREC to all NRAs.

The Regulation does not per se require NRAs to establish or certify a monitoring mechanism. Needless to say, the Guidelines cannot change that. Therefore, most provisions in the Guidelines related to network measurement tools will have to be recommendations for NRAs.

However, the Regulation specifically requires NRAs to closely monitor and ensure compliance with Article 3 and 4 of the Regulation. While NRAs should be free to choose their own regulatory strategies, allowing these strategies to be adapted to the local “market” conditions and need for enforcement action, some proactive element is required on behalf of NRAs. Simply responding to end-user complaints cannot be sufficient to satisfy the obligation under Article 5.

In the opinion of EDRi, it will be very difficult for NRAs to fulfil their monitoring obligations under Article 5 without some form of quantitative measurement from the IAS network. The last sentence of recital 17 of the Regulation oncretely requires network measurements of latency, jitter and packet loss by NRAs to assess the impact of specialised services.

BEREC’s Guidelines with recommendations on the use of crowdsourced network measurements will have two positive implications for the net neutrality landscape in Europe. For the NRAs that follow the recommendations, and actively use the BEREC measurement tool, we will have quantitative monitoring of the compliance with articles 3 and 4 that is harmonised and comparable across EU Member States. This will, in itself, be hugely beneficial, and contribute to a consistent application of the net Neutrality Regulation.

In Member States where the NRA decides not to use the BEREC measurement tool (or its own), the recommendations in the Net Neutrality Guidelines could potentially facilitate shadow monitoring reports by civil society or consumer organisations. Of course, this can also be done without recommendations in the BEREC Guidelines or even with alternative measurement tools (than the one developed by BEREC), but adhering to the BEREC recommendations would create results that can be more easily compared with for example NRA net neutrality reports in Member States where the BEREC measurement tools is actively used.

EDRi will be pleased to contribute draft amendments to the Guidelines in order to formally incorporate a network measurement tool and crowdsourced measurements in the IAS network by end-users.



BEREC Workshop on the update of its Net Neutrality Guidelines

Europe’s Net Neutrality Regulation (2015/2120)

BEREC Net Neutrality Regulatory Assessment Methodology

BEREC Guidelines on the Implementation by National Regulators of European Net Neutrality Rules

Two years of net neutrality in Europe – 31 NGOs urge to guarantee non-discriminatory treatment of communications (30.04.2019)

NGOs and academics warn against Deep Packet Inspection (15.05.2019)

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)

22 May 2019

Passenger surveillance brought before courts in Germany and Austria

By Gesellschaft für Freiheitsrechte

EDRi members Gesellschaft für Freiheitsrechte (GFF, Society for Civil Rights) and Epicenter.works have taken legal action against the mass retention and processing of Passenger Name Records (PNR) before German and Austrian courts and authorities. The European PNR Directive (Directive 2016/681) requires airlines to automatically transfer their passengers’ data to state authorities. There, the data are stored and automatically compared with pre-determined “criteria” that describe, for example, the flight behavior of known criminals. The data will also be distributed to other authorities and even non-EU member countries.

The EU Member States have been, since May 2018, obliged by the European PNR Directive to have adopted legislation for the retention of passenger data from airlines. For each passenger who takes a flight, a record is created. It contains at least 19 data items, including data such as the date of birth, details of accompanying persons, payment information, and the IP address used for online check-in. Together with information on the flight time and duration, booking class and baggage details, PNR data provides a detailed picture of the trip and the passenger.

PNR data is stored centrally at the respective Passenger Information Unit (PIU). These PIUs are usually located at national police authorities. The data can then be accessed by numerous other authorities and even transmitted to other countries. In addition, an automated comparison of the data records with pre-determined “criteria” is conducted.

This is a way of identifying new suspects in the mass of previously unsuspicious passengers – and a new level of dragnet action by collecting data from all citizens to “catch a few fish”. Thus, each individual, whether previously suspected of a crime or not, can thus be subjected to stigmatising investigations, just for coincidentally having similar flight patterns to past offenders.

GFF and epicenter.works argue that the PNR Directive in its current form violates the Charter of Fundamental Rights of the European Union, in particular the right to respect for private and family life (Article 7), as well as the right to the protection of personal data (Article 8). The Court of Justice of the European Union (CJEU) already took a similar view in its 2017 Opinion on the draft PNR agreement between the EU and Canada.

Since it isn’t possible to appeal the case against the PNR Directive directly before the CJEU, GFF and epicenter.works have brought legal actions before courts and authorities, civil and administrative courts, as well as the data protection authorities (DPAs) in Germany and Austria. The complaints lodged argue that the storage and processing of data by the police authorities violates the Charter of Fundamental Rights. Due to the case’s evident implications of EU law and the CJEU’s aforementioned opinion, it is expected that national courts will eventually refer the question to the CJEU.

The basic funding for the project is provided by the Digital Freedom Fund.

Gesellschaft für Freiheitsrechte (GFF, Society for Civil Rights)


No PNR campaign

Directive 2016/681 (PNR Directive)

CJEU Opinion on the Draft PNR agreement between Canada and the European Union

(Contribution by EDRi member Gesellschaft für Freiheitsrechte, Germany)

08 May 2019

Austria: New “responsibility” law will lead to self-censorship

By Epicenter.works

Shortly after the EU gave green light to upload filters, two laws were proposed in Austria, with the alleged goal of tackling online hate speech, that rang the alarm bells.

The law “on care and responsibility on the net” forces media platforms with forums to store detailed data about their users in order to deliver them in case of a possible offence not only to police authorities, but also to other users who want to legally prosecute another forum user. Looking at the law in detail, it is obvious that they contain so many problematic passages that their intended purpose is completely undermined.

According to the Minister of Media, Gernot Blümel, harmless software will deal with the personal data processing. One of the risks of such a system would be the potential for abuse from public authorities or individuals requesting a platform provider the person’s name and address with the excuse to wanting to investigate or sue them − and then use the information for entirely other purposes. Rather than improving safety online, the resulting “chilling effect” will lead to individuals avoiding sharing their most controversial opinions on a forum that possesses their detailed personal data. In essence, this is a way of imposing self-censorship on individuals. The proposed laws would concern only a handful of platforms in Austria. The aim is quite clear: to diminish the public democratic discourse and to try to intimidate those who think differently politically.

This law is not alone in restricting online freedoms. During its EU Council presidency, Austria decided to not make a clear rejection of unlawful data retention − a concept that has already been judged several times as contrary to fundamental rights by the European Court of Justice. Furthermore, back at home, the Austrian Federal Government is trying to collect as much data as possible about citizens and with new surveillance laws and porn filters based on the British model. The goal is clear: To monitor people every step of the way on the internet and limit their leeway.

Austria’s Chancellor Sebastian Kurz argues that the internet is not a legal vacuum and that laws apply to the online world too. He’s right. The Charter of Fundamental Rights of the European Union also applies to the online world. We must not allow this creeping undermining and abolition of privacy, data protection, freedom of expression and participation in political discourse. It is time to stand up for these fundamental rights. Let us demand a transparent state instead of a transparent citizen!


EU Member States give green light for copyright censorship (15.04.2019)

New EU data retention at Austria’s initiative

(Contribution by Iwona Laub, EDRi member Epicenter.works, Austria)

13 Mar 2019

Record number of calls to the EU Parliament against upload filters

By Epicenter.works

With just two weeks to go until the final vote on upload filters in the European Parliament, one hundred MEPs have pledged to vote against Article 13 of the proposed Copyright Directive. Many citizens feel like their legitimate fears about the future of the internet are not taken seriously as lawmakers insult them as being “bots” or simply “a mob”. Public protests demanding the removal of Article 13 have been announced in 23 European cities.

Thousands of EU citizens have taken part in the pledge2019.eu campaign, picking up their phone and calling their representatives. Since the campaign was launched at the end of February, citizens have called their elected representatives more than 1200 times, and spent over 72 hours on the phone with them. This unprecedented number of phone calls to politicians demonstrates just how much people care about an open, uncensored internet. It also shows that citizens are interested in engaging in European political issues, if you let them. After previous attempts of citizens to reach out to policy makers via social media or e-mail have been discredited as originating from bots or being part of a mob, citizens are now going the extra mile and voice their concern directly to their elected representative.

The damage done to Europe’s democracy by claiming that citizens voicing their concerns are a manufactured campaign is immense. A whole generation of internet users learn that their legitimate fears about the consequences of the proposal on modern everyday cultural expression and media habits are being ignored and ridiculed. In reaction, the protest movement against Article 13 gave itself the slogan “We are no bots”.

Upload filters are quickly becoming a major issue in the upcoming EU elections as demonstrators are joined by a host of experts against Article 13: UN Special Rapporteur on freedom of expression David Kaye warns against the threat for our freedom of expression online, academics specialising in intellectual property law call the proposal “misguided”, the founder of the world wide web Sir Tim Berners-Lee together with other internet emincence warns about the imminent threat to the open internet, and the International Federation of Journalists calls on policy makers to rethink this unbalanced copyright Directive.

On 23 March 2019 several rallies and demonstrations will be organised against Article 13 all around Europe. Concerned citizens still have two weeks left to visit www.pledge2019.eu and make their voices heard.


Save Your Internet


Save Your Internet – Call for a Pan-European Day of Protests on 23 March!

(Contribution by Thomas Lohninger, EDRi member Epicenter.works, Austria)

13 Feb 2019

A study evaluates the net neutrality situation in the EU

By Epicenter.works

Two and a half years after the adoption of the guidelines confirming strong protection for net neutrality in Europe, Austrian EDRi member epicenter.works published a study on the enforcement and status quo of net neutrality. The study entitled “The Net Neutrality Situation in the EU: Evaluation of the First Two Years of Enforcement” examines whether telecom companies are violating net neutrality rules, how regulators are fulfilling their enforcement and supervision duties, and how this affects internet users across the continent.

The study focuses on the most common net neutrality violation in Europe, the practice of “zero-rating”. For this purpose, epicenter.works conducted a complete survey of all zero-rating offers in Europe, including the applications that benefit from the special treatment of having their data excluded from monthly data cap.

The study highlights two important findings:

  1. that zero rating offers cost consumers more, and do not lead to decreased prices as initially expected;
  2. that it’s mostly American online companies who benefit from zero-rated offers (with only three European exceptions).

For consumers, the most compelling finding was the fact that zero-rating offerings seem attractive, because they promise “free” services, but in the end they lead to an increase in the general price level. In markets with zero-rating practices, the price of data increased 2% year-over-year. In markets without zero-rating practices, the price of data decreased 8% year-over-year.

The study finds that since Europe’s net neutrality rules came into effect, zero-rating has spread to all but two EU countries with a total of 186 zero-rating offers in Europe. In some countries the price difference between the applications with special prices and the rest of the internet was up to 70-fold. Among the top 20 applications that benefit from zero-rating, only three are from Europe. Applications and services from EU countries are rarely zero-rated, which leads to the conclusion that the European Digital Single Market likely suffers from these net neutrality violations. The data indicates that most application providers only participate in one to three zero-rating offerings, which clearly shows that this system canot scale to a single market with over 200 mobile operators. In effect, the study shows how end-user choices are restricted and Europe’s Digital Single Market has been fragmented by the new market entry barriers that telecom companies have created.

Although regulators should have a coherent approach to the enforcement of net neutrality, wildly different approaches were found. Some of the rulings in Europe are even contradicting each other, for example in the area of port blocking or congestion management. In some countries the fines for telecom companies for net neutrality violations rise to nine-digit sums, and in others only to four-digit sums. In Portugal and Ireland there was no penalty provision to be found at all, while Ireland currently holds the chairmanship of the Body of European Regulators of Electronic Communication (BEREC) in charge of the net neutrality reform.

Another key finding of the study is that despite BEREC guidelines requiring telecom companies to provide at least a minimum level of transparency on internet speeds, companies are not publishing that information, and regulators are turning a blind eye.

The study also provides information about the upcoming discussion about 5G within the scope of net neutrality , as this argument the Internet Service Providers (ISPs) is already being laid on the table in the upcoming net neutrality review.

The report can be downloaded on epicenter.works’ website, and all of the data sets have been released as open data. The study was supported by Mozilla and the Austrian Chamber of Labour.


Report: The Net Neutrality Situation in the EU (29.01.2019)

Survey of all differential pricing offers in the EEA (29.01.2019)

Net neutrality wins in Europe! (29.08.2016)

Net Neutrality vs. 5G: What to expect from the upcoming EU review? (05.12.2018)

(Contribution by Iwona Laub, EDRi member Epicenter.works, Austria)



05 Dec 2018

Net Neutrality vs. 5G: What to expect from the upcoming EU review?

By Epicenter.works

Since 2016 the principle of net neutrality is protected in the European Union (EU). Net neutrality is a founding principle of the internet. It ensures the protection of the right to freedom of expression, the right to assembly, the right to conduct business, and the freedom to innovate on the internet. These protections came about in no small part due to the work of civil society. A coalition of 23 NGOs worked together for over three years to convince politicians and regulators of the importance of net neutrality. This victory may be called into question when the Body of European Regulators for Electronic Communications (BEREC) reviews its net neutrality guidelines in 2019.

----------------------------------------------------------------- Support our work - make a recurrent donation! https://edri.org/supporters/ -----------------------------------------------------------------

The net neutrality protections in the EU consist of two layers, a legal and regulatory one. The legal basis for the protections is part of an EU Regulation, which takes precedence over national law and is directly applicable in all Member States as well as the further three countries in the European Economic Area (EEA) Norway, Iceland and Liechtenstein. This Regulation gives the independent national telecom regulators the power and the mandate to protect net neutrality in their respective countries. To ensure that these 31 independent regulators apply the Regulation uniformly throughout the EU and EEA, they must take “utmost account” of the guidelines on net neutrality that were issued by the European umbrella organisation of all telecom regulators, BEREC. These BEREC net neutrality guidelines present very detailed recommendations on what net neutrality actually means in Europe.

The Regulation prescribes that the European Commission has to submit an evaluation report by 30 April 2019. For this purpose, it has outsourced part of the work to the consultancy firm Ecorys and the law firm Bird & Bird, which is famous for assisting the telecom industry in resisting net neutrality protections. This has led to the peculiar situation that regulators and civil society have to answer questions about the strengths and weaknesses of the Regulation to the same office of Bird & Bird that EDRi member Bits of Freedom faces in court in a case based on the same Regulation. Several NGOs, including EDRi, EDRi member epicenter.works and others have sent an open letter to the Commission pointing out this conflict of interest, but the Commission has not fully addressed these concerns.

It seems the European Commission will not reopen the Regulation, considering the elections to the European Parliament in May 2019 and the following reshuffle of political power in the European Union. On the other hand, BEREC conducts itself transparently and has already announced on several occasions that it intends to review its net neutrality guidelines. Since the release of BEREC’s draft work programme for 2019, we also know that this review is planned to start in 2019 and will lead to new draft guidelines, followed by a public consultation process in late September 2019.

What is to be expected of this review? The telecom industry has made clear what they want to talk about: 5G. The new mobile network standard has not even been fully specified, but it is already the biggest talking point of the telecoms industry and is used to call into question existing net neutrality protections around the world. With the US having stepped away from their 2015 Open Internet rules, Europe is now the first major world region that tries to bring 5G in line with net neutrality. This debate has a technological and political side. Technologically, 5G brings a new option for telecom operators to deepen their control over the information flow. It is called “network slicing” and it brings differentiated Quality of Service policies to the radio access network. The scenarios range from preferential treatment for premium subscribers at the expense of everyone else to a complete segmentation of the internet with granular control of the network over every application.

Whether the application of this new industry standard has to follow existing telecom law or whether the law should adapt to the standard ought to be an easy question to answer, but this might not be the case. For example, at the recent global Internet Governance Forum (IGF) in Paris, representatives of telecom giants Vodafone and AT&T strongly argued for loosening existing net neutrality rules in order to make a 5G-rollout more economically viable.

5G offers providers far more control when it comes to giving preferential treatment to individual applications or internet subscribers, but it also brings interesting new features like specifying a low energy network slice, which could be used for example by solar powered Internet of Things (IoT) devices. BEREC has taken it upon itself to tackle this issue upfront. This means that regulators will decide if the strong protections against the abuse of exceptions to the net neutrality in the Regulation (so called “specialised services”) will be upheld.

If Europe follows the push of the telecom industry to water down the implementation and enforcement of its net neutrality rules and allows a two-tiered internet system built on a sliced up 5G network, this could have serious ripple effects in the rest of the world. Should the US and Europe allow 5G to become the exception to net neutrality, the end of the open internet will become a question of the roll-out of the next mobile network technology.

The final guidelines in Europe comes quite close to the US 2015 Federal Communications Commission (FCC) Open Internet rules. Particularly regarding the issue of zero-rating, the guidelines do not offer a so-called “bright-line rule”. This means that the final decision on the legality of commercial offers that discriminate between applications based on price is left to the regulator. While zero-rating offerings are now on the market in all but one European country, not a single regulator has prohibited such offer. Especially low income and young internet users are affected by this strong incentive to only use well-established internet services.

The reform of the net neutrality guidelines should tackle this issue. The Regulation clearly states that there are cases in which regulators have to intervene against zero-rating. While a bright-line rule banning zero-rating would be the best possible outcome, at the very least more guidance has to be given to regulators when it comes to different forms of economic discrimination that are clearly harmful to end-user rights. EDRi member epicenter.works will publish a report on the net neutrality situation in Europe in early 2019, including a mapping of zero-rating offers in the European market.

This article is an adaptation of an article previously published by EDRi member epicenter.works: https://en.epicenter.works/content/net-neutrality-vs-5g-what-to-expect-from-the-upcoming-reform-in-the-eu


BEREC Guidelines on the Implementation by National Regulators of European Net Neutrality Rules

How we saved the internet in Europe (04.10.2016)

(Contribution by EDRi member epicenter.works, Austria)

07 Nov 2018

NGOs urge Austrian Council Presidency to finalise e-Privacy reform

By Epicenter.works

EDRi member epicenter.works, together with 20 NGOs, is urging the Austrian Presidency of the Council of the European Union to take action towards ensuring the finalisation of the e-Privacy reform. The group, counting the biggest civil society organisations in Austria such as Amnesty International and two labour unions, demands in an open letter sent on 6 November 2018 an end to the apparently never-ending deliberations between the EU member states.

----------------------------------------------------------------- Support our work - make a recurrent donation! https://edri.org/supporters/ -----------------------------------------------------------------

It is today 666 days since the European Commission launched its proposal. The e-Privacy regulation is an essential aspect for the future of Europe’s digital strategy and a necessity for the protection of modern democracies from ubiquitous surveillance networks. Echoing European citizens rightful demands for protections of their online privacy, the organisations ask the Austrian Presidency to lead the way into a new privacy era by concluding the e-Privacy dossier by 2019.

The letter comes in a context in which a parliamentary inquiry from the Austrian Social Democratic party tries to shed light on the lobby connections of the Austrian government regarding the hampering of secure communications for its citizens. Right now, the Austrian government’s position is closely aligned with the interests of internet giants like Facebook and Google, big telecom companies and the advertisement industry.

The Austrian government has recently fast-tracked negotiations on the controversial e-evidence proposal, which would weaken the rule of law and foster further surveillance of citizens’ online behaviour. This is a stark contrast to the meager effort Austrian representatives put into negotiations around legislative proposals that aim to protect the fundamental right to privacy – a topic missing from the Austrian Council Presidency agenda.

In order to ensure that e-Privacy laws will not be used as excuse for the establishment of new repressive instruments, epicenter.works demands a clear commitment to the prohibition of data retention. Data retention has been found unconstitutional in different European countries, while epicenter.works was plaintiff in the 2014 proceedings of the European Court of Justice (ECJ) annulling the data retention directive. A circumvention of the ECJ’s ban through the e-Privacy regulation could expose EU citizens to indiscriminate mass-surveillance and severely undermine trust in EU institutions.

Open Letter sent to Austrian Government (in German only, 06.11.2018)

Parliamentary inquiry from the Austrian Social Democratic Party (in German only, 29.10.2018)

Council continues limbo dance with the ePrivacy standards (24.10.2018)

ePrivacy: Public benefit or private surveillance? (24.10.2018)

ECJ: Data retention directive contravenes European law (09.04.2014)

(Contribution by Thomas Lohninger, EDRi member epicenter.works)



07 Nov 2018

Brussels up close – Experiences from the EDRi exchange programme

By Epicenter.works

Learning and knowing abstractly how the EU works is one thing, seeing it up close and doing advocacy work right there is quite another! I am a Policy Advisor for the Austrian EDRi member organisation “epicenter.works – for digital rights” and, in October 2018, I spent two weeks with the EDRi office in Brussels. My aim was to get a better understanding of EU law making and advocacy.

Having a background in the field of criminology and law, I was excited to start right away with a rather new dossier on cross border access to data in police investigations: the e-Evidence Regulation. We will probably have to work on e-Evidence for a long time and I am glad to have had the opportunity to familiarise myself early on with this dossier and discuss its many flaws – several of which are quite intricate – with the EDRi policy team.

----------------------------------------------------------------- Support our work - make a recurrent donation! https://edri.org/supporters/ -----------------------------------------------------------------

Working in Brussels in person has been a big step forward for me in understanding EDRi’s policy work and will enable me to make a better contribution to it in the future. I took part in developing a strategy for proposed amendments that I have started working on during my stay there. As part of EDRi’s e-Evidence working group, I will continue this work on both a national and EU level.

In what at times felt like quite a meeting-marathon, I have had the chance to accompany Maryant Fernandez Perez and Chloé Berthélémy to meetings on e-Evidence with several national Permanent Representations to the EU. I also attended an event organised by the German region North Rhine-Westphalia with German European Commission officials, the European Parliament, the German bar association and police forces on the topic.

As if all that was not enough, I was also briefed on and have familiarised myself with the Terrorism Regulation, and the current state of plans for an ePrivacy regulation. On these dossiers I joined Joe McNamee, Diego Naranjo, Yannic Blaschke and Estelle Massée (Access Now) in meetings with companies and stakeholders. It is an important experience to see how different such meetings can be shaped, depending on the strategy (our own or that of our interlocutors), the culture of the country, company or institution, the knowledge of the dossier and the extent of agreement and so on.

It was also instructive to experience EDRi’s coordination with its member organisations from the other side and see the planning and communication that goes into the adoption and execution of joint strategies among EDRi and its many members. I want to thank the entire EDRi team for welcoming me warmly and for making the exchange program a truly great experience. Many thanks also to the Digital Rights Fund for the financial support of my travel!

Finally, I want to recommend this exchange to any EDRi member. Sometimes it is small things that matter, like hearing Maryant say in her introductory words of a meeting: “We are here to represent 39 member organisations all over Europe” and see and experience what those words mean in practice. It is a fact I knew, of course, but its effect can seem elusive at times, when working on the fronts of national politics, having Brussels only in the back of one’s mind. Therefore, I recommend going to Brussels and seeing from up close how EU politics are made and experience what EDRi is and how it works. Spoiler: EDRi is important and it works best in close cooperation with its members.


12 days of digital rights in Brussels. Was it Christmas?

EDRi’s “Brussels Exchange Programme” – turning theory into practice (07.02.2018)

(Contribution by Angelika Adensamer, EDRi member epicenter.works, Austria)