The right to privacy is a crucial element of our personal security, for free speech and for democratic participation. It is a fundamental right in the primary law of the European Union and is recognised in numerous international legal instruments. Digital technologies have generated a new environment of potential benefits and threats to this fundamental right. As a result, defending our right to privacy is at the centre of EDRi’s priorities.

19 May 2016

Copyfail #1: Chaotic system of freedoms to use copyrighted works in the EU

By Diego Naranjo

This article is the first one in the series presenting Copyfails. The EU is reforming its copyright rules. We want to introduce to you the main failures of the current copyright system, with suggestions on how to fix them. You can find the nine key failures here.


How has it failed?

The current EU Copyright Directive outlines 21 different optional freedoms to use copyrighted works. These freedoms, called “exceptions and limitations”, specify how strict copyright rules can avoided in certain useful circumstances, as long as this does not interfere with the exploitation of the work by the creator. This would include, for example, using copyrighted material for educational purposes, adapting it for people with disabilities, making copies of music or films for personal use, or using it for academic quotations.

Each EU country putting the Directive into practice can choose to either include or exclude any of these optional exceptions. As a result, there are literally over two million ways to implement the Directive! In a borderless, open Internet, it is crazy that a simpler solution to implement flexibilities that do not interfere with the normal exploitation of the copyrighted material is not implemented.

However, copyright lobbyists are vehemently opposed to any flexibility. Indeed, in 2001, when the Directive was adopted, lobbyists argued that the one mandatory exception (for incidental copies in networks) was absolutely unworkable and would “a gaping hole in rightsholders’ protection under the reproduction right“. Fifteen years later, it is very obvious that no such “gaping hole” was created. Now, they warn again against a more flexible regime. Now, as then, they are wrong.


Why is this important?

People across the EU should be able enjoy the same rights. Harmonisation of the copyright rules is needed for creating a Digital Single Market – not 28 EU markets as we currently have.

The implications of the copyfail #1 are huge, for example:

  • In the UK, people are not allowed to make copies of music that they legally buy.
  • In Austria and Lithuania is illegal to send quotations by e-mail.
  • In some countries, like France, the uses of copyrighted works in schools are considerably more restricted, than in others, like Estonia. The latter allows teachers within an educational context to quote works to any justified extent, compile works of any nature and translate and adapt entire works, while France doesn’t.

How to fix it?


Read more:

Copyright combinatronics (16.11.2011)

Copyright exceptions and limitations – back to the future (25.03.2015)

Copyright reform: Restoring the facade of a decrepit building (16.12.2015)



18 May 2016

Danish ticketing system a threat to privacy

By Guest author

Like many countries, Denmark is replacing paper tickets for public transportation with electronic tickets. The Danish system, called Rejsekort (“travel card”), is a contactless chip card similar to the Oyster card in the United Kingdom and the OV-chipkaart in the Netherlands.

At the start of the journey, the passenger holds the card in front of a check-in card reader, and this procedure is repeated when changing to another transport vehicle (train, metro or bus). At the end of the journey, the passenger holds the card in front of a check-out card reader, and the fare for the completed journey is calculated and subtracted from the balance of the card. Check-in/out card readers are placed at all train and metro stations and in buses.

................................................................. Support our work - make a recurrent donation! .................................................................

For passengers, the chip card offers convenience. It can be used for public transport in most parts of Denmark, and passengers do not have to be familiar with the complicated fare structure. For example, in the Greater Copenhagen area, there are eight different price levels for a ticket depending on the number of zones in the journey and, in some cases, the number of zones can differ between the outbound and inbound journey.

The Rejsekort card exists in personalised and non-personalised versions, the latter being called Rejsekort Anonymous. The personalised card, which requires proof of identity similar to opening a bank account, offers a number of incentives to citizens: greater fare discounts, automatic transfer of money from a credit card to the Rejsekort, and the possibility of transferring the balance to a replacement card if the Rejsekort is lost or stolen. Despite its name, the non-personalised Rejsekort is not really anonymous since all chip cards have a unique number, and all journeys along with the unique card number are registered in the back-end systems of the Rejsekort company. Passengers can, of course, get a new non-personalised card regularly to protect their privacy, but the price of the card itself is about 10 euro, and the remaining balance on the old card is lost.

From a privacy perspective, the Danish Rejsekort is a disaster, because the unique card number is connected to all journeys. The journeys of all card holders are registered in a central database, and this information is currently retained for five years, together with the citizen ID number (for the personalised card). Whereas mass public transport in trains and buses previously offered a relatively high degree of anonymity (save for the ever more pervasive CCTV surveillance cameras), it has now become similar to air travel where so-called Passenger Name Records (PNR) are created and stored for every journey. Unlike air travel, the anonymous travel option does still exist with the more expensive paper tickets.

There has been some public debate and criticism of the data retention practices in the Rejsekort system. The response from the publicly-owned travel card company has been that since the Rejsekort is a payment card (with limited applicability to paying for public transport), the Danish legislation for bookkeeping and measures against money laundering (based on EU law) makes it mandatory to keep information about every transaction, that is every journey, for five years. Furthermore, the travel patterns of every passenger are analysed for various fraud detection purposes. The Rejsekort is based on the Mifare Classic design which is lacking in terms of security. However, card hacking is not viewed as a problem by the Rejsekort company because the company believes that any attempted fraud can be detected in the back-end systems. In some sense, surveillance of passengers’ travel transactions is used to compensate for the inadequate security of the chip card.

The fare structure for the Rejsekort gives passengers an incentive to not to check out on long journeys or to check out before their final destination, especially when travelling by bus where the check-out card reader is placed inside the bus itself. According to the terms and conditions for the Rejsekort, a personalised card can be blocked after three journeys where the check-out is not done properly, and in that case the cardholder will be put on a blacklist so that she/he is unable to get a new personalised card for a year. The fraud detection system probably looks for uncompleted journeys and travel patterns that may otherwise indicate partial fare evasion, like premature check-out. The latter profiling involves cross-referencing with general customer information which could include the address of the passenger, but the precise details of the profiling for fraud detection are not known.

Because of the public criticism, the Danish government asked the law firm Poul Schmith (Kammeradvokaten) to investigate the data processing practices of the Rejsekort company. The report from the law firm was published on 29 March 2016. In an earlier assessment of the Rejsekort system, the independent Danish Data Protection Agency did not have any remarks about the five-year retention period for all journeys, but the report from the law firm concludes that there is no legal requirement to keep information about every journey for five years. It is only necessary to keep the information until the customer can no longer dispute the transaction, that is payment for the journey. The law firm indicates that this period could be three years as this is the statutory limitation period for simple financial claims in Denmark. A privacy-friendly argument for a shorter period than three years could also be made here, since a customer generally loses the right to dispute through inactivity. The official guidelines for the Danish bookkeeping administrative order contains an example with a telephone company where it is stated that only documentation about invoiced/paid amounts must be stored for five years, not details of the individual calls. When the telephone calls can no longer be disputed by the customer, the aggregate invoice is sufficient bookkeeping documentation. Clearly, the same principle must apply to a ticketing system like Rejsekort, but apparently the Rejsekort company had missed this detail in the official bookkeeping guidelines.

A second recommendation from the law firm Poul Schmith is that customers should give consent to the processing of personal data for fraud detection. Currently, no information at all is provided about this processing to the customers. This recommendation is a bit odd. The Rejsekort company argues that the processing can be done without consent because the legitimate interest exception applies to the fraud detection. Moreover, consent as a legal basis for processing hardly makes sense here since customers cannot really refuse (if they want a Rejsekort), and it seems rather unlikely that the Rejsekort company will provide sufficient information so that the consent actually becomes meaningful. Quite interestingly, there is a discussion in the report as to whether the consent to data processing for fraud detection will be coerced or not. The law firm argues that the consent is voluntary, but only because alternatives to the Rejsekort exist, especially single-journey paper tickets. These alternatives are however more expensive and more cumbersome to use.

The Rejsekort company has announced that it will follow the recommendations made by the law firm. This also applies to some of the minor points about reducing the number of employees with access to the central database with journeys, and ensuring written documentation for agreements with data processors.

What is rejsekort? (homepage of Rejsekort A/S)

Investigation of the processing of personal data in rejsekort by the law firm Poul Schmith (only in Danish, 29.03.2016)

(Contribution by Jesper Lund, EDRi member IT-pol, Denmark)



04 May 2016

Please sue us

By Guest author

Each of the Member States of the European Union is required to incorporate European directives into national legislation. If a Member State does not obey this obligation, the European Commission can sue this country in the Court of Justice of the European Union (CJEU). But what actions can a country take if such directives force it to adopt legislation that contradicts its own constitution? From the European Commission’s perspective, Member States have an opportunity to raise such concerns for a few weeks during the adoption process of a Directive and, if it doesn’t, all subsequent problems are the fault of the Member State itself.

................................................................. Support our work - make a recurrent donation! .................................................................

Being forced to do something you can’t actually do

This transposition into national legislation also applied to the Directive that forced telecom and Internet providers to retain data concerning the location and communication behaviour of all their users, also known as data retention Directive. Many Member States where unable to meet this requirement. This resulted in the Commission starting a number of infringement procedures against, among others, Romania, Sweden, and Germany.

In order to get a good impression of what goes on behind closed doors, Dutch EDRi member Bits of Freedom requested the Commission to disclose all documents relating to five of these infringement procedures. A few months later, we received thousands of sheets of paper. Now we know how effortlessly national and European leaders blatantly ignore fundamental practical and objections. Ironically, while Member States were taken to court for failing to implement the repressive measures in the Directive, no effort at all was devoted by the European Commission to enforcing Article 10 of the Directive – collecting statistics that were supposed to be used to assess whether the Directive was actually useful or not. It’s a tricky situation: being forced to implement certain rules, despite them being contradictory to the country’s constitution.

Please sue us

The preventive and persistent preservation of data concerning everybody’s location and communication behaviour is, fortunately, a controversial policy. However, to some governments, this seems to be irrelevant. In one of the obtained documents, the Commission describes how a Czech minister viewed the implementation of this controversial undertaking. His assessment: “one day’s headlines and then forgotten”. Some countries even encourage the Commission to start an infringement procedure against them. Crazy, right? It’s as if you’d approach a police officer on the street and beg him or her to please give you a ticket. But this is politics.

The politicians of the German ruling party CDU supported the Commission’s attempts to enforce the implementation of the Directive, because such an infringement procedures increase the pressure on the national debate. For the same reason, the German minister of Internal Affairs (who wanted to see the Directive implemented) did not want the Commission to amend the Directive. In the absence of a reform, the pressure on her Liberal colleague at the Justice department (who refused to implement the Directive) remained high. Similarly the Commission was told by Romanian representatives that a warning against the country would be “helpful”.

Keeping score is too much of an effort

There is no scientific evidence that the invalidation has caused the law enforcement agencies major difficulties. There is no evidence indicating that invalidating the data retention Directive has had a negative impact on the clear-up rate of criminal offences.

This is what the German Minister of Justice wrote in a letter to the European Commission, after the data retention Directive was found to be in violation of the constitution in Germany. It is clear-cut criticism on the assumed – but never substantiated – need for a data retention act.

For many countries, it is too much trouble to gather evidence that supports the alleged need for a data retention act. The Czechs told the Commission that maintaining statistical data (an unenforced obligation under the Directive) was an enormous burden and that it was difficult to obtain data from the police. Instead they indicated a preference to have a conversation with other Member States and to learn from their best practices. How to implement the Directive, without much need for working out if it was serving any purpose?

A data retention act doesn’t help anybody

The documents also give an impression of what is still ahead of us. For instance, the Commission pressured Romania into introducing a new data retention policy after the previous one was declared invalid. The Commission did this despite the warning that there is a risk that a new case would be brought to the Constitutional Court and that the new law will be again declared unconstitutional.

The national legislator being disciplined over and over again calls for additional complexity in the Commission’s enforcement procedures. Their lawyers wrote:

“By letter of 25 November 2008 […] Romania informed the Commission […] that it adopted law no. 298/2008 […]. Romania stated that these measures constituted ‘complete transposition’ of [the data retention Directive] into Romanian law. However, due to an internal omission, this infringement procedure was not subsequently terminated, which should have been done. On 23/11/2009, the Romanian constitutional Court annulled the national law. This law longer exists.

Given those circumstances, it is necessary to close this case which dealt with the situation prior to the annulment of the law by the Romanian Constitutional Court. However, the Commission decided to open a new procedure in order to make sure that [Romania] will transpose the Directive, taking into account the legal situation which is currently in force since the annulment of the law by the Romanian Constitutional Court.”

That is quite a mess that benefits no-one, other than a handful of lawyers. And this is what the Netherlands is about to do: adopting a new data retention law (even though the European Directive itself has now been overturned by the European court), while knowing that it will again collapse in a Dutch or European court. Meanwhile, the investigative agencies are left to deal with the consequences: they have no use for investigative tools that can be declared illegal by a judge – indeed, they were never able to show a use for the data in the first place. The Dutch government should instead invest in something the police can actually use.

Please sue us (only in Dutch, 23.03.2016)

(Contribution by Rejo Zenger, EDRi member Bits of Freedom, The Netherlands)



06 Apr 2016

CJEU hearing on the EU Canada PNR agreement: Still shady

By Diego Naranjo

The European Court of Justice (CJEU) had a hearing on 5 April to decide about the referral made on 25 November by the European Parliament on the EU-Canada agreement on Passenger Name Records (PNR). Passenger Name Records (PNR) include information provided by passengers and collected by air carriers for commercial purposes, such as, but not only, the date of the trip and complete itinerary, the name and contact information, the form of payment, frequent flyer information, meal preferences and medical information. In some cases, the airlines will have access to other data such as hotel bookings, car rentals, train journeys, travel associates, etc. This provides a massive insight into the private life of an individual.

................................................................. Support our work - make a recurrent donation! .................................................................

The agreement between the EU and Canada allows for the transfer and processing of PNR data of passengers flying between the EU and Canada. The result of the referral of the agreement to the CJEU could impact the proposal for an EU PNR Directive (Fight against terrorism and serious crime: use of passenger name record (PNR) data (procedure file 2011/0023(COD)), that was adopted by the European Parliament’s Civil Liberties Committee on 15 July 2015, and which may be scheduled to be voted in the European Parliament’s plenary session on 27-28 April 2016. The narrow vote (32 in favor, 26 against, no abstentions) in favour happened despite the rejection of this same EU PNR proposal by the same Committee in 2014 and despite the CJEU ruling invalidating the Data Retention Directive.

During the hearing, many crucial issues came up:

Firstly, the European Commission (EC) argued before the Court that PNR data is “anonymised” after 30 days and that, as a result, the CJEU judgment invalidating the data retention Directive is not applicable in this case. However, the EC fails to see that the PNR data is only “masked out” – depersonalised by masking certain identifiers. This is not anonymisation. The EU PNR Directive contains similar clauses and the European Data Protection Supervisor (EDPS) Opinion 5/2015 of 24 September 2015 said that they were glad that the mention to anonymous data was taken off the proposal since “(i)ndeed, the data at stake could not be considered as anonymous since they would still be re-identifiable.”

Secondly, the EC quoted the EU anti-terrorism coordinator saying that the number of convinctions based on PNR are irrelevant”. This just does not make sense. If the goal is to find suspects, and there are no convictions based on the PNR data used, the collection and processing of PNR data could well not be “necessary” nor “genuinely meet objectives of general interest recognised by the Union” as Article 52.1 of the Charter of Fundamental Rights states for any limitation for fundamental rights.

Thirdly, during the hearing Member States defended the agreement based on different reasons. The Spanish representative stated that the data retention period of 5 years is absolutely necessary for criminal investigations. Why not five and a half years, as it is the case currently under the PNR agreement with Australia… or 15 years, as under the PNR agreement with the USA? Why not 20 years? Or maybe just 3? Is the standard “whatever-length-we-randomly-decide-each-time”?

Fourthly the issue of the independent supervisory authority was also highlighted during the hearing. The EDPS reiterated the views expressed in their Opinion on the agreement of 30 September 2013 and said that the oversight in Canada PNR is not an equivalent independent authority, which was refuted by the EC during the hearing. The EDPS Opinion explicitly regretted the fact that “oversight may take place (…) by a (non independent) authority created by administrative means”. The EDPS also noted the “limitations of judicial review with respect to judicial redress”.

In sum, the hearing has shown once again that PNR profiling is a not a necessary and proportionate means to prevent international crime and terrorism in the EU. The Advocate General of the Court will announce his opinion on 13 June 2016.

EU-Canada agreement on PNR referred to the CJEU: What’s next? (03.12.2014)

Agreement between Canada and the European Union on the transfer and processing of Passenger Name Record

EU PNR Document Pool

Opinion of the European Data Protection Supervisor on the Proposals for Council Decisions on the conclusion and the signature of the Agreement between Canada and the European Union on the transfer and processing of Passenger Name Record data (30.09.2013)

Steve Peers: The Domino Effect: how many EU treaties violate the rights to privacy and data protection (25.11.2014)

Bruce Schneier: Refuse to be terrorised (24.08.2006)

Mass surveillance through PNR is facing closure: EU-Canada agreement is put to testing (in German) (05.04.2016)

(Contribution by Diego Naranjo, EDRi)



02 Feb 2016

European Commission defence of European rights sinks in an unsafe harbour

By Joe McNamee

Following the decision of the European Court of Justice to overturn the EU/US “Safe Harbor” Agreement last year, EU/US negotiations have been ongoing to reach a new deal, which would facilitate transfer of data across the Atlantic. Having failed to reach an agreement before 1 February, the European Commission today announced plans to back down from defending the European Court’s ruling and to accept a new badly flawed arrangement.

The emperor is trying on a new set of clothes. Today’s announcement means that European citizens and businesses on both sides of the Atlantic face an extended period of uncertainty while waiting for this new stop-gap solution to fail.

said Joe McNamee, Executive Director of European Digital Rights.

Among the proposals are an “exchange of letters” to permit Europe to receive assurances from the outgoing US President that non-US data will be processed in ways that are strictly necessary and proportionate – i.e. not subject to mass surveillance.

The new arrangement will rely on additional legal instruments, which are also likely to fail to achieve their intended goals. At a meeting in the European Parliament last night, Commissioner Jourová was asked repeatedly for her views on flaws in the crucial Judicial Redress Act and the EU/US Umbrella Agreement. She refused to address either problem.

Parliamentarians from across the political spectrum last night repeatedly accused the United States of not taking the negotiations seriously. Seeing fatal problems being built into the Judicial Redress Act, seeing the adoption of the secret data-sharing provisions in the Cybersecurity Act and seeing the lack of any meaningful reforms on the US side, it is hard to disagree.

Read more:

Why is Safe Harbour II such a challenge?

Access Now, EDRi on data protection: “No Safe Harbour 2.0 without reform on both sides of the Atlantic”

01 Feb 2016

Why is Safe Harbour II such a challenge?

By Joe McNamee

It seems baffling to many outside the Brussels bubble – and certainly our friends across the Atlantic – that reaching a revised Safe Harbour deal has proved so difficult.

Part of the problem is Europe. The United States was able to negotiate a questionable deal with the EU to gain access to financial transaction data (the TFTP agreement) and only had to deal with a highly deferential letter from Commissioner Malmström when the Snowden revelations indicated that the deal was being abused.

When the United States wanted long-term storage of air passenger data, the EU caved in completely to US demands and agreed to 15-year long data storage. That deal remains in place, despite of being patently illegal – as proven by the fact that the European Court of Justice overturned the EU’s Data Retention Directive and by the fact that the Commission now considers that 5 years of passenger data retention to be sufficient (i.e. if 5 years is enough, 15 years is clearly far too much).

And let’s not forget that the EU also agreed to the original Safe Harbour deal, although many experts believed that it was illegal.

If, over the past 17 years, the EU caved in and accepted a questionable deal on financial data, if it then ignored evidence that the deal was not being respected, if it accepted and still maintains an illegal deal on passenger data, if it accepted the illegal Safe Harbour deal, it would seem entirely rational and logical that the United States would negotiate on the basis that the EU would cave in again.

That assessment appears to be wrong in this case, as the consequences of a deal that fails to respect the law would be felt more quickly and the range of manoeuvre available to the Commission is narrower.  Generally, as we see with Safe Harbour and the Data Retention Directive, for example, it takes so long for the Court to catch up, that the Commissioner responsible will have left office, so there are no political consequences. Safe Harbour is different.

A new illegal deal would have even worse transatlantic consequences than we are facing at the moment, making the consequences more meaningful. Politically, legally and economically, the Commission needs to ensure that it is able to put forward a credible defence before the Court. It would be grossly reckless for the European Commission to treat this as a political negotiation, and up until this weekend, it has laudably not done so.

Furthermore, while the European Commission frequently seeks solace in semantics (“what does ‘genuinely necessary’ really mean?”) in order to avoid fully respecting Court rulings, the Safe Harbour ruling is very clear in not giving room for manoeuvre. Also, due to the inevitability of the Court being asked to rule on any new deal, the scope for the Commission to play for time is severely limited.

This unique situation has led to the two sides in the Safe Harbour II negotiations simply not hearing each other. The United States – logically in the historical context – has been proposing elaborate political spin and elegant, but ultimately specious, explanations of what a deal could look like – in a manner that has always worked before. Meanwhile, the European Commission has been explaining that this negotiation is different. This, too, however, sounds like a negotiating tactic. “Why do they not understand?” both sides ask, infuriated that the other side won’t accept to move forward based on their version of the political and legal context.

As a result, the only possible deal that is immediately available is where the European Commission agrees a politically expeditious but legally untenable deal, creating a time bomb rather than a durable deal, to the benefit of no one. In absence of reforms before an agreement, individuals’ fundamental rights would remain under threat. The political arm wrestling which led us nowhere must end. Discussing legal solutions to a legal problem is the only viable path to agreeing to a robust data transfer agreement.

21 Jan 2016

Access Now, EDRi on data protection: “No Safe Harbour 2.0 without reform on both sides of the Atlantic”

By Theresia Reinhold

On January 12, Estelle Massé, Policy Analyst at Access Now, and Joe McNamee, Executive Director at EDRi, were invited by the committee of EU data protection authorities – the Article 29 Data Protection Working Party – to discuss the aftermath of the Safe Harbour ruling.

Read our full submission to the Article 29 Data Protection Working Group (PDF).

At that meeting, we discussed the consequences of the European Union Court of Justice (CJEU) ruling in the case C-362/14 (Maximillian Schrems v Data Protection Commissioner, known as “the Schrems case”) which invalidated the Safe Harbour arrangement. We provided evidence to the EU data protection authorities on the reforms needed on both sides of the Atlantic, including the specific reforms needed in the US for a robust new transatlantic data transfer agreement that would resist legal challenge. Here is the list of reforms we recommend:

  1. Surveillance reform in the European Union and the United States which includes
    a. Reform of Foreign Intelligence Surveillance Act (FISA) Section 702
    b. Reform of Executive Order 12333
    c. Reform of EU Member States’ legislation on surveillance
  2. US compliance with the International Covenant on Civil and Political Rights (ICCPR)
  3. Passage of comprehensive data protection legislation at federal level in the US
  4. EU member states to stop avoiding their human rights obligation in the guise of the ill-defined “national security exemption”

Despite the impetus for reform generated by the Schrems ruling and the launch of negotiations for a so-called Safe Harbour 2.0, the status quo remains on both sides of the Atlantic. Worse, legislation was passed in the US that potentially negates the possibility of a future transatlantic data transfer agreement. That legislation is the Cybersecurity Act of 2015 (also known as CISA). Passage of the Cybersecurity Act increases the breadth of unaccountable, secret US spying and further cements the corporate-intelligence relationship. This law would require the Department of Homeland Security (DHS) to deliver “cyber threat” indicators, which are shared with the intelligence and law enforcement agencies in near real-time. Companies would be granted broad legal immunity for supplying those indicators to the US government, which could include personal information. The option exists to transfer the information entirely secretly. That means massive repositories of personal information, including data transferred from the EU, could be secretly turned over to spying agencies.

We highlighted these shortcomings in our meeting and written submission. They are in addition to the considerations raised by the limitations the Schrems ruling imposed on the EU Commission and the repeated “misleading” of US institutions and secret re-interpretation of US legislation.

Finally, we called on negotiators to take the time necessary to conduct reform that would provide users and companies on both sides of the Atlantic with a robust, trustworthy mechanism for transfer of data, upholding the right to privacy and ensuring legal certainty.

13 Jan 2016

Dutch government says no to weakening encryption

By Guest author

The Dutch government will, “at this time”, “not adopt restrictive legislative measures against the development, availability and use of encryption within the Netherlands.” This statement was posted by the Dutch government in a letter to the Dutch parliament on 4 January 2016. This is clearly position to be applauded.

................................................................. Support our work - make a recurrent donation! .................................................................

In the letter, the government recognises the importance of encryption for the entire society. The ministers of Economic Affairs and Security and Justice find that “cryptography plays a key role in technical security in the digital domain.” This not only applies to companies protecting their business secrets and customer data, but also to the government itself. The Dutch government indeed “increasingly communicates with citizens via digital means, and provides services where confidential data is exchanged.” Citizens benefit from encryption, because it allows them to “ensure privacy and confidentially of their communication.” This is “also important for exercising the right to free speech,” according to the government.

Of equal importance is the realisation that it is not possible to weaken encryption by just a little bit. The government argues that “there is no outlook on possibilities to, in a general sense, for instance via standards, weaken encryption products without compromising the security of digital systems that use encryption.” Hence, when introducing back doors that would enable prosecution and intelligence services to access encrypted files on digital systems – these encrypted systems “can become vulnerable to criminals, terrorists and foreign intelligence services.”

The weakening of encryption would have undesirable consequences for the security of our digital infrastructure. And that is why the Dutch government concludes that “at this time, it is not appropriate to adopt restrictive legislative measures against the development, availability and use of encryption within the Netherlands.” The government will propagate this position “in the international context.” The letter ends with the commitment to grant 500.000 Euro to the widely used encryption software library OpenSSL, as proposed by the parliament. This is a highly commendable position.

Letter from government to parliament with position on encryption (04.01.2016)

Unofficial translation and comments from Matthijs Koot

Proposal to amend budget to grant OpenSSL 500.000 euros funding

(Contribution by Rejo Zenger, Bits Of Freedom)



13 Jan 2016

Swedish border control becomes a privacy nightmare for travellers

By Guest author

European citizens are finding that their freedom of travel is being curtailed as more and more Schengen countries introduce temporary border controls in response to the flow of refugees from the Middle East war and conflict zones. Moreover, Sweden and Denmark have passed national legislations which gives train, bus and ship operators the responsibility of checking if their passengers have valid travel documents before they are transported through the border zone where state border guards officially check passports or identification documents. This is similar to the obligations imposed on carriers in the EU Directive 2001/51/EC, except that the new Swedish and Danish obligations apply to passengers transported within the Schengen area.

................................................................. Support our work - make a recurrent donation! .................................................................

At the Swedish border, the obligations on transport operators to check IDs of passengers took effect on 4 January 2016. This has disrupted train travel from Copenhagen to Malmö, the main option of public transportation over the Øresund Bridge. At Copenhagen Airport Station, just before the bridge to Malmö, all passengers have to disembark the train and walk through a security checkpoint with ID inspection. After the checkpoint, passengers can board another train which takes them to the official border control on the first Swedish station after the Øresund Bridge, and then onwards to their final destination on the Swedish side of the Øresund Region.

In addition to the general disruption and travel delays for passengers, the ID inspection at Copenhagen Airport railway station has generated a lot of public controversy over privacy since the train operator DSB has decided to take photos of the identity documents presented for inspection at the checkpoint. This information is retained in a central database for up 30 days, and Swedish Police will be granted access to the database upon request, according to a press release from DSB.

Under the new Swedish law, transport operators are subject to a fine of 50000 SEK (about 5500 EUR) for every passenger that is transported to the border without a valid ID unless the operator can document that the ID inspection prior to crossing the border was carried out in accordance with Swedish law. The legal requirements for this documentations are unclear, and this has led DSB to take the radical step of retaining copies of the ID presented for every passenger. DSB is the only public transport operator in the Øresund Region that retains copies of passenger IDs for this documentation purpose.

The legality of the data retention has been questioned by a Danish data protection expert. The processing of personal data takes place in Denmark and is therefore subject to the Danish Data Protection Act. In Denmark, the processing of citizen ID numbers (present on all identity documents) is subject to special requirements similar to those for sensitive personal data, and the legal arguments submitted by lawyers for DSB to the Danish Data Protection Agency do not address this issue. A more general issue is the legal basis for the retention of copies of ID documents in the first place. The DSB lawyers refer to the exemption for “a task carried out in the public interest or in the exercise of official authority vested in the controller” in Article 7(e) of the Data Protection Directive, but the real purpose of the data retention is to avoid the possibility of fines being imposed on DSB for passengers without ID. In any case, there is clearly an issue of proportionality that must be considered here since a central database with pictures and other personal data of citizens, readily accessible by the Swedish Police (and possibly other public authorities), is a significant intrusion.

The Danish government has not yet imposed ID check obligations on transport operators between Germany and Denmark, and such a step would have to be negotiated with the German authorities since the ID check by the private operator takes place in Germany. However, if the Swedish-Danish idea of imposing ID check obligations on private transport operators spreads to other EU countries, it will have huge consequences for the freedom of travel and privacy for European citizens, especially if the private transport operators are pressured into keeping copies of the passenger IDs for their internal “documentation” of the ID checks. A partially privatised border control system along these lines would, in effect, extend the mass surveillance of European air travellers in the PNR (Passenger Name Records) Directive to train, bus and ship passengers on intra-EU cross-border routes.

Questions and answers for the DSB ID check (04.01.2016)

Practical Guide for the Swedish regulation on ID checks, Swedish Police (in Swedish only, 30.12.2015)

DSB press release about the retention of passenger ID copies (in Danish only, 02.01.2016)

DSB has registered passengers in violation of the law, Politiken (in Danish only, 07.01.2016)

(Contribution by Jesper Lund, IT-Pol Denmark)



02 Dec 2015

EU Council on Data Retention: “Can we please just have it back?”

By Diego Naranjo

One and a half years after the Court of Justice of the European Union (CJEU) invalidated the Data Retention Directive, the idea of having an EU data retention instrument is back on the table.

On 8 September 2015, officials from the European Commission (EC) told EDRi that, despite the evidence that we provided of the possible existence of illegal laws in Europe,, they had no intention of starting any infringement proceedings against Member States that are not complying with the CJEU judgement and are therefore in breach of the Charter of Fundamental Rights of the European Union. We were left without a clear idea of what their promise to “continue monitoring legislative developments at the national level” meant.

................................................................. Support our work - make a recurrent donation! .................................................................

As a result of the current chaotic situation, in which some countries stick to their existing data retention laws, while others invalidate them, the Council of the European Union has decided to take the initiative. In a note published on 24 November, the Council asked if this non-harmonised system (which does not seem to be a problem for the Guardian of the Treaties, the EC) should be changed with a new EU-wide data retention proposal from the European Commission. The Council seems to not have digested well the CJEU judgment, and asks the following question:

“Is the Data Retention Judgement to be interpreted in the sense that retaining bulk electronic communication data without specific reason is still allowed?”

The Council might find a hint of the answer to that question from the press release from the CJEU, published on 8 April 2014, right after the ruling declaring the Data Retention Directive invalid, where the Court stated that “the wide-ranging and particularly serious interference of the directive with the fundamental rights at issue is not sufficiently circumscribed to ensure that that interference is actually limited to what is strictly necessary” and that “by adopting the Data Retention Directive, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality”.Despite this clear wording the Council has a question, which could be rephrased for rhetorical purposes as follows: What would Member States think about having invasive data retention laws (either their own ones, or a new EU norm to rule them all), if we ignore the CJEU case law and the Charter of Fundamental Rights altogether? While Member States take their time to respond, we assume the Commission will continue with their monitoring tasks.

As the Council of Europe’s Secretary General said: “Terrorists can’t destroy our democracies, only we can do that.” For that, at least, the EU is on the right track.

Note from the Council of the European Union on a general debate on data retention. 24.11.2015

European Digital Rights asks the European Commission to investigate illegal data retention laws in the EU

European Commission will “monitor” existing EU data retention laws 29.07.2015

EPP Press Release: Data Protection Directive trialogue should be suspended

The Court of Justice declares the Data Retention Directive to be invalid (08.04.2014)

(Contribution by Diego Naranjo, EDRi)