17 Jun 2015

EU continues push for travel surveillance by the back door

By Kirsten Fiedler

The European Commission has released its plans for providing financial support to national security measures. These plans, despite the absence of a legal basis, privacy concerns and a pending EU Court of Justice (CJEU) decision, include the financing of a European mass surveillance measure: namely the long-term storage and exchange of citizens’ air travel data, Passenger Name Record (PNR).

In 2013, the European Commission made 50 million euro available to fund the development of a PNR system in Europe. This sum was split between 14 of the EU’s 28 Member States for projects aimed at “setting up national passenger information units”. Now the Commission continues to introduce surveillance by the back door and announces to provide support to harmonise and “facilitate the exchange” between the individual national systems it previously helped to develop.

However, no legislative measure that would provide a sound legal basis for this EU-wide system has been adopted. For more than four years, the EU has been trying to introduce a Directive with a draft launched by the Commission in 2011 and extensive discussions in three European Parliament committees. In 2013, the key committee (Civil Liberties Committee, LIBE) rejected the proposal because it considered its measures to be disproportionate and privacy invasive – and now it is back in the Parliament. Following political charades and a subsequent referral back to the LIBE committee, the Parliament is expected to vote on the draft proposal before the end of 2015.

In the meantime, the EU Commission continues to release funds for a measure which has been considered in breach of fundamental rights by various bodies, including the European Data Protection Supervisor and the Fundamental Rights Agency.

The Commission’s 2013 grants for national systems contributed to a disharmony of the single market, instead of harmonising it. After releasing this first batch of money, the Commission argued that the development of the PNR system had nothing to do with the ongoing legislative discussions. Now, after having tried to use this fragmentation as a means to advance negotiations on the Directive, it moves on to resolve the problem it helped to create, by facilitating information exchange between the national systems – which is one of the main goals of the draft Directive. In this context, it would be interesting to hear the Commission’s justification of the new grant, as a selection criterion states that applicants must be able to demonstrate a “European added value of the proposed action”. The Parliament might soon be forced to recognise a fait accompli.

European Commission Annual Work Programme for 2015 for support to Union Actions under the Internal Security Fund, 8 June 2015

European Commission funds for national PNR systems, action grants 2012

Civil Liberties Committee rejects EU Passenger Name records proposal http://www.europarl.europa.eu/news/en/news-room/content/20130422IPR07523/html/Civil-Liberties-Committee-rejects-EU-Passenger-Name-Record-proposal

PNR is back in the European Parliament

Timeline of the proposal for A Directive on the retention and use of PNR data

The proposed EU passenger name records (PNR) directive Revived in the new security context

(Contribution by Kirsten Fiedler, EDRi)



17 Jun 2015

Microsoft’s new small print – how your personal data is (ab)used

By Heini Järvinen

Microsoft has renewed its Privacy Policy and Service Agreement. The new services agreement goes into effect on 1 August 2015, only a couple of days after the launch of the Windows 10 operating system on 29 July.

The new “privacy dashboard” is presented to give the users a possibility to control their data related to various products in a centralised manner. Microsoft’s deputy general counsel, Horacio Gutierrez, wrote in a blog post that Microsoft believes “that real transparency starts with straightforward terms and policies that people can clearly understand”. We copied and pasted the Microsoft Privacy Statement and the Services Agreement into a document editor and found that these “straightforward” terms are 22 and 23 pages long respectively. Summing up these 45 pages, one can say that Microsoft basically grants itself very broad rights to collect everything you do, say and write with and on your devices in order to sell more targeted advertising or to sell your data to third parties. The company appears to be granting itself the right to share your data either with your consent “or as necessary”.

A French tech news website Numerama analysed the new privacy policy and found a number of conditions users should be aware of:

By default, when signing into Windows with a Microsoft account, Windows syncs some of your settings and data with Microsoft servers, for example “web browser history, favorites, and websites you have open” as well as “saved app, website, mobile hotspot, and Wi-Fi network names and passwords”. Users can however deactivate this transfer to the Microsoft servers by changing their settings.

More problematic from a data protection perspective is however the fact that Windows generates a unique advertising ID for each user on a device. This advertising ID can be used by third parties, such as app developers and advertising networks for profiling purposes.

Also, when device encryption is on, Windows automatically encrypts the drive Windows is installed on and generates a recovery key. The BitLocker recovery key for the user’s device is automatically backed up online in the Microsoft OneDrive account.

Microsoft’s updated terms also state that they collect basic information “from you and your devices, including for example “app use data for apps that run on Windows” and “data about the networks you connect to.”

Users who chose to enable Microsoft’s personal assistant software “Cortana” have to live with the following invasion to their privacy: “To enable Cortana to provide personalized experiences and relevant suggestions, Microsoft collects and uses various types of data, such as your device location, data from your calendar, the apps you use, data from your emails and text messages, who you call, your contacts and how often you interact with them on your device. Cortana also learns about you by collecting data about how you use your device and other Microsoft services, such as your music, alarm settings, whether the lock screen is on, what you view and purchase, your browse and Bing search history, and more.” But this is not all, as this piece of software also analyses undefined “speech data”: “we collect your voice input, as well your name and nickname, your recent calendar events and the names of the people in your appointments, and information about your contacts including names and nicknames.”

But Microsoft’s updated privacy policy is not only bad news for privacy. Your free speech rights can also be violated on an ad hoc basis as the company warns:

“We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to”, for example, “protect their customers” or “enforce the terms governing
the use of the services”.

So much for clearly understandable and straightforward terms of service.

Microsoft Privacy Statement

Microsoft Services Agreement

Windows 10, Microsoft and your personal data: what you need to know (only in French, 11.06.2015)

Microsoft provides privacy dashboard ahead of Windows 10 launch (04.06.2015)

(Contribution by Kirsten Fiedler and Heini Järvinen, EDRi)



20 May 2015

EDRi-gram 300: Digital rights news from 2025

By Kirsten Fiedler

We are proud to present the 300th edition of the EDRi-gram as an eBook entitled “Digital rights news from 2025″!


Since 2003, the EDRi-gram is reporting on developments across Europe to raise awareness of attacks on freedom of expression and privacy as well as to highlight good news and best practice. The EDRi-gram publishes free speech and privacy advocates’ media stories from across Europe every two weeks. EDRi’s members, observers and guest authors frequently contribute with reports and analysis from their home countries.

To celebrate our 300th edition, we have collected articles from the brightest stars in the digital rights universe. In the articles, they imagine what they will be writing about in 2025.

Editors: Joe McNamee, Kirsten Fiedler, Heini Järvinen

With contributions by: Dunja Mijatović, Hans de Zwart, Simon Davies, Jillian C. York, Cory Doctorow, Katarzyna Szymielewicz, Joe McNamee, Jesper Lund, Kirsten Fiedler, Erich Moechel, Raegan MacDonald, Estelle Massé, Douwe Korff, Bogdan Manolea, Monica Horten and Annie Machon.

The anniversary edition is available in various formats, including a DRM-free ebook (.epub ), a .pdf version and is published under a CC-by-sa licence on our website and on all major retailers worldwide.

Get your copy:




06 May 2015

Privacy Cafés launched to improve secure communications in the EP

By Heini Järvinen

Ever since the publication of documents from the Snowden archive, which indicate that the US National Security Agency (NSA) and the UK Government Communications Headquarters (CGHQ) were behind the cyber-attacks on the European institutions, an improvement of the European Parliament’s IT security was to be expected. The report by Civil Liberties Committee Chair Claude Moraes on mass surveillance therefore called on Directorate-General for Innovation and Support (DG ITEC), the service in charge of security in the European Parliament, to carry out a thorough analysis, to make recommendations and to present a final report in June 2015. Unfortunately, the developments have been rather slow so far. Two years after the first revelations, Parliamentarians are still not able to receive or send encrypted communications.

Therefore, on 21 April 2015, EDRi organised, together with EDRi members Liga voor Mensenrechten and Access, the first Privacy Café in the European Parliament (EP). The goal of the Privacy Café was to give Members of the European Parliament (MEPs) and their assistants an overview on the importance of protecting their privacy, and to introduce a selection of practical tools to improve the privacy of their private and professional communications. After the introductory presentation, each participant could join one or several hands-on workshops, to learn about email encryption, mobile messaging or private browsing. The instructors went through the installation of the tools, and offered advice and practical help to the participants. Step-by-step instructions for each tool were also available in printed format.

The European Parliament has a lot to improve from the point of view of privacy and secure communications; the default solutions on the professional devices for browsing the Internet, document sharing and sending internal emails are often not privacy friendly, and installing add-ons or software enhancing privacy (such as GPG4Win) is made difficult or impossible.

The event raised a lot of interest and positive attention. To continue the work to increase awareness of privacy issues within the EP, more Privacy Cafés are being planned. Among the participants were representatives from the DG ITEC, the body responsible for providing IT support to MEPs and Political Groups, and for running of the European Parliament computing and network centre. EDRi is now in contact with them, to investigate the possibilities to discuss for improvements to the current tools and practices in place in the EP.

EDRi-gram: EDRi launches privacy trainings in the European Parliament (28.01.2015)

Belgacom Attack: Britain’s GCHQ Hacked Belgian Telecoms Firm (20.10.2013)

Parliamentary question: Regin malware used in cyber attacks on EU institutions and Belgacom (05.12.2014)
Hand-out: What Is Encryption?

Hand-out: How to use PGP on a Windows PC

Hand-out: How to use RedPhone on Android

Hand-out: How to use Signal – Private Messenger

Hand-out: How to use TextSecure on Android

Hand-out: How to leave fewer traces while you’re surfing



22 Apr 2015

Big Brother Awards Germany 2015

By Guest author

On 17 April 2015, EDRi member Digitalcourage held its annual Big Brother Awards gala in Bielefeld, Germany. Just two days earlier, politicians in Berlin had provided a very poignant context when the German Justice Minister Heiko Maas’ “grand coalition” had published “guidelines” for a draft bill to reintroduce telecommunications data retention in Germany.

At the gala itself, the plans for telecommunications data retention could not be reflected in one of the “core” awards, as these had been based on nominations received over the previous year. However, the “Newspeak” award for shifts in terminology covered the latest attempt to push ahead mass surveillance of communications data, as the Justice and Interior Ministers had “garnished” their new proposals with yet another new euphemistic term.

The award in the “Technology” category was given to the “Hello Barbie” doll and its makers Mattel and Toytalk (a new company specialising in language recognition for children). The doll comes with a microphone, speaker and Wi-Fi capability. It records conversations at the push of a button and sends the recordings to “the cloud”, where they are processed and stored – primarily to produce meaningful responses in subsequent conversations. This means that children are made to disclose their concerns to a server farm, and parents are let into their children’s secrets by means of a daily or weekly protocol that Mattel will send them via email.

The “Authorities and Administration” award went to Germany’s foreign intelligence agency, the Bundesnachrichtendienst (BND), for its entanglement with the US National Security Agency’s (NSA’s) surveillance network, for its surveillance activities of cross-border communications, for sharing vast amounts of constitutionally protected data with foreign partner agencies, and for obstructing the work of the German Parliament’s commission of inquiry which was set up after the Snowden revelations. However, the BND’s budget and competences are set to be given a further boost, as there are plans to increase its budget by 300 million Euros and give it further surveillance tasks, such as monitoring social networks.

The “Business” award went to two “crowdworking” or “crowdsourcing” platforms, Amazon Mechanical Turk and Elance-oDesk. These platforms parcel out work commissions submitted by clients to registered workers. The laudation detailed how these platforms try to portray the work model they create in a false sense of freedom, while any actual freedom is mainly in the sense of being “set free“: It’s low-paid work at short notice, with no reliability or (social) security. As a “bonus”, Elance-oDesk workers are being put under intrusive surveillance. Moreover, a frequent use of Amazon Mechanical Turk’s “workforce” is to add manipulated content in Internet forums, product reviews etc.

Amazon was pinpointed a second time in the “Workplace” category, this time for the way they treat their own employees in their German distribution centres. At least two Amazon subsidiaries in Germany ask their workers to sign declarations of consent that allow Amazon to store and process personal data, including health data. Also, storage and processing takes place in the US, but the declaration does not contain any information on how European data protection standards might be followed. These rules clearly break the limits set by German privacy and industrial legislation as well as the constitutionally protected principle of patient–physician confidentiality.

The “Consumer Protection” award was centred on Germany’s electronic health card. This project was given a Big Brother Award already in 2004, but the health card was only introduced in 2014, and it was time to take a broader view on the implementing “electronic health act” and the underlying developments. Digital data processing is getting more and more widely used in the health sector, and in the process, principles of medical secrecy are quietly undermined, and health budgets are being shifted from the actual provision of public health to private companies that provide electronic infrastructure or own hospital chains or pharmaceutical companies.

In the “Politics” category, the current German Interior Minister Thomas de Maizière and his predecessor Hans-Peter Friedrich were jointly awarded for systematically and fundamentally sabotaging the EU’s planned General Data Protection Regulation. The award speech was given by Austrian jury guest Max Schrems (known for his “Europe vs Facebook” lawsuit). His speech also raised the issue of entanglement between German ministry officials involved in the negotiations with industry lobbyists, quoting extracts from emails that point to a scandalous level of collusion between the two parties.

The Audience Award, in which the gala’s guests were asked to vote on which of the “winners” they found especially “impressive, surprising, shocking, or outrageous”, was won by the “Politics” award, slightly ahead of a fairly evenly placed “field” of almost all the other categories.

BigBrotherAwards 2015 “winners” (in English, full translations of the award speeches)

BigBrotherAwards 2015 media reactions (only in German)

EDRi-gram: In Germany, data retention refuses to die (25.03.2015)

(Contribution by Sebastian Lisken, EDRi member Digitalcourage, Germany)



22 Apr 2015

New Danish PNR system will rival the EU PNR Directive

By Guest author

For the second time in the parliamentary year 2014-15, the Danish government has made a legislative proposal for increased access to Passenger Name Records (PNR). The draft law, currently in public consultation, also sheds new light on the use of PNR data by Danish customs authorities. So far, the PNR discussion in Europe has mainly focused on police and intelligence services.

The main purpose of the new law is to give the Danish Security and Intelligence Service (PET) access to PNR data collected by the Danish Customs and Tax Administration (SKAT). Under Section 17 of the Danish Customs Act, SKAT can collect passenger information from airlines. Currently, SKAT is collecting all nineteen PNR elements in the Annex of the proposed PNR Directive, except the Advance Passenger Information (API) data in item 18. The new law will amend Section 17 so that SKAT has a legal basis to collect PNR data from airlines for itself as well as for the PET, and this can be done even if SKAT does not need the specific PNR data for its own operations.

The amended Section 17 will make it mandatory for airlines with flights to and from Denmark to provide PNR data (all 19 elements in the Annex, if available) to SKAT, which can use the data for customs purposes and share the data with PET for an entirely different purpose, namely prevention and prosecution of offences under Chapters 12 and 13 of the Danish Penal Code (mainly related to terrorism). Moreover, airlines will be required to provide the data in digital form to a new IT system under development by SKAT. The PNR data can be retained for up to two years by SKAT.

From the comments of the draft law, it appears that SKAT is already collecting PNR data from all airlines with flights to and from Denmark, including intra-EU flights. This is either done through information received from airlines on paper forms or direct access to booking systems. No airlines are named in the comments of the draft law, but a Danish Institute for International Studies (DIIS) report from 2011 about counter-terrorism in Denmark since 9/11 mentions that Scandinavian Airlines is giving SKAT free access to their database for customs control. SKAT is using the PNR information to actively profile all passengers, so that targeted customs checks can be performed at the gate before passengers leave the plane. The main objective is to find passengers smuggling narcotics and other illegal goods. The new IT system and mandatory digital transmission of PNR data will expand and streamline the PNR profiling done by SKAT.

Moreover, PET gets direct access to the PNR data collected by SKAT. PET is exempted from the Danish Data Protection Act, and PET can generally collect any information unless it can be completely ruled out beforehand that the information will be irrelevant to PET. This extremely vague criterion also applies to PNR data obtained from SKAT. PET can process the PNR data for as long as PET believes that the data is relevant for possible terrorist offences. This includes profiling of citizens’ travel patterns and data mining for unknown terrorist suspects. PET can also share the PNR data with the Danish Defence Intelligence Service (DDIS), and since DDIS is completely free to exchange data with other intelligence services, European PNR data collected by Danish customs authorities could end up in the hands of the United States National Security Agency (NSA).

The joint PNR operation of SKAT and PET is described as the Danish PNR system, and it shares many similarities with the highly controversial proposed EU PNR Directive. Currently, Denmark will not automatically be covered by the proposed EU PNR Directive due to an opt-out from EU Justice and Home Affairs (JHA) legislation, but this is likely to change in 2016 after a referendum on the JHA opt-out. The Danish government strongly supports adoption of the PNR Directive, but the excessive Danish PNR demands go much further than the PNR Directive; this indicates that the special Danish PNR system is meant to co-exist along with the EU PNR system.

For European citizens, the Danish PNR plans should be a cause for concern. The data protection safeguards of the proposed PNR Directive are quite weak, but they are even weaker in the Danish PNR system. For example, there is no right to access or rectification for PNR data held by PET. Furthermore, there is no maximum retention period or limitation on use for PNR data held by PET. The use of PNR data for customs profiling (by SKAT) is clearly incompatible with the principle of purpose limitation.

The draft law contains an interesting discussion of whether a national PNR law is subject to the EU Charter of Fundamental Rights. The Danish government argues that this is the case because the national PNR law regulates the freedom to provide services in the EU, which is guaranteed by Article 56 of the Treaty on the Functioning of the EU. The comments also mention the data retention judgment by the Court of Justice of the European Union (CJEU). However, the Danish government argues that the blanket collection of PNR data is much more limited in scope, and of a different character, than telecom metadata, and accordingly, the PNR provisions are necessary and proportionate. With respect to the legal basis in the Data Protection Directive 1995/46/EC, the proposed Danish PNR system relies on a combination of the public interest exemption in Article 7(e) for the initial collection by SKAT from airlines, and the general national security exemption for the subsequent data transfer to PET.

Draft law to amend the Customs Act and PET Act with PNR provisions (only in Danish, 10.04.2015)

Procedure file for 2011/0023(COD), EU PNR Directive

EDRi-gram: Denmark plans to use PNR data for increased Schengen border control (19.11.2014)

Counter-terrorism in Denmark since 11 September 2001, Danish Institute for International Studies, DIIS REPORT 2011:12 (only in Danish, 20.11.2011)

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)



21 Apr 2015

Citizens’ groups from around the world call on EC to defend privacy

By Joe McNamee

The institutions of the European Union are completing a reform of Europe’s Data Protection framework. Recognising the huge significance of the reform, the European Commission made an unequivocal promise when it launched the process. As an “absolute red line”, the level of protection of individuals’ data would not fall below existing levels. However, leaks show that this promise is not being kept.

Sixty-six NGOs from the European Union, North, Central and South America, Africa, Asia and Australia have joined forces to ask for a confirmation from European Commission President Jean-Claude Juncker that the promise will be respected.

“Without leadership from President Juncker, the right to privacy, not just in Europe but around the globe will be undermined”, said Joe McNamee, Executive Director of European Digital Rights, the organisation that initiated the letter. “We hope and expect that the Commission President will uphold the integrity and independence of his institution. We expect a short, rapid response to our question.”

In 2012, the European Commission made an initial legislative proposal to modernise and reform European privacy legislation. The proposal was amended by the European Parliament in 2014. This update is urgently needed, due to the challenges of new technology, the need to harmonise the law and ensure its effective enforcement in Europe. Faced with profiling, digitisation of health data and online tracking, every corner of our lives is increasingly being invaded by “big data”. Due to the amount of data being collected, businesses and governments increasingly know more about us than we know about ourselves – about our preferences, our health, our relationships and our politics. Without credible regulation citizens lose, businesses lose, society loses.

Read the letter here (PDF):

 21 April 2015

By email:
CC: First Vice-President Timmermans, Vice-President Ansip, Commissioner Jourová

Dear President Juncker,

The undersigned organisations, NGOs from the European Union and around the globe are deeply concerned at the changes to the data protection reform package being made in the Council of the European Union. Europe’s data protection framework is not just important for the protection of European citizens, it is not just important for building trust in European businesses, it is also crucial as an international gold standard for data protection and privacy on a global level.

On behalf of the College of Commissioners, former European Commission Vice-President Viviane Reding promised European citizens and businesses stronger, unified data protection rules, “bringing them into the digital age without compromising the high level of data protection which has been in place in Europe since 1995″. Dropping below the levels of protection in the 1995 Directive would be an “absolute red line” for the Commission, she promised. The Council has retreated beyond this line and is disappearing into the distance, as our recently published analysis demonstrates.

A failure of the European Commission to maintain levels of data protection in the 1995 Directive would be a breach of the promise made by the European Commission, it would be a breach of the promise of treaty-level protection of the right to personal data enshrined in Article 8 of the Charter of Fundamental Rights and it would be a crushing breach of trust for this, in your words, “last chance” Commission.

We write this letter with one simple question – will you take responsibility for ensuring that the Commission’s legal and political promise will be kept?

We look forward to your timely answer, before the Council completes its discussions ahead of the trialogue negotiations on this proposal.

Yours sincerely,
Joe McNamee
European Digital Rights – EDRi (Europe)
20 Rue Belliard, 1040 Brussels, Belgium

Access (International)
Association for Progressive Communications – APC (International)
Privacy International (International)
World Wide Web Foundation (International)

ALES – Alumni of European Studies (Croatia)
Aktion Freiheit statt Angst e.V. (Germany)
AKVorrat.at – Arbeitskreis Vorratsdaten Österreich (Austria)
Arbeitskreis Vorratsdatenspeicherung (Germany)
Asociatia pentru Tehnologie si Internet – ApTI (Romania)
BEUC – The European Consumer Organisation (Europe)
Bits of Freedom (Netherlands)
Consumentenbond (Netherlands)
Danish Consumer Council (Denmark)
Deutsche Vereinigung für Datenschutz e.V. (Germany)
DFRI (Sweden)
Digitalcourage (Germany)
Digitale Gesellschaft e.V. (Germany)
EU-Logos Athèna (Belgium)
European Information Society Institute – EISi (Slovakia)
FIfF – Forum InformatikerInnen für Frieden und gesellschaftliche Verantwortung e.V. (Germany)
Forum Datenschutz (Austria)
Fundamental Rights European Experts Group – FREE (Europe)
GeneWatch UK (United Kingdom)
GreenNet (United Kingdom)
Hungarian Civil Liberties Union (HCLU)
Initiative für Netzfreiheit (Austria)
International Modern Media Institute (Iceland)
Iuridicum Remedium (Czech Republic)
IT-Pol (Denmark)
Liberty – NCCL (United Kingdom)
medConfidential (United Kingdom)
Norwegian Consumer Council (Norway)
One World Platform (Bosnia Herzegovina)
Open Rights Group (United Kingdom)
Panoptykon Foundation (Poland)
SHARE Foundation (Serbia)
#StopWatchingUs Cologne (Germany)
VZBV – Federation of German Consumer Organisations (Germany)
VIBE – Verein für Internet-Benutzer Österreichs (Austria)

JONCTION (Senegal)
KICTANet (Kenya)
Unwanted Witness Uganda (Uganda)

Bytes for All (Pakistan)
CIS India (India)
Digital Rights Foundation (Pakistan)
Foundation for Media Alternatives (Philippines)

Australian Privacy Foundation (Australia)

Asociación para una Ciudadanía Participativa – ACI-Participa (Honduras)
Fundación Acceso (Costa Rica)
IPANDETEC – Instituto Panameño de Derecho y Nuevas Tecnologías (Panama)

British Columbia Civil Liberties Association (Canada)
Center for Digital Democracy (United States)
Consumer Federation of America (United States)
Consumer Watchdog (United States)
Electronic Privacy Information Center – EPIC (United States)
Horizontal (Mexico)
Open Government Project (Canada)
Red en Defensa de los Derechos Digitales – R3D (Mexico)
Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic – CIPPIC (Canada)

ADC – Asociación por los Derechos Civiles (Argentina)
DATA (Uruguay)
Fundacion Karisma (Colombia)
Fundación Vía Libre (Argentina)
Hiperderecho (Peru)
TEDIC (Paraguay)


08 Apr 2015

Report says Facebook tracking breaches EU law

By Guest author

On 31 March 2015, researchers of the University of Leuven and Vrije Univeristeit Brussel, Belgium, issued a report claiming that Facebook tracks online activity both of its users and non-users. According to the report, which was commissioned by the Belgian Privacy Commission, this type of tracking contravenes EU online privacy laws.

Facebook uses a tracking cookie to trace its users online activity whenever visiting a web page belonging to a facebook.com domain. Furthermore, users are being tracked across websites even when they are logged out or do not use social plug-ins. This means that Facebook receives data whenever someone visits a website with the Facebook “Like button”, even if a person does not use this plug-in. What is more, people who do not have a Facebook account are being tracked with the help of a “datre” cookie. “Datre” cookie contains a unique identifier which is placed onto the browsers of people in Europe who are not Facebook users. When placed, it takes two years before it expires.

The report argues that this kind of behaviour is clearly in violation of the EU e-Privacy Directive. In order for a website to use a cookie or perform tracking via social plug-ins it must require a prior consent, unless it is needed to connect to the service network or is specifically requested by the user.

According to an opinion of the Article 29 Data Protection Working Party, issued in 2012, Facebook’s tracking practices have no legal basis in the EU. Social plug-ins must have a consent before placing a cookie, unless one of the exceptions applies. Since social plug-ins are by definition for the member of a social network, the e-privacy directive exception cannot apply to non-users. Furthermore, the report argues that it is not legal to trace even Facebook users who are logged out at the time of browsing. The Article 29 Working Party document explains that logged-in users cannot be served a “datre” cookie but only a “session cookie” which expires when logged out or when the browser is closed.

Therefore, Facebook default settings that allow it to gather information about people for advertising purposes contravenes EU privacy policy. As explained by Brendan Van Alsenoy, one of the authors of the report: “To be legally valid, an individual’s consent towards online behavioural advertising must be opt-in.”

Facebook spokesperson commented the report by Belgian academics claiming that it contains factual inaccuracies, however he not specifying what he was referring to, and stating that Facebook completely complies with the EU Data Protection Directive. On the other hand, the authors of the study claim the opposite, saying the users have very little control over the data Facebook tracks and are unaware how exactly their data is used for advertising purposes.

Facebook ”tracks all visitors, breaching EU law” (31.03.2015)

Facebook tracking said to breach EU law (01.04.2015)

Facebook “violates Euro data law” say Belgian data cops’ researchers (01.04.2015)

ICRI/CIR and iMinds-SMIT advise Belgian Privacy Commission in Facebook investigation

(Contribution by Morana Perušić, EDRi intern)



08 Apr 2015

Data protection and privacy must be excluded from TTIP

By Maryant Fernández Pérez

Data protection is a contentious issue in the discussions about the Transatlantic Trade and Investment Partnership (TTIP) and other trade or investment agreements, such as the Trade in Services Agreement (TiSA). Now that the European Parliament is preparing to issue a non-legislative resolution on TTIP, various parliamentary committees are giving their input to the committee in charge, the Committee on International Trade (INTA).

The committee that takes the lead as regards fundamental rights and freedoms is the Committee on Civil Liberties, Justice and Home Affairs (LIBE). While everyone has one eye on the reform of data protection and one eye on TTIP developments, LIBE adopted a strong Opinion on 31 March 2015 for the European Commission to respect EU fundamental rights and freedoms, especially as regards data protection and privacy.

Led by its rapporteur, Member of the European Parliament (MEP) Jan Albrecht, the LIBE Opinion refers to the need for a binding and suspensive human rights clause; the exclusion of data protection and privacy; the respect of democracy and the rule of law; the fight against mass surveillance and the need for further transparency and accountability, among other important subjects.

Concerning data protection and privacy, the LIBE Committee asks the Commission to exclude these fundamental rights from both TTIP and TiSA negotiations. In fact, the EU and the United States are discussing data transfers and data protection in other fora, namely on the Safe Harbor and the Data Protection Umbrella Agreement. In relation to TiSA, the LIBE Committee rejects the draft chapter on e-commerce proposed by the US. When addressing data flows, LIBE asks for compliance of EU adequacy rules. This point is of particular importance since the European Commission “has conceded that it cannot guarantee EU citizens’ fundamental right to privacy when their data is transferred to the US”, as the Irish Times reported in relation to the case C-362/14, Schrems v Data Protection Commissioner.

Accordingly, one of the fundamental points of the Opinion is the inclusion of an enforceable horizontal clause based on Article XIV of the General Agreement on Trade in Services (GATS) to exempt “the existing and future EU legal framework for the protection of personal data from the agreement, without any condition that it must be consistent with other parts of the TTIP”.

The next round of the TTIP negotiations is going to take place in New York, between 20-24 April 2015. Now, it is crucial that the INTA committee takes the LIBE Opinion in full consideration for the Commission to follow Parliament’s advice.

TTIP Resolution: document pool (last update 08.04.2015)

TTIP: Trade agreements must not undermine EU data protection laws, say Civil Liberties MEPs (31.03.2015)

Do Facebook and the USA violate EU data protection law? The CJEU hearing in Schrems (29.03.2015)

EU cannot guarantee citizens’ privacy when transferring data to US, court told (25.03.2015)

Documents of CJEU case C-362/14, Schrems v Data Protection Commissioner (25.03.2015)

EDRi-gram: Revelations on Safe Harbour violations go to hearing at EU Court (11.03.2015)

EDRi’s red lines on TTIP (13.01.2015)

(Contribution by Maryant Fernández Pérez, EDRi)



25 Mar 2015

The evolution of the concept of privacy

By Guest author

In 1776, John Adams wrote that it had been the British right to search houses without justification that sparked the fight for independence. In other words, John Adams thought that it had been an unjustified violation of privacy that had kindled one of history’s most noteworthy revolutions.

More than two centuries later, those unruly colonies – now the United States of America – see themselves once again at the centre of a debate on privacy. Many of the world’s most data-intensive companies hail from the US – and are criticised for what is perceived to be an excessive accumulation and use of their users’ personal data. Piled on top of this, we know, as a result of Edward Snowden’s revelations, that the National Security Agency (NSA) of the United States has been at the forefront of a group of intelligence agencies that have been using that and other data to build massive databases containing information on millions of people living everywhere that today’s information and computer technologies reach.

Throughout modern history, from searches without just cause to big data and mass surveillance, , the notion of privacy has surfaced time and again. However, while the word has remained the same, its meaning never stopped evolving. We must be aware of that development if we are to effectively deal with future challenges, in particular the pressing issue of the regulation of the collection, access, and use of personal information both by private and public actors.

What John Adams deemed unacceptable was the groundless intrusion into people’s private sphere. It was his fellow Americans, Louis Brandeis – later a Supreme Court Judge – and Samuel Warren, who would put this conception of privacy most succinctly: Privacy is the right to “being let alone”. On this understanding, privacy is something that you have as long as people, organisations or institutions are denied access to you. However, this notion, inspired mainly by the idea of physical boundaries, sees itself confronted with insuperable difficulties in an age where the debate’s focus lies squarely on informational privacy.

The internet is one of the areas in which informational privacy, the protection of personal information, has become crucial. Internet users do not want to be left alone; they want to partake in the offerings of the internet and participate in what has become one of their most important social spheres. Privacy concerns are nowadays focused to a large extent on the information we share or generate on the internet, often publicly, rather than what we wish to conceal within the private confines of our homes.

The notion of privacy has adapted to those changing circumstances and today the focus lies mainly on users’ control of their personal data. This concept forms the foundation of many political arguments; the “right to be forgotten”, “notice and consent” systems and transparency requirements all aspire to give users control. While control is important, the evolution of technology already strains the ability of users to meaningfully control their personal data by means of informed choices. In fact, this notion’s capacity to protect people’s fundamental interests is failing even before the relevant policies have seen widespread adoption.

A first problem is that people are so overloaded by requests to consent to the use of their data that informed choice becomes illusory. If people want to engage in the cultural and social life offered in the digital sphere, they will not be able to assess all the terms of services and privacy notices they see themselves confronted with. And opting-out of the internet can no longer be called a real option. Secondly, privacy is no longer a purely personal matter. The information we choose to share or allow to be gathered affects not only our own privacy but also the privacy of all those we interact with.

The complementary limitation theory of privacy could help bridge some of these difficulties. According to this notion, a person has privacy when access to personal information is limited in certain contexts. While we can only have limited control as to how some of our personal information is used, there should be limits as to who can use information gathered in a certain context. In the age of big data, and even more so in the future of the Internet of Things, this notion is poised to become all the more important. Many users feel very uneasy if the information collected by, for instance, their car or metro card is used to target them with advertisements the next time they visit an online retailer. This phenomenon is taken to another level with “profiling”, the use of your data to guess about aspects of your personality, generating insights into your personality and habits that you may not even know are possible. To the extent that more and more spheres of people’s lives will generate digital personal data, separation of those spheres will become more and more important.

While helpful in resolving some of the problems associated with the regulation of privacy, the limitation concept of privacy brings with it its own host of difficulties. There is for example the argument that privacy is essential for freedom and autonomy. Would Darwin or Copernicus have been able to make their ground-breaking and controversial discoveries if the prevailing powers at the time had more insight into their activities? Probably not. However, if consent cannot be the only principle governing privacy matters, then mandatory privacy standards seem unavoidable. It is then essential to ensure that the privacy standards serve to guarantee freedom and autonomy rather than unduly restricting it.

While today’s citizens’ worries about privacy are very different from John Adams’, their concerns are legitimate. These worries must be taken into account when designing the rules that should regulate the use of personal data in the digital world. And one thing is certain: An adequate concept of privacy is essential for a good regulation of personal data. The tasks before us are not simple, but they cannot be escaped and become more pressing with each passing day.

Originally published in the Synergy Magazine:
The evolution of the concept of privacy: From the American revolution, to big data and the Internet of Things

Warren, Samuel D., and Louis D. Brandeis. “The Right to Privacy.” Harvard Law Review 4, no. 5 (December 15, 1890): 193–220.

Adams, John, Charles Francis Adams, and John Adams. Letters of John Adams, Addressed to His Wife. Boston, C.C. Little and J. Brown, 1848. 338.

Cohen, Julie E. “What Privacy Is For.” Harvard Law Review 126 (2013): 1904–33.

Tavani, Herman T. “Philosophical Theories of Privacy: Implications for an Adequate Online Privacy Policy.” Metaphilosophy 38, no. 1 (2007): 1–22.

(Contribution by Julian Hauser, EDRi intern)