18 Nov 2015

UK Draft Investigatory Powers Bill: Missed opportunity

By Guest author

The UK Government has published a draft of the long-awaited Investigatory Powers Bill.

Since the Snowden revelations, civil liberty groups have been calling for a new law that would restrain the UK intelligence and law enforcement agencies. The UK government, however, has been calling for increased surveillance powers since the failure of the draft Communications Data Bill in 2012. The Bill, which became known as the ”Snoopers’ Charter” proposed forcing Internet Service Providers (ISPs) and phone companies to keep data about UK citizens’ Internet browsing activity, emails and phone calls for 12 months. The Bill was defeated but there have been repeated calls to bring it back, and even an attempt to insert its provisions as amendments to a different Counter Terrorism Bill.

................................................................. Support our work - make a recurrent donation! https://edri.org/supporters/ .................................................................

The draft Investigatory Powers Bills does not go as far as the draft Communications Data Bill, but it would oblige ISPs to keep data about websites visited by their customers for 12 months. EDRi member Open Rights Group (ORG) will make a submission to the Joint Committee that will now scrutinise the legislation.

The draft bill spells out the powers that the security services have for the collection of content and data in bulk. Although this had been done for years, no one really understood the extent of the UK Government Communications Headquarters’ (GCHQ’s) capabilities until the Snowden leaks. The government has acknowledged that secret agencies have been going even further, accessing data in bulk from UK internet providers, not “just” from international cables. The bill effectively endorses these previously secret – and at face value disproportionate – mass surveillance powers. This is in addition to powers to obtain bulk datasets, such as contact lists, driving licences, travel or banking records.

One of the most controversial parts of this new Bill is that ISPs will be forced to keep much more detailed data about their clients’ internet activities. To access this data, the police would need to get a court order – this seems to be a concession to the European Court of Justice (CJEU) ruling in April 2015 that said there must be safeguards for accessing retained data. In July 2015, the UK High Court (EWHC) said that parts of the Data Retention and Investigatory Powers Bill were unlawful for the same reason.

The new Bill proposes a new system of “double-lock”, where some warrants will be signed both by the Secretary of State or an authorised person, and additionally by a special judge. At face value this might seem an improvement on the current situation where judges do not have a role, but there are concerns that in practice this may simply amount to a rubber-stamp. Judges would have a very narrow role, only being allowed to check that there are grounds for the minister’s decision, and that procedures have been followed, but not to challenge the substance of the decision. Fully independent judicial authorisation would be a more meaningful guarantee of due process. Disappointingly, the draft new bill still allows police, councils and other agencies to obtain communications data without the need to involve a judge.

The Bill asks for powers to compel communications providers to assist with demands for interception. How companies do this will presumably be at their discretion. In some cases this might involve compromising their software to make the encryption less effective.

The Bill clarifies the powers of security agencies to break into individuals’ laptops and mobile phones, including worrying new powers for non targeted mass hacking. It also forces internet companies to help in hacking their customers.

What are the positives? On first reading the Bill seems to be very clear about the powers being given to the State. Transparency over these activities is very welcome, as it enables debate and challenges to specifics, including in the courts. There also seems to be improvements to redress, including the right to appeal rulings by the Investigatory Powers Tribunal. The new Investigatory Powers Commissioner may also bring improvements to democratic oversight.

ORG’s initial view is that the draft bill appears to be a missed opportunity to rein in the surveillance state. It mainly seems to legalise current practices, and add a veneer of human rights compliance without fundamentally changing what the police and secret agencies already do.

First take on the Investigatory Powers Bill (05.11.2015)

(Contribution by Pam Cowburn, EDRi member Open Rights Group, United Kingdom)



28 Oct 2015

Fundamental Rights are Fundamental

By Joe McNamee

Statement of Leading Digital Rights and Consumer NGOs

37th International Conference of Data Protection and Privacy Commissioners Amsterdam, The Netherlands

We join together this week in Amsterdam, celebrating the success of Max Schrems in the case before the European Court of Justice concerning Safe Harbor. NGO leaders around the world have expressed support for Max’s courageous legal battle, and we have praised the landmark judgment of the Court. The Court of Justice reaffirmed the fundamental rights of privacy and data protection in our modern information economy. The Court made clear the responsibility of national data protection agencies to safeguard fundamental rights.

We also recognize the important work underway by privacy officials, civil society, and innovators around the globe to safeguard personal freedoms. The challenges to privacy and data protection are never ending. We acknowledge and thank those who work to make our lives a little safer and a little more secure.

Within the NGO Community, we have worked for many years to advance the right to privacy. Beginning in 1999, the TransAtlantic Consumer Dialogue (TACD) first called attention to the weaknesses of the Safe Harbor regime. We urged lawmakers to update privacy laws and address growing concerns among consumers about data abuse. Ten years later, the Public Voice gathering at the Commissioners conference in Spain issued the Madrid Privacy Declaration, widely endorsed by NGOs and experts around the world. More recently, civil society leaders on both sides of the Atlantic have called for new legal protections to end mass surveillance and to restore trust and confidence in the digital economy.

It is against this background that we express concern about the conference this year in Amsterdam.

We were surprised and disappointed that the conference organizers this year focused on a report recommending actions that would do little to change the business or government behavior that threatens privacy and data protection. The report recommends no substantive changes in law. Particularly after the Safe Harbor decision, the “Bridges report” is remarkably out of touch with the current legal reality and what we need to do to address it.

The failure of the Amsterdam conference to engage with the many new chachallenges, from “Big Data” to drone surveillance, is also a lost opportunity. The practical consequence of focusing instead on failed policies, such as self-­regulation, will be to make more difficult the work of the privacy experts around the world who could have otherwise benefitted from a meaningful discussion about how to move forward on legislation, aggressive enforcement, and other steps that are long overdue. Yes, they are difficult; all the more reason why we need to act now.

Digital rights organizations and consumer NGOs call on the Data Protection Commissioners to refocus their attention on the need to update and enforce privacy law.

There is a long tradition of civil society engagement with the annual conference. There has always been a “constructive tension” between the Data Protection commissioners and civil society. But we have always shared a common goal – the strengthening of fundamental rights and the protection of privacy and data protection. Toward those objectives, we remain united.

We look forward to conferences that actively support and encourage discourse with civil society about the future of privacy and data protection.

Access Now
Asociatia pentru Tehnologie si Internet (APTi)
Bill of Rights Defense Committee
Bits of Freedom
Center for Digital Democracy (CDD)
Chaos Computer Club
Constitutional Alliance Consumer Action
Consumer Federation of America
Consumer Watchdog
Cyber Privacy Project
Defending Dissent Foundation
Electronic Frontier Foundation (EFF)
Electronic Privacy Information Center (EPIC)
European Consumer Organization(BEUC)
European Digital Rights (EDRi)
Friends of Privacy (US)
Hungarian Civil Liberties Union
IT‐Political Association of Denmark
Ligue des Droits de l’Homme
Norwegian Consumer Council
Patient Privacy Rights
Panoptykon Foundation
Privacy International
Privacy Rights Clearinghouse
Privacy Times
Transatlantic Consumer Dialogue (TACD)

(as of 27 October 2015, 1330 EDT)

TransAtlantic Consumer Dialogue
European Digital Rights
Madrid Privacy Declaration

30 Sep 2015

Civil rights groups condemn draft mass surveillance bill to be adopted in France

By Kirsten Fiedler

Today EDRi, together with 30 civil rights groups, sent the following letter to French parliamentarians to condemn a draft mass surveillance bill which is scheduled to be adopted on 1 October. You can download the letter in English (pdf) and in French (pdf). If your organisation wishes to sign, please contact us at brussels(at)edri.org.

Dear Member of the Assemblée Nationale,

The undersigned civil and human rights organisations call on French parliamentarians to reject the draft law on surveillance measures for international electronic communications (“Proposition de loi relative aux mesures de surveillance des communications électroniques internationales”). The bill fails to defend and protect the right to privacy of individuals worldwide.

With this new bill, parliament is about to approve new disproportionate surveillance measures to monitor international communications. Based on the principle of massive collections of data, the bill seeks to legitimise the civil and human rights abuses revealed by Edward Snowden about the practice of intelligence agencies such as the ones in the US and the UK. As a crucial part of the global Internet traffic goes through French submarine cables, this law would put France in the list of countries with sweeping surveillance capabilities. This bill follows from the Surveillance Law passed in June, which allows the French government, among other measures, to monitor people’s phone calls and emails without judicial approval; and to install black boxes on internet service providers’ infrastructure to collect metadata on millions of innocent individuals. Earlier this year, the French Constitutional Council struck down one of the provisions of the Surveillance bill, and the new proposal seeks to re-authorise the international surveillance programme impacted. The draft law will be voted on 1 October by the French National Assembly.

In particular, we are deeply concerned that

  • the bill would allow for indiscriminate mass surveillance of millions of people in France and abroad;
  • independent oversight and control mechanisms are completely lacking. The massive data collection scheme would be conducted under the sole authority of the French Prime Minister, with only ex post control from the oversight authority. This does not sufficiently guarantee the protection of privacy and the respect for rights and freedoms;
  • clearly excessive and unjustified retention periods for data (content for one year, metadata for six years, encrypted content for eight years) are foreseen, in contradiction with the principles laid out by the Court of Justice of the European Union (CJEU) in its ruling on 8 April 2014 invalidating the Data Retention Directive;
  • the justification of the measures is so broad as to be meaningless, such as the defence of “major interests of foreign policy” and “major economic and scientific interests of France”;
  • the broad language leaves room for the future use of undefined surveillance technologies which could lead to an extension of the scope of the bill without any involvement of democratic institutions;
  • only lawyers, journalists, representatives and magistrates established in France would theoretically be granted some form of protection, although, for instance, the private or professional nature of their communications can only be established during the data processing, and in any event the law does not protect them against bulk collection and exploitation of their communications.

We, the undersigned organisations urge the French Parliament to reject this international surveillance bill and protect the rights of individuals all around the world. The principle of universality of rights is a fundamental principle, especially the European Union. We call on you to strengthen civil liberties and human rights safeguards for all and reject this proposal. Thank you.


European Digital Rights (EDRi)
Electronic Frontier Foundation (EFF)
Chaos Computer Club (CCC)
Article 19
Code Red
Web We Want Foundation
Electronic Frontier Finland (EFFI)
AKVorrat.at (Working Group on Data Retention Austria)
Initiative für Netzfreiheit
Icelandic Modern Media Initiative (IMMI)
Global Voices
Amnesty International
Pen International
Digital Rights Foundation
Australian Privacy Foundation
CPJ (Committee to Protect Journalists)
Digitale Gesellschaft e. V.
Bits of Freedom
IT-Political Association
Panoptykon Foundation
Association for Progressive Communications
Privacy International
Reporters sans frontières (Reporter Without Borders)
Alternative Informatics Association
ACI-Participa (Honduras)


23 Sep 2015

AVG starts selling personal data to third parties

By Guest author

The Czech Republic based security software vendor AVG Technologies recently updated its privacy policy. The objective of the changes, according to the company, was to explain in a more transparent manner to their users how it intends to use what it calls ”non-personal information”. The new privacy policy will take effect on 15 October 2015.

The company defines “non-personal data” as data that cannot be linked to the identity of users in any way. The new privacy policy explains that the company might collect and sell this information to third parties, to allow their anti-virus product to stay free or charge to the users. AVG also notes that it might anonymise and aggregate data that could otherwise identify individual users. The text assures that the company does not sell or rent its clients’ personal data to third parties, but the next paragraph warns that certain personal data may be shared with any of their “affiliated AVG companies, search providers, selected AVG resellers, distributors and other partners”.

................................................................. Support our work - make a recurrent donation! https://edri.org/supporters/ .................................................................

The changes for the final user are not significant from the previous version of AVG’s privacy policy which stated that the company could collect data on “the words you search”, but did not make it clear whether browser history data could also be collected and sold to third parties.

The reactions to the new privacy policy are diverse. Data protection and IT law expert Orla Lynskey from the London School of Economics welcomed the improved wording, but said that users can be justifiably concerned by the implications to their privacy. “Its privacy policy is written in clear and simple language,” adding that users might expect an anti-virus provider to be “more respectful” of their privacy and data security. Alexander Hanff, security expert and chief executive of Think Privacy, stated that AVG’s potential ability to collect and sell browser and search history data places the company “squarely into the category of spyware”.

AVG’s new privacy policy is on the one hand more transparent than its previous ones that intentionally blurred the line between collecting data for malware tracking and using it for profit, which can be considered as a step in the right direction. On the other hand, by making its privacy policy easier to understand, the company shows more openly how it is collecting and re-selling the data – which is an activity that many would consider unethical for a security software company with elevated privileges to the personal and “non-personal” data of its clients.

AVG Privacy Policy

AVG can sell your browsing and search history to advertisers (18.09.2015)

AVG’s new privacy policy is uncomfortably honest about tracking users (17.09.2015)

Is AVG planning to sell user data to advertisers following privacy policy change? (17.09.2015)

(Contribution by Pierre Christopher, EDRi intern)



23 Sep 2015

Germany dreams of security: An ID for every “thing” connected

By Kirsten Fiedler

New infrastructures often resemble untapped oil sources – everyone tries to get in as early as possible in order to grab the biggest share. The German newspaper Die Zeit Online revealed in September that a chip manufacturer has apparently been going to great lengths to ensure a large share of the growing market of the “Internet of things”.

The Dutch company NXP lobbied the German Ministry for Economic Affairs to push for the introduction of unique identifiers for every “thing” connected to the Internet. NXP is one of Europe’s biggest semiconductor manufacturers and specialises in the production of identification hardware, such as security chips that are used in electronic ID cards and passports. In the market for chips, this is rather a tiny part – but Die Zeit suspects that the company now wants to use its lobbying skills to grow this market and to conquer it.

................................................................. Support our work - make a recurrent donation! https://edri.org/supporters/ .................................................................

According to an investigation conducted by the newspaper, the German Ministry for Economic Affairs was already en route to transform the Internet for things into a big surveillance infrastructure. The idea of the manufacturer is that every “thing” that is connected to the internet, such as fridges, central heatings, laptops, cars etc., should be equipped with a chip that makes it uniquely identifiable. This would then function as some sort of a digital ID card for every single device connected to the Net.

A draft “identity security law” is supposed to provide the legal framework in the country for this infrastructure. Currently, the details only exist in form of a “key issues paper”, a type of document which often serves as a basis for draft laws. Die Zeit’s article seems to be based on this 15-page long internal paper called “identity security law for the Internet of Things”.

The newspaper also reports on a meeting between Ministry of the Economy, Sigmar Gabriel, and representatives of NXP. During the meeting, Gabriel was successfully convinced to support the measure. The key issues paper drafted by NXP was then circulated internally in the Ministry and in other companies in order to discuss the paper.

The paper was criticised by civil society, opposition parties and industry representatives. Harald Summa, head of the Association of the German Internet Industry eco, stated that the chip would be a huge barrier to innovation and counter-productive for Germany’s information technologies future.

Frank Rieger, spokesperson of the German EDRi-member Chaos Computer Club Chaos stated:

The text attempts to use the security problem of some components of the internet of things as a springboard for a universal governmental device ID, which would be a surveillance nightmare. Moreover, this does not fix the actual problem: the software of the devices on the internet of things are as poor as in our computers and cell phones. One should start here in order to change market dynamics to increase security.

Zeit Online, An ID card for every toaster? (only in German, 17.09.2015)

(Contribution by Kirsten Fiedler, EDRi)



23 Sep 2015

Safe Harbor: European Court Advocate General says Agreement should be declared invalid

By Heini Järvinen

This morning, the Advocate General of the Court of Justice of the European Union (CJEU), in his Opinion on the “Safe Harbor” Agreement with the United States, advised the Court to declare the entire Agreement invalid. The catalyst for the case was the mass surveillance practices of the United States.

Sixteen years ago, the EU and US concluded an agreement to allow personal data to be transferred into the US jurisdiction, which does not have comprehensive privacy laws. Literally from day one, it was quite clear that the agreement was unlikely to succeed. Now, after fifteen years of criticism from academics, from privacy advocates and from independent studies, the Advocate General of the European Court of Justice has confirmed what we already knew – the Agreement should be declared invalid. The Agreement has been kept alive by the European Commission’s refusal to accept the ever-growing mountain of evidence of the inadequacy of the Agreement.

“If confirmed by the full Court, this is a very important step for the right to privacy in Europe,” said Joe McNamee, Executive Director of European Digital Rights. “What happens next is crucial. It must never again happen, like in this case, like in the case of the Data Retention Directive, that obduracy from the Commission can keep agreements or laws in force that are patently illegal.”

We now await the ruling of the full Court, which we fully expect to uphold the opinion of the Advocate General.

Read more:

Press Release from the CJEU: http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf

Full text of the Opinion:

FAQ – Safe Harbor

1) What is the Safe Harbor agreement?

Under EU data protection legislation, personal data can only be transmitted outside the EU under number of specific circumstances. One of these is a recognition of adequate data protection rules in the country where the data is being sent.

Due to the fragmented, inadequate approach to data protection in the US, a specific arrangement, called “Safe Harbor” was designed to create a framework for transfer of data to the United States. This was adopted in 2000.

There have long been serious concerns about the real protection that Safe Harbour actually provided. For example the 2008 study by Galexa called “The US Safe Harbor – Fact or Fiction” identified numerous problems. Implementation reports demanded by a sceptical European Parliament also resulted in reports from the European Commission that pointed to problems, but refused to recognise the scale of the instrument’s problems.

2) Why is it suddenly a problem now?

Under the current framework of the EU Data Protection law (Directive 95//46/EC), transfers of personal data need to ensure “an adequate level of protection”. Given the revelations exposed by Edward Snowden on the mass surveillance activities performed by the US National Security Agency (NSA), serious concerns were raised about how the Safe Harbour agreement provides the adequate level of protection for European data. In particular the surveillance under NSA’s PRISM programme facilitated by mass exports of data raise serious concerns.

During questioning in the hearing in the Court, the European Commission representative reportedly admitted that adequate protection is not offered by the agreement.

3) What happens if it is revoked by the Court of Justice?

There are other options for legal transfer of data outside the EU. While some industry representatives claim that suspension of the agreement would be hugely costly from an economic perspective, this is not the case.

4) What has the Advocate General said today? Is this already a “decision” or a “judgement”?

The Advocate General’s role is to advise the Court on what it should do. In most cases the Court (which will make a final decision shortly) follows the Opinion of the Advocate General. So, today’s announcement is not the final ruling.

In his opinion, the Advocate General stated that if a Data Protection authority considers there is not enough protection in a given country, the national authority needs to have the “power to suspend that transfer, irrespective of the general assessment made by the Commission in its decision “. He also added that the US practices allow for “large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection” and that this lack of judicial protection is a disproportional interference with the right of EU citizens of the to an effective remedy, protected by the EU Charter of Fundamental Rights.


09 Sep 2015

Romania: After PNR, a proposal for retention of tourist data

By Guest author

On 15 July 2015, the Committee on Civil Liberties, Justice and Home Affairs (LIBE) of the European Parliament narrowly voted in favour of the EU Passenger Name Record (PNR) Directive proposal (32 in favour, 26 against, no abstentions), a mass surveillance measure to collect and process air traveller data for profiling purposes. This came after the rejection of a previous PNR proposal by the LIBE Committee in 2013 and the subsequent abandonment of that proposal in 2014.

Even so, in a worst case scenario of having the PNR Directive proposal fast-tracked through the legislative procedure, like the Data Retention Directive of 2006, it would still take some six months for the proposal to go through all the steps before becoming European law.

Roughly at the same time, the Romanian Government was having far fewer qualms about PNR than the European Parliament and its Committees. On 13 July 2015, the draft law “Government Statute no. 13” was silently adopted, thus creating a Romanian PNR system. No public debate was conducted, and the impact of the new law on fundamental rights was not assessed.

On 5 August 2015, another proposal for a governmental decision was published, mandating the implementation of a PNR-like system for people staying at any hotel, hostel or guest house in Romania. This means that personal identification data of everyone who is renting a room in Romania is entered by a hotel employee in a centralised computer system called “Integrated Tourist Record Computer System” (SIET). The system would be hosted and run by Special Telecommunications Service (STS), which is a militarised intelligence agency with almost no civilian oversight.

Access to the tourist data gathered and stored within this system raises even more questions. The purpose of the system is, ostensibly, to gather and analyse tourist data to improve the quality of the Romanian tourism industry. However, while the tourism industry is only going to get access to statistical data, various law enforcement organisations of the Internal Affairs Ministry (MAI) will have unrestricted access to all data based simply on an agreement between them and the STS.

The proposal’s authors and supporters justify the measure by explaining that it just brings in a computer system to do what was already being done with pen and paper. Romania is still using a system from the communist times, where all tourists who book a room at a hotel or hotel-like establishment are being asked for identification as a mandatory precondition for their stay. The personal data collected by the hotel is being forwarded on a daily basis to the local police station.

On 26 August, at EDRi member ApTI’s request, the Romanian Economy, Commerce and Tourism Ministry (MECT) organised a public debate about SIET. Unfortunately, any attempt to debate the issues of SIET on the basis of its impact on fundamental rights is futile.

EU PNR document pool (27.07.2015)

Statute no. 13/2015 regarding the use of some data from the passenger name registers for cross-border cooperation in order to prevent and combat terrorism, terrorism-related infractions and infractions against national security, as well as preventing and removing threats to national security (only in Romanian, 13.07.2015)

Governemt Decision for the adoption of the Integrated Tourist Record Computer System and the Norms regarding the access, record keeping and protection of tourists in establishments with accommodation facilities (only in Romanian)

Do you want the Police to know where you go on vacation? Join the public debate about the Integrated Tourist Record Computer System (SIET) (only in Romanian, 20.08.2015)

How we found out that we’ll all have “a chip under our skin” at the public debate about SIET (only in Romanian, 03.09.2015)

(Contribution by Matei Vasile, EDRi member ApTI, Romania)



08 Sep 2015

Privacy Café 2.0: Improving the security of online communications

By Kirsten Fiedler

In order to repeat the success of our previous Privacy Café in the European Parliament, we are organising another training session on how to protect communications and privacy online. The event will provide basic hands-on guidance for increased online privacy for Members of the European Parliament, their assistants and Parliament staff. Since it is a hands-on session for beginners and experts alike, participants are asked to bring their devices (smartphones, laptops, tablets etc).


What: Privacy Café
When: 17 September 2015, 6pm
Where: Room ASP05E1, European Parliament
RSVP: kirsten.fiedler[at]edri.org

The Snowden revelations of massive intrusions into Parliament infrastructures should have led to better security. They didn’t. More than two years after the first publications, Parliamentarians are still not able to receive or send encrypted communications, to enhance security when browsing the internet or to use privacy-friendly messaging and calling solutions. The event will also emphasise that learning personal security is just a small link of a bigger chain – we also need strong privacy protections for all.

The “Privacy Café” is co-organised by three civil society organisations, EDRi, Access and the Flemish League for Human Rights.


01 Sep 2015

EDRi launches a campaign for online privacy for kids

By Heini Järvinen


Today, we launched a crowdfunding campaign to create a textbook to raise awareness among kids for the protection of their privacy online.

“We want to teach children what they need to consider to protect themselves online,” said Kirsten Fiedler, Managing Director of European Digital Rights. “The goal is to create material, translated into as many languages as possible, that can be used in schools, at home and elsewhere.”

The internet offers children tremendous opportunities to learn and to explore new ideas. However, younger internet users often possess insufficient knowledge of how their reputations can be affected by their interactions online. Sometimes it is not easy to tell who someone really is online, and there are many reasons for which businesses might try to get personal information about kids or their families. Parents and teachers cannot always be on hand, which is why it is important to empower kids to also protect their own online privacy.

The campaign will continue until 15 September, and if it reaches its target of 5000 euro, a textbook to explain how the internet works, with practical examples, exercises and sample lessons, will be published, translated, and distributed around Europe.

You can find the campaign here:


05 Aug 2015

Our internships at EDRi: We made digital rights matter

By Guest author

During the last couple of months, as EDRi’s interns, through advocacy, campaigning and reporting, we were given a unique opportunity to challenge threats to fundamental rights posed in the context of net neutrality, privacy, personal data and copyright. It was a fruitful and rewarding experience that allowed us to put our theoretical skills into practice while promoting human values of freedom and dignity in the online world.

Here is a short summary of our wonderful journey at EDRi:


During my internship, I had the opportunity to work closely on three currently “hot issues”: data protection, copyright and Passenger Name Record (PNR). Since my arrival at EDRi, I was following the activities concerning these subjects and gained a lot of insight by participating in meetings, conferences and events, reading and analysing documents, as well as monitoring the work progress of three main EU institutions: the European Parliament, the European Commission and the Council of the European Union.

Thanks to the fact that I was following the Data protection reform developments, I have learnt what is behind the mystery known as “trialogue” and how it functions. The European Parliament’s early steps in reforming and modernising copyright was a great chance to see how the work of the Members of the European Parliament (MEPs) evolves and how a document can significantly change from the first draft to the final vote in plenary.

Some of the moments I enjoyed the most were visiting the European Parliament, the Commission and the Council for the first time, listening to different perspectives and interesting debates at the events I attended, contacting and meeting Permanent Representations of the EU Member States, analysing the Data retention legislation in Member States, and learning about encryption and basic tools which can protect my privacy online.

All in all, my time at EDRi has helped me enrich my understanding of the European institutions and their work significantly. Participating in the whole process was extremely beneficial to see and understand how the legislation is made at the EU level and how civil society can influence and be part of this process. I have also realised that advocating for citizens’ rights can sometimes be overwhelming and seem pointless, like in the case of the recently adopted EU PNR proposal. However, analysing Marietje Schaake’s Opinion on human rights in third countries, where the suggestions from EDRi were adopted by the Parliament, assured me that organisations like EDRi definitely play an important role in changing the future into a better one.


During my experience at EDRi, I mainly worked on the Telecom Single Market (TSM) package and on trade agreements. To be honest, I didn’t expect trade agreements to be that relevant to digital rights. Indeed, it was very challenging and interesting to deal with trade law and try to understand how a new generation of free trade agreements could affect fundamental rights such as privacy and data protection, which seemed to be completely unrelated to trade issues at first sight.

During these last months, I had the opportunity to follow the legislative procedure of the European Parliament’s own-initiative report on the Transatlantic Trade and Investment Partnership (TTIP). I participated in a whole range of advocacy activities, like contacting MEPs offices to arrange meetings and participating in these meetings, assisting in the analysis of amendments, contacting Committee secretariats to get information on the legislative procedure, preparing documents for internal use and help drafting documents and analyses. In this context, it was particularly challenging and gratifying to take part in writing the “TTIP and Digital Rights” booklet (pdf).

Along with the internal work of the association, the experience at EDRi also gave me the opportunity to participate in several external meetings. Particularly as regards TTIP, I took part in events organised by stakeholders and think tanks, civil society meetings and events organised by the European Commission.

Concerning the Telecoms Single Market (TSM) which is crucial for a potential legal safeguard of net neutrality, my internship gave me the opportunity to understand how important it is to have early contacts with MEPs and keep them informed with position papers and analyses on your positions. Following the TSM trialogue was fundamental to understand how the European institutions work in practice. Only knowing the ordinary legislative procedure can be useless in Brussels because informal meetings can deeply affect how policies are made. Besides the ups and downs of the trialogue negotiations, it was very thrilling and instructive to be involved in the net neutrality “fight”. On some days, this file taught me how institutions can be obscure, producing text that makes it difficult to orientate yourself in the details of legislation. On other days, it was great to see the results of our work, and to see how civil society associations like EDRi can make a difference at EU level.


Unfortunately, our joyful ride of protecting digital freedoms at EDRi has come to its last stop. It is time to take our suitcases, fully packed with new skills and knowledge, as well as our bursting confidence and even stronger determination to advocate for digital rights, and head off to a new destination where we can put into practice all the knowledge we gained here.

Last, but certainly not least, we want to thank the EDRi Brussels team for being our amazing guides on this journey, supporting us and making us smile even on a grey, cloudy Brussels day.

Off to some new and exciting adventures!

(Contribution by Morana Perušić and Aldo Sghirinzetti, EDRi interns)