11 Jan 2017

2017 – another extremely challenging year for digital rights


The agenda of the year 2016 for the protection of digital rights was filled with challenges, and it looks like 2017 is not going to be any easier.

Since the Digital Single Market is one of the priorities of the Maltese presidency of the Council of the European Union, we can expect more policy developments affecting citizens’ rights and freedoms online in 2017. In its work programme, Malta pledges to pursue talks on geoblocking, roaming fees, connectivity, high frequencies and cross-border portability.

While taking advantage of the single market to benefit the economies by scrapping trade barriers and providing European citizens access to services, it is crucial to keep the focus on improving data protection, freedom of expression and defending citizens’ right to privacy.


What were the crucial policy developments in 2016? What do we expect to happen in 2017, and what are our key priorities for the year ahead?

Data protection and privacy

In 2016, the European Parliament adopted the General Data Protection Regulation (GDPR) and the Law Enforcement Data Protection Directive (LEDP), which are set to enter into force in 2018. EDRi welcomed the overall positive outcome of the GDPR, but regrets that the initial high expectations were not realised. The Commission adopted the Privacy Shield adequacy decision that has already been challenged in front of the Court of Justice of the European Union (CJEU) and rejected by the European Parliament. The EU/US Umbrella Agreement, which was judged to be incompatible with EU law by the European Parliament’s legal service, was also approved.

As for 2017, e-Privacy will be one of EDRi’s main priorities. On 10 January, the European Commission published its proposal for the e-Privacy Regulation. This legislation is crucial to provide clear rules on tracking individuals as they surf the web, and freedom of communication more generally. To promote trust, privacy and innovation, the proposal needs significant improvement.


In 2017, we will provide input on discussions around cross-border access to evidence and the protection of encryption. We will also provide input on discussions around the Council of Europe’s Budapest Convention on Cybercrime, also with a particular interest in the hot topic of “access to evidence”. Weakening of procedural rules for access to communications data by foreign governments would obviously have major implications for privacy and security.

Net neutrality

In 2016, the Body of European Regulators of Electronic Communications (BEREC) published its guidelines on the implementation of European net neutrality rules. Thanks to our hard and persistent work, the guidelines reflect our recommendations quite well.

In 2017 we will keep on campaigning for net neutrality by providing input to discussions around the BEREC regulation, and monitoring the Telecoms Package review. In December, we reported on the success of one of our Austrian members in ensuring the effective implementation of the new rules.


Copyright

The current European copyright system is broken and must be changed. The European Commission has set in its agenda reforming copyright as one of the foundations to build the Digital Single Market. In 2016, the Commission issued a highly criticised draft legislation. The proposed Copyright Directive could not conceivably be worse, even including a proposal for upload filtering, despite the fact that the Court of Justice of the European Union has already rejected this approach.

In 2017, the European Parliament and Council will discuss the new proposal. We will closely follow the discussions and advocate for amendments to improve the parts of the text that can be improved and rejection of the parts that cannot.



23 Nov 2016

#5 Freedom not to be labelled: How to fight profiling


This is the fifth blogpost of our series dedicated to privacy, security and freedoms. In the coming weeks, we will explain how your freedoms are under threat, and what you can do to fight back.


Profiling: What is it and how does it work?

Algorithms gather data from your social media activities, emails, browsing history and so on. Now that the Internet of Things is becoming more and more widely used, it adds its share to the amount of information collected and stored. As a result of all this data available about your personality, preferences and activities, you can be labelled and placed in categories more and more easily.

These categories may or may not be correct. You might end up “mislabelled” and put into a wrong category. For example, according to a French government website, you might be in the process of being radicalised if you change your eating habits, leave full-time education or stop your sporting activities and stop watching TV. Of course, you might just be a student writing your thesis.

Research has shown, for example, that a person’s ethnic group, sexual orientation, religion or relationship status can be guessed surprisingly accurately simply by assessing their Facebook “likes”. These insights are possible even though many users avoid clicking on links that would obviously reveal these details.

Based on this “labelling”, decisions can be taken about you: if you will be selected for a job interview, or picked for a special security screening at the airport. Or you could be offered either a discount or higher prices for a service or a product.

How to claim back your freedom not to be labelled

If you believe that a profiling measure has produced legal effects or significantly affected you (creditworthiness, reliability, conduct), you can contact Data Protection Authorities (DPAs) to exercise your rights, such as the right to object to automated decision-making and the right of access to the information collected about you. Unfortunately, not all DPAs have a user-friendly approach, and filing a request can be fairly complex in some countries, such as Belgium. In other countries, such as France, the authorities offer a template-based model that simplifies the complaint procedure for their citizens. The new General Data Protection Regulation (GDPR), which is due to become binding law in all EU Member States in 2018, will strengthen and clarify both these rights and the ability of national data protection authorities to implement them.

Random Agent Spoofer is an add-on for the Firefox browser. It hinders browser fingerprinting (the collection of browser and device details that can be used to identify you) by letting you automatically switch between random browser profiles.

Self-Destructing Cookies is an add-on that removes general-purpose cookies once they are no longer used by any open browser tab. It also detects tracking cookies and removes them as soon as they are spotted.

$heriff lets you see differential pricing in real time.

In the web series “Do Not Track”, produced by ARTE TV in collaboration with Mozilla, you can discover more about profiling, for example how much data you provide when “liking” things on Facebook, and how that affects not only you but also your friends and relatives. Watch the third episode, “Like mining”, here:


What can politicians do to safeguard your freedoms online?

The rules on online privacy in the EU (ePrivacy Directive) will be soon updated. This law deals with privacy and confidentiality of communications for the entire EU, and it affects tracking and other issues related to your freedoms online. Are politicians ready to fight for your protection?

Read our previous blogposts here, and stay tuned to our next blogposts to know more about your freedoms online, and how they are threatened!

Read more:

6 times it’s more expensive to be a woman (12.04.2016)

Need a Reservation? That Could Depend On How Big You Are on Twitter (Really) (30.09.2010)

Is social profiling discrimination? (03.05.2012)

The dangers of high-tech profiling, using Big Data (07.08.2014)

Do Not Track: Episode 3 – Like Mining


12 Oct 2016

Corporate-sponsored privacy confusion in the EU on trade and data protection

By Maryant Fernández Pérez

After the “Privacy shield” was adopted on 12 July 2016, the European Commission started internal discussions about whether or not to include “data flows” and “data localisation” clauses in Transatlantic Trade and Investment Partnership (TTIP) and in the Trade in Services Agreement (TiSA). It appears that the European Commission Directorate-General for Justice and Consumers (DG Justice) initially accepted the inclusion of clauses on forced, unjustified “data localisation”, but not on transfers of data. However, according to EurActiv, DG Justice has backed down and accepted a weakening of its position on data protection and privacy in order to placate industry, after a campaign based on dubious assertions and backed up by the US government.

Now, the European Commission President Jean-Claude Juncker and the Vice-President Frans Timmermans seem to be prepared to defend core principles of EU law and the rights of EU citizens. They are allegedly blocking the “compromise” to water down protections because “the deal might poke holes in the EU data protection rules that are set to go into effect in 2018”. Weakening privacy and data protection of European citizens through the inclusion of “data flows” in trade agreements has global corporate sponsorship. The EU should resist. There are three main reasons for this:

1. Data flows must not be part of trade agreements

Trade negotiations are not suitable for shaping rules affecting the fundamental rights to privacy and data protection. If the EU was unable to ensure protections of fundamental rights in the Privacy Shield (see here, here and here), on what basis could it think that trade agreements would achieve a better result? Is the apparently ideological rush to include “data flows” in trade agreements worth the risk of making a dubious compromise that would put the whole agreement in doubt?

Data transfers are and can be ensured in other legal fora. Personal data flows are ensured in the EU legal framework by several mechanisms, such as binding corporate rules, model clauses, adequacy decisions or special arrangements, of which the EU-US Privacy Shield is an example, albeit not a stellar one. The General Data Protection Regulation (GDPR) even provides more alternatives to transfer data of EU citizens abroad, such as self-certification. In addition, the European Commission is expected to issue a “Free flow of data initiative”, apparently only for commercial data.

2. Including data flows in trade agreements like TTIP or TiSA would have huge implications

On 13 July 2016, the University of Amsterdam issued an independent study that EDRi, BEUC, TACD and CDD commissioned in order to ascertain whether fears with regard to both privacy and data protection in trade agreements were founded. The study concluded the risks are real, and a great deal of effort needs to be put into making trade agreements data protection- and privacy-proof. This is our take:

Unless parties want to change their legal framework to truly protect human rights online, trade agreements’ vague commitments to protect data protection and privacy will be meaningless in practice.

Exceptions and safeguards protecting personal data and privacy are being suggested as a means to address the concerns about fundamental rights. However, these clauses can only be activated if certain conditions are complied with, such as:

  • that privacy and data protection measures cannot be inconsistent with other obligations of the agreement. Would the EU legal measures on data protection be inconsistent with the obligation to ensure “a free flow of data”? According to the lobby group CCIA, the response could well be “yes” (cf. “Europe might want to consider whether its 20th century localised data protection framework is well suited in the 21st century interconnected digital world”). To guard against such extreme positions, the European Parliament asked the Commission not to include such conditionality; or
  • that privacy and data protection measures should take “international standards” into consideration. As the EU is a standard setter in privacy and data protection, this creates the risk of a race to the bottom and could prevent other countries from adopting measures which defend privacy and data protection as much as (or more than) the EU.

Even if trade agreements had strong exceptions and safeguards, they could be undermined by:

  • trade dispute settlement mechanisms of trade agreements, as the Charter of Fundamental Rights will obviously not be considered; and by
  • national security exceptions. Trade agreements contain exceptions on “essential security interests” that establish that nothing in the trade agreement shall prevent any Party to the agreement from adopting measures to protect “essential security interests”. This means that if a party to the agreement wanted to conduct mass surveillance, for example, the trade deal would not ensure the protection of the privacy and personal information of individuals. This is very worrisome, as the Snowden revelations and other scandals have shown. The European Parliament has warned the Commission that their consent to TTIP could be endangered if “US blanket mass surveillance activities are not completely abandoned”.

Conditions, suspensions or prohibitions of transfers of EU citizens’ personal data outside the EU must be possible if fundamental rights are violated or circumvented, as the European Parliament has proposed to the Commission. This position is absent from all of the clauses seen in current trade proposals. In fact, the EU is currently negotiating on trade agreements whose drafts include provisions on data protection that are fundamentally broken. The existence, application or enforcement of the laws adopted by the Parties to a trade agreement relating to their fundamental rights requirements must not be considered as a violation of any trade agreement.

3. Blackmail tactics of industry lobbyists

The hollow-sounding and specious arguments that the “global tech sector” uses, such as that it takes “the fundamental right to privacy very seriously”; that without data flows (as if they would suddenly, mysteriously, stop) no trade agreements will or can be concluded; or that the EU could be perceived as “data protectionist”, are far from credible. Even some industry actors (e.g. eBay) have admitted to the Commission that the inclusion of data flows is not a priority for them, because they rely on binding corporate rules to transfer data of EU citizens.

Having lobbied unsuccessfully against the General Data Protection Regulation (GDPR), having successfully lobbied for a flawed, inevitably temporary “Privacy Shield”, having incomprehensibly asked the Commission to repeal the e-Privacy Directive, it is understandable that industry lobbyists, backed by the US government want to:

  • ensure there are legal means available to challenge privacy and data protection measures, with the weak excuse that fundamental rights are barriers to trade;
  • prevent other countries from adopting high standards on data protection and privacy; and
  • make sure that whatever protections of privacy and personal data remain are contingent on a nebulous and unpredictable understanding of “necessity” and “proportionality” in trade agreements, whereby fundamental rights will always be deprioritised compared with trade concerns.

It is also understandable that, after hearing that the Commission was opposed to including data flows, they stepped up their lobbying and resorted to “independent” “think tanks” like ECIPE to multiply their message.

The European Commission should do better. As Evgeny Morozov argues, when policy is dictated by corporations, the protection of your privacy starts being seen as a barrier to economic growth. By defending the protection of privacy and personal information of all, the EU will gain influence and credibility. Data protection and privacy are not barriers to trade. Quite the opposite: privacy is an asset for economic growth; it is a business opportunity to regain trust. Making empty assurances and general statements that are not reflected in the actual text of the agreements will not be enough. The European Parliament has strongly reiterated this approach and even asked the Commission to “immediately and formally oppose the US proposals on movement of information”.

This is exactly what the EU should do.


05 Oct 2016

The ePrivacy reform: Frequently asked questions


Original version here (English)

What is the ePrivacy reform?

The Directive on privacy and electronic communications (also known as the ePrivacy Directive) is a directive that deals with specific privacy and data protection issues in the field of electronic communications. It was adopted in 2002 and revised in 2009. The official text of the current version can be found here. It is now under revision again and is being updated in the form of a Regulation by the EU Parliament, Commission and Council.

Why do we need this Regulation?

The ePrivacy Directive was originally created to protect privacy and personal data in the field of electronic communications by “complementing and particularising” the areas already covered by the main legal instrument, the Data Protection Directive (which now applies as the new General Data Protection Regulation, GDPR). For example, the ePrivacy Directive protects the confidentiality of the content of communications and the data stored or processed on private devices. The GDPR has so far not explicitly guaranteed this.

Confidentiality of communications is a very complex subject, as it concerns not only your right to privacy and communication, but also freedom of communication and freedom of expression in general. If these fundamental rights are not put into a legal framework, there is a danger that, due to the complexity of the matter, the protection of confidentiality and the security of communications will become unpredictable and ultimately enforceable only with great difficulty. The absence of explicitly formulated rules also makes it harder for companies to offer new and innovative services.

Isn’t the General Data Protection Regulation (GDPR) enough?

Although the GDPR already outlines a number of data protection issues, it lacks concrete and precise wording guaranteeing the right to privacy and, in particular, the right to freedom of communication, both of which are inalienable fundamental rights. The ePrivacy Regulation is therefore needed to guarantee verifiable and effective protection of these rights, since they are not clearly covered by the existing instrument. Furthermore, the ePrivacy Regulation also addresses activities in which the transfer of personal data is not the primary concern, such as the sending of unsolicited messages (for example spam and personalised advertising). It is also intended to create a framework so that the security of information stored on private devices can be guaranteed. It is important to keep in mind that the draft ePrivacy Regulation is not about creating new laws, but merely about complementing the laws that already exist, for the benefit of individuals and businesses alike.

There is a growing need to create a legal framework for the protection of privacy and personal data in the field of electronic communications. Practices such as the tracking of online activities or the monitoring of e-mail traffic for marketing purposes are flourishing, while telecommunications companies emulate internet companies in collecting the customer data entrusted to them, including location information, and turning it into hard cash. It is also necessary to update the ePrivacy rules regularly in order to keep pace at all with technical developments, such as the use of instant messengers instead of SMS and e-mail.

Which fundamental rights are affected by the draft ePrivacy Regulation?

  • The fundamental right enshrined in Article 7 of the Charter protects the right to confidentiality of communications. The new text, which will update and improve the ePrivacy Directive, should make expressly clear that this fundamental right also covers all data generated by online activities and communication on the internet. This also concerns traffic and location data, as currently defined in the ePrivacy Directive. Moreover, it should be applicable to all other data arising from internet activities. This includes location data, browsing data, e-book usage data, apps, search histories etc. and any further data derived from them. The new Regulation should also bring clarity on what privacy by default and privacy by design entail.
  • Article 8 of the Charter protects the fundamental right to freedom of expression and the protection of personal data. For EU citizens today, the easiest way to access information is, above all, the internet. To keep this possibility open, the revised Regulation should prohibit forced consent to the tracking of online activities and the resulting profiling and automated decision-making (for example, it is often not possible to access the content of websites without allowing cookies in the browser). This is particularly important when accessing information that involves sensitive data, or when using the websites of public authorities.

Which subject areas does the ePrivacy reform cover?

  • Confidentiality and security of communications
  • Traffic and location data generated by the use of private devices
  • Tracking of users, including through the use of private devices (e.g. for the purpose of behavioural and personalised advertising)
  • Cookies
  • Security measures on private devices
  • Itemised billing
  • Calling line identification
  • Public and private directories
  • Spam and unsolicited telephone calls for marketing purposes
  • Data breach notifications (later specified by EU Regulation 611/2013)

Which areas should be updated?

All aspects of the ePrivacy Directive that concern online activities (such as the confidentiality and security of communications and private terminal devices, as well as the tracking of users) must be brought up to date in order to do justice to new and possible future technological developments. The rules on itemised billing, user directories and unsolicited communications must be reassessed to ensure that they are still consistent with the GDPR. Some aspects, such as the handling of data protection breaches, do not require specific legislation and can be removed. This can be achieved by referring to the GDPR, thereby avoiding redundancies.

I am already annoyed by cookie notices on websites. Will the new Regulation bring even more of them?

At the moment, the ePrivacy Directive tries to give users more control over online tracking, but does so in a relatively rudimentary way. Experience and technological developments have shown that the existing regulatory provisions of the ePrivacy Directive should be improved in order to achieve greater user-friendliness and thus greater acceptance.

Cookies are only one of the ways of leaving traces while surfing the internet. Cookies are, so to speak, small pieces of information that are automatically stored on your device when you visit websites. The improved rules on cookies in the ePrivacy Regulation are intended to allow more comfortable browsing by removing the consent obligation for cookies that do not involve the collection and further processing of personal data, such as the tracking of users and devices by third parties. This would apply, for example, to statistics on the use of a website collected by its owner (“first party analytic cookies”) which do not unnecessarily pass on personal data. In general, we refer in this regard to the guidelines on cookies proposed by the Article 29 Working Party.

How does all this relate to protection against mass surveillance?

It can be assumed beyond dispute that the use of electronic devices (such as smartphones, tablets and personal computers) and related internet-connected technologies (such as the Internet of Things) will continue to increase in the future. On the one hand, this development brings new opportunities for online communication; on the other, it entails risks for confidentiality and other fundamental rights. Many companies and providers are usually involved in online communications, which take place across many national borders without most users being fully aware of it.

We agree with the European Data Protection Supervisor (EDPS) that the number and frequency of requests made by governments to internet service providers (Twitter, Gmail and all the others) should be made public, so as to give individuals the opportunity to get a clearer picture of the extent to which these procedures are used in practice. If the public knew more about its government’s behaviour in this respect, it would find it easier to hold it accountable. Greater transparency in this context would help to regain people’s trust in the electronic communications sector.

How is the security of my electronic devices, such as my smartphone, affected?

The obligations enshrined in the GDPR relate primarily to the transfer of personal data, whereas the ePrivacy Directive aims very specifically at guaranteeing the security of our online communications. Not only providers of electronic communications (e.g. telecommunications companies) should be held responsible, but also, for example, app developers and retailers of electronic devices. The companies behind the apps and devices are often not the only actors who can be held legally liable, but given their great importance for protecting the security and confidentiality of private communications they should become subject to security provisions. Specifically, we refer here to the recommendation of the Article 29 Working Party, published in August 2014 in Opinion 8/2014 on the Internet of Things, to subject manufacturers of operating systems and terminal devices, as well as other relevant stakeholders, to security and privacy provisions.

05 Oct 2016

e-Privacy Directive: Frequently Asked Questions

By Diego Naranjo

(This article is also available in German and French)

What is the e-Privacy Directive?

The e-Privacy Directive (ePD) is a Directive covering specific privacy and data protection issues in the electronic communications sector. It was adopted in 2002 and revised in 2009. The official text of the current version can be found here.


Why do we need this instrument?

The ePD was created to ensure privacy and to protect personal data in the electronic communications sector by “complementing and particularising” matters covered in a general way by the main legal instrument, the Directive on Data Protection, now the General Data Protection Regulation (GDPR). For example, the confidentiality of the content of communications and information which is stored or accessed on an individual’s device is protected under the ePD. The GDPR does not specifically cover this.

Confidentiality of communications is very complex. It covers not just your right to privacy and data protection, but also your freedom of communication and freedom of expression. Without legislation providing clarity on what these fundamental rights mean in this complex environment, the protection of confidentiality and security of communications would be less predictable and less enforceable. Lack of precise rules also makes it more difficult for companies to develop new and innovative services.

Isn’t the General Data Protection Regulation (GDPR) enough?

Although the GDPR covers many issues related to data protection, it does not cover, directly and precisely, the right to privacy and, in particular, the right to freedom of communication, which are two distinct fundamental rights. Therefore, the ePD is a necessary layer of precision to ensure predictable, effective protection of rights that are not covered precisely enough in the GDPR. Furthermore, the ePD also covers activities for which the processing of personal data is not the main issue at stake, such as the sending of unsolicited messages (for example email spam or direct marketing). It also provides a framework for protecting the security of information stored on an individual’s device. It is important to remember that the ePD is not about creating new rights, but about complementing existing rules, for the good of individuals and businesses alike.

The need for legislation on privacy and security of personal data in the electronic communications sector is increasing. Online tracking and the monitoring of e-mails for advertising purposes are on the rise, while telecommunications companies try to emulate internet companies by cashing in on the masses of customer data they hold, including location information. Furthermore, the ePD needs to be updated to meet the latest technological developments, such as the use of instant messaging instead of SMS or e-mail.

Which fundamental rights are affected by the ePD?

  • The fundamental right to confidentiality of communications, enshrined in Article 7 of the Charter

The new instrument replacing or revising the ePD should expressly clarify that this principle applies fully to data relating to online activities and communications, including traffic and location data as currently defined in the e-Privacy Directive. Furthermore, it should also apply to any similar data created or used in the online environment, such as location data, browsing data, e-book usage patterns, mobile app use, search queries, etc. and any new data produced therefrom. The new instrument should also bring clarity with regard to the implementation of privacy by design and by default in this context.

  • The fundamental rights to protection of personal data and freedom of expression, as enshrined in Article 8 of the Charter

For most people in the EU, the easiest way to access information is via the internet. To protect this, the revised instrument should ban obligations to consent to the tracking of one’s activities and the subsequent profiling and automated decision-making (for example by having to accept cookies before being allowed to enter a website). This is particularly important when accessing information on issues linked to sensitive data or when accessing websites or services provided by the public sector.

What activities are covered in the ePD?

  • the confidentiality and security of communications
  • traffic and location data produced by personal devices
  • tracking of users, including by using personal devices (e.g. for behavioural advertising purposes)
  • cookies
  • security measures in personal devices
  • itemised billing
  • calling line identification
  • public and private directories
  • spam and unsolicited calls for marketing purposes
  • data breach notifications (later specified by EU Regulation 611/2013)

Which aspects need an update?

All aspects of the ePD related to online activities – such as the confidentiality and security of communications and personal devices, and the tracking of users – need to be updated to correspond to new and potential future technological developments. The rules on itemised billing, directories of users, and unsolicited communications need to be reassessed, to check if they are in line with the GDPR. Some of its aspects, such as how data breaches should be dealt with, do not require specific legislation and can be removed. These could instead be handled by referring to the GDPR, to avoid redundancy.

I am tired of banners telling me to accept cookies. Will this bring more of these?

The ePD currently tries to give users some control over online tracking. However, it does so in a rather blunt way. In light of experience and technological developments, the provision regulating cookies in the ePD should be refined and allow for user-friendly mechanisms for expressing consent.

As we have explained in a previous blogpost, one of the ways you leave digital traces behind while surfing online is through cookies. They are bits of information that get automatically installed on your device while you visit websites. Revised rules regulating cookies in the ePD should allow smoother browsing by removing obligations for consent for cookies that do not involve the collection and further processing of personal data, such as the tracking of users and devices via third parties. This would apply, for example, to statistics collected by the owner of a website on which parts of the website are visited the most (“first party analytic cookies”), where this does not involve unnecessary processing of personal information. Generally, we refer to the guidelines on cookies issued by the Article 29 Working Party in this regard.

How is this connected to the protection from mass surveillance?

We can unquestionably expect an expanding use of personal electronic devices (like smartphones, tablets, personal computers) and related technologies that are connected to the Internet (for example the Internet of Things). This development creates new opportunities for communicating online, but also bears risks for confidentiality and other fundamental rights. Online communications often involve many parties and cross national borders, without users being fully aware of these facts.

We agree with the European Data Protection Supervisor (EDPS) that the number and frequency of requests from governments to internet services (Twitter, Gmail and any others) should be made public so that individuals get a clearer picture of how these invasive government powers are used in practice. If the public is aware of the government’s conduct, it will be in a better position to hold the government accountable. More transparency in this context could therefore help with restoring people’s trust in the electronic communications sector.

How does it relate to the security of my electronic devices, such as my smartphone?

The GDPR includes security obligations when it comes to the processing of personal data, while the ePD allows for the inclusion of security obligations that are more specifically tailored to our online communications. These security obligations should not only apply to electronic communications providers (telecoms), but should also cover, for example, app developers and the suppliers of individuals’ electronic devices. The companies behind apps and devices are not always the main legally responsible actors. However, given their important role in protecting the security and confidentiality of personal communications, they should also be subject to security requirements. More specifically, we refer to the recommendations about security and privacy requirements for operating system suppliers, device manufacturers and other relevant stakeholders issued by the Article 29 Working Party in its Opinion 8/2014 on the Internet of Things.


This FAQ has been prepared jointly by the EDRi Brussels office and EDRi members Open Rights Group, fIPR, Bits of Freedom, Access Now, Panoptykon and Privacy International.

27 Jul 2016

Massive lobby against personal communications security has started

By Joe McNamee

Since 2002, European citizens’ freedom of communication, the security of our communications devices, and the protection of our personal data in the online world have been safeguarded by the so-called e-Privacy Directive. This Directive is now up for renewal. Unsurprisingly, after the big online companies launched probably the biggest ever lobbying campaign to undermine the EU’s general privacy legislation, the General Data Protection Regulation (GDPR), they’re now attacking this legislation – this time joined by telecoms providers.


The online companies want to protect their ability to track people as they use the internet. They want to protect their ability to use data from apps to discover where people are going in the offline world and to be able to use this data to create profiles. Already, with data from just three hundred clicks on Facebook “like” buttons, researchers have shown that they can develop a better insight into your personality than anybody you know – better than your spouse, your siblings or your family. Telecoms providers look at all of this information and the huge profits the online companies are making out of it. They look at the protection that the e-Privacy Directive gives to their customers and cry that this is unfair. They want to make money out of it too – they have information about our location, about our movements, about our friends, about the businesses we communicate with. Why can’t they spy on us too? It is for our own good, after all.

As a result, an impressive-sounding twelve trade associations signed a letter demanding that the protection to our freedom of expression and communication should be repealed. Apparently for comedy value, the letter calling for removal of the only EU legal instrument protecting the confidentiality of communications was entitled “Empowering trust and innovation by repealing the e-Privacy Directive”.

The list of signatories to the letter seems impressive until we realise that it is just a small number of companies mobilising them. This is very much in line with the lobbying on the General Data Protection Regulation: the key industry players used various methods to make sure their arguments were repeated by lots of different voices, to create the impression of broad opposition to the legislation. In the case of this letter, Google, for example, is a member of exactly half of the signatory associations – the App Developers Alliance, Interactive Advertising Bureau, Computer and Communications Industry Association (CCIA), Digital Europe, the European Digital Media Association (EDiMA) and the European Internet Service Providers Association (EuroISPA).

Shockingly, the European Coordination Committee of the Radiological, Electromedical and Healthcare IT Industry (COCIR) also signed up to the call for the repeal of the privacy rules. What interest do they have in removing rules on placing software on users’ devices? What aspect of the protection of confidentiality of communications worries them? We don’t know. We do know that its members include Deutsche Telekom’s subsidiary T-Systems. Deutsche Telekom is also a member of the signatory associations European Telecommunications Network Operators’ Association (ETNO) and the GSM Association (GSMA).

Between now and November 2016, the European Commission will decide how it will update the e-Privacy Directive.

Joint Industry Statement: Empowering trust and innovation by repealing the e-Privacy Directive (05.07.2016)

EDRi: Data Protection Reform – Next stop: e-Privacy Directive (24.02.2016)

(Contribution by Joe McNamee, EDRi)



05 Jul 2016

PROCEED WITH CAUTION: Flexibilities in the General Data Protection Regulation

By Diego Naranjo

We regret that much of the ambition of the original data protection package was lost, due to one of the biggest lobbying campaigns in European history. However, we congratulate the European Parliament for saving the essence of European data protection legislation.[1]

On 14 April 2016, the European Parliament adopted two legal instruments that will regulate the fundamental right to data protection of individuals: the General Data Protection Regulation (GDPR) and the Law Enforcement Data Protection Directive (LEDP).

Despite the overall positive outcome of the GDPR, we regret that many of the initial high expectations for the Regulation were not realised. Once the final text was passed, and ahead of the preparation of guidelines for its implementation, we have published two documents where we analyse the numerous national flexibilities contained in the text of the Regulation. The results can be found here (the full analysis of all the flexibilities) and here (short document with the most dangerous flexibilities).


The analysis looks at the key pitfalls to be avoided in transposing these national flexibilities into Member State law. The task is huge, bearing in mind that there are almost as many provisions under which Member States can implement the Regulation differently as there were articles in the preceding Data Protection Directive. Some of the flexibilities are harmless, but many others could be perceived by governments as opportunities to ignore essential elements of the Regulation.

We hope that this analysis can help national governments and data protection authorities to implement the GDPR in a way which protects the essence of the right to data protection, by adopting the most privacy-friendly interpretation of these flexibilities.

Although this analysis is a shared effort of several EDRi members and EDRi staff, we would like to give our heartfelt thanks to Chris Pounder for the initial analysis of flexibilities in the Regulation and Douwe Korff for his extensive assessment of the options available.

[1] Press Release: Vote on Data Protection and Passenger Name Record package (13.04.2016)


01 Jun 2016

The lobby-tomy 7: Not all roads lead to privacy

By Guest author

Within the privacy world, different schools of thought exist. Connecting different viewpoints to a seemingly positive ideology is also a sales technique.

The new European data protection regulation is the most lobbied piece of legislation thus far. This is because the subject is very important and touches upon almost every aspect of our daily lives. Therefore EDRi member Bits of Freedom used the Dutch freedom of information act to ask the government to publish all the lobby documents they received on this new law. Bits of Freedom published these documents on their website with their analysis in a series of blogs. What parties lobby? What do they want? What does that mean for you? These nine articles are now translated into English for the EDRi-gram. This is part 7.

If one school of thought has successfully been put in the limelight, it is the “risk-based approach”. It means that when policy makers formulate obligations for industry, they should take the identifiable risks of data processing into account. Strict obligations should only accompany identified large risks. But that can’t be an excuse to create a lower level of protection for people.


If we read the lobby letters correctly, one of the most important offices behind this approach is the “Centre for Information Policy Leadership” of Hunton & Williams LLP. Although the term is older, they launched a “risk based approach framework” in January 2014, after which the subject has resurfaced repeatedly.

The data protection regulation creates new obligations for organisations that plan to process a certain quantity of data. An organisation is for example required to do a “privacy impact assessment” before processing data, in which it will have to evaluate the consequences of the processing for people’s privacy. In some cases, the processing should be notified to the data protection authority. Apart from that, organisations should have a data protection officer, who handles supervision of all privacy related issues internally. Furthermore, organisations are required to notify data breaches to anyone connected to the data.

Companies are not happy about this. We already mentioned in a previous blog that these are the themes that have been lobbied on the most. They say, briefly: allow us to only fulfill those obligations if it’s to mitigate large and already identified risks.


It isn’t surprising that many of the “usual suspects” support this risk based approach. TechAmerica Europe, an organisation that represented the interests of European technology companies “with American parentage”, strongly supported this. Banks also welcome such an approach, as shown in their email to the Dutch embassy to the EU – the so-called “permanent representation”. Thuiswinkel.org, a Dutch e-commerce company, says in an email to the Dutch Ministry of Justice: “The current reforms are not adequate enough in the eyes of Thuiswinkel.org, in particular because the proposals lack a ‘risk-based’ approach.” Even the Royal Academy for Sciences seems to be a proponent of this approach.


To strengthen their arguments, different parties use “commitment and consistency”. The trick here is that people like to present one unambiguous image of themselves, so they will want to act in ways that are congruent with their earlier statements. Therefore, the Centre for Information Policy Leadership uses statements by influential politicians from the group of people they are trying to influence, who have been positive about the risk based approach.

In a letter by the Centre for Information Policy Leadership to the Ministry of Justice European Commissioner Viviane Reding is quoted as a proponent of the risk based approach, just like the Council of Ministers that the letter aims to convince. You were in favor of a risk based approach right? Then you should also agree to our demands. The former European Data Protection Supervisor Peter Hustinx once made positive statements about this approach, and these are quoted quite happily in a letter by the Industry Coalition for Data Protection (ICDP) to the Ministry of Justice:
“ICDP strongly agrees with the European Data Protection Supervisor Peter Hustinx that data protection legislation is most effective when it follows a risk-based approach.”


A risk based approach can’t be an excuse to evade important obligations, as the committee of privacy watchdogs in Europe stated. A well-described liability based on agreed criteria can ensure that companies keep privacy protection in mind at an early stage of data processing or planning. Those criteria should obviously be proportionate, so a sole trader that serves only fifty customers per year shouldn’t be required to send a privacy impact assessment to the data protection authority every week or to hire a data protection officer (not that anyone ever suggested that, it has to be said). But we should also be wary of abuse. For example, Digital Europe, a lobby organisation for digital businesses, wants to make sure that companies can decide for themselves what constitutes risk. That would make evading supervision very easy.

Privacy schools of thought

Connecting your viewpoints to clear schools of thought can help your cause. That’s why more schools of thought than the “risk based approach” are mentioned in the lobby documents. Vodafone wants a more “principle based” approach, which means they want more flexibility. Yet other companies mention the “harm based approach”, the “use based approach”, the “precautionary based approach” and others.

Whatever school of thought one prefers, no one can currently predict the risks well, particularly in a world of “big data”. What we do know is that more data will be collected and will be increasingly used. This makes every choice we make now only more important for privacy protection in the future.

To be continued

Want to continue reading about this? On the Bits of Freedom website, you can find all the lobby documents and the analysis. The next part will be about the anti-fraud argument.

Lobby-tomy series (only in Dutch)

(Contribution by Floris Kreiken, EDRi member Bits of Freedom, The Netherlands)



17 Dec 2015

EU Data Protection Package – Lacking ambition but saving the basics

By Heini Järvinen

Statement of European Digital Rights (EDRi), Bits of Freedom, Digitale Gesellschaft e.V., Open Rights Group (ORG), Digital Rights Ireland and Privacy International following the vote of the European Parliament’s Civil Liberties Committee on the Data Protection

In January 2012, the European Commission, following extensive consultations, published a draft Regulation and a Directive to create a strong framework for data protection in the EU. The initiative had three priorities – modernisation of the legal framework for the protection of personal data, harmonisation of the rules across the EU, and maintaining existing levels of protection. Underpinning this was an attempt to enhance individuals’ rights and put them more in control of their personal information, as well as to make enforcement more effective – both of which are major failures of the current legislation.

“Faced with possibly the world’s biggest ever lobbying onslaught, this agreement appears to have saved the essential elements of data protection in Europe. Sadly, there is little left of the initial ambition of the proposals”, said Joe McNamee, Executive Director of European Digital Rights. “At several moments in the past four years, it appeared that the proposals were crumbling, so today’s vote represents an impressive achievement by politicians from all major political families and by civil society.”

The objective of modernisation has been achieved only partially – resisted by industry groups who want to stay in the last century. One of the key elements of modernisation, profiling, has not been dealt with thoroughly. The differentiation of “explicit” consent for sensitive data and “consent” for other processing of personal data will not help when enforcing the Regulation. The failure to properly reform the foggy notion of processing of data on the basis of the “legitimate interest” of the controller is a missed opportunity, even though we are happy that some safeguards were added.

More importantly, harmonisation has become a parody of its original intentions. The existing Directive consisted of 34 articles. The final text has more permissible exceptions than the previous legislation had articles. In addition, Article 21 (on exceptions for public policy reasons) has broadened the list of articles that can be subject to a national opt-out.

Overall, the data protection package has achieved the bare minimum standards which were possible in the current political scenario. The final texts are somewhat better than what was proposed by the EU Council and some European Parliament Committees, but fall well short of the ambition of the initial proposals. EDRi, Bits of Freedom, Digitale Gesellschaft e.V., Open Rights Group, Digital Rights Ireland and Privacy International appreciate the work of the co-legislators to defend the proposals. We now must turn our attention to the next challenges – implementation of the new legislation, the reform of the e-Privacy Directive and preparing litigation, where necessary, to ensure that our fundamental rights are defended.

“It is staggering that it was so hard to come up with essential rules of the road. All of this occurred at a time when there are increased concerns about surveillance and unprecedented levels of security breaches. Yet data-hungry companies and governments, and poor technology designs continue to make our personal data vulnerable”, Anna Fielder, Chair of Privacy International added. “Now we have a legal instrument to hold the powerful to account. We are going to use this legal regime to help empower citizens and consumers. And we are going to test it against emerging business models, ambitious and delusional government programmes, and any system that takes control away from the individual.”


Read more:

General Data Protection Regulation: Document pool

Data Protection Directive on law enforcement: The loopholes (18.11.2015)

ENDitorial: The EU’s data protection reform – a lost opportunity? (04.11.2015)

European Commission will “monitor” existing EU data retention laws (29.07.2015)

For additional information, please contact:
Theresia Reinhold
Tel: +32 2 274 25 70


16 Dec 2015

Data protection package concluded – 1420 days after being launched

By Joe McNamee

On 15 December 2015, three years and ten months after the package was launched, the General Data Protection Regulation (GDPR) and Directive on Data Protection in Police and Justice matters were finally completed.

The reform package was launched in order to enhance data protection rights and improve their enforcement. Up until now, data protection in police and justice matters was regulated by a narrow “framework Decision” adopted by the EU Council in 2008. General data protection was regulated by a Directive from 1995.


Instead of a “framework Decision” that only covers data in relation to police and judicial “cooperation”, the new Directive covers data protection in police and justice matters more generally. Instead of a Directive, which is implemented by 28 different national laws, the new legislation is a Regulation, which will be directly applicable across all of the EU. This should greatly, but not completely, reduce disparities between interpretation of data protection law in the EU.

One of the biggest headline-grabbing innovations in the Regulation is a detailed explanation of the already-existing right to demand deletion of one’s own personal data. This right has now unfortunately been renamed the “right to be forgotten”, which gives a misleading impression of its meaning. It does not mean that your online history can be deleted or that newspapers can be obliged to change their archives. Individuals have no “right to be forgotten.” Within the limits of safeguards for freedom of expression, the new Regulation describes the conditions under which individuals can ask for deletion of their data.

Another innovation was the addition of obligations on notification of data breaches to the data protection authorities and to affected individuals. The necessity for such obligations has become very clear in recent months, with several major data breaches hitting the headlines, such as the Ashley Madison and TalkTalk cases. As with the rest of the proposal, this was subject to heavy lobbying. Individuals now only have to be notified if there is “likely” to be a “high risk” to their rights.

The concepts of “data protection by design” and “by default” were also added to the Regulation. The purpose here is to ensure that data protection is a priority that is included in the design phase of a new product and that, by default, only data which are necessary are processed for the particular task at hand.

Various attempts were made by the European Commission and the European Parliament to improve predictability of how and when data will be used. For example, explicit consent for data processing was initially suggested. While this was rejected, the text has added some improvements as regards the consent that does have to be provided.

The package, and the Regulation in particular, was subject to a huge amount of lobbying, much of which was based on misunderstandings and misrepresentations. The result is that the overall package is less clear and less protective of personal data than it could – and should – have been. However, compared with the potentially disastrous positions taken by some of the European Parliament’s committees and by the EU Member States in the Council of the European Union “general approach” adopted in June 2015, the outcome is vastly better than it could have been.

Council of the European Union: General Data Protection Regulation, general approach (11.06.2015)

Council of the European Union: Directive on Data Protection in Police and Justice matters, general approach (02.10.2015)

European Parliament: General Data Protection Regulation, first reading position (12.03.2014)

European Parliament: Directive on Data Protection in Police and Justice matters, first reading position (12.03.2014)

EDRi: General Data Protection Regulation: Document pool

EDRi: Everything you need to know about the Data Protection Regulation

EDRi: Everything you need to know about the Data Protection Directive for Law Enforcement

(Contribution by Joe McNamee, EDRi)