22 Feb 2017

Consultation on multilateral investment court misses the point

By Guest author

The European Commission has launched a consultation on establishing a multilateral investment court, which would serve as a permanent body to decide investment disputes. The court would replace controversial investor-to-state dispute settlement (ISDS) mechanisms in existing and future trade and investment treaties. It would interpret the substantive rules in these treaties, which provide a high level of legal protection for investors. This would leave states no or a very limited right to regulate, as regulation would always happen under the (real or perceived) threat of supranational litigation.

----------------------------------------------------------------- Support our work - make a recurrent donation! https://edri.org/supporters/ -----------------------------------------------------------------

The issue at hand is that the consultation has a narrow scope with no regard to social impacts, including fundamental rights. Therefore it is crucial to react. The deadline for submitting comments on the questionnaire on options for a multilateral reform of investment dispute resolution is 15 March 2017.

The multilateral investment court proposal is based on an Inception Impact Assessment which presents various scenarios. Its baseline scenario – what would happen without EU policy changes – is just one sentence long and doesn’t expect the court to have social (or environmental) impacts. The baseline scenario ignores existing impacts, a huge expansion, through new treaties, of covered foreign direct investment, and a greater scope, as EU trade and investment treaties bring EU decisions under the scope of investment mechanisms. A more comprehensive baseline scenario would address growing social impacts.

Compared to ISDS, a multilateral investment court would bring institutional improvements. Such improvements, however, do not solve systemic issues with specialised and supranational adjudications, which create a high risk of expansive interpretations of investors’ rights. Specialised courts tend to interpret expansively and the supranational level lacks effective instruments to correct expansive interpretations.

A multilateral investment court would shift the balance between investments on the one hand and democracy and fundamental rights on the other. This undermines our values, ability to reform, and ability to respond to crises.

Foreign investors would be able to use a multilateral investment court to challenge EU data protection enforcement measures. This could apply to, for instance, the suspension of cross-border data flows or fines imposed by supervisory authorities on data controllers and data processors under the General Data Protection Regulation (GDPR). A multilateral investment court would also impede reform of “intellectual property” rights.

The Commission’s consultation seems designed to keep social (and environmental) impacts out of the consultation’s results. In light of the need to protect fundamental rights, the EU cannot ignore, legitimise, or perpetuate increasing impacts. With a baseline scenario showing growing impacts on fundamental rights, the Commission should work out scenarios which will decrease them.

General Data Protection Regulation: Document pool

Questionnaire on options for a multilateral reform of investment dispute resolution

Multilateral investment court assessment obscures social and environmental impacts

Defend democracy: draft answers for new ISDS consultation

ENDitorial: EU Commission ISDS proposal – a threat to democracy

(Contribution by EDRi member Vrijschrift, The Netherlands)



25 Jan 2017

e-Privacy Regulation: Good intentions but a lot of work to do

By Diego Naranjo

On 10 January 2017, the European Commission published its long-awaited proposal for an e-Privacy Regulation (Regulation on Privacy and Electronic Communications, ePR) to replace the 2002 e-Privacy Directive (Directive 2002/58/EC, ePD).

EU legislation on data protection is divided between general legislation (the 1995 Directive, soon to be replaced by the General Data Protection Regulation) and legislation specifically covering privacy in the communications sector, the e-Privacy Directive.

----------------------------------------------------------------- Support our work - make a recurrent donation! https://edri.org/supporters/ -----------------------------------------------------------------

The ePD has two functions. Firstly, it provides additional clarity and predictability to allow the principles in the general legislation to be implemented in the complex environment of communications. Secondly, it serves as the EU legislative instrument to give meaning to the fundamental right to freedom of communications.

The proposed draft Regulation contains a number of provisions which, if adopted and effectively implemented, should address some of the current gaps or lack of clarity in protection of the confidentiality of electronic communications and information stored on users devices. The process of consultation and polls have shown that citizens are concerned about their privacy and about how companies make use of their personal information online. Although the Commission has rightly identified and addressed most of the key issues and objectives in the proposal, strong forces seem to have watered down the text considerably, compared to the earlier version that was leaked in December 2016. For example, the reference to “privacy by design and by default” that was changed in Article 10 will need to be put back in order not to lower down the protections to the current “privacy by option”, options on the degree of online privacy that the browser would offer to the user.

Among the improvements needed, the European Parliament will need to make sure that the definitions of the text (cross-referenced to the European Electronic Communications Code, EECC, which is still being discussed) do not lead to a reduced scope of the e-Privacy Regulation. Furthermore, the scope of these definitions in the ePR relates to electronic communication networks, while in the leaked version it also referred to electronic communication services. This is a significant reduction in the scope of the proposed ePR.

Regarding the substance of the proposal, one of the key issues, the processing of content (“what we talk about”) and metadata (“when and with whom we communicate”), raise some concerns: both the content and the metadata, which can sometimes be more sensitive than content of our online interactions, could be used for additional purposes by, for example, our email providers, if the user has “consented” to this. The way this consent is obtained in practice will need to be carefully addressed. If the legislator cannot avoid that, in practice, the consent is considered valid if done for example under over-broad Terms and Conditions, or through pre-ticked boxes, the e-Privacy Regulation would be going below the standards needed to effectively protect our communications.

The section on access to devices is probably the one that has drawn the most attention to the proposal, since it regulates the use of tracking technologies such as tracking cookies. The text establishes that terminal equipment of end-users (smartphones, laptops but also, arguably, an e-fitness device or any other device that is part of what we call the “Internet of Things”) are part of the individual’s private sphere. Access to these devices and to any information stored in or emitted by such equipment would be under the scope of the ePR. However, here too, “consent” is the key that could give access to our personal devices, with the same risks commented above. Finally, the exceptions for Member States to restrict the same protections that the Regulation is trying to provide is one of the most worrying parts of the text, along with the unexpected absence of reference to collective redress in the article on remedies (Article 21).

Citizens have expressed repeatedly the need for strong protections for privacy and confidentiality of communications. However, there seems to be a lot of work ahead to complement and particularise the text presented by the Commission.

EDRi: e-Privacy document pool

Proposal for a Regulation on Privacy and Electronic Communications (10.01.2017)

Eurobarometer on ePrivacy (19.12.2016)

(Contribution by Diego Naranjo, EDRi)



11 Jan 2017

2017 – another extremely challenging year for digital rights


The agenda of the year 2016 for the protection of digital rights was filled with challenges, and it looks like 2017 is not going to be any easier.

Since the Digital Single Market is one of the priorities of the Maltese presidency of the Council of the European Union, we can expect more policy developments affecting citizens’ rights and freedoms online in 2017. In its work programme, Malta pledges to pursue talks on geoblocking, roaming fees, connectivity, high frequencies and cross-border portability.

While taking advantage of the single market to benefit the economies by scrapping trade barriers and providing European citizens access to services, it is crucial to keep the focus on improving data protection, freedom of expression and defending citizens’ right to privacy.

----------------------------------------------------------------- Support our work - make a recurrent donation! https://edri.org/supporters/ -----------------------------------------------------------------

What were the crucial policy developments in 2016? What we expect to happen in 2017, and what are our key priorities for the year ahead?

Data protection and privacy

In 2016, the European Parliament adopted the General Data Protection Regulation (GDPR) and the Law Enforcement Data Protection Directive (LEDP), which are set to enter into force in 2018. EDRi welcomed the overall positive outcome of the GDPR, but regrets that the initial high expectations were not realised. The Commission adopted the Privacy Shield adequacy decision that has already been challenged in front of the Court of Justice of the European Union (CJEU) and rejected by the European Parliament. The EU/US Umbrella Agreement, which was judged to be incompatible with EU law by the European Parliament’s legal service, was also approved.

As for 2017, e-Privacy will be one of EDRi’s main priorities. On 10 January, the European Commission published its proposal for the e-Privacy Regulation. This legislation is crucial to provide clear rules on tracking individuals as they surf the web, and freedom of communication more generally. To promote trust, privacy and innovation, the proposal needs significant improvement.


In 2017, we will provide input on discussions around cross-border access to evidence and the protection of encryption. We will also provide input on discussions around the Council of Europe’s Budapest Convention on Cybercrime, also with a particular interest in the hot topic of “access to evidence”. Weakening of procedural rules for access to communications data by foreign governments would obviously have major implications for privacy and security.

Net neutrality

In 2016, the Body of European Regulators of Electronic Communications (BEREC) published its guidelines on the implementation of European net neutrality rules. Thanks to our hard and persistent work, the guidelines reflect our recommendations quite well.

In 2017 we will keep on campaigning for net neutrality by providing input to discussions around the BEREC regulation, and monitoring the Telecoms Package review. In December, we reported on the success of one of our Austrian members in ensuring the effective implementation of the new rules.


The current European copyright system is broken and must be changed. The European Commission has set in its agenda reforming copyright as one of the foundations to build the Digital Single Market. In 2016, the Commission issued a highly criticised draft legislation. The proposed Copyright Directive could not conceivably be worse, even including a proposal for upload filtering, despite the fact that the Court of Justice of the European Union has already rejected this approach.

In 2017, the European Parliament and Council will discuss the new proposal. We will closely follow the discussions and advocate for amendments to improve the parts of the text that can be improved and rejection of the parts that cannot.



23 Nov 2016

#5 Freedom not to be labelled: How to fight profiling


This is the fifth blogpost of our series dedicated to privacy, security and freedoms. In the next weeks, we will explain how your freedoms are under threat, and what you can do to fight back.


Profiling: What is it and how does it work?

Algorithms gather data from your social media activities, emails, browsing history and so on. Now that the Internet of Things is becoming more and more used, it adds its share to the amount of information collected and stored. As a result of all this data available about your personality, preferences and activities, you can be more and more easily labelled and placed in categories.

These categories may or may not be correct. You might end up “mislabelled” and put into a wrong category. For example, according to a French government website, you might be in the process of being radicalised if you change your eating habits, leave full-time education or stop your sporting activities and stop watching TV. Of course, you might just be a student writing your thesis.

Research has shown that for example a person’s ethnic group, sexual orientation, religion or relationship status can be surprisingly accurately guessed from simply assessing their Facebook “likes”. These insights are possible, even though many users avoid clicking on links that would obviously reveal these details.

Based on this “labelling”, decisions can be taken about you: if you will be selected for a job interview, or picked for a special security screening at the airport. Or you could be offered either a discount or higher prices for a service or a product.

How to claim back your freedom not to be labelled

If you believe that a profiling measure has produced legal effects or significantly affected you (credit worthiness, reliability, conduct) you can contact Data Protection Authorities (DPA) to exercise your rights, such as the right to object to automatic decision-making and the right access to the information collected about you. Unfortunately, not all the DPAs have a user-friendly approach, and issuing a request can be fairly complex in some countries, such as Belgium. However, in other countries like France, the authorities offer a template-based model to simplify the complaint system for their citizens. The new General Data Protection Regulation (GDPR), which is due to become binding law in all EU Member States in 2018, will strengthen and clarify both these rights and the ability of national data protection authorities to implement them.

Random Agent Spoofer is an add-on for Firefox browser. It hinders browser fingerprinting – collecting information that allows to identify you – by allowing you to automatically choose random browser profiles.

Self-Destructing Cookies is an add-on that removes the general purpose cookies when they are no longer used by open browser tabs. Also, it detects and removes the tracking cookies as soon as they are spotted.

$heriff allows you to know differential pricing in real time.

In the webseries “Do Not Track”, produced by ARTE TV in collaboration – with Mozilla, you can discover more about profiling, for example how much data you provide when “liking” things on Facebook, and how that affects not only you but also your friends and relatives. Watch the third episode, “Like mining” here:


What can politicians do to safeguard your freedoms online?

The rules on online privacy in the EU (ePrivacy Directive) will be soon updated. This law deals with privacy and confidentiality of communications for the entire EU, and it affects tracking and other issues related to your freedoms online. Are politicians ready to fight for your protection?

Read our previous blogposts here, and stay tuned to our next blogposts to know more about your freedoms online, and how they are threatened!

Read more:

6 times it’s more expensive to be a woman (12.04.2016)

Need a Reservation? That Could Depend On How Big You Are on Twitter (Really) (30.09.2010)

Is social profiling discrimination? (03.05.2012)

The dangers of high-tech profiling, using Big Data (07.08.2014)

Do Not Track: Episode 3 – Like Mining


12 Oct 2016

Corporate-sponsored privacy confusion in the EU on trade and data protection

By Maryant Fernández Pérez

After the “Privacy shield” was adopted on 12 July 2016, the European Commission started internal discussions about whether or not to include “data flows” and “data localisation” clauses in Transatlantic Trade and Investment Partnership (TTIP) and in the Trade in Services Agreement (TiSA). It appears that the European Commission Directorate-General for Justice and Consumers (DG Justice) initially accepted the inclusion of clauses on forced, unjustified “data localisation”, but not on transfers of data. However, according to EurActiv, DG Justice has backed down and accepted a weakening of its position on data protection and privacy in order to placate industry, after a campaign based on dubious assertions and backed up by the US government.

Now, the European Commission President Jean-Claude Juncker and the Vice-President Frans Timmermans seem to be prepared to defend core principles of EU law and the rights of EU citizens. They are allegedly blocking the “compromise” to water down protections because “the deal might poke holes in the EU data protection rules that are set to go into effect in 2018”. Weakening privacy and data protection of European citizens through the inclusion of “data flows” in trade agreements has global corporate sponsorship. The EU should resist. There are three main reasons for this:

1. Data flows must not be part of trade agreements

Trade negotiations are not suitable for shaping rules affecting the fundamental rights to privacy and data protection. If the EU was unable to ensure protections of fundamental rights in the Privacy Shield (see here, here and here), on what basis could it think that trade agreements would achieve a better result? Is the apparently ideological rush to include “data flows” in trade agreements worth the risk of making a dubious compromise that would put the whole agreement in doubt?

Data transfers are and can be ensured in other legal fora. Personal data flows are ensured in the EU legal framework by several mechanisms, such as binding corporate rules, modal clauses, adequacy decisions or special arrangements, of which the EU-US Privacy Shield is an example, albeit not a stellar one. The General Data Protection Regulation (GDPR) even provides more alternatives to transfer data of EU citizens abroad, such as self-certification. In addition, the European Commission is expected to issue a “Free flow of data initiative”, apparently only for commercial data.

2. Including data flows in trade agreements like TTIP or TiSA would have huge implications

On 13 July 2016, the University of Amsterdam issued an independent study that EDRi, BEUC, TACD and CDD commissioned in order to ascertain whether fears with regard to both privacy and data protection in trade agreements were founded. The study concluded the risks are real, and a great deal of effort needs to be put into making trade agreements data protection- and privacy-proof. This is our take:

Unless parties want to change their legal framework to truly protect human rights online, trade agreements’ vague commitments to protect data protection and privacy will be meaningless in practice.

Exceptions and safeguards protecting personal data and privacy are being suggested as a means to address the concerns about fundamental rights. However, these clauses can only be activated if certain conditions are complied with, such as:

  • that privacy and data protection measures cannot be inconsistent with other obligations of the agreement. Would the EU legal measures on data protection be inconsistent with the obligation to ensure “a free flow of data”? According to the lobby group CCIA, the response could well be “yes” (cf. “Europe might want to consider whether its 20th century localised data protection framework is well suited in the 21st century interconnected digital world”). To guard against such extreme positions, the European Parliament asked the Commission not to include such conditionality; or
  • that privacy and data protection measures should take “international standards” into consideration. As the EU is a standard setter in privacy and data protection, this creates the risk of a race to the bottom and could prevent other countries from adopting measures which defend privacy and data protection as much as (or more than) the EU.

Even if trade agreements had strong exceptions and safeguards, they could be undermined by:

  •  trade dispute settlement mechanisms of trade agreements, as the Charter of Fundamental Rights will obviously not be considered; and by
  • national security exceptions. Trade agreements contain exceptions on “essential security interests” that establish that nothing in the trade agreement shall prevent any Party to the agreement from adopting measures to protect “essential security interests”. This means that if a party to the agreement wanted to conduct mass surveillance, for example, the trade deal would not ensure the protection of the privacy and personal information of individuals. This is very worrisome, as the Snowden revelations and other scandals have shown. The European Parliament has warned the Commission that their consent to TTIP could be endangered if “US blanket mass surveillance activities are not completely abandoned”.

Conditions, suspensions or prohibitions of transfers of EU citizens’ personal data outside the EU must be possible if fundamental rights are violated or circumvented, as the European Parliament has proposed to the Commission. This position is absent from all of the clauses seen in current trade proposals. In fact, the EU is currently negotiating on trade agreements whose drafts include provisions on data protection that are fundamentally broken. The existence, application or enforcement of the laws adopted by the Parties to a trade agreement relating to their fundamental rights requirements must not be considered as a violation of any trade agreement.

3. Blackmail tactics of industry lobbyists

The hollow-sounding and specious arguments that the “global tech sector” use, such as that they take “the fundamental right to privacy very seriously”; and that without data flows (as if they would suddenly, mysteriously, stop), no trade agreements will be or can be concluded; or that the EU could be perceived as “data protectionist” are far from credible. Even some industry actors (e.g. eBay) had admitted to the Commission that the inclusion of data flows are not a priority for them because they rely on binding corporate rules to transfer data from EU citizens.

Having lobbied unsuccessfully against the General Data Protection Regulation (GDPR), having successfully lobbied for a flawed, inevitably temporary “Privacy Shield”, having incomprehensibly asked the Commission to repeal the e-Privacy Directive, it is understandable that industry lobbyists, backed by the US government want to:

  • ensure there are legal means available to challenge privacy and data protection measures, with the weak excuse that fundamental rights are barriers to trade;
  • prevent other countries to adopt high standards on data protection and privacy; and
  • make sure whatever protections on privacy and personal data are contingent on a nebulous and unpredictable understanding of “necessity” and “proportionality” in trade agreements, whereby fundamental rights will always be deprioritised compared with trade concerns.

It is also understandable that after hearing that the Commission was opposing to include data flows, they increased their lobbying and resorted to “independent” “think tanks” like ECIPE to multiply their message.

The European Commission should do better. As Evgeny Morozof argues, when policy is dictated by corporations, the protection of your privacy starts being seen as a barrier to economic growth. By defending the protection of privacy and personal information of all, the EU will gain influence and credibility. Data protection and privacy are not barriers to trade. Quite the opposite, privacy is an asset of economic growth; it’s a business opportunity to regain trust. Making void assurances and general statements that are not reflected in the actual text of the agreements would not be enough. The European Parliament has strongly reiterated this approach and even asked the Commission to “immediately and formally oppose the US proposals on movement of information”.

This is exactly what the EU should do.


05 Oct 2016

e-Privacy Directive: Frequently Asked Questions

By Diego Naranjo

What is the e-Privacy Directive?

The e-Privacy Directive (ePD) is a Directive covering specific privacy and data protection issues in the electronic communications sector. It was adopted in 2002 and revised in 2009. The official text of the current version can be found here.


Why do we need this instrument?

The ePD was created to ensure privacy and to protect personal data in the electronic communications sector by “complementing and particularising” matters covered in a general way by the main legal instrument, the Directive on Data Protection, now the General Data Protection Regulation (GDPR). For example, the confidentiality of the content of communications and information which is stored or accessed on an individual’s device is protected under the ePD. The GDPR does not specifically cover this.

Confidentiality of communications is very complex. It covers not just your right to privacy and data protection, but also your freedom of communication and freedom of expression. Without legislation providing clarity on what these fundamental rights mean in this complex environment, the protection of confidentiality and security of communications would be less predictable and less enforceable. Lack of precise rules also makes it more difficult for companies to develop new and innovative services.

Isn’t the General Data Protection Regulation (GDPR) enough?

Although the GDPR covers many issues related to data protection, it does not cover, directly and precisely, the right to privacy and, in particular, the right to freedom of communication, which are two distinct fundamental rights. Therefore, the ePD is a necessary layer of precision to ensure predictable, effective protection of rights that are not covered precisely enough in the GDPR. Furthermore, the ePD also covers activities for which the processing of personal data is not the main issue at stake, such as the sending unsolicited messages (for example email spam or direct marketing). It also provides a framework for protecting the security of information stored on an individual’s device. It is important to remember that the ePD is not about creating new rights, but complementing existing rules, for the good of individuals and businesses alike.

The need for legislation on privacy and security of personal data in the electronic communications sector is increasing. Online tracking and the monitoring of e-mails for advertising purposes are on the rise, while telecommunications companies try to emulate internet companies by cashing in on the masses of customer data they hold, including location information. Furthermore, the ePD needs to be updated to meet the latest technological developments, such as the use of instant messaging instead of SMS or e-mail.

Which fundamental rights are affected by the ePD?

  • The fundamental right to confidentiality of communications, enshrined in Article 7 of the Charter

The new instrument replacing or revising the ePD should expressly clarify that this principle applies fully to data relating to online activities and communications, including traffic and location data as currently defined in the e-Privacy Directive. Furthermore, it should also apply to any similar data created or used in the online environment, such as location data, browsing data, e-book usage patterns, mobile app use, search queries, etc. and any new data produced therefrom. The new instrument should also bring clarity  with regard to the implementation of privacy by design and by default in this context.

  • The fundamental rights to protection of personal data and freedom of expression, as enshrined in Article 8 of the Charter

For most people in the EU the easiest way to access information involves the internet. To protect this, the revised instrument should ban obligations to consent to tracking of one’s activities  and subsequent profiling and automated decision-making (for example by accepting cookies before being allowed to enter a website). This is particularly important when accessing information regarding issues linked to sensitive data or when accessing website or services provided by the public sector.

What activities are covered in the ePD?

  • the confidentiality and security of communications
  • traffic and location data produced by personal devices
  • tracking of users, including by using personal devices (e.g. for behavioural advertising purposes)
  • cookies
  • security measures in personal devices
  • itemised billing
  • calling line identification
  • public and private directories
  • spam and unsolicited calls for marketing purposes
  • data breach notifications (later specified by EU Regulation 611/2013)

Which aspects need an update?

All aspects of the eDP related to online activities – such as the confidentiality and security of communications and personal devices, and the tracking of users – need to be updated to correspond to new and potential future technological developments. The rules on itemised billing, directories of users, and unsolicited communications need to be reassessed, to check if they are in line with the GDPR. Some of its aspects, such as how data breaches should be dealt with, do not require a specific  legislation and can be removed. Therefore this could be solved by referring to the GDPR, to avoid redundancy.

I am tired of banners telling me to accept cookies. Will this bring more of these?

The ePD currently tries to give users some control over online tracking. However, it does so in a rather blunt way. In light of experience and technological developments, the provision regulating cookies in the ePD should be refined and allow for user friendly mechanisms for expressing consent.

As we have explained in a previous blogpost, one of the ways you leave digital traces behind while surfing online are cookies. They are bits of information that get automatically installed into your device while visiting websites. Revised rules regulating cookies in the ePD should allow smoother browsing by removing obligations for consent for cookies that do not involve the collection and further processing of personal data, such as the tracking of users and devices via third parties. This would apply, for example, to statistics related to which parts of a website are visited the most collected by the owner of a website (“first party analytic cookies”) that do not involve unnecessary processing of personal information. Generally, we refer to the guidelines on cookies issued by the Article 29 Working Party on this regard.

How is this connected to the protection from mass surveillance?

We can unquestionably expect an expanding use of personal electronic devices (like smartphones, tablets, personal computers) and related technologies that are connected to the Internet (for example the Internet of Things). This development creates new opportunities for communicating online, but also bears risks for confidentiality and other fundamental rights. Online communications often involve many parties and cross national borders, without users being fully aware of these facts.

We agree with the European Data Protection Supervisor (EDPS) that number and frequency of requests from governments to internet services (Twitter, Gmail and any others) should be made public so that individuals get a clearer picture on how these invasive powers by governments are used in practice. If the public is aware of the government’s conduct, it will be in a better position to hold the government accountable. More transparency in this context could therefore help with restoring people’s trust in the electronic communications sector.

How does it relate to the security of my electronic devices, such as my smart phone?

The GDPR includes security obligations when it comes to the processing of personal data, while the ePD allows for the inclusion of security obligations that are more specifically tailored to our online communications. These security obligations should not only apply to electronic communications providers (telecoms), but should also cover, for example, app developers and the suppliers of individuals’ electronic devices. The companies behind apps and devices are not always the main legally responsible actors. However, given their important role protecting the security and confidentiality of personal communications, they should also be subject to security requirements. More specifically, we refer to the recommendations about security and privacy requirements for operating system suppliers, device manufacturers and other relevant stakeholders issued by the Article 29 Working Party in its Opinion 8/2014 on the Internet of Things.


This FAQ has been prepared jointly by the EDRi Brussels office and EDRi members Open Rights Group, fIPR, Bits of Freedom, Access Now, Panoptykon and Privacy International.

27 Jul 2016

Massive lobby against personal communications security has started

By Joe McNamee

Since 2002, European citizens’ freedom of communication, the security of our communications devices, and the protection of our personal data in the online world have been safeguarded by the so-called e-Privacy Directive. This Directive is now up for renewal. Unsurprisingly, after the big online companies launched probably the biggest ever lobbying campaign to undermine the EU’s general privacy legislation, the General Data Protection Regulation (GDPR), they’re now attacking this legislation – this time joined by telecoms providers.

................................................................. Support our work with a one-off-donation! https://edri.org/donate/ .................................................................

The online companies want to protect their ability to track people as they use the internet. They want to protect their ability to use data from apps to discover where people are going in the offline world and to be able to use this data to create profiles. Already, with data from just three hundred clicks on Facebook “like” buttons, researchers have shown that they can develop a better insight into your personality than anybody you know – better than your spouse, your siblings or your family. Telecoms providers look at all of this information and the huge profits the online companies are making out of it. They look at the protection that the e-Privacy Directive gives to their customers and cry that this is unfair. They want to make money out of it too – they have information about our location, about our movements, about our friends, about the businesses we communicate with. Why can’t they spy on us too? It is for our own good, after all.

As a result, an impressive-sounding twelve trade associations signed a letter demanding that the protection to our freedom of expression and communication should be repealed. Apparently for comedy value, the letter calling for removal of the only EU legal instrument protecting the confidentiality of communications was entitled “Empowering trust and innovation by repealing the e-Privacy Directive”.

The list of signatories to the letter seems impressive until we realise that it is just a small number of companies mobilising them. This is very much in line with the lobbying on the General Data Protection Regulation: The key industry players used various methods to make sure their arguments were repeated by lots of different voices, to create the impression of a broad opposition against the legislation. In the case of this letter, for example Google is a member exactly half of the signatory associations – the App Developers Alliance, Interactive Advertising Bureau, Computer and Communications Industry Association (CCIA), Digital Europe, the European Digital Media Association (EDiMA) and the European Internet Service Providers Association (EuroISPA).

Shockingly, the European Coordination Committee of the Radiological, Electromedical and Healthcare IT Industry (COCIR) also signed up for the call for the repeal of the privacy rules. What interest do they have in removing rules on placing software on users’ devices? What aspect of protection of protection of confidentiality of communications worries them? We don’t know. We do know that its members include Deutsche Telekom’s subsidiary T-Systems. Deutsche Telekom is also a member of signatory associations European Telecommunications Network Operators’ Association (ETNO) and the GSM Association (GSMA).

Between now and November 2016, the European Commission will decide how it will update the e-Privacy Directive.

Joint Industry Statement: Empowering trust and innovation by repealing the e-Privacy Directive (05.07.2016)

EDRi: Data Protection Reform – Next stop: e-Privacy Directive (24.02.2016)

(Contribution by Joe McNamee, EDRi)



05 Jul 2016

PROCEED WITH CAUTION: Flexibilities in the General Data Protection Regulation

By Diego Naranjo

We regret that much of the ambition of the original data protection package was lost, due to one of the biggest lobbying campaigns in European history. However, we congratulate the European Parliament — for saving the essence of European data protection legislation.[1]

On 14 April 2016, the European Parliament adopted two legal instruments that will regulate the fundamental right to data protection of individuals: the General Data Protection Regulation (GDPR) and the Law Enforcement Data Protection Directive (LEDP).

Despite the overall positive outcome of the GDPR, we regret that many of the initial high expectations for the Regulation were not realised. Once the final text was passed, and ahead of the preparation of guidelines for its implementation, we have published two documents where we analyse the numerous national flexibilities contained in the text  of the Regulation. The results can be found here (the full analysis of all the flexibilities) and here (short document with the most dangerous flexibilities).


The analysis looks at the key pitfalls to be avoided in transposing these national flexibilities into Member State law. The task is huge, bearing in mind that there are almost as many provisions in which Member States can implement the Regulation differently than there are articles were in the preceding Data Protection Directive. Some of the flexibilities are harmless, but many others could be perceived by governments as opportunities to allow them to ignore essential elements of the Regulation.

We hope that this analysis can help national governments and data protection authorities to implement the GDPR in a way which protects the essence of the right to data protection by implementing the most privacy friendly interpretation of these flexibilities.

Although this analysis is a shared effort of several EDRi members and EDRi staff, we would like to give our heartfelt thanks to Chris Pounder for the initial analysis of flexibilities in the Regulation and Douwe Korff for his extensive assessment of the options available.

[1] Press Release: Vote on Data Protection and Passenger Name Record package (13.04.2016)


01 Jun 2016

The lobby-tomy 7: Not all roads lead to privacy

By Guest author

Within the privacy world, different schools of thought exist. Connecting different viewpoints to a seemingly positive ideology is also sales technique.

The new European data protection regulation is the most lobbied piece of legislation thus far. This is because the subject is very important and touches upon almost every aspect of our daily lives. Therefore EDRi member Bits of Freedom used the Dutch freedom of information act to ask the government to publish all the lobby documents they received on this new law. Bits of Freedom published these documents on their website with their analysis in a series of blogs. What parties lobby? What do they want? What does that mean for you? These nine articles are now translated into English for the EDRi-gram. This is part 7.

If one school of thought has successfully been put in the limelight, it is the “risk-based approach”. It means that when policy makers formulate obligations for industry, they should take the identifiable risks of data processing into account. Strict obligations should only accompany identified large risks. But that can’t be an excuse to create a lower level of protection for people.

................................................................. Support our work with a one-off-donation! https://edri.org/donate/ .................................................................

If we read the lobby letters correctly, one of the most important offices behind this approach is the ”Centre for Information Policy Leadership” of Hunton en Williams “LLP”. Although the term is older, they launched a “risk based approach framework” in January 2014, after which the subject has resurfaced repeatedly.

The data protection regulation creates new obligations for organisations that plan to process a certain quantity of data. An organisation is for example required to do a “privacy impact assessment” before processing data, in which it will have to evaluate the consequences of the processing for people’s privacy. In some cases, the processing should be notified to the data protection authority. Apart from that, organisations should have a data protection officer, who handles supervision of all privacy related issues internally. Furthermore, organisations are required to notify data breaches to anyone connected to the data.

Companies are not happy about this. We already mentioned in a previous blog that these are the themes that have been lobbied on the most. They say, briefly: allow us to only fulfill those obligations if it’s to mitigate large and already identified risks.


It isn’t surprising that many of the “usual suspects” support this risk based approach. TechAmerica Europe, an organisation that represented the interests of European technology companies “with American parentage”, strongly supported this. Banks also welcome such an approach, as shown in their email to the Dutch embassy to the EU – the so-called “permanent representation”. Thuiswinkel.org, a Dutch e-commerce company, says in an email to the Dutch Ministry of Justice: “The current reforms are not adequate enough in the eyes of Thuiswinkel.org, in particular because the proposals lack a ‘risk-based’ approach.” Even the Royal Academy for Sciences seems to be a proponent of this approach.


To strengthen their arguments, different parties use “commitment and consistency”. The trick with this is that people like to present one unambiguous image of themselves. So people will want to act in ways that are congruent with their statements. Therefore, the Centre for Policy Leadership uses statements of influential politicians from the group of people they are trying to influence, who have been positive about the risk based approach.

In a letter by the Centre for Information Policy Leadership to the Ministry of Justice European Commissioner Viviane Reding is quoted as a proponent of the risk based approach, just like the Council of Ministers that the letter aims to convince. You were in favor of a risk based approach right? Then you should also agree to our demands. The former European Data Protection Supervisor Peter Hustinx once made positive statements about this approach, and these are quoted quite happily in a letter by the Industry Coalition for Data Protection (ICDP) to the Ministry of Justice:
“ICDP strongly agrees with the European Data Protection Supervisor Peter Hustinx that data protection legislation is most effective when it follows a risk-based approach.”


A risk based approach can’t be an excuse to evade important obligations, as the committee of privacy watchdogs in Europe stated. A well described liability based on agreed criteria can assure that companies keep privacy protection in mind at an early stage of data processing or planning. Those criteria should obviously be proportionate, so a sole trader that serves only fifty customers per year shouldn’t be required to send a privacy impact assessment to the data protection authority every week or to hire a data protection officer (not that anyone ever suggested that, it has to be said). But we should also be wary of abuse. For example, Digital Europe, a lobby organisation for digital businesses, wants to make sure that companies can decide for themselves what constitutes risk. That would make evading supervision very easy.

Privacy schools of thought

Connecting your viewpoints to clear schools of thought can help your cause. That’s why more schools of though than the “risk based approach” are mentioned in the lobby documents. Vodafone wants a more “principle based” approach, which means they want more flexibility. Yet other companies mention the “harm based approach”, the “use based approach”, the “precautionary based approach” and others.

Whatever school of thought one prefers, no one can currently predict the risks well, particularly in a world of “big data”. What we do know is that more data will be collected and will be increasingly used. This makes every choice we make now only more important for privacy protection in the future.

To be continued

Want to continue reading about this? On the Bits of Freedom website, you can find all the lobby documents and the analysis. The next part will be about the anti-fraud argument.

Lobby-tomy series (only in Dutch)

(Contribution by Floris Kreiken, EDRi member Bits of Freedom, The Netherlands)



17 Dec 2015

EU Data Protection Package – Lacking ambition but saving the basics

By Heini Järvinen

Statement of European Digital Rights (EDRi), Bits of Freedom, Digitale Gesellschaft e.V, Open Rights Group (ORG)Digital Rights Ireland and Privacy International following the vote of the European Parliament’s Civil Liberties Committee on the Data Protection

In January 2012, the European Commission, following extensive consultations, published a draft Regulation and a Directive to create a strong framework for data protection in the EU. The initiative had three priorities – modernisation of the legal framework for the protection of personal data, harmonisation of the rules across the EU, and maintaining existing levels of protection. Underpinning this was an attempt to enhance individuals’ rights and put them more in control of their personal information, as well as to make enforcement more effective – both of which are major failures of the current legislation.

Faced with possibly the world’s biggest ever lobbying onslaught, this agreement appears to have saved the essential elements of data protection in Europe. Sadly, there is little left of the initial ambition of the proposals”, said Joe McNamee, Executive Director of European Digital Rights. “At several moments in the past four years, it appeared that the proposals were crumbling, so today’s vote represents an impressive achievement by politicians from all major political families and by civil society.

The objective of modernisation has been achieved only partially – resisted by industry groups who want to stay in the last century. One of the key elements of modernisation, profiling, has not been dealt with thoroughly. The differentiation of “explicit” consent for sensitive data and “consent” for other processing of personal data will not help when enforcing the Regulation. The failure to properly reform the foggy notion of processing of data on the basis of the “legitimate interest” of the controller is a missed opportunity, even though we are happy that some safeguards were added.

More importantly, harmonisation has become a parody of its original intentions. The existing Directive consisted of 34 articles. The final text has more permissible exceptions than the previous legislation had articles. In addition, Article 21 (on exceptions for public policy reasons) has broadened the list of articles that can be subject to a national opt-out.

Overall, the data protection package has achieved the bare minimum standards which were possible in the current political scenario. The final texts are somewhat better than what was proposed by the EU Council and some European Parliament Committees, but fall well short of the ambition of the initial proposals. EDRi, Bits of Freedom, Digitale Gesellschaft e. V , Open Rights Group, Digital Rights Ireland and Privacy International appreciate the work of the co-legislators to defend the proposals. We now must turn our attention to the next challenges – implementation of the new legislation, the reform of the e-Privacy Directive and preparing litigation, where necessary, to ensure that our fundamental rights are defended.

It is staggering that it was so hard to come up with essential rules of the road. All of this occurred at a time where there is increased concerns about surveillance and unprecedented levels of security breaches. Yet data-hungry companies and governments, and poor technology designs continue to make our personal data vulnerable”, Anna Fielder, Chair of Privacy International added. “Now we have a legal instrument to hold the powerful to account. We are going to use this legal regime to help empower citizens and consumers. And we are going to test it against emerging business models, ambitious and delusional government programmes, and any system that takes control away from the individual.


Read more:

General Data Protection Regulation: Document pool

Data Protection Directive on law enforcement: The loopholes (18.11.2015)

ENDitorial: The EU’s data protection reform – a lost opportunity? (04.11.2015)

European Commission will “monitor” existing EU data retention laws (29.07.2015)

For additional information, please contact:
Theresia Reinhold
Tel: +32 2 274 25 70