23 Nov 2016

#5 Freedom not to be labelled: How to fight profiling


This is the fifth blogpost of our series dedicated to privacy, security and freedoms. In the next weeks, we will explain how your freedoms are under threat, and what you can do to fight back.


Profiling: What is it and how does it work?

Algorithms gather data from your social media activities, emails, browsing history and so on. As the Internet of Things becomes more widely used, it adds its share to the amount of information collected and stored. As a result of all this data available about your personality, preferences and activities, you can be more and more easily labelled and placed in categories.

These categories may or may not be correct. You might end up “mislabelled” and put into a wrong category. For example, according to a French government website, you might be in the process of being radicalised if you change your eating habits, leave full-time education or stop your sporting activities and stop watching TV. Of course, you might just be a student writing your thesis.

Research has shown that for example a person’s ethnic group, sexual orientation, religion or relationship status can be surprisingly accurately guessed from simply assessing their Facebook “likes”. These insights are possible, even though many users avoid clicking on links that would obviously reveal these details.

Based on this “labelling”, decisions can be taken about you: if you will be selected for a job interview, or picked for a special security screening at the airport. Or you could be offered either a discount or higher prices for a service or a product.

How to claim back your freedom not to be labelled

If you believe that a profiling measure has produced legal effects or significantly affected you (credit worthiness, reliability, conduct) you can contact Data Protection Authorities (DPA) to exercise your rights, such as the right to object to automatic decision-making and the right to access the information collected about you. Unfortunately, not all the DPAs have a user-friendly approach, and issuing a request can be fairly complex in some countries, such as Belgium. However, in other countries like France, the authorities offer a template-based model to simplify the complaint system for their citizens. The new General Data Protection Regulation (GDPR), which is due to become binding law in all EU Member States in 2018, will strengthen and clarify both these rights and the ability of national data protection authorities to implement them.

Random Agent Spoofer is an add-on for the Firefox browser. It hinders browser fingerprinting (the collection of information that makes it possible to identify you) by allowing you to automatically choose random browser profiles.

Self-Destructing Cookies is an add-on that removes general purpose cookies when they are no longer used by open browser tabs. It also detects and removes tracking cookies as soon as they are spotted.

$heriff allows you to find out about differential pricing in real time.

In the webseries “Do Not Track”, produced by ARTE TV in collaboration with Mozilla, you can discover more about profiling, for example how much data you provide when “liking” things on Facebook, and how that affects not only you but also your friends and relatives. Watch the third episode, “Like mining” here:


What can politicians do to safeguard your freedoms online?

The rules on online privacy in the EU (ePrivacy Directive) will soon be updated. This law deals with privacy and confidentiality of communications for the entire EU, and it affects tracking and other issues related to your freedoms online. Are politicians ready to fight for your protection?

Read our previous blogposts here, and stay tuned to our next blogposts to know more about your freedoms online, and how they are threatened!

Read more:

6 times it’s more expensive to be a woman (12.04.2016)

Need a Reservation? That Could Depend On How Big You Are on Twitter (Really) (30.09.2010)

Is social profiling discrimination? (03.05.2012)

The dangers of high-tech profiling, using Big Data (07.08.2014)

Do Not Track: Episode 3 – Like Mining


12 Oct 2016

Corporate-sponsored privacy confusion in the EU on trade and data protection

By Maryant Fernández Pérez

After the “Privacy shield” was adopted on 12 July 2016, the European Commission started internal discussions about whether or not to include “data flows” and “data localisation” clauses in Transatlantic Trade and Investment Partnership (TTIP) and in the Trade in Services Agreement (TiSA). It appears that the European Commission Directorate-General for Justice and Consumers (DG Justice) initially accepted the inclusion of clauses on forced, unjustified “data localisation”, but not on transfers of data. However, according to EurActiv, DG Justice has backed down and accepted a weakening of its position on data protection and privacy in order to placate industry, after a campaign based on dubious assertions and backed up by the US government.

Now, the European Commission President Jean-Claude Juncker and the Vice-President Frans Timmermans seem to be prepared to defend core principles of EU law and the rights of EU citizens. They are allegedly blocking the “compromise” to water down protections because “the deal might poke holes in the EU data protection rules that are set to go into effect in 2018”. Weakening privacy and data protection of European citizens through the inclusion of “data flows” in trade agreements has global corporate sponsorship. The EU should resist. There are three main reasons for this:

1. Data flows must not be part of trade agreements

Trade negotiations are not suitable for shaping rules affecting the fundamental rights to privacy and data protection. If the EU was unable to ensure protections of fundamental rights in the Privacy Shield (see here, here and here), on what basis could it think that trade agreements would achieve a better result? Is the apparently ideological rush to include “data flows” in trade agreements worth the risk of making a dubious compromise that would put the whole agreement in doubt?

Data transfers are and can be ensured in other legal fora. Personal data flows are ensured in the EU legal framework by several mechanisms, such as binding corporate rules, model clauses, adequacy decisions or special arrangements, of which the EU-US Privacy Shield is an example, albeit not a stellar one. The General Data Protection Regulation (GDPR) even provides more alternatives to transfer data of EU citizens abroad, such as self-certification. In addition, the European Commission is expected to issue a “Free flow of data initiative”, apparently only for commercial data.

2. Including data flows in trade agreements like TTIP or TiSA would have huge implications

On 13 July 2016, the University of Amsterdam issued an independent study that EDRi, BEUC, TACD and CDD commissioned in order to ascertain whether fears with regard to both privacy and data protection in trade agreements were founded. The study concluded the risks are real, and a great deal of effort needs to be put into making trade agreements data protection- and privacy-proof. This is our take:

Unless parties want to change their legal framework to truly protect human rights online, trade agreements’ vague commitments to protect data protection and privacy will be meaningless in practice.

Exceptions and safeguards protecting personal data and privacy are being suggested as a means to address the concerns about fundamental rights. However, these clauses can only be activated if certain conditions are complied with, such as:

  • that privacy and data protection measures cannot be inconsistent with other obligations of the agreement. Would the EU legal measures on data protection be inconsistent with the obligation to ensure “a free flow of data”? According to the lobby group CCIA, the response could well be “yes” (cf. “Europe might want to consider whether its 20th century localised data protection framework is well suited in the 21st century interconnected digital world”). To guard against such extreme positions, the European Parliament asked the Commission not to include such conditionality; or
  • that privacy and data protection measures should take “international standards” into consideration. As the EU is a standard setter in privacy and data protection, this creates the risk of a race to the bottom and could prevent other countries from adopting measures which defend privacy and data protection as much as (or more than) the EU.

Even if trade agreements had strong exceptions and safeguards, they could be undermined by:

  • trade dispute settlement mechanisms of trade agreements, as the Charter of Fundamental Rights will obviously not be considered; and by
  • national security exceptions. Trade agreements contain exceptions on “essential security interests” that establish that nothing in the trade agreement shall prevent any Party to the agreement from adopting measures to protect “essential security interests”. This means that if a party to the agreement wanted to conduct mass surveillance, for example, the trade deal would not ensure the protection of the privacy and personal information of individuals. This is very worrisome, as the Snowden revelations and other scandals have shown. The European Parliament has warned the Commission that their consent to TTIP could be endangered if “US blanket mass surveillance activities are not completely abandoned”.

Conditions, suspensions or prohibitions of transfers of EU citizens’ personal data outside the EU must be possible if fundamental rights are violated or circumvented, as the European Parliament has proposed to the Commission. This position is absent from all of the clauses seen in current trade proposals. In fact, the EU is currently negotiating on trade agreements whose drafts include provisions on data protection that are fundamentally broken. The existence, application or enforcement of the laws adopted by the Parties to a trade agreement relating to their fundamental rights requirements must not be considered as a violation of any trade agreement.

3. Blackmail tactics of industry lobbyists

The hollow-sounding and specious arguments that the “global tech sector” uses, such as that they take “the fundamental right to privacy very seriously”; that without data flows (as if they would suddenly, mysteriously, stop), no trade agreements will be or can be concluded; or that the EU could be perceived as “data protectionist”, are far from credible. Even some industry actors (e.g. eBay) had admitted to the Commission that the inclusion of data flows is not a priority for them because they rely on binding corporate rules to transfer data from EU citizens.

Having lobbied unsuccessfully against the General Data Protection Regulation (GDPR), having successfully lobbied for a flawed, inevitably temporary “Privacy Shield”, having incomprehensibly asked the Commission to repeal the e-Privacy Directive, it is understandable that industry lobbyists, backed by the US government want to:

  • ensure there are legal means available to challenge privacy and data protection measures, with the weak excuse that fundamental rights are barriers to trade;
  • prevent other countries from adopting high standards on data protection and privacy; and
  • make sure whatever protections on privacy and personal data are contingent on a nebulous and unpredictable understanding of “necessity” and “proportionality” in trade agreements, whereby fundamental rights will always be deprioritised compared with trade concerns.

It is also understandable that after hearing that the Commission was opposed to including data flows, they increased their lobbying and resorted to “independent” “think tanks” like ECIPE to multiply their message.

The European Commission should do better. As Evgeny Morozov argues, when policy is dictated by corporations, the protection of your privacy starts being seen as a barrier to economic growth. By defending the protection of privacy and personal information of all, the EU will gain influence and credibility. Data protection and privacy are not barriers to trade. Quite the opposite, privacy is an asset of economic growth; it’s a business opportunity to regain trust. Making void assurances and general statements that are not reflected in the actual text of the agreements would not be enough. The European Parliament has strongly reiterated this approach and even asked the Commission to “immediately and formally oppose the US proposals on movement of information”.

This is exactly what the EU should do.


05 Oct 2016

e-Privacy Directive: Frequently Asked Questions

By Diego Naranjo

What is the e-Privacy Directive?

The e-Privacy Directive (ePD) is a Directive covering specific privacy and data protection issues in the electronic communications sector. It was adopted in 2002 and revised in 2009. The official text of the current version can be found here.


Why do we need this instrument?

The ePD was created to ensure privacy and to protect personal data in the electronic communications sector by “complementing and particularising” matters covered in a general way by the main legal instrument, the Directive on Data Protection, now the General Data Protection Regulation (GDPR). For example, the confidentiality of the content of communications and information which is stored or accessed on an individual’s device is protected under the ePD. The GDPR does not specifically cover this.

Confidentiality of communications is very complex. It covers not just your right to privacy and data protection, but also your freedom of communication and freedom of expression. Without legislation providing clarity on what these fundamental rights mean in this complex environment, the protection of confidentiality and security of communications would be less predictable and less enforceable. Lack of precise rules also makes it more difficult for companies to develop new and innovative services.

Isn’t the General Data Protection Regulation (GDPR) enough?

Although the GDPR covers many issues related to data protection, it does not cover, directly and precisely, the right to privacy and, in particular, the right to freedom of communication, which are two distinct fundamental rights. Therefore, the ePD is a necessary layer of precision to ensure predictable, effective protection of rights that are not covered precisely enough in the GDPR. Furthermore, the ePD also covers activities for which the processing of personal data is not the main issue at stake, such as the sending of unsolicited messages (for example email spam or direct marketing). It also provides a framework for protecting the security of information stored on an individual’s device. It is important to remember that the ePD is not about creating new rights, but complementing existing rules, for the good of individuals and businesses alike.

The need for legislation on privacy and security of personal data in the electronic communications sector is increasing. Online tracking and the monitoring of e-mails for advertising purposes are on the rise, while telecommunications companies try to emulate internet companies by cashing in on the masses of customer data they hold, including location information. Furthermore, the ePD needs to be updated to meet the latest technological developments, such as the use of instant messaging instead of SMS or e-mail.

Which fundamental rights are affected by the ePD?

  • The fundamental right to confidentiality of communications, enshrined in Article 7 of the Charter

The new instrument replacing or revising the ePD should expressly clarify that this principle applies fully to data relating to online activities and communications, including traffic and location data as currently defined in the e-Privacy Directive. Furthermore, it should also apply to any similar data created or used in the online environment, such as location data, browsing data, e-book usage patterns, mobile app use, search queries, etc. and any new data produced therefrom. The new instrument should also bring clarity with regard to the implementation of privacy by design and by default in this context.

  • The fundamental rights to protection of personal data and freedom of expression, as enshrined in Article 8 of the Charter

For most people in the EU the easiest way to access information involves the internet. To protect this, the revised instrument should ban obligations to consent to tracking of one’s activities and subsequent profiling and automated decision-making (for example by accepting cookies before being allowed to enter a website). This is particularly important when accessing information regarding issues linked to sensitive data or when accessing websites or services provided by the public sector.

What activities are covered in the ePD?

  • the confidentiality and security of communications
  • traffic and location data produced by personal devices
  • tracking of users, including by using personal devices (e.g. for behavioural advertising purposes)
  • cookies
  • security measures in personal devices
  • itemised billing
  • calling line identification
  • public and private directories
  • spam and unsolicited calls for marketing purposes
  • data breach notifications (later specified by EU Regulation 611/2013)

Which aspects need an update?

All aspects of the ePD related to online activities – such as the confidentiality and security of communications and personal devices, and the tracking of users – need to be updated to correspond to new and potential future technological developments. The rules on itemised billing, directories of users, and unsolicited communications need to be reassessed, to check if they are in line with the GDPR. Some of its aspects, such as how data breaches should be dealt with, do not require specific legislation and can be removed. These could instead be handled by referring to the GDPR, to avoid redundancy.

I am tired of banners telling me to accept cookies. Will this bring more of these?

The ePD currently tries to give users some control over online tracking. However, it does so in a rather blunt way. In light of experience and technological developments, the provision regulating cookies in the ePD should be refined and allow for user-friendly mechanisms for expressing consent.

As we have explained in a previous blogpost, cookies are one of the ways you leave digital traces behind while surfing online. They are bits of information that get automatically installed on your device while visiting websites. Revised rules regulating cookies in the ePD should allow smoother browsing by removing obligations for consent for cookies that do not involve the collection and further processing of personal data, such as the tracking of users and devices via third parties. This would apply, for example, to statistics on which parts of a website are visited the most, collected by the owner of a website (“first party analytic cookies”), that do not involve unnecessary processing of personal information. Generally, we refer to the guidelines on cookies issued by the Article 29 Working Party in this regard.

How is this connected to the protection from mass surveillance?

We can unquestionably expect an expanding use of personal electronic devices (like smartphones, tablets, personal computers) and related technologies that are connected to the Internet (for example the Internet of Things). This development creates new opportunities for communicating online, but also bears risks for confidentiality and other fundamental rights. Online communications often involve many parties and cross national borders, without users being fully aware of these facts.

We agree with the European Data Protection Supervisor (EDPS) that the number and frequency of requests from governments to internet services (Twitter, Gmail and any others) should be made public so that individuals get a clearer picture of how these invasive powers are used by governments in practice. If the public is aware of the government’s conduct, it will be in a better position to hold the government accountable. More transparency in this context could therefore help with restoring people’s trust in the electronic communications sector.

How does it relate to the security of my electronic devices, such as my smart phone?

The GDPR includes security obligations when it comes to the processing of personal data, while the ePD allows for the inclusion of security obligations that are more specifically tailored to our online communications. These security obligations should not only apply to electronic communications providers (telecoms), but should also cover, for example, app developers and the suppliers of individuals’ electronic devices. The companies behind apps and devices are not always the main legally responsible actors. However, given their important role protecting the security and confidentiality of personal communications, they should also be subject to security requirements. More specifically, we refer to the recommendations about security and privacy requirements for operating system suppliers, device manufacturers and other relevant stakeholders issued by the Article 29 Working Party in its Opinion 8/2014 on the Internet of Things.


This FAQ has been prepared jointly by the EDRi Brussels office and EDRi members Open Rights Group, fIPR, Bits of Freedom, Access Now, Panoptykon and Privacy International.

27 Jul 2016

Massive lobby against personal communications security has started

By Joe McNamee

Since 2002, European citizens’ freedom of communication, the security of our communications devices, and the protection of our personal data in the online world have been safeguarded by the so-called e-Privacy Directive. This Directive is now up for renewal. Unsurprisingly, after the big online companies launched probably the biggest ever lobbying campaign to undermine the EU’s general privacy legislation, the General Data Protection Regulation (GDPR), they’re now attacking this legislation – this time joined by telecoms providers.

The online companies want to protect their ability to track people as they use the internet. They want to protect their ability to use data from apps to discover where people are going in the offline world and to be able to use this data to create profiles. Already, with data from just three hundred clicks on Facebook “like” buttons, researchers have shown that they can develop a better insight into your personality than anybody you know – better than your spouse, your siblings or your family. Telecoms providers look at all of this information and the huge profits the online companies are making out of it. They look at the protection that the e-Privacy Directive gives to their customers and cry that this is unfair. They want to make money out of it too – they have information about our location, about our movements, about our friends, about the businesses we communicate with. Why can’t they spy on us too? It is for our own good, after all.

As a result, an impressive-sounding twelve trade associations signed a letter demanding that the protection to our freedom of expression and communication should be repealed. Apparently for comedy value, the letter calling for removal of the only EU legal instrument protecting the confidentiality of communications was entitled “Empowering trust and innovation by repealing the e-Privacy Directive”.

The list of signatories to the letter seems impressive until we realise that it is just a small number of companies mobilising them. This is very much in line with the lobbying on the General Data Protection Regulation: The key industry players used various methods to make sure their arguments were repeated by lots of different voices, to create the impression of a broad opposition against the legislation. In the case of this letter, for example, Google is a member of exactly half of the signatory associations – the App Developers Alliance, Interactive Advertising Bureau, Computer and Communications Industry Association (CCIA), Digital Europe, the European Digital Media Association (EDiMA) and the European Internet Service Providers Association (EuroISPA).

Shockingly, the European Coordination Committee of the Radiological, Electromedical and Healthcare IT Industry (COCIR) also signed up for the call for the repeal of the privacy rules. What interest do they have in removing rules on placing software on users’ devices? What aspect of protection of confidentiality of communications worries them? We don’t know. We do know that its members include Deutsche Telekom’s subsidiary T-Systems. Deutsche Telekom is also a member of signatory associations European Telecommunications Network Operators’ Association (ETNO) and the GSM Association (GSMA).

Between now and November 2016, the European Commission will decide how it will update the e-Privacy Directive.

Joint Industry Statement: Empowering trust and innovation by repealing the e-Privacy Directive (05.07.2016)

EDRi: Data Protection Reform – Next stop: e-Privacy Directive (24.02.2016)

(Contribution by Joe McNamee, EDRi)



05 Jul 2016

PROCEED WITH CAUTION: Flexibilities in the General Data Protection Regulation

By Diego Naranjo

We regret that much of the ambition of the original data protection package was lost, due to one of the biggest lobbying campaigns in European history. However, we congratulate the European Parliament for saving the essence of European data protection legislation.[1]

On 14 April 2016, the European Parliament adopted two legal instruments that will regulate the fundamental right to data protection of individuals: the General Data Protection Regulation (GDPR) and the Law Enforcement Data Protection Directive (LEDP).

Despite the overall positive outcome of the GDPR, we regret that many of the initial high expectations for the Regulation were not realised. Once the final text was passed, and ahead of the preparation of guidelines for its implementation, we have published two documents where we analyse the numerous national flexibilities contained in the text of the Regulation. The results can be found here (the full analysis of all the flexibilities) and here (short document with the most dangerous flexibilities).

The analysis looks at the key pitfalls to be avoided in transposing these national flexibilities into Member State law. The task is huge, bearing in mind that there are almost as many provisions in which Member States can implement the Regulation differently as there were articles in the preceding Data Protection Directive. Some of the flexibilities are harmless, but many others could be perceived by governments as opportunities to allow them to ignore essential elements of the Regulation.

We hope that this analysis can help national governments and data protection authorities to implement the GDPR in a way which protects the essence of the right to data protection by implementing the most privacy friendly interpretation of these flexibilities.

Although this analysis is a shared effort of several EDRi members and EDRi staff, we would like to give our heartfelt thanks to Chris Pounder for the initial analysis of flexibilities in the Regulation and Douwe Korff for his extensive assessment of the options available.

[1] Press Release: Vote on Data Protection and Passenger Name Record package (13.04.2016)


01 Jun 2016

The lobby-tomy 7: Not all roads lead to privacy

By Guest author

Within the privacy world, different schools of thought exist. Connecting different viewpoints to a seemingly positive ideology is also a sales technique.

The new European data protection regulation is the most lobbied piece of legislation thus far. This is because the subject is very important and touches upon almost every aspect of our daily lives. Therefore EDRi member Bits of Freedom used the Dutch freedom of information act to ask the government to publish all the lobby documents they received on this new law. Bits of Freedom published these documents on their website with their analysis in a series of blogs. What parties lobby? What do they want? What does that mean for you? These nine articles are now translated into English for the EDRi-gram. This is part 7.

If one school of thought has successfully been put in the limelight, it is the “risk-based approach”. It means that when policy makers formulate obligations for industry, they should take the identifiable risks of data processing into account. Strict obligations should only accompany identified large risks. But that can’t be an excuse to create a lower level of protection for people.

If we read the lobby letters correctly, one of the most important offices behind this approach is the “Centre for Information Policy Leadership” of Hunton and Williams LLP. Although the term is older, they launched a “risk based approach framework” in January 2014, after which the subject has resurfaced repeatedly.

The data protection regulation creates new obligations for organisations that plan to process a certain quantity of data. An organisation is for example required to do a “privacy impact assessment” before processing data, in which it will have to evaluate the consequences of the processing for people’s privacy. In some cases, the processing should be notified to the data protection authority. Apart from that, organisations should have a data protection officer, who handles supervision of all privacy related issues internally. Furthermore, organisations are required to notify data breaches to anyone connected to the data.

Companies are not happy about this. We already mentioned in a previous blog that these are the themes that have been lobbied on the most. They say, briefly: allow us to only fulfill those obligations if it’s to mitigate large and already identified risks.


It isn’t surprising that many of the “usual suspects” support this risk based approach. TechAmerica Europe, an organisation that represented the interests of European technology companies “with American parentage”, strongly supported this. Banks also welcome such an approach, as shown in their email to the Dutch embassy to the EU – the so-called “permanent representation”. Thuiswinkel.org, a Dutch e-commerce company, says in an email to the Dutch Ministry of Justice: “The current reforms are not adequate enough in the eyes of Thuiswinkel.org, in particular because the proposals lack a ‘risk-based’ approach.” Even the Royal Academy for Sciences seems to be a proponent of this approach.


To strengthen their arguments, different parties use “commitment and consistency”. The trick with this is that people like to present one unambiguous image of themselves. So people will want to act in ways that are congruent with their statements. Therefore, the Centre for Information Policy Leadership uses statements of influential politicians from the group of people they are trying to influence, who have been positive about the risk based approach.

In a letter by the Centre for Information Policy Leadership to the Ministry of Justice, European Commissioner Viviane Reding is quoted as a proponent of the risk based approach, just like the Council of Ministers that the letter aims to convince. You were in favor of a risk based approach, right? Then you should also agree to our demands. The former European Data Protection Supervisor Peter Hustinx once made positive statements about this approach, and these are quoted quite happily in a letter by the Industry Coalition for Data Protection (ICDP) to the Ministry of Justice:
“ICDP strongly agrees with the European Data Protection Supervisor Peter Hustinx that data protection legislation is most effective when it follows a risk-based approach.”


A risk based approach can’t be an excuse to evade important obligations, as the committee of privacy watchdogs in Europe stated. A well described liability based on agreed criteria can assure that companies keep privacy protection in mind at an early stage of data processing or planning. Those criteria should obviously be proportionate, so a sole trader that serves only fifty customers per year shouldn’t be required to send a privacy impact assessment to the data protection authority every week or to hire a data protection officer (not that anyone ever suggested that, it has to be said). But we should also be wary of abuse. For example, Digital Europe, a lobby organisation for digital businesses, wants to make sure that companies can decide for themselves what constitutes risk. That would make evading supervision very easy.

Privacy schools of thought

Connecting your viewpoints to clear schools of thought can help your cause. That’s why more schools of thought than the “risk based approach” are mentioned in the lobby documents. Vodafone wants a more “principle based” approach, which means they want more flexibility. Yet other companies mention the “harm based approach”, the “use based approach”, the “precautionary based approach” and others.

Whatever school of thought one prefers, no one can currently predict the risks well, particularly in a world of “big data”. What we do know is that more data will be collected and will be increasingly used. This makes every choice we make now only more important for privacy protection in the future.

To be continued

Want to continue reading about this? On the Bits of Freedom website, you can find all the lobby documents and the analysis. The next part will be about the anti-fraud argument.

Lobby-tomy series (only in Dutch)

(Contribution by Floris Kreiken, EDRi member Bits of Freedom, The Netherlands)



17 Dec 2015

EU Data Protection Package – Lacking ambition but saving the basics

By Heini Järvinen

Statement of European Digital Rights (EDRi), Bits of Freedom, Digitale Gesellschaft e.V, Open Rights Group (ORG), Digital Rights Ireland and Privacy International following the vote of the European Parliament’s Civil Liberties Committee on the Data Protection

In January 2012, the European Commission, following extensive consultations, published a draft Regulation and a Directive to create a strong framework for data protection in the EU. The initiative had three priorities – modernisation of the legal framework for the protection of personal data, harmonisation of the rules across the EU, and maintaining existing levels of protection. Underpinning this was an attempt to enhance individuals’ rights and put them more in control of their personal information, as well as to make enforcement more effective – both of which are major failures of the current legislation.

“Faced with possibly the world’s biggest ever lobbying onslaught, this agreement appears to have saved the essential elements of data protection in Europe. Sadly, there is little left of the initial ambition of the proposals”, said Joe McNamee, Executive Director of European Digital Rights. “At several moments in the past four years, it appeared that the proposals were crumbling, so today’s vote represents an impressive achievement by politicians from all major political families and by civil society.”

The objective of modernisation has been achieved only partially – resisted by industry groups who want to stay in the last century. One of the key elements of modernisation, profiling, has not been dealt with thoroughly. The differentiation of “explicit” consent for sensitive data and “consent” for other processing of personal data will not help when enforcing the Regulation. The failure to properly reform the foggy notion of processing of data on the basis of the “legitimate interest” of the controller is a missed opportunity, even though we are happy that some safeguards were added.

More importantly, harmonisation has become a parody of its original intentions. The existing Directive consisted of 34 articles. The final text has more permissible exceptions than the previous legislation had articles. In addition, Article 21 (on exceptions for public policy reasons) has broadened the list of articles that can be subject to a national opt-out.

Overall, the data protection package has achieved the bare minimum standards which were possible in the current political scenario. The final texts are somewhat better than what was proposed by the EU Council and some European Parliament Committees, but fall well short of the ambition of the initial proposals. EDRi, Bits of Freedom, Digitale Gesellschaft e.V., Open Rights Group, Digital Rights Ireland and Privacy International appreciate the work of the co-legislators to defend the proposals. We now must turn our attention to the next challenges – implementation of the new legislation, the reform of the e-Privacy Directive and preparing litigation, where necessary, to ensure that our fundamental rights are defended.

“It is staggering that it was so hard to come up with essential rules of the road. All of this occurred at a time where there are increased concerns about surveillance and unprecedented levels of security breaches. Yet data-hungry companies and governments, and poor technology designs continue to make our personal data vulnerable”, Anna Fielder, Chair of Privacy International added. “Now we have a legal instrument to hold the powerful to account. We are going to use this legal regime to help empower citizens and consumers. And we are going to test it against emerging business models, ambitious and delusional government programmes, and any system that takes control away from the individual.”


Read more:

General Data Protection Regulation: Document pool

Data Protection Directive on law enforcement: The loopholes (18.11.2015)

ENDitorial: The EU’s data protection reform – a lost opportunity? (04.11.2015)

European Commission will “monitor” existing EU data retention laws (29.07.2015)

For additional information, please contact:
Theresia Reinhold
Tel: +32 2 274 25 70


16 Dec 2015

Data protection package concluded – 1420 days after being launched

By Joe McNamee

On 15 December 2015, three years and ten months after the package was launched, the General Data Protection Regulation (GDPR) and Directive on Data Protection in Police and Justice matters were finally completed.

The reform package was launched in order to enhance data protection rights and improve their enforcement. Up until now, data protection in police and justice matters was regulated by a narrow “framework Decision” adopted by the EU Council in 2008. General data protection was regulated by a Directive from 1995.

Instead of a “framework Decision” that only covers data in relation to police and judicial “cooperation”, the new Directive covers data protection in police and justice matters more generally. Instead of a Directive, which is implemented by 28 different national laws, the new legislation is a Regulation, which will be directly applicable across all of the EU. This should greatly, but not completely, reduce disparities between interpretation of data protection law in the EU.

One of the biggest headline-grabbing innovations in the Regulation is a detailed explanation of the already-existing right to demand deletion of one’s own personal data. This right has now unfortunately been renamed the “right to be forgotten”, which gives a misleading impression of its meaning. It does not mean that your online history can be deleted or that newspapers can be obliged to change their archives. Individuals have no “right to be forgotten.” Within the limits of safeguards for freedom of expression, the new Regulation describes the conditions under which individuals can ask for deletion of their data.

Another innovation was the addition of obligations on notification of data breaches to the data protection authorities and to affected individuals. The necessity for such obligations has become very clear in recent months, with several major data breaches hitting the headlines, such as the Ashley Madison and TalkTalk cases. As with the rest of the proposal, this was subject to heavy lobbying. Individuals now only have to be notified if there is “likely” to be a “high risk” to their rights.

The concepts of “data protection by design” and “by default” were also added to the Regulation. The purpose here is to ensure that data protection is a priority that is included in the design phase of a new product and that, by default, only data which are necessary are processed for the particular task at hand.

Various attempts were made by the European Commission and the European Parliament to improve predictability of how and when data will be used. For example, explicit consent for data processing was initially suggested. While this was rejected, the text has added some improvements as regards the consent that does have to be provided.

The package, and the Regulation in particular, was subject to a huge amount of lobbying, much of which was based on misunderstandings and misrepresentations. The result is that the overall package is less clear and less protective of personal data than it could – and should – have been. However, compared with the potentially disastrous positions taken by some of the European Parliament’s committees and by the EU Member States in the Council of the European Union “general approach” adopted in June 2015, the outcome is vastly better than it could have been.

Council of the European Union: General Data Protection Regulation, general approach (11.06.2015)

Council of the European Union: Directive on Data Protection in Police and Justice matters, general approach (02.10.2015)

European Parliament: General Data Protection Regulation, first reading position (12.03.2014)

European Parliament: Directive on Data Protection in Police and Justice matters, first reading position (12.03.2014)

EDRi: General Data Protection Regulation: Document pool

EDRi: Everything you need to know about the Data Protection Regulation

EDRi: Everything you need to know about the Data Protection Directive for Law Enforcement

(Contribution by Joe McNamee, EDRi)



18 Nov 2015

Data Protection Directive on law enforcement: The loopholes

By Diego Naranjo

Some of your most sensitive data, which could lead to the most serious consequences for you if processed carelessly, is being dealt with while attracting almost no attention from the media and the general public. Outside the spotlight of the General Data Protection Regulation (GDPR), the Directive for Law enforcement agencies (LEDP) seems, for some, not to have the charisma of the Regulation.

However, the Directive contains numerous loopholes which, if not carefully addressed, will undermine the already fragile data protection regime. The Council of the European Union version of the text (the so-called “general approach” text) was published on 9 October 2015, and the (always opaque) trilogue negotiations are now underway. The goal of the trilogues is to reach an agreement at the end of December 2015, in line with the foreseen calendar for the GDPR.

The Directive’s original goal was the protection of personal data in the context of the use by “competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties”. That was the scope until the Council added to its version a mention of “safeguarding against and the prevention of the threats to public security”. Although this wider scope could be positive in the sense that it could fill some gaps provided by the exceptions in the GDPR, it is not clear what types of activities will be covered, within the limited EU legal competences in this matter. For example, it is not clear whether or how it will relate to any activities of intelligence agencies that fall outside of EU legal competence, but where the EU itself, for example through Europol, is increasing its activities. If these activities performed by intelligence agencies will be covered to any extent by the Directive, the question that follows is what the consequence would be for the data gathered pro-actively and/or in bulk on people who are not linked to any criminal activity, contrary to the protection of fair trial rights in Art. 6 ECHR and Art. 47 of the Charter of Fundamental Rights of the European Union. The Directive gives no hint to solve this, or other similar questions.

One of the most worrying aspects is that current articles on lawful processing (7 and 7a) could allow massive transfer of data from law enforcement agencies in the Member States (inside the Directive’s scope) to the respective national security agencies (outside the Directive’s scope). Bearing in mind that some national agencies have a tendency to engage in international data transfer practices with other agencies both inside and outside the EU, the alarms should be ringing already in the heads of those involved in the trilogue negotiations. As the European Parliament (EP) stated in its resolution on the surveillance of EU citizens that was passed on 29 October 2015, the Commission must “immediately take the necessary measures to ensure that all personal data transferred to the US are subject to an effective level of protection that is essentially equivalent to that guaranteed in the EU”. These precautions need to be inserted in the Directive.

The recitals and the definitions do not bring the clarification that the text requires. For example, Recital 16 includes a reference to “data rendered anonymous in such a way that the data subject is no longer identifiable”, which by definition would not be personal data and therefore (obviously) would fall outside the Directive and the Regulation. Later on, in the definitions, health status relates in some parts of the Directive only to the current health status (Article 3), while in another part (recital 17) it relates to “past, current or future” health of the individual. More worryingly, “national security” lacks the definition called for in the aforementioned resolution of the Parliament. Furthermore, the distinction between activities related to “public security” and “national security” should be clarified in the recital.

In line with what is happening in the Regulation, profiling protections are also weakened in the Directive. Although there is a general prohibition of using sensitive data when doing profiling, the provision lacks sufficient safeguards, and profiling is only covered under the Directive when this is done in a fully automated process. Anything that is not “fully” automated falls outside the protection of this safeguard.

The Directive, as it stands today, has a significant list of worrisome aspects that need to be re-defined and clarified. The negotiators in the trilogues need to decide now if they want to aim for a Directive that includes loopholes which could weaken the new data protection regime, or to strive for the data protection regime which is needed to guarantee the fundamental right to privacy in Europe.

EDRi analysis of the European Commission’s original proposal for the Directive

EDRi: General Data Protection Regulation: Document Pool

EDRi: The Data Protection Archive

Mass surveillance: EU citizens’ rights still in danger, says Parliament (29.10.2015)

(Contribution by Diego Naranjo, EDRi)



18 Nov 2015

EU and US NGOs propose privacy reforms post Schrems

By Guest author

On 12 November 2015, leading human rights and consumer organisations issued a letter to urge the US and the EU to protect the fundamental right to privacy. After the Schrems ruling by the Court of Justice of the European Union (CJEU) in October 2015, the parties are now attempting to negotiate a revised Safe Harbor arrangement, but civil society groups are sceptical that such an agreement by itself will be sufficient.

EU Commissioner for Justice, Consumers and Gender Equality Věra Jourová recently travelled to Washington DC to discuss the possibilities to replace the invalidated Safe Harbor data transfer framework. While negotiating with American officials, Secretary of Commerce Penny Pritzker in particular, the Commissioner took the time to meet with US civil society organisations on 13 November 2015.

On that occasion, the groups warned that without significant changes to “domestic law” and “international commitments” by the United States, a “Safe Harbor 2.0” will almost certainly fail. The NGOs recommended 13 proposals for the EU and the US that are necessary after the judgment.

Among other requirements, the NGO leaders have called for a comprehensive privacy framework in the US, which includes the establishment of an independent privacy agency and the modernisation of the Privacy Act of 1974, to provide for meaningful judicial redress for everybody, including non-US persons, whose data is stored by a US federal agency.

The paper argued that it is important to conclude the General Data Protection Reform (GDPR) by the end of 2015 and that the EU must keep or increase the level of protection for privacy and data protection. The EU should follow the opinion of the Article 29 Working Party, and ensure that “no portion of the GDPR lessens protections or reduces the rights of individuals within the EU” and that “harmonization of a high level of protection remains the goal.”

Additionally, the paper stated that the EU and the US should stand up for strong encryption, and reject any law or policy that would undermine the security of consumers and Internet users. Both parties should end the mass surveillance of people and the EU must ensure that fundamental human rights such as privacy are respected in the wake of political urgency for more intrusive surveillance laws and practices that generate a false assumption of a higher level of safety and security.

Finally, the organisations propose that the EU and the US should commit to an annual summit with the full participation of civil society organisations to assess progress toward these goals.

Commissioner Jourová welcomed the comments of the civil society organisations.

NGO letter to Commissioner Jourová and Secretary Pritzker (12.11.2015)

Commissioner Jourova’s Speech at the Brookings Institute (16.11.2015)

Fortify New US-EU Data Transfer Pact, Privacy Groups Urge, Law360 (13.11.2015)

Article 29 Working Party: Statement on Safe Harbor (16.10.2015)

US House: Hearing on Safe Harbor (27.10.2015)

EU High Court: Press Release on Safe Harbor Decision (06.10.2015)

EPIC: Max Schrems v Irish Data Protection Commissioner (Safe Harbor)

The New York Times: “Digital Privacy, in the U.S. and Europe,” by Marc Rotenberg, Anna Fielder, Jeff Chester (13.10.2015)

(Contribution by Fanny Hidvegi, EPIC, US)