16 Dec 2015

Data protection package concluded – 1420 days after being launched

By Joe McNamee

On 15 December 2015, three years and ten months after the package was launched, the General Data Protection Regulation (GDPR) and Directive on Data Protection in Police and Justice matters were finally completed.

The reform package was launched in order to enhance data protection rights and improve their enforcement. Up until now, data protection in police and justice matters was regulated by a narrow “framework Decision” adopted by the EU Council in 2008. General data protection was regulated by a Directive from 1995.


Instead of a “framework Decision” that only covers data in relation to police and judicial “cooperation”, the new Directive covers data protection in police and justice matters more generally. Instead of a Directive, which is implemented by 28 different national laws, the new legislation is a Regulation, which will be directly applicable across all of the EU. This should greatly, but not completely, reduce disparities between interpretation of data protection law in the EU.

One of the biggest headline-grabbing innovations in the Regulation is a detailed explanation of the already-existing right to demand deletion of one’s own personal data. This right has now unfortunately been renamed the “right to be forgotten”, which gives a misleading impression of its meaning. It does not mean that your online history can be deleted or that newspapers can be obliged to change their archives. Individuals have no “right to be forgotten.” Within the limits of safeguards for freedom of expression, the new Regulation describes the conditions under which individuals can ask for deletion of their data.

Another innovation was the addition of obligations on notification of data breaches to the data protection authorities and to affected individuals. The necessity for such obligations has become very clear in recent months, with several major data breaches hitting the headlines, such as the Ashley Madison and TalkTalk cases. As with the rest of the proposal, this was subject to heavy lobbying. Individuals now only have to be notified if there is “likely” to be a “high risk” to their rights.

The concepts of “data protection by design” and “by default” were also added to the Regulation. The purpose here is to ensure that data protection is a priority that is included in the design phase of a new product and that, by default, only data which are necessary are processed for the particular task at hand.

Various attempts were made by the European Commission and the European Parliament to improve predictability of how and when data will be used. For example, explicit consent for data processing was initially suggested. While this was rejected, the text has added some improvements as regards the consent that does have to be provided.

The package, and the Regulation in particular, was subject to a huge amount of lobbying, much of which was based on misunderstandings and misrepresentations. The result is that the overall package is less clear and less protective of personal data than it could – and should – have been. However, compared with the potentially disastrous positions taken by some of the European Parliament’s committees and by the EU Member States in the Council of the European Union “general approach” adopted in June 2015, the outcome is vastly better than it could have been.

Council of the European Union: General Data Protection Regulation, general approach (11.06.2015)
data.consilium.europa.eu/doc/document/ST-9565-2015-INIT/en/pdf

Council of the European Union: Directive on Data Protection in Police and Justice matters, general approach (02.10.2015)
data.consilium.europa.eu/doc/document/ST-12555-2015-INIT/en/pdf

European Parliament: General Data Protection Regulation, first reading position (12.03.2014)
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P7-TA-2014-0212+0+DOC+XML+V0//EN

European Parliament: Directive on Data Protection in Police and Justice matters, first reading position (12.03.2014)
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P7-TA-2014-0219+0+DOC+XML+V0//EN

EDRi: General Data Protection Regulation: Document pool
https://edri.org/gdpr-document-pool/

EDRi: Everything you need to know about the Data Protection Regulation
http://protectmydata.eu

EDRi: Everything you need to know about the Data Protection Directive for Law Enforcement
http://policingprivacy.eu

(Contribution by Joe McNamee, EDRi)

18 Nov 2015

Data Protection Directive on law enforcement: The loopholes

By Diego Naranjo

Some of your most sensitive data, which, if processed carelessly, could lead to the most serious consequences for you, is being dealt with while receiving almost no attention from the media and the general public. Outside the spotlight of the General Data Protection Regulation (GDPR), the Directive for law enforcement agencies (LEDP) seems, for some, to lack the charisma of the Regulation.


However, the Directive contains numerous loopholes which, if not carefully addressed, will undermine the already fragile data protection regime. The Council of the European Union version of the text (the so-called “general approach” text) was published on 9 October 2015, and the (always opaque) trilogue negotiations are now underway. The goal of the trilogues is to reach an agreement at the end of December 2015, in line with the foreseen calendar for the GDPR.

The Directive’s original goal was the protection of personal data in the context of the use by “competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties”. That was the scope until the Council added to its version a mention of “safeguarding against and the prevention of the threats to public security”. Although this wider scope could be positive in the sense that it could fill some gaps provided by the exceptions in the GDPR, it is not clear what types of activities will be covered, within the limited EU legal competences in this matter. For example, it is not clear whether or how it will relate to any activities of intelligence agencies that fall outside of EU legal competence, but where the EU itself, for example through Europol, is increasing its activities. If these activities performed by intelligence agencies are covered to any extent by the Directive, the question that follows is what the consequence would be for the data gathered pro-actively and/or in bulk on people who are not linked to any criminal activity, contrary to the protection of fair trial rights in Art. 6 ECHR and Art. 47 of the Charter of Fundamental Rights of the European Union. The Directive gives no hint as to how to resolve this or other similar questions.

One of the most worrying aspects is that the current articles on lawful processing (7 and 7a) could allow massive transfer of data from law enforcement agencies in the Member States (inside the Directive’s scope) to the respective national security agencies (outside the Directive’s scope). Bearing in mind that some national agencies have a tendency to engage in international data transfer practices with other agencies both inside and outside the EU, the alarms should already be ringing in the heads of those involved in the trilogue negotiations. As the European Parliament (EP) stated in its resolution on the surveillance of EU citizens that was passed on 29 October 2015, the Commission must “immediately take the necessary measures to ensure that all personal data transferred to the US are subject to an effective level of protection that is essentially equivalent to that guaranteed in the EU”. These precautions need to be inserted in the Directive.

The recitals and the definitions do not bring the clarification that the text requires. For example, Recital 16 includes a reference to “data rendered anonymous in such a way that the data subject is no longer identifiable”, which by definition would not be personal data and therefore (obviously) would fall outside the Directive and the Regulation. Later on, in the definitions, health status relates in some parts of the Directive only to the current health status (Article 3), while in another part (recital 17) it relates to “past, current or future” health of the individual. More worryingly, “national security” lacks the definition called for in the aforementioned resolution of the Parliament. Furthermore, the distinction between activities related to “public security” and “national security” should be clarified in the recital.

In line with what is happening in the Regulation, profiling protections are also weakened in the Directive. Although there is a general prohibition of using sensitive data when doing profiling, the provision lacks sufficient safeguards, and profiling is only covered under the Directive when this is done in a fully automated process. Anything that is not “fully” automated falls outside the protection of this safeguard.

The Directive, as it stands today, has a significant list of worrisome aspects that need to be re-defined and clarified. The negotiators in the trilogues need to decide now if they want to aim for a Directive that includes loopholes which could weaken the new data protection regime, or to strive for the data protection regime which is needed to guarantee the fundamental right to privacy in Europe.

EDRi analysis of the European Commission’s original proposal for the Directive
http://policingprivacy.eu/

EDRi: General Data Protection Regulation: Document Pool
https://edri.org/gdpr-document-pool/

EDRi: The Data Protection Archive
https://edri.org/eudatap-archive/

Mass surveillance: EU citizens’ rights still in danger, says Parliament (29.10.2015)
http://www.europarl.europa.eu/news/en/news-room/content/20151022IPR98818/html/Mass-surveillance-EU-citizens’-rights-still-in-danger-says-Parliament

(Contribution by Diego Naranjo, EDRi)

18 Nov 2015

EU and US NGOs propose privacy reforms post Schrems

By Guest author

On 12 November 2015, leading human rights and consumer organisations issued a letter to urge the US and the EU to protect the fundamental right to privacy. After the Schrems ruling by the Court of Justice of the European Union (CJEU) in October 2015, the parties are now attempting to negotiate a revised Safe Harbor arrangement, but civil society groups are sceptical that such an agreement by itself will be sufficient.

EU Commissioner for Justice, Consumers and Gender Equality Věra Jourová recently travelled to Washington DC to discuss the possibilities to replace the invalidated Safe Harbor data transfer framework. While negotiating with American officials, Secretary of Commerce Penny Pritzker in particular, the Commissioner took the time to meet with US civil society organisations on 13 November 2015.


On that occasion, the groups warned that without significant changes to “domestic law” and “international commitments” by the United States, a “Safe Harbor 2.0” will almost certainly fail. The NGOs recommended 13 proposals for the EU and the US that are necessary after the judgment.

Among other requirements, the NGO leaders have called for a comprehensive privacy framework in the US, which includes the establishment of an independent privacy agency and the modernisation of the Privacy Act of 1974, to provide for meaningful judicial redress for everybody, including non-US persons, whose data is stored by a US federal agency.

The paper argued that it is important to conclude the General Data Protection Reform (GDPR) by the end of 2015 and that the EU must keep or increase the level of protection for privacy and data protection. The EU should follow the opinion of the Article 29 Working Party, and ensure that “no portion of the GDPR lessens protections or reduces the rights of individuals within the EU” and that “harmonization of a high level of protection remains the goal.”

Additionally, the paper stated that the EU and the US should stand up for strong encryption, and reject any law or policy that would undermine the security of consumers and Internet users. Both parties should end the mass surveillance of people and the EU must ensure that fundamental human rights such as privacy are respected in the wake of political urgency for more intrusive surveillance laws and practices to generate a false assumption of a higher level of safety and security.

Finally, the organisations propose that the EU and the US should commit to an annual summit with the full participation of civil society organisations to assess progress toward these goals.

Commissioner Jourová welcomed the comments of the civil society organisations.

NGO letter to Commissioner Jourová and Secretary Pritzker (12.11.2015)
http://thepublicvoice.org/EU-US-NGO-letter-Safe-Harbor-11-15.pdf

Commissioner Jourova’s Speech at the Brookings Institute (16.11.2015)
http://europa.eu/rapid/press-release_SPEECH-15-6104_en.htm

Fortify New US-EU Data Transfer Pact, Privacy Groups Urge, Law360 (13.11.2015)
http://www.law360.com/privacy/articles/726820

Article 29 Working Party: Statement on Safe Harbor (16.10.2015)
https://epic.org/redirect/103015-article-29-harbor-statement.html

US House: Hearing on Safe Harbor (27.10.2015)
https://epic.org/redirect/103015-house-harbor-hearing.html

EU High Court: Press Release on Safe Harbor Decision (06.10.2015)
https://epic.org/redirect/101615-safe-harbor-release.html

EPIC: Max Schrems v Irish Data Protection Commissioner (Safe Harbor)
https://epic.org/privacy/intl/schrems/default.html

The New York Times: “Digital Privacy, in the U.S. and Europe,” by Marc Rotenberg, Anna Fielder, Jeff Chester (13.10.2015)
http://www.nytimes.com/2015/10/13/opinion/digital-privacy-in-the-us-and-europe.html

(Contribution by Fanny Hidvegi, EPIC, US)

04 Nov 2015

ENDitorial: The EU’s data protection reform – a lost opportunity?

By Diego Naranjo

“Someone who knows things about us has some measure of control over us, and someone who knows everything about us has a lot of control over us. Surveillance facilitates control.”

– Bruce Schneier, cryptographer and security expert

When the European Union talks about modernising EU rules on data protection in the digital age, the most important challenge is unquestionably “big data”, and the most important challenge of big data is profiling.


Big data is not “more data” – big data is the massive merging of data to generate more data, more assumptions and more knowledge about you and me. If you are this age, went to this website and bought that product, big data will predict that you can be offered higher prices, or you shouldn’t be offered insurance, or you might vote in a particular way. Innocuous morsels of personal data interact and become pregnant, producing offspring that could be anything but harmless. The “I’ve nothing to hide” argument never made much sense, but it makes no sense at all in a world where you have no idea what guesses are being made on the basis of the data that you know about.

Our devices are feeding information into large databases 24/7: Our mobile devices gather and send information about our movements while we walk. Many of the apps installed on our phones demand unnecessary access to our contact list. Our home smart meters will know when we get home after work and if we have guests. Our search engine keeps records of our interests and fears. Facebook has successfully experimented with its power to make people happier or sadder, and even to make them more (or less) likely to vote. Professionals called “data brokers” collect and aggregate personal data from a wide range of sources to create detailed profiles of individuals which are then sold to third parties.

So, how do the proposed new EU rules (the General Data Protection Regulation, GDPR) address this huge new challenge? Not very well. First, the article dealing with profiling (Article 20) was weak in the European Commission’s initial proposal, was diluted by the European Parliament and eviscerated by the Council of the European Union. The current Council text says that data subjects, the individuals to whom the collected personal data relates, cannot object to the profiling itself, only to “decisions based solely on automated processing, including profiling”. Therefore, if there is a profiling activity but no formal “decision” has been made, or if that automated processing and profiling is only part of the process and not the sole basis for the decision, there would be no specific right to object under EU data protection law.

Flanking protections, which could normally be relied upon, even if profiling and decision-making rules were weak, have also been diluted: Data-minimisation becomes “not excessive” data processing. Access and rectification become problematic when profilers can hide behind their algorithms as “trade secrets” or pseudonymisation. “Purpose limitation”, the principle that data must be collected for specified, explicit and legitimate purposes only, is undermined by watery compromises on what “compatible use” might be, while the need for the user’s consent can be bypassed by the open-ended “legitimate interest” loophole.

If this had not watered down the safeguards enough, profiling has been re-inserted into the list of exceptions for which Member States may restrict rights and obligations for purposes related to “national security”, “defence”, “public security” and, for fear that these provisions were not vague enough, “other important objectives of general public interests of the Union or of a Member State”. This, in practice, allows national governments to circumvent EU data protection law and allow profiling when the goal is allegedly linked to any of these ill-defined goals.

A harmonised, modernised legal instrument for the EU is more necessary than ever. The GDPR needs to be future-proof and needs to have strong safeguards without loopholes. The current negotiating text of the GDPR looks set to fail its biggest test. If the ongoing negotiations between the European Parliament and EU Council do not resolve these and other problems, we might be facing the loss of a fundamental right, the loss of trust, and take-up of technologies based on big data. This should not be worrying for EU citizens only: The GDPR is crucial for global norm setting in the field of data protection and privacy. We have one opportunity – we must do better than this.

Surveillance-based manipulation: How Facebook or Google could tilt elections (26.12.2015)
http://arstechnica.com/security/2015/02/surveillance-based-manipulation-how-facebook-or-google-could-tilt-elections/

Facebook reveals news feed experiment to control emotions (30.06.2014)
http://www.theguardian.com/technology/2014/jun/29/facebook-users-emotions-news-feeds

General Data Protection Regulation: Document pool (25.06.2015)
https://edri.org/gdpr-document-pool/

Obfuscation: how leaving a trail of confusion can beat online surveillance (24.10.2015)
http://www.theguardian.com/technology/2015/oct/24/obfuscation-users-guide-for-privacy-and-protest-online-surveillance

Our obsession with explaining past atrocities could destroy our free speech (22.10.2015)
http://www.telegraph.co.uk/news/uknews/law-and-order/11947492/Our-obsession-with-explaining-past-atrocities-could-destroy-our-free-speech.html

(Contribution by Diego Naranjo and Joe McNamee, EDRi)

22 Jul 2015

EU Commission – finally – confirms that its promise on data protection will be respected

By Joe McNamee

Last April, EDRi, supported by sixty-five other NGOs from the European Union, North, Central and South America, Africa, Asia and Australia, sent a letter (PDF) to the European Commission. The letter asked if the Commission would respect the “absolute red line” that the protection levels in the 1995 Data Protection Directive would be maintained.

This commitment is now critically important, as the EU institutions are currently involved in “trialogue discussions” (infographic), which are expected to finalise the data protection reform process started five years ago with a Commission Communication. A clear position from the leadership of the Commission on the protection of existing standards is crucial to ensure that some of the more extremist policies (PDF) proposed by some Member States can be definitively taken off the table, for the benefit of the coherence, trust and credibility that all stakeholders need from the final Regulation and Directive.

Today, we received a positive answer (PDF) from the European Commission, confirming that they will honour the commitment to respect the levels of protection set in Directive 95/46/EC:

The Commission has been and will continue to be true to this commitment.

Ahead of the next trialogue meetings starting again in September, this commitment sets important boundaries on what is, and what is not, acceptable as this process moves forwards.

All actors involved in these negotiations must not be distracted by siren calls from a small number of private actors who, as they historically always do, mistake good regulation for constraints on business. As Paul Nemitz, Director for Fundamental rights and Union citizenship in the Directorate-General for Justice of the European Commission, explained to the Wall Street Journal: “The path toward trust through high levels of protection is good for the economy, good for growth and employment.”

Read the Commission’s response:
17072015-eudatap-Commission-95

15 Jun 2015

Press Release: Privacy and Data Protection under threat from EU Council agreement

By Heini Järvinen

Following today’s meeting of the Justice Ministers Council in Luxembourg where an agreement was reached on the proposal for a General Data Protection Regulation (GDPR), EDRi and Privacy International would like to present the following statement:

In January 2012, the European Commission, following extensive consultations, published a draft Regulation. The initiative had three priorities – modernisation of the legal framework for the protection of personal data, harmonisation of the rules across the EU (proposing a single Regulation rather than a Directive that is implemented via 28 national laws) and maintaining existing levels of protection. A stated purpose was also to enhance individuals’ rights and put them more in control of their personal information, and make enforcement more effective – both are major failures of the current legislation.

The objective of modernisation has not been achieved. Key elements of modernisation have been weakened to the point of meaninglessness. Rules on data breaches, privacy by design and, especially, profiling are far too weak and unclear.

Harmonisation has become a parody of its original intentions. The existing Directive consists of 34 articles. The Council’s position has 48 exceptions where Member States can do what they want, not including the broadening of the list of exceptions provided for in Article 21. In fact, Article 21 has broadened government powers so much that they can effectively run a coach and horses through all the rights and protection in this piece of legislation and render it null and void.

The objective of maintaining the levels in the 1995 Directive has not been achieved, inter alia for the reasons below. The European Commission had previously said that, as an absolute red line, standards would not be allowed to slip.

“This agreement is quite simply a brazen effort to destroy Europe’s world leading approach to data protection and privacy,” said Joe McNamee, Executive Director of European Digital Rights. “The Council position is a mixture of reckless disregard for citizens’ fundamental rights and pandering to special interests that led to draft legislation where the number of exceptions is higher than the total number of articles in the previous Directive.”

Equally, citizens and consumers will lose effective control of their personal data as a result of this legislation; and continuing illegal activity by businesses will remain unpunished.

“If the purpose of this reform was to strengthen people’s control over their personal information and improve enforcement, our governments have achieved the exact opposite,” added Anna Fielder, Board Chair of Privacy International. “The Council revisions to the draft data protection Regulations have done their best to disembowel some of the fundamental principles and further disempower individuals and their representatives by weakening rights. Moreover, any notion of harmonised, predictable rules across the Union has gone out of the window; in over a quarter of all the articles of this Regulation individual governments can develop their own rules.”

KEY ELEMENTS OF THE AGREEMENT

  • The proposal undermines purpose limitation:
    The current text of the GDPR allows for the further processing of personal data “for archiving purposes in the public interest or scientific, statistical or historical purposes.” However, it is unclear what those statistical and scientific purposes are. Any large company that makes profit out of exploiting personal data could claim to be processing data for scientific purposes. This loophole is broadened further still by the new and controversial text of Article 6.4: “Further processing by the same controller for incompatible purposes on grounds of legitimate interests of that controller or a third party shall be lawful if these interests override the interests of the data subject.”
  • The proposal moves from data minimization to “non-excessive” data processing:
    The proposed Article 5(c) removes the obligation to keep processing to a minimum and weakens it to “non-excessive” processing. The Council amendment removes the obligation that the data “shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data”. This provides room for data controllers to process more data than necessary.
  • The grounds for processing are increasingly vague:
    The “legitimate interest” justification for data processing without consent is the vaguest ground for processing, offering a lot of scope for industry to process data if they can claim a “legitimate interest” in doing so.
  • Weaker redress and enforcement provisions:
    Under the Council version, organisations defending citizen and consumer interests can no longer complain to authorities or take judicial actions on behalf of many individuals whose privacy rights have been breached. Data protection authorities do not have the resources to investigate every individual complaint and people do not take individual legal actions, particularly for privacy breaches that are not visible. Without this collective redress right, effective enforcement will continue to be weak.
  • Data transfers outside the EU: privacy regulation privatised or handed to unaccountable public bodies:
    The Regulation opens the gates to a massive Trojan horse in these provisions, by specifically amending the articles that refer to privacy seals/trust-marks (called “certification mechanisms”) and to codes of conduct. Privacy seals and codes of conduct can be useful in providing guidance to specific sectors and providing extra information to individuals using a service. But they cannot be a guarantee of adequate privacy protections in a country where privacy enforcement is weak, particularly if the envisaged systems of monitoring and oversight are delegated to some private body. Furthermore public authorities and bodies can transfer personal information at will to public bodies outside the EU without any reference to data protection authorities or need for cooperation across the EU (the so-called consistency mechanism).
  • Serious implications for people’s health and human rights:
    The Council proposals would allow further processing of health data, including genetic data on a massive scale; indefinite retention of health data including genetic data such as whole genomes without people’s knowledge or consent; and sharing of this data with third parties, including companies such as Google, without people’s knowledge or consent, usually with names stripped off (pseudo-anonymised) but in a way which allows results to be reconnected to individuals later on, or combined with other data sets (e.g. social care, education).

 


European Digital Rights (EDRi) is a not-for-profit association of 33 digital civil rights organisations from 19 European countries. Our objectives are to promote, protect and uphold civil rights in the field of information and communication technology.

Privacy International is a registered UK charity, defending privacy as a human right and advocating for strong laws that protect privacy round the world; it is celebrating its 25th anniversary this year.

03 Jun 2015

General Data Protection Regulation: Moving forward, slowly

By Diego Naranjo

The discussions in the EU on the proposal for a General Data Protection Regulation (GDPR) are slowly advancing, but the final destination is still unknown. Commissioner Věra Jourová , who is responsible for Justice, Consumers and Gender Equality and has the task of ensuring the “swift adoption of the EU data protection reform”, has stated that EU Data Protection reform “is a win-win for consumers and businesses”, and that the red lines of the 1995 Data Protection Directive will remain untouched. However, latest developments in the Working Party on Information Exchange and Data Protection (DAPIX) have brought to the GDPR text new changes that may erode Jourová’s optimism.

In March 2015, EDRi published a set of leaked documents with the (then) latest texts from the EU Council. At the same time we published an analysis of the five main topics we thought were going below the safeguards that were set in the 1995 Data Protection Directive. Our analysis remains valid, unfortunately, for majority of the points we analysed, with some exceptions.

For example, Article 6 and recital 40 on lawfulness of processing of personal data have been touched in different ways. The list of requirements defining whether or not a further processing is compatible with the purpose the data was collected in Article 6 (3a) has become an open list with the insertion of the words “inter alia”. This makes it a broader definition which could add additional safeguards for the data subject. Going a bit further, Article 6.4 is likely to be deleted, since there seems to be a significant number of Member States that are pushing against it. This Article allows for “(f)urther processing by the same controller for incompatible purposes on grounds of legitimate interests of that controller or a third party shall be lawful if these interests override the interests of the data subject”.

The “one stop shop” mechanism is also a matter of concern. The original idea was to simplify complaints, creating a single point of contact for citizens and businesses bringing a transnational complaint. It would also ensure consistent application of the Regulation through the European Data Protection Board (EDPB), eliminating the current common practice of “forum shopping”. Based on the leaked documents, the current proposed text from the Council on the “one stop shop” mechanism would add several levels of bureaucracy. In the case of a transnational complaint, at least two data protection authorities would have to be involved and reach consensus to solve the case. This could lead to a fragmented implementation of the Regulation as the oversight role of the Board would be greatly reduced. Both citizens and businesses would then be left without the benefits of a swift, predictable and harmonised “one stop shop” mechanism. Finally, data Protection seals (certifications) and binding corporate rules should all be subject to the one-stop mechanism, at least in transnational cases. Otherwise they will offer the possibility to bypass the Regulation.

In the lead-up to the start of the trialogue meetings on this topic, we can only mention a few of the major issues here. In a meeting of the European Data Protection Supervisor with civil society actors (including EDRi, EDRi members Access and Bits of Freedom, as well as BEUC, Code Red, and Privacy International, see video below) on 27 May, we also addressed problems with the definitions contained in the GDPR, the seriousness of having profiling back in the exceptions of Art. 21 after it was taken out by the Parliament, the need for citizens to be able to have access to effective collective redress mechanisms, and problems with the transfer of data to third countries, including the Safe Harbour agreement.

Data protection reform timetable (01.06.2015)
http://www.eppgroup.eu/fr/news/Data-protection-reform-timetable

Latest consolidated text of the GDPR
https://edri.org/files/DPR2015feb/GDPR_consolidated1-June-2015.pdf

Statewatch: LIMITE document from the Council on Article 6 and recital 40 (26.05.2015)
http://www.statewatch.org/news/2015/may/eu-council-dp-reg-Art-6-ChapII-III-9082-15.pdf
Other documents obtained by Statewatch are available at
http://statewatch.org/news/2015/may/eu-dp-reg-may-2015.htm

EDPS meeting with civil society (EDRi, Access, BEUC, Bits of Freedom, Code Red, Privacy International)
https://secure.edps.europa.eu/EDPSWEB/edps/site/mySite/GDPR_civil_soc

Badly broken campaign: European data protection reform is badly broken (03.03.15)
https://edri.org/broken_badly/

(Contribution by Diego Naranjo, EDRi)

10 Sep 2014

Open letter to Google’s Advisory Council on the “right to be forgotten”

By Kirsten Fiedler

On 9 September, European and international civil rights organisations submitted an open letter (pdf) to Google’s Advisory Council on their assessment of the so-called “right to be forgotten”.

The groups urge the Council’s members to avoid inadvertently delaying the adoption of the data protection reform package. They remind the members of the urgent need for legal safeguards in cases where courts place unclear obligations on internet intermediaries to interfere with online communications (which cannot be replaced by the Council’s findings) and call on them to shed more light on the mission and objectives of this European tour.

As the ruling has been largely misrepresented by parts of the press, the letter first clarifies some of the misunderstandings that have circulated about the context and scope of the ruling:

When the CJEU ruled on the case, the press reported the decision as an example of a new “right to be forgotten,” even though such a right is not articulated in the legislation on which the ruling is based. The media coverage created the mistaken impression that Google would have to start deleting information from the internet (or its own index) whenever an EU citizen asked the search engine to do so, if information was irrelevant, inaccurate, outdated or excessive. The court specified that search results based on a person’s name are to be removed if the request meets the criteria laid out in the ruling. However, not only will the information remain on the internet, but it will remain in Google’s index.

The civil rights organisations then emphasise the need for a quick conclusion of the current data protection reform, not least because the Snowden revelations have shown that strong and reliable rules are crucial for citizens’ rights to privacy and data protection:

This need has been acknowledged by several companies, including Google, through their participation in the movement for global government surveillance reform. This movement recognises the need for governments to take action in order to protect their citizens’ safety and security and advises for the review of current laws and practices.

The full letter can be accessed here: https://edri.org/wp-content/uploads/2013/09/Open-Letter-to-Google-Advisory-Council.pdf

Signatories:
Access
ApTI
Bits of Freedom
Chaos Computer Club (CCC)
Digitalcourage
Digitale Gesellschaft
European Digital Rights (EDRi)
Initiative für Netzfreiheit
IT-Pol
Panoptykon Foundation
Vrijschrift

EDRi: Google’s right to be forgotten – industrial scale misinformation? (09.06.2014)
https://edri.org/forgotten/

EDRi: Google and the right to be forgotten – the truth is out there (02.07.2014)
https://edri.org/google-right-forgotten-truth/

EDRi: Good Lord! Lords forget their own right to be forgotten analysis (31.07.2014)
https://edri.org/good-lord-lords-forget-right-forgotten-analysis/

EDRi: Google now supports AND opposes the “right to be forgotten” (27.08.2014)
https://edri.org/google-now-supports-and-opposes-right-forgotten/
