The right to privacy is a crucial element of our personal security, for free speech and for democratic participation. It is a fundamental right in the primary law of the European Union and is recognised in numerous international legal instruments. Digital technologies have generated a new environment of potential benefits and threats to this fundamental right. As a result, defending our right to privacy is at the centre of EDRi’s priorities.

25 Mar 2015

In Germany, Data Retention refuses to die

By Guest author

The debate is intensifying in Germany on whether telecommunications data retention should be reintroduced. At the centre of the controversy is Sigmar Gabriel, the leader of the Social Democrats (SPD, the smaller party in Germany’s “grand coalition” government since 2013), and consequently a government minister for the economy and chancellor Angela Merkel’s deputy. Gabriel’s role is pivotal because his party would be the focus of any hope of balancing calls for data retention from the larger coalition partner, the Christian Democrats (CDU/CSU).

Data retention has been judged, twice, to illegally violate fundamental rights under the German constitutional framework. In March 2010, a ruling by Germany’s Federal Constitutional Court struck down Germany’s national data retention law that had implemented the European Union’s Data Retention Directive since the end of 2007. In April 2014 the Directive itself was invalidated by the Court of Justice of the European Union (CJEU).

This U-turn has happened almost simultaneously with another major shift in policy for the SPD, which changed the party’s position on the transatlantic free-trade agreement TTIP, to which it was previously opposed.

On data retention, Gabriel has surprised many with the strange range of arguments he has used to defend his position. He says he never really opposed the measure, in fact he voted for its introduction in 2007. But since the European Commission gave up its plans to introduce a new Data Retention Directive after the CJEU’s ruling, it has become clear that the plan is to leave it to Member States to muddle their own ways through this question.

After the recent terrorist attacks in Paris and Copenhagen, Gabriel has shown little restraint in using just any event or argument to portray data retention as indispensable. This includes the claim that data retention was an important means for Norway to deal with right-wing terrorist Anders Breivik’s attacks in 2011. This seems weird as Norway didn’t have a law for data retention in 2011 and still doesn’t have one today. After making this claim twice and being challenged on this, the latest statement from the SPD is that Norway used the instrument without legal basis, with support from US secret services. So, allegedly Norway’s authorities have disregarded their own country’s law and relied on organisations known to operate without any regard for legal boundaries, whose methods may or may not fall under the European definition of telecommunications data retention. How this should make Europeans accept a surveillance instrument whose effectiveness is questionable and which clearly requires strict legal controls is hard to imagine, probably even for Gabriel himself.

Other examples of fact bending include a claim that the previous data retention law had been the work of a Christian Democrat-Liberal government, when in fact it was introduced in 2007 by a previous CDU–SPD “grand coalition” (in which Gabriel himself served as environment minister), and misrepresentations of the points where the Constitutional Court ruling of 2010 had found fault with that previous law.

Sigmar Gabriel has now made up his mind that the time has come to work on a new German data retention law and push it through the Bundestag. He has recently instructed SPD’s Heiko Maas, Minister of Justice, previously an outspoken sceptic of data retention, to come up with a draft law in cooperation with the Interior Minister, CDU’s Thomas de Maizière. Getting a majority in Parliament will not be a problem, given the coalition’s almost 80-percent majority of seats. But what the true motives are and how the measure could be seen as constitutional after the court rulings, remains a mystery.

Data retention in Norway must actually be called NSA (only in German, 20.03.2015)

SPD leader Sigmar Gabriel calls for data retention to be reintroduced (only in German, 15.03.2015)

Sigmar Gabriel retains misapprehensions (only in German)

An almost impossible law (only in German, 23.03.2015)

(Contribution by Sebastian Lisken, EDRi-member Digitalcourage, Germany)



25 Mar 2015

Denmark plans to preserve illegally collected medical data

By Guest author

In Denmark, a controversial plan to prevent illegally collected medical data from being deleted has become a hot topic for the government. The plan involves transferring the data to the National Archives, which has an exemption in the Danish data protection act.

Under the Danish health care act, general practitioners can transfer medical data to a third party without consent from the patients if it is done for limited groups of patients and if analysis of the data can be used to improve the treatment of patients. This provision was used to create a central database known as Danish General Practice Database (DAMD) with the Region of Southern Denmark as the data controller.

DAMD was limited to the diagnosis for diabetes at the outset in 2007, but within a couple of years, all ICPC diagnosis data from general practice was being transferred to DAMD. This is clearly illegal, since the data collection without consent is no longer done only for limited groups of patients.

In November 2014, the Danish Minister for Health and the Region of Southern Denmark finally admitted that most of the medical data in DAMD is collected illegally. The natural next step would have been to delete the illegally collected data, but the Minister for Health stated publicly that he would prefer that this does not happen.

Within a week of the comment by the Minister for Health, the Danish National Archives suddenly decided that DAMD is a unique database which should be preserved at the National Archives. The data protection act has an exemption for transfer of personal data to the Danish National Archive, so that this can be done without consent. Based on an administrative authority in the national archive law, the Danish National Archives instructed the Region of Southern Denmark to retain the illegally collected medical data until further notice.

Privacy activists, including EDRi-member IT-Pol Denmark, object to this blatant abuse of the national archive law to essentially whitewash an illegal data collection of highly sensitive medical data. The Ministry of Culture has the responsibility for the National Archives. After an initial promise to delete the illegally collected data by mid February 2015, the culture minister Marianne Jelved decided to preserve DAMD at the National Archives.

Together with this decision, the minister proposed an amendment to the archive law which blocks access to illegally collected medical data for up to 230 years. However, these restrictions can always be removed by another amendment in a couple of years (the amendment law must be revised after no more than five years). Moreover, no assessment has been made of the costs of storing the highly sensitive medical data securely for 230 years, so that it could be used for historical research starting in 2245.

While the Danish government and parliament consider the fate of the DAMD database, Danish citizens can use their right under the data protection act to demand that their own illegally collected data is deleted. However, the order from the Danish National Archives prevents the data controller from deleting the entire DAMD database.

On 18 March, the Ministry of Culture was forced to admit that the Danish National Archives have used an inappropriate administrative order for demanding that DAMD is preserved. The correct administrative order for records held by the Danish regions places DAMD in the category of records to be discarded when no longer needed. The Ministry of Culture apparently sees this as a minor problem which can be solved simply by issuing an amended administrative order which places DAMD in the preservation category. However, before the new administrative order can take effect, there must be a formal consultation period. The deadline for consultation responses is set at 27 March, and the new administrative order will take effect from 7 April.

On 19 March, the Region of Southern Denmark found out that there is currently no proper legal basis for demanding the preservation of DAMD by the National Archives, and decided that the entire database will be deleted. Rather than just doing it, the region sent a letter to the Ministry of Culture stating that DAMD will be deleted on 24 March at noon.

The Danish National Archives and the Ministry of Culture responded almost immediately to this “threat” of restoring the rule of law by deleting illegally collected medical data. On 20 March, the deadline for the consultation was moved forward to March 23 (giving one working day for consultation responses), and the new administrative order will take effect on March 24, just in time to prevent the planned deletion of the entire DAMD database.

The only public comment from the Minister of Culture on these absurd developments is that the illegally collected medical data must be preserved in order to document illegal acts in the public administration for future generations. This is a rather strange argument since the illegal data collection has been documented extensively in several reports from government agencies. Moreover, the proposed blocked access wouldn’t allow any exceptions for the first 120 years, and this would also prevent using the data to document the illegalities.

Who wins the race for deletion of our medical data in DAMD? DenFri (only in Danish, 22.03.2015)

Illegally collected health data will not be deleted under Danish law, Medium (15.12.2014)

Danish General Practice Database

The Danish National Archives (Rigsarkivet)

(Contribution by Jesper Lund, EDRi-member IT-Pol, Denmark)



23 Mar 2015

EU trade secrets Directive: threat to free speech, health, environment and worker mobility

By Maryant Fernández Pérez

STATEMENT (pdf) 23 March 2015 (updated from 17 December 2014)

Multi-sectoral civil society coalition calls for greater protections for consumers, journalists, whistleblowers, researchers and workers

We strongly oppose the hasty push by the European Commission and Council for a new European Union (EU) directive on trade secrets because it contains:
– An unreasonably broad definition of “trade secrets” that enables almost anything within a company to be deemed as such;
– Far-reaching legal remedies for companies whose “trade secrets” have been “unlawfully acquired, used or disclosed”, including provisional and precautionary measures, damages and secrecy rights throughout the judicial process; and
– Inadequate safeguards that will not ensure that EU consumers, journalists, whistleblowers, researchers and workers have reliable access to important data that is in the public interest.

The proposal must be amended to ensure that only information acquired, disclosed or used by third parties with intention of commercial gain is protected under the directive.

Specifically, we share great concern that under the draft directive:

– The right to freedom of expression and information could be seriously harmed because the proposed directive does not guarantee the protection of journalists and whistleblowers. Under the proposed directive, journalists and whistleblowers must show that “…the alleged acquisition, use or disclosure of the trade secret was necessary for such revelation and that the respondent acted in the public interest”. Unfortunately, determining whether disclosure was necessary can often only be evaluated afterwards. In addition, the limitation of the right to disclose and use trade secrets to reveal “wrongdoing”, “misconduct” or to protect a “legitimate interest” would allow for sanctions to be applied even when the information ought to be in the public domain, such as planned redundancies and detrimental effects on health and the environment. The proposed directive should be amended to exempt information acquired, used or disclosed in the public interest.
– The mobility of EU workers could be undermined. The proposed directive poses a danger of lock-in effects for workers. It could create situations where an employee will avoid jobs in the same field as his/her former employer, rather than risking not being able to use his/her own skills and competences, and being liable for damages. This inhibits career development, as well as professional and geographical mobility in the labour market.
– Companies in the health, environment and food safety fields might use the directive to refuse compliance with transparency policies, even when the public interest is at stake. The proposed directive should be amended to ensure that (1) it does not cover information that must, by law (including international law), be disclosed by public authorities under public access to information legislation and (2) it excludes regulatory data of public interest that is needed for public scrutiny of regulatory authorities’ activities.

Health: Pharmaceutical companies argue that all aspects of clinical development should be considered a trade secret; however, access to biomedical research data by regulatory authorities, researchers, doctors and patients—particularly data on drug efficacy and adverse drug reactions—is critical to protecting patient safety and conducting further research and independent analyses. This information also prevents scarce public resources from being spent on therapies that are no better than existing treatments, do not work, or do more harm than good. Moreover, disclosure of pharmaceutical research is needed to avoid unethical repetition of clinical trials on people. The proposed directive should not obstruct recent EU developments to increase sharing and transparency of this data.
Environment: The directive must be amended to comply with the EU’s international obligations under the United Nations Aarhus Convention, which prevents public authorities from protecting the secrecy of information on emissions into the environment and requires active dissemination of information enabling consumers to make informed environmental choices. Therefore, the definition of “trade secret” should be amended to remove information on emissions from the scope of the proposed directive and companies should be prevented from using the directive to refuse disclosure of information on hazardous products, such as chemicals in plastics, clothing, cleaning products, and other activities that can cause severe damage to the environment and human health, including the dumping of chemicals and fracking fluids.
Food safety: Under EU law, all food products, genetically modified organisms and pesticides are assessed by the European Food Safety Authority (EFSA). EFSA assesses the risks associated with these products based on studies performed by manufacturers themselves. Scientific scrutiny of the EFSA’s assessments is only possible with complete access to these studies; therefore, this data must be removed from the scope of the directive.

Despite the Commission’s desire for a “magic bullet” that will keep Europe in the innovation game, without amendment, the proposed directive may make it more difficult for the EU to engage in open and collaborative forms of research. In fact, there is a risk that the measures and remedies provided in this directive will undermine legitimate competition and even facilitate anti-competitive behaviour. Unsurprisingly, the text is strongly supported by multinational companies.

Industry coalitions in the EU and the United States (US) are lobbying, through a unified Trade Secrets Coalition, for the adoption of trade secret protection. In the US, two new bills are pending before Congress. If passed, these texts would allow trade secret protection to be included in the Transatlantic Trade and Investment Partnership (TTIP)—something that will be incredibly difficult to repeal in the future through democratic processes. Given that TTIP is expected to set a new global standard, its potential inclusion of trade secret protection could have devastating consequences.

We urge the Council and the European Parliament to amend the directive by limiting the definition of what constitutes a trade secret and strengthening safeguards and exceptions to ensure that data in the public interest cannot be protected as trade secrets. The right to freely use and disseminate information should be the rule, and trade secret protection the exception.

For additional information or comment, please contact Walter van Holst, representing EDRi and Vrijschrift.

12 Mar 2015

Dutch data retention law struck down – for now

By Guest author

Published originally by EDRi-member Bits of Freedom 

And then everything went BANG: from our Twitter-timeline to the champagne bottle at our office. This morning the court annulled the data retention law. Effective immediately. But what exactly did the judge say and what will happen now?

The data-retention law requires telecom providers to save communication and location data from everyone in the Netherlands for as long as a year. The law, and the judges agreed, heavily impacts our freedom.

An infringement of this magnitude requires proper safeguards

The District court of The Hague decided we no longer have to blindly trust the Dutch government. The law’s underlying European directive was meant as a tool in the fight against serious crimes. The Dutch law, however, is much more expansive, including everything from terrorism to bike theft. During the hearing, the state’s attorneys avowed that the Public Prosecution does not take the law lightly, and would not call on the law to request data in case of a bicycle theft. The judge’s response: it doesn’t matter if you exploit the possibility or not, the fact that the possibility exists is already reason enough to conclude that the current safeguards are unsatisfactory.

Additionally, the court determined that insufficient thought has gone into how data is requested. Saving personal information for a lengthy amount of time is a huge infringement on privacy. Therefore, proper safeguards and guarantees are needed when it comes to acquiring access to this data. The judge deems it reasonable that before a request for information is granted, it is reviewed by a juridical entity or an independent administrative entity. During the hearing, a state’s attorney claimed that a district attorney counts as an independent entity. That claim was met with a wave of chuckles throughout the crowd, and now it turns out the court agrees that this is baloney – but you won’t catch a judge using smileys.

Furthermore, the court considered the substantiation of the necessity of the law. The State claims that the data retention law is necessary. This claim was illustrated during the hearing using a number of shocking criminal cases — but they failed to substantiate necessity. Regretfully, the court took this on board as a valid point, but mainly because during the preliminary injunction, this particular argument was not rebutted. Nonetheless, it is important to realize that necessity has not been proven: not in evaluations, not in the Parliament, and not during the preliminary injunction. The fact that no rebuttal was offered, doesn’t change that.

The question is: now what?

First of all, we have to wait for a response from the Ministry of Security and Justice. It is hard to predict what they’ll say. With the former Justice Minister Ivo Opstelten temporarily replaced by Stef Blok, all we can do is hope for the best, and prepare for the worst. We hope the ministry is finally convinced that the law, now and in the future, must be dissolved. And as far as the providers are concerned, they must part with the data they’ve been saving under the data retention law that has now been struck down. Update: KPN, Vodafone, Hi, XS4ALL, Telfort, BIT and Tweak have announced that they will cease to execute the data retention law.

What will happen in the long term is unclear. That is up to Parliament and Opstelten’s successor. As the law has already been struck down, it seems self-evident that the law in its entirety should be revoked. The political party GroenLinks has already submitted a proposal along these lines to Parliament. But one thing is clear: this is not a done deal.

Today the data retention law has been struck down. The government won’t leave it at that. Do you want us to continue to fight against the undirected and lengthy storage of our communication data? Support our cause!

Court ruling (only in Dutch, 11.03.2015)


06 Mar 2015

EU Council proposals on open internet – Episode 2, the clown wars

By Joe McNamee

After one year of negotiations, a second element of the telecoms regulation was also agreed by the EU Council: arbitrary, ad hoc law enforcement by internet companies. The Council has decided that this is something that internet companies may do, may not do and may do (Council text, pdf).

When the European Commission proposed its draft Regulation on a Telecoms Single Market in September 2013, it decided that it would be a good idea to allow internet companies to decide (or not) to block unspecified content to “prevent or impede” undefined “serious crime”. In order to excuse this reckless, potentially counterproductive meddling with the policing of serious criminal activity, it explained that such activities could be to address problems “including” child pornography.

As such arbitrary interferences with communications are in direct and obvious breach of our rights and freedoms (“Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law”, EU Charter of Fundamental Rights), the European Parliament did the only thing it could – and deleted this provision in April 2014.

On January 20, the Latvian Presidency of the EU, seeking to carry out its function in a balanced, legal and reasonable way, noted both the legal limitations of such an approach (“this request appears to raise certain legal issues relating to the Charter of Fundamental Rights”) and the lack of support for the measure among Member States. It promised to add “appropriate text” if the legal issues could be resolved and if Member States supported such measures.

Then, however, things went horribly wrong. The UK kept insisting on the provisions being in the text, while other countries wanted the provisions kept out. The deadlock was broken when, behind the scenes, Sweden took incoherent, incomprehensible proposals about unspecified “measures” from the UK and presented them as their own. As time was running out, the Latvian Presidency felt that it had no option other than to include everyone’s contradictory proposals – meaning that the agreed text now says that internet providers can and cannot block and filter traffic outside the rule of law.

The Article in the draft legislation is very clear:

comply with legal obligations to which the internet access service provider is subject

The explanatory “recitals”, which are supposed to clarify this text, allow everything and nothing. Recital 7 is a baffling salad of disconnected provisions:

Providers of internet access service may be subject to legal obligations requiring, for example, blocking of specific content, applications or services or specific categories thereof.

So far so clear… legal obligations to block content. This obviously does not need to be clarified, but okay… Then…

Those legal obligations should be laid down in Union or national legislation (for example, Union or national legislation related to the lawfulness of information, content, applications or services or legislation related to public safety), in compliance with Union law […]

It is strange that the Council feels the need to explain what “legal obligations” are, but okay…and then…

[…], or they should be established in measures implementing or applying such legislation, such as national measures of general application […]

So a measure applying such national measures? Does that include measures taken in the absence of a legal obligation to do so? As these “measures” are listed separately from court orders or decisions of public authorities, this appears to be the case. This interpretation is reinforced by the next part of this surreal stream of consciousness, which explains that ISPs will have to comply with court orders or “other measures” which are, for example, court orders, but could also mean orders by public authorities and/or something else.

[…] courts orders, decisions of public authorities vested with relevant powers, or other measures ensuring compliance with such legislation (for example, obligations to comply with court orders or orders by public authorities requiring to block unlawful content).

The next sentence of recital 7 then says the direct opposite, since Article 52 of the Charter of Fundamental Rights does not allow restrictions outside the rule of law:

The requirement to comply with Union law relates, among others, to the compliance with the requirements of the Charter of Fundamental rights of the European Union in relation to limitations of fundamental rights and freedoms.

If internet providers are only allowed to block if, as the Charter says, this is “provided for by law”, what is the rest of the text for? The answer, sadly, is that this is legal text that is actively and deliberately drafted to be so unclear that it generates enough uncertainty to allow what the European Charter of Fundamental Rights prohibits.

The agreed text also says that “parental controls” are permitted. The only problem here is that there was never any doubt that parental controls are permitted because any service that actually offers control to parents would not in any way contradict the definition of “internet access service”:

“internet access service” means a publicly available electronic communications service that provides access to the internet, and thereby connectivity to substantially all* end points of the internet, irrespective of the network technology and terminal equipment used;

Which either means that the 28 legal experts that are negotiating a key piece of European legislation of global significance do not know what parental controls are, or they are trying to sneak in additional optional restrictions that can be imposed by internet companies and neither they nor we can guess what these might be.

This ridiculous mess is a major problem for two reasons. Firstly, it represents an agreement of the EU Council to circumvent the primary law of the European Union, to the detriment of the rule of law, freedom of communication and privacy. Secondly, it undermines the implementation of net neutrality, because it will lead to a situation where internet access providers will be asked (for public policy reasons) to block and filter internet traffic and asked not to interfere with internet traffic for their own business purposes.

*No, we don’t know what “substantially all” means either.

25 Feb 2015

Did GCHQ spy on you? Find out now!

By Guest author

Since its launch on 16 February 2015, over 25 000 people have joined an international campaign to try to learn whether Britain’s intelligence agency, GCHQ, illegally spied on them.

This opportunity is possible thanks to a court victory in the Investigatory Powers Tribunal (IPT), a secret court set up to hear complaints against the British Security Services. As previously reported in the EDRi-gram, Privacy International won the first-ever case against GCHQ in the Tribunal, which ruled that the agency acted unlawfully in accessing millions of private communications collected by the US National Security Agency (NSA), up until December 2014.

Because of this victory, now anyone in the world can try to ask if their records, as collected by the NSA, were part of those communications unlawfully shared with GCHQ. We feel the public has a right to know if they were spied on illegally, and Privacy International wants to help make that as easy as possible.

Unfortunately, the IPT can’t act by itself, and that’s why it needs people to come forward and file complaints. Privacy International plans to assist as many people as possible in jumping through the hoops the process will probably entail. It is going to be a long fight, and it will likely take months for the IPT to process all the complaints. However, it is important to bear in mind that if the IPT find that your communications were illegally shared with GCHQ, they will be obligated to tell you.

Through their secret intelligence-sharing relationship with the NSA, GCHQ has intermittently enjoyed unrestricted access to PRISM, the NSA’s means of directly accessing data and content handled by some of the world’s largest Internet companies, including Microsoft, Yahoo!, Google, Facebook, Skype, and Apple. GCHQ has also had access to other parts of the NSA’s Upstream collections, through which telephone and internet traffic data is accessed as it flows through communications infrastructure, including CO-TRAVELER, which collects five billion mobile phone locational records a day, and DISHFIRE, which harvests 194 million text messages daily. The top five programs within Upstream created 160 billion interception records in one month alone.

Chances are, at some point over the past decade, your communications were swept up by one of the NSA’s mass surveillance programs and passed onto GCHQ. We think you have a right to know whether that’s the case, and if so, to try and demand that data be deleted. Privacy International wants to help you assert those rights.

Privacy International’s campaign “Did GCHQ illegally spy on you?”

FAQ: Did GCHQ Spy On You?

(Contribution by Eric King, Privacy International)



11 Feb 2015

Macedonia: Massive surveillance revelation: 20 000 people wiretapped

By Guest author

On 10 February, EDRi-member Metamorphosis expressed grave concern about the publicly announced allegations of mass and unauthorised surveillance of citizens. Invasions of privacy directly affect freedom of expression in Macedonia, and fuel the overall climate of fear and silence.

On 9 February 2015, the Macedonian opposition leader Zoran Zaev held a press conference in Skopje, announcing that his party, the Social Democratic Union of Macedonia (SDSM) had obtained evidence that over 20 000 Macedonian citizens were subject to unauthorized surveillance. He stated that he is pressing charges for the massive wiretapping against PM Nikola Gruevski and his cousin, the director of the Counterintelligence Service, and an associate. Zaev also revealed that the evidence was provided by whistleblowers working for the Security Service who are now seeking an amnesty for their cooperation.

According to a report from the 9 February conference, Zaev said that all persons of some significance in the society, “all the judiciary, the Synod of the Orthodox Church, NGOs, and journalists were tapped.” He played leaked conversations between current government ministers, indicating that surveillance also extended to officials of the ruling party, VMRO-DPMNE, and their coalition partners. He said that only the Prime Minister Nikola Gruevski and the Director of the Intelligence and Security Sasho Mijalkov were not tapped. They allegedly received daily reports from the 24/7 surveillance operation that especially targeted political opponents during elections. Zaev also implied complicity of the major telecom operators with this massive operation.

After the initial revelation, SDSM announced that they will continue to publish evidence of alleged government corruption, gradually showing the overall effects of the control by the leadership of VMRO-DPMNE on the society. The allegations incited a number of reactions demanding an impartial investigation by independent media, civil society and the international community, as issues of independence of the judiciary have been noted as one of the main obstacles to building democracy and preserving human rights in Macedonia, within reports issued by the EU and the US.

“The right to privacy is an extremely important human right, and the threat to privacy is also a direct threat to our freedom. Authorities must make the decisions on wiretapping and surveillance in accordance with the applicable laws. Those decisions must not be arbitrary decisions made by individuals who have the power to do so. The allegations for mass eavesdropping of more than 20 000 citizens are very serious and the public must seek responsibility from the relevant institutions,” said Bardhyl Jashari, director of the Metamorphosis Foundation.

Metamorphosis reminded the public that the protection of privacy, the protection of personal data, and the protection of human rights related to freedom and dignity that may be violated by eavesdropping, are protected by the Constitution of the Republic of Macedonia and by a number of laws, including the Law on Personal Data Protection, while the Criminal Code sanctions unauthorized wiretapping. On the other hand, the 2014 European Commission Progress Report on the Republic of Macedonia indicated that it is necessary to further adjust the sector-specific laws in order to fully comply with the European regulations on personal data protection.

Setting the protection of privacy as a priority in building an information society, Metamorphosis has, since 2004, publicly indicated, on a number of occasions, the possibility for abuse due to the lack of mechanisms for supervision over institutions that have the capacity to conduct eavesdropping. In 2008, 2010 and 2012 it advocated against increasing that capacity without any accountability mechanisms for a number of state bodies, contesting amendments to the Law on Electronic Communications and the laws affecting investigative procedures.

Press Release: Unauthorized Eavesdropping is Unlawful and Unconstitutional (10.02.2015)

Macedonia PM accused of large-scale wire-tapping (09.02.2015)

The former Yugoslav Republic of Macedonia progress report, October 2014

2013 Human Rights Reports: Macedonia

Twitter: #Macedonia-related links in English

EDRi-gram: Macedonian investigative magazine fined in defamation case (22.10.2014)

(Contribution by Filip Stojanovski and Bardhyl Jashari, EDRi-member Metamorphosis, Macedonia)




11 Feb 2015

Yet another internet blocking law in Turkey

By Heini Järvinen


In recent years, online censorship and the deteriorating situation regarding the freedom of speech have raised serious concerns in Turkey. The large majority of the traditional mainstream media is either directly or indirectly under government control, and the Internet remains one of the few channels for free speech. However, the government is repeatedly taking measures to control the Internet as well.

On 2 October 2014 the Turkish Constitutional Court overturned an amendment to the Internet law that would have given additional censorship powers to the Turkish Telecommunications Authority (TIB). Among other things, the suggested amendment allowed the TIB (hence the government) to issue “preventive” website blocking orders to the Internet Service Providers (ISPs) without a court decision. The blocking was to be executed for “national security, public order or crime prevention”.

Unperturbed by the decision, the government prepared a nearly identical bill and brought it before parliament on 20 January 2015. Like the previous one, the suggested amendment would oblige the ISPs to execute the blocking of contents within four hours after receiving the order from the TIB, enabling the government to block web sites quickly and without due process of law. The parliamentary commission has already passed the bill, and it’s expected to come to the general assembly in the next few weeks.

The government might be counting on the Constitutional Court not annulling the amendment this time, because some of its key members are in the process of retiring. But the tug of war between those defending freedom of speech online and those wanting to restrict it continues. As EDRi-member Electronic Frontier Foundation (EFF) recently stated in its press release:

“Turkey has been a bastion of Internet censorship for so long that EFF could write a regular feature called ‘This Week in Turkish Internet Censorship’ and never run out of content.”

Unlike in the past, the international community is not being helpful. The Turkish government has followed the UK model of putting pressure on private companies to censor content outside the rule of law, coercing Facebook into restricting content. Blocking on the basis of ad hoc decisions by the telecoms regulator is currently in place (subject to a constitutional court ruling) in Italy, and the Council of Europe’s draft Recommendation on Net Neutrality still (after a new revision) says that it is acceptable for restrictions to be imposed by regulatory authorities (or simply “in cooperation with public authorities”).

Facebook caves to Turkish government censorship (29.01.2015)

Turkish parliamentary commission approves bill for tighter website blocking (05.02.2015)

Government defies constitutional court on website blocking (22.01.2015)

Turkey: Internet freedom, rights in sharp decline (02.09.2014)

Turkey proposes tighter internet law, pursues Twitter critic (22.01.2015)

EDRi-gram: Turkey: Constitutional Court overturns Internet law amendment (08.10.2014)




11 Feb 2015

Digital Rights orgs call on world leaders to uphold human rights

By Guest author

Over 30 digital and civil liberties organisations from around the world have endorsed a joint statement calling on the world’s governments not to expand surveillance measures in the wake of the Charlie Hebdo attacks. In addition to European Digital Rights (EDRi), signatories include Article19, digitalcourage, IT-pol, Vrijschrift, La Quadrature du Net, Panoptykon, Initiative für Netzfreiheit, FITUG e.V., Alternative Informatics Association, ORG, EFF, Effi, APTi, and Access.

It seems that even while events were unfolding in Paris, proposals and measures restricting civil liberties were being put forward – from France, Belgium, Spain, the United States, Australia to Turkey and beyond. One of the most notable examples came in the very wake of the attacks, when the French government convened an extraordinary EU Home Affairs summit, as several leaders were in Paris for the Unity March. There, it was decided to move several concrete proposals forward, two of which would drastically impact human rights: 1) a controversial EU Passenger Name Record agreement that has been discussed in Brussels since 2011; and 2) ad-hoc measures for internet platforms to monitor and remove alleged hate speech.

The signatories of this statement have seen this before: a tragedy that leads to a dramatic expansion of security measures, without the proper democratic scrutiny that provides the necessary checks and balances to ensure that other rights, like privacy and free association, aren’t undermined.

The letter invites the French government to conduct a thorough evaluation of relevant policies, before enacting new laws and policies that can harm fundamental rights.

In addition, it calls on these political leaders to:

  • Ensure the protection and defence of national level human rights protections, particularly free expression and privacy online and offline;
  • Engage citizens and institutions in a public dialogue on targeted solutions that can help protect society while upholding human rights;
  • Defend a free and open society where human rights are not only protected, but celebrated, and where diverse viewpoints, including the satirical perspectives embraced by Charlie Hebdo, can be expressed online and offline.

There are no easy or quick solutions. In difficult moments like these, we must defend the values of the society that we want to live in, or we risk undermining those values in the name of saving them. The letter is still open for signatories: all are welcome to join us in working toward a better world where free expression, privacy, and other human rights can thrive.

Open letter to the world’s governments in the wake of attack on Charlie Hebdo

Charlie Hebdo Tragedy Must Not Be Used by Governments to Expand Surveillance

(Contribution by Raegan MacDonald, EDRi-member Access)




28 Jan 2015

Spanish Citizens’ Security Bill: Many restrictions, few freedoms

By Guest author

In summer 2014, the EDRi-gram reported on the Spanish bill on the Protection of Citizens’ Security, shedding light on some of its most controversial measures. In December 2014, the Spanish Congress passed the Citizens’ Security bill by 181 votes to 141. Now, the bill will be discussed in the Senate until the end of March 2015.

Not only does the proposed bill introduce several restrictions to the freedoms of assembly and expression in protests, but it also lays down measures that would severely undermine digital rights.

First, if the law is adopted in its current form, it would oblige cybercafés and similar establishments to keep records of their clients’ IDs. Non-compliance with this measure could result in fines ranging from 100 to 30 000 Euros and to additional sanctions such as the suspension of licences or even the closing down of the establishment. Similar measures have already been implemented in China in the past years, resulting in significant loss of business and a severe infringement of the right to privacy and data protection. In other countries like Chile, a similar proposal was declared unconstitutional by the Constitutional Court.

Second, the Spanish bill would categorise “the non-authorised use of pictures, personal or professional data” of security force officers as a serious offence. As a complement to this measure, the on-going reform of the Spanish Criminal code would punish those citizens sharing photographs or videos of misbehaviour of security service staff with imprisonment for up to one year.

These are only two examples of the several risks this legislation poses to civil rights. Several amendments improving the text were tabled in the Congress but failed to gain a majority. If the same happens in the Senate, the abovementioned threats to civil rights will become a reality. The rights Spanish citizens are entitled to under EU legislation and the EU Charter of Fundamental Rights would be limited.

Citizens, activists, civil society groups, politicians and the European Commission need to take action now to stop this legislation. We call on the Spanish government to uphold and respect the international and European frameworks for fundamental rights and freedoms.

EDRi-gram: Spain: Why you should care about the Citizens’ Security Bill (30.07.2014)

Dossier on the evolution of the Criminal code reform in Spain (in Spanish only, 27.01.2015)

Latest Intellectual Property law in Spain (in Spanish only, 04.11.2014)

(Contribution by Estelle Massé, EDRi-member Access, and Maryant Fernández Pérez, EDRi)