The right to privacy is a crucial element of our personal security, for free speech and for democratic participation. It is a fundamental right in the primary law of the European Union and is recognised in numerous international legal instruments. Digital technologies have generated a new environment of potential benefits and threats to this fundamental right. As a result, defending our right to privacy is at the centre of EDRi’s priorities.

28 Jun 2017

Denmark allows massive retention of location data for mobile internet

By IT-Pol

On 24 May 2017, the Danish telecom regulator announced its decision concluding that the retention of location data for mobile internet usage is lawful. With the decision, the regulator allowed for massive data retention, which seriously undermines citizens’ right to privacy, since it means they can be tracked at all times and the data is being stored.

Under the Danish data retention law, mobile communications service providers must retain location data (cell ID) for telephone calls and SMS/MMS messages. There is no requirement to retain location data in connection with mobile internet usage. Smartphones generate internet traffic more or less constantly even when the device is not actively used, for example with updates from social media services. Therefore, a formal obligation or informal practice to retain location data for internet traffic effectively means that every movement in physical space of the citizen is registered and stored for a long period (12 months in Denmark).

The e-Privacy Directive 2002/58 only allows for providers of electronic communication services to retain traffic data, including location data, without consent from the subscriber if the data is required for billing or if there is a data retention requirement in national law. Location data for mobile internet traffic is not needed for billing, and there is no specific data retention requirement for this data in Denmark. The logical assumption would be that Danish mobile operators are not allowed to retain this information, even if they wanted to do so voluntarily for commercial reasons. However, in a somewhat surprising decision of 24 May 2017, the Danish telecom regulator concluded that the retention of location data for internet traffic is lawful.

A Danish citizen discovered, through a subject access request under the Data Protection Act, that his mobile operator retained a substantial amount of location data for internet traffic. In February 2016, this citizen filed a complaint with the Danish Business Authority, the telecom regulator responsible for the enforcement of the data protection rules of the e-Privacy Directive.

In its response to the complaint case, the mobile communications service provider TDC confirmed that location data is stored for so-called “state changes” in the network, which include start/end of an internet session, after 60 minutes of an uninterrupted session, after a certain volume of traffic, and when changing between different radio technologies (2G, 3G and 4G). TDC argued that this practice is necessary in order to comply with the data retention requirement for MMS traffic where the cell ID of sent and received messages must be retained. In the TDC mobile network, MMS messages are sent as data traffic, and the MMS traffic cannot be separated from the ordinary internet traffic. The cell IDs for internet traffic are retained based on pre-defined criteria related to data and network usage patterns, so the actual cell ID used when sending or receiving an MMS message is not directly available.

When law enforcement seeks access to communications metadata for a subscriber, TDC will match timestamps for MMS messages with the closest timestamp for the retained cell IDs for internet traffic in order to generate approximate cell IDs for MMS traffic. Law enforcement can also seek access to the full location data for internet traffic. Under Danish law (the Administration of Justice Act), law enforcement access to mobile location data, even if detailed in a way that it effectively records every movement of the citizen, is not restricted to investigation and prosecution of serious crime. Any offence that is subject to public prosecution is a legal ground for access to location data by the police. TDC was asked by the Danish Business Authority whether it would be possible to crosslink the cell IDs with MMS traffic immediately after collection and erase the records which are not related to MMS traffic. TDC responded that this procedure would compromise the data quality since the original location data (described as “raw data”) is no longer available.

The Danish Business Authority also asked the Ministry of Justice for an opinion on the interpretation of the Danish data retention rules. According to the Ministry of Justice, the obligation to retain location data (cell ID) for MMS traffic applies even if the mobile network is designed so that location data for other traffic types will have to be retained as well. This broad interpretation is hard to reconcile with data retention being an exception to the main rule in the e-Privacy Directive of erasure of traffic data. The Danish data retention law includes a provision similar to Article 1(1) and recital 13 of the now annulled Data Retention Directive 2006/24. The Directive limited the retention requirement to traffic data that is accessible (generated or processed) when supplying a communication service. In the present case, it could certainly be argued that location data for the MMS communication service is not accessible for the provider, especially as the procedure followed by TDC does not necessarily deliver the actual cell ID from which an MMS message is sent or received.

Based on the information received from TDC and the Ministry of Justice, the Danish Business Authority decided that the retention of location data for internet traffic by TDC is not in violation of the Danish law transposing the e-Privacy Directive. Retaining this data can be allowed, since there is a retention requirement for MMS traffic, and it would be disproportionate to require that TDC modifies its systems so that MMS and internet traffic are physically separated in the mobile network. In this regard, the Danish Business Authority accepted the argument from TDC that erasing the internet location records not related to MMS traffic – most likely all but a small fraction of the total set of location data – would compromise the traffic data that can be made available to law enforcement. The legal basis for this part of the decision seems somewhat questionable since the data retention law has no provisions on data quality or documentation for the retained data. All retained traffic data is presumably filtered or processed from a larger pool of traffic data that only exists temporarily in the network.

In the proportionality assessment of the decision, the Danish Business Authority also took into account that a revision of the Danish data retention rules is being planned, and that the Ministry of Justice intends to propose new requirements to retain location data for internet traffic. The decision mentions a pre-draft proposal for retention of location data for internet traffic which coincidentally is very close to what TDC is currently doing on the company’s own accord. However, this preliminary proposal by the Ministry of Justice for blanket retention of location data for internet traffic predates the Tele2 judgment of 21 December 2016, where the Court of Justice of the European Union (CJEU) clearly ruled that a blanket data retention requirement is illegal under European Union law. In March 2017, the Ministry of Justice accepted that the Danish data retention law would have to be changed as a consequence of the CJEU judgment. While a targeted data retention scheme could potentially include new requirements with location data for internet traffic, the overall setup would have to be distinctly different from the current practices of TDC which are based on retention of location data for all subscribers.

Decision by the Danish Business Authority on the processing and storage of mobile location data by TDC (only in Danish, 24.05.2017)

EDRi: Denmark: Our data retention law is illegal, but we keep it for now (08.03.2017)

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)



31 May 2017

EU discusses future of data retention: “Indiscriminate retention no longer possible”

By Guest author

This is a translation of an article originally written by Anna Biselli on Translation: Anna Biselli, Kirsten Fiedler.

The German government is maintaining its unswerving commitment to make communications data retention obligatory from July 2017 onwards. Meanwhile, different EU level groups and institutions are discussing if or how data retention measures are compatible with EU law. The reason for this is a ruling of the European Court of Justice (CJEU) in December 2016. It ruled the implementation of data retention in Sweden and the UK to be contrary to EU law, following its decision to invalidate the former EU Directive in 2014. According to the ruling, a “general and indiscriminate” retention is impossible – be it at the EU or the national level. The retention of communications data (who communicates, when, with whom and where) would only be permitted if there is a connection between the data and a specific purpose. Furthermore, data can only be retained for a specific time period and/or geographical area and/or a group of persons likely to be involved in a serious crime.

In January 2017, the EU’s interior ministers tried to find a solution to make data retention measures compatible with these restrictions. Then, in February, the Legal Service of the Council of the EU delivered an assessment of the ruling’s consequences on national data retention schemes and how traffic data can be used for law enforcement in the future. The Legal Service concluded that Member States can still retain data for the protection of national security or law enforcement under Article 15 of the current e-Privacy Directive.

General and indiscriminate retention obligation no longer possible

This conclusion is included in the version that is publicly accessible. However, two relevant paragraphs of the Legal Service’s assessment are missing and only available in the classified version published by The Legal Service states unambiguously

[…] that a general and indiscriminate retention obligation for crime prevention and other security reasons would no more be possible at national level than it is at EU level, since it would violate just as much the fundamental requirements as demonstrated by the Court’s insistence in two judgements delivered in Grand Chamber.

This means national laws for indiscriminate data retention will no longer be possible. The Legal Service also points out that the Commission’s proposal for a new e-Privacy Regulation would still allow providers to retain communications data for billing reasons.

Currently, a Council working group, the Working Party on Information Exchange and Data Protection (DAPIX), is working on an evaluation – according to their agenda for 10 April 2017 published by One of the questions discussed was: “What kind of measures could satisfy the Court’s criteria on access to data to meet the requirement of limiting the intervention of competent authorities to what is ‘strictly necessary and justified within a democratic society’?”

The working group wants to discuss which limitation factors could be considered regarding the geographical region and the time period of data retention and how independent oversight, demanded by the CJEU, could be implemented.

No analysis from the EU Commission yet

The Council of the EU is not the only institution discussing the future of data retention at EU level. Following the CJEU ruling in December 2016, the EU Commission asked the Member States to submit descriptions of the current situation in their countries. But according to a summary by the German Permanent Representation of a meeting of the Coordinating Committee in the area of police and judicial cooperation in criminal matters (CATS), the Commission was unable to indicate a date when their analysis would be ready and when it could issue specific guidelines on how to proceed further.

In 2015, EDRi contacted the Commission after the initial CJEU ruling and asked to investigate the data retention laws in EU Member States which appeared to be illegal. But, at that time, the Commission did not act and stated in a meeting with EDRi representatives that the CJEU ruling was too ambiguous to allow it to take legal action against specific Member States. This argument is hardly tenable after the second ruling.

Member States do not want to abandon illegal data retention practices

According to the German Permanent Representation’s summary, Slovenia and Austria assume that the only possibility for legal data retention would be the “quick freeze” method. According to this method, communications traffic data is not retained preventively but only after a judicial warrant. Usually, providers delete data in a timely manner, but if they receive a warrant they would “freeze” this data to make it available for law enforcement purposes.

The document highlights that most Member States do not want to abstain from data retention and now try to find a solution that cannot be instantly declared invalid by a court again. The options currently discussed are “quick freeze” and data retention through the back door.

German solo run

Germany did not wait for the consultations at EU level to introduce preventive and indiscriminate data retention. The German government is ignoring the fact that all indicators suggest that the German text is incompatible with EU law. The German implementation contains neither temporal or geographical references nor links to serious crime, nor does it limit the number of persons affected – which is why the Research Services of the German Bundestag already concluded that it is in violation of EU law.

Nevertheless, the German government claims that the law is constitutional and in line with EU law. This is rather puzzling because it also states that the assessment of the consequences of the CJEU ruling was not completed in February. And it still isn’t completed today – one month before the start of the retention obligation for providers in Germany.

Despite all concerns, the German Minister of the Interior Thomas de Maizière demanded to expand data retention to online messaging services and other media services. However, this is unlikely to happen during the remaining legislative term. The will to continue indiscriminate and patently illegal data retention appears to be strong both at the German and the EU levels.


08 Mar 2017

Is Telefónica offering real transparency and control?


Our data is extremely precious for technology companies. Internet and telecommunications services host and process huge amounts of personal data of their clients, based on often vague and confusing terms of service. The clients are rarely properly informed on what their data are being used for.

On 27 February, at the Mobile World Congress (MWC), Spanish telecommunications service provider Telefónica presented its project AURA, which it hopes to use to grab its share of data. AURA is an app that gives Telefónica’s clients “the possibility of managing their relationship with the company based on cognitive intelligence”. It processes personal data of the telecoms service provider’s clients and creates profiles of them. According to Telefónica, its clients will be able to access their data through the AURA app to check it and to decide whether they want to give a permission to share it with other internet giants.

The fact that clients can access their data and consult on it is something positive. However, according to the Spanish data protection law, we should also be able to demand that such data is not being processed at all without our consent.

As a telecommunications service provider, Telefónica collects data on its clients’ bills, messages and calls, payments, and so on. It also has access to the data of the masts to which clients’ devices connect when they are using their mobile (thereby producing location data), which web pages and services they visit and for how long, how many and what devices are connected to their router, and in some cases also which TV channels they are watching, and which series and movies they prefer. By processing the collected data with the artificial intelligence it has developed in collaboration with Microsoft, Telefónica can build profiles of its clients. By combining and analysing this data, it can create completely new data and draw new conclusions on its clients’ potential and probable behaviour.

Telefónica claims that its clients have the power to choose whether to share their data with third parties or not. It is yet to be seen how it will ask for this consent: in a clear and transparent manner, or pushing aggressively to accept the terms under which the data is shared, in exchange for attractive features or services. There is also a huge difference between sharing and having access to raw data and having access to the outputs of the analysis of that data.

Telefónica naturally tries to highlight the benefits of AURA. However, much will depend on the real choices being offered to individuals, the transparency that will be provided to them and the control that can be exercised by them.

Aura: Telefónica process and trade with your data while proclaims itself “warden” of your personal information

Telefónica presents AURA, a pioneering way in the industry to interact with customers based on cognitive intelligence



08 Mar 2017

Denmark: Our data retention law is illegal, but we keep it for now

By Guest author

On 2 March 2017, the Danish Minister of Justice appeared before the Legal Affairs Committee of the Danish Parliament to answer questions about the implications of the Tele2 data retention ruling (joined cases C-203/15 and C-698/15) from the Court of Justice of the European Union (CJEU).

In his statement to the committee, the Minister started by noting that the Danish government is still analysing the consequences of the judgment, but two conclusions are clear. First, EU law precludes a general and undifferentiated data retention scheme covering all subscribers. Secondly, EU law does not preclude a targeted data retention scheme for the purpose of fighting serious crime. The Minister of Justice then noted that the Danish data retention law covers all subscribers, similar to the data retention laws in the other Member States that currently have data retention. The unavoidable implication of this is that the current Danish data retention law does not comply with EU law, which the Minister of Justice admitted before the committee.

It is definitely noteworthy that this conclusion comes from the Danish Ministry of Justice after two months of undoubtedly very intensive internal analysis of the Tele2 judgment and presumably consultations with other Member States. In June 2014, there was also a meeting in the Legal Affairs Committee of the Danish Parliament, two months after the CJEU ruled on 8 April 2014 that the Data Retention Directive (2006/24/EC) was invalid. However, at that meeting, the Minister of Justice was able to get away with presenting a legal analysis with a very narrow interpretation of the 2014 CJEU judgment that allowed the minister to conclude that there was no reason to assume that the Danish data retention law was in conflict with the Charter of Fundamental Rights. At the committee meeting on 2 March 2017, no doubt about the interpretation of the new Tele2 judgment was possible: blanket data retention is illegal in the European Union.

In this situation, a country committed to the rule of law would take immediate steps to repeal the illegal legislation. In Denmark, this can be done very easily, since the Danish data retention law authorises the Minister of Justice to lay down the specific data retention requirements in an administrative order. A simple executive decision by the Minister of Justice, repealing the illegal data retention administrative order (”logningsbekendtgørelsen”), would suffice to uphold the rule of law in Denmark.

However, this will not happen in the immediate future. Despite being unable – twice – to convince the Court of Justice of the EU of this, the Minister of Justice still argues that data retention is simply too valuable for the Danish police. Therefore, the current blanket data retention will simply continue without any change until new rules for targeted data retention have been fully implemented. The Minister of Justice claims that the EU Commission has not made any demands to the Danish government to repeal the current (illegal) data retention rules.

The projected timeline for the future process is somewhat unclear, although the next parliamentary year was mentioned tentatively at the meeting. Currently, the Danish government is consulting with the other Member States and the EU Commission on interpreting the Tele2 ruling and in particular how targeted data retention should be defined. Another requirement for the Minister of Justice is that the targeted data retention scheme is technically feasible for the telecommunications operators, and consultations with the telecommunications industry on this are ongoing. When a technically feasible targeted data retention plan is available, the Minister of Justice will present a legislative proposal to the Danish Parliament, which eventually will lead to replacing the illegal data retention scheme with a new, hopefully legal, scheme.

The Minister of Justice made it clear that the future targeted data retention rules will even include the extensions for internet traffic that were planned under blanket data retention until just prior to the Tele2 judgment, possibly including internet connection records (introduced in the United Kingdom with the Investigatory Power Act). Retention of internet connection records was a massive failure when used between 2007 and 2014 in Denmark (under the old name “session logging”). Just before the Tele2 judgment in December 2016, the working plan of the Ministry of Justice was to re-introduce internet connection records for subscribers with Carrier Grade Network Address Translation (CG-NAT) connections.

At the committee meeting on 2 March 2017, the Minister of Justice described the future process towards targeted data retention as an ”adjustment of the current data retention rules”, and he emphasised the importance of ensuring that the police and intelligence services would continue to have the necessary tools to protect the population, as had been the case for the past 10 years with data retention. Here, the Minister of Justice is clearly confusing the use of telecommunications metadata in police investigations with mandatory data retention. Danish police have systematically used available telecommunications metadata in investigations for the past 20 years, and mandatory data retention only took effect on 15 September 2007.

While the Minister of Justice repeatedly referred to the ongoing EU consultations and that the EU Commission is currently preparing guidelines for targeted data retention, there was also some informal discussion of the issue among the Members of Parliament (MPs) that participated in the committee meeting. MPs in favour of data retention were clear about their intentions: data retention should allow the police to look into the past for suspects that were unknown at the time of the crime. This sounds very much like blanket data retention, and the word targeted is only used because the CJEU has made it very clear that EU law only allows targeted data retention. There seems to be little doubt that the Danish government, backed by a clear majority in Parliament, will push the scope of targeted data retention, once this concept has been defined, to the legal limit of EU law in the future revision of the Danish data retention rules.

EDRi: Denmark: Data retention is here to stay despite the CJEU ruling (04.06.2014)

Webcast of meeting in the Legal Affairs Committee of the Danish parliament (in Danish, 02.03.2017)

EDRi: Danish government postpones plans to re-introduce session logging (23.03.2016)

Minister of Justice continues illegal surveillance, Information (in Danish, 03.03.2017)

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)



08 Mar 2017

German intelligence agency violates freedom of the press

By Guest author

EDRi observer Reporters Without Borders Germany is appalled by the apparently targeted surveillance of foreign journalists by the Bundesnachrichtendienst (BND), Germany’s foreign intelligence agency. As reported by the Spiegel, the BND spied on at least 50 telephone numbers, fax numbers and email addresses belonging to journalists or newsrooms around the world in the years following 1999.

“We have long feared that the BND has monitored journalists as part of its massive filtering of communications data. The targeted surveillance revealed by the Spiegel investigation is a massive violation of the freedom of the press,” said Christian Mihr, executive director of Reporters Without Borders Germany. Press freedom “is not a right granted by the graciousness of the German government, it is an inviolable human right that also applies to foreign journalists.”

According to documents seen by Spiegel, among the targets were the British BBC in Afghanistan and London, the New York Times in Afghanistan, as well as mobile and satellite telephones of the news agency Reuters in Afghanistan, Pakistan and Nigeria.

In October 2016 the German Parliament (Bundestag) passed the new law governing the BND. Exemptions protecting journalists, such as those in paragraph 3 of Germany’s so-called G10 law – a law specifying the restrictions that can be placed on the constitutional right to the confidentiality of email and telecommunications – are completely absent from the law.

The BND law allows the German foreign intelligence agency to carry out mass surveillance and monitor Europeans, with certain restrictions, and citizens of third countries whenever this can ensure the “capacity for action” of Germany or bring “new findings of significance to foreign and security policy”. Foreign journalists can thus quickly be targeted by the German foreign intelligence – especially when they exchange information about politically sensitive issues. The bill allows, for example, the BND to place the New York Times under surveillance if the newspaper received confidential information that the German authorities regarded as sensitive. This means that the new BND law legalises what the foreign intelligence agency did illegally before, that is spying on foreign journalists, as revealed by the Spiegel. “The reform of the BND bill was already a clear breach of the constitution. It does not alter the current practice of monitoring journalists,” said Christian Mihr.

Together with other journalist associations and under the leadership of the Society for Civil Rights, Reporters without Borders is preparing a constitutional challenge to the new BND law.

BND violates freedom of the press

Documents Indicate Germany Spied on Foreign Journalists

(Contribution by EDRi observer Reporters Without Borders Germany)



08 Feb 2017

Proposed surveillance package in Austria sparks resistance

By Guest author

The Austrian coalition parties renegotiated their government programme in January 2017. This new programme contains a so-called “security package” that encompasses the introduction of several new surveillance measures and additional powers for the Austrian security agencies. These changes in the law are to be implemented by June 2017.

However, so far no evaluation of already existing surveillance measures and investigatory powers has been carried out. Furthermore, it is doubtful that the new measures will bring about an increase in security, whereas they will severely limit the fundamental right to privacy and dial back on existing data protection measures.

The following measures are outlined in the newly agreed government programme:

Networked CCTV monitoring: The Austrian Minister of the Interior Wolfgang Sobotka has repeatedly demanded “all-encompassing surveillance” of public spaces by linking already deployed CCTV cameras operated by both private and public entities, and even transmitting the footage to investigative authorities in real time. The implementation of this kind of surveillance apparatus would effectively create a true panopticon affecting every citizen. However, in light of the terrorist attack in Nice in mid-July 2016 on a promenade monitored by several surveillance cameras, any preventive effect of the surveillance of public spaces is highly doubtful, even with respect to conventional crimes: The Police Directorate of Vienna has removed 15 out of its 17 CCTV installations during the recent years due to high operating costs and no discernible benefits in combating crime.

Automatic license plate recognition: The government wants to implement a system which would recognise all licence plate numbers and retain details of the movements of all vehicles on Austrian highways. In 2007, the Austrian constitutional court decided in a similar case (Section Control) that surveillance of car drivers is only permitted for a few determined routes and that number plate information can only be retained if the vehicle was driving too fast or is on an official wanted list. The new government programme facilitates an unjustified storage of movements for all vehicles, which is very alarming.

Government spyware: In 2016 there was a legislative proposal to legalise the use of government spyware on electronic devices of Austrian citizens. Due to massive criticism from a legal and technical perspective, the Austrian Minister of Justice Wolfgang Brandstetter withdrew the proposed law. In 2008 a commission of constitutional experts under Professor Bernd-Christian Funk came to the conclusion that government spyware is not in line with Austrian constitutional law. Nonetheless, the Austrian government has started a third attempt to pass a legal basis for this unconstitutional measure.

Data Retention Directive 2.0: The Austrian data retention law was abolished by the Austrian constitutional court in 2014 due to its unconstitutionality and violation of fundamental rights. The European Court of Justice (CJEU) confirmed this decision in December 2016 by passing an even further reaching verdict against this type of unfounded mass surveillance. Nevertheless, the new government agreement contains plans for a “quick freeze” based retention of telecommunication data. The final legislative text will have to be scrutinised carefully to determine whether it is in line with recent CJEU rulings.

Registration of prepaid SIM cards: The Austrian government plans to forbid unregistered prepaid SIM cards and thus to eliminate a way of communicating freely and anonymously with family members, help lines, and persons of trust (such as lawyers). Criminals can easily circumvent this by using foreign SIM cards or online messaging services, making the measure ineffective and disproportionate.

“Subversive movements”: It must be possible to criticise the state or institutions. The government wants to establish a criminal offense for the expression of opinions which undermine the authority of the state. This is a crucial development which stands against the fundamental principle of freedom of expression.

Electronic tags for non-convicted “endangerers”: Another critical demand in the security package is the introduction of electronic tags – a surveillance device locked to an individual’s body – for “endangerers”. But the term “endangerer” (“Gefährder”) is legally not defined and the federal government calls such a person a potential disturber and refers to an “abstract endangering situation” (“abstrakte Gefährdungslage”). So far, electronic tags have been used only for convicted perpetrators or in cases of strong suspicion. This extended use of electronic tags is highly problematic as it violates the principle of presumption of innocence. Similar discussions are ongoing in Germany.

Resistance has been mounting over the proposed extension of surveillance measures in Austria. EDRi observer, and other fundamental rights NGOs in Austria are working to mobilise the population to stop the unprecedented and unfounded surveillance measures in the new government programme to be enacted.

Surveillance package – government plans complete surveillance (only in German)

Surveillance: Cameras are being removed again (only in German, 28.01.2017)

Opportunity and risk of state spyware (only in German, 26.04.2016)

German “Bundestrojaner” – The dismantling of state spy software (only in German)

(Contribution by EDRi observer, Austria)



24 Nov 2016

Terrorism Directive: Document pool

By Maryant Fernández Pérez

I am convinced that the only effective way to tackle terrorism is firmly rooted in the respect of fundamental and human rights.

EU Security Union Commissioner Sir Julian King, 14 November 2016.

The European Commission proposed the Draft Directive on Combating Terrorism (the “Terrorism Directive”) in December 2015. Since then, the legislative process to adopt it has been fast-tracked, which has reduced the space for meaningful public participation, transparency and accountability.

On 17 November 2016, the Council of the European Union, the European Parliament and the European Commission concluded the so-called “trilogue”. This means that a political agreement was reached among the very few people representing the three institutions. Next, both the Council and the Parliament had to formally adopt the Directive. Amendments were possible, in theory. Indeed, there were some amendments tabled at the European Parliament. However, their adoption in practice was close to impossible. The Parliament formally adopted the provisional agreement as its “first reading position” on 16 February 2017. The Council formally adopted the Directive on 7 March 2017. EU Member States will have to give meaning to vague and unclear wording when implementing the Directive.

If the implementation is not done carefully, abuses to freedom of expression and privacy will be made in your Member State!

EDRi doesn’t give up and keeps pushing for a human rights agenda. In this document pool, you will find the relevant information, documents and analyses on the Terrorism Directive. We’ve been updating this document pool as the process advanced. Last update: 13 February 2018.

EDRi’s analyses and recommendations


Legislative Texts

More information in PRELEX (EU Database on preparatory acts), OEIL (European Parliament’s Legislative Observatory) and IPEX (Interparliamentary Exchange Platform).

EDRi’s blogposts and press releases





16 Nov 2016

State of emergency worsens digital crackdown in Turkey

By Guest author

According to a new report by Freedom House, web freedom across the globe declined for the sixth consecutive year. Turkey placed among the red-flag states in terms of web freedom in 2015-2016 and is now rated “not free” in the “Freedom on the net 2016” report after repeated blocking of social media. The country’s status score is “61/100 not free” with 13/25 for obstacles to access, 21/35 for limits on content and 27/40 for violations of user rights.


Turkey entered a state of emergency on 21 July 2016, and this will remain until 21 January 2017, if no further extensions are made by the government. Along with unprecedented attacks on media pluralism and the prosecution of journalists, writers, academics and public servants after the failed coup attempt, internet restrictions continue at an alarming rate in the country.

Tensions heightened in the country following general elections in June and November of 2015 and a series of deadly terrorist attacks. Gag orders on the dissemination of images and videos of the bombings were introduced by the authorities, resulting in the blocking of hundreds of websites – over 100 000 websites were reportedly blocked as of 2016. Gag order blocking continues to increase, affecting a wide variety of political, social, and religious content. Access to Facebook, Twitter, and YouTube was repeatedly throttled until the companies removed controversial content. Specific hashtags related to the bombing locations, like #Istanbul, #Ankara, and #Diyarbakir, were temporarily filtered from Instagram. Counterterrorism operations in the southeastern region of the country repeatedly resulted in the suspension of 3G networks, affecting millions of residents for days at a time. The most significant obstacle to internet access in Turkey remains the shutting down of telecommunications networks during security operations, mainly in the southeastern part of the country. These internet shutdowns are obvious violations of the right to information and access at a moment when internet access is of huge importance to individuals. Dozens of news agencies, media outlets and social media accounts covering Kurdish issues have been either blocked or shut down for allegedly promoting terrorist propaganda over the past year.

The most recent social media blockage that also included virtual private network (VPN) restrictions occurred starting on 4 November. Alternative Informatics Association (Alternatif Bilisim) released an emergency notice for further dissemination and international coverage. This strategic operation was also planned at a specific time when detainment and arrest of dissident politicians took place in southeast Turkey.

Turkey is consistently featured among the countries with the highest number of removal requests sent to Twitter. Of all of the tweets “withheld” by Twitter around the world in the second half of 2015, Turkey accounted for almost 90 percent. According to the Transparency Report, requests from courts and government agencies reached 2211 and rose to 2493 in the first half of 2016. In each reporting period, Twitter indicated it complied in 23 percent of cases. Twitter did file a court case after being fined by the Turkish information and communications technology authority (BTK) for failing to remove “terrorist propaganda”. Over the past year, hundreds of Twitter users faced charges of insulting government officials, defaming President Recep Tayyip Erdoğan, or sharing propaganda in support of terrorist organisations. In some cases, individuals, mostly journalists, have been imprisoned.

Privacy and data protection are also sensitive issues in Turkey. Even though a new data protection law has been adopted, how this law will be implemented still remains a mystery with the dismissal of the Turkish Telecommunications Authority (TIB) and transfer of all authority to BTK. The Alternative Informatics Association issued a press release on the massive data leak in March 2016, including the addresses, identity numbers, and other personal information of almost 50 million Turkish citizens. Binali Yildirim, Transport and Communication Minister at the time, admitted that the breach appeared to date back to at least 2010. An expert stated that the data was taken from the government’s official Population Governance Central Database (MERNIS) around 2009 and later illegally sold to foreclosure firms.

Active internet users and developers in Turkey were alarmed and shocked on 9 October 2016 when cloud storage services including Google Drive, Dropbox and Microsoft’s OneDrive as well as code hosting service GitHub were blocked by the government to suppress the leak of emails belonging to the Minister of Energy and Natural Resources Berat Albayrak, who is the son-in-law of President Erdogan. The ban was lifted after 48 hours following the public protest and pressure by prominent actors of the digital market.

Digital surveillance and cyber security measures are also worrisome for netizens in Turkey. Before the passage of the Homeland Security Act in March 2015, the law allowed Turkish security forces to conduct intelligence wiretapping for 24 hours in urgent situations without a court order. With the new law, the time limit was increased to 48 hours; the new requirement is that wiretapping officials notify their superiors. In addition, the Ankara High Criminal Court is solely authorised to decide whether the wiretapping is legitimate. It is necessary to mention that despite constitutional guarantees, most forms of telecommunication continue to be tapped and intercepted.

With social media purported to be a threat to national security, intrusive government surveillance and the proven use of sophisticated malware tools by law enforcement authorities, internet freedom is on a very negative course in Turkey.

Freedom on the net 2016: Silencing the messenger: Communication apps under pressure

Freedom on the net 2016: Turkey, country profile

To no one’s surprise, Erdogan backs extending Turkey’s state of emergency (29.09.2016)

New internet shutdown in Turkey’s Southeast: 8% of country now offline amidst Diyarbakir unrest (27.10.2016)

Emergency notice: Internet blockages in Turkey

Transparency report: Turkey

Twitter sues Turkey over ‘terror propaganda’ fine

Journalist detained in Turkey over tweets

Turkey blocks Google Drive, Dropbox, OneDrive and GitHub to stop email leaks

National Security Council under Erdoğan updates top secret national security “book”

EDRi: Turkey: “The worst menace to society” helps to defeat the coup

(Contribution by Asli Telli Aydemir, EDRi member Alternative Informatics Association, Turkey)



20 Jul 2016

Copyfail #9: Digital Rights Management (DRM): Restricting lending and borrowing books and music in digital format

By Diego Naranjo

This article is the ninth in the series presenting Copyfails.

The EU is reforming its copyright rules. We want to introduce you to the main failures of the current copyright system, with suggestions on how to fix them. You can find all the Copyfails here.

How has it failed?

We are able to lend a book to our friends, make photocopies of its pages, quote parts of the text, or sell our book to a second-hand bookshop. But with digital works like ebooks, CDs, or DVDs, users often face technical restrictions. You cannot lend your ebook to a friend (without lending your e-reader, too), or make a copy of your copy-protected DVD, not even for your own private use. Even if your government says you are allowed to, European and international law says companies are permitted to question it by using “Digital Rights Management” (DRM), software that limits copying.

DRM is a collection of systems used to protect copyright on electronic media, such as digital music and films, as well as computer software. It attempts to control the user’s ability to access, copy, transfer and convert material. Circumventing DRM technologies is forbidden in EU copyright law.

Given the fact that DRM is a blunt tool that does not take into consideration the legal freedoms to use copyrighted works for parody, citation, quotation, private copying and so on, not allowing the circumvention of DRM means in practice giving away all those rights. DRM, as a rule, takes all of those freedoms from you, in the name of stopping copyright violations.


Why is this important?

If someone puts a lock on something you own, you are not the owner. DRMs are digital locks which are put on your devices without asking your opinion or permission to install them and, even worse, without giving you the key. Copyright experts widely agree that DRM systems don’t achieve their intended purpose; they are bad for society, businesses and artists.

Copyright is supposed to guarantee that artists and creators get paid for their work – that there are incentives to creativity. Copyright should not be used as an excuse to restrict our freedoms or access to knowledge and learning. DRM does not fix the problem it is supposed to fix – unauthorised copying and exchanging of ebooks, music, and videos – and it adds unnecessary restrictions on legally acquired content.

How to fix it?


Read more:

Amazon Erases Orwell Books From Kindle (17.07.2009)

DRM Frequently Asked Questions

Electronic Frontier Foundation: DRM

Amazon wipes customer’s Kindle and deletes account with no explanation (22.10.2012)


19 Jul 2016

European Court confirms: Strict safeguards essential for data retention


Today, on 19 July 2016, the Advocate General (AG) Henrik Saugmandsgaard Øe of the Court of Justice of the European Union (CJEU) issued an Opinion in the case Tele2 Sverige AB v Post- och telestyrelsen (C-203/15), which deals with data retention obligations that were imposed by law on a Swedish telecom provider.

The Court was asked a set of questions related to the respect of European Union (EU) law, in the context of the data retention laws in Sweden and the UK. In the Opinion issued today, the AG re-stated principles that were previously established in the Digital Rights Ireland case. He also provided extensive further analysis of the legal context that national courts need to consider when they “rigorously verify that no other measure or combination of measures” can be as effective as the national data retention regime being proposed.

It is to be hoped that the final Court ruling will be respected by EU Member States. Sadly, since the Digital Rights Ireland case was decided in 2014, EU Member States have persisted in implementing or creating new legislation that wilfully ignores the principles previously established by the Court. The Advocate General made it unequivocally clear that all of the safeguards listed in the Digital Rights Ireland case must be respected by national laws.

It is time for EU Member States to start respecting the law. It is time for the European Commission to do its job to ensure that the law is respected,

said Joe McNamee, Executive Director of European Digital Rights.

How many times does the Court need to be asked the same question before EU Member States start listening? Data retention is an extreme measure which can only be implemented if the criteria repeatedly laid down by the Court are respected.

The European Commission should, at long last, start doing its job. So far, it has avoided taking a position on the numerous data retention laws in Europe that breach the principles that were established by the EU Charter of Fundamental Rights, clarified by the Court in 2014 and, today, re-stated by the Advocate General of the Court of Justice of the European Union.

Almost exactly a year ago, EDRi wrote to the European Commission Vice-President, Frans Timmermans, demanding action. In response, the Commission said that it would “monitor” thoroughly the data retention laws in the EU, but has so far avoided taking action. Time has run out for the Commission’s delaying tactics. It is now time – finally – to ensure that the law of the European Union is respected.

Read more:

Press Release from the CJEU on the Advocate General Opinion on the case (Case C-203/15) (19.07.2016)

European Commission will “monitor” existing EU data retention laws (29.07.2015)

European Digital Rights asks the European Commission to investigate illegal data retention laws in the EU (02.07.2015)