privacy

The right to privacy is a crucial element of our personal security, for free speech and for democratic participation. It is a fundamental right in the primary law of the European Union and is recognised in numerous international legal instruments. Digital technologies have generated a new environment of potential benefits and threats to this fundamental right. As a result, defending our right to privacy is at the centre of EDRi’s priorities.

02 Jul 2015

European Digital Rights asks the European Commission to investigate illegal data retention laws in the EU

By Heini Järvinen

European Digital Rights (EDRi) this morning sent a letter to European Commission First Vice-President Frans Timmermans, asking the European Commission to investigate the data retention laws in EU Member States which appear to be illegal in light of the Court of Justice of the European Union (CJEU) ruling on this issue from 8 April last year.

Looking superficially at a cross-section of 14 EU Member States’ approaches to data retention, EDRi identidied strong similarities between the provisions in force and those ruled illegal by the European Court. We therefore carried out case studies in relation to six countries (Croatia, Denmark, Finland, Italy, Poland and the United Kingdom) and sent them to the Commission as compelling proof that action needs to be taken.

“Over a year after the Court ruling, it is finally time for the Commission to act,” said Joe McNamee, Executive Director of European Digital Rights. “EU Member States cannot be allowed to break European law with impunity.”

The focus of EDRi’s analysis is:

  1. if EU Member States have provisions which link the data being retained with a particular time period, location, group of people or a serious crime;
  2. the procedures to access the retained data, and who can access it, and
  3. the conditions and the period during which the data is kept.

Although there are differences between the selected Member States, EDRi concluded that the existing laws in these six countries appear to be contravention to the Charter of Fundamental Rights, following the analysis of the CJEU.

EDRi calls on the European Commission, as the Guardian of the Treaties, to investigate further these and any other national laws that may be in breach of EU case law.

Read more:
Belgian Constitutional Court rules against data retention (17.06.2015)
Data retention: German government tries again (03.06.2015)
Hungarian data retention case: ORG, PI & scholars file amicus briefs (22.04.2015)
In Germany, Data Retention refuses to die (25.03.2015)
Dutch data retention law struck down – for now (12.03.2015)
Data retention in Kosovo and Switzerland – legalising illegal laws (28.01.2015)
Legal Service Opinion on CJEU Data Retention ruling (14.01.2015)
Data retention: EU Commission – guardian and enemy of the treaties (17.12.2015)
Dutch government: Let’s keep data retention mostly unchanged (03.12.2014)
Denmark: Data retention is here to stay despite the CJEU ruling (04.06.2014)
ECJ: Data retention directive contravenes European law (09.04.2014)
Data Retention in Austria: Constitutional Court turns to the CJEU (16.01.2013)

 


European Digital Rights ruft die Europäische Kommission dazu auf, illegale Gesetze zur Vorratsdatenspeicherung in der EU zu prüfen

European Digital Rights (EDRi) hat heute Morgen einen Brief an den Ersten Vizepräsidenten der Europäischen Kommission geschickt. In dem Schreiben wird die EU-Kommission dazu aufgerufen, die Gesetze zur Vorratsdatenspeicherung in den Mitgliedstaaten der EU zu untersuchen, da diese vor dem Hintergrund der Entscheidung des Europäischen Gerichtshofs vom 8. April letzen Jahres illegal erscheinen.

EDRi hat nach einer kusorischen Betrachtung der Regulierungen zur Vorratsdatenspeicherung von 14 EU-Mitlgiedstaaten festgestellt, dass grosse Ähnlichkeiten zwischen den momentan geltenden Bestimmungen und jenen, die der Gerichtshof als illegal befunden hat, bestehen. Daher haben wir Fallstudien über sechs Länder (Kroation, Dänemark, Finnland, Italien, Polen und Grossbritannien) angefertigt und diese der Kommission übermittelt, um klar aufzuzeigen, dass entsprechende Massnahmen ergriffen werden müssen.

“Über ein Jahr nach dem Gerichtsbeschluss ist es endgültig an der Zeit, dass die Kommission handelt,” sagt Joe McNamee, Geschäftsführer von European Digital Rights. “Es darf EU-Mitgliedstaaten nicht erlaubt sein, ungestraft EU Recht zu brechen.”

Die Schwerpunkte der Analyse sind:

  1. Ob die Bestimmungen der Mitgliedstaaten die auf Vorrat gespeicherten Daten mit einem spezifischen Zeitpunkt, Ort, Gruppe oder einem schweren Verbrechen in Verbindung setzen;
  2. Die Verfahren zum Zugriff auf die auf Vorrat gespeicherten Daten sowie wer auf diese Daten Zugriff hat;
  3. Die Bedingungen zur Speicherung der Daten sowie die Dauer der Speicherfrist.

Obwohl es Unterschiede zwischen den untersuchten Mitgliedstaaten gibt, ist EDRi auf Grundlage des EuGH-Urteils zu der Schlussfolgerung gekommen, dass die Gesetze, die in diesen sechs Ländern existieren, gegen die Charta der Grundrechte verstossen.

EDRi ruft die Europäische Kommission als Hüterin der Verträge dazu auf, zu untersuchen, ob diese und andere nationale Gesetze zur Vorratsdatenspeicherung gegen EU-Recht verstoßen.

Mehr dazu:
Belgian Constitutional Court rules against data retention (17.06.2015)
Data retention: German government tries again (03.06.2015)
Hungarian data retention case: ORG, PI & scholars file amicus briefs (22.04.2015)
In Germany, Data Retention refuses to die (25.03.2015)
Dutch data retention law struck down – for now (12.03.2015)
Data retention in Kosovo and Switzerland – legalising illegal laws (28.01.2015)
Legal Service Opinion on CJEU Data Retention ruling (14.01.2015)
Data retention: EU Commission – guardian and enemy of the treaties (17.12.2015)
Dutch government: Let’s keep data retention mostly unchanged (03.12.2014)
Denmark: Data retention is here to stay despite the CJEU ruling (04.06.2014)
ECJ: Data retention directive contravenes European law (09.04.2014)
Data Retention in Austria: Constitutional Court turns to the CJEU (16.01.2013)

 


European Digital Rights chiede alla Commissione Europea di aprire un’indagine all’interno dell’UE sulle leggi illegittime in materia di data retention

Questa mattina European Digital Rights (EDRi) ha inviato una lettera al Primo Vice-Presidente della Commissione Europea Frans Timmermans, nella quale ha chiesto di aprire un’indagine, all’interno degli Stati Membri dell’UE, riguardo alle norme in materia di data retention che risultano illegali alla luce della decisione adottata dalla Corte di Giustizia dell’Unione Europea (CGUE) lo scorso 8 Aprile.

Dopo una prima analisi dell’approccio intrapreso in materia di data retention nelle legislazioni di 14 Stati Membri, EDRi ha individuato delle profonde somiglianze tra le norme in vigore e quelle dichiarate illegali dalla Corte di Giustizia. Abbiamo quindi studiato la situazione riguardante sei Paesi (Croazia, Danimarca, Finlandia, Italia, Polonia e Regno Unito) e inviato i risultati della nostra ricerca alla Commissione, come prova evidente della necessità di prendere provvedimenti.

“A piu di un anno di distanza dalla decisione della Corte, è giunto il momento di agire per la Commissione,” ha dichiarato Joe McNamee, Direttore Esecutivo di European Digital Rights. “Non si puo’ permettere agli Stati Membri dell”UE di violare il diritto Europeo impunemente.”

Gli elementi su cui si concentra l’analisi effettuata da EDRi sono:

  1. se le norme in vigore negli Stati Membri dell’UE mettono in relazione i dati che vengono conservati ad un certo periodo di tempo, ad un luogo o un gruppo di persone particolari, o ad un reato grave;
  2. le procedure di accesso ai dati conservati, e chi puo’ accedervi;
  3. le condizioni e la durata del periodo di conservazione dei dati.

Nonostante ci siano differenze tra gli Stati Membri selezionati, EDRi ha concluso che, in seguito all’analisi effettuata dalla CGUE, le norme vigenti in questi sei paesi risultano essere in contrasto con la Carta dei Diritti Fondamentali.

EDRi lancia un appello alla Commissione Europea, in quanto Custode dei Trattati, affinchè investighi piu’ a fondo queste leggi, e ogni altra legge nazionale che possa violare la giurisprudenza dell’UE.

Approfondisci:
Belgian Constitutional Court rules against data retention (17.06.2015)
Data retention: German government tries again (03.06.2015)
Hungarian data retention case: ORG, PI & scholars file amicus briefs (22.04.2015)
In Germany, Data Retention refuses to die (25.03.2015)
Dutch data retention law struck down – for now (12.03.2015)
Data retention in Kosovo and Switzerland – legalising illegal laws (28.01.2015)
Legal Service Opinion on CJEU Data Retention ruling (14.01.2015)
Data retention: EU Commission – guardian and enemy of the treaties (17.12.2015)
Dutch government: Let’s keep data retention mostly unchanged (03.12.2014)
Denmark: Data retention is here to stay despite the CJEU ruling (04.06.2014)
ECJ: Data retention directive contravenes European law (09.04.2014)
Data Retention in Austria: Constitutional Court turns to the CJEU (16.01.2013)

 


European Digital Rights anmoder Europa-Kommissionen om at undersøge ulovlige logningslove i EU

European Digital Rights (EDRi) har her til morgen sendt et brev til 1. næstformand for Europa-Kommissionen Frans Timmermans, der beder Europa-Kommissionen undersøge logningslovene i EUs medlemsstater, som synes at være ulovlige i lyset af dommen fra EU-domstolen om logningsdirektivet den 8. april 2014.

Ud fra en indledende analyse af logningsreglerne i 14 EU medlemsstater, har EDRi identificeret stærke ligheder mellem de gældende lovbestemmelser og de bestemmelser som blev kendt ulovlige af EU-domstolen. Vi har derfor udført casestudier på seks lande (Kroatien, Danmark, Finland, Italien, Polen og Storbritannien) og sendt dem til Kommissionen som et overbevisende argument for at der er behov for handling.

“Et år efter EU-domstolens afgørelse er det endelig tid for Kommissionen til at handle,” siger Joe McNamee, Executive Director for European Digital Rights. “EUs medlemsstater skal ikke ustraffet kunne bryde europæisk lov.”

Fokus for EDRi’s analyse er:

  1. om EUs medlemsstater i deres nationale lovbestemmelser har begrænset dataindsamlingen til bestemte perioder eller bestemte forbrydelser;
  2. proceduren for at få adgang til de indsamlede data, og hvem der kan få adgang, og
  3. betingelserne for opbevaring af logningsdata og opbevaringsperioden.

Selv om der er forskelle mellem de udvalgte medlemsstater, konkluderer EDRi at de eksisterende love i disse seks lande ser ud til at være i strid med Charter om Grundlæggende Rettigheder, jf. analysen fra EU-domstolen.

EDRi opfordrer Europa-Kommissionen, som vogter af traktaterne, til at undersøge lovgivningen i disse seks lande og andre nationale love, som kan være i strid med retspraksis fra EU-domstolen.

Læs mere:
Belgian Constitutional Court rules against data retention (17.06.2015)
Data retention: German government tries again (03.06.2015)
Hungarian data retention case: ORG, PI & scholars file amicus briefs (22.04.2015)
In Germany, Data Retention refuses to die (25.03.2015)
Dutch data retention law struck down – for now (12.03.2015)
Data retention in Kosovo and Switzerland – legalising illegal laws (28.01.2015)
Legal Service Opinion on CJEU Data Retention ruling (14.01.2015)
Data retention: EU Commission – guardian and enemy of the treaties (17.12.2015)
Dutch government: Let’s keep data retention mostly unchanged (03.12.2014)
Denmark: Data retention is here to stay despite the CJEU ruling (04.06.2014)
ECJ: Data retention directive contravenes European law (09.04.2014)
Data Retention in Austria: Constitutional Court turns to the CJEU (16.01.2013)

 


European Digital Rights traži Europsku Komisiju da istraži ilegalne zakone ozadržavanju podataka u Europskoj Uniji

European Digital Rights (EDRi) poslao je danas ujutro pismo prvom potpredsjedniku Europske Komisije, Fransu Timmermansu, u kojem traži da Europska Komisija provede istragu o zakonima o zadržavanju podataka u državama članicama EU, za koje se smatra da nisu u skladu s presudom Suda pravde Europske Unije (CJEU) na tu temu, donesene 8. travnja prošle godine.

Površno pregledavajući presjek pristupa zadržavanju podataka 14 država članica EU, EDRi je uočio snažne sličnosti između odredaba na snazi i onih proglašenih nezakonitima od strane Europskog suda. Iz tog razloga proveli smo analizu stanja u šest država (Hrvatska, Danska, Finska, Italija, Poljska i Ujedinjeno Kraljevstvo) koju smo proslijedili Komisiji kao neoboriv dokaz da je djelovanje nužno.

“Nakon više od godinu dana nakon što je presuda donesena, krajnje je vrijeme da Komisija počne djelovati”, izjavio je Joe McNamee, izvršni direktor European Digital Rights. “Državama članicama Europske Unije ne smije biti dopušteno nekažnjeno kršiti Europske zakone.”

Provodeći analizu EDRi se usredotočio na sljedeće glavne točke:

  1. imaju li države članice u svojim nacionalnim zakonodavstvima odredbe koje povezuju zadržane podatke s određenim razdobljem, zemljopisnim područjem, skupinom ljudi ili teškim kaznenim djelom;
  2. postupak pristupa zadržanim podacima i tko im može pristupiti;
  3. uvjete i razdoblje unutar kojeg su podaci zadržani.

Unatoč razlikama koje postoje između spomenutih država, prema zaključku EDRi-ja čini se da postojeći zakoni u ovih šest država predstavljaju kršenje Povelje o ljudskim pravima, imajući u vidu analizu Suda pravde (CJEU).

EDRi poziva Europsku komisiju, kao Čuvara Europskih ugovora, da podrobnije istraži navedene kao i bilo koje druge nacionalne zakone koji potencijalno predstavljaju kršenje sudske prakse Europske Unije.

Pročitajte više:
Belgian Constitutional Court rules against data retention (17.06.2015)
Data retention: German government tries again (03.06.2015)
Hungarian data retention case: ORG, PI & scholars file amicus briefs (22.04.2015)
In Germany, Data Retention refuses to die (25.03.2015)
Dutch data retention law struck down – for now (12.03.2015)
Data retention in Kosovo and Switzerland – legalising illegal laws (28.01.2015)
Legal Service Opinion on CJEU Data Retention ruling (14.01.2015)
Data retention: EU Commission – guardian and enemy of the treaties (17.12.2015)
Dutch government: Let’s keep data retention mostly unchanged (03.12.2014)
Denmark: Data retention is here to stay despite the CJEU ruling (04.06.2014)
ECJ: Data retention directive contravenes European law (09.04.2014)
Data Retention in Austria: Constitutional Court turns to the CJEU (16.01.2013)

 


European Digital Rights vaatii Euroopan komissiota tutkimaan laittomat teletunnistetietojen säilyttämistä koskevat lait EU:ssa

Tänä aamuna European Digital Rights (EDRi) lähetti Euroopan komission varapuheenjohtaja Frans Timmermansille kirjeen, jossa vaaditaan komissiota käynnistämään tutkinta EU-jäsenmaiden teletunnistetietojen säilyttämistä koskevista laeista, jotka Euroopan unionin tuomioistuimen (ECJ) viime vuoden huhtikuun 8. päivän päätöksen valossa vaikuttavat lain vastaisilta.

EDRi havaitsi vertaillessaan 14 EU-jäsenmaan kantoja teletunnistetietojen säilyttämiseen selkeitä yhtäläisyyksiä eri jäsenmaissa voimassa olevien säännösten ja tuomioistuimen laittomiksi julistamien säännösten välillä. Kuuden jäsenmaan (Kroatia, Tanska, Suomi, Italia, Puola ja Iso-Britannia) tilanteesta tehdyt tarkemmat analyysit lähetettiin Euroopan komissiolle vakuuttavana todisteena siitä, että komission on ryhdyttävä pikaisesti toimiin asian korjaamiseksi.

“Yli vuosi tuomioistuimen päätöksen jälkeen komission olisi vihdoin aika toimia”, sanoi Joe McNamee, EDRi:n toiminnanjohtaja. “Jäsenmaiden ei voi antaa rikkoa EU:n lainsäädäntöä rangaistuksetta.”

EDRi:n analyysi keskittyy seuraaviin kohtiin:

  1. onko EU-jäsenmaissa on voimassa säännöksiä, jotka yhdistävät tietyn ajanjakson, sijannin tai ihmisryhmän tietoja tai tietoja jotka liittyvät vakaviin rikoksiin
  2. menettelytavat liittyen siihen, kuinka ja kenellä on pääsy säilytettyihin tietoihin
  3. tietojen säilyttämisen ehdot ja ajanjakso, joka tiedot säilytetään

Vaikka jäsenmaiden laeissa on eroja, voimassa olevat lait kuudessa tutkitussa jäsenmaassa vaikuttavat olevan ristiriidassa Euroopan unionin perusoikeuskirjan kanssa, perustuen ECJ:n päätökseen ja analyysiin.

EDRi kehottaa Euroopan komissiota perussopimusten vartijana tutkimaan kyseisten maiden teletunnistetietojen säilyttämistä koskevat lait, sekä muut kansalliset lait, jotka saattavat rikkoa EU:n oikeuskäytäntöä.

Lisätietoa:
Belgian Constitutional Court rules against data retention (17.06.2015)
Data retention: German government tries again (03.06.2015)
Hungarian data retention case: ORG, PI & scholars file amicus briefs (22.04.2015)
In Germany, Data Retention refuses to die (25.03.2015)
Dutch data retention law struck down – for now (12.03.2015)
Data retention in Kosovo and Switzerland – legalising illegal laws (28.01.2015)
Legal Service Opinion on CJEU Data Retention ruling (14.01.2015)
Data retention: EU Commission – guardian and enemy of the treaties (17.12.2015)
Dutch government: Let’s keep data retention mostly unchanged (03.12.2014)
Denmark: Data retention is here to stay despite the CJEU ruling (04.06.2014)
ECJ: Data retention directive contravenes European law (09.04.2014)
Data Retention in Austria: Constitutional Court turns to the CJEU (16.01.2013)

 


Twitter_tweet_and_follow_banner

close
17 Jun 2015

Belgian Constitutional Court rules against data retention

By Guest author

On 12 June, following two actions for annulment brought independently, the Belgian Constitutional Court ruled against the mass collection of communications metadata. This ruling is line with a recent ruling from the Court of Justice of the European Union (CJEU) invalidating the directive that inspired the Belgian law.

The Data Retention Directive (2006/24/CE) adopted in the aftermath of the terrorist attacks in Madrid (2004) and London (2005) – and invalidated in 2014 -required telecommunication service providers or operators to retain communications metadata on each and every customer for between 18 months and two years. In July 2013, the Belgian Federal Parliament adopted, under an emergency procedure, a law and a decree transposing the Directive into Belgian law.

In February 2014, NURPA, datapanik.org, EDRi member Liga voor Mensenrechten and the Ligue des Droits de l’Homme (LDH) jointly initiated a crowdfunding campaign to finance an action for annulment before the Constitutional Court. The success encountered by the campaign – the 5 000 euro goal was exceeded in a couple of weeks – has shown how much citizens value their privacy.

In the ruling, the Belgian Constitutional Court reaffirms the importance of the right to privacy under the Article 22 of the Belgian Constitution, and recalls that any limitation of this right must be proportionate. Belgium joins the growing list of Member States in which the national transposition of the Directive was challenged successfully. It should be noted that it is currently not clear whether the European Commission plans to introduce a new proposal for the retention of communications data or not.

“This constitutional ruling should have the effect of a shock to our governments: they cannot expand indefinitely the massive surveillance of their citizens. There is an increasingly obvious imbalance between the respect for privacy and the legitimate need for security. This is what prompted LDH to make data protection and privacy our main themes for 2015,”

said Alexis Deswaef, President of LDH.

“The ruling of the Constitutional Court brings a breath of fresh air in a nauseating context where murderous acts of a few terrorists are enough to destroy the fundamental principles of rights and freedoms of our democracies. This should remind everyone that rights and freedoms are a constant struggle, even more so when the trend in Europe is the stacking of securitarian measures, as sadly demonstrated by the French case,”

concluded André Loconte, spokesman of NURPA.

The Constitutional Court repeals the transposition of the data retention directive (12.06.2015)
http://nurpa.be/actualites/2015/06/const-court-repeals-data-retention-belgium

Avis de la Cour de justice de l’Union au sujet de la directive sur la conservation des données (12.06.2015)
http://nurpa.be/actualites/2013/12/avis-CJUE-data-retention#contexte-belge

Data retention in Belgium
http://stopdataretention.be/en/

Ruling in Dutch
http://nurpa.be/files/20150611_ruling-const-cour-dataretention-belgium_nl.pdf

Ruling in German
http://nurpa.be/files/20150611_ruling-const-cour-dataretention-belgium_de.pdf

Status of data rentention Directive transpositions accross Member States
http://wiki.vorratsdatenspeicherung.de/Transposition

EU executive plans no new data retention law (12.06.2015)
www.reuters.com/article/2015/03/12/us-eu-data-telecommunications-idUSKBN0M82CO20150312

(Contribution by NURPA, Belgium)

EDRi-gram_subscribe_banner

Twitter_tweet_and_follow_banner

close
04 Jun 2015

Surveillance of air passengers: Letter to Parliamentarians

By Diego Naranjo

Surveillance in the EU - infographics

Today, 4 June, in light of the discussion in the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) of the amendments for the Passenger Name Record (PNR) proposal, we have sent the following e-mail to all members in the Committee:

“Dear Ms/Mr ……,

Ahead of today’s debate on the proposed EU-PNR Directive, EDRi and Access would like to draw your attention on the striking and deeply concerning similarities between this proposal and the now invalid Data Retention Directive.

Please find attached an infographic comparing these proposals and here a short post providing more information on these issues here and here.

We remain at your disposal for any information you might need.

Best regards,
Diego Naranjo & Estelle Masse.

Contact information:
Diego Naranjo (EDRi) – diego.naranjo@edri.org
Estelle Masse (Access) – estelle@accessnow.org

EDRi is a pan-European organisation working on human rights in the digital environment.

Access is an international organisation that defends and extends the digital rights of users at risk around the world.”

Twitter_tweet_and_follow_banner

close
03 Jun 2015

Data retention: German government tries again

By Guest author

Even before the parliamentary summer recess starting on 4 July, the German government wants to push a national law on data retention through the German Bundestag. After the Ministry of Justice presented so-called guidelines in mid-April, and a complete draft law only a month later, the Parliament is now supposed to debate and pass this legal instrument within only a month.

The retention of metadata from electronic communications has been on the political agenda throughout Europe for many years now. After the EU had passed a Directive on data retention, Germany first introduced a national law that forced telecommunication providers to store metadata from electronic communications in 2008. Two years later, the German Federal Constitutional Court (FCC) came to the conclusion that this law violated fundamental rights, and therefore declared it null and void. A decision from the Court of Justice of the European Union (CJEU) followed in 2014, rescinding the EU Directive entirely. While the European Commission, for the time being, has refrained from making another attempt at introducing a Directive, the German government is still hell-bent on bringing a national law on data retention into effect.

The Ministry of Justice is trying to sell its draft law as a “well-balanced compromise between freedom and security“ which meets all the requirements set by both the FCC and the CJEU. In the draft, storage periods have been reduced to ten weeks for traffic data and four weeks for location data. Metadata on e-mails will not be collected at all and government authorities will always need a court order allowing them to access the data. Civil rights groups, academia and even parts of the Social Democrats (who form the governing “great coalition“ together with the Conservatives) beg to differ, though.

Until today neither the European Commission nor any government of an EU Member State has been able to present evidence or even indications for the effectiveness of data retention in combating terrorism or serious crime. In fact, all of the studies examining the effects of data retention on the prevention and prosecution of such offences have found that it does not lead to higher clearance rates. This is an important aspect, because every infringement of a fundamental right must be necessary and proportionate in order to be legal under international law – and a measure that does not even have a measurable effect towards the goal of the legislation can never be necessary.

The undifferentiated character of the planned data retention is the draft’s next fundamental flaw. According to the CJEU, one of the main faults of the EU Directive on data retention was the fact that it demanded storing the metadata of everyone, in the absence of a concrete suspicion of any wrongdoing or any other criterion that would limit the scope of the data collection. Even though e-mails have now been excluded from the German draft law, it still orders telecommunications providers to stockpile traffic and location data without any specific preconditions.

Another problem with the proposal is the planned protection of people with a duty for professional secrecy. While clerical and social institutions as well as government authorities in these fields are entirely exempt from the collection of metadata, traffic and location data of other professionals who equally depend upon confidentiality (like lawyers, doctors, pharmacists, psychotherapists, tax consultants and journalists) will be stored. The draft law nonetheless forbids government authorities to access this data. Apart from the fact that it defies logic to store data for the purpose of not using it later, this approach puts highly sensitive personal data at the risk of being stolen and abused by criminals and intelligence agencies. The fact that this already happened in the UK shows that this is not a just a hypothetical risk.

More importantly, this approach also violates the principles of equal treatment and legal certainty laid down in the German Constitution. There is no objective reason to consider the communications of clerical and social institutions worthier of protection than those of lawyers and doctors, rendering this differentiation entirely arbitrary. Also, it remains unclear how the protection is supposed to work in practice. There is no obvious non-intrusive way to manage this unpredictable distinction .

The list of defects in the draft law goes on and on, from the easily bypassed requirement of a judicial order to access the data, to a new offence of “data-fencing“ which threatens the work of journalists and whistleblowers. Still, with an 80 percent majority in the Parliament, the German government is simply ignoring all the protest and criticism, recklessly pushing the law into existence. This also means that the European Commissioner for Digital Economy and Society, Günther Oettinger, will soon have a chance to back up his words with deeds. In the hearing before the European Parliament on the occasion of his inauguration as a Commissioner, Oettinger announced that he will launch an infringement procedure against any Member State that attempts to introduce a law on data retention after the CJEU ruling.

Lack of protection due to the end of data retention?
https://www.mpg.de/5000721/vorratsdatenspeicherung.pdf

UK admits unlawfully monitoring legally privileged communications (18.02.2015)
http://www.theguardian.com/uk-news/2015/feb/18/uk-admits-unlawfully-monitoring-legally-privileged-communications

(Contribution by Volker Tripp, EDRi member Digitale Gesellschaft, Germany)

EDRi-gram_subscribe_banner

Twitter_tweet_and_follow_banner

close
06 May 2015

Slovakia: Mass surveillance of citizens is unconstitutional

By Guest author

Slovakia’s data retention law is now history. On 29 April, the Constitutional Court of the Slovak Republic ruled that the mass surveillance of citizens is unconstitutional. The decision was made in the context of proceedings initiated by 30 Members of the Parliament on behalf of the European Information Society Institute (EISi), a Slovakia-based think-tank.

In a non-public session, the Grand Chamber of the Constitutional Court (PL. ÚS 10/2014) ruled that provisions of Act on Electronic Communications (Act No. 351/2011 Coll.), which until now required mobile network providers to track the communication of their users, as well as provisions of the Penal Code (Act No. 301/2005 Coll.), and the Police Force Act (Act No. 171/1993 Coll.), which allowed access to this data, to be in contradiction to the constitutionally guaranteed rights of citizens to privacy and personal data. As a consequence, these provisions lost their binding effect.

According to now invalid provisions of the Electronic Communications Act, the providers of electronic communications were obliged to store traffic data, location data and data about the communicating parties for a period of six months (in the case of Internet, email or Voice over IP (VoIP) communications) or for a period of 12 months (in case of other communications). Data about unsuccessful calls was also stored for the same periods. Moreover, the legal framework regulating the access to data retention data was completely arbitrary and considerably less stringent than comparable provisions on wire-tapping.

In the opinion of EISi, the introduction of these obligations constituted a substantial encroachment upon the private life of individuals – especially because this mandated a blanket monitoring of all inhabitants of Slovakia, regardless of their innocence or prior behaviour. The data retention requirements mandated that every day the data about every inhabitant of Slovakia must be collected, amassing a profile of who called whom, to whom someone sent an SMS or email, when the person sent it, from which location, using what type of device or service, how long the communication took, and many others details. It almost goes without saying that combining of all this information made it possible to perfectly analyse the movements of every inhabitant of Slovakia using a mobile phone or the internet. This allowed the behaviour, circle of acquaintances, hobbies, health, sexuality and other information that citizens might prefer to keep to themselves to be predicted.

The decision marks an end to EISi’s five-year battle against mass surveillance. Soon after the launch of the now unconstitutional data retention requirements, EISi authored a short report pointing out the basic discrepancies between the Act on Electronic Communications (“the Act”) and its data retention provisions, and the fundamental rights embodied in the Slovak constitution, the EU Charter of Fundamental Rights and Freedoms, and the Convention for the Protection of Human Rights and Fundamental Freedoms. This report was then presented in the form of a motion to two local authorities, which, despite the evidence, reached the view that the data retention provisions do not lead to an interference with the fundamental rights and freedoms of citizens. , and no proceedings before the Constitutional Court were initiated.

EISi then put together a submission for the Constitutional Court, and started asking for the support of the Members of the Parliament, who can also initiate such a constitutional review. The submission gained the support of the required number of MPs, 30 signatures, and a motion was filed before the Constitutional Court successfully.

The decision of the Constitutional Court of the Slovak Republic was issued almost a year after the Court of Justice of the European Union (CJEU) proclaimed the Data Retention Directive invalid in the spring of 2014. At that time, the Constitutional Court of Slovakia promptly reacted by suspending the collection of data through a preliminary measure. By the virtue of the decision on 29 April, data collection was completely cancelled.

So far, only the final outcome of the decision is known. The reasoning of the court is expected to be available within three months.

EISi’s press release: The Slovak Constitutional Court cancelled mass surveillance of citizens (29.04.2015)
http://www.eisionline.org/index.php/en/projekty-m-2/ochrana-sukromia/109-the-slovak-constitutional-court-cancelled-mass-surveillance-of-citizens

Slovak Constitutional Court Suspends Data Retention Legislation (23.04.2015)
http://www.eisionline.org/index.php/en/projekty-m-2/ochrana-sukromia/74-us-data-retention-suspension

Data Retention before the Slovak Constitutional Court
http://www.eisionline.org/index.php/en/projekty-m-2/ochrana-sukromia/49-slovak-case-on-data-retention

The quest for privacy in Slovakia: The case of data retention
www.giswatch.org/en/country-report/communications-surveillance/slovak-republic

(Contribution by Matej Gera, European Information Society Institute – EISi, Slovakia)

EDRi-gram_subscribe_banner

Twitter_tweet_and_follow_banner

close
22 Apr 2015

Hungarian data retention case: ORG, PI & scholars file amicus briefs

By Guest author

EDRi member Open Rights Group (ORG), Privacy International and a group of internationally acknowledged experts filed amicus curiae briefs with the Hungarian Constitutional Court. The case has been brought by the Hungarian Civil Liberties Union (HCLU) against two major service providers, in an attempt to force the Hungarian Constitutional Court to repeal the Hungarian Electronic Communications Act.

“A year ago, the Court of Justice of the European Union (CJEU) ruled that blanket data retention interferes with our fundamental rights to privacy and the protection of our personal data. ORG has already intervened in a case challenging data retention in the UK and hope to see other European countries repeal national legislation that forces companies to keep everyone’s personal communications data,”

said Elizabeth Knight, Legal Director of Open Rights Group.

The submissions focus on the importance of EU law and why the Hungarian law does not comply with it. Open Rights Group and Privacy International emphasise in particular in their submission the need for carefully calibrated EU rules in the field of surveillance and data protection, the significance of the retention of ”communications data” or “metadata”, the seriousness of data retention as an interference with human rights, and the need for effective remedies in national legal systems to address breaches of EU law.

The final ruling of the Hungarian Constitutional Court is expected in one month.

The amicus curiae submissions of Open Rights Group and Privacy International (08.04.2015)
https://www.openrightsgroup.org/assets/files/legal/ORG_PI_Hungarian%20Constitutional%20Court%20submissions_final.pdf

The amicus curiae submissions of the group of international scholars (15.03.2015)
http://tasz.hu/files/tasz/imce/2015/amicus_brief_hungary_data_retention_law_ac_final.pdf

HCLU litigates Hungarian service providers to terminate data retention (13.10.2014)
http://tasz.hu/en/data-protection/hclu-litigates-hungarian-service-providers-terminate-data-retention

Press Release: Open Rights Group files amicus brief in Hungarian data retention case
https://www.openrightsgroup.org/press/releases/open-rights-group-file-amicus-brief-in-hungarian-data-retention-case

EDRi-gram: Hungarian Data Retention Law – challenged at the Constitutional Court (04.06.2008)
https://edri.org/edrigramnumber6-11hungary-data-retention-constitutional/

(Contribution by EDRi member Open Rights Group, United Kingdom)

EDRi-gram_subscribe_banner

Twitter_tweet_and_follow_banner

close
25 Mar 2015

In Germany, Data Retention refuses to die

By Guest author

The debate is intensifying in Germany on whether telecommunications data retention should be reintroduced. At the centre of the controversy is Sigmar Gabriel, the leader of the Social Democrats (SPD, the smaller party in Germany’s “grand coalition” government since 2013), and consequently a government minister for the economy and chancellor Angela Merkel’s deputy. Gabriel’s role is pivotal because his party would be the focus of any hope of balancing calls for data retention from the larger coalition partner, the Christian Democrats (CDU/CSU).

Data retention has been judged, twice, to illegally violate fundamental rights under the German constitutioanl framework. In March 2010, a ruling by Germany’s Federal Constitutional Court struck down Germany’s national data retention law that had implemented the European Union’s Data Retention Directive since the end of 2007. In April 2014 the Directive itself was invalidated by the Court of Justice of the European Union (CJEU).

This U-turn has happened almost simultaneously with another major shift in policy for the SPD, which changed the party’s position on the transatlantic free-trade agreement TTIP, to which it was previously opposed.

On data retention, Gabriel has surprised many with the strange range of arguments he has used to defend his position. He says he never really opposed the measure, in fact he voted for its introduction in 2007. But since the European Commission gave up its plans to introduce a new Data Retention Directive after the CJEU’s ruling, it has become clear that the plan is to leave it to Member States to muddle their own ways through this question.

After the recent terrorist attacks in Paris and Copenhagen Gabriel has shown little restraint on using just any event or argument to portray data retention as indispensable. This includes the claim that data retention was an important means for Norway to deal with right-wing terrorist Anders Breivik’s attacks in 2011. This seems weird as Norway didn’t have a law for data retention in 2011 and still doesn’t have one today. After making this claim twice and being challenged on this, the latest statement from the SPD is that Norway used the instrument without legal basis, with support from US secret services. So, allegedly Norway’s authorities have disregarded their own country’s law and relied on organisations known to operate without any regard for legal boundaries, whose methods may or may not fall under the European definition of telecommunications data retention. How this should make Europeans accept a surveillance instrument whose effectiveness is questionable and which clearly requires strict legal controls is hard to imagine, probably even for Gabriel himself.

Other examples of fact bending include a claim that the previous data retention law had been the work of a Christian Democrat-Liberal government, when in fact it was introduced in 2007 by a previous CDU–SPD “grand coalition” (in which Gabriel himself served as environment minister), and misrepresentations of the points were the Constitutional Court ruling of 2010 had found fault with that previous law.

Sigmar Gabriel has now made up his mind that the time has come to work on a new German data retention law and push it through the Bundestag. He has recently instructed SPD’s Heiko Maas, Minister of Justice, previously an outspoken sceptic of data retention, to come up with a draft law in cooperation with the Interior Minister, CDU’s Thomas de Maizière. Getting a majority in Parliament will not be a problem, given the coalition’s almost 80-percent majority of seats. But what the true motives are and how the measure could be seen as constitutional after the court rulings, remains a mystery.

Data retention is Norway must actually be called NSA (only in German, 20.03.2015)
https://netzpolitik.org/2015/journalisten-sind-keine-buerger-und-vorratsdatenspeicherung-in-norwegen-heisst-in-wahrheit-nsa/

SPD leader Sigmar Gabriel calls for data retention to be reintroduced (only in German, 15.03.2015)
https://netzpolitik.org/2015/spd-chef-sigmar-gabriel-fordert-wiedereinfuehrung-der-vorratsdatenspeicherung/

Sigmar Gabriel retains misapprehensions (only in German)
http://www.taz.de/!156871/

An almost impossible law (only in German, 23.03.2015)
http://www.zeit.de/digital/datenschutz/2015-03/vorratsdatenspeicherung-heiko-maas-sigmar-gabriel-gesetz

(Contribution by Sebastian Lisken, EDRi-member Digitalcourage, Germany)

EDRi-gram_subscribe_banner

Twitter_tweet_and_follow_banner

close
25 Mar 2015

Denmark plans to preserve illegally collected medical data

By Guest author

In Denmark, a controversial plan to prevent illegally collected medical data from being deleted has become a hot topic for the government. The plan involves transferring the data to the National Archives, which has an exemption in the Danish data protection act.

Under the Danish health care act, general practitioners can transfer medical data to a third party without consent from the patients if it is done for limited groups of patients and if analysis of the data can be used to improve the treatment of patients. This provision was used to create a central database known as Danish General Practice Database (DAMD) with the Region of Southern Denmark as the data controller.

DAMD was limited to the diagnosis for diabetes at the outset in 2007, but within a couple of years, all ICPC diagnosis data from general practice was being transferred to DAMD. This is clearly illegal, since the data collection without consent is no longer done only for limited groups of patients.

In November 2014, the Danish Minister for Health and the Region of Southern Denmark finally admitted that most of the medical data in DAMD is collected illegally. The natural next step would have been to delete the illegally collected data, but the Minister for Health stated publicly that he would prefer that this does not happen.

Within a week of the comment by the Minister for Health, the Danish National Archives suddenly decided that DAMD is a unique database which should be preserved at the National Archives. The data protection act has an exemption for transfer of personal data to the Danish National Archive, so that this can be done without consent. Based on an administrative authority in the national archive law, the Danish National Archives instructed the Region of Southern Denmark to retain the illegally collected medical data until further notice.

Privacy activists, including EDRi-member IT-Pol Denmark, object to this blatant abuse of the national archive law to essentially whitewash an illegal data collection of highly sensitive medical data. The Ministry of Culture has the responsibility for the National Archives. After an initial promise to delete the illegally collected data by mid February 2015, the culture minister Marianne Jelved decided to preserve DAMD at the National Archives.

Together with this decision, the minister proposed an amendment to the archive law which blocks access to illegally collected medical data for up to 230 years. However, these restrictions can always be removed by another amendment in a couple of years (the amendment law must be revised after no more than five years). Moreover, no assessment has been made of the costs of storing the highly sensitive medical data securely for 230 years, so that it could be used for historical research starting in 2245.

While the Danish government and parliament consider the fate of the DAMD database, Danish citizens can use their right under the data protection act to demand that their own illegally collected data is deleted. However, the order from the Danish National Archives prevents the data controller from deleting the entire DAMD database.

On 18 March, the Ministry of Culture was forced to admit that the Danish National Archives have used an inappropriate administrative order for demanding that DAMD is preserved. The correct administrative order for records held by the Danish regions places DAMD in the category of records to be discarded when no longer needed. The Ministry of Culture apparently sees this as a minor problem which can be solved simply by issuing an amended administrative order which places DAMD in the preservation category. However, before the new administrative order can take effect, there must be a formal consultation period. The deadline for consultation responses is set at 27 March, and the new administrative order will take effect from 7 April.

On 19 March, the Region of Southern Denmark found out that there is currently no proper legal basis for demanding the preservation of DAMD by the National Archives, and decided that the entire database will be deleted. Rather than just doing it, the region sent a letter to the Ministry of Culture stating that DAMD will be deleted on 24 March at noon.

The Danish National Archives and the Ministry of Culture responded almost immediately to this “threat” of restoring the rule of law by deleting illegally collected medical data. On 20 March, the deadline for the consultation was moved forward to March 23 (giving one working day for consultation responses), and the new administrative order will take effect on March 24, just in time to prevent the planned deletion of the entire DAMD database.

The only public comment from the Minister of Culture on these absurd developments is that the illegally collected medical data must be preserved in order to document illegal acts in the public administration for future generations. This is a rather strange argument since the illegal data collection has been documented extensively in several reports from government agencies. Moreover, the proposed blocked access wouldn’t allow any exceptions for the first 120 years, and this would also prevent using the data to document the illegalities.

Who wins the race for deletion of our medical data in DAMD? DenFri (only in Danish, 22.03.2015)
https://www.denfri.dk/2015/03/kaploebet-om-sletning-af-damd/

Illegally collected health data will not be deleted under Danish law, Medium (15.12.2014)
https://medium.com/@chulu/illegally-collected-health-data-will-not-be-deleted-under-danish-law-e72d934f5124

Danish General Practice Database
http://www.dak-e.dk/flx/en/danish-general-practice-database/

The Danish National Archives (Rigsarkivet)
https://www.sa.dk/en/

(Contribution by Jesper Lund, EDRi-member IT-Pol, Denmark)

EDRi-gram_subscribe_banner

Twitter_tweet_and_follow_banner

close
23 Mar 2015

EU trade secrets Directive: threat to free speech, health, environment and worker mobility

By Maryant Fernández Pérez

STATEMENT (pdf) 23 March 2015 (updated from 17 December 2014)

Multi-sectoral civil society coalition calls for greater protections for consumers, journalists, whistleblowers, researchers and workers

We strongly oppose the hasty push by the European Commission and Council for a new European Union (EU) directive on trade secrets because it contains:
– An unreasonably broad definition of “trade secrets” that enables almost anything within a company to be deemed as such;
– Far-reaching legal remedies for companies whose “trade secrets” have been “unlawfully acquired, used or disclosed”, including provisional and precautionary measures, damages and secrecy rights throughout the judicial process; and
– Inadequate safeguards that will not ensure that EU consumers, journalists, whistleblowers, researchers and workers have reliable access to important data that is in the public interest.

The proposal must be amended to ensure that only information acquired, disclosed or used by third parties with intention of commercial gain is protected under the directive.

Specifically, we share great concern that under the draft directive:

– The right to freedom of expression and information could be seriously harmed because the proposed directive does not guarantee the protection of journalists and whistleblowers. Under the proposed directive, journalists and whistleblowers must show that “…the alleged acquisition, use or disclosure of the trade secret was necessary for such revelation and that the respondent acted in the public interest”. Unfortunately, determining whether disclosure was necessary can often only be evaluated afterwards. In addition, the limitation of the right to disclose and use trade secrets to reveal “wrongdoing”, “misconduct” or to protect a “legitimate interest” would allow for sanctions to be applied even when the information ought to be in the public domain, such as planned redundancies and detrimental effects on health and the environment. The proposed directive should be amended to exempt information acquired, used or disclosed in the public interest.
– The mobility of EU workers could be undermined. The proposed directive poses a danger of lock-in effects for workers. It could create situations where an employee will avoid jobs in the same field as his/her former employer, rather than risking not being able to use his/her own skills and competences, and being liable for damages. This inhibits career development, as well as professional and geographical mobility in the labour market.
– Companies in the health, environment and food safety fields might use the directive to refuse compliance with transparency policies, even when the public interest is at stake. The proposed directive should be amended to ensure that (1) it does not cover information that must, by law (including international law), be disclosed by public authorities under public access to information legislation and (2) it excludes regulatory data of public interest that is needed for public scrutiny of regulatory authorities’ activities.

Health: Pharmaceutical companies argue that all aspects of clinical development should be considered a trade secret; however, access to biomedical research data by regulatory authorities, researchers, doctors and patients—particularly data on drug efficacy and adverse drug reactions—is critical to protecting patient safety and conducting further research and independent analyses. This information also prevents scarce public resources from being spent on therapies that are no better than existing treatments, do not work, or do more harm than good. Moreover, disclosure of pharmaceutical research is needed to avoid unethical repetition of clinical trials on people. The proposed directive should not obstruct recent EU developments to increase sharing and transparency of this data.
Environment: The directive must be amended to comply with the EU’s international obligations under the United Nations Aarhus Convention, which prevents public authorities from protecting the secrecy of information on emissions into the environment and requires active dissemination of information enabling consumers to make informed environmental choices. Therefore, the definition of “trade secret” should be amended to remove information on emissions from the scope of the proposed directive and companies should be prevented from using the directive to refuse disclosure of information on hazardous products, such as chemicals in plastics, clothing, cleaning products, and other activities that can cause severe damage to the environment and human health, including the dumping of chemicals and fracking fluids.
Food safety: Under EU law, all food products, genetically modified organisms and pesticides are assessed by the European Food Safety Authority (EFSA). EFSA assesses the risks associated with these products based on studies performed by manufacturers themselves. Scientific scrutiny of the EFSA’s assessments is only possible with complete access to these studies; therefore, this data must be removed from the scope of the directive.

Despite the Commission’s desire for a “magic bullet” that will keep Europe in the innovation game, without amendment, the proposed directive may make it more difficult for the EU to engage in open and collaborative forms of research. In fact, there is a risk that the measures and remedies provided in this directive will undermine legitimate competition and even facilitate anti-competitive behaviour. Unsurprisingly, the text is strongly supported by multinational companies.

Industry coalitions in the EU and the United States (US) are lobbying, through a unified Trade Secrets Coalition, for the adoption of trade secret protection. In the US, two new bills are pending before Congress. If passed, these texts would allow trade secret protection to be included in the Transatlantic Trade and Investment Partnership (TTIP)—something that will be incredibly difficult to repeal in the future through democratic processes. Given that TTIP is expected to set a new global standard, its potential inclusion of trade secret protection could have devastating consequences.

We urge the Council and the European Parliament to amend the directive by limiting the definition of what constitutes a trade secret and strengthening safeguards and exceptions to ensure that data in the public interest cannot be protected as trade secrets. The right to freely use and disseminate information should be the rule, and trade secret protection the exception.

For additional information or comment, please contact Walter van Holst (walter@vrijschrift.nl), representing EDRi and Vrijschrift.

close
12 Mar 2015

Dutch data retention law struck down – for now

By Guest author

Published originally by EDRi-member Bits of Freedom 

And then everything went BANG: from our Twitter-timeline to the champagne bottle at our office. This morning the court annulled the data retention law. Effective immediately. But what exactly did the judge say and what will happen now?

The data-retention law requires telecom providers to save communication- and location data from everyone in the Netherlands for as long as a year. The law, and the judges agreed, heavily impacts our freedom.

An infringement of this magnitude requires proper safeguards

The District court of The Hague decided we no longer have to blindly trust the Dutch government. The law’s underlying European directive was meant as a tool in the fight against serious crimes. The Dutch law, however, is much more expansive, including everything from terrorism to bike theft. During the hearing, the state’s attorneys avowed that the Public Prosecution does not take the law lightly, and would not call on the law to request data in case of a bicycle theft. The judge’s response: it doesn’t matter if you exploit the possibility or not, the fact that the possibility exists is already reason enough to conclude that the current safeguards are unsatisfactory.

Additionally, the court determined that insufficient thought has gone into how data is requested. Saving personal information for a lengthy amount of time is a huge infringement on privacy. Therefore, proper safeguards and guarantees are needed when it comes to acquiring access to this data. The judge deems it reasonable that before a request for information is granted, it is reviewed by a juridical entity or an independent administrative entity. During the hearing, a state’s attorney claimed that a district attorney counts as an independent entity. That claim was met with a wave of chuckles throughout the crowd, and now it turns out the court agrees that this is baloney – but you won’t catch a judge using smileys.

Furthermore, the court considered the substantiation of the necessity of the law. The State claims that the data retention law is necessary. This claim was illustrated during the hearing using a number of shocking criminal cases — but they failed to substantiate necessity. Regretfully, the court took this on board as a valid point, but mainly because during the preliminary injunction, this particular argument was not rebutted. Nonetheless, it is important to realize that necessity has not been proven: not in evaluations, not in the Parliament, and not during the preliminary injunction. The fact that no rebuttal was offered, doesn’t change that.

The question is: now what?

First of all, we have to wait for a response from the Ministry of Security and Justice. It is hard to predict what they’ll say. With the former Justice Minister Ivo Opstelten temporarly replaced by Stef Blok, all we can do is hope for the best, and prepare for the worst. We hope the ministry is finally convinced that the law, now and in the future, must be dissolved. And as far as the providers are concerned, they must part with the data they’ve been saving under the data retention law that has now been struck down. Update: KPN, Vodafone, Hi, XS4ALL, Telfort, BIT and Tweak have announced that they will cease to execute the data retention law.

What will happen on the long term is unclear. That is up to Parliament and Opstelten’s successor. As the law has already been struck down, it seems self-evident that the law in its entirety should be revoked. The political party GroenLinks has already submitted a proposal along these lines to Parliament. But one thing is clear: this is not a done deal.

Today the data retention law has been struck down. The government won’t leave it with that. Do you want us to continue to fight against the undirected and lengthy storage of our communication data? Support our cause!

Court ruling (only in Dutch, 11.03.2015)
https://tweakimg.net/files/upload/uitspraak-WBT.pdf

Twitter_tweet_and_follow_banner

close