The right to privacy is a crucial element of our personal security, for free speech and for democratic participation. It is a fundamental right in the primary law of the European Union and is recognised in numerous international legal instruments. Digital technologies have generated a new environment of potential benefits and threats to this fundamental right. As a result, defending our right to privacy is at the centre of EDRi’s priorities.

02 May 2018

EU Member States fight to retain data retention in place despite CJEU rulings

By IT-Pol

EU Member States are still working to adopt their position on the ePrivacy Regulation proposed by the European Commission in January 2017. A number of draft compromise texts have been published by the Council Presidency before discussions in the Working Party on Telecommunications and Information Society (WP TELE).

----------------------------------------------------------------- Support our work with a one-off-donation! -----------------------------------------------------------------

Unfortunately, the Council transparency in publishing those documents does not extend to the part of the ePrivacy Regulation that concerns data retention. This means mainly Article 11, which allows Member States to restrict the rights to data protection and confidentiality of electronic communication under certain conditions, in a similar way to Article 15(1) of the current ePrivacy Directive. This part of the ePrivacy Regulation is being discussed jointly by WP TELE and the Working Party on Information Exchange and Data Protection – Friends of the Presidency on Data Retention (DAPIX FoP), which is also tasked with analysing the implications of the Tele2 judgment (joined cases C-203/15 and C-698/15) from the Court of Justice of the European Union (CJEU).

Documents from these discussions are marked “LIMITE” and therefore not generally available to the public. An incomplete picture of the work is available through a combination of Freedom of Information (FOI) requests and leaked documents. It is known that DAPIX FoP has developed the concept of ”restricted data retention” which is a deliberately crafted attempt to circumvent the Tele2 ruling of the highest court of the European Union (the CJEU) with a data retention scheme that is, in reality, general and undifferentiated (and therefore illegal) while officially claiming not to be.

Recently, the working document WK 11127/2017 of 10 October 2017 was released in full through a FOI request by Corporate Europe Observatory. This document provides another piece of the puzzle regarding the secret data retention discussions in Council working groups by outlining two different strategies for storage of electronic communications metadata for law enforcement purposes.

The first strategy is based on data retained by providers of Electronic Communication Services (ECS) for business purposes. Article 6(2)(b) of the Commission proposal for the ePrivacy Regulation allows ECS providers to process electronic communications metadata for purposes of billing, calculating interconnection payments as well as stopping fraudulent or abusive use of ECS. The working document proposes to expand Article 6(2)(b) to include ”illicit use” of ECS, which would allow processing for a broader purpose than abuse or fraudulent use of the communications service itself. Potentially, ”illicit use” could include any crime or illegal behaviour committed by the subscriber with the assistance of the electronic communications service, even if the ECS provider is not the victim of the offence (such as through fraudulent use of the service). The working document further proposes a minimum six month retention period for electronic communications data processed under the broadened purposes of Article 6(2)(b).

In effect, this is mandatory blanket data retention disguised as storage of communications data processed for voluntary business purposes, like billing. When ECS providers process communications data for business purposes, the processing, and in particular any storage of personal data, should be limited to the duration necessary for this purpose. Setting a minimum mandatory retention period for communications data processed under Article 6(2)(b) will mean weakening the level of protection guaranteed under the General Data Protection Regulation (GDPR), which is not only unacceptable but also contradictory to the ePrivacy Regulation being lex specialis to the GDPR. If Member States want to “ensure” the availability of electronic communications data for law enforcement, this should be done by appropriately restricting the rights to data protection and confidentiality of communications in accordance with Article 11 of the ePrivacy Regulation and, in particular, in accordance with the CJEU case law which prescribes targeted data retention rather than blanket data retention.

The second consideration in working document WK 11127/2017 is to exclude processing for law enforcement purposes from the scope of the ePrivacy Regulation in Article 2(2). Under the current ePrivacy Directive, both the retention of electronic communications data and access to retained data by competent authorities is within the scope of the Directive. The working document suggests that excluding processing for law enforcement purposes from the scope of the ePrivacy Regulation could ”bring more clarity to the legal context of data retention”. This would put national legislation for mandatory data retention outside the scope of the ePrivacy Regulation and possibly even outside the scope of EU law, which would be very dangerous for fundamental rights. It could also be considered that it does not put this activity outside the scope of EU law (or at least not fully), as data retention could be considered an exception to the GDPR. So much for “clarity”.

The current ePrivacy Directive provides legal clarity for the retention of electronic communications data and access to the retained data since both types of processing are covered by Article 15(1) of the Directive. Furthermore, CJEU case law provides specific conditions for retention and access to electronic communications data, which ensure appropriate safeguards for fundamental rights. Excluding processing for law enforcement purposes from the scope of the ePrivacy Regulation would bring less legal clarity, not more. In addition, a Regulation aimed at protecting personal data and confidentiality of electronic communications would be deprived of its purpose if certain types of processing (such as “processing for law enforcement purposes”) are completely excluded from its scope. This was also noted by the CJEU in paragraph 73 of the Tele2 judgment.

On 25 April 2018, EDRi member Statewatch published a recent document from the Bulgarian Council Presidency on data retention. Working document WK 3974/2018 looks at the “renewable retention warrant” (RRW). The intention is that competent authorities can issue data retention orders (warrants) to ECS providers under certain conditions. The legal basis for issuing RRWs will have to be national law as no EU legal basis currently exists. It is suggested by the Presidency that ECS providers could appeal the warrant, which would give private companies the job of safeguarding citizens’ fundamental rights. Even though the data retention requirements for RRWs could differ among ECS providers, the Presidency notes that the RRW would be rendered ineffective for law enforcement purposes if not all providers are covered. This will make the RRW approach identical to blanket data retention for all practical purposes and, therefore, a clear circumvention of CJEU rulings.

The patchwork of Council documents (only some of which are available) from DAPIX FoP on data retention shows that some Member States governments are exploring every possible option to uphold their current data retention requirements, despite two very clear CJEU rulings in 2014 and 2016 that blanket data retention is illegal under EU law. These efforts often take place behind closed doors in Council working groups, and the discussions only receive input from Member States’ governments and EU institutions in the law enforcement area, such as Europol and the EU Counter-Terrorism Coordinator. The European public, civil society organisations and data protection authorities are excluded from most of the critical discussions around data retention. In the past, this approach has repeatedly produced legislation such as the Data Retention Directive which was later overturned by the CJEU.

After working document WK 11127/2017 was published in full, European Digital Rights and EDRi members Access Now, Privacy International and IT-Pol Denmark, sent an open letter to EU Member States on the ePrivacy reform. The letter calls upon EU Member States to ensure privacy and reject data retention.

ePrivacy: Civil society letter calls to ensure privacy and reject data retention (24.04.2018)

Freedom of Information request by CEO for WP TELE ePrivacy documents (17.04.2018)

“Renewable retention warrants”: a new concept in the data retention debate, Statewatch (25.04.2018)

EU Member States plan to ignore EU Court data retention rulings (29.11.2017)

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)



24 Apr 2018

ePrivacy: Civil society letter calls to ensure privacy and reject data retention


On 23 April 2017, EDRi, together with other civil society organisations, sent a follow up to our previous open letter to the permanent representations of EU Member States in Brussels. The letter highlighted the importance of the ongoing reform of Europe’s ePrivacy legislation for strengthening individuals’ rights to privacy and freedom of expression and for rebuilding trust in online services, in particular in the light of the revelations of the Cambridge Analytica scandal.

Open letter to European member states on the ePrivacy reform

23 April 2018

Dear Minister,
Dear Member of the WP TELE,

We, the undersigned organisations, support the ongoing and much-needed efforts to reform Europe’s ePrivacy legislation. As we mentioned in our recent open letter, the reform is essential in order to strengthen individuals’ rights to privacy and freedom of expression across the EU and to rebuild trust in online services, in particular given the revelations of the Cambridge Analytica scandal.1

Despite the urgent need to protect the confidentiality of communications, we are aware of the political difficulties that were met during debates in Council and at Working Party level, specifically regarding Article 11 of the proposed ePrivacy Regulation.

Given these difficulties and following the recent publication of the full document WK 11127/2017,2 we would like to highlight a number of legal points that may help move the discussion forward:

– The Court of Justice of the European Union (CJEU) clarified, in two different judgements (Digital Rights Ireland – joined cases 293/12 and 594/12 and Tele2-Watson, joined cases C-203/15 and C-698/15), that mandatory bulk retention of communications data breaches the Charter of Fundamental rights. Any attempt to subvert CJEU case law by adding “clarity to the legal context” without a legal basis that respects the Charter is a direct attack on the most basic foundations of the European Union and should be dismissed. In fact, the current legal framework (the e-Privacy Directive, Directive 2002/58) provides legal clarity since mandatory retention of metadata for the purpose of prevention, investigation, detection or prosecution of criminal offences, as well as access to retained metadata for this purpose, is regulated in its Article 15(1).

– A Regulation aimed at protecting personal data and confidentiality of electronic communications would be deprived of its purpose if certain types of processing (“processing for law enforcement purposes”) are completely excluded from its scope. This was also noted by the Court of Justice in paragraph 73 of the Tele2-Watson judgment. Furthermore, such processing requires specific safeguards defined by the Court and must be necessary and proportionate.

– Finally, we have also noted certain attempts by a number of delegations to introduce a minimum storage period (of 6 months) for all categories of data processed under Article 6(2)(b). If approved, this would impose indiscriminate retention of personal data in a way that has already been ruled as unlawful by the Court of Justice of the European Union in Tele2/Watson. If Article 6(2)(b) establishes a legal basis for processing communications data in order to maintain or restore security of electronic communications networks and services, or to detect errors, attacks and abuse of these networks/services, the processing should still be limited to the duration necessary for this purpose. On top of this, the general principles of GDPR Article 5 should apply, e.g. storage limitation in Article 5(1)(e). If the technical purpose can be achieved with anonymised data, this is no justification for processing data for identified or identifiable end-users. Setting a minimum mandatory retention period for communications data processed under Article 6(2)(b) will mean weakening the level of protection guaranteed under the GDPR, which is not only unacceptable but also contradictory to the concept of lex specialis.

We are aware of the political difficulties raised in Council around the issue of data retention, however the clarity provided by the CJEU in two landmark rulings on that matter can not and must not simply be ignored. We strongly encourage you to keep in mind all of the legal points above in the ongoing debates. We count on the Council to swiftly conclude a general approach on the ePrivacy Regulation, which should include a legally sound Article 11 rooted in respect for the EU Charter and the CJEU case law, to provide law enforcement authorities with the legal certainty needed to accomplish their duties.3

Yours faithfully,

European Digital Rights




Privacy International


IT-Political Association of Denmark and


18 Apr 2018

Hermes Center demands investigation of NAT-related data retention

By Hermes Center

On 27 March 2018, EDRi member Hermes Center for Transparency and Digital Human Rights filed a request with the Italian Data Protection Authority (DPA) to investigate on the widespread practice of logging Network Address Translations (NAT) by most of the telecommunication operators.

To better understand the issue, we must first study, from a technical point of view, the operation and allocation of IP addresses by telecommunications companies, in particular, the practice of Carrier-Grade NAT (CGN), an approach used by telecommunications companies – and especially mobile operators – to manage the allocation of IPv4 addresses. Due to the shortage of available IPv4 addresses, it has become necessary to assign private IP addresses to customers, and then translate them into public IP addresses through a NAT procedure performed by devices connected to the internet operator network. In this way, a single public IP address can shield several private IP addresses: the direct identification of the unequivocal user that on “that day and at that time” was assigned to that internet identifier — similar to telephone numbers identification — is more difficult.

According to the statements of law enforcement authorities (LEA), this practice complicates the operations of identification of those who commit crimes because, given a public IP address, there may be dozens of different users. A practice widely used by telecommunication operators to deal with requests for identification by the judicial authority is that of recording and storing all NAT operations between private IP addresses of its customers and public IP addresses: like this, all the connections of the various IP addresses to the internet are recorded.

The Hermes Center demanded that the Italian Data Protection Authority perform a timely verification and inspection of all the main mobile and fixed operators in relation to the practices of data collection of internet traffic, publicly reporting the results, to verify which is the information collected for the purpose of providing compulsory services to the judicial authorities.

----------------------------------------------------------------- Support our work - make a recurrent donation! -----------------------------------------------------------------

A recently introduced Italian law on data retention has extended the retention time period by telecoms providers by up to six years. This data retention concerns both phone traffic and internet connections and clearly goes against the European data retention principles.

On 13 October 2017, Europol and the Estonian Presidency of Council of European Union organised a workshop with 35 policy-makers and law enforcement officials from all around Europe, in order to discuss the “increasing problem of non-crime attribution associated with the widespread use of Carrier Grade Network Address Translation (CGN) technologies by companies that provide access to the internet”.

The Hermes Center filed a Freedom of Information (FOI) request to Europol and the documents are available here: In Italy, the Hermes Center has appealed to the Data Protection Authority, asking for inspection across all telecommunication operators in order to verify in great details which are the exact information elements logged to comply with data retention laws.

Italy extends data retention to six years (29.11.2017)

Europol’s FOIA on data retention with carrier grade NAT (22.01.2018)

Documents related to the Hermes Center’s FOI request to Europol

(Contribution by Riccardo Coluccini, EDRi-member Hermes Center for Transparency and Digital Human Rights, Italy)



27 Mar 2018

Europol: Delete criminals’ data, but keep watch on the innocent

By Joe McNamee

It is almost impossible to believe, but the European Union Agency for Law Enforcement Cooperation (Europol) simultaneously:

  1. has policies that lead to evidence related to possible crimes being deleted (a data indifference regime) and
  2. supports laws requiring the data of innocent people to be stored (a data retention regime).

Worse still, most of this is not necessarily Europol’s fault. The contradiction is supported, or more precisely demanded, by the European Commission and some EU Member States.

1. Data indifference regime

Under the Europol Regulation, the agency must “support Member States’ actions in preventing and combating forms of crime” such as terrorism and racism. However, much of the criminality that Europol works on is not harmonised on a EU level. Indeed, Member States have little interest in actually enforcing much of the relevant law. For the sake of being seen to be doing “something”, the EU has given Europol the job of putting pressure on internet companies to delete content that may or may not be illegal. In the absence of an accusation that a crime was committed, everyone can quietly look the other way.

Under the Regulation, Europol is given the task of referring “internet content, by which […] forms of crime are facilitated, promoted or committed, to the online service providers concerned for their voluntary consideration of the compatibility of the referred internet content with their own terms and conditions”. (emphasis added)

Once Europol identifies and refers illegal content associated with serious crime or terrorism to the relevant internet service providers, how many times does this lead to investigations?

The answer is unknown. Neither Europol nor the European Commission knows if any reports are referred to national law enforcement or judicial authorities nor if there are any investigations.

If there are actual investigations, what happens to the evidence associated with the content? Well, when referring content to service providers, Europol confirmed to EDRi in an e-mail that they give no instructions whatsoever to the internet companies as to whether data should be retained for law enforcement purposes. However, they consider whether the associated personal data can be considered to be “sensitive data” from a legal perspective and treat it accordingly. This assessment is not shared with the providers. If the providers feel that it is “sensitive data”, then they would normally be expected to delete all data not needed for business purposes. Indeed, one of the major social media platforms told us that, when they delete accounts on the basis of referrals, all associated data are deleted after 30 days.

That needs to be said again: in the absence of any instructions whatsoever from Europol, data that is allegedly associated with serious crime or terrorism is deleted.

----------------------------------------------------------------- Support our work - make a recurrent donation! -----------------------------------------------------------------

2. Data retention regime

While data related to content where Europol has acted due to potential serious crime or terrorism is not considered interesting, it is busy supporting measures to require the storage to data related to perfectly innocent people. “We don’t want to use the data we have, but we want more” appears to be the message.

They want more data, even if the mandatory storage of the data has already been deemed illegal by the Court of Justice of the European Union (CJEU) . In addition, numerous EU Member States have laws requiring communications companies to store communications data related to every individual within their territory. They have these laws despite two CJEU rulings against this activity. The European Commission failed and continues to fail to take court action against those countries, in breach of its legal obligation to uphold the treaties of the European Union.

Worse still, the European Commission, Member States (represented in the Council of the EU) and Europol are engaged in a “reflection process” that is seeking to implement new mandatory communications data retention rules. The institutions are attempting to bypass the CJEU rulings through exercises of legal sophistry to exploit imaginary loopholes. Europol even prepared a presentation to support this effort to break the law in the name of ostensibly enforcing the law.

In short, Europol, the Commission and Member States are promoting action by private companies with no obligations for their own law enforcement authorities. The European Commission keeps publishing press releases boasting increasingly restrictive demands on what action internet companies can take to prevent and act on crimes. All of this is done, no doubt, in order to give the impression that somebody is doing something, without actually doing what needs to be done.

A good European Commission would confront law enforcement agencies on their failure to cooperate and start looking into solutions to address this. At the very least it would demand that Member States and Europol to publish consistent and reliable statistics. Right now this Commission is acting against its own mandate by hiding unpleasant facts and actively promoting practices that have repeatedly been found in violation of the Charter of Fundamental Rights of the European Union, of which the Commission supposedly is a Guardian.

(Contribution by Joe McNamee, EDRi)



07 Mar 2018

Czech BBA for Ministry of Industry and Trade for data retention

By Iuridicum Remedium

The winners of the 13th edition of the Czech Big Brother Awards were announced on 15 February 2018 in Prague. The awards are intended to draw public attention to privacy issues and related alarming trends. The Big Brother Awards are based on a concept created by EDRi member Privacy International. In the Czech Republic, the contest is organised by EDRi member Iuridicum Remedium (IuRE) since 2005.

An eight-member jury comprising of experts on new technologies, lawyers, human rights defenders as well as journalists chose the winners out of forty nominations sent in by the general public. The awards in four different categories went to the Ministry of Industry and Trade, Member of the Parliament (MP) Jiří Běhounek, Equa bank, and the Office of the Government. Non-profit organisation Open Whisper Systems won the positive award, named after Edward Snowden.

The award for the biggest privacy intruder in the long-term perspective went to the Ministry of Industry and Trade – the Ministry in charge of the Electronic Communications Act containing legislation related to data retention, which defines the obligation of providers of electronic communication services to collect metadata and store it for the needs of police and other authorities over a period of six months. Such data is very sensitive as it reveals who was involved in the communication as well as the whereabouts of the users of communication services. The Court of Justice of the European Union (CJEU) has already twice identified such data collection as unacceptable and unconstitutional. In addition, statistics show that this massive collection of data does not result in the decrease of the number of crimes committed nor in the increase in cases successfully solved by the police. Moreover, as is often the case, this measure is most likely to hit all others but the intended group of people – individuals involved in organised crime know how to avoid it. “The jury decided to award the Ministry for its inactivity in a situation where fundamental rights of all citizens are being undermined,” said Jan Vobořil, executive director of IuRe.

----------------------------------------------------------------- Support our work - make a recurrent donation! -----------------------------------------------------------------

The award for the biggest business privacy intruder went to Equabank for forcing its clients to agree to provide the so-called TelcoScore – which is based on the data from mobile phone operators. A typical use of TelcoScore is to verify the client’s credibility. The bank requests it from a telecoms company providing such information. The score is calculated based on 60 different data that the operator has about the client. Although clients are asked to agree with this procedure, in practice they cannot avoid it. This trend is dangerous, as it leads to a situation where clients will have no other option than to agree. “The score is calculated based on unrelated data, such as the client’s whereabouts, mobile phone use, number of journeys abroad, frequency of exchanging the telephone, and so on. “This can mean that in the future our actions can have unexpected impacts in other unrelated areas of life – and this could lead to permanent stress, conformism, and self-censorship,” explained Voboril. All three biggest mobile phone operators present on the Czech market do currently sell customer data in this way.

The award for biggest administrative privacy intruder went to MP Jiří Běhounek for his proposal for an amendment to the Act on Health Services that introduced an unrestricted access to electronic healthcare documentation. As part of the Electronic Identification Act, it passed through the legislative process. It establishes a so-called National Contact Point, through which broad access to electronic medical documentation, including access from abroad, should be facilitated. Alarmingly, there are no limits to this, nor does the legislative text mention whether the patient can influence which data is shared and how.

Last but not least, the positive awards named after Edward Snowden goes to Open Whisper Systems which developed Signal application for encrypted mobile communication. Signal is an encrypted communicator designed primarily for mobile platforms (Android, iOS) for messaging and voice messaging. It can encrypt text messages, pictures as well as phone calls. Signal is now generally regarded as the most secure communication platform in terms of encryption. It has two major advantages. The communication is end-to-end encrypted, which means that only the end users themselves have access to its content. The second advantage is that Signal is an open source application meaning everyone can check what happens with the data.

Czech Big Brother Awards

(Contribution by Jan Vobořil, EDRi member Iuridicum Remedium – IuRE, Czech Republic)



07 Mar 2018

Data retention “reflection process”: Council working documents

By Statewatch

A number of “working documents” discussed as part of the Council of the EU’s “reflection process” on the mandatory retention of telecommunications data have been released following an access to documents request submitted to the Council by EDRi member Statewatch.

----------------------------------------------------------------- Support our work - make a recurrent donation! -----------------------------------------------------------------

The documents provide an insight into some of the issues that have been discussed by Member States’ representatives and EU agencies who, since March 2017, have participated in a sub-group of the Council’s Working Party on Information Exchange and Data Protection (DAPIX) to “facilitate a common reflection process at EU level on data retention in light of the recent judgments of the Court of Justice of the European Union”.

The documents include overviews of the legal framework for telecommunications data retention in the Member States, a presentation from Europol on the possibility of introducing a new measure on “targeted data retention”, and proposals for using the forthcoming ePrivacy Regulation to make possible some form of data retention.

It can be observed that the use of working documents does not serve the interests of transparency, as they are not automatically listed in the Council’s register of documents and will likely only become available to the public through dedicated requests or leaks.

Statewatch requested access to all minutes/“outcome of proceedings” produced by the Council working group “DAPIX (Friends of Presidency) – Data retention” and all working papers/non-papers/other documentation submitted to that working group. Some documents were released in full, others were released in censored form while others could not be released at all, on the basis of argumentation from the Council’s transparency department.

Working documents produced and discussed during the Council’s “reflection process” on data retention:

1. Europol Study on the data retention regime applying in the EU Member States (WK 3570/2017 INIT, LIMITE, 4 April 2017, pdf):

2. European Judicial Cybercrime Network (EJCN) on the effects of the CJEU judgement (WK 3596/2017 INIT, LIMITE, 4 April 2017, pdf):

3. Data Retention – State of play in the Member States (WK 5206/17, LIMITE, 8 May 2017, pdf):

4. A submission from Europol that has been censored: Data categories to be retained for law enforcement purposes (WK 5380/2017 INIT, LIMITE, 11 May 2017, pdf):

5. Not a working document, but not previously published: Note from the Presidency: Targeted data retention – Exchange of views (9558/17, LIMITE, 23 May 2017, pdf):

6. Censored document from the Council Presidency: Ensuring the availability of data for the purposes of prevention and prosecution of crime = Presentation of options and exchange of views (WK 9380/17 INIT, LIMITE, 12 September 2017, pdf):

7. Europol: Proportionate data retention for law enforcement purposes (WK 9957/2017 INIT, LIMITE, 21 September 2017, pdf):

8. Censored document from the Presidency: Availability of data and issues related to data retention – elements relevant in the context of e-Privacy = Exchange of views (WK 11127/2017 INIT, LIMITE, 10 October 2017, pdf):

This is a shortened version of an article originally published by EDRi member Statewatch :

(Contribution by EDRi member Statewatch, the United Kingdom)



22 Feb 2018

In the making: The largest internet filter Europe has ever seen


European policy makers are working on the largest internet filter we’ve ever seen. That might sound a tad dramatic, but it’s really not an overstatement. If the proposal is accepted, websites such as Soundcloud, eBay, Facebook and Flickr will be forced to filter everything you want to upload. An algorithm will be the boss over which of your uploads will be seen by the rest of the world and which won’t.

Why haven’t I heard about this before?

This internet filter is tucked away in a proposal for new European copyright regulation. Internet filters can’t and shouldn’t be used to regulate copyright. They don’t work. But there’s a much bigger problem: once it’s installed, the internet filter can -and will- be used for a myriad of other purposes. We bet you anything that policy makers are gleefully awaiting the internet filter in order to use it in their latest battle, be it fake news, terrorism or undesirable political opinions.

Main issues

There are a lot of reasons not to want an internet filter. These are the three most important ones:

  1. It’s an attack on your freedom of expression. You will have to get permission to speak.
  2. Filters like these tend to make lots of mistakes and it will be up to you to fight them. (Spoiler alert: you can’t.)
  3. Platforms will be incentivised to avoid risk – at the cost of your freedom.

What can you do?

The following weeks are crucial. Tweet or e-mail your representatives that are part of the JURI committee. On 20-21 June they will be deciding on the upload filter. Use the hashtag #CensorshipMachine or #filterfail and let your representatives know you’re against the internet filter (Article 13)! You can find the Members of the European Parliament (MEPs) relevant to you here:

We’ve written some tweets to inspire you, but feel free to compose your own!

  • .@MEP Stand up for our freedom of expression online. Please oppose the #censorshipmachine in the #copyright Directive proposal.
  • .@MEP Stand up for our privacy online. Please oppose the #censorshipmachine in the #copyright Directive proposal.”
  • .@MEP Show that you care about culture and free speech: oppose the #censorshipmachine in the #copyright Directive proposal.”
  • .@MEP Internet filters don’t work. Please delete article 13 of the #copyright Directive proposal! #filterfail

We already tweeted at MEPs in their own language, check it out.


29 Jan 2018

EDRi-gram – 15 years of digital rights news (and counting)


15 years ago this day, on 29 January 2003, we published our very first EDRi-gram. To celebrate this occasion, we are looking back at the articles in this first newsletter.

If you are feeling nostalgic, you can read the original EDRi-gram Number 1 here:

A lot has changed, a lot stays the same.

Copyright Directive

Implementing the European Copyright Directive
(Click the link to read the original article)

In 2003, we had just escaped one of the biggest threats to the internet in Europe, the so-called “web caching ban”. Copyright fundamentalists tried to ban the incidental copies made by networks, unless they were separately authorised.

In 2018, we are facing one of the biggest threats to the internet in Europe. Copyright fundamentalists are trying to force everything uploaded to the internet to be subject to prior authorisation and/or upload filtering by internet hosting services.

Data retention

Rally Members European Parliament against data retention
(Click the link to read the original article)

In 2003, we were at the start of a long campaign by certain EU Member States to impose mandatory data retention, using the proposed ePrivacy Directive as a tool to achieve this goal.

In 2018, and despite two European Court rulings rejecting mandatory data retention, we are faced with a campaign from certain EU Member States to impose mandatory data retention, using the proposed ePrivacy Regulation as a tool to achieve this goal.

Software patents

New patent law on software threatens innovation
(Click the link to read the original article)

In 2003, European activists were faced by a massive, lobby-driven, well-financed attempt to impose software patents in Europe. The proposal was ultimately rejected, in one of the most unlikely of all “David and Goliath” successes of European activists.

Entitlement cards

Update: United Kingdom
(Click the link to read the original article)

In 2003, the UK government was trying to impose national ID cards through the back door via a national public service “entitlement” card.

In 2018, the Irish government is trying to impose national ID cards via a (“mandatory but not obligatory”) national public service entitlement card.

German censorship

Action against governmental censorship in Germany
(Click the link to read the original article)

In 2003, the German authorities were pushing censorship through the demonstrably ineffective use of blocking by internet access providers.

In 2018, the German authorities are pushing censorship through the coercion of internet services to delete content more quickly.

Recommended reading

“The Human Rights Network in Moscow has just released a very useful online report about online privacy in Russia. According to the introduction fundamental human rights and freedoms – freedom of speech, freedom of information, privacy – are apparently unprotected on the Net. While Russian Internet is growing these rights and freedoms suffer from frequent and widespread invasion.”

In 2003, our recommended reading was a study about online restrictions in Russia:

In 2018, the story continues:

Oh no! Did you miss the 363 previous editions of the EDRi-gram? No worries, you can read all of them here and here.

And it’s of course never too late to subscribe to our newsletter!



10 Jan 2018

Proposal to revoke data retention filed with the Czech Court

By Iuridicum Remedium

On 20 December 2017, EDRi member Iuridicum Remedium (IuRe) filed a request with the Constitutional Court of the Czech Republic to revoke the Czech data retention related legislation.

----------------------------------------------------------------- Support our work - make a recurrent donation! -----------------------------------------------------------------

The filing of the request was achieved in close cooperation with the Czech Pirate Party, whose 22 deputies were for the first time elected to the Chamber of Deputies of the Czech Parliament in October 2017. Apart from the Czech Pirate Party, the proposal also won the support of Members of the Parliament across five other parties represented in the Chamber of Deputies. Altogether, 58 signatures were gathered.

The proposal was prepared also thanks to means granted by the Digital Rights Fund. It builds on a similar successful proposal filed by IuRe with the Constitutional Court of the Czech Republic in 2011. In 2012, a new data retention system was adopted that implemented the EU Data Retention Directive that was in force at that time. The recent proposal aims at revoking this new law.

The proposal challenges, in particular, the Electronic Communication Act, the Police Act and the Criminal Procedure Act as well as the implementing legislation which defines the range of data to be kept. Currently, operational and localisation data on electronic communications are stored for six months. Apart from the police and other law enforcement bodies, intelligence agencies, as well as the Czech National Bank, may use the data. According to the Czech Telecommunication Office, for example, mobile phone data were requested in over 470 000 cases in 2016 alone.

The complaint to the court considers the principle of general and indiscriminate data collection a fundamental problem. It relies on two key decisions made by the Court of Justice of the European Union (CJEU) – in cases Digital Rights Ireland and Watson/Tele 2. In both cases, this measure was rejected. The proposal also explains that Czech and German statistical data demonstrates that the absense of data retention did not affect the level of criminality nor the number of criminal cases solved. The proposal also suggests revoking of selected sections of the Police Act that allow data to be requested without court permission. Furthermore, it suggests revocation of selected parts of the Code of Criminal Procedure, which do not sufficiently limit the possibility of requiring data related to serious crimes only.

Based on IuRe’s experiences from 2011, the decision of the Constitutional Court of the Czech Republic can be expected in approximately one year time.

IuRe and Pirate party send complaint on general surveillance of citizens to the Constitutional Court (only in Czech, 20. 12. 2017)

Czech Republic: Data retention – almost back in business (01.08.2012)

Czech Constitutional Court rejects data retention legislation (06.04.2011)

Czech Parliament – close in implementing data retention directive (04.06.2008)

European fund for digital rights launched (08.02.2017)

(Contribution by Jan Vobořil, EDRi member Iuridicum Remedium, Czech Republic)



29 Nov 2017

EU Member States plan to ignore EU Court data retention rulings

By IT-Pol

Documents made publicly available through EDRi member Statewatch reveal that EU Member States are exploring all possible options to keep, and in fact expand, their current data retention regimes. The general plan is based on a new concept of ”restricted data retention”, which is really blanket data retention with a new name, along with amendments to the draft e-Privacy Regulation to facilitate blanket data retention. Member States are considering whether these new elements should be introduced through an EU instrument or through national law in each Member State.

On 15 September 2017, the EU Counter-Terrorism Coordinator (EU CTC) submitted a new data retention proposal to Member States. The proposal was discussed at a meeting of the Working Party on Information Exchange and Data Protection (DAPIX) Friends of the Presidency (FoP) on 18 September 2017. A partial report of the discussions at the DAPIX FoP meeting can be found in Council document 13845/17.

----------------------------------------------------------------- Support our work with a one-off-donation! -----------------------------------------------------------------

The judgement of 21 December 2016 by the Court of Justice of the European Union (CJEU) in the Tele2 case (joined cases C-203/15 and C-698/15) concerned the national data retention laws that are still in place after the annulment of the Data Retention Directive in 2014. The EU CTC notes that data retention cannot be ”general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication” since this would violate paragraph 134 of the Tele2 judgement. In the Tele2 judgement (paragraphs 108-111), the CJEU outlines a targeted data retention regime which does not include every subscriber.

The EU CTC, considering input received from Member States, makes it clear that he is not at all interested in targeted data retention. Instead, the EU CTC proposes the concept of ”restricted data retention” on the basis that it is necessary to fight terrorism and serious crime, including cyber attacks. This measure has to be limited to the strictly necessary and be based on objective evidence. However, according to the EU CTC, the measure can cover the entire population, even though this is quite obviously blanket data retention.

The justification for this is claimed to be paragraph 106 of Tele2, which states that data retention must be restricted to (i) particular time periods and/or geographical and/or a group of persons likely to be involved, in one way or another, in a serious crime or (ii) persons who could, for other reasons, contribute, through their data being retained, to fighting crime. In essence, the EU CTC argues that the entire population, perhaps with an opt-out for persons bound by a legal obligation of professional secrecy (such as lawyers, journalists and doctors), could fall under the second category, ”persons who could, for other reasons, contribute, through their data being retained, to fighting crime”.

While deliberately covering the entire population, the EU CTC emphasises that other aspects of the data retention measure must be limited to what is absolutely necessary. What this means is not clear from the proposal, but it could include some differentiation with respect to categories of data and service providers. Minor operators, such as WiFi access points at pizza restaurants could be excluded since that data ”may potentially not be indispensable for retention”, as the EU CTC carefully notes. As far as the purpose limitation is concerned, there is nothing novel about the reinvention of restricted data retention. The annulled Data Retention Directive also limited data retention to the purpose of investigation, detection and prosecution of serious crime.

The critical aspect of restricted data retention is obviously that the entire population is covered. The EU CTC argues that this can meet the necessity test. However, the CJEU has ruled twice that a data retention measure which covers all subscribers exceeds the limits of what is strictly necessary. Referring to the entire population as ”persons who could, for other reasons, contribute, through their data being retained, to fighting crime” clearly fails to satisfy the requirement of objective criteria that establish a connection between the personal data to be retained and the objective pursued. The CJEU has referred to this principle several times, most recently in paragraph 191 of opinion 1/15 on the EU-Canada PNR agreement. Moreover, paragraph 110 of the Tele2 judgment specifically says that ”conditions must be shown to be such as actually to circumscribe, in practice, the extent of that measure and, thus, the public affected.”

The DAPIX FoP meeting report mentions that, while the CJEU rules out general data retention, it “does not solely permits” (sic) targeted data retention (which appears to mean that data retention that is not forbidden by the ruling may be permitted). Therefore, there are other legally possible regimes for non-general data retention. This is undoubtedly true, but largely irrelevant. Since the proposed unrestricted yet “restricted” data retention covers the entire population, it cannot possibly be classified as non-general data retention. The DAPIX FoP report refers to the proposed concept as ”restricted data retention and targeted access”, but the Tele2 judgment makes it very clear that safeguards and limitations at the access stage are not sufficient and cannot justify blanket (general) data retention.

The proposal from the EU CTC contains some general comments about the data categories (communication services) to be retained. It is claimed that approaches in some Member States show that a number of data categories are indeed not necessary (and, by implication, illegal).

The new focus on cyber attacks, where data retention is claimed to be key for attribution and investigation, could easily lead to more retention of internet traffic data, in particular, perhaps even internet connection records as in the UK Investigatory Powers Act (information about every internet packet, including all destination IP-addresses). Moreover, Europol has recently complained about the unavailability of data from internet service providers that use Carrier Grade network address translation (CG-NAT) since a large number of subscribers may share the same IP address. Data retention requirements to address the technical limitations caused by CG-NAT would, in most cases, substantially increase the amount of data collected. The DAPIX FoP report describes a matrix with categories of data to be retained, for example content data, traffic data, location data, and subscribers’ data. Except for content data (where generalised data retention would, incidentally, not respect the essence of the fundamental rights), this is simply the list of data categories in the annulled Data Retention Directive and the current data retention laws in Member States. In summary, the proposal of the EU CTC could easily lead to more data being retained per subscriber, despite the claim that a “peeling off” approach is taken to limit the data categories.

Data retained for business purposes, such as billing data, will be complementary to the data covered by the mandatory data retention regime. The EU CTC foresees that the new mandatory data retention regime will also cover over-the-top (OTT) service providers like Google and Facebook, and it is noted in the proposal that OTT operators collect much more data for business purposes than traditional telecommunications operators. In this connection, the EU CTC fails to mention (or, possibly, understand) that the proposed e-Privacy Regulation seeks to create a level playing field by subjecting all electronic communications service providers, whether OTT or telecommunications providers, to the same privacy rules.

The proposal from the EU CTC respects the strict access conditions set out in the second part of the Tele2 ruling. Access to retained data must be solely for the purpose of fighting terrorism and serious crime and must be subject to a prior court review. With the exception of terrorism cases, access can only be granted to data of individuals suspected of involvement in serious crime (Tele2 paragraph 119). The EU CTC also mentions pseudonymisation and encryption, and that this could facilitate searches of the retained encrypted data with decryption only on the basis of a warrant. The purpose of this is not entirely clear, since the retained data, as the general rule, can only be accessed with a prior court review for a specific person. It could perhaps mean that searches of encrypted or pseudonymised data are not intended to count as access to the retained data, and that such searches can be used to find persons of interest who can then, under certain substantive conditions, be depseudonymised subject to a court review. If data on specific persons could only be accessed after a prior court review, there would not really be a need for encrypted searches. Encryption is, of course, a useful security measure for the stored data, but that is an entirely different issue.

In the final part of the proposal, the EU CTC considers the role of the draft e-Privacy Regulation in relation to restricted data retention. The EU CTC notes that the Tele2 judgment is stricter than the annulment of the Data Retention Directive since Article 15(1) of the e-Privacy Directive makes data retention an exception to the main rule of erasure once the communication is completed. The EU CTC hypothesises that the draft e-Privacy Regulation could be amended to make blanket data retention easier. According to the EU CTC, it should be considered to allow storage of communications data in Article 7 of the draft e-Privacy Regulation if legally required to assist governments to fight serious crime and terrorism. However, a provision of this type would still be a restriction on the fundamental rights to privacy and data protection of subscribers, and the restriction would have to satisfy the conditions of Article 52(1) of the Charter of Fundamental Rights. This would not necessarily be different from the current situation with Article 15(1) of the e-Privacy Directive or Article 11 of the draft e-Privacy Regulation.

Working document on contributions to the discussion on data retention, EU Counter-Terrorism Coordinator, WK 9699/2017 INIT, LIMITE (15.09.2017)

Retention of communication data for the purpose of prevention and prosecution of crime, Council document 13845/17, LIMITE (30.10.2017)

Carrier-Grade Network Address Translation (CGN) and the Going Dark Problem, Council document 5127/17, LIMITE (16.01.2017)

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)