20 May 2015

EDRi-gram 300: Digital rights news from 2025

By Kirsten Fiedler

We are proud to present the 300th edition of the EDRi-gram as an eBook entitled “Digital rights news from 2025″!


Since 2003, the EDRi-gram is reporting on developments across Europe to raise awareness of attacks on freedom of expression and privacy as well as to highlight good news and best practice. The EDRi-gram publishes free speech and privacy advocates’ media stories from across Europe every two weeks. EDRi’s members, observers and guest authors frequently contribute with reports and analysis from their home countries.

To celebrate our 300th edition, we have collected articles from the brightest stars in the digital rights universe. In the articles, they imagine what they will be writing about in 2025.

Editors: Joe McNamee, Kirsten Fiedler, Heini Järvinen

With contributions by: Dunja Mijatović, Hans de Zwart, Simon Davies, Jillian C. York, Cory Doctorow, Katarzyna Szymielewicz, Joe McNamee, Jesper Lund, Kirsten Fiedler, Erich Moechel, Raegan MacDonald, Estelle Massé, Douwe Korff, Bogdan Manolea, Monica Horten and Annie Machon.

The anniversary edition is available in various formats, including a DRM-free ebook (.epub ), a .pdf version and is published under a CC-by-sa licence on our website and on all major retailers worldwide.

Get your copy:





06 May 2015

Privacy Cafés launched to improve secure communications in the EP

By Heini Järvinen

Ever since the publication of documents from the Snowden archive, which indicate that the US National Security Agency (NSA) and the UK Government Communications Headquarters (CGHQ) were behind the cyber-attacks on the European institutions, an improvement of the European Parliament’s IT security was to be expected. The report by Civil Liberties Committee Chair Claude Moraes on mass surveillance therefore called on Directorate-General for Innovation and Support (DG ITEC), the service in charge of security in the European Parliament, to carry out a thorough analysis, to make recommendations and to present a final report in June 2015. Unfortunately, the developments have been rather slow so far. Two years after the first revelations, Parliamentarians are still not able to receive or send encrypted communications.

Therefore, on 21 April 2015, EDRi organised, together with EDRi members Liga voor Mensenrechten and Access, the first Privacy Café in the European Parliament (EP). The goal of the Privacy Café was to give Members of the European Parliament (MEPs) and their assistants an overview on the importance of protecting their privacy, and to introduce a selection of practical tools to improve the privacy of their private and professional communications. After the introductory presentation, each participant could join one or several hands-on workshops, to learn about email encryption, mobile messaging or private browsing. The instructors went through the installation of the tools, and offered advice and practical help to the participants. Step-by-step instructions for each tool were also available in printed format.

The European Parliament has a lot to improve from the point of view of privacy and secure communications; the default solutions on the professional devices for browsing the Internet, document sharing and sending internal emails are often not privacy friendly, and installing add-ons or software enhancing privacy (such as GPG4Win) is made difficult or impossible.

The event raised a lot of interest and positive attention. To continue the work to increase awareness of privacy issues within the EP, more Privacy Cafés are being planned. Among the participants were representatives from the DG ITEC, the body responsible for providing IT support to MEPs and Political Groups, and for running of the European Parliament computing and network centre. EDRi is now in contact with them, to investigate the possibilities to discuss for improvements to the current tools and practices in place in the EP.

EDRi-gram: EDRi launches privacy trainings in the European Parliament (28.01.2015)

Belgacom Attack: Britain’s GCHQ Hacked Belgian Telecoms Firm (20.10.2013)

Parliamentary question: Regin malware used in cyber attacks on EU institutions and Belgacom (05.12.2014)
Hand-out: What Is Encryption?

Hand-out: How to use PGP on a Windows PC

Hand-out: How to use RedPhone on Android

Hand-out: How to use Signal – Private Messenger

Hand-out: How to use TextSecure on Android

Hand-out: How to leave fewer traces while you’re surfing



22 Apr 2015

Big Brother Awards Germany 2015

By Guest author

On 17 April 2015, EDRi member Digitalcourage held its annual Big Brother Awards gala in Bielefeld, Germany. Just two days earlier, politicians in Berlin had provided a very poignant context when the German Justice Minister Heiko Maas’ “grand coalition” had published “guidelines” for a draft bill to reintroduce telecommunications data retention in Germany.

At the gala itself, the plans for telecommunications data retention could not be reflected in one of the “core” awards, as these had been based on nominations received over the previous year. However, the “Newspeak” award for shifts in terminology covered the latest attempt to push ahead mass surveillance of communications data, as the Justice and Interior Ministers had “garnished” their new proposals with yet another new euphemistic term.

The award in the “Technology” category was given to the “Hello Barbie” doll and its makers Mattel and Toytalk (a new company specialising in language recognition for children). The doll comes with a microphone, speaker and Wi-Fi capability. It records conversations at the push of a button and sends the recordings to “the cloud”, where they are processed and stored – primarily to produce meaningful responses in subsequent conversations. This means that children are made to disclose their concerns to a server farm, and parents are let into their children’s secrets by means of a daily or weekly protocol that Mattel will send them via email.

The “Authorities and Administration” award went to Germany’s foreign intelligence agency, the Bundesnachrichtendienst (BND), for its entanglement with the US National Security Agency’s (NSA’s) surveillance network, for its surveillance activities of cross-border communications, for sharing vast amounts of constitutionally protected data with foreign partner agencies, and for obstructing the work of the German Parliament’s commission of inquiry which was set up after the Snowden revelations. However, the BND’s budget and competences are set to be given a further boost, as there are plans to increase its budget by 300 million Euros and give it further surveillance tasks, such as monitoring social networks.

The “Business” award went to two “crowdworking” or “crowdsourcing” platforms, Amazon Mechanical Turk and Elance-oDesk. These platforms parcel out work commissions submitted by clients to registered workers. The laudation detailed how these platforms try to portray the work model they create in a false sense of freedom, while any actual freedom is mainly in the sense of being “set free“: It’s low-paid work at short notice, with no reliability or (social) security. As a “bonus”, Elance-oDesk workers are being put under intrusive surveillance. Moreover, a frequent use of Amazon Mechanical Turk’s “workforce” is to add manipulated content in Internet forums, product reviews etc.

Amazon was pinpointed a second time in the “Workplace” category, this time for the way they treat their own employees in their German distribution centres. At least two Amazon subsidiaries in Germany ask their workers to sign declarations of consent that allow Amazon to store and process personal data, including health data. Also, storage and processing takes place in the US, but the declaration does not contain any information on how European data protection standards might be followed. These rules clearly break the limits set by German privacy and industrial legislation as well as the constitutionally protected principle of patient–physician confidentiality.

The “Consumer Protection” award was centred on Germany’s electronic health card. This project was given a Big Brother Award already in 2004, but the health card was only introduced in 2014, and it was time to take a broader view on the implementing “electronic health act” and the underlying developments. Digital data processing is getting more and more widely used in the health sector, and in the process, principles of medical secrecy are quietly undermined, and health budgets are being shifted from the actual provision of public health to private companies that provide electronic infrastructure or own hospital chains or pharmaceutical companies.

In the “Politics” category, the current German Interior Minister Thomas de Maizière and his predecessor Hans-Peter Friedrich were jointly awarded for systematically and fundamentally sabotaging the EU’s planned General Data Protection Regulation. The award speech was given by Austrian jury guest Max Schrems (known for his “Europe vs Facebook” lawsuit). His speech also raised the issue of entanglement between German ministry officials involved in the negotiations with industry lobbyists, quoting extracts from emails that point to a scandalous level of collusion between the two parties.

The Audience Award, in which the gala’s guests were asked to vote on which of the “winners” they found especially “impressive, surprising, shocking, or outrageous”, was won by the “Politics” award, slightly ahead of a fairly evenly placed “field” of almost all the other categories.

BigBrotherAwards 2015 “winners” (in English, full translations of the award speeches)

BigBrotherAwards 2015 media reactions (only in German)

EDRi-gram: In Germany, data retention refuses to die (25.03.2015)

(Contribution by Sebastian Lisken, EDRi member Digitalcourage, Germany)



22 Apr 2015

New Danish PNR system will rival the EU PNR Directive

By Guest author

For the second time in the parliamentary year 2014-15, the Danish government has made a legislative proposal for increased access to Passenger Name Records (PNR). The draft law, currently in public consultation, also sheds new light on the use of PNR data by Danish customs authorities. So far, the PNR discussion in Europe has mainly focused on police and intelligence services.

The main purpose of the new law is to give the Danish Security and Intelligence Service (PET) access to PNR data collected by the Danish Customs and Tax Administration (SKAT). Under Section 17 of the Danish Customs Act, SKAT can collect passenger information from airlines. Currently, SKAT is collecting all nineteen PNR elements in the Annex of the proposed PNR Directive, except the Advance Passenger Information (API) data in item 18. The new law will amend Section 17 so that SKAT has a legal basis to collect PNR data from airlines for itself as well as for the PET, and this can be done even if SKAT does not need the specific PNR data for its own operations.

The amended Section 17 will make it mandatory for airlines with flights to and from Denmark to provide PNR data (all 19 elements in the Annex, if available) to SKAT, which can use the data for customs purposes and share the data with PET for an entirely different purpose, namely prevention and prosecution of offences under Chapters 12 and 13 of the Danish Penal Code (mainly related to terrorism). Moreover, airlines will be required to provide the data in digital form to a new IT system under development by SKAT. The PNR data can be retained for up to two years by SKAT.

From the comments of the draft law, it appears that SKAT is already collecting PNR data from all airlines with flights to and from Denmark, including intra-EU flights. This is either done through information received from airlines on paper forms or direct access to booking systems. No airlines are named in the comments of the draft law, but a Danish Institute for International Studies (DIIS) report from 2011 about counter-terrorism in Denmark since 9/11 mentions that Scandinavian Airlines is giving SKAT free access to their database for customs control. SKAT is using the PNR information to actively profile all passengers, so that targeted customs checks can be performed at the gate before passengers leave the plane. The main objective is to find passengers smuggling narcotics and other illegal goods. The new IT system and mandatory digital transmission of PNR data will expand and streamline the PNR profiling done by SKAT.

Moreover, PET gets direct access to the PNR data collected by SKAT. PET is exempted from the Danish Data Protection Act, and PET can generally collect any information unless it can be completely ruled out beforehand that the information will be irrelevant to PET. This extremely vague criterion also applies to PNR data obtained from SKAT. PET can process the PNR data for as long as PET believes that the data is relevant for possible terrorist offences. This includes profiling of citizens’ travel patterns and data mining for unknown terrorist suspects. PET can also share the PNR data with the Danish Defence Intelligence Service (DDIS), and since DDIS is completely free to exchange data with other intelligence services, European PNR data collected by Danish customs authorities could end up in the hands of the United States National Security Agency (NSA).

The joint PNR operation of SKAT and PET is described as the Danish PNR system, and it shares many similarities with the highly controversial proposed EU PNR Directive. Currently, Denmark will not automatically be covered by the proposed EU PNR Directive due to an opt-out from EU Justice and Home Affairs (JHA) legislation, but this is likely to change in 2016 after a referendum on the JHA opt-out. The Danish government strongly supports adoption of the PNR Directive, but the excessive Danish PNR demands go much further than the PNR Directive; this indicates that the special Danish PNR system is meant to co-exist along with the EU PNR system.

For European citizens, the Danish PNR plans should be a cause for concern. The data protection safeguards of the proposed PNR Directive are quite weak, but they are even weaker in the Danish PNR system. For example, there is no right to access or rectification for PNR data held by PET. Furthermore, there is no maximum retention period or limitation on use for PNR data held by PET. The use of PNR data for customs profiling (by SKAT) is clearly incompatible with the principle of purpose limitation.

The draft law contains an interesting discussion of whether a national PNR law is subject to the EU Charter of Fundamental Rights. The Danish government argues that this is the case because the national PNR law regulates the freedom to provide services in the EU, which is guaranteed by Article 56 of the Treaty on the Functioning of the EU. The comments also mention the data retention judgment by the Court of Justice of the European Union (CJEU). However, the Danish government argues that the blanket collection of PNR data is much more limited in scope, and of a different character, than telecom metadata, and accordingly, the PNR provisions are necessary and proportionate. With respect to the legal basis in the Data Protection Directive 1995/46/EC, the proposed Danish PNR system relies on a combination of the public interest exemption in Article 7(e) for the initial collection by SKAT from airlines, and the general national security exemption for the subsequent data transfer to PET.

Draft law to amend the Customs Act and PET Act with PNR provisions (only in Danish, 10.04.2015)

Procedure file for 2011/0023(COD), EU PNR Directive

EDRi-gram: Denmark plans to use PNR data for increased Schengen border control (19.11.2014)

Counter-terrorism in Denmark since 11 September 2001, Danish Institute for International Studies, DIIS REPORT 2011:12 (only in Danish, 20.11.2011)

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)



08 Apr 2015

Report says Facebook tracking breaches EU law

By Guest author

On 31 March 2015, researchers of the University of Leuven and Vrije Univeristeit Brussel, Belgium, issued a report claiming that Facebook tracks online activity both of its users and non-users. According to the report, which was commissioned by the Belgian Privacy Commission, this type of tracking contravenes EU online privacy laws.

Facebook uses a tracking cookie to trace its users online activity whenever visiting a web page belonging to a facebook.com domain. Furthermore, users are being tracked across websites even when they are logged out or do not use social plug-ins. This means that Facebook receives data whenever someone visits a website with the Facebook “Like button”, even if a person does not use this plug-in. What is more, people who do not have a Facebook account are being tracked with the help of a “datre” cookie. “Datre” cookie contains a unique identifier which is placed onto the browsers of people in Europe who are not Facebook users. When placed, it takes two years before it expires.

The report argues that this kind of behaviour is clearly in violation of the EU e-Privacy Directive. In order for a website to use a cookie or perform tracking via social plug-ins it must require a prior consent, unless it is needed to connect to the service network or is specifically requested by the user.

According to an opinion of the Article 29 Data Protection Working Party, issued in 2012, Facebook’s tracking practices have no legal basis in the EU. Social plug-ins must have a consent before placing a cookie, unless one of the exceptions applies. Since social plug-ins are by definition for the member of a social network, the e-privacy directive exception cannot apply to non-users. Furthermore, the report argues that it is not legal to trace even Facebook users who are logged out at the time of browsing. The Article 29 Working Party document explains that logged-in users cannot be served a “datre” cookie but only a “session cookie” which expires when logged out or when the browser is closed.

Therefore, Facebook default settings that allow it to gather information about people for advertising purposes contravenes EU privacy policy. As explained by Brendan Van Alsenoy, one of the authors of the report: “To be legally valid, an individual’s consent towards online behavioural advertising must be opt-in.”

Facebook spokesperson commented the report by Belgian academics claiming that it contains factual inaccuracies, however he not specifying what he was referring to, and stating that Facebook completely complies with the EU Data Protection Directive. On the other hand, the authors of the study claim the opposite, saying the users have very little control over the data Facebook tracks and are unaware how exactly their data is used for advertising purposes.

Facebook ”tracks all visitors, breaching EU law” (31.03.2015)

Facebook tracking said to breach EU law (01.04.2015)

Facebook “violates Euro data law” say Belgian data cops’ researchers (01.04.2015)

ICRI/CIR and iMinds-SMIT advise Belgian Privacy Commission in Facebook investigation

(Contribution by Morana Perušić, EDRi intern)



08 Apr 2015

Data protection and privacy must be excluded from TTIP

By Maryant Fernández Pérez

Data protection is a contentious issue in the discussions about the Transatlantic Trade and Investment Partnership (TTIP) and other trade or investment agreements, such as the Trade in Services Agreement (TiSA). Now that the European Parliament is preparing to issue a non-legislative resolution on TTIP, various parliamentary committees are giving their input to the committee in charge, the Committee on International Trade (INTA).

The committee that takes the lead as regards fundamental rights and freedoms is the Committee on Civil Liberties, Justice and Home Affairs (LIBE). While everyone has one eye on the reform of data protection and one eye on TTIP developments, LIBE adopted a strong Opinion on 31 March 2015 for the European Commission to respect EU fundamental rights and freedoms, especially as regards data protection and privacy.

Led by its rapporteur, Member of the European Parliament (MEP) Jan Albrecht, the LIBE Opinion refers to the need for a binding and suspensive human rights clause; the exclusion of data protection and privacy; the respect of democracy and the rule of law; the fight against mass surveillance and the need for further transparency and accountability, among other important subjects.

Concerning data protection and privacy, the LIBE Committee asks the Commission to exclude these fundamental rights from both TTIP and TiSA negotiations. In fact, the EU and the United States are discussing data transfers and data protection in other fora, namely on the Safe Harbor and the Data Protection Umbrella Agreement. In relation to TiSA, the LIBE Committee rejects the draft chapter on e-commerce proposed by the US. When addressing data flows, LIBE asks for compliance of EU adequacy rules. This point is of particular importance since the European Commission “has conceded that it cannot guarantee EU citizens’ fundamental right to privacy when their data is transferred to the US”, as the Irish Times reported in relation to the case C-362/14, Schrems v Data Protection Commissioner.

Accordingly, one of the fundamental points of the Opinion is the inclusion of an enforceable horizontal clause based on Article XIV of the General Agreement on Trade in Services (GATS) to exempt “the existing and future EU legal framework for the protection of personal data from the agreement, without any condition that it must be consistent with other parts of the TTIP”.

The next round of the TTIP negotiations is going to take place in New York, between 20-24 April 2015. Now, it is crucial that the INTA committee takes the LIBE Opinion in full consideration for the Commission to follow Parliament’s advice.

TTIP Resolution: document pool (last update 08.04.2015)

TTIP: Trade agreements must not undermine EU data protection laws, say Civil Liberties MEPs (31.03.2015)

Do Facebook and the USA violate EU data protection law? The CJEU hearing in Schrems (29.03.2015)

EU cannot guarantee citizens’ privacy when transferring data to US, court told (25.03.2015)

Documents of CJEU case C-362/14, Schrems v Data Protection Commissioner (25.03.2015)

EDRi-gram: Revelations on Safe Harbour violations go to hearing at EU Court (11.03.2015)

EDRi’s red lines on TTIP (13.01.2015)

(Contribution by Maryant Fernández Pérez, EDRi)



25 Mar 2015

The evolution of the concept of privacy

By Guest author

In 1776, John Adams wrote that it had been the British right to search houses without justification that sparked the fight for independence. In other words, John Adams thought that it had been an unjustified violation of privacy that had kindled one of history’s most noteworthy revolutions.

More than two centuries later, those unruly colonies – now the United States of America – see themselves once again at the centre of a debate on privacy. Many of the world’s most data-intensive companies hail from the US – and are criticised for what is perceived to be an excessive accumulation and use of their users’ personal data. Piled on top of this, we know, as a result of Edward Snowden’s revelations, that the National Security Agency (NSA) of the United States has been at the forefront of a group of intelligence agencies that have been using that and other data to build massive databases containing information on millions of people living everywhere that today’s information and computer technologies reach.

Throughout modern history, from searches without just cause to big data and mass surveillance, , the notion of privacy has surfaced time and again. However, while the word has remained the same, its meaning never stopped evolving. We must be aware of that development if we are to effectively deal with future challenges, in particular the pressing issue of the regulation of the collection, access, and use of personal information both by private and public actors.

What John Adams deemed unacceptable was the groundless intrusion into people’s private sphere. It was his fellow Americans, Louis Brandeis – later a Supreme Court Judge – and Samuel Warren, who would put this conception of privacy most succinctly: Privacy is the right to “being let alone”. On this understanding, privacy is something that you have as long as people, organisations or institutions are denied access to you. However, this notion, inspired mainly by the idea of physical boundaries, sees itself confronted with insuperable difficulties in an age where the debate’s focus lies squarely on informational privacy.

The internet is one of the areas in which informational privacy, the protection of personal information, has become crucial. Internet users do not want to be left alone; they want to partake in the offerings of the internet and participate in what has become one of their most important social spheres. Privacy concerns are nowadays focused to a large extent on the information we share or generate on the internet, often publicly, rather than what we wish to conceal within the private confines of our homes.

The notion of privacy has adapted to those changing circumstances and today the focus lies mainly on users’ control of their personal data. This concept forms the foundation of many political arguments; the “right to be forgotten”, “notice and consent” systems and transparency requirements all aspire to give users control. While control is important, the evolution of technology already strains the ability of users to meaningfully control their personal data by means of informed choices. In fact, this notion’s capacity to protect people’s fundamental interests is failing even before the relevant policies have seen widespread adoption.

A first problem is that people are so overloaded by requests to consent to the use of their data that informed choice becomes illusory. If people want to engage in the cultural and social life offered in the digital sphere, they will not be able to assess all the terms of services and privacy notices they see themselves confronted with. And opting-out of the internet can no longer be called a real option. Secondly, privacy is no longer a purely personal matter. The information we choose to share or allow to be gathered affects not only our own privacy but also the privacy of all those we interact with.

The complementary limitation theory of privacy could help bridge some of these difficulties. According to this notion, a person has privacy when access to personal information is limited in certain contexts. While we can only have limited control as to how some of our personal information is used, there should be limits as to who can use information gathered in a certain context. In the age of big data, and even more so in the future of the Internet of Things, this notion is poised to become all the more important. Many users feel very uneasy if the information collected by, for instance, their car or metro card is used to target them with advertisements the next time they visit an online retailer. This phenomenon is taken to another level with “profiling”, the use of your data to guess about aspects of your personality, generating insights into your personality and habits that you may not even know are possible. To the extent that more and more spheres of people’s lives will generate digital personal data, separation of those spheres will become more and more important.

While helpful in resolving some of the problems associated with the regulation of privacy, the limitation concept of privacy brings with it its own host of difficulties. There is for example the argument that privacy is essential for freedom and autonomy. Would Darwin or Copernicus have been able to make their ground-breaking and controversial discoveries if the prevailing powers at the time had more insight into their activities? Probably not. However, if consent cannot be the only principle governing privacy matters, then mandatory privacy standards seem unavoidable. It is then essential to ensure that the privacy standards serve to guarantee freedom and autonomy rather than unduly restricting it.

While today’s citizens’ worries about privacy are very different from John Adams’, their concerns are legitimate. These worries must be taken into account when designing the rules that should regulate the use of personal data in the digital world. And one thing is certain: An adequate concept of privacy is essential for a good regulation of personal data. The tasks before us are not simple, but they cannot be escaped and become more pressing with each passing day.

Originally published in the Synergy Magazine:
The evolution of the concept of privacy: From the American revolution, to big data and the Internet of Things

Warren, Samuel D., and Louis D. Brandeis. “The Right to Privacy.” Harvard Law Review 4, no. 5 (December 15, 1890): 193–220.

Adams, John, Charles Francis Adams, and John Adams. Letters of John Adams, Addressed to His Wife. Boston, C.C. Little and J. Brown, 1848. 338.

Cohen, Julie E. “What Privacy Is For.” Harvard Law Review 126 (2013): 1904–33.

Tavani, Herman T. “Philosophical Theories of Privacy: Implications for an Adequate Online Privacy Policy.” Metaphilosophy 38, no. 1 (2007): 1–22.

(Contribution by Julian Hauser, EDRi intern)



11 Mar 2015

Danish anti-terror proposal expands surveillance

By Guest author

On 19 February 2015, the Danish government presented a 12-point plan for new anti-terror initiatives in response to the Charlie Hebdo attack in Paris and the shooting incident in Copenhagen on 14 February. This will become the third major anti-terror package since 2001 to be presented to the Danish Parliament.

The focus of the plan is on surveillance measures in Denmark and abroad through increased budgets, new IT-systems, and new powers for the intelligence services, the Danish Defence Intelligence Services (DDIS) and the Danish Security and Intelligence Service (PET), which is part of the Danish police.

The most controversial element is targeted surveillance and eavesdropping of communications of Danish citizens abroad. This will be done by DDIS without a court order. The head of DDIS will decide whether a Danish citizens can be targeted for surveillance. It is currently not clear whether an unspecified group, for example Danish citizens in Syria, can be targeted in this way. Statements in an interview given by the Danish Minister of Defence support the conjecture that this would indeed be possible.

Since 2006, DDIS can collect, analyse and retain information about Danish citizens if that information is discovered “by chance” in an operation directed against activities in a foreign country. This includes signal intelligence and mass collection of electronic communication, for example by tapping fibre-optic cables. Until it is analysed, the mass collection is referred to as “raw data”. DDIS is allowed to exchange this information with intelligence services in other countries, including raw data that may contain information about unknown Danish citizens. Information about Danish citizens, which DDIS has discovered “by chance”, can be shared freely with PET, and PET may use the information in criminal investigations and prosecutions.

Under the current rules (from 2006), DDIS is required to inform a supervisory committee if DDIS wants to retain information about a Danish citizen for more than six months. The number of cases in which DDIS retains information is kept secret. According to the annual report from the supervisory committee, it is only known that this number is increasing.

The report also says that roughly half of the information comes from DDIS’ own collection (mass surveillance), the other half from information sharing with other intelligence services. The information about Danish citizens mainly relates to terrorism, but computer hacking and organised crime are also mentioned in the annual report.

Because of the requirement that information has to be obtained “by chance”, DDIS cannot do targeted surveillance against Danish citizens. The new proposal, however, would allow DDIS to initiate targeted surveillance of Danish citizens outside Denmark as its own operation, and a court order would not be required for this. It is unclear how DDIS will do this in practice and it remains to be seen whether DDIS will be subjected to any real legal restrictions on the targeted surveillance of Danish citizens outside Denmark.

The new DDIS surveillance powers have been heavily criticised by legal experts in Denmark. A legal analysis from the Danish think tank Justitia concluded that the targeted surveillance powers of DDIS would exceed those of the US National Security Agency (NSA) and the UK Government Communications Headquarters (GCHQ) as the NSA is required to obtain a court order in order to target a United States citizen.

On 8 March 2015, the Danish newspaper Politiken reported that DDIS has been seeking extended powers for targeted surveillance without a court order for several years, but until recently the Ministry of Justice opposed the idea.

A strong guard against terror, The Danish Government (in Danish only, 19.02.2015)

Justitia Analysis: DDIS surveillance of Danes abroad without a court order (in Danish only, 26.02.2015)

Danish intelligence to get more power than NSA, The Local (25.02.2015)

Greater powers for the spies in the Danish defence, Politiken (in Danish only, 08.03.2015)

(Contribution by Jesper Lund, EDRi-member IT-Pol, Denmark)



03 Mar 2015

Leaked documents: European data protection reform is badly broken

By Diego Naranjo

Brussels, Belgium. New leaked documents show that European countries, pushed by Germany, are systematically working to destroy the fabric of European privacy legislation. Under the current proposals, far from being provided with security fit for the digital age, Europe’s citizens right to data protection would be devoid of meaning.

The Regulation is becoming an empty shell”, said Joe McNamee, Executive Director of European Digital Rights. “Not content with destroying key elements of the proposal, the EU Member States are rigorously, systematically and thoroughly undermining the meaning of every article, every paragraph, almost every single comma and full stop in the original proposal.

Leaked documents from the Council
According to the leaked proposals, crucial privacy protections have been drastically undermined, including the right to be asked for consent, the right to know how your data are used and the right to object to your data being used, minimum standards of behaviour for companies exploiting individuals’ data. In several places, the text would not likely pass judicial scrutiny under Europe’s human rights framework.

In 2012, the European Commission made a proposal, which was amended and accepted by the European Parliament in 2014, to modernise and reform European privacy legislation. This update is urgently needed, due to the challenges of new technology.
Faced with profiling, digitisation of health data and online tracking, every corner of our lives is increasingly being invaded by “big data”. With enough data, a tracking company or government can know even more than we do about our own preferences, our motivations, our health, relationships and our politics than even our closest friends or family.

What happens next?
The Council is trying to complete its work by the summer, before negotiating with the Parliament on a compromise. Unless something is done urgently, the Council will simply complete its agreement, at which stage only an absolute majority of the European Parliament would be the only way of saving Europe’s data protection reform

Background documents:

Analysis produced by EDRi, Access, Panoptykon Foundation, and Privacy International of the leaked Council texts in one pagers highlighting the most problematic issues:


Direct download (pdf)

Comparison of European Parliament’s first reading text with Council document

Council documents:

6286/1/15 – The One-stop-shop mechanism 25.02.2015

6032/15 – Right to be forgotten – Dispute settlement 09.02.2015

17072/3/14 –  Further processing, consent 26.02.2015

17072/3/14 REV 3 ADD 1 – Information and right to object 26.02.2015

25 Feb 2015

Did GCHQ spy on you? Find out now!

By Guest author

Since its launch on 16 February 2015, over 25 000 people have joined an international campaign to try to learn whether Britain’s intelligence agency, GCHQ, illegally spied on them.

This opportunity is possible thanks to court victory in the Investigatory Powers Tribunal (IPT), a secret court set up to hear complaints against the British Security Services. As previously reported in the EDRi-gram, Privacy International won the first-ever case against GCHQ in the Tribunal, which ruled that the agency acted unlawfully in accessing millions of private communications collected by the US National Security Agency (NSA), up until December 2014.

Because of this victory, now anyone in the world can try to ask if their records, as collected by the NSA, were part of those communications unlawfully shared with GCHQ. We feel the public has a right to know if they were spied on illegally, and Privacy International wants to help make that as easy as possible.

Unfortunately, the IPT can’t act by itself, and that’s why it needs people to come forward and file complaints. Privacy International plans to assist as many people as possible in jumping through the hoops the process will probably entail. It is going to be a long fight, and it will likely take months for the IPT to process all the complaints. However, it is important to bear in mind that if the IPT find that your communications were illegally shared with GCHQ, they will be obligated to tell you.

Through their secret intelligence-sharing relationship with the NSA, GCHQ has intermittently enjoyed unrestricted access to PRISM, the NSA’s means of directly accessing data and content handled by some of the world’s largest Internet companies, including Microsoft, Yahoo!, Google, Facebook, Skype, and Apple. GCHQ has also had access to other parts of the NSA’s Upstream collections, through which telephone and internet traffic data is accessed as it flows through communications infrastructure, including CO-TRAVELER, which collects five billion mobile phone locational records a day, and DISHFIRE, which harvests 194 million text messages daily. The top five programs within Upstream created 160 billion interception records in one month alone.

Chances are, at some point over the past decade, your communications were swept up by one of the NSA’s mass surveillance programs and passed onto GCHQ. We think you have a right to know whether that’s the case, and if so, to try and demand that data be deleted. Privacy International wants to help you assert those rights.

Privacy International’s campaign “Did GCHQ illegally spy on you?”

FAQ: Did GCHQ Spy On You?

(Contribution by Eric King, Privacy International)