22 Jan 2018

Press release: 6th annual Privacy Camp takes place on 23 January 2018


Tomorrow, on 23 January 2018, Privacy Camp brings together civil society, policy-makers and academia to discuss problems for human rights in the digital environment. In the face of what some have noted as a “shrinking civic space” for collective action, the event provides a platform for experts from across these domains to discuss and develop shared principles to address key challenges for digital rights and freedoms.

Themed “Speech, settings and [in]security by design”, the one-day conference at the Saint-Louis University in Brussels features panel discussions and privacy workshops led by experts in the fields of privacy, surveillance and human rights advocacy. The nonprofit, nonpartisan event draws privacy activists, civil society representatives, public servants and academics of all ages and backgrounds who are interested in improving privacy and security in communications and in working towards the respect of human rights in the digital environment.

This year, Privacy Camp also features the “Civil Society Summit” of the European Data Protection Supervisor (EDPS).

Speakers at Privacy Camp 2018 include, among others, Giovanni Buttarelli, Wojciech Wiewiorowski, Fanny Hidvegi, Glyn Moody, Katarzyna Szymielewicz, Juraj Sajfert and Marc Rotenberg. The full programme can be accessed here.


10 Jan 2018

2018: Important consultations for your Digital Rights!


Public consultations are an opportunity to influence the future legislation at an early stage, in the European Union and beyond. They are your opportunity to help to shape a brighter future for digital rights, such as your right to an open internet, a private life, and data protection, or your freedom of opinion and expression.

Below you can find a list of public consultations we find important for digital rights. We will update the list on an ongoing basis, adding our responses and other information that can help you get engaged.

Public consultation on the evaluation of the activities of the EU Intellectual Property Office related to enforcement and the European Observatory on Infringements of Intellectual Property Rights (Regulation No 386/2012).

  • Deadline: 2 October 2018

Public consultation on the Proposal for a Regulation on European Production Orders for electronic evidence and a Directive on legal representation.

  • Deadline: 20 July 2018

Public consultation on digital ethics from the European Data Protection Supervisor.

  • Deadline: 15 July 2018

Public consultation on the Proposal for a Directive on EU whistleblower protection.

Public consultation towards a Protocol to the Convention on Cybercrime by the Council of Europe

Public consultation on measures to further improve the effectiveness of the fight against illegal content online.

Public consultation on the proposal for a Directive of the European Parliament and of the Council on the re-use of public sector information/ Data Package III.

  • Deadline: 22 June 2018

Public consultation on the evaluation of the application of Regulation (EU) 2015/2021 and the BEREC Net Neutrality Guidelines by BEREC

Public consultation for inputs to BEREC Work Programme 2019 by BEREC

Feedback on Inception Impact Assessment “Measures to further improve the effectiveness of the fight against illegal content online” by the European Commission

Online consultation Phase II on Internet universality indicators by UNESCO

Public consultation on fake news and online disinformation by the European Commission

Online consultation on ICANN’s compliance with the GDPR by ICANN

Feedback on the 2nd data package or proposal for a Regulation on the Free flow of non-personal data by the European Commission

You can find public consultations of importance to digital rights and EDRi’s responses from previous years here:


13 Dec 2017

What happens to our data on rental cars?

By Privacy International

On 6 December 2017, EDRi member Privacy International published research about data on connected cars. The report “Connected Cars: What Happens To Our Data On Rental Cars?” presents concerns about the way connected transportation facilitates the generation and collection of information about drivers in ways that most people are not able to understand, question, or access.

----------------------------------------------------------------- Support our work - make a recurrent donation! https://edri.org/supporters/ -----------------------------------------------------------------

When you rent a car at the airport or use a car-share for a family day trip, one of the first things you are likely to do before setting off on your journey, is to connect your phone to the car. Doing so can allow information such as your name and navigation history to be stored on the car. When the car is returned, this information is usually not deleted, and can therefore be accessible to the next driver. During the course of the research, Privacy International rented multiple cars and found that on every car past drivers’ personal information was readily accessible.

Beyond this information, connected cars can generate, collect, and store information about the car’s location and about how the driver interacts with the car – for example whether the driver often brakes suddenly. Privacy International is concerned that these types of information, which are of interest to third parties such as insurers, will be sold or shared with third parties without drivers being aware of it.

This first stage of Privacy International’s research focuses on data on rental cars, specifically the “infotainment system”, the in-car communications and entertainment system. Multiple rental companies, based in Europe, the UK, and the US, helped the researchers to understand their internal policies and procedures around driver data that is stored on infotainment systems, as well as how they view their position in data protection terms. The research was also conducted by renting a number of cars and looking at what data is collected and retained by the rental cars’ infotainment systems. Off the back of this research, Privacy International has written to rental companies to ask for further internal policies around data retention and deletion, as well as to car manufacturers to ask about plans to build data deletion into cars. Various civil society organisations in the US and Europe joined in writing to the companies, including ANEC – The European Consumer Voice in Standardisation, Campaign for a Commercial-Free Childhood, Consumer Action, Consumer Federation of America, Consumer Watchdog, EPIC, Hermes Center for Transparency and Digital Human Rights, and the Norwegian Consumer Council. Privacy International has also written to the UK’s Information Commissioner’s Office.

Report: Connected Cars: What Happens To Our Data On Rental Cars? (06.12.2017)

Coalition of consumer and privacy-rights groups send letters to rental companies and car-share schemes mentioned in new Privacy International report (06.12.2017)

Video: Connected Cars: What Happens To Our Data On Rental Cars? (06.12.2017)

(Contribution by Sara Nelson, EDRi member Privacy International)



29 Nov 2017

e-Privacy: What happened and what happens next

By Anne-Morgane Devriendt

With the vote on the mandate for trilogues in the European Parliament Plenary session of 26 October 2017, the European Parliament confirmed its strong position on e-Privacy for the following inter-institutional negotiations, also called trilogues.

The e-Privacy Regulation aims at reforming the existing e-Privacy Directive to complement the General Data Protection Regulation (GDPR) regarding communication data and metadata, as well as device security. In order for the text to efficiently protect European citizens’ privacy, some key issues needed to be addressed in the Commission’s proposal.


In October 2017, we encouraged citizens to contact Members of the European Parliament (MEPs) to make sure the entire e-Privacy proposal will not be watered down. We (very exceptionally) asked them to support the mandate being granted to continue the negotiations on the proposal text in the trilogues. Here is the outcome of our campaign:

Protection of communications in transit and at rest (Art. 5)

Communications data is always sensitive. This is why, for instance, there is no point in protecting your email while it is being sent if any company hosting your email can read it once it arrives in your inbox, for example to target you with advertising. Therefore EDRi supports the protection of communication data both when it is in transit and at rest. The proposed Article 5 in the European Parliament (EP) version of the e-Privacy Regulation proposal protects against “any interference with electronic communications”, including “data related to or processed by terminal equipment”. This is an important step in the right direction.

Consent as the only legal basis for processing (Art. 6)

Informed and free consent should be the sole legal basis for non-necessary processing of such data. Because of the intricate way online tracking works, only users who are fully informed (and free to make the choice) could allow that by consenting to that feature, if it is in their interest.

Privacy and devices protected by design and by default (Art. 10)

As happens with any other device that may create risks for the user, safety and security need to be part of the design and not an afterthought. This is why we need privacy by design and by default. Article 10 of the proposal states that all software allowing electronic communication should, “by default, have privacy protective settings activated to prevent other parties from transmitting to or storing information on the terminal equipment of a user and from processing information already stored on or collected from that equipment”.

The security of devices is also covered by Article 8, which restricts the use of end-users’ terminal equipment to what is strictly necessary, subject to consent.

Restrictions of users’ rights (Art. 11)

Article 11 limits restrictions to vague general public interests such as national security, defence and public security, but the EP has done a better job at being specific in the three sub-articles. Furthermore, Article 11 also contains provisions to ask for mandatory documentation on the requests to access communications by Member States.

Protection of encryption (Art. 17)

In order to protect citizens’ privacy and the safety of their electronic communications, it is fundamental to ban any attempts to undermine encryption. Article 17, on security risks, states that Member States cannot weaken encryption, for example by forcing companies to include “back-doors” in their products.

The European Parliament has done a good job with its improvements to the text. Thanks to the strong position of the Committee on Civil Liberties, Justice and Home Affairs (LIBE) and citizens’ mobilisation, the European Parliament voted for a strong text that will protect citizens’ privacy and communication. However, the fight is not over yet: the Commission, the Council and the Parliament have yet to reach an agreement during the obscure process called trilogues. The final text will be passed in the Plenary of the European Parliament in 2018, tentatively after the summer.

Tell the European Parliament to stand up for e-Privacy! (25.10.2017)

Report on the proposal for a regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (23.10.2017)

EDRi’s position on the proposal of an e-Privacy regulation (09.03.2017)

Trilogues: the system that undermines EU democracy and transparency (20.04.2017)

(Contribution by Anne-Morgane Devriendt, EDRi intern)



15 Nov 2017

High time: Policy makers increasingly embrace encryption

By Bits of Freedom

Encryption is of critical importance to our democracy and rule of law. Nevertheless, politicians frequently advocate for weakening this technology. Slowly but surely, however, policy makers seem to start embracing it.


Encryption is essential for the protection of our digital infrastructure and enables us to safely use the internet – without it, our online environment would be a more dangerous one. Thanks to encryption, companies can better protect our personal data online and internet users can safely communicate and exchange information. This makes encryption of the utmost importance not only for our democratic liberties, but also for innovation and economic growth.

Our governments should therefore stimulate the development and implementation of encryption, more than they currently do. It is without doubt undesirable when governments force companies to create backdoors in their encryption technologies, or to incorporate other ways of weakening it. Policy makers generally grapple with this position though, as they face pressure from police and security services.

Fortunately, in 2016, the Dutch government came to the same conclusion. It rightfully determined that “cryptography plays a key role in the technological security of the digital domain”. It further stated that there were “no viable options to weaken encryption technology in general without compromising the safety of digital systems that utilise it”. Put differently, creating a backdoor for the police also creates a backdoor for criminals. Because of this, the Dutch cabinet argues that it is “undesirable to implement legislative measures that would hamper the development, availability and use of encryption in the Netherlands”.

Then again, the Netherlands is only a small country and much of its legislation is determined by the decisions made at the European level. It is therefore heartening to see that the European Parliament passed a resolution in early November 2017, calling on the European Commission and the member states to “enhance security measures, such as encryption and other technologies, to further strengthen security and privacy”. The Parliament also explicitly asked EU Member States to refrain from “enforcing measures that may weaken the networks or services that encryption providers offer, such as creating or encouraging ‘backdoors’”.

The European Commission has also spoken out on the issue. It recently published “Eleventh progress report towards an effective and genuine Security Union”, which lists measures meant to make Europe safer. One of these measures entails supporting law enforcement in dealing with encrypted information. However, the report immediately adds that this should be done “without prohibiting, limiting or weakening encryption”, since “encryption is essential to ensure cybersecurity and the protection of personal data”.

This definitely does not mean it will be smooth sailing from here on. Political positions change rapidly. The Dutch government, for example, states explicitly that weakening encryption is undesirable “at this moment in time”. All it takes for our political leaders to collectively lose their resolve is one serious terrorist attack after which law enforcement and security services investigations are hindered by encryption. It is also hard to predict how Dutch and European lawmakers will respond when pressure mounts from France, Germany or the United States.

The biggest threat, however, is probably far more subtle. Businesses are often pressured to “take their social responsibility” in fighting whatever is seen to be evil at that particular time. They are told: “You don’t want to be seen as a safe haven for terrorists, do you?” The consequence of this is that far too often, these businesses agree to make their digital infrastructure more vulnerable, without any checks or balances. This cooperative attitude is of course adopted “willingly” – but not without pressure from legislation or fear of damage to their reputation. The proposal of the European Commission in its recent policy document to create a “better and more structured collaboration between authorities, service providers and other industry partners” should be read in this light.

The European Commission struggles to find a position on encryption (31.10.2017)

EU’s plans on encryption: What is needed? (16.10.2017)

EDRi delivers paper on encryption workarounds and human rights (20.09.2017)

EDRi position paper on encryption (25.01.2016)

Encryption – debunking the myths (03.05.2017)

(Contribution by Rejo Zenger, EDRi member Bits of Freedom, the Netherlands; translation by David Uiterwaal)



31 Oct 2017

The privacy movement and dissent: Protest

By Guest author

This is the fourth blogpost of a series, originally published by EDRi member Bits of Freedom, that explains how the activists of a Berlin-based privacy movement operate, organise, and express dissent. The series is inspired by a thesis by Loes Derks van de Ven, which describes the privacy movement as she encountered it from 2013 to 2015.*

In order to describe, analyse, and understand the ways in which the privacy movement uses protest, it is important to bear in mind the internet plays an all-encompassing role. First, we can distinguish between actions that are internet-supported and actions that are internet-based. Protests that are internet-supported are traditional means of protest that the internet has made easier to coordinate and organise, whereas protests that are internet-based could not have happened without the internet. Second, there is the height of the threshold for people to become involved. A high threshold means that participating entails a high risk and level of commitment, while a low threshold means a low risk and level of commitment. In the privacy movement, internet-supported protest with a low threshold and internet-based protest with a high threshold are the most common forms of protest.


Internet-supported protest with a low threshold

The most common types of internet-supported protest with a low threshold that we find in the privacy movement are asking for donations and organising legal protest demonstrations.

The internet has given an impulse to donations: whereas in the analogue age the costs to coordinate such actions would outweigh the benefits, in the digital age collecting money has become much more accessible and easier. The Courage Foundation, for instance, collects donations for the legal defense of whistleblowers such as Edward Snowden and Lauri Love. Many other European organisations similarly offer their members and supporters the opportunity to make donations. However, it is worth noting that specifically in the case of the privacy movement, the threshold for donating money is higher than usual, as whistleblowing is a politically sensitive subject and community members have a heightened knowledge of privacy concerns associated with online payments. It is not surprising that donating via the anonymous digital currency Bitcoin is an option many organisations offer.

When it comes to demonstrations, the internet has also been an enhancing factor, as it has made the spreading and exchanging of information about the goal and practical details of a demonstration much easier. This also proves to be the case for demonstrations organised by the privacy movement. A fitting example of how the internet can help rapidly spread information and the effect that has on protest is the Netzpolitik demonstration held in Berlin on 1 August 2015. The announcement by Netzpolitik, a German organisation concerned with digital rights and culture, that two of their reporters and one source had been charged with treason, made thousands of people gather in the streets of Berlin to protest for the freedom of the press.

Here, too, it is worth considering how low the threshold for demonstrating actually is for activists within the privacy movement. In the analogue age it was difficult for governments to get a clear image of who exactly took part in a demonstration. Modern technology, however, has changed and continues to change the game. For instance, after participating in a protest, protesters in Ukraine received a text message from their government that stated, “Dear Subscriber, you have been registered as a participant in a mass disturbance”. Something similar happened in Michigan, USA, in 2010. After a labour protest the local police asked for information about every cellphone that had been near the protest. Thus, the height of the risk that is involved in these sorts of protest is definitely worth reconsidering, especially when reflecting on a movement with so much awareness of (digital) surveillance.

Internet-based protest with a high threshold

Internet-based actions with a high threshold include protest websites, alternative media, culture jamming, and hacktivism.

Protest websites are websites that “promote social causes and chiefly mobilise support”. The privacy movement is involved in a number of these sorts of websites, for example edwardsnowden.com and chelseamanning.org, which are dedicated to whistleblowers and explain how supporters can help them, and savetheinternet.com, which asks supporters to take action in protecting net neutrality.

Alternative media have proven to be a crucial part of how the privacy movement voices dissent and “bears witness”, as the internet has made it possible to circumvent mass media and has reduced the effort to spread information to a large audience. A well-known example of alternative media, emerging from the privacy movement, is The Intercept, an online news organisation co-founded by Glenn Greenwald, Laura Poitras, and Jeremy Scahill. This newspaper aims, according to its website, to “[produce] fearless, adversarial journalism” and focuses on stories that provide transparency about government and corporate institutions’ behaviour.

Culture jamming is a form of protest where corporate identity and communications are appropriated for the protesters’ own goals, using tactics such as “billboard pirating, physical and virtual graffiti, website alteration, [and] spoof sites”. An example of a spoof site is the Twitter account @NSA_PR, or NSA Public Relations in full, a reaction to the actual official Twitter account of the public relations department of the US National Security Agency that was launched at the end of 2013. The spoof account often responds to recent surveillance and security issues in a humorous way. For example, when WikiLeaks published documents about the NSA’s interception of French leaders, NSA Public Relations posted, “Parlez-vous Français?”.

Hacktivism is the last form of internet-based protest with a high threshold. It is defined as “confrontational activities like DoS attacks via automated email floods, website defacements, or the use of malicious software like viruses and worms”. These activities are not commonly used within the privacy movement. Instead, a “digitally correct” form of hacktivism is practised. Digitally correct hacktivism designs computer programs that help confirm and accomplish their political aims. Of the many programs that exist, two of the most well-known and widely used programs for this kind of protest are the Tor Project’s web browser and Pretty Good Privacy. Both programs are designed to secure the user’s privacy. Whereas it is debatable whether direct action hacktivism is legal or not, the use of the Tor browser and email encryption are, of course.

The digital age has undeniably affected the way in which social movements protest. Traditional forms of protest have become internet-supported, but additionally there are also forms of protest being used that cannot even exist without the internet. This is even more the case for the privacy movement. For a movement that is so intertwined with the internet, we see that it is difficult to even make the distinction between online and offline protest, and that it comes up with its own specific alterations to already existing forms of protest.

The series was originally published by EDRi member Bits of Freedom at https://www.bof.nl/tag/meeting-the-privacy-movement/

Dissent in the privacy movement: whistleblowing, art and protest (12.07.2017)

The privacy movement and dissent: Whistleblowing (23.08.2017)

The privacy movement and dissent: Art (04.10.2017)

(Contribution by Loes Derks van de Ven; Adaptation by Maren Schmid, EDRi intern)

* This research was finalised in 2015 and does not take into account the changes within the movement that have occurred since then.

Della Porta, Donatella, and Mario Diani. Social movements. An Introduction. Malden: Blackwell Publishing, 2006.
Van Aelst, Peter, and Jeroen van Laer. “Internet and Social Movement Action Repertoires. Opportunities and Limitations.” Information, Communication & Society 13:8 (2010): 1146-1171.



25 Oct 2017

Tell the European Parliament to stand up for e-Privacy!

By Diego Naranjo

On 26 October, the European Parliament (EP) will decide on a key proposal to protect your privacy and security online. This step consists of confirming (or not) the Parliament’s mandate to negotiate the e-Privacy Regulation with the Council of the European Union.

This vote has been demanded as part of an effort to either water down or completely destroy the proposal. As a result, we (very exceptionally) support the mandate being granted.

Do you want to protect the privacy of millions of people in the next generations? Then take action now and contact the Members of the European Parliament (MEPs) from your country to make sure that the European Parliament approves the mandate. You can:

  1. Call your MEP using the free call system (developed by La Quadrature Du Net) and ask them to vote on Thursday 26 October to support the mandate for the e-Privacy trilogues.
  2. Tweet to the MEPs from your own country now (and also other MEPs, ideally in their own language). Use the hashtag #ePrivacy! You could tweet for example along the lines:

Dear <@MEP>, please vote for a mandate for the #ePrivacy #trilogues. Good for citizens, for trust, for innovation, for competition!

You can find below the list of MEPs’ Twitter handles for each Member State:

The Regulation applies to confidentiality of communications, online and offline tracking and device security. It has been the subject of a huge lobbying campaign by industry associations peddling a range of outlandish claims including that the Regulation would ban advertising and would even be responsible for “killing the internet” (seriously).

e-Privacy Directive: Frequently Asked Questions

e-Privacy Mythbusting (25.10.2017)

Quick guide on the proposal of an e-Privacy Regulation (09.03.2017)

Last-ditch attack on e-Privacy Regulation in the European Parliament (24.10.2017)

Dear MEPs: We need you to protect our privacy online! (05.10.2017)


24 Oct 2017

Last-ditch attack on e-Privacy Regulation in the European Parliament

By Joe McNamee

The ECR, the right-wing, Eurosceptic political group in the European Parliament, has joined forces with German Conservatives Axel Voss and Monika Hohlmeier, as well as the Danish Liberal Morten Løkkegaard, to try to overturn progress made on the e-Privacy Regulation.

The Regulation applies to confidentiality of communications, online and offline tracking and device security. It has been the subject of a huge lobbying campaign by industry associations peddling a range of outlandish claims including that the Regulation would ban advertising and would even be responsible for “killing the internet” (seriously).

As the myths and mythology that Members of the European Parliament (MEPs) are being confronted with every day are getting more and more ridiculous, on 24 October, we wrote to all 751 MEPs. However, to avoid the e-mail getting too long, we restricted ourselves to the six most outlandish myths:

  1. that e-Privacy bans online advertising (advertising existed before online surveillance)
  2. that e-Privacy is bad for democracy (tracking has manipulated elections)
  3. that e-Privacy is bad for media pluralism and quality of journalism (tracking is the business model of fake news)
  4. that e-Privacy prevents the fight against illegal content (the telecoms companies made this false argument about net neutrality. It wasn’t true and still isn’t)
  5. that e-Privacy helps Google and Facebook (no, seriously, the lobbyists are actually saying this)
  6. that we need a level playing field (actually that one is true, we need everyone to be regulated fairly)

You can read our letter here.

Tell your MEPs you want a strong e-Privacy Regulation – as agreed by the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE). Find your MEPs here.


18 Oct 2017

Extending the use of eID to online platforms – risks to privacy?

By Anne-Morgane Devriendt

On 10 October 2017, the European Commission published the “draft principles and guidance on eID interoperability for online platforms” on the electronic Identification And Trust Services (eIDAS) observatory. Building on the eIDAS Regulation, the Commission would like to extend the scope of use for the eIDs to online platforms, in addition to public services. This raises a number of issues, particularly on the protection of privacy.

The eIDAS Regulation, adopted in 2014, is part of the “European eGovernment Action Plan 2016-2020”. It aims at making all Member State-issued eIDs recognisable by all Member States from 28 September 2017. By extending the scope of use of eIDs to “online platforms” in general and not only public services, the Commission is trying to make authentication easier and more secure, as the eID itself would allow logging in. It would answer some of the issues raised by the use of passwords as the main authentication method. It would also be more convenient for users, who could use the same eID across different platforms.

However, as presented in the Commission’s document, the guidelines raise a number of issues, such as the lack of a definition of “online platforms”. As the eIDAS Regulation concerns access to public services throughout the EU with the same, government-approved eID, it appears that “online platforms” refers to the private sector. “Online platforms” are defined, to a certain extent, in the Commission’s Communication on Online Platforms. However, the characteristics that are used are so wide that they encompass both online sales websites and social media platforms.


The second issue is protection of privacy. Indeed, the draft document states that “users should be able to preserve a level of privacy and anonymity, e.g. by using a pseudonym”. The failure to understand the basic notion that anonymity and pseudonymisation are fundamentally different is worrying. It is, or should be, obvious that using one’s eID to authenticate oneself would allow the platform to link the pseudonym to the real identity and personal information. Furthermore, while it might be useful for online sale platforms to make sure transactions are taking place between real people, it defeats the purpose of using a pseudonym on social media to separate online activities to be linked to one’s real identity.

Finally, while the Commission sets the direction to make authentication easier for both platforms and users through the use of the eID, it does not provide guidelines on the implementation of privacy by default. Such guidelines would make sure that online platforms only have access to authentication information and do not use it for other purposes. One of the safeguards for the use of eIDs to access public services is the ability to monitor which public servant accessed the data and when. However, regarding the use of eIDs for authentication on online platforms, there is no provision in the draft guidelines that would make sure that data are properly secured.
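As an added illustration, not part of EDRi’s article nor of the Commission’s draft guidance, the following code contrasts two ways an eID provider can answer a platform’s login request: handing over the real identity (which lets a pseudonymous account be linked to a real person, and lets two platforms link their users by comparing identifiers) versus a privacy-by-default answer in which the provider derives a platform-specific pseudonym with an HMAC and releases only the attributes that platform’s stated purpose needs, recording each release in an audit log. The provider secret, citizen record, platform names and purpose labels are all constructed for the example; the pairwise-pseudonym idea is the same one OpenID Connect calls a pairwise subject identifier, and is not a description of any Member State’s eID scheme.

```python
"""Constructed example: eID login with and without privacy by default."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample identity record held by a hypothetical eID provider.
CITIZEN = {"national_id": "BE-000000001", "name": "Alice Example", "birth_year": 1990}

# Provider-side secret used to derive pseudonyms; in a real deployment it
# never leaves the provider (e.g. it lives in an HSM). Constructed value.
PROVIDER_SECRET = b"constructed-demo-secret-keep-in-hsm"

# Purpose-bound attribute policy: which attributes a platform with a given
# purpose may learn. The purpose labels are hypothetical, not eIDAS terms.
ATTRIBUTE_POLICY = {
    "age_gated_sales": {"over_18"},  # a shop only needs an age assertion
    "social_media": set(),           # authentication only, no attributes
}


@dataclass
class AuditLog:
    """Append-only record of which platform received which attributes,
    mirroring the 'who accessed the data and when' safeguard for public
    services mentioned in the text."""
    entries: list = field(default_factory=list)

    def record(self, relying_party: str, released: set) -> None:
        self.entries.append((relying_party, tuple(sorted(released))))


def full_identity_login(citizen: dict, relying_party: str) -> dict:
    """The mode the draft guidance risks enabling: the platform receives the
    citizen's real identifier and personal details, so any pseudonymous
    account on that platform is directly linkable to a real person."""
    return {
        "rp": relying_party,
        "sub": citizen["national_id"],
        "name": citizen["name"],
        "birth_year": citizen["birth_year"],
    }


def pairwise_pseudonym(secret: bytes, national_id: str, relying_party: str) -> str:
    """Platform-specific pseudonym: HMAC-SHA256 over the national id bound to
    the relying party. Without the provider secret a platform cannot recover
    the national id, and two platforms receive unrelated values for the same
    citizen, so they cannot link accounts by comparing identifiers."""
    message = f"{relying_party}\x00{national_id}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def privacy_by_default_login(citizen: dict, relying_party: str, purpose: str,
                             secret: bytes, log: AuditLog, reference_year: int) -> dict:
    """Privacy-by-default mode: a stable per-platform pseudonym plus only the
    attributes the platform's purpose permits. reference_year replaces the
    wall clock so the age assertion is deterministic for the example."""
    if purpose not in ATTRIBUTE_POLICY:
        raise ValueError(f"unknown purpose: {purpose}")
    allowed = ATTRIBUTE_POLICY[purpose]
    response = {
        "rp": relying_party,
        "sub": pairwise_pseudonym(secret, citizen["national_id"], relying_party),
    }
    if "over_18" in allowed:
        # Derived attribute: the shop learns a yes/no, not the birth year.
        response["over_18"] = reference_year - citizen["birth_year"] >= 18
    log.record(relying_party, allowed)
    return response


def can_link_accounts(response_a: dict, response_b: dict) -> bool:
    """What two colluding platforms can do: compare the identifiers they hold."""
    return hmac.compare_digest(response_a["sub"], response_b["sub"])


if __name__ == "__main__":
    log = AuditLog()
    shop_full = full_identity_login(CITIZEN, "shop.example")
    forum_full = full_identity_login(CITIZEN, "forum.example")
    print("full identity, accounts linkable:", can_link_accounts(shop_full, forum_full))
    shop = privacy_by_default_login(CITIZEN, "shop.example", "age_gated_sales",
                                    PROVIDER_SECRET, log, 2017)
    forum = privacy_by_default_login(CITIZEN, "forum.example", "social_media",
                                     PROVIDER_SECRET, log, 2017)
    print("privacy by default, accounts linkable:", can_link_accounts(shop, forum))
    print("what the social media platform learns:", forum)
    print("audit log:", log.entries)
```

The social media platform in the second mode learns nothing beyond a pseudonym it cannot relate to the shop’s pseudonym or to the national id, which is the separation between online activity and real identity that the text says a pseudonym is meant to provide; the audit log is the hook for the monitoring safeguard the text notes is missing from the draft.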

Bearing in mind the huge and varied damage caused to Facebook users by its “real names” policy, the risks of this project being used by certain online platforms are real and significant.

All interested stakeholders can communicate their opinion on this draft to the Commission before 10 November 2017 through the eIDAS observatory post or by email.

Draft principles and guidance on eID interoperability for online platforms – share your views! (10.10.2017)

Workshop: Towards principles and guidance on eID interoperability for online platforms (24.04.2017)

Communication from the Commission – Online Platforms and the Digital Single Market: Opportunities and Challenges for Europe (25.05.2016)

(Contribution by Anne-Morgane Devriendt, EDRi intern)



06 Oct 2017

ePrivacy: Frequently Asked Questions


Original version here (English)

What is the ePrivacy Directive?

The Privacy and Electronic Communications Directive, or ePrivacy Directive, is a Directive that covers specific privacy and data protection issues in the field of communications. It was adopted in 2002 and revised in 2009. The official text of the current version can be found here.


Why do we need this instrument?

The ePrivacy Directive was created to guarantee privacy and protect personal data in the field of electronic communications, by “complementing and particularising” the matters addressed in the main legal instrument, i.e. the Data Protection Directive, now called the General Data Protection Regulation (GDPR). For example, ePrivacy protects the confidentiality of the content of communications, of the information stored on an individual’s device and of access to it. The GDPR does not specifically cover this.

Confidentiality of communications is very complex. It covers not only your right to privacy and data protection, but also your freedom of expression and of communication. Without legislation that clearly defines the meaning of these fundamental rights in this complex environment, the protection of the confidentiality and security of communications would be less predictable and harder to enforce. A lack of precise rules also makes it harder for businesses to develop new, innovative services.

Isn’t the General Data Protection Regulation (GDPR) enough?

Even though the GDPR covers many subjects related to data protection, it does not directly and precisely cover the right to privacy and, more particularly, the right to freedom of communication, which are two distinct fundamental rights. ePrivacy therefore provides a necessary level of precision to ensure effective and predictable protection of the rights that the GDPR does not cover with sufficient precision. Moreover, ePrivacy also covers activities where the processing of personal data is not the main issue, such as the sending of unsolicited messages (for example spam or direct marketing). It also provides a basis for the protection of information stored on an individual’s device. It is important to remember that the purpose of ePrivacy is not to create new rights, but to complement existing rules, for the benefit of both individuals and companies.

The need for legislation on privacy and the security of personal data in the field of electronic communications is growing. Online tracking and the monitoring of e-mails for advertising purposes are increasingly common practices, while telecom companies try to copy online companies by making profits from the masses of customer data they hold (including location data). In addition, ePrivacy needs to be updated to keep pace with the latest technological innovations, such as the use of instant messaging (chat) applications instead of SMS or e-mail.

Which fundamental rights are affected by the ePrivacy Directive?

  • The fundamental right to confidentiality of communications, enshrined in Article 7 of the Charter of Fundamental Rights of the European Union. The new instrument that will replace or revise ePrivacy should make it unambiguously clear that this principle applies fully to data about online activities and to communications, including traffic and location data, as currently defined in the ePrivacy Directive. Moreover, it should also apply to any similar data created or used online, such as location, browsing, e-book usage, mobile application usage and search data, etc., and to any other new data resulting from them. The new instrument must also bring clarity on technical design and on the application of privacy protection by default in this context.
  • The fundamental rights to the protection of personal data and to freedom of expression, as enshrined in Article 8 of the Charter cited above. For most people in the EU, the easiest way to access information involves the internet. To protect this, the revised instrument should ban any obligation on users to accept the tracking of their activities, and the profiling and automated decision-making that follow from it (for example, having to accept cookies before being able to access a website). This is particularly important when accessing information on subjects related to sensitive data, or when accessing public sector services.

Which activities are covered by ePrivacy?

  • confidentiality and security of communications;
  • traffic and location data generated by personal devices;
  • tracking of users, including when using personal devices (as for behavioural advertising);
  • cookies;
  • security measures for personal devices;
  • itemised billing;
  • calling line identification;
  • public and private directories;
  • spam and unsolicited calls for direct marketing purposes;
  • data breach notifications (later specified in EU Regulation 611/2013).

Which elements need to be updated?

Everything relating to online activities in ePrivacy (such as the confidentiality and security of communications and of personal devices, as well as the tracking of users) must be updated to match present and future technological innovations. The rules on itemised billing, user directories and unsolicited communications must be reassessed to check whether they are consistent with the GDPR. Some aspects, such as how data breaches must be handled, do not require specific legislation. They can therefore be removed, and the matter resolved by referring to the GDPR, in order to avoid any redundancy.

I am fed up with seeing banners asking me to accept cookies. Will this add even more of them?

ePrivacy currently tries to give users some control over online tracking. However, it does so in a rather blunt way. Lessons learned from experience and from technological developments suggest that the provision regulating cookies in ePrivacy should be improved, to allow for consent mechanisms that are easier to use.

As we explained in a previous article, cookies are one of the ways you leave digital traces behind you when you browse. They are pieces of information that are automatically placed on your device when you visit websites. The revised cookie rules in ePrivacy should make browsing more pleasant by removing the consent requirement for cookies that do not involve the collection and processing of personal data (such as the tracking of users and devices by third-party services). This would apply, for example, to statistics counting which pages of a website are visited the most. Such statistics collected by the owner of a site (“first-party cookies”) do not involve unnecessary processing of personal data. In general, we refer to the Article 29 Data Protection Working Party’s guidelines on cookies in this regard.

What is the link with protection against mass surveillance?

We can undoubtedly expect a growing use of personal electronic devices (smartphones, tablets, computers) as well as of related technologies connected to the internet (as in the Internet of Things). These developments create new opportunities for online communication, but also carry risks for confidentiality and other fundamental rights. Online communication often involves many people across national borders, without users being fully aware of it.

We agree with the European Data Protection Supervisor (EDPS) that the number and frequency of government requests made to internet services (Twitter, Gmail and others) should be made public, so as to give individuals a clearer view of how these intrusive government powers are used in practice. If the public is aware of the government’s conduct, it will be in a better position to hold it to account. In this context, more transparency could help restore the trust that people place in the electronic communications sector.

What is the link with the security of my electronic devices, such as my smartphone?

The GDPR includes security obligations for the processing of personal data, whereas ePrivacy allows for the inclusion of security obligations that are more specifically tailored to our online communications. These security obligations should not only apply to electronic communications providers (telecoms), but should also cover application developers and electronic device manufacturers, for example. The companies behind applications and devices are not always the parties with primary legal responsibility. Yet, because of their important role in protecting the security and confidentiality of personal communications, they should also be subject to security standards. We refer in particular to the recommendations on security and privacy standards for operating system providers, device manufacturers and other key actors formulated by the Article 29 Data Protection Working Party in its Opinion 8/2014 on the Internet of Things.

This FAQ was prepared by the EDRi office in Brussels and by members Open Rights Group, FIPR, Bits of Freedom, Access Now, Panoptykon and Privacy International.

Translation by volunteers Pierre, Florian and Gilles.