04 Nov 2015

ENDitorial: The EU’s data protection reform – a lost opportunity?

By Diego Naranjo

“Someone who knows things about us has some measure of control over us, and someone who knows everything about us has a lot of control over us. Surveillance facilitates control.”

– Bruce Schneier, cryptographer and security expert

When the European Union talks about modernising EU rules on data protection in the digital age, the most important challenge is unquestionably “big data”, and the most important challenge of big data is profiling.

................................................................. Support our work - make a recurrent donation! https://edri.org/supporters/ .................................................................

Big data is not “more data” – big data is the massive merging of data to generate more data, more assumptions and more knowledge about you and me. If you are this age, went to this website and bought that product, big data will predict that you can be offered higher prices, or you shouldn’t be offered insurance, or you might vote in a particular way. Innocuous morsels of personal data interact and become pregnant, producing offspring that could be anything but harmless. The “I’ve nothing to hide” argument never made much sense, but it makes no sense at all in a world where you have no idea what guesses are being made on the basis of the data that you know about.

Our devices are feeding information into large databases 24/7: Our mobile devices gather and send information about our movements while we walk.. Many of the apps installed in our phone demand unnecessary access to our contact list. Our home smart meters will know when we get home after work and if we have guests. Our search engine keeps records of our interests and fears. Facebook has successfully experimented with its power to make people happier or sadder, and even to make them more (or less) likely to vote. Professionals called “data brokers” collect and aggregate personal data from a wide range of sources to create detailed profiles of individuals which are then sold to third parties.

So, how do the proposed new EU rules (the General Data Protection Regulation, GDPR) address this huge new challenge? Not very well. First, the article dealing with profiling (Article 20) was weak in the European Commission’s initial proposal, was diluted by the European Parliament and eviscerated by the Council of the European Union. The current Council text says that data subjects, the individuals to whom the collected personal data relates, cannot oppose to the profiling itself only to “decisions based solely on automated processing, including profiling”. Therefore, if there is a profiling activity but no formal “decision” has been made, or if that automated processing and profiling is only part of the process and not the sole basis for the decision, there would be no specific right to object under EU data protection law.

Flanking protections, which could normally be relied upon, even if profiling and decision-making rules were weak, have also been diluted: Data-minimisation becomes “not excessive” data processing. Access and rectification become problematic when profilers can hide behind their algorithms as “trade secrets” or pseudonymisation. “Purpose limitation”, the principle that data must be collected for specified, explicit and legitimate purposes only, is undermined by watery compromises on what “compatible use” might be, while the need for the user’s consent can be bypassed by the open-ended “legitimate interest” loophole.

If this had not watered down the safeguards enough, profiling has been re-inserted into the list of exceptions for which Member States may restrict rights and obligations for purposes related to “national security”, “defence”, “public security” and, for fear that these provisions were not vague enough, “other important objectives of general public interests of the Union or of a Member State”. This, in practice, allows national governments to circumvent EU data protection law and allow profiling when the goal is allegedly linked to any of these ill-defined goals.

A harmonised, modernised legal instrument for the EU is more necessary than ever. The GDPR needs to be future-proof and needs to have strong safeguards without loopholes. The current negotiating text of the GDPR looks like set to fail its biggest test. If the ongoing negotiations between the European Parliament and EU Council do not resolve these and other problems, we might be facing the loss of a fundamental right, the loss of trust, and take-up of technologies based on big data. This should not be worrying for EU citizens only: The GDPR is crucial for global norm setting in the field of data protection and privacy. We have one opportunity – we must do better than this.

Surveillance-based manipulation: How Facebook or Google could tilt elections (26.12.2015)

Facebook reveals news feed experiment to control emotions (30.06.2014)

General Data Protection Regulation: Document pool (25.06.2015)

Obfuscation: how leaving a trail of confusion can beat online surveillance (24.10.2015)

Our obsession with explaining past atrocities could destroy our free speech (22.10.2015)

(Contribution by Diego Naranjo and Joe McNamee, EDRi)



22 Jul 2015

EU Commission – finally – confirms that its promise on data protection will be respected

By Joe McNamee

Last April, EDRi, supported by other sixty-five NGOs from the European Union, North, Central and South America, Africa, Asia and Australia sent a letter (PDF) to the European Commission. The letter asked if the Commission would respect the “absolute red line” that the protection levels in the 1995 Data Protection Directive would be maintained.

This commitment is now critically important, as the EU institutions are currently involved in “trialogue discussions” (infographic), which are expected to finalise the data protection reform process started five years ago with a Commission Communication. A clear position from the leadership of the Commission on the protection of existing standards is crucial to ensure that some of the more extremist policies (PDF) proposed by some Member States can be definitively taken off the table, for the benefit of the coherence, trust and credibility that all stakeholders need from the final Regulation and Directive.

Today, we received a positive answer (PDF) from the European Commission, confirming that they will respect the commitment to respect the levels protection set in the Directive 95/46/EC:

The Commission has been and will continue to be true to this commitment.

Ahead of the next trialogue meetings starting again in September, this commitment sets important boundaries on what is, and what is not, acceptable as this process moves forwards.

All actors involved in these negotiations need not to be distracted with siren calls from a small number of private actors who, as they historically always do, mistake good regulation for constraints on business. As Paul Nemitz, Director for Fundamental rights and Union citizenship in the Directorate – General for Justice of the European Commission, explained to the Wall Street Journal: “The path toward trust through high levels of protection is good for the economy, good for growth and employment.”

Read the Commission’s response:

15 Jun 2015

Press Release: Privacy and Data Protection under threat from EU Council agreement

By Heini Järvinen

Following today’s meeting of the Justice Ministers Council in Luxembourg where an agreement was reached on the proposal for a General Data Protection Regulation (GDPR), EDRi and Privacy International would like to present the following statement:

In January 2012, the European Commission, following extensive consultations, published a draft Regulation. The initiative had three priorities – modernisation of the legal framework for the protection of personal data, harmonisation of the rules across the EU (proposing a single Regulation rather than a Directive that is implemented via 28 national laws) and maintaining existing levels of protection. A stated purpose was also to enhance individuals’ rights and put them more in control of their personal information, and make enforcement more effective – both are major failures of the current legislation

The objective of modernisation has not been achieved. Key elements of modernisation have been weakened to the point of meaninglessness. Rules on data breaches, privacy by design and, especially profiling, are far too weak and unclear.

Harmonisation has become a parody of its original intentions. The existing Directive consists of 34 articles. The Council’s position has 48 exceptions where Member States can do what they want, not including the broadening of the list of exceptions provided for in Article 21. In fact, Article 21 has broadened government powers so much that they can effectively run a coach and horses through all the rights and protection in this piece of legislation and render it null and void.

The objective of maintaining the levels in the 1995 Directive has not been achieved, inter alia for the reasons below. The European Commission had previously said that, as an absolute red line, standards would not be allowed to slip.

“This agreement is quite simply a brazen effort to destroy Europe’s world leading approach to data protection and privacy,” said Joe McNamee, Executive Director of European Digital Rights. “The Council position is a mixture of reckless disregard for citizens’ fundamental rights and pandering to special interests that led to draft legislation where the number of exceptions is higher than the total number of articles in the previous Directive.”

Equally, citizens and consumers will lose effective control of their personal data as a result of this legislation; and continuing illegal activity by businesses will remain unpunished.

“If the purpose of this reform was to strengthen people’s control over their personal information and improve enforcement, our governments have achieved the exact opposite,” added Anna Fielder, Board Chair of Privacy International. “The Council revisions to the draft data protection Regulations have done their best to disembowel some of the fundamental principles and further disempower individuals and their representatives by weakening rights. Moreover, any notion of harmonised, predictable rules across the Union have gone out of the window; in over a quarter of all the articles of this Regulation individual governments can develop their own rules.”


  • The proposal undermines purpose limitation:
    The current text of the GDPR allows for the further processing of personal data “for archiving purposes in the public interest or scientific, statistical or historical purposes.” However, it is unclear what those statistical and scientific purposes are. Any large company that makes profit out of exploiting personal data could claim to be processing data for scientific purposes. This loophole is broadened further still by the new and controversial text of Article 6.4: “Further processing by the same controller for incompatible purposes on grounds of legitimate interests of that controller or a third party shall be lawful if these interests override the interests of the data subject.”
  • The proposal moves from data minimization to “non-excessive” data processing:
    The proposed Article 5(c) removes the obligation to keep processing to a minimum and weakens it to “non-excessive” processing. The Council amendment removes the obligation that the data “shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data”. This provides room for data controllers to process more data than necessary.
  • The grounds for processing are increasingly vague:
    The “legitimate interest” justification for data processing without consent is the vaguest ground for processing, offering a lot of scope for industry to process data if they can claim a “legitimate interest” in doing so.
  • Weaker redress and enforcement provisions:
    Under the Council version, organisations defending citizen and consumer interests can no longer complain to authorities or take judicial actions on behalf of many individuals whose privacy rights have been breached. Data protection authorities do not have the resources to investigate every individual complaint and people to not take individual legal actions, particularly for privacy breaches that are not visible. Without this collective redress right, effective enforcement will continue to be weak.
  • Data transfers outside the EU: privacy regulation privatised or handed to unaccountable public bodies:
    The Regulation opens the gates to a massive Trojan horse in these provisions, by specifically amending the articles that refer to privacy seals/trust-marks (called “certification mechanisms”) and to codes of conduct. Privacy seals and codes of conduct can be useful in providing guidance to specific sectors and providing extra information to individuals using a service. But they cannot be a guarantee of adequate privacy protections in a country where privacy enforcement is weak, particularly if the envisaged systems of monitoring and oversight are delegated to some private body. Furthermore public authorities and bodies can transfer personal information at will to public bodies outside the EU without any reference to data protection authorities or need for cooperation across the EU (the so-called consistency mechanism).
  • Serious implications for people’s health and human rights:
    The Council proposals would allow further processing of health data, including genetic data on a massive scale; indefinite retention of health data including genetic data such as whole genomes without people’s knowledge or consent; and sharing of this data with third parties, including companies such as Google, without people’s knowledge or consent, usually with names stripped off (pseudo-anonymised) but in a way which allows results to be reconnected to individuals later on, or combined with other data sets (e.g. social care,education).


European Digital Rights (EDRi) is a not-for-profit association of 33 digital civil rights organisations from 19 European countries. Our objectives are to promote, protect and uphold civil rights in the field of information and communication technology.

Privacy International is a registered UK charity, defending privacy as a human right and advocating for strong laws that protect privacy round the world; it is celebrating its 25th anniversary this year.


03 Jun 2015

General Data Protection Regulation: Moving forward, slowly

By Diego Naranjo

The discussions in the EU on the proposal for a General Data Protection Regulation (GDPR) are slowly advancing, but the final destination is still unknown. Commissioner Věra Jourová , who is responsible for Justice, Consumers and Gender Equality and has the task of ensuring the “swift adoption of the EU data protection reform”, has stated that EU Data Protection reform “is a win-win for consumers and businesses”, and that the red lines of the 1995 Data Protection Directive will remain untouched. However, latest developments in the Working Party on Information Exchange and Data Protection (DAPIX) have brought to the GDPR text new changes that may erode Jourová’s optimism.

In March 2015, EDRi published a set of leaked documents with the (then) latest texts from the EU Council. At the same time we published an analysis of the five main topics we thought were going below the safeguards that were set in the 1995 Data Protection Directive. Our analysis remains valid, unfortunately, for majority of the points we analysed, with some exceptions.

For example, Article 6 and recital 40 on lawfulness of processing of personal data have been touched in different ways. The list of requirements defining whether or not a further processing is compatible with the purpose the data was collected in Article 6 (3a) has become an open list with the insertion of the words “inter alia”. This makes it a broader definition which could add additional safeguards for the data subject. Going a bit further, Article 6.4 is likely to be deleted, since there seems to be a significant number of Member States that are pushing against it. This Article allows for “(f)urther processing by the same controller for incompatible purposes on grounds of legitimate interests of that controller or a third party shall be lawful if these interests override the interests of the data subject”.

The “one stop shop” mechanism is also a matter of concern. The original idea was to simplify complaints, creating a single point of contact for citizens and businesses bringing a transnational complaint. It would also ensure consistent application of the Regulation through the European Data Protection Board (EDPB), eliminating the current common practice of “forum shopping”. Based on the leaked documents, the current proposed text from the Council on the “one stop shop” mechanism would add several levels of bureaucracy. In the case of a transnational complaint, at least two data protection authorities would have to be involved and reach consensus to solve the case. This could lead to a fragmented implementation of the Regulation as the oversight role of the Board would be greatly reduced. Both citizens and businesses would then be left without the benefits of a swift, predictable and harmonised “one stop shop” mechanism. Finally, data Protection seals (certifications) and binding corporate rules should all be subject to the one-stop mechanism, at least in transnational cases. Otherwise they will offer the possibility to bypass the Regulation.

In the lead-up to the start of the trialogue meetings on this topic, we can only mention a few of the major issues here. In a meeting of the European Data Protection Supervisor with civil society actors (including EDRi, EDRi members Access and Bits of Freedom, as well as BEUC, Code Red, and Privacy International, see video below) on 27 May, we addressed also problems with the definitions contained in the GDPR, the seriousness of having profiling back in the exceptions of Art. 21 after it was taken out by the Parliament, the need for citizens to be able to have access to effective collective redress mechanisms, and problems with the transfer of data to third countries, including the Safe Harbour agreement.

Data protection reform timetable (01.06.2015)

Latest consolidated text of the GDPR

Statewatch: LIMITE document from the Council on Article 6 and recital 40 (26.05.2015)
Other documents obtained by Statewatch are available at

EDPS meeting with civil society (EDRi, Access, BEUC, Bits of Freedom, Code Red, Privacy International)

Badly broken campaign: European data protection reform is badly broken (03.03.15)

(Contribution by Diego Naranjo, EDRi)



10 Sep 2014

Open letter to Google’s Advisory Council on the “right to be forgotten”

By Kirsten Fiedler

On 9 September, European and international civil rights organisations submitted an open letter (pdf) to Google’s Advisory Council on their assessment of the so-called “right to be forgotten”.

The groups urge the Council’s members to avoid inadvertently delaying the adoption of the data protection reform package. They remind the members of the urgent need for legal safeguards in cases where courts place unclear obligations on internet intermediaries to interfere with online communications (which cannot be replaced by the Council’s findings) and call on them to shed more light on the mission and objectives of this European tour.

As the ruling has been largely misrepresented by parts of the press, the letter first clarifies some of the misunderstandings that have circulated about the context and scope of the ruling:

When the CJEU ruled on the case, the press reported the decision as an example of a new “right to be forgotten,” even though such a right is not articulated in the legislation on which the ruling is based. The media coverage created the mistaken impression that Google would have to start deleting information from the internet (or its own index) whenever an EU citizens asked the search engine to do so, if information was irrelevant, inaccurate, outdated or excessive. The court specified that search results based on a person’s name are to be removed if the request meets the criteria laid out in the ruling. However, not only will the information remain on the internet, but it will remain in Google’s index.

The civil rights organisations then emphasise the need for a quick conclusion of the current data protection reform, not least because the Snowden revelations have shown that strong and reliable rules are crucial for citizens’ rights to privacy and data protection:

This need has been acknowledged by several companies, including Google, through their participation in the movement for global government surveillance reform. This movement recognises the need for governments to take action in order to protect their citizens’ safety and security and advises for the review of current laws and practices.

The full letter can be accessed here: https://edri.org/wp-content/uploads/2013/09/Open-Letter-to-Google-Advisory-Council.pdf

Bits of Freedom
Chaos Computer Club (CCC)
Digitale Gesellschaft
European Digital Rights (EDRi)
Initiative für Netzfreiheit
Panoptykon Foundation

EDRi: Google’s right to be forgotten – industrial scale misinformation? (09.06.2014)

EDRi: Google and the right to be forgotten – the truth is out there (02.07.2014)

EDRi: Good Lord! Lords forget their own right to be forgotten analysis (31.07.2014)

EDRi: Google now supports AND opposes the “right to be forgotten” (27.08.2014)