The right to privacy is a crucial element of our personal security, for free speech and for democratic participation. It is a fundamental right in the primary law of the European Union and is recognised in numerous international legal instruments. Digital technologies have generated a new environment of potential benefits and threats to this fundamental right. As a result, defending our right to privacy is at the centre of EDRi’s priorities.

06 May 2015

Slovakia: Mass surveillance of citizens is unconstitutional

By Guest author

Slovakia’s data retention law is now history. On 29 April, the Constitutional Court of the Slovak Republic ruled that the mass surveillance of citizens is unconstitutional. The decision was made in the context of proceedings initiated by 30 Members of the Parliament on behalf of the European Information Society Institute (EISi), a Slovakia-based think-tank.

In a non-public session, the Grand Chamber of the Constitutional Court (PL. ÚS 10/2014) ruled that provisions of the Act on Electronic Communications (Act No. 351/2011 Coll.), which until now required mobile network providers to track the communication of their users, as well as provisions of the Penal Code (Act No. 301/2005 Coll.) and the Police Force Act (Act No. 171/1993 Coll.), which allowed access to this data, are in contradiction to the constitutionally guaranteed rights of citizens to privacy and personal data. As a consequence, these provisions lost their binding effect.

According to now invalid provisions of the Electronic Communications Act, the providers of electronic communications were obliged to store traffic data, location data and data about the communicating parties for a period of six months (in the case of Internet, email or Voice over IP (VoIP) communications) or for a period of 12 months (in case of other communications). Data about unsuccessful calls was also stored for the same periods. Moreover, the legal framework regulating the access to data retention data was completely arbitrary and considerably less stringent than comparable provisions on wire-tapping.

In the opinion of EISi, the introduction of these obligations constituted a substantial encroachment upon the private life of individuals – especially because this mandated a blanket monitoring of all inhabitants of Slovakia, regardless of their innocence or prior behaviour. The data retention requirements mandated that every day the data about every inhabitant of Slovakia must be collected, amassing a profile of who called whom, to whom someone sent an SMS or email, when the person sent it, from which location, using what type of device or service, how long the communication took, and many other details. It almost goes without saying that combining all this information made it possible to perfectly analyse the movements of every inhabitant of Slovakia using a mobile phone or the internet. This allowed the behaviour, circle of acquaintances, hobbies, health, sexuality and other information that citizens might prefer to keep to themselves to be predicted.

The decision marks an end to EISi’s five-year battle against mass surveillance. Soon after the launch of the now unconstitutional data retention requirements, EISi authored a short report pointing out the basic discrepancies between the Act on Electronic Communications (“the Act”) and its data retention provisions, and the fundamental rights embodied in the Slovak constitution, the EU Charter of Fundamental Rights and Freedoms, and the Convention for the Protection of Human Rights and Fundamental Freedoms. This report was then presented in the form of a motion to two local authorities, which, despite the evidence, reached the view that the data retention provisions do not lead to an interference with the fundamental rights and freedoms of citizens, and no proceedings before the Constitutional Court were initiated.

EISi then put together a submission for the Constitutional Court, and started asking for the support of the Members of the Parliament, who can also initiate such a constitutional review. The submission gained the support of the required number of MPs, 30 signatures, and a motion was filed before the Constitutional Court successfully.

The decision of the Constitutional Court of the Slovak Republic was issued almost a year after the Court of Justice of the European Union (CJEU) proclaimed the Data Retention Directive invalid in the spring of 2014. At that time, the Constitutional Court of Slovakia promptly reacted by suspending the collection of data through a preliminary measure. By virtue of the decision on 29 April, data collection was completely cancelled.

So far, only the final outcome of the decision is known. The reasoning of the court is expected to be available within three months.

EISi’s press release: The Slovak Constitutional Court cancelled mass surveillance of citizens (29.04.2015)

Slovak Constitutional Court Suspends Data Retention Legislation (23.04.2015)

Data Retention before the Slovak Constitutional Court

The quest for privacy in Slovakia: The case of data retention

(Contribution by Matej Gera, European Information Society Institute – EISi, Slovakia)



22 Apr 2015

Hungarian data retention case: ORG, PI & scholars file amicus briefs

By Guest author

EDRi member Open Rights Group (ORG), Privacy International and a group of internationally acknowledged experts filed amicus curiae briefs with the Hungarian Constitutional Court. The case has been brought by the Hungarian Civil Liberties Union (HCLU) against two major service providers, in an attempt to force the Hungarian Constitutional Court to repeal the Hungarian Electronic Communications Act.

“A year ago, the Court of Justice of the European Union (CJEU) ruled that blanket data retention interferes with our fundamental rights to privacy and the protection of our personal data. ORG has already intervened in a case challenging data retention in the UK and hope to see other European countries repeal national legislation that forces companies to keep everyone’s personal communications data,”

said Elizabeth Knight, Legal Director of Open Rights Group.

The submissions focus on the importance of EU law and why the Hungarian law does not comply with it. Open Rights Group and Privacy International emphasise in particular in their submission the need for carefully calibrated EU rules in the field of surveillance and data protection, the significance of the retention of “communications data” or “metadata”, the seriousness of data retention as an interference with human rights, and the need for effective remedies in national legal systems to address breaches of EU law.

The final ruling of the Hungarian Constitutional Court is expected in one month.

The amicus curiae submissions of Open Rights Group and Privacy International (08.04.2015)

The amicus curiae submissions of the group of international scholars (15.03.2015)

HCLU litigates Hungarian service providers to terminate data retention (13.10.2014)

Press Release: Open Rights Group files amicus brief in Hungarian data retention case

EDRi-gram: Hungarian Data Retention Law – challenged at the Constitutional Court (04.06.2008)

(Contribution by EDRi member Open Rights Group, United Kingdom)



25 Mar 2015

In Germany, Data Retention refuses to die

By Guest author

The debate is intensifying in Germany on whether telecommunications data retention should be reintroduced. At the centre of the controversy is Sigmar Gabriel, the leader of the Social Democrats (SPD, the smaller party in Germany’s “grand coalition” government since 2013), and consequently a government minister for the economy and chancellor Angela Merkel’s deputy. Gabriel’s role is pivotal because his party would be the focus of any hope of balancing calls for data retention from the larger coalition partner, the Christian Democrats (CDU/CSU).

Data retention has been judged, twice, to illegally violate fundamental rights under the German constitutional framework. In March 2010, a ruling by Germany’s Federal Constitutional Court struck down Germany’s national data retention law that had implemented the European Union’s Data Retention Directive since the end of 2007. In April 2014 the Directive itself was invalidated by the Court of Justice of the European Union (CJEU).

This U-turn has happened almost simultaneously with another major shift in policy for the SPD, which changed the party’s position on the transatlantic free-trade agreement TTIP, to which it was previously opposed.

On data retention, Gabriel has surprised many with the strange range of arguments he has used to defend his position. He says he never really opposed the measure, in fact he voted for its introduction in 2007. But since the European Commission gave up its plans to introduce a new Data Retention Directive after the CJEU’s ruling, it has become clear that the plan is to leave it to Member States to muddle their own ways through this question.

After the recent terrorist attacks in Paris and Copenhagen, Gabriel has shown little restraint in using just any event or argument to portray data retention as indispensable. This includes the claim that data retention was an important means for Norway to deal with right-wing terrorist Anders Breivik’s attacks in 2011. This seems weird as Norway didn’t have a law for data retention in 2011 and still doesn’t have one today. After making this claim twice and being challenged on this, the latest statement from the SPD is that Norway used the instrument without legal basis, with support from US secret services. So, allegedly Norway’s authorities have disregarded their own country’s law and relied on organisations known to operate without any regard for legal boundaries, whose methods may or may not fall under the European definition of telecommunications data retention. How this should make Europeans accept a surveillance instrument whose effectiveness is questionable and which clearly requires strict legal controls is hard to imagine, probably even for Gabriel himself.

Other examples of fact bending include a claim that the previous data retention law had been the work of a Christian Democrat-Liberal government, when in fact it was introduced in 2007 by a previous CDU–SPD “grand coalition” (in which Gabriel himself served as environment minister), and misrepresentations of the points where the Constitutional Court ruling of 2010 had found fault with that previous law.

Sigmar Gabriel has now made up his mind that the time has come to work on a new German data retention law and push it through the Bundestag. He has recently instructed SPD’s Heiko Maas, Minister of Justice, previously an outspoken sceptic of data retention, to come up with a draft law in cooperation with the Interior Minister, CDU’s Thomas de Maizière. Getting a majority in Parliament will not be a problem, given the coalition’s almost 80-percent majority of seats. But what the true motives are and how the measure could be seen as constitutional after the court rulings, remains a mystery.

Data retention in Norway must actually be called NSA (only in German, 20.03.2015)

SPD leader Sigmar Gabriel calls for data retention to be reintroduced (only in German, 15.03.2015)

Sigmar Gabriel retains misapprehensions (only in German)

An almost impossible law (only in German, 23.03.2015)

(Contribution by Sebastian Lisken, EDRi-member Digitalcourage, Germany)



25 Mar 2015

Denmark plans to preserve illegally collected medical data

By Guest author

In Denmark, a controversial plan to prevent illegally collected medical data from being deleted has become a hot topic for the government. The plan involves transferring the data to the National Archives, which has an exemption in the Danish data protection act.

Under the Danish health care act, general practitioners can transfer medical data to a third party without consent from the patients if it is done for limited groups of patients and if analysis of the data can be used to improve the treatment of patients. This provision was used to create a central database known as Danish General Practice Database (DAMD) with the Region of Southern Denmark as the data controller.

DAMD was limited to the diagnosis for diabetes at the outset in 2007, but within a couple of years, all ICPC diagnosis data from general practice was being transferred to DAMD. This is clearly illegal, since the data collection without consent is no longer done only for limited groups of patients.

In November 2014, the Danish Minister for Health and the Region of Southern Denmark finally admitted that most of the medical data in DAMD is collected illegally. The natural next step would have been to delete the illegally collected data, but the Minister for Health stated publicly that he would prefer that this does not happen.

Within a week of the comment by the Minister for Health, the Danish National Archives suddenly decided that DAMD is a unique database which should be preserved at the National Archives. The data protection act has an exemption for transfer of personal data to the Danish National Archive, so that this can be done without consent. Based on an administrative authority in the national archive law, the Danish National Archives instructed the Region of Southern Denmark to retain the illegally collected medical data until further notice.

Privacy activists, including EDRi-member IT-Pol Denmark, object to this blatant abuse of the national archive law to essentially whitewash an illegal data collection of highly sensitive medical data. The Ministry of Culture has the responsibility for the National Archives. After an initial promise to delete the illegally collected data by mid February 2015, the culture minister Marianne Jelved decided to preserve DAMD at the National Archives.

Together with this decision, the minister proposed an amendment to the archive law which blocks access to illegally collected medical data for up to 230 years. However, these restrictions can always be removed by another amendment in a couple of years (the amendment law must be revised after no more than five years). Moreover, no assessment has been made of the costs of storing the highly sensitive medical data securely for 230 years, so that it could be used for historical research starting in 2245.

While the Danish government and parliament consider the fate of the DAMD database, Danish citizens can use their right under the data protection act to demand that their own illegally collected data is deleted. However, the order from the Danish National Archives prevents the data controller from deleting the entire DAMD database.

On 18 March, the Ministry of Culture was forced to admit that the Danish National Archives have used an inappropriate administrative order for demanding that DAMD is preserved. The correct administrative order for records held by the Danish regions places DAMD in the category of records to be discarded when no longer needed. The Ministry of Culture apparently sees this as a minor problem which can be solved simply by issuing an amended administrative order which places DAMD in the preservation category. However, before the new administrative order can take effect, there must be a formal consultation period. The deadline for consultation responses is set at 27 March, and the new administrative order will take effect from 7 April.

On 19 March, the Region of Southern Denmark found out that there is currently no proper legal basis for demanding the preservation of DAMD by the National Archives, and decided that the entire database will be deleted. Rather than just doing it, the region sent a letter to the Ministry of Culture stating that DAMD will be deleted on 24 March at noon.

The Danish National Archives and the Ministry of Culture responded almost immediately to this “threat” of restoring the rule of law by deleting illegally collected medical data. On 20 March, the deadline for the consultation was moved forward to March 23 (giving one working day for consultation responses), and the new administrative order will take effect on March 24, just in time to prevent the planned deletion of the entire DAMD database.

The only public comment from the Minister of Culture on these absurd developments is that the illegally collected medical data must be preserved in order to document illegal acts in the public administration for future generations. This is a rather strange argument since the illegal data collection has been documented extensively in several reports from government agencies. Moreover, the proposed blocked access wouldn’t allow any exceptions for the first 120 years, and this would also prevent using the data to document the illegalities.

Who wins the race for deletion of our medical data in DAMD? DenFri (only in Danish, 22.03.2015)

Illegally collected health data will not be deleted under Danish law, Medium (15.12.2014)

Danish General Practice Database

The Danish National Archives (Rigsarkivet)

(Contribution by Jesper Lund, EDRi-member IT-Pol, Denmark)



23 Mar 2015

EU trade secrets Directive: threat to free speech, health, environment and worker mobility

By Maryant Fernández Pérez

STATEMENT (pdf) 23 March 2015 (updated from 17 December 2014)

Multi-sectoral civil society coalition calls for greater protections for consumers, journalists, whistleblowers, researchers and workers

We strongly oppose the hasty push by the European Commission and Council for a new European Union (EU) directive on trade secrets because it contains:
– An unreasonably broad definition of “trade secrets” that enables almost anything within a company to be deemed as such;
– Far-reaching legal remedies for companies whose “trade secrets” have been “unlawfully acquired, used or disclosed”, including provisional and precautionary measures, damages and secrecy rights throughout the judicial process; and
– Inadequate safeguards that will not ensure that EU consumers, journalists, whistleblowers, researchers and workers have reliable access to important data that is in the public interest.

The proposal must be amended to ensure that only information acquired, disclosed or used by third parties with intention of commercial gain is protected under the directive.

Specifically, we share great concern that under the draft directive:

– The right to freedom of expression and information could be seriously harmed because the proposed directive does not guarantee the protection of journalists and whistleblowers. Under the proposed directive, journalists and whistleblowers must show that “…the alleged acquisition, use or disclosure of the trade secret was necessary for such revelation and that the respondent acted in the public interest”. Unfortunately, determining whether disclosure was necessary can often only be evaluated afterwards. In addition, the limitation of the right to disclose and use trade secrets to reveal “wrongdoing”, “misconduct” or to protect a “legitimate interest” would allow for sanctions to be applied even when the information ought to be in the public domain, such as planned redundancies and detrimental effects on health and the environment. The proposed directive should be amended to exempt information acquired, used or disclosed in the public interest.
– The mobility of EU workers could be undermined. The proposed directive poses a danger of lock-in effects for workers. It could create situations where an employee will avoid jobs in the same field as his/her former employer, rather than risking not being able to use his/her own skills and competences, and being liable for damages. This inhibits career development, as well as professional and geographical mobility in the labour market.
– Companies in the health, environment and food safety fields might use the directive to refuse compliance with transparency policies, even when the public interest is at stake. The proposed directive should be amended to ensure that (1) it does not cover information that must, by law (including international law), be disclosed by public authorities under public access to information legislation and (2) it excludes regulatory data of public interest that is needed for public scrutiny of regulatory authorities’ activities.

Health: Pharmaceutical companies argue that all aspects of clinical development should be considered a trade secret; however, access to biomedical research data by regulatory authorities, researchers, doctors and patients—particularly data on drug efficacy and adverse drug reactions—is critical to protecting patient safety and conducting further research and independent analyses. This information also prevents scarce public resources from being spent on therapies that are no better than existing treatments, do not work, or do more harm than good. Moreover, disclosure of pharmaceutical research is needed to avoid unethical repetition of clinical trials on people. The proposed directive should not obstruct recent EU developments to increase sharing and transparency of this data.
Environment: The directive must be amended to comply with the EU’s international obligations under the United Nations Aarhus Convention, which prevents public authorities from protecting the secrecy of information on emissions into the environment and requires active dissemination of information enabling consumers to make informed environmental choices. Therefore, the definition of “trade secret” should be amended to remove information on emissions from the scope of the proposed directive and companies should be prevented from using the directive to refuse disclosure of information on hazardous products, such as chemicals in plastics, clothing, cleaning products, and other activities that can cause severe damage to the environment and human health, including the dumping of chemicals and fracking fluids.
Food safety: Under EU law, all food products, genetically modified organisms and pesticides are assessed by the European Food Safety Authority (EFSA). EFSA assesses the risks associated with these products based on studies performed by manufacturers themselves. Scientific scrutiny of the EFSA’s assessments is only possible with complete access to these studies; therefore, this data must be removed from the scope of the directive.

Despite the Commission’s desire for a “magic bullet” that will keep Europe in the innovation game, without amendment, the proposed directive may make it more difficult for the EU to engage in open and collaborative forms of research. In fact, there is a risk that the measures and remedies provided in this directive will undermine legitimate competition and even facilitate anti-competitive behaviour. Unsurprisingly, the text is strongly supported by multinational companies.

Industry coalitions in the EU and the United States (US) are lobbying, through a unified Trade Secrets Coalition, for the adoption of trade secret protection. In the US, two new bills are pending before Congress. If passed, these texts would allow trade secret protection to be included in the Transatlantic Trade and Investment Partnership (TTIP)—something that will be incredibly difficult to repeal in the future through democratic processes. Given that TTIP is expected to set a new global standard, its potential inclusion of trade secret protection could have devastating consequences.

We urge the Council and the European Parliament to amend the directive by limiting the definition of what constitutes a trade secret and strengthening safeguards and exceptions to ensure that data in the public interest cannot be protected as trade secrets. The right to freely use and disseminate information should be the rule, and trade secret protection the exception.

For additional information or comment, please contact Walter van Holst, representing EDRi and Vrijschrift.

12 Mar 2015

Dutch data retention law struck down – for now

By Guest author

Published originally by EDRi-member Bits of Freedom 

And then everything went BANG: from our Twitter-timeline to the champagne bottle at our office. This morning the court annulled the data retention law. Effective immediately. But what exactly did the judge say and what will happen now?

The data retention law requires telecom providers to save communication and location data from everyone in the Netherlands for as long as a year. The law, and the judges agreed, heavily impacts our freedom.

An infringement of this magnitude requires proper safeguards

The District court of The Hague decided we no longer have to blindly trust the Dutch government. The law’s underlying European directive was meant as a tool in the fight against serious crimes. The Dutch law, however, is much more expansive, including everything from terrorism to bike theft. During the hearing, the state’s attorneys avowed that the Public Prosecution does not take the law lightly, and would not call on the law to request data in case of a bicycle theft. The judge’s response: it doesn’t matter if you exploit the possibility or not, the fact that the possibility exists is already reason enough to conclude that the current safeguards are unsatisfactory.

Additionally, the court determined that insufficient thought has gone into how data is requested. Saving personal information for a lengthy amount of time is a huge infringement on privacy. Therefore, proper safeguards and guarantees are needed when it comes to acquiring access to this data. The judge deems it reasonable that before a request for information is granted, it is reviewed by a juridical entity or an independent administrative entity. During the hearing, a state’s attorney claimed that a district attorney counts as an independent entity. That claim was met with a wave of chuckles throughout the crowd, and now it turns out the court agrees that this is baloney – but you won’t catch a judge using smileys.

Furthermore, the court considered the substantiation of the necessity of the law. The State claims that the data retention law is necessary. This claim was illustrated during the hearing using a number of shocking criminal cases — but they failed to substantiate necessity. Regretfully, the court took this on board as a valid point, but mainly because during the preliminary injunction, this particular argument was not rebutted. Nonetheless, it is important to realize that necessity has not been proven: not in evaluations, not in the Parliament, and not during the preliminary injunction. The fact that no rebuttal was offered, doesn’t change that.

The question is: now what?

First of all, we have to wait for a response from the Ministry of Security and Justice. It is hard to predict what they’ll say. With the former Justice Minister Ivo Opstelten temporarily replaced by Stef Blok, all we can do is hope for the best, and prepare for the worst. We hope the ministry is finally convinced that the law, now and in the future, must be dissolved. And as far as the providers are concerned, they must part with the data they’ve been saving under the data retention law that has now been struck down. Update: KPN, Vodafone, Hi, XS4ALL, Telfort, BIT and Tweak have announced that they will cease to execute the data retention law.

What will happen in the long term is unclear. That is up to Parliament and Opstelten’s successor. As the law has already been struck down, it seems self-evident that the law in its entirety should be revoked. The political party GroenLinks has already submitted a proposal along these lines to Parliament. But one thing is clear: this is not a done deal.

Today the data retention law has been struck down. The government won’t leave it with that. Do you want us to continue to fight against the undirected and lengthy storage of our communication data? Support our cause!

Court ruling (only in Dutch, 11.03.2015)


06 Mar 2015

EU Council proposals on open internet – Episode 2, the clown wars

By Joe McNamee

After one year of negotiations, a second element of the telecoms regulation was also agreed by the EU Council: arbitrary, ad hoc law enforcement by internet companies. The Council has decided that this is something that internet companies may do, may not do and may do (Council text, pdf).

When the European Commission proposed its draft Regulation on a Telecoms Single Market in September 2013, it decided that it would be a good idea to allow internet companies to decide (or not) to block unspecified content to “prevent or impede” undefined “serious crime”. In order to excuse this reckless, potentially counterproductive meddling with the policing of serious criminal activity, it explained that such activities could be to address problems “including” child pornography.

As such arbitrary interferences with communications are in direct and obvious breach of our rights and freedoms (“Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law”, EU Charter of Fundamental Rights), the European Parliament did the only thing it could – and deleted this provision in April 2014.

On January 20, the Latvian Presidency of the EU, seeking to carry out its function in a balanced, legal and reasonable way, noted both the legal limitations of such an approach (“this request appears to raise certain legal issues relating to the Charter of Fundamental Rights”) and the lack of support for the measure among Member States. It promised to add “appropriate text” if the legal issues could be resolved and if Member States supported such measures.

Then, however, things went horribly wrong. The UK kept insisting on the provisions being in the text, while other countries wanted the provisions kept out. The deadlock was broken when, behind the scenes, Sweden took incoherent, incomprehensible proposals about unspecified “measures” from the UK and presented them as their own. As time was running out, the Latvian Presidency felt that it had no option other than to include everyone’s contradictory proposals – meaning that the agreed text now says that internet providers can and cannot block and filter traffic outside the rule of law.

The Article in the draft legislation is very clear:

comply with legal obligations to which the internet access service provider is subject

The explanatory “recitals”, which are supposed to clarify this text, allow everything and nothing. Recital 7 is a baffling salad of disconnected provisions:

Providers of internet access service may be subject to legal obligations requiring, for example, blocking of specific content, applications or services or specific categories thereof.

So far so clear… legal obligations to block content. This obviously does not need to be clarified, but okay… Then…

Those legal obligations should be laid down in Union or national legislation (for example, Union or national legislation related to the lawfulness of information, content, applications or services or legislation related to public safety), in compliance with Union law […]

It is strange that the Council feels the need to explain what “legal obligations” are, but okay…and then…

[…], or they should be established in measures implementing or applying such legislation, such as national measures of general application […]

So a measure applying such national measures? Does that include measures taken in the absence of a legal obligation to do so? As these “measures” are listed separately from court orders or decisions of public authorities, this appears to be the case. This interpretation is reinforced by the next part of this surreal stream of consciousness, which explains that ISPs will have to comply with court orders or “other measures” which are, for example, court orders, but could also mean orders by public authorities and/or something else.

[…] courts orders, decisions of public authorities vested with relevant powers, or other measures ensuring compliance with such legislation (for example, obligations to comply with court orders or orders by public authorities requiring to block unlawful content).

The next sentence of recital 7 then says the direct opposite, since Article 52 of the Charter of Fundamental Rights does not allow restrictions outside the rule of law:

The requirement to comply with Union law relates, among others, to the compliance with the requirements of the Charter of Fundamental rights of the European Union in relation to limitations of fundamental rights and freedoms.

If internet providers are only allowed to block when, as the Charter says, this is “provided for by law”, what is the rest of the text for? The answer, sadly, is that this is legal text that is actively and deliberately drafted to be so unclear that it generates enough uncertainty to allow what the European Charter of Fundamental Rights prohibits.

The agreed text also says that “parental controls” are permitted. The only problem here is that there was never any doubt that parental controls are permitted because any service that actually offers control to parents would not in any way contradict the definition of “internet access service”:

“internet access service” means a publicly available electronic communications service that provides access to the internet, and thereby connectivity to substantially all* end points of the internet, irrespective of the network technology and terminal equipment used;

Which either means that the 28 legal experts who are negotiating a key piece of European legislation of global significance do not know what parental controls are, or they are trying to sneak in additional optional restrictions that can be imposed by internet companies and neither they nor we can guess what these might be.

This ridiculous mess is a major problem for two reasons. Firstly, it represents an agreement of the EU Council to circumvent the primary law of the European Union, to the detriment of the rule of law, freedom of communication and privacy. Secondly, it undermines the implementation of net neutrality, because it will lead to a situation where internet access providers will be asked (for public policy reasons) to block and filter internet traffic and asked not to interfere with internet traffic for their own business purposes.

*No, we don’t know what “substantially all” means either.

25 Feb 2015

Did GCHQ spy on you? Find out now!

By Guest author

Since its launch on 16 February 2015, over 25 000 people have joined an international campaign to try to learn whether Britain’s intelligence agency, GCHQ, illegally spied on them.

This opportunity is possible thanks to a court victory in the Investigatory Powers Tribunal (IPT), a secret court set up to hear complaints against the British Security Services. As previously reported in the EDRi-gram, Privacy International won the first-ever case against GCHQ in the Tribunal, which ruled that the agency acted unlawfully in accessing millions of private communications collected by the US National Security Agency (NSA), up until December 2014.

Because of this victory, now anyone in the world can try to ask if their records, as collected by the NSA, were part of those communications unlawfully shared with GCHQ. We feel the public has a right to know if they were spied on illegally, and Privacy International wants to help make that as easy as possible.

Unfortunately, the IPT can’t act by itself, and that’s why it needs people to come forward and file complaints. Privacy International plans to assist as many people as possible in jumping through the hoops the process will probably entail. It is going to be a long fight, and it will likely take months for the IPT to process all the complaints. However, it is important to bear in mind that if the IPT find that your communications were illegally shared with GCHQ, they will be obligated to tell you.

Through their secret intelligence-sharing relationship with the NSA, GCHQ has intermittently enjoyed unrestricted access to PRISM, the NSA’s means of directly accessing data and content handled by some of the world’s largest Internet companies, including Microsoft, Yahoo!, Google, Facebook, Skype, and Apple. GCHQ has also had access to other parts of the NSA’s Upstream collections, through which telephone and internet traffic data is accessed as it flows through communications infrastructure, including CO-TRAVELER, which collects five billion mobile phone locational records a day, and DISHFIRE, which harvests 194 million text messages daily. The top five programs within Upstream created 160 billion interception records in one month alone.

Chances are, at some point over the past decade, your communications were swept up by one of the NSA’s mass surveillance programs and passed onto GCHQ. We think you have a right to know whether that’s the case, and if so, to try and demand that data be deleted. Privacy International wants to help you assert those rights.

Privacy International’s campaign “Did GCHQ illegally spy on you?”

FAQ: Did GCHQ Spy On You?

(Contribution by Eric King, Privacy International)



11 Feb 2015

Macedonia: Massive surveillance revelation: 20 000 people wiretapped

By Guest author

On 10 February, EDRi-member Metamorphosis expressed grave concern about the publicly announced allegations of mass and unauthorised surveillance of citizens. Invasions of privacy directly affect freedom of expression in Macedonia, and fuel the overall climate of fear and silence.

On 9 February 2015, the Macedonian opposition leader Zoran Zaev held a press conference in Skopje, announcing that his party, the Social Democratic Union of Macedonia (SDSM), had obtained evidence that over 20 000 Macedonian citizens were subject to unauthorized surveillance. He stated that he is pressing charges for the massive wiretapping against PM Nikola Gruevski and his cousin, the director of the Counterintelligence Service, and an associate. Zaev also revealed that the evidence was provided by whistleblowers working for the Security Service who are now seeking an amnesty for their cooperation.

According to a report from the 9 February conference, Zaev said that all persons of some significance in the society, “all the judiciary, the Synod of the Orthodox Church, NGOs, and journalists were tapped.” He played leaked conversations between current government ministers, indicating that surveillance also extended to officials of the ruling party, VMRO-DPMNE, and their coalition partners. He said that only the Prime Minister Nikola Gruevski and the Director of the Intelligence and Security Sasho Mijalkov were not tapped. They allegedly received daily reports from the 24/7 surveillance operation that especially targeted political opponents during elections. Zaev also implied complicity of the major telecom operators with this massive operation.

After the initial revelation, SDSM announced that they will continue to publish evidence of alleged government corruption, gradually showing the overall effects of the control by the leadership of VMRO-DPMNE on the society. The allegations incited a number of reactions demanding impartial investigation by independent media, civil society and international community, as issues of independence of the judiciary have been noted as one of the main obstacles to building democracy and preserving human rights in Macedonia, within reports issued by the EU and the US.

“The right to privacy is an extremely important human right, and the threat to privacy is also a direct threat to our freedom. Authorities must make the decisions on wiretapping and surveillance in accordance with the applicable laws. Those decisions must not be arbitrary decisions made by individuals who have the power to do so. The allegations for mass eavesdropping of more than 20 000 citizens are very serious and the public must seek responsibility from the relevant institutions,” said Bardhyl Jashari, director of the Metamorphosis Foundation.

Metamorphosis reminded the public that the protection of privacy, the protection of personal data, and the protection of human rights related to freedom and dignity that may be violated by eavesdropping, are protected by the Constitution of the Republic of Macedonia and by a number of laws, including the Law on Personal Data Protection, while the Criminal Code sanctions unauthorized wiretapping. On the other hand, the 2014 European Commission Progress Report on the Republic of Macedonia indicated that it is necessary to further adjust the sector-specific laws in order to fully comply with the European regulations on personal data protection.

Setting the protection of privacy as a priority in building an information society, Metamorphosis has, since 2004, publicly indicated, on a number of occasions, the possibility for abuse due to the lack of mechanisms for supervision over institutions that have the capacity to conduct eavesdropping. In 2008, 2010 and 2012 it advocated against increasing that capacity without any accountability mechanisms for a number of state bodies, contesting amendments to the Law on Electronic Communications and the laws affecting investigative procedures.

Press Release: Unauthorized Eavesdropping is Unlawful and Unconstitutional (10.02.2015)

Macedonia PM accused of large-scale wire-tapping (09.02.2015)

The former Yugoslav Republic of Macedonia progress report, October 2014

2013 Human Rights Reports: Macedonia

Twitter: #Macedonia-related links in English

EDRi-gram: Macedonian investigative magazine fined in defamation case (22.10.2014)

(Contribution by Filip Stojanovski and Bardhyl Jashari, EDRi-member Metamorphosis, Macedonia)




11 Feb 2015

Yet another internet blocking law in Turkey

By Heini Järvinen


In recent years, online censorship and the deteriorating situation regarding the freedom of speech have raised serious concerns in Turkey. The large majority of the traditional mainstream media is either directly or indirectly under government control, and the Internet remains one of the few channels for free speech. However, the government is repeatedly taking measures to control the Internet as well.

On 2 October 2014 the Turkish Constitutional Court overturned an amendment to the Internet law that would have given additional censorship powers to the Turkish Telecommunications Authority (TIB). Among other things, the suggested amendment allowed the TIB (hence the government) to issue “preventive” website blocking orders to the Internet Service Providers (ISPs) without a court decision. The blocking was to be executed for “national security, public order or crime prevention”.

Unperturbed by the decision, the government prepared a nearly identical bill and brought it before parliament on 20 January 2015. Like the previous one, the suggested amendment would oblige the ISPs to execute the blocking of contents within four hours after receiving the order from the TIB, enabling the government to block web sites quickly and without due process of law. The parliamentary commission has already passed the bill, and it’s expected to come to the general assembly in the next few weeks.

The government might be counting on the Constitutional Court not annulling the amendment this time, because some of its key members are in the process of retiring. But the tug of war between those defending freedom of speech online and those wanting to restrict it continues. As EDRi-member Electronic Frontier Foundation (EFF) recently stated in its press release:

“Turkey has been a bastion of Internet censorship for so long that EFF could write a regular feature called ‘This Week in Turkish Internet Censorship’ and never run out of content.”

Unlike in the past, the international community is not being helpful. The Turkish government has followed the UK model of putting pressure on private companies to censor content outside the rule of law, coercing Facebook into restricting content. Blocking on the basis of ad hoc decisions by the telecoms regulator is currently in place (subject to a constitutional court ruling) in Italy, and the Council of Europe’s draft Recommendation on Net Neutrality still (after a new revision) says that it is acceptable for restrictions to be imposed by regulatory authorities (or simply “in cooperation with public authorities”).

Facebook caves to Turkish government censorship (29.01.2015)

Turkish parliamentary commission approves bill for tighter website blocking (05.02.2015)

Government defies constitutional court on website blocking (22.01.2015)

Turkey: Internet freedom, rights in sharp decline (02.09.2014)

Turkey proposes tighter internet law, pursues Twitter critic (22.01.2015)

EDRi-gram: Turkey: Constitutional Court overturns Internet law amendment (08.10.2014)