27 Sep 2016

#1 Freedom to be different: How to defend yourself against tracking

By EDRi

This is the first blogpost of our series dedicated to privacy, security and freedoms. In the next weeks, we will explain how your freedoms are under threat, and what you can do to fight back.

Cookies: What are they and how do they work?

One of the ways you leave digital traces behind while surfing online is through cookies. They are bits of information that are automatically stored on your device when you visit websites. Sometimes they are useful; for example, when shopping online, the website needs to remember what you have added to your shopping basket, so that you can later check out and pay.

But most of the time cookies are placed by advertisers that want to collect data about which websites you visit, to target ads at you. This could seem harmless, but it creates risks. For example, when you are categorised (“profiled”) as someone who earns a good salary, you are likely to see higher prices for the things you want to buy. Or on the contrary, if you are profiled as someone who hasn’t got much money, you could end up paying more for your insurance since an insurance company might consider you a “risk”. Online tracking limits your freedom to be different.

How to claim back your freedom to be different

These tools will enable you to wipe most of the digital traces of your browsing activity:

Install Firefox – a browser that is more secure than others and whose features can be enhanced by numerous add-ons. Start using it now!

Install the following add-ons in your browser:

Privacy Badger: this add-on for your browser puts you back in control by spotting and then blocking third-party domains that seem to be tracking your browsing habits (that is, when advertisers and websites track your browsing activity across the web without your knowledge, control, or consent). Although it blocks many ads in practice, it is more a privacy tool than a strict ad blocker. You can easily download it here.

HTTPS Everywhere: This tool is, again, an add-on for Firefox (both desktop and Android), Chrome, and Opera that makes your browser use HTTPS to encrypt its communication with websites to the greatest extent possible. You can easily download it here.

If you want to find out more tools to defend yourself online, check out the excellent Surveillance Self-defense instructions by the EFF.

John is also dealing with cookies and online tracking in this video, prepared by our member Association for Technology and Internet (ApTI) – Romania:

What can politicians do to safeguard your freedoms online?

The rules on online privacy in the EU (ePrivacy Directive) will soon be updated. This law deals with privacy and confidentiality of communications for the entire EU, and it affects tracking and other issues related to your freedoms online. Are politicians ready to fight for your protection?

Stay tuned to our next blogposts to know more about your freedoms online, and how they are threatened!


Read more:

Behavioural Sciences and the Regulation of Privacy on the Internet
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2513771

Article 29 Working Party: Opinion 04/2012 on Cookie Consent Exemption
http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf

20 Sep 2016

EDRi invites you to the Big Brother Awards Belgium

By Kirsten Fiedler

On 6 October, the Belgian Big Brother Awards – a negative prize for the worst privacy abuser – will take place in Brussels. There are many other such award ceremonies around the globe, many of which are being organised by EDRi’s members. EDRi is proud to be one of the partners of the Belgian event, organised by its member Liga voor Mensenrechten.

We will be the organiser of a “Privacy Salon” – a panel discussion which will focus on online tracking activities and the upcoming reform of European privacy rules (ePrivacy Directive). You can register to attend the event by visiting this link.

The event will take place on:

When: 6 October.
Where: KVS, the Brussels City Theatre.

Doors open at 19:00, the program starts at 19:30.
The debate is scheduled from 19:45 until 21:00.


Confirmed speakers:

Stephen Deadman (Facebook)
Matthias Matthiesen (IAB)
Brendan Van Alsenoy (Privacy Commission, DPA Belgium)
Estelle Massé (AccessNow)
Dr. Frederik Borgesius (University Amsterdam)
Moderator: Joe McNamee (EDRi)

Background on the nomination:

Facebook is engaging in the same type of mass surveillance that the US National Security Agency (NSA) is doing – it’s spying on people all around the world, just via different means. There are three main reasons for our nomination:

1. Facebook has access to a wide range of personal data; for example, it accesses your phone number and gives your name out to strangers. The social network started taking mobile numbers from other, less direct, sources (like WhatsApp) or from your phone to add them to profiles and use them as public identifiers for individuals.

2. Facebook tracks your movements across the web. It doesn’t matter if you are logged in or not. Every time you see a “like” button on a website, your internet browser is talking to Facebook. It tells the social network what pages you are visiting and what kind of browser you’re using in order to target advertising at you.

3. Last but not least, the devil is in the default: Facebook supposes you have nothing against your data being sold, and automatically opts you in. You are expected to navigate Facebook’s complex web of settings (which include “Privacy”, “Apps”, “Ads”, “Followers”, etc.) in search of possible opt-outs.

What can Facebook do with all this information?

Facebook has gained the power to control directly who you are; the social network can “engineer the public” without the users’ knowledge. For years, Facebook has been carrying out experiments, for example to influence the mood of its users, or to manipulate their voting behavior.

20 Sep 2016

Privacy Training Center empowers you to protect your online freedom

By Guest author

New non-profit organisation offers privacy workshops for everyone

Most people know that surfing the internet has serious privacy implications. What many don’t know is how to protect themselves, their family, colleagues and friends. Meet the Privacy Training Center in Brussels, the new not-for-profit training organisation.

The PTC aims to fill the knowledge gap by providing regular workshops about online privacy and data protection. Think of it as a targeted and structured way of doing crypto parties. Workshop participants learn about intrusive online advertising, digital criminals and governments’ digital prying eyes – and how to better protect themselves online.

The curriculum ranges from raising beginners’ awareness for the privacy implications of using social media apps to supporting the roll-out of e-mail encryption in small organisations. Courses cover online security best practices and tons of useful apps and tools for things like secure file sharing, encrypted messaging and calls, anonymity and web tracking protection. We propose free software wherever possible.

As a non-profit, the PTC’s first and foremost targets are other non-profits, journalists and citizens, but the PTC also develops tailor-made staff training for businesses. After all, what good is the most secure software environment when employees post sensitive stuff on Facebook? Our workshops can also be embedded in conferences, public library programs, schools or universities. Feel free to ask!

The PTC is an initiative run by a group of IT consultants, programmers, privacy researchers and policy geeks and is the offspring of two Privacy Cafés held in the European Parliament together with EDRi and AccessNow in 2015. Our workshops continue to be available to policy makers from all institutions and political parties.

Website of the Privacy Training Center
https://www.privacytraining.org

EDRi announcement of 2015 European Parliament trainings
https://edri.org/privacy-cafe-2-0-improving-the-security-of-online-communications/

(Contribution by Jan Weisensee)

14 Sep 2016

Your privacy, security and freedom online are in danger

By EDRi

We carry more intimate information on the devices in our pockets and on our wrists than most personal diaries. For instance, our browsing history alone can already tell a lot about us and who we are, where we are, what we do in our free time, our fears, our political views and our relationships.

Unscrupulous companies now want to water down European rules on the privacy of our communications. This also increases threats to our freedoms – our freedom to have secrets, our freedom to be different or our freedom to make mistakes.

The EU now has the opportunity to protect our rights and freedoms in an upcoming reform (ePrivacy) – or it can turn them into fresh meat for corporate sharks.

In the coming weeks, you can stay tuned to learn about how to defend your privacy and to keep enjoying your freedoms. Join our campaign, check our website for more information about each and every one of these 6 threats below – and we’ll give you the tools to protect yourself online.

… and we would like to introduce you to John, who is struggling with the same problems:

The video was prepared by our member Association for Technology and Internet (ApTI) – Romania.


Read the blogposts:

07 Sep 2016

What digital rights are at imminent risk? All of them.

By EDRi

Our civil rights in the digital environment are based on our rights to protect our personal security and data, our right to communicate freely, and our right for any restrictions to be necessary, predictable and proportionate. Every one of these rights is now under imminent threat.

Electronic Privacy in danger

The ePrivacy Directive is there to protect our security and the confidentiality of our communications. The big telecoms lobby and online companies have launched a massive campaign for this legislation to be repealed.

Telecoms companies want to be able to use your phone’s location data and web browsing data to generate revenue from advertisers, while online companies are keen to avoid limits on their ability to track individuals online.

Security under threat

The integrity, security and privacy of online communications rely on encryption. However, governments across the EU (for example in France, Germany and Hungary) are seeking to undermine it both at the national and the EU level through, for example, the ePrivacy Directive reform and the draft Terrorism Directive.

More and more surveillance

Unsurprisingly, proposals on surveillance are coming from every possible angle. The EU has just adopted its Directive on air passenger profiling (Passenger Name Records, PNR), and the “smart borders” proposal is moving forward. We are only starting to feel the scale of threat to our personal security by “internet of things” surveillance, and the EU is now working again on the thorny issue of export controls.

Legal safeguards for law enforcement data sharing may disappear

When the illegal data retention Directive was proposed over a decade ago, we were told that it was because urgent action was needed as a contingency measure, as international legal assistance treaties (Mutual Legal Assistance Treaties, MLATs) did not work. Now, mainly as a result of pressure from the USA, there are efforts to overturn this legal framework, and to replace it by a more informal and potentially dangerous system, with no tangible explanation as to why MLATs have not been reformed.

Private censorship and abandonment of the law

The European Union is encouraging “voluntary” projects to put (mostly American) companies into the role of free speech regulators. These are just a few examples:

  • The draft Terrorism Directive demands arbitrary deletion of content by internet companies. It is now going through non-transparent, rushed “trilogue” negotiations between the EU institutions.
  • The European Commission will have to monitor the decisions of the four US online companies that committed to use their terms of service to take the lead in censoring ill-defined “hate speech”.
  • A leak of the new Copyright Directive shows that the Commission wants to require companies to invest in “effective” tools to filter the upload of any copyrighted content, following YouTube’s model of allowing rightsholders to arbitrarily uploads, even if they are fully legal. Industrial-scale censorship.
  • The European Commission is using “follow the money” efforts whereby companies like Paypal and Google will eliminate online services that they – as judge, jury and executioner – decide are allegedly breaching copyright (as envisaged in SOPA and ACTA).
  • The proposal for reforming the “Audio Visual Media Services” Directive gives EU Member States the right to regulate the contracts agreed between online video sharing platforms and their customers. This is supposed to be a means of applying the law, but a recital (i.e. an explanatory note) says that alignment with the law is not necessary. The right of appeal for unjustified censorship provided for in the Directive is logically unimplementable. The “safeguard” that people can complain when their videos are censored will not be implementable in practice, as internet companies will always say that the files are in breach of terms of service rather than in breach of the law, as this option is easier, quicker, cheaper and less legally risky.

The open internet under threat by the Telecommunications Reform

If the European Commission keeps supporting the big telco industry’s 5G Manifesto and integrates parts of it into the Telecoms Review proposal, net neutrality may be in danger again.

Trade agreements undermining data protection

Digital rights are also being discussed outside a democratic framework in international trade negotiations. In addition to the headline Transatlantic Trade and Investment Partnership (TTIP) discussions, the less well-known Comprehensive Economic Trade Agreement (CETA) between the EU and Canada will undermine your privacy, data protection and freedom of communication, if adopted. While there are rumours that TTIP might be dead, most of the risks highlighted for digital rights in TTIP are being reproduced in the catastrophic TiSA (Trade in Services Agreement), which is being negotiated by the European Union with 22 countries, including the USA, Turkey and Israel, as well as CETA.

EDRi: Data Protection Reform – Next stop: e-Privacy Directive (24.02.2016)
https://edri.org/data-protection-reform-next-stop-e-privacy-directive/

EDRi: Massive lobby against personal communications security has started (27.07.2016)
https://edri.org/massive-lobby-personal-communications-security-started/

EDRi: France and Germany: Fighting terrorism by weakening encryption (24.08.2016)
https://edri.org/france-germany-fighting-terrorism-by-weakening-encryption/

EDRi: Hungary: New government proposals raise concerns (18.05.2016)
https://edri.org/hungary-new-government-proposals-raise-concerns/

EDRi: Position paper on encryption: High-grade encryption is essential for our economy and our democratic freedoms (25.01.2016)
https://www.edri.org/files/20160125-edri-crypto-position-paper.pdf

EDRi: Rush to “fight terrorism” threatens our fundamental rights and security (04.07.2016)
https://edri.org/rush-fight-terrorism-threatens-our-fundamental-rights-security/

Secret report urges treaty forcing US web firms’ cooperation in data sharing (02.06.2015)
https://www.theguardian.com/world/2015/jun/02/web-firms-data-sharing-secret-treaty

Commissioner Jourová’s speech at the meeting of the EP’s Committee on Civil Liberties, Justice and Home Affairs (Libe) (28.04.2016)
https://ec.europa.eu/commission/2014-2019/jourova/announcements/commissioner-jourovas-speech-meeting-eps-committee-civil-liberties-justice-and-home-affairs-libe_cs

Guide to the Code of Conduct on Hate Speech (03.06.2016)
https://edri.org/guide-code-conduct-hate-speech/

Proposal for a Directive of the European Parliament and of the Council on copyright in the Digital Single Market
https://drive.google.com/file/d/0B6d07lh0nNGNNjZpcGlsQ3pJN3M/view

EDRi: Towards a corporate copyright reform in the EU? (31.08.2016)
https://edri.org/towards-corporate-copyright-reform-eu/

EDRi: ENDitorial: Is 5G as terrible as the telecoms providers claim it is? (27.07.2016)
https://edri.org/enditorial-5g-terrible-telecoms-providers-claim/

EDRi: BREAKING: TTIP leaks confirm dangers for digital rights (02.05.2016)
https://edri.org/breaking-ttip-leaks-confirm-dangers-for-digital-rights/

EDRi: CETA will undermine EU Charter of Fundamental Rights (04.05.2016)
https://edri.org/ceta-will-undermine-eu-charter-of-fundamental-rights/

Trade in Services Agreement, EDRi’s position
https://edri.org/files/TiSA_Position_Jan2016e.pdf

(Contribution by Joe McNamee, Diego Naranjo and Maryant Fernández Pérez, EDRi)

07 Sep 2016

Finnish Big Brother Award goes to intrusive loyalty card programme

By Guest author

On 2 September, EDRi member Electronic Frontier Finland (Effi) presented the 2016 Big Brother Awards. The Awards are given to individuals or organisations who have during the past year remarkably undermined citizens’ privacy and data protection. The goal is to draw attention to violations of privacy.

The award in the corporate category was given to the S Group, a Finnish retailing cooperative organisation, for unilaterally announcing in July 2016 that all future purchases made using the group’s loyalty card will be registered, detailing the products that were purchased. Even if the S Group, after significant pressure was put on it, gave its clients the possibility to decide whether or not their data will be collected, Effi considered it necessary to raise awareness on the issue. Various customer loyalty programmes are likely to include problems from a privacy perspective, and only a few of these issues have been disclosed.

The award for individuals went to former Minister of the Interior Petteri Orpo, who has actively promoted giving the police extensive authority to conduct online surveillance, building on the fear raised by the Paris attacks to drive a political agenda. Orpo deserves the award also thanks to his clichéd statements: “A regular citizen has nothing at all to worry for.”

The award in the public organisation category was granted to the Market Court for handing over the personal data of thousands of individuals to law firms used by collecting societies and rightsholders. The Market Court has served as a rubber stamp in proceedings in which letters are sent to effectively “blackmail” those suspected of copyright infringements, with weak evidence.

“With the current uncertainties in the world, it’s easy to argue these violations of privacy are necessary. They, however, rarely foster citizens’ security, but are only contributing to the deterioration of data protection,” said Timo Karjalainen, the chairman of Effi.

We should now stay rational and demand our privacy and protection of our personal data to be preserved, rather than destroyed.

The positive Winston Smith award was given to Mikko Hyppönen, Chief Research Officer of F-Secure, a Finnish cyber security and privacy company, for his persistent work for data protection, and against the surveillance and hacking conducted by cybercriminals and states.

The Big Brother Awards are based on a concept created by Privacy International in the UK. The tradition started in 1998 in London, and the awards are given in about a dozen countries annually. The decisions on the 2016 awards were made by Effi’s board, and the trophies and the Winston Smith award painting were created by Noora Jantunen.

Press Release: Effi’s Big Brother Awards to Petteri Orpo, S Group, and the Market Court – positive awards to Mikko Hyppönen (only in Finnish, 02.09.2016)
https://effi.org/julkaisut/tiedotteet/isoveli-2016

EDRi: Finland: New surveillance law threatens fundamental rights (06.10.2015)
https://edri.org/finland-surveillance-law-threatens-fundamental-rights/

Finnish BB Awards to Commissioner Paatero, Police Board and Microsoft (11.02.2015)
https://edri.org/finnish-bigbrother-awards/

(Contribution by EDRi member Effi, Finland)

24 Aug 2016

France and Germany: Fighting terrorism by weakening encryption

By Heini Järvinen

On 23 August, the French and German Ministers of Interior met in Paris to discuss an initiative that would extend surveillance in Europe and weaken encryption, in the name of the fight against terrorism.

Speaking at a joint press conference, French Minister of Interior Bernard Cazeneuve and his German counterpart Thomas de Maizière called for legislation that would force intermediaries to weaken encryption standards. This would, according to Cazeneuve, make it possible to “truly arm our democracies on the issue of encryption”. Cazeneuve also explained, failing to notice that the European e-Commerce Directive already contains this obligation, that they want to oblige internet companies to censor illegal content.

The French Ministry of Interior explained its intentions in a tweet: the country plans to ask the EU Commission to put forward an EU-wide measure that would oblige online companies, such as WhatsApp or Telegram, to decrypt communications within the context of police investigations – even if the company’s seat is not in Europe. The upcoming review of the ePrivacy Directive is very likely to become the next encryption battlefield.

These plans do not meet the approval of the French data protection authority CNIL which stated in an Op-Ed in the French newspaper Le Monde that the call for encryption backdoors “is not taking into account the importance of encryption for our security online”.

Cazeneuve first announced his intentions to “launch a European initiative, leading to a more international plan that will permit to face this new challenge” after a French government meeting on security on 11 August. Now Cazeneuve and de Maizière hope to have the issue on the agenda for the next meeting of European leaders in Bratislava on 16 September.

French intelligence services claim to be struggling with intercepting messages from Islamist extremists. However, many of the suspects of recent terrorist attacks were using unencrypted SMS, and were already known to the authorities. The investigation into the Brussels attacks in March 2016 revealed that inefficient intelligence and police work was one of the key factors that failed to prevent the attacks.

Encrypted messaging services, such as Telegram, WhatsApp or Signal, can be used for sending text messages, videos and voice messages with a very high level of security. It’s extremely difficult for anyone else but the authorised recipient to read or view messages sent using end-to-end encryption. Today, encryption is used widely across the web to secure e-commerce, banking and many other online services, as well as by journalists, whistleblowers, civil rights defenders and others who need to maintain confidentiality of their communications. As the Report of the United Nations (UN) Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression David Kaye put it,

encryption and anonymity enable individuals to exercise their rights to freedom of opinion and expression in the digital age and, as such, deserve strong protection.

France says fight against messaging encryption needs worldwide initiative (11.08.2016)
http://www.reuters.com/article/us-france-internet-encryption-idUSKCN10M1KB

Paris wants a global action on encrypted communications (only in French, 11.08.2016)
http://fr.reuters.com/article/topNews/idFRKCN10M0WC

Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, David Kaye (22.05.2015)
http://www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session29/Documents/A.HRC.29.32_AEV.doc

Franco-German initiative on the European interior security (only in French, 23.08.2016)
http://www.interieur.gouv.fr/Le-ministre/Interventions-du-ministre/Initiative-franco-allemande-sur-la-securite-interieure-en-Europe

Tweet by the French Ministry of Interior (only in French, 23.08.2016): https://twitter.com/Place_Beauvau/status/767998554153648129

Fight against terrorism: Cazeneuve and Maiziere meet in Paris (only in French, 23.08.2016)
http://fr.euronews.com/2016/08/23/lutte-contre-le-terrorisme-cazeneuve-et-maiziere-reunis-a-paris

French minister: Apps like Telegram must be decrypted for legal probes (23.08.2016)
http://arstechnica.co.uk/tech-policy/2016/08/french-minister-apps-telegram-decrypted-legal-proceedings/

Attacking encryption to fight terrorism is a wrong target (only in French, 23.08.2016)
http://www.lemonde.fr/idees/article/2016/08/22/en-nous-attaquant-au-chiffrement-contre-le-terrorisme-on-se-trompe-de-cible_4986277_3232.html

05 Jul 2016

PROCEED WITH CAUTION: Flexibilities in the General Data Protection Regulation

By Diego Naranjo

We regret that much of the ambition of the original data protection package was lost, due to one of the biggest lobbying campaigns in European history. However, we congratulate the European Parliament — for saving the essence of European data protection legislation.[1]

On 14 April 2016, the European Parliament adopted two legal instruments that will regulate the fundamental right to data protection of individuals: the General Data Protection Regulation (GDPR) and the Law Enforcement Data Protection Directive (LEDP).

Despite the overall positive outcome of the GDPR, we regret that many of the initial high expectations for the Regulation were not realised. Once the final text was passed, and ahead of the preparation of guidelines for its implementation, we have published two documents where we analyse the numerous national flexibilities contained in the text of the Regulation. The results can be found here (the full analysis of all the flexibilities) and here (short document with the most dangerous flexibilities).

The analysis looks at the key pitfalls to be avoided in transposing these national flexibilities into Member State law. The task is huge, bearing in mind that there are almost as many provisions in which Member States can implement the Regulation differently as there were articles in the preceding Data Protection Directive. Some of the flexibilities are harmless, but many others could be perceived by governments as opportunities to allow them to ignore essential elements of the Regulation.

We hope that this analysis can help national governments and data protection authorities to implement the GDPR in a way which protects the essence of the right to data protection by implementing the most privacy friendly interpretation of these flexibilities.

Although this analysis is a shared effort of several EDRi members and EDRi staff, we would like to give our heartfelt thanks to Chris Pounder for the initial analysis of flexibilities in the Regulation and Douwe Korff for his extensive assessment of the options available.

[1] Press Release: Vote on Data Protection and Passenger Name Record package (13.04.2016)
https://edri.org/press-release-data-protection-and-passenger-name-record-package-to-be-voted-on-tomorrow/

01 Jun 2016

The lobby-tomy 7: Not all roads lead to privacy

By Guest author

Within the privacy world, different schools of thought exist. Connecting different viewpoints to a seemingly positive ideology is also a sales technique.

The new European data protection regulation is the most lobbied piece of legislation thus far. This is because the subject is very important and touches upon almost every aspect of our daily lives. Therefore EDRi member Bits of Freedom used the Dutch freedom of information act to ask the government to publish all the lobby documents they received on this new law. Bits of Freedom published these documents on their website with their analysis in a series of blogs. What parties lobby? What do they want? What does that mean for you? These nine articles are now translated into English for the EDRi-gram. This is part 7.

If one school of thought has successfully been put in the limelight, it is the “risk-based approach”. It means that when policy makers formulate obligations for industry, they should take the identifiable risks of data processing into account. Strict obligations should only accompany identified large risks. But that can’t be an excuse to create a lower level of protection for people.

If we read the lobby letters correctly, one of the most important offices behind this approach is the “Centre for Information Policy Leadership” of Hunton & Williams LLP. Although the term is older, they launched a “risk based approach framework” in January 2014, after which the subject has resurfaced repeatedly.

The data protection regulation creates new obligations for organisations that plan to process a certain quantity of data. An organisation is for example required to do a “privacy impact assessment” before processing data, in which it will have to evaluate the consequences of the processing for people’s privacy. In some cases, the processing should be notified to the data protection authority. Apart from that, organisations should have a data protection officer, who handles supervision of all privacy related issues internally. Furthermore, organisations are required to notify data breaches to anyone connected to the data.

Companies are not happy about this. We already mentioned in a previous blog that these are the themes that have been lobbied on the most. They say, briefly: allow us to only fulfill those obligations if it’s to mitigate large and already identified risks.

Support

It isn’t surprising that many of the “usual suspects” support this risk based approach. TechAmerica Europe, an organisation that represented the interests of European technology companies “with American parentage”, strongly supported this. Banks also welcome such an approach, as shown in their email to the Dutch embassy to the EU – the so-called “permanent representation”. Thuiswinkel.org, a Dutch e-commerce company, says in an email to the Dutch Ministry of Justice: “The current reforms are not adequate enough in the eyes of Thuiswinkel.org, in particular because the proposals lack a ‘risk-based’ approach.” Even the Royal Academy for Sciences seems to be a proponent of this approach.

Consistency

To strengthen their arguments, different parties use “commitment and consistency”. The trick is that people like to present one unambiguous image of themselves, so they will want to act in ways that are congruent with their earlier statements. Therefore, the Centre for Information Policy Leadership uses statements of influential politicians from the group of people they are trying to influence, who have been positive about the risk based approach.

In a letter by the Centre for Information Policy Leadership to the Ministry of Justice, European Commissioner Viviane Reding is quoted as a proponent of the risk based approach, just like the Council of Ministers that the letter aims to convince. You were in favor of a risk based approach, right? Then you should also agree to our demands. The former European Data Protection Supervisor Peter Hustinx once made positive statements about this approach, and these are quoted quite happily in a letter by the Industry Coalition for Data Protection (ICDP) to the Ministry of Justice:
“ICDP strongly agrees with the European Data Protection Supervisor Peter Hustinx that data protection legislation is most effective when it follows a risk-based approach.”

Careful!

A risk based approach can’t be an excuse to evade important obligations, as the committee of privacy watchdogs in Europe stated. A well described liability based on agreed criteria can assure that companies keep privacy protection in mind at an early stage of data processing or planning. Those criteria should obviously be proportionate, so a sole trader that serves only fifty customers per year shouldn’t be required to send a privacy impact assessment to the data protection authority every week or to hire a data protection officer (not that anyone ever suggested that, it has to be said). But we should also be wary of abuse. For example, Digital Europe, a lobby organisation for digital businesses, wants to make sure that companies can decide for themselves what constitutes risk. That would make evading supervision very easy.

Privacy schools of thought

Connecting your viewpoints to clear schools of thought can help your cause. That’s why more schools of thought than the “risk based approach” are mentioned in the lobby documents. Vodafone wants a more “principle based” approach, which means they want more flexibility. Yet other companies mention the “harm based approach”, the “use based approach”, the “precautionary based approach” and others.

Whatever school of thought one prefers, no one can currently predict the risks well, particularly in a world of “big data”. What we do know is that more data will be collected and will be increasingly used. This makes every choice we make now only more important for privacy protection in the future.

To be continued

Want to continue reading about this? On the Bits of Freedom website, you can find all the lobby documents and the analysis. The next part will be about the anti-fraud argument.

Lobby-tomy series (only in Dutch)
https://www.bof.nl/category/lobby-tomie/

(Contribution by Floris Kreiken, EDRi member Bits of Freedom, The Netherlands)

30 May 2016

EU Commission under investigation for EU Internet Forum documents

By Kirsten Fiedler

In the past year, EDRi made numerous formal requests to get more information about the EU Internet Forum. This Forum was set up by the EU Commission to persuade companies to do “more” to fight terrorism. After months of obstruction from the European Commission, EDRi made a maladministration complaint to the European Ombudsman. As a result, a formal inquiry has been launched.

Privatised censorship

The problem: The action points agreed with online companies in secret meetings of the Forum may have a direct negative impact on our freedom of expression. Why? Because one of the topics that is being discussed is the censoring of online content by private companies – without any judicial process.

Many case studies highlighted by onlinecensorship.org have shown that private companies regularly violate fundamental rights in the online space, flouting the principle that restrictions on civil and human rights must be based on law. This practice is now being encouraged and pushed by the EU Commission.

Additionally, the EU Commission repeatedly denied us access to the documents that are being discussed by the IT Forum. The reason for our requests is simple: The EU Commission has a very bad record of keeping such projects in line with fundamental rights.

Exclusion of civil society

Moreover, despite the fact that the Commission announced in its “Communication on the European Security Agenda” the need for an inclusion of civil society in such projects, no civil society organisation has been allowed to participate in the Forum’s meetings on terrorism.

We have raised this criticism on multiple occasions – in meetings with the department for Migration and Home Affairs (DG HOME) and in our position paper (pdf). This exclusion fails to respect the institutions’ responsibility to give citizens the opportunity to “publicly exchange their views in all areas of Union action” (Art. 11 of the Treaty on European Union).

EDRi’s complaint and Ombuds(wo)man investigation

The maladministration investigation has been launched following a complaint submitted by EDRi to Emily O’Reilly, the EU Ombudsman, on 17 February (Letter by the Ombudsman, pdf). The complaint points out that:

  1. The Commission systematically failed to respect the legal deadlines to respond to our requests.
  2. The Commission’s decision to merge (a process called “joining” in EU jargon) two of our access requests (GestDem 2015/6363 and GestDem 2016/0095) lacks any legal basis. By default the Commission should make non-confidential documents directly available.
  3. The Commission wrongly refused full access to the note of 10 June 2015 (pdf) and to the concept note (pdf).

The Ombudsman responded that she has decided to open an inquiry into the third and last claim. The letter states that she will be

carrying out an inspection of the relevant documents. I have therefore asked the Commission to facilitate, in accordance with Article 3(2) of the Statute of the European Ombudsman, my inspection of the Commission’s note of 10 June 2015 and the related concept note (to which only partial access was granted in the context of access request GestDem 2015/3658).

As regards the first claim, the letter states that the Ombudsman is not opening an inquiry as this widespread practice is already the object of an own‐initiative inquiry. Regarding the second claim, the Ombudsman suggested we raise our request with the Commission again.

[Update 30 June 2016] We have received a letter by the EU Ombuds(wo)man informing us that she has carried out an inspection (pdf). The inspection report (pdf) finds that

The Commission transmitted copies of the unredacted documents to be inspected to the Ombudsman’s inquiry team by electronic means. It further classified them as confidential.

The Ombudsman invited the Commission to submit an opinion on the complaint by 30 September 2016.

We will continue to report on the EU Internet Forum and the inquiry on our website.
