The right to privacy is a crucial element of our personal security, for free speech and for democratic participation. It is a fundamental right in the primary law of the European Union and is recognised in numerous international legal instruments. Digital technologies have generated a new environment of potential benefits and threats to this fundamental right. As a result, defending our right to privacy is at the centre of EDRi’s priorities.

25 Feb 2015

Did GCHQ spy on you? Find out now!

By Guest author

Since its launch on 16 February 2015, over 25 000 people have joined an international campaign to try to learn whether Britain’s intelligence agency, GCHQ, illegally spied on them.

This opportunity is possible thanks to court victory in the Investigatory Powers Tribunal (IPT), a secret court set up to hear complaints against the British Security Services. As previously reported in the EDRi-gram, Privacy International won the first-ever case against GCHQ in the Tribunal, which ruled that the agency acted unlawfully in accessing millions of private communications collected by the US National Security Agency (NSA), up until December 2014.

Because of this victory, now anyone in the world can try to ask if their records, as collected by the NSA, were part of those communications unlawfully shared with GCHQ. We feel the public has a right to know if they were spied on illegally, and Privacy International wants to help make that as easy as possible.

Unfortunately, the IPT can’t act by itself, and that’s why it needs people to come forward and file complaints. Privacy International plans to assist as many people as possible in jumping through the hoops the process will probably entail. It is going to be a long fight, and it will likely take months for the IPT to process all the complaints. However, it is important to bear in mind that if the IPT find that your communications were illegally shared with GCHQ, they will be obligated to tell you.

Through their secret intelligence-sharing relationship with the NSA, GCHQ has intermittently enjoyed unrestricted access to PRISM, the NSA’s means of directly accessing data and content handled by some of the world’s largest Internet companies, including Microsoft, Yahoo!, Google, Facebook, Skype, and Apple. GCHQ has also had access to other parts of the NSA’s Upstream collections, through which telephone and internet traffic data is accessed as it flows through communications infrastructure, including CO-TRAVELER, which collects five billion mobile phone locational records a day, and DISHFIRE, which harvests 194 million text messages daily. The top five programs within Upstream created 160 billion interception records in one month alone.

Chances are, at some point over the past decade, your communications were swept up by one of the NSA’s mass surveillance programs and passed onto GCHQ. We think you have a right to know whether that’s the case, and if so, to try and demand that data be deleted. Privacy International wants to help you assert those rights.

Privacy International’s campaign “Did GCHQ illegally spy on you?”

FAQ: Did GCHQ Spy On You?

(Contribution by Eric King, Privacy International)



11 Feb 2015

Macedonia: Massive surveillance revelation: 20 000 people wiretapped

By Guest author

On 10 February, EDRi-member Metamorphosis, expressed grave concern about the publicly announced allegations of mass and unauthorised surveillance of citizens. Invasions of privacy directly affect freedom of expression in Macedonia, and fuel the overall climate of fear and silence.

On 9 February 2015, the Macedonian opposition leader Zoran Zaev held a press conference in Skopje, announcing that his party, the Social Democratic Union of Macedonia (SDSM) had obtained evidence that over 20 000 Macedonian citizens were subject to unauthorized surveillance. He stated that he is pressing charges for the massive wiretapping against PM Nikola Gruevski and his cousin, the director of the Counterintelligence Service, and an associate. Zaev also revealed that the evidence was provided by whistleblowers working for the Security Service who are now seek an amnesty for their cooperation.

According to report from the 9 February conference, Zaev said that all persons of some significance in the society, “all the judiciary, the Synod of the Orthodox Church, NGOs, and journalists were tapped.” He played leaked conversations between current government ministers, indicating that surveillance also extended to officials of the ruling party, VMRO-DPMNE, and their coalition partners. He said that only the Prime Minister Nikola Gruevski and the Director of the Intelligence and Security Sasho Mijalkov were not tapped. They allegedly received daily reports from the 24/7 surveillance operation that especially targeted political opponents during elections. Zaev also implied complicity of the major telecom operators with this massive operation.

After the initial revelation, SDSM announced that they will continue to publish evidence of alleged government corruption, gradually showing the overall effects of the control by the leadership of VMRO-DPMNE on the society. The allegations incited number of reactions demanding impartial investigation by independent media, civil society and international community, as issues of independence of the judiciary have been noted as one of the main obstacles to building democracy and preserving human rights in Macedonia, within reports issued by the EU and the US.

“The right to privacy is an extremely important human right, and the threat to privacy is also a direct threat to our freedom. Authorities must make the decisions on wiretapping and surveillance in accordance with the applicable laws. Those decisions must not be arbitrary decisions made by individuals who have the power to do so. The allegations for mass eavesdropping of more than 20 000 citizens are very serious and the public must seek responsibility from the relevant institutions,” said Bardhyl Jashari, director of the Metamorphosis Foundation.

Metamorphosis reminded the public that the protection of privacy, the protection of personal data, and the protection of human rights related to freedom and dignity that may be violated by eavesdropping, are protected by the Constitution of the Republic of Macedonia and by number of laws, including the Law on Personal Data Protection, while the Criminal Code sanctions unauthorized wiretapping. On the other hand, the 2014 European Commission Progress Report on the Republic of Macedonia indicated that it is necessary to further adjust the sector-specific laws in order to fully comply with the European regulations on personal data protection.

Setting the protection of privacy as a priority in building an information society, Metamorphosis has, since 2004, publicly indicated, on a number of occasions, the possibility for abuse due to the lack of mechanisms for supervision over institutions that have the capacity to conduct eavesdropping. In 2008, 2010 and 2012 it advocated against increasing of that capacity without any accountability mechanisms for a number of state bodies, contesting amendments to the Law on Electronic Communications and the laws affecting investigative procedures.

Press Release: Unauthorized Eavesdropping is Unlawful and Unconstitutional (10.02.2015)

Macedonia PM accused of large-scale wire-tapping (09.02.2015)

The former Yugoslav Republic of Macedonia progress report, October 2014

2013 Human Rights Reports: Macedonia

Twitter: #Macedonia-related links in English

EDRi-gram: Macedonian investigative magazine fined in defamation case (22.10.2014)

(Contribution by by Filip Stojanovski and Bardhyl Jashari EDRi-member Metamorphosis, Macedonia)




11 Feb 2015

Yet another internet blocking law in Turkey

By Heini Järvinen

This article is also available in:
Deutsch: Neues Gesetz über Internetsperren in der Türkei

In recent years, online censorship and the deteriorating situation regarding the freedom of speech has raised serious concerns in Turkey. The large majority of the traditional mainstream media is either directly or indirectly under the government control, and the Internet remains one of the few channels for free speech. However, the government is repeatedly taking measures to control also the Internet.

On 2 October 2014 the Turkish Constitutional Court overturned an amendment to the Internet law that would have given additional censorship powers to the Turkish Telecommunications Authority (TIB). Among other things, the suggested amendment allowed the TIB (hence the government) to issue “preventive” website blocking orders to the Internet Service Providers (ISPs) without a court decision. The blocking was to be executed for “national security, public order or crime prevention”.

Unperturbed by the decision, the government prepared a nearly identical bill and brought it before parliament on 20 January 2015. Like the previous one, the suggested amendment would oblige the ISPs to execute the blocking of contents within four hours after receiving the order from the TIB, enabling the government to block web sites quickly and without due process of law. The parliamentary commission has already passed the bill, and it’s expected to come to the general assembly in the next few weeks.

The government might be counting on the Constitutional Court not annulling the amendment this time, because some of its key members are in the process of retiring. But the tug of war between the those defending freedom of speech online and those wanting to restrict it continues. As EDRi-member Electronic Frontier Foundation (EFF) recently stated in its press release:

“Turkey has been a bastion of Internet censorship for so long that EFF could write a regular feature called ‘This Week in Turkish Internet Censorship’ and never run out of content.”

Unlike in the past, the international community is not being helpful. The Turkish government has followed the UK model of putting pressure on private companies to censor content outside the rule of law, coercing Facebook into restricting content. Blocking on the basis of ad hoc decisions by the telecoms regulator is currently in place (subject to a constitutional court ruling) in Italy and the Council of Europe’s draft Recommendation on Net Neutrality still (after a new revision) says that it is acceptable for restrictions can be imposed by regulatory authorities (or simply “in cooperation with public authorities”).

Facebook caves to Turkish government censorship (29.01.2015)

Turkish parliamentary commission approves bill for tighter website blocking (05.02.2015)

Government defies constitutional court on website blocking (22.01.2015),47525.html

Turkey: Internet freedom, rights in sharp decline (02.09.2014)

Turkey proposes tighter internet law, pursues Twitter critic (22.01.2015)

EDRi-gram: Turkey: Constitutional Court overturns Internet law amendment (08.10.2014)




11 Feb 2015

Digital Rights orgs call on world leaders to uphold human rights

By Guest author

Over 30 digital and civil liberties organisations from around the world have endorsed a joint statement calling on the world’s governments not to expand surveillance measures in the wake of the Charlie Hebdo attacks. In addition to European Digital Rights (EDRi), signatories include Article19, digitalcourage, IT-pol, Vrijschrift, La Quadrature du Net, Panoptykon, Initiative für Netzfreiheit, FITUG e.V., Alternative Informatics Association, ORG, EFF, Effi, APTi, and Access.

It seems that even while events were unfolding in Paris, proposals and measures restricting civil liberties have been put forward – from France, Belgium, Spain, the United States, Australia to Turkey and beyond. One of the most notable examples is in the very wake of the attacks, the French government convened an extraordinary EU Home Affairs summit, as several leaders were in Paris for the Unity March. There, it was decided to move several concrete proposals forward, two of which would drastically impact human rights: 1) a controversial EU Passenger Name Record agreement that has been discussed in Brussels since 2011; and 2) ad-hoc measures for internet platforms to monitor and remove alleged hate speech.

The signatories of this statement have seen this before —a tragedy that leads to a dramatic expansion of security measures, without proper democratic scrutiny, providing the necessary checks and balances to ensure that other rights, like privacy and free association, aren’t undermined.

The letter invites the French government to conduct a thorough evaluation of relevant policies, before enacting new laws and policies that can harm fundamental rights.

In addition, it calls on these political leaders to:

  • Ensure the protection and defence of national level human rights protections, particularly free expression and privacy online and offline;
  • Engage citizens and institutions in a public dialogue on targeted solutions that can help protect society while upholding human rights;
  • Defend a free and open society where human rights are not only protected, but celebrated, and where diverse viewpoints, including the satirical perspectives embraced by Charlie Hebdo, can be expressed online and offline.

There are no easy or quick solutions. In difficult moments like these, we must defend the values of the society that we want to live in, or we risk undermining those values in the name of saving them. The letter is still open for signatories: all are welcome to join us in working toward a better world where free expression, privacy, and other human rights can thrive.

Open letter to the world’s governments in the wake of attack on Charlie Hebdo:

Charlie Hebdo Tragedy Must Not Be Used by Governments to Expand Surveillance:

(Contribution by Raegan MacDonald, EDRi-member Access)




28 Jan 2015

Spanish Citizens’ Security Bill: Many restrictions, few freedoms

By Guest author

In summer 2014, the EDRi-gram reported on the Spanish bill on the Protection of Citizens’ Security, shedding light on some of its most controversial measures. In December 2014, the Spanish Congress passed the Citizens’ Security bill by 181 votes to 141. Now, the bill will be discussed in the Senate until the end of March 2015.

Not only does the proposed bill introduce several restrictions to the freedoms of assembly and expression in protests, but it also lays down measures that would severely undermine digital rights.

First, if the law is adopted in its current form, it would oblige cybercafés and similar establishments to keep records of their clients’ IDs. Non-compliance with this measure could result in fines ranging from 100 to 30 000 Euros and to additional sanctions such as the suspension of licences or even the closing down of the establishment. Similar measures have already been implemented in China in the past years, resulting in significant loss of business and a severe infringement of the right to privacy and data protection. In other countries like Chile, a similar proposal was declared unconstitutional by the Constitutional Court.

Second, the Spanish bill would categorise “the non-authorised use of pictures, personal or professional data” of security force officers as a serious offence. As a complement to this measure, the on-going reform of the Spanish Criminal code would punish those citizens sharing photographs or videos of misbehaviour of security service staff with imprisonment for up to one year.

These are only two examples of the several risks this legislation poses to civil rights. Several amendments improving the text were tabled in the Congress but failed to gain a majority. If the same happens in the Senate, the abovementioned threats to civil rights will become a reality. The rights Spanish citizens are entitled to under EU legislation and the EU Charter of Fundamental Rights would be limited.

Citizens, activists, civil society groups, politicians and the European Commission need to take action now to stop this legislation. We call on the Spanish government to uphold and respect the international and European frameworks for fundamental rights and freedoms.

EDRi-gram: Spain: Why you should care about the Citizens’ Security Bill (30.07.2014)

Dossier on the evolution of the Criminal code reform in Spain (in Spanish Only, 27.01.2015)

Latest Intellectual Property law in Spain (in Spanish only, 04.11.2014)

(Contribution by Estelle Massé, EDRi-member Access, and Maryant Fernández Pérez, EDRi)



28 Jan 2015

Data retention in Kosovo and Switzerland – legalising illegal laws

By Guest author

Less than a year ago, many thought data retention in Europe would finally be faced with incontrovertible evidence that it is not effective or proportionate. Now, sensing an opportunity to take advantage of a more favourable public relations landscape, some politicians seem to have the intention to bring EU data retention back again.

Data retention laws still exist in some EU Member States, pending evaluation of conformity with the Charter of Fundamental Rights of the EU. Additionally, there are also non-member countries in Europe where data retention is very much a live political debate. In Kosovo, the government is trying to introduce a very worrying law while in Switzerland the existing regulation is set to be further broadened.

In Kosovo, a “potential candidate” country of the EU, the government has proposed a “Draft Law on Interception of Electronic Communication”. Recently, this draft law, still suffering from many of the weaknesses we had pointed out in our previous analysis, was referred by the government to the Parliamentary Committee on European Integration. EDRi has written a letter to the Assembly of Kosovo voicing its concerns and noting that for Kosovo’s application for accession to the EU to be successful, the country’s legal system must respect the Charter.

Multiple aspects of the Kosovar draft law are highly problematic when looked at through the lens of the Court of Justice of the EU’s (CJEU) recent ruling on the Data Retention Directive. Among other worrying provisions, the draft law proposes to give the Kosovo Intelligence Agency its own interception interface functioning independently from those of the Internet Service Providers. Knowing intelligence agencies’ tendency towards secrecy, this will make supervising the correct use of that data difficult, if not impossible.

In a positive development, a large majority of the Plenary Session followed the recommendation of the parliamentary committee and sent the draft law back to the government. We should however be careful to call this victory final, as the Kosovar government has already formed a working group to start drafting a new version of the law. The Minister for European Integration voiced his displeasure on Facebook claiming that “the draft law has been fully harmonized with the European Commission, in line with the Acquis Communautaire and based on the best practices of EU countries.”

While the latest developments in Kosovo inspire hope, the situation in Switzerland is set to become even less respectful of citizens’ right to privacy. Switzerland has had a data retention law for ten years and is currently working on revising it. The Committee for Legal Affairs of the National Council recently followed the recommendations of the government and proposes to extend the period of retention from six to twelve months. The Committee does not see any reason to revise the law in order to oblige Service Providers to store sensitive data within the country.

Switzerland does not intend to join the EU and is thus not affected by the CJEU’s decision on the Data Retention Directive. However, the country is a member of of the Council of Europe and thus bound by the European Convention on Human Rights. The Legal Service of the European Parliament noted in an opinion that the jurisprudence of the CJEU and the European Court of Human Rights (ECtHR) in the matter of data retention is very similar and compatible. It is thus very likely that the ECtHR would rule that the Swiss data retention law violates the Convention.

However, it seems that both the Swiss government and the Legal Committee of the National Council are not particularly concerned by this. Digitale Gesellschaft Switzerland, an NGO working on digital rights issues, has initiated legal proceedings to challenge the law, and given the fact that Switzerland does not have a constitutional court, it is likely that we will see a decision by the ECtHR in a few years’ time.

Committee for Legal Affair wants 12 months data retention (only in German, 26.01.2015)

Data Retention ruled invalid: what does this mean for Kosovo? (09.04.2015)

Legal Service Opinion on CJEU Data Retention ruling (14.01.2015)

The Kosovar Minister of European Integration’s Facebook post on the Assembly’s rejection of the draft law (only in Albanian, 20.01.2015)

(Contribution by Julian Hauser, EDRi intern)



28 Jan 2015

French Patriot Act: Do we really need more surveillance?

By Kirsten Fiedler

On 21 January, only two weeks after the attacks in Paris, the French government announced a big bundle of new security measures, a “general mobilisation against terrorism”. But does the country need more surveillance?

France has introduced telecommunications data retention for communications more than ten years ago, it has extensive video surveillance and intelligence services have been granted broad powers on multiple occasions since 9/11. Now, after the attacks, where more than enough data were available to the security services – and would have been even without the measures that are in place, the road to mass surveillance is neither being questioned nor are the existing measures evaluated for their effectiveness. On the contrary, French Prime Minister Manuel Valls believes that an “extraordinary situation calls for extraordinary measures”. In the opposition, some even demanded a French version of the US PATRIOT Act to be introduced.

In its launch of a “general mobilisation against terrorism”, the government proposed measures such as:

  • 735 million Euro in the next three years for internal security
  • the creation of 2680 new jobs – of which 1100 in intelligence services
  • Passenger Name Record (PNR) system, to be launched in September 2015 (for which France received a support of 17 million Euro from the Commission in February 2014)
  • the creation of a database for people found guilty or suspected of terrorism
  • a new law for intelligence services (“loi sur le renseignement”) in order to facilitate the interception of communications- proposal to be published in April 2015
  • “greater responsibility“ for internet services and increased “cooperation” with companies. Who better than companies like Facebook (the US business that at one stage was simultaneously banning breastfeeding pictures while permitting beheading videos) to regulate our free speech and security?

The exact details in the field of technology policies are not yet known. However, French Interior Minister Bernard Cazeneuve gave us a foretaste of what this “general mobilisation” might mean for the Internet. During a meeting of the Ministers of Interior of the European Union, Cazeneuve called for increased cooperation with online services to quickly remove illegal content and content that makes apologies for terrorism or promotes violence or hate. Only a few days later, Prime Minister Valls backed this logic by announcing his intention to increase “moral pressure” on hosting providers. During the International Forum on Cybersecurity (FIC) in Lille on 20 January, he reminded representatives of Facebook, Google and Twitter of their “policing role”. Fifty years of international human rights law, which demands that restrictions on our freedom of expression and privacy must be based on clear legislation, seem to have disappeared in this first month of the year.

That this is an over-reaction is without doubt: It is known that the radicalisation of the Kouachi brothers and Amedy Coulibaly did not take place via the Internet. On the contrary, Chérif Kouachi was part of the ”Buttes-Chaumont“ group which is named after the part of Paris that has been frequently visited by salafist leaders. During his first incarceration in the prison of Fleury-Mérogis, he was mentored by salafist Djamel Beghal. His use of the Internet was limited to websites explaining the handling of weapons. Amedy Coulibaly was first arrested for aggravated thefts and trafficking, and he met Chérif Kouachi in Fleury-Mérogis. According to police records he only used the Internet to visit poker sites.

But back to France’s surveillance measures. Since 2001, an impressive number of laws has been passed to increase internal security. Here is a non-exhaustive list:

In November 2014, the National Assembly adopted the anti-terror law (Loi renforçant les dispositions relatives à la lutte contre le terrorisme” that foresees web blocking of “terrorist” content without clear criteria or judicial decision.

In March 2014, Snowden documents revealed that French intelligence agencies already have broad powers to spy on their citizens, without any oversight or control. French General Directorate for External Security (DGSE) is closely cooperating with telecom giant France Télécom/Orange.

In February 2014, France received 17 million Euro from the European Commission for the surveillance of air passengers (PNR) despite the fact that the European Parliament had not voted on the proposal and that the legality of the proposal for a EU-Canada agreement on PNR data is now being evaluated by the Court of Justice of the European Union (CJEU).

In December 2013, France introduced a new military programming law which allows the interception of communications without a court order (LPM, Loi de programmation militaire 2014-2019). Article 20 not only allows the military and the police but also the Ministry of the Budget and the Ministry of Economics to access citizens’ communications data.

In February 2011, France implemented its version of the EU Directive on the retention of telecommunications data, including the retention of passwords, IP addresses, pseudonyms, email accounts etc. (Décret relatif à la conservation et à la communication des données permettant d’identifier toute personne ayant contribué à la création d’un contenu mis en ligne)

In March 2011, France adopts the ”LOPPSI 2“ package, (Loi d’Orientation et de Programmation pour la Performance de la Sécurité Intérieure) which includes web blocking, police keyloggers and government-installed Trojans, increased CCTV surveillance and the extension of police databases. In a move that sounds like weak parody, this law also changed all legislative provisions mentioning “video surveillance” with the more soothing term “video-protection”.

In 2009, France adopts a decree to implement the law on video surveillance of 2007 (Décret modifiant le décret n° 96-926 du 17 octobre 1996 relatif à la vidéosurveillance).
In 2007, France possesses 36 law enforcement data bases, two years later this figure increased to 45.

In January 2006 France adopts an anti-terrorism law (LCT, la loi relative à la lutte contre le terrorisme) which extends data retention obligations to cybercafés.

In June 2004, France adopts the “law on confidence in the digital economy” (LCEN, la loi pour la confiance dans l’économie numérique) which extends data retention provision to hosting and platform providers.

In March 2003, France adopts a law to increase internal security (LSI, Loi Sarkozy II). In addition, the temporary measure passed in 2001 is being extended for an indefinite period.

In August 2002, the law for the programming of internal security (LOPSI, loi d’orientation et de programmation pour la sécurité intérieure) is passed leading to a merging of several police data bases.

After 9/11 France adopts a temporary measure in order to increase “daily security” (LSQ, Loi relative à la sécurité quotidienne) which was meant to come to an end in 2003. The law introduced the retention of telecommunications data for the period of one year.

#Antiterrorisme: Manuel Valls announced exceptional measures (only in French, 21.01.2015)

Paris, Bruxelles, Toulouse… radicalisation of terrorists does’t happen on the internet (only in French, 12.01.2015)

Apologie of terrorism: Valls puts “moral” pressure on hosting providers (only in French, 21.01.2015)

Bernard Cazeneuve urges web platforms for self-regulation (only in French, 21.01.2015)



14 Jan 2015

Romanian cybersecurity law sent to the Constitutional Court

By Guest author

A new law on cybersecurity, previously reported in the EDRi-gram, was adopted by the Romanian Parliament at the end of 2014. The law gives the Romanian Intelligence Agency (SRI) access to any computer data owned by private companies, without a court order.

The proposal was tacitly adopted by the Chamber of Deputies on 17 September. Also, although the law was not under emergency procedure, once in Senate, it received a two-day deadline for comments from the Defense Commission. The Human Rights Commission of the Senate was not asked to give its advice. Then silence. After three months of inactivity on the text, the cybersecurity law was suddenly adopted unanimously by the Senate on 19 December 2014.

The law which grants the Romanian Intelligence Agency (SRI) – along with eight other public institutions, most of them secret services – the possibility of “accessing data” from any IT system owned, possessed, managed, operated or used by legal persons. The access can be granted with only a simple “motivated request” from these institutions in their own attributions and without any judicial supervision.

The legal text does not specify what the types of data could be accessed nor details of the protection measures against possible abuses. It also fails to ensure that authorities which can request access to data but that do not fall under the national security exemption are obliged to have personal data protection policies in place. Other concerns are related to the prominent role of the SRI in information security and to the vague obligations for all computer systems used by legal persons. .

Following a strong protest right before Christmas organised by human rights NGOs, including EDRi-member ApTI, a group of Members of Parliament from the Liberal Party sent the law to the Constitutional Court for analysis. The Court will make a decision on 21 January 2015. ApTI is working on submitting an amicus curiae to support the unconstitutionality claims.

The situation regarding surveillance practices in Romania seems to have recently become even blurrier. Even as the events in France were unfolding, a special inter-institutional group formed by several ministries and SRI had already met a couple of times to decide about a revival of the surveillance laws declared unconstitutional in 2014 – the data retention law and the mandatory registration of telephony pre-paid cards. The General Prosecutor declared that “these laws are just the right type of instruments for preventing terrorist attacks”. His belief is that no measure is disproportionate when speaking about the possibility to firmly react against terrorists. “The right to life is more important” than the right to privacy or the right to communicate.

One proposal after the other, Romanian authorities seem to repeatedly prove that they learn nothing from the past.

Romanian version of EU cybersecurity directive allows warrantless access to data (24.01.2014)

13 NGOs ask to stop the cybersecurity law (only in Romanian, 21.12.2014)

General Prosecutor on the Big Brother Law: Between the right to life and the secrecy of correspondance, we choose the first one (only in Romanian, 08.01.2015)

ApTI: A major attack against human rights is used by the Romanian authorities as a pretext for limiting human rights (08.01.2015)

EDRi-gram: Romania: No communication without registration (02.07.2014)

(Contribution by Valentina Pavel and Bogdan Manolea, EDRi-member Association for Technology and Internet ApTI, Romania)



14 Jan 2015

Danish government plans to re-introduce session logging

By Guest author

The Danish response to the ruling of the Court of Justice of the European Union (CJEU) on the Data Retention Directive was fairly limited. On 2 June 2014, the Ministry of Justice produced a legal analysis saying that there was no reason to believe that the Danish data retention law was in conflict with the Charter of Fundamental Rights and the CJEU judgment.

The Ministry of Justice did, however, repeal the so-called session logging obligation, which was a Danish extension of the requirements of the now annulled Data Retention Directive, whereby session information (source and destination IP addresses, port numbers, session type e.g. TCP or UDP, and timestamp) is retained for every 500th internet packet. The official reason given for repealing session logging was not the CJEU ruling, but the fact that the Danish police had been unable to use the massive amount of data collected. A government evaluation report from December 2012 could only point to a single case, involving web banking fraud on a minor scale, where Danish police had been able to use the data collected with session logging.

After the decision on 2 June 2014 to repeal session logging, data retention in Denmark essentially consists of the elements from the now invalid Data Retention Directive (call detail records for outgoing and incoming calls, cellular location data, and the IP address assigned to the customer for internet access). Before the summer of 2015, the Danish Parliament is supposed to evaluate and possibly revise the Danish data retention law.

On 7 January 2015, the Danish newspaper Berlingske reported, very surprisingly, that the Danish Ministry of Justice apparently plans to re-introduce session logging. Even though session logging has failed miserably for seven years (2007-2014), the Danish Police simply cannot give up on the phantom idea that it is possible to map every internet connection with the same level of precision as a telephone call (who has called whom, where, when, and for what duration). This is the stated purpose of session logging, in previous documents from the Ministry of Justice (going back to 1999), as well as in the newly leaked documents from the Danish Police as seen by Berlingske and IT-Pol Denmark. The changes proposed to session logging are minimal, and they are not going to address the inherent problems – mainly because they cannot be addressed in a meaningful way.

If the Danish Minister of Justice really puts this proposal before Parliament, the Danish data retention policy will have taken an absurd zig-zag course over the last three years. For several years, the Danish Police and the Ministry of Justice told Parliament that session logging was a useful instrument for law enforcement, even though it was rarely used. Then, on 2 June 2014, the Danish Minister of Justice suddenly decided to repeal session logging, to the great astonishment and protest of the politicians who had supported data retention in previous votes. And now, apparently, the Minister of Justice seems to be planning to re-introduce session logging in Danish data retention.

The Danish Minister of Justice has, so far, declined to comment on the leaked plans to re-introduce session logging. According to the Danish newspaper Information, the Minister of Justice has said that the final model for the revision of the data retention law is yet to be determined.

EDRi-gram: Denmark: Data retention is here to stay despite the CJEU ruling (04.06.2014)

Police wants to reintroduce surveillance of Danes on the internet, Berlingske (only in Danish, 07.01.2015)

The internet surveillance that refuses to die, Information (only in Danish, 13.01.2015)

EDRi-gram: Denmark: Government postpones the data retention law evaluation (13.02.2013)

(Contribution by Jesper Lund, EDRi-member IT-Pol, Denmark)



14 Jan 2015

Legal Service Opinion on CJEU Data Retention ruling

By Diego Naranjo

The European Parliament (EP) legal services last week presented an opinion on the Court of Justice of the EU’s (CJEU) ruling on the Data Retention Directive (DRD) and its implications. The opinion, after restating the principles that are essential to permit any interference on fundamental rights (proportionality, justification and necessity), answered specific questions raised by the Civil Liberties, Justice and Home Affairs.

On the issue of existing mass surveillance mechanisms such as on Passenger Name Records (PNR) and the Terrorist Financing Tracking Programme Agreement (TFTP), the opinion states that the only directly affected legal norm is the Data Retention Directive itself. Other norms covering similar data retention schemes will have a “presumption of legality” that could be repealed “on a case-by-case basis in the light of the particular circumstances of each case”. This rebuttal could be made either via national courts that refer them to the CJEU in accordance with Article 267 TFEU, or via asking the Commission about the legality of existing EU acts.

In relation to similar legislative proposals that require mass data storage, the opinion states that EU law must respect the red lines set by the CJEU in this judgment. Thus, EU PNR and Entry/Exit System will fall clearly under the category of acts that need to be assessed in the light of this ruling and need to respect the principles of proportionality and necessity. International agreements that have similar consequences on personal data would also fall under this category, and the CJEU could be asked if such agreement is in line with EU law. This procedure was used last December in relation to the EU Canada PNR agreement.

As for the enacted national laws applying the Directive, the opinion says that the judgment produces a twofold effect: On one hand, Member States have no obligation to retain data by service providers and therefore they can repeal existing laws without breaking EU law. On the other hand, if a Member State decides to keep the legislation, “all national measures providing for data retention in connectionwith the provision of publicly available electronic communications services” would now be covered under Art.15(1) of the e-Privacy Directive. These measures will need to frespect Articles 7 and 8 of the Charter of Fundamental Rights of the European Union and the principles of proportionality and necessity.

Lastly, the legal opinion mentions the situation of some of the national laws implementing the Directive. In Bulgaria, Romania, Germany, Cyprus, Czech Republic these laws were declared invalid even before the CJEU gave its judgment. In some other Member States they were declared invalid after the judgment, as in the case of Austria and Slovenia and partially in Poland.

The European Parliament has provided clear guidance on why the DRD was annulled and the effects of the judgment on national and European law as well as on international agreements established by the EU. The opinion covers the jurisprudence of both the CJEU and the European Court of Human Rights (ECtHR) on the existing safeguards with regard to surveillance and how principles of necessity and proportionality need to be met for such an interferences on fundamental rights. However, Member States appear to think, exploiting every available atrocity, that international courts, national courts and EU institutions got it all wrong..

In a joint statement, several EU Ministers of Interior called for the new measures: “Partnership” of Internet Service Providers (ISPs) regarding content that should be removed (a.k.a. “privatised law enforcement”) and “stepping up the detection and screening of travel movements by European nationals crossing the European Union’s external borders”. Companies like Facebook, that previously threatened to block Charlie Hebdo’s Facebook page would be used to enforce more censorship.

Tthe joint statement says that this time they need the “constructive approach” of the European Parliament, for the adoption of PNR measures, for which no evidence of necessity or proportionality has been provided.

For those attending the Privacy Camp “Data Retention and PNR” workshop next week (, we will need to be ready with concrete actions to stop this new attack on fundamental rights and freedoms.

European Parliament Opinion on the Court of Justice of the EU’s ruling on the Data Retention Directive (07.01.2015)

Joint Statement by Minister of Interior after the attack on Charlie Hebdo Offices (11.01.2015)

(Contribution by Diego Naranjo, EDRi)