The right to privacy is a crucial element of our personal security, for free speech and for democratic participation. It is a fundamental right in the primary law of the European Union and is recognised in numerous international legal instruments. Digital technologies have generated a new environment of potential benefits and threats to this fundamental right. As a result, defending our right to privacy is at the centre of EDRi’s priorities.

18 Nov 2015

Founder of a Portuguese leak platform subject to gagging order

By Guest author

Rui Cruz is 28 years old and is the founder of Tugaleaks, a Portuguese Wikileaks-inspired website. He has been working on the website in his free time since December 2010, gathering exclusive articles about the security flaws of government and private company websites, publishing public-but-undisclosed documents, and making available data on security information about Portugal, among other subjects of interest not related to technology. Tugaleaks is the only website mentioned in the US Central Intelligence Agency (CIA) World Factbook for Portugal – in the “political pressure groups and leaders” section.

In February 2015 Rui was detained and faced charges for “giving support” to hackers by “publishing news”. Some might just think that this is digital journalism, but the public prosecutor considered it a crime. Rui has been subject to a gagging order for eight months and unable to access the Internet, as this was a mandatory coercive measure. As Tugaleaks is based online, he is also unable to publish new content.

To make things worse, Rui was laid off from his day job in a company that is part of PT Comunicações Group, one of the largest communications companies in Portugal. Rui says that the company justified his dismissal by stating that he could not engage with any Internet-related work. Rui now does not have a job, awaiting the end of the coercive measure. Eight months is the maximum time for which a coercive measure can be put in place. However, judges could renew the same measure over and over, if they think it’s necessary.

The local media organisations are kept quiet about the situation. Rui says that this is because Tugaleaks was considered to be a “renegade” media organisation because of the style and type of publications which frequently embarrassed the Government and public institutions.

Freedom of expression and the right to choose a job are constitutional rights under the Portuguese Constitution. Rui and his lawyer believe both rights have been violated for eight months by the justice institutions in Portugal without any regard for the quality of life and the “innocent until proven guilty” principle.

Rui is now looking for any solidarity in sharing his story on social media. This is the most important time to spread the message, as he could soon be free from this coercive measure and start rebuilding his life, if sufficient media attention and citizen solidarity is shown. He is also struggling to pay the fees of his lawyer from Jaime Roriz Advogados. Rui accepts donations at:
IBAN PT50 0033 0000 4542 2460 7280 5
Owner: Rui Diogo Morais da Cruz


CIA, The World Factbook: Portugal

Tugaleaks founder detained for (alleged) cyber attacks to Lisbon’s Public Prosecutor’s Office (only in Portuguese, 26.02.2015)

TugaLeaks founder: fired and prevented from accessing the Internet (only in Portuguese, 02.03.2015)

(Contribution by Rui Cruz, Tugaleaks, Portugal and submitted by his lawyer Carla Guimarães (Jaime Roriz Advogados))



21 Oct 2015

Turkey: New attempts to limit online access and freedom of speech

By Heini Järvinen

The Turkish government has been heavily criticised for implementing censorship on the Internet and other media. Currently, over 100 000 websites are officially blocked in the country. Additionally, popular websites such as Twitter, Facebook and YouTube have been frequently blocked with or without a court order. Other than officially blocking websites, Turkish Internet Service Providers (ISPs) have recently been allegedly forced to implement more “creative” methods for limiting access to certain sites.

According to local Twitter and Facebook users, these social media platforms suffered a slow-down during the first half of October 2015. The traffic on the sites was slowed down, and although the sites were theoretically accessible, they became so slow that they were practically inaccessible.

At the beginning of September 2015, the Turkish authorities imposed a nine-day curfew on Cizre, a city of 120 000 inhabitants near the Turkish border with Syria and Iraq, in support of an “anti-terror” operation against suspected Kurdistan Workers’ Party (PKK) members. Besides preventing anyone from entering or leaving the city, the curfew included blocking or severely restricting all access to the Internet, as well as to mobile and landline telephones. Council of Europe Commissioner for Human Rights, Nils Muiznieks, demanded that independent observers should be allowed to enter the city. He stated that the situation “combines an exceptionally severe interference with the human rights of a very large population and a near-complete information blackout.”

After the bombings of a peace rally in Ankara on 10 October, in which more than 100 demonstrators lost their lives, the government imposed a temporary broadcast ban on the images of the attacks in print, visual and online media, and warned media organisations not observing the ban that they could face “a full blackout”. The banned footage also included lines of riot police appearing to block a road near the blast site, with ambulances parked in the background. Protesters claimed that the police blocked a road being used by ambulances, and prevented them from transporting victims to hospitals. The ban has been criticised by organisations defending human rights for violating freedom of expression and assembly, for exacerbating tensions within the country, and for undermining the opportunity for open political dialogue.

Turkey: Government must protect protest and debate after Ankara attack (12.10.2015)

Ankara terror attack: Protesters clash with police after ambulances “blocked” following explosions (10.10.2015)

Twitter reports “access issues” in Turkey after attack (10.10.2015)

Ankara terror attack: Turkey censors media coverage of bombings as Twitter and Facebook “blocked” (10.10.2015)

Turkey’s internet being intentionally slowed to prevent access to information (05.10.2015)

Turkey re-imposes curfews on Kurdish cities (14.09.2015)

Turkey to lift curfew in cut-off city of Cizre after reports of civilian deaths (12.09.2015)



23 Sep 2015

State of play of internet freedom in the Netherlands

By Guest author

Dutch EDRi member Bits of Freedom is diligently watching a set of broad tendencies, such as the dominant positions of a handful of tech giants, the Internet of Things, and the idea that technology cannot be neutral. Bits of Freedom is also working hard to prevent the occurrence of a number of very real threats to your internet freedom. Here’s an update on three topics currently debated in the Netherlands.

The dragnet for the Dutch secret service

On 2 July 2015, Minister of the Interior Ronald Plasterk published a bill for a new Intelligence and Security Services Act. This bill will give the most far-reaching power to the intelligence and security services to tap citizens’ communications, not only listen to their telephone conversations, but also to monitor chat and email messages, as well as the websites visited. It’s true that the current Intelligence and Security Services Act already allows the security services to tap specific individuals for monitoring purposes, but the new law would allow them to collect such data in bulk. This way innocent people would end up in the dragnet, too.

Another problem concerning this bill is that the exchange of data with foreign security services will not be limited. This means that the data collected can be handed over to other intelligence and security services without the Dutch security service even knowing the content of the dataset they provide.

Finally, there’s no independent, legally binding oversight. If the oversight committee concludes that the minister has unjustly allowed the application of such a dragnet, the minister can simply overrule the oversight committee; he can only be held accountable by Parliament. Oversight over intelligence and security services should not be left to politicians, because this gives politicians power without any counterbalancing transparency or accountability.

Reintroduction of data retention law

On 11 March 2015, the Dutch data retention law was thwarted by a ruling of the District Court of The Hague. Under that law, everybody’s location and communication behaviour would have been stored for up to a year, which would have had a massive impact on our freedom. Unfortunately the minister of Security and Justice, Ard Van der Steur, has already indicated that he will introduce a new data retention bill.

Hacking Criminal Investigation Departments

Van der Steur also wishes to grant Dutch law enforcement the power to hack citizens’ computers and other devices, such as tablets and smartphones. Ironically, this will only make the Dutch internet user more unsafe. Imagine the police has the ability to enter a suspect’s Outlook via an existing vulnerability in the software. The police would then want that vulnerability to remain open a little longer, rather than getting it fixed as soon as possible. Unfortunately, the police isn’t the only party that can use this vulnerability to get access. So that will mean that all other Outlook users are vulnerable to cyber criminals too.

Demystifying the algorithm: Who designs your life? (26.06.2015)

EDRi-gram: Dutch Minister of the Interior reveals plans for dragnet surveillance (15.07.2015)

Data retention law struck down – for now (11.03.2015)

How your innocent smartphone passes on almost your entire life to the secret service (30.07.2014)

Dutch government: Let’s keep data retention mostly unchanged (16.12.2014)

Dutch hacking proposal puts citizens at risk (2.05.2013)

(Contribution by Daphne van der Kroft, EDRi member Bits of Freedom, The Netherlands – translation into English by Jay Achterberg)



23 Sep 2015

Safe Harbor: European Court Advocate General says Agreement should be declared invalid

By Heini Järvinen

This morning, the Advocate General of the Court of Justice of the European Union (CJEU), in his Opinion on the “Safe Harbor” Agreement with the United States, advised the Court to declare the entire Agreement invalid. The catalyst for the case was the mass surveillance practices of the United States.

Sixteen years ago, the EU and US concluded an agreement to allow personal data to be transferred into the US jurisdiction, which does not have comprehensive privacy laws. Literally from day one, it was quite clear that the agreement was unlikely to succeed. Now, after fifteen years of criticism from academics, from privacy advocates and from independent studies, the Advocate General of the European Court of Justice has confirmed what we already knew – the Agreement should be declared invalid. The Agreement has been kept alive by the European Commission’s refusal to accept the ever-growing mountain of evidence of the inadequacy of the Agreement.

“If confirmed by the full Court, this is a very important step for the right to privacy in Europe,” said Joe McNamee, Executive Director of European Digital Rights. “What happens next is crucial. It must never again happen, like in this case, like in the case of the Data Retention Directive, that obduracy from the Commission can keep agreements or laws in force that are patently illegal.”

We now await the ruling of the full Court, which we fully expect to uphold the opinion of the Advocate General.

Read more:

Press Release from the CJEU:

Full text of the Opinion:

FAQ – Safe Harbor

1) What is the Safe Harbor agreement?

Under EU data protection legislation, personal data can only be transmitted outside the EU under a number of specific circumstances. One of these is a recognition of adequate data protection rules in the country where the data is being sent.

Due to the fragmented, inadequate approach to data protection in the US, a specific arrangement, called “Safe Harbor” was designed to create a framework for transfer of data to the United States. This was adopted in 2000.

There have long been serious concerns about the real protection that Safe Harbor actually provided. For example, the 2008 study by Galexia called “The US Safe Harbor – Fact or Fiction” identified numerous problems. Implementation reports demanded by a sceptical European Parliament also resulted in reports from the European Commission that pointed to problems, but refused to recognise the scale of the instrument’s problems.

2) Why is it suddenly a problem now?

Under the current framework of the EU Data Protection law (Directive 95/46/EC), transfers of personal data need to ensure “an adequate level of protection”. Given the revelations exposed by Edward Snowden on the mass surveillance activities performed by the US National Security Agency (NSA), serious concerns were raised about whether the Safe Harbor agreement provides an adequate level of protection for European data. In particular, the surveillance under NSA’s PRISM programme, facilitated by mass exports of data, raises serious concerns.

During questioning in the hearing in the Court, the European Commission representative reportedly admitted that adequate protection is not offered by the agreement.

3) What happens if it is revoked by the Court of Justice?

There are other options for legal transfer of data outside the EU. While some industry representatives claim that suspension of the agreement would be hugely costly from an economic perspective, this is not the case.

4) What has the Advocate General said today? Is this already a “decision” or a “judgement”?

The Advocate General’s role is to advise the Court on what it should do. In most cases the Court (which will make a final decision shortly) follows the Opinion of the Advocate General. So, today’s announcement is not the final ruling.

In his opinion, the Advocate General stated that if a Data Protection authority considers there is not enough protection in a given country, the national authority needs to have the “power to suspend that transfer, irrespective of the general assessment made by the Commission in its decision”. He also added that the US practices allow for “large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection” and that this lack of judicial protection is a disproportionate interference with the right of EU citizens to an effective remedy, protected by the EU Charter of Fundamental Rights.


21 Sep 2015

European Commission & Data Retention – a faulty basis for decision-making*?

By Joe McNamee

Due to the sensitive nature of this summary, we shared it with the European Commission to allow for any corrections or clarifications that were deemed necessary before publication. The draft was updated on the basis of the feedback that was received, but not all suggestions from the Commission services were accepted by us. As a result, none of the analysis below should be read as necessarily reflecting the views of the European Commission. We are grateful to the Commission for its input.

On Tuesday 8 September 2015, EDRi had a meeting with the Police Cooperation Unit of the Directorate-General for Migration and Home Affairs (DG Home) of the European Commission. The two main purposes were:

  • to exchange views on how the EDRi analysis of breaches by Member States of the Court of Justice of the European Union (CJEU) data retention ruling from 8 April 2014 was received by the Commission and;
  • to learn about any action planned by the Commission to tackle the data retention measures imposed by Member States that do not comply with the CJEU ruling, as detailed in documents submitted by EDRi to the Commission.

Summary of the meeting

In the eight years from the adoption of the Directive until its annulment last year, it seems that two sets of informal internal rules and decisions prevented the Commission from taking action to resolve the problems with the Directive. The Commission explained that it did not believe it was appropriate to take legal action against any Member State for excessive implementation of the Directive (as detailed in its evaluation report) as long as there were countries that had not yet implemented the Directive. The Commission was therefore unable to take action even when its own implementation report made these problems abundantly clear.

Even now, the Commission believes that the European Court’s ruling annulling the Directive is too ambiguous to allow it to take legal action to prevent any Member State from breaching any of its provisions. More generally, the meaning of “genuinely” and “necessary” (in the Charter of Fundamental Rights) is not clear from any Court ruling and would, therefore, not prevent the launch of a new Data Retention Directive (or Regulation) in the future. Legally, any such measure must be necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.


We wanted to learn about the steps that have been taken by the Commission when monitoring legislative developments in relation to data retention at national level, and which countries are under review by the Commission for possible legal action. We also wanted to obtain some more background information regarding the legal proceedings taken against Member States for not implementing the Data Retention Directive (Czech Republic [infringement procedure 2011/1143], Germany [infringement procedure 2011/2091], Romania [infringement procedure 2011/2089] and Sweden [infringement procedure 2007/1181]). A final related purpose of the meeting was to build on our relationship with the Commission in order to more effectively provide input on this and other related topics, such as Passenger Name Record (PNR) and surveillance, to facilitate future dialogue.

Access to documents request

The first topic that was discussed was the recent access to documents request submitted by EDRi member Bits of Freedom on the infringement proceedings mentioned above. The Commission services asked about when the submission was made, and promised to look into it and get back to EDRi to confirm that the application had been received. The Commission stated that the default in such circumstances was for documents to be made available, but could not comment further, as it had not seen the request.

Steps leading to infringement proceedings

The Commission services subsequently explained the mechanism of monitoring EU Directives. Basically, Member States must notify the European Commission of the transposition of a Directive into national law. Upon expiration of the deadline for transposition, if the Member State has not notified any national transposition measures to the Commission, the latter sends a warning letter inviting the Member State to notify it of planned national transposition measures.

Two situations can arise leading to non-implementation. On the one hand, it is possible that the transposition was not completed as a result of the lack of action of the Member State, in which case the Commission takes steps towards formal infringement proceedings (as in Sweden and the Czech Republic). On the other hand, it is possible that a judicial decision delayed the transposition (as in Germany and Romania). In this case, the Commission monitors the evolution of the issue and is more flexible regarding deadlines. The situation was somewhat more complicated in this case due to its political significance.

In the Czech Republic and Sweden proceedings, the Commission sent letters demanding implementation of the Directive. In the case of Romania and Germany, they had initially transposed the Directive, but their constitutional courts annulled them. Romania ended up having a different law and Germany did not pass any law at all. Ultimately, the CJEU annulled the Directive.

Respect for EU law in relation to data retention

As outlined in its Communication on the European Agenda on Security of April 2015, the Commission is now focusing on monitoring the situation at national level (rulings of national courts, legislative procedures and other relevant developments). The Commission services also closely follow the request for a preliminary ruling by the Swedish Court of Appeal pending with the European Court of Justice (case C-203/15).

The Commission explained that it did not feel that it was appropriate to take any legal action while the legislation was subject to legal proceedings. As there were Court of Justice proceedings almost continually from 2006 to 2014 on the subject matter of the Directive (Case C-301/06 (on the legal basis of the Directive), launched in 2006 and concluded in 2009; case C-461/10 (on the use of retained data for copyright enforcement purposes), launched in 2010 and concluded in 2012; and case C-293/12 (on the compliance with the EU Charter of Fundamental Rights), launched in 2012 and concluded in 2014), there was never an opportunity to raise issues regarding its implementation. Indeed, even after the Directive was annulled, there is another CJEU case (C-203/15, launched in 2015 and still ongoing).

The Commission also explained that it did not believe it was appropriate to take legal action against any Member State for excessive implementation of the Directive (as detailed in its evaluation report) as long as there were countries that had not yet implemented the Directive.

Finally, the Commission argued that the fact that a Member State does not implement a Directive cannot be taken as evidence that the Member State in question believes that the legislation is not necessary. The Commission said that if Member States had concerns about the legality of the Directive, they had a window of opportunity to raise them.

Consequently, according to the Commission, it was consistent for Cecilia Malmström, who is currently European Commissioner for Trade, and served previously as European Commissioner for Home Affairs, Member of the European Parliament (MEP), and Swedish Minister for European Union Affairs:

Respect for EU law of existing data retention legislation at Member State level

As a result of the annulment of the Directive, the Commission’s current main priority is to focus on the monitoring of what is being done by national courts and by the European Court of Justice.

The key points made by the Commission looking forward were:

  • In order to assess the compatibility of national law with EU law, the Commission needs a clear enough benchmark. This means that the Commission needs to know what the relevant EU law is. After the annulment of the Data Retention Directive, the benchmark at EU level for assessing any national data retention legislation is, in principle, Article 15(1) of the e-Privacy Directive (Directive 2002/58/EC). However, this provision only contains very generic criteria, such as “necessary, appropriate and proportionate” and refers further to general principles of law and to fundamental rights. The obligation from the Charter of Fundamental Rights of the European Union for such measures to be “necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others” and the European Court of Justice ruling on the data retention Directive are subject to varying interpretations and do not provide adequate benchmarks.

* The intervention of Cecilia Malmström MEP in the European Parliament debate before the vote on the Directive:

Good laws are not enacted under pressure of time and with a faulty basis for decision-making. I am very critical of the way in which the process relating to the proposal for a decision on the retention of electronic communication services data has been handled. This is a difficult issue on which to adopt a position. Reflection is required, together with a solid factual basis in relation to the privacy aspect, the technical consequences and the actual costs for telecommunications operators and thus consumers. This is an approach we owe Europeans.


09 Sep 2015

Austria creates new agency with unprecedented surveillance powers

By Guest author

In the midst of the biggest surveillance scandal of mankind and after years of criticism about rogue secret agencies spying on politicians and the government bodies supposed to control them, Austria is planning to establish a new secret agency.

Austria’s draft state security law, “Staatsschutzgesetz”, grants new, far reaching surveillance powers while reducing oversight and transparency of the planned ten state security agencies that are tasked with fighting threats to the state and its public institutions.

If the proposed law passes, state security services will have the power to oblige companies and government bodies to hand over all available data, including sensitive personal information protected by other laws. This information is then stored for up to five years in a centralised database. International data exchange of personal information with other security agencies is explicitly encouraged. Authorisation for surveillance measures is not granted to target individuals but to target “groups” – a term which is specified neither by the draft law nor by the specific request. Entire population segments would be targeted by blanket mass surveillance, and innocent individuals would be added to such groups by decision of the agency without any regard towards necessity, effectiveness or proportionality.

While surveillance powers are extended, oversight is reduced. This reform also lowers the control mechanisms: instead of approval by a judge or attorney, the oversight is only carried out by the internal legal redress officer of the interior ministry. A system of parliamentary oversight does not exist in Austria.

This reform was drafted after the debate about returning Daesh fighters and the terrorist attacks of Paris and Copenhagen. During the consultation period, 18 major institutions (including associations of judges, lawyers, doctors, Internet providers, the evangelic and catholic church, the federal association of worker unions, the federal economic chamber, the constitutional service of the Federal Chancellor, the federal ombudsman, Amnesty International and the Austrian Working Group on Data Retention) heavily criticised the draft law. The Working Group on Data Retention also launched a campaign, listing more than 11 000 signatures and four demonstrations in three cities against the proposal.

The draft law is scheduled to be voted upon in plenary between 13-15 October. Civil society is pressuring the Members of Parliament to amend the law in order to establish the necessary safeguards and transparency measures to bring it back in line with the constitution.

Petition against the planned State Protection Act

(Contribution by Thomas Lohninger, EDRi member Initiative für Netzfreiheit, Austria)



09 Sep 2015

Journalists detained in Turkey for using encryption

By Guest author

On 27 August, a British journalist and a cameraman working for Vice News, a news channel that broadcasts in-depth documentaries about current subjects, and their fixer were detained in Turkey while reporting in Diyarbakir, the main city of the country’s predominantly Kurdish southeastern region. At the beginning of September, the three men were charged by a Turkish judge in Diyarbakir with “deliberately aiding an armed organisation”. The basis for the charge was that the fixer used a complex encryption system on his personal computer that many Islamic State militants allegedly also use for strategic communications.

In recent years, there have been several cases of journalists and activists being harassed or detained in Turkey. Moreover, the current Turkish government has repeatedly censored and monitored online platforms, such as YouTube and Twitter. However, what makes this case stand out, is the argument used to present the charges. For certain governments, the use of a neutral technology is becoming a new reason to believe that people have something to hide and that they are committing a crime.

However, encrypted communications have long been an important element of digital security, used, for example, not only by companies such as Amazon or PayPal, but also by human rights defenders, lawyers and citizens that want to preserve their privacy and security. Privacy-enhancing technologies, like the Tor browser or email encryption, are essential to ensure that we can express ourselves freely – and that ideas that may make society advance have spaces where they can develop.

Nevertheless, there is a common misunderstanding that high standards of privacy could create unnecessary burdens for law enforcement agencies. However, experts such as the United Nations’ Office of the High Commissioner disagree with this view. In a recent report, the UN’s Office of the High Commissioner stated that encryption “provides the privacy and security necessary for the exercise of the right to freedom of opinion and expression in the digital age.”

On 6 September, Vice News reported that two of the detained journalists had been released and have returned to the UK. The third member of the team is still being held by the Turkish authorities.

Vice News fixer “charged over encryption software” (02.09.2015)

Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, David Kaye (22.05.2015)

U.N. report: Encryption is important to human rights — and backdoors undermine it (28.05.2015)

Why the terrorist attacks I’ve endured have strengthened my commitment to privacy

EDRi-gram: A new wave of Internet blocking in Turkey (29.07.2015)

EDRi-gram: Social media platforms blocked again in Turkey (08.04.2015)

(Contribution by Pierre Christopher, EDRi intern)



09 Sep 2015

Romania: After PNR, a proposal for retention of tourist data

By Guest author

On 15 July 2015, the Committee on Civil Liberties, Justice and Home Affairs (LIBE) of the European Parliament narrowly voted in favour of the EU Passenger Name Record (PNR) Directive proposal (32 in favour, 26 against, no abstentions), a mass surveillance measure to collect and process air traveller data for profiling purposes. This came after the rejection of a previous PNR proposal by the LIBE Committee in 2013 and the subsequent abandonment of that proposal in 2014.

Even so, in a worst case scenario of having the PNR Directive proposal fast-tracked through the legislative procedure, like the Data Retention Directive of 2006, it would still take some six months for the proposal to go through all the steps before becoming European law.

Roughly at the same time, the Romanian Government was having far fewer qualms about PNR than the European Parliament and its Committees. On 13 July 2015, the draft law “Government Statute no. 13” was silently adopted, thus creating a Romanian PNR system. No public debate was conducted, and the impact of the new law on fundamental rights was not assessed.

On 5 August 2015, another proposal for a governmental decision was published, mandating the implementation of a PNR-like system for people staying at any hotel, hostel or guest house in Romania. This means that the personal identification data of everyone who rents a room in Romania is entered by a hotel employee in a centralised computer system called “Integrated Tourist Record Computer System” (SIET). The system would be hosted and run by the Special Telecommunications Service (STS), which is a militarised intelligence agency with almost no civilian oversight.

Access to the tourist data gathered and stored within this system raises even more questions. The purpose of the system is, ostensibly, to gather and analyse tourist data to improve the quality of the Romanian tourism industry. However, while the tourism industry is only going to get access to statistical data, various law enforcement organisations of the Internal Affairs Ministry (MAI) will have unrestricted access to all data based simply on an agreement between them and the STS.

The proposal’s authors and supporters justify the measure by explaining that it just brings in a computer system to do what was already being done with pen and paper. Romania is still using a system from the communist times, where all tourists who book a room at a hotel or hotel-like establishment are being asked for identification as a mandatory precondition for their stay. The personal data collected by the hotel is being forwarded on a daily basis to the local police station.

On 26 August, at EDRi member ApTI’s request, the Romanian Economy, Commerce and Tourism Ministry (MECT) organised a public debate about SIET. Unfortunately, any attempt to debate the issues of SIET on the basis of its impact on fundamental rights is futile.

EU PNR document pool (27.07.2015)

Statute no. 13/2015 regarding the use of some data from the passenger name registers for cross-border cooperation in order to prevent and combat terrorism, terrorism-related infractions and infractions against national security, as well as preventing and removing threats to national security (only in Romanian, 13.07.2015)

Government Decision for the adoption of the Integrated Tourist Record Computer System and the Norms regarding the access, record keeping and protection of tourists in establishments with accommodation facilities (only in Romanian)

Do you want the Police to know where you go on vacation? Join the public debate about the Integrated Tourist Record Computer System (SIET) (only in Romanian, 20.08.2015)

How we found out that we’ll all have “a chip under our skin” at the public debate about SIET (only in Romanian, 03.09.2015)

(Contribution by Matei Vasile, EDRi member ApTI, Romania)



12 Aug 2015

Netzpolitik case: Prosecutor dismissed, inquiry dropped

By Heini Järvinen

As reported previously in EDRi-gram at the end of July 2015, two reporters of a German digital rights blog, Markus Beckedahl and André Meister, were under investigation for treason after the publication of leaked documents revealing plans to expand German internet surveillance. On 10 August, German federal prosecutors announced that the much disputed investigation will be dropped.

When the treason investigation came to light, it immediately raised concerns over freedom of the press. Hundreds of journalists, citizens and civil society representatives signed a statement declaring that the investigation for treason and their unknown sources is an attack against the free press, and demanding that it be ended. Thousands participated in a demonstration organised on 1 August in Berlin to support Netzpolitik. A great number of politicians also expressed their concerns.

Following the protests, Germany’s prosecutor general, Harald Range, decided to put the investigation on hold, and stated that he would “await the results of an internal investigation into whether the journalists had quoted from a classified intelligence report, before deciding how to proceed.” On 4 August, Justice Minister Heiko Maas requested Range’s dismissal, after consultations with Chancellor Angela Merkel’s office, and questioned the necessity of the investigation. Range justified his actions, stating that he had to proceed the way he did partly for legal reasons. He criticised the government’s interference in the investigation, and called it an “intolerable invasion of the independence of the judiciary”. Following the dismissal of the prosecutor general, it was revealed that the Ministry of Interior had detailed knowledge about every phase of the investigation.

Less than a week after Range’s dismissal, the case took a new turn when the acting federal prosecutor announced that he had concluded, in agreement with the Ministry of Justice, that the leaked documents didn’t constitute state secrets, and that the investigation will be dropped.

The journalists at Netzpolitik have asked the German government to confirm whether surveillance measures have been put in place by the state in order to monitor their activities. “We want to know concretely if we were the subject of surveillance during the nearly three-month probe,” said Markus Beckedahl in a statement posted on the blog.

Germany’s top prosecutor drops treason probe of Netzpolitik bloggers (10.08.2015)

German journalists celebrate as treason inquiry is dropped (10.08.2015)

EDRi-gram: Leaked documents: German news site investigated for treason (31.07.2015)

Jacob Appelbaum: The nightmare is punishment (06.08.2015)

The Statement: The investigation against for treason and their unknown sources is an attack against the free press

Germany pauses treason investigation into journalists (02.08.2015)

German justice minister to request prosecutor’s dismissal over treason case (04.08.2015)



05 Aug 2015

Our internships at EDRi: We made digital rights matter

By Guest author

During the last couple of months, as EDRi’s interns, through advocacy, campaigning and reporting, we were given a unique opportunity to challenge threats to fundamental rights posed in the context of net neutrality, privacy, personal data and copyright. It was a fruitful and rewarding experience that allowed us to put our theoretical skills into practice while promoting human values of freedom and dignity in the online world.

Here is a short summary of our wonderful journey at EDRi:


During my internship, I had the opportunity to work closely on three currently “hot issues”: data protection, copyright and Passenger Name Record (PNR). Since my arrival at EDRi, I was following the activities concerning these subjects and gained a lot of insight by participating in meetings, conferences and events, reading and analysing documents, as well as monitoring the work progress of three main EU institutions: the European Parliament, the European Commission and the Council of the European Union.

Thanks to the fact that I was following the Data protection reform developments, I have learnt what is behind the mystery known as “trialogue” and how it functions. The European Parliament’s early steps in reforming and modernising copyright were a great chance to see how the work of the Members of the European Parliament (MEPs) evolves and how a document can significantly change from the first draft to the final vote in plenary.

Some of the moments I enjoyed the most were visiting the European Parliament, the Commission and the Council for the first time, listening to different perspectives and interesting debates at the events I attended, contacting and meeting Permanent Representations of the EU Member States, analysing the Data retention legislation in Member States, and learning about encryption and basic tools which can protect my privacy online.

All in all, my time at EDRi has helped me enrich my understanding of the European institutions and their work significantly. Participating in the whole process was extremely beneficial to see and understand how the legislation is made at the EU level and how civil society can influence and be part of this process. I have also realised that advocating for citizens’ rights can sometimes be overwhelming and seem pointless, like in the case of the recently adopted EU PNR proposal. However, analysing Marietje Schaake’s Opinion on human rights in third countries, where the suggestions from EDRi were adopted by the Parliament, assured me that organisations like EDRi definitely play an important role in changing the future into a better one.


During my experience at EDRi, I mainly worked on the Telecom Single Market (TSM) package and on trade agreements. To be honest, I didn’t expect trade agreements to be that relevant to digital rights. Indeed, it was very challenging and interesting to deal with trade law and try to understand how a new generation of free trade agreements could affect fundamental rights such as privacy and data protection, which seemed to be completely unrelated to trade issues at first sight.

During these last months, I had the opportunity to follow the legislative procedure of the European Parliament’s own-initiative report on the Transatlantic Trade and Investment Partnership (TTIP). I participated in a whole range of advocacy activities, like contacting MEPs’ offices to arrange meetings and participating in these meetings, assisting in the analysis of amendments, contacting Committee secretariats to get information on the legislative procedure, preparing documents for internal use and helping to draft documents and analyses. In this context, it was particularly challenging and gratifying to take part in writing the “TTIP and Digital Rights” booklet (pdf).

Along with the internal work of the association, the experience at EDRi also gave me the opportunity to participate in several external meetings. Particularly as regards TTIP, I took part in events organised by stakeholders and think tanks, civil society meetings and events organised by the European Commission.

Concerning the Telecoms Single Market (TSM), which is crucial for a potential legal safeguard of net neutrality, my internship gave me the opportunity to understand how important it is to have early contacts with MEPs and keep them informed with position papers and analyses on your positions. Following the TSM trialogue was fundamental to understand how the European institutions work in practice. Only knowing the ordinary legislative procedure can be useless in Brussels because informal meetings can deeply affect how policies are made. Besides the ups and downs of the trialogue negotiations, it was very thrilling and instructive to be involved in the net neutrality “fight”. On some days, this file taught me how institutions can be obscure, producing text that makes it difficult to orientate yourself in the details of legislation. On other days, it was great to see the results of our work, and to see how civil society associations like EDRi can make a difference at EU level.


Unfortunately, our joyful ride of protecting digital freedoms at EDRi has come to its last stop. It is time to take our suitcases, fully packed with new skills and knowledge, as well as our bursting confidence and even stronger determination to advocate for digital rights, and head off to a new destination where we can put into practice all the knowledge we gained here.

Last, but certainly not least, we want to thank the EDRi Brussels team for being our amazing guides on this journey, supporting us and making us smile even on a grey, cloudy Brussels day.

Off to some new and exciting adventures!

(Contribution by Morana Perušić and Aldo Sghirinzetti, EDRi interns)