The right to privacy is a crucial element of our personal security, for free speech and for democratic participation. It is a fundamental right in the primary law of the European Union and is recognised in numerous international legal instruments. Digital technologies have generated a new environment of potential benefits and threats to this fundamental right. As a result, defending our right to privacy is at the centre of EDRi’s priorities.

11 Jul 2018

Danish High Court ruling on data retention use and file sharing cases

By IT-Pol

On 7 May 2018, the Eastern High Court in Denmark delivered a ruling that internet service providers (ISPs) are not required to disclose subscriber information in file sharing cases. This represents a major change of the previous legal practice in Denmark, where rightsholders were routinely granted access to subscriber information for alleged file sharers, even if the identification required access to retained data from mandatory data retention.

----------------------------------------------------------------- Support our work - make a recurrent donation! -----------------------------------------------------------------

Two Danish law firms have specialised in legal action against file sharers in cooperation with the German file sharing monitoring company MaverickEye UG, which is well known from similar activities in other European countries. MaverickEye monitors BitTorrent file sharing networks and collects IP addresses of the participants in the BitTorrent swarm. In order to verify that the copyrighted work is made available from the IP address in question, a small piece of the file is downloaded using a modified BitTorrent client. For each copyrighted work, MaverickEye provides information about IP addresses and timestamps to the relevant rightsholders or, in most cases, the specialised law firms that represents them. The next step is to seek a court order requiring the ISPs to identify the actual subscribers that have used the IP addresses at the specific time. This is the critical step and legal practice varies among EU Member States.

If the subscriber names and addresses can be obtained from the ISPs, the law firm can either file a lawsuit demanding compensation for copyright infringement or send a letter to the subscriber with a proposed settlement for the case. The latter is generally the preferred option since lawsuits are expensive, and the alleged copyright infringement using BitTorrent is often limited to a single film or TV-series episode/season. In Denmark, the settlement offer from the law firm has typically been a payment of 200 to 300 euros for a single film. Only a handful of lawsuits have been filed with Danish courts, so most claims have either been settled or dropped if the subscriber denies having taken part in the alleged file sharing activity.

Based on Danish case law for three file sharing cases at the two High Courts around 2008, the subscriber does not automatically become legally responsible for file sharing from the IP address. The rightsholder must prove who has committed the file sharing act in order to obtain compensation. This burden of proof can be very difficult to meet if the subscriber for instance has an open WiFi network, has allowed guests to use his/her internet connection, or if there are several persons in the household. Most subscribers are probably not aware of this, so it is quite likely that many cases have been settled by paying the offered settlement amount of 200 to 300 euros.

The current wave of legal action started in 2014, and according to information from the recent High Court ruling of 7 May 2018, the two Danish law firms have obtained subscriber information for some 200,000 IP addresses. This shows the massive scale of the monitoring operation of file sharing networks by MaverickEye. Access to subscriber information for a large number of IP addresses has also been reported in Sweden by TorrentFreak, incidentally involving the same Danish law firm as the present case.

Each court application for subscriber identification consists of a large number of IP addresses, for example 4000 IP addresses in the case ruled by the High Court on 7 May 2018. Because of the Danish data retention law, ISPs hold information about assignment of dynamic IP addresses for 12 months, so there is no urgent need for the law firm to quickly seek a court order for subscriber identification when information about the file sharing activity has been received from MaverickEye. A large batch of IP addresses from the same ISP can be collected before seeking the court order for subscriber identification from that ISP.

Until recently, this assembly-line strategy by the two law firms to send letters to alleged file sharers did not meet any legal challenges. In most cases, Danish ISPs do not object to a court application for subscriber information, and there is no court hearing for the application. The sole purpose of the court order, which is granted without any objections, is to provide a legal basis for the ISP to disclose the personal data (subscriber information) to the rightsholder.

However, between 2016 and 2017 the large Danish ISPs finally changed their response strategy and started to object to the court applications for subscriber information. Besides the administrative cost of handling the large number of requests for subscriber information and the increasing news media reporting of ISP customers complaining about file sharing allegations based on information obtained by law firms from their own ISP, the Tele2 data retention judgment (joined cases C-203/15 and C-698/15) of the Court of Justice of the European Union (CJEU) also played a major role.

According to the Tele2 judgment, general and undifferentiated (blanket) data retention is illegal under EU law. Moreover, access to the retained data, whether from (illegal) blanket data retention or targeted data retention, must be limited to what is strictly necessary. For criminal offences, the Tele2 judgment specifically states that access can only be granted for serious crime. Paragraph 115 of the Tele2 does not completely rule out that access to the retained data can be granted for civil claims, as there is an indirect reference to the Promusicae case C-275/06. However, when access to the retained data for criminal offences is strictly limited to serious crime, it does not seem to be proportionate to grant access to the retained data in civil proceedings involving only a minor copyright infringement, such as file sharing of a single film or TV series.

In a case involving Telenor and TeliaSonera, the District Court of Frederiksberg considered the data protection issues (noting that it was unclear whether this had been done in previous cases), but followed the established practice of ruling in favour of the rightsholder on 24 October 2017, that is ordering the disclosure of subscriber information. The ISPs appealed the court decision to the Eastern High Court. The ruling from the High Court on 7 May 2018, which reverses the ruling from the District Court and blocks disclosure of the subscriber information, is mainly based on an interpretation of the e-Privacy Directive 2002/58/EU and case law of the CJEU in Tele2, Promusicae and Bonnier C-461/10.

The e-Privacy Directive imposes an obligation of confidentiality on ISPs with respect the subscribers’ use of the internet. ISPs must delete traffic data, such as assignment of dynamic IP addresses, when it is no longer needed for the purpose of the transmission of a communication. According to statements to the High Court given by Telenor, TeliaSonera and a third ISP not involved in the case (TDC), information about assignment of dynamic IP addresses to individual subscribers is retained for at most 3-4 weeks for operational purposes. Therefore, the necessary information is only available in a special system for law enforcement access because of the Danish data retention law which has a mandatory 12-month retention period.

The High Court then considers the case law of Promusicae and Bonnier, and notes that the e-Privacy Directive does not preclude national legislation which requires disclosure of subscriber information in civil proceedings on copyright infringement, but that it must be possible to consider the opposing interests in an application for disclosure.

In the present case, the High Court finds that there are compelling reasons against disclosure. The information needed to identify the subscribers is only available because of the data retention obligation, and the sole purpose of the data retention provisions is to enable the police to obtain access to retained data for the purpose of investigation and prosecution of criminal offences. The Court is aware that the civil claims cannot be pursued without access to subscriber information, and that it is likely that there has been a substantial copyright infringement. After balancing the opposing interests, the Court finds that this does not outweigh the confidentiality of communication for the subscribers under the e-Privacy Directive. Therefore, the request for disclosure of subscriber information is denied. The decisive factor in the High Court ruling is the Danish data retention law which limits access to the retained data for the purpose of investigation and prosecution of criminal offences.

Read more:

Denmark: Our data retention law is illegal, but we keep it for now, EDRi (08.03.2017)

ISPs Win Landmark Case to Protect Privacy of Alleged Pirates, TorrentFreak (08.05.2018)

Copyright Trolls Hit Thousands of Swedish ‘Pirates’ With $550 ‘Fines’ (23.10.2017)

(Contribution by Jesper Lund, IT – Pol, EDRi member, Denmark)



27 Jun 2018

Restoring freedom of expression in Spain: end the “gag law”

By Maria Roson

Spain has been one of the countries of the European Union that has most shamefully stood out for its government’s attitude against freedom of expression and information. During the government of former President Mariano Rajoy, the Spanish parliament passed the controversial “gag law”- as it was popularly known – which entered into force on 1 July 2015. This law amended the Spanish penal code by, among other things, reinforcing the penalties of “glorification of terrorism” and “humiliation of the victims of terrorism” and introducing limitations on protests and imposing administrative sanctions against demonstrators.

----------------------------------------------------------------- Support our work - make a recurrent donation! -----------------------------------------------------------------

One of the most obvious consequences that this law has had for freedom of expression and information online have been the criminal cases against many political activists, artists, and politicians because of their tweets. In its last report “Tweet…if you dare: How counter-terrorism laws restrict Freedom of Expression in Spain”, Amnesty International denounces the lack of legitimate purpose of the law, considering it too broad and too vague and with an evident purpose of targeting those expressing dissident opinions against the Spanish political system.

Among the limitations that this law has imposed on online activity are:

Arbitrarily restricting access to websites that promote or advocate “terrorism”

The text is written with such an ambiguous wording that it condemns not only the dissemination of criminal content but also simple access to it. This implies that accessing these websites is, itself, a crime, regardless of whether the person simply wanted to be informed or whether they are actually involved in a terrorist activity.

“Seriously disturbing the public order”

Without any definition of what the law considers to be “seriously disturbing the public order”. This ambiguity has lead to arbitrary fines to journalists when they were covering a public event.

Organizing online protests

The gag law punishes “unauthorised protest” which could be fined between 30,000 and 600,000 euro if the protest takes part near institutions such as the Spanish parliament, which happened with the protest organised by the “7N against gender violence”.

Posting pictures of police officers which imply a “danger for their personal of family security”

The doubt is of course what does “danger” mean. How exactly will the law measure “danger”? Again, it is not defined. The result is freedom of expression is curtailed, with fines ranging from 600 to 30,000 euro, and with such extreme consequences as fining a women for posting a picture of a police car parked illegally in a parking spot reserved for people with disabilities.

Penalising content sharing platforms

Platforms such as the sport streaming website “Rojadirecta”. Despite the legitimate intent to limit copyright infringements, the consequences of this measure will be creating legal uncertainty for hundreds of small businesses that have nothing to do with infringements.

Restriction of online protests

The “gag rule” punishes with criminal penalties the dissemination of messages on the internet which may be considered as “glorification or justification” of terrorism or “the dissemination of slogans” which may incite others to commit offences. This has undoubtedly been the most controversial part of the law and the most arbitrarily applied. Under the pretext of committing “glorification of terrorism”, an extremely abusive interpretation of this offence has been used. As a consequence, rappers, professional puppeteers and visual artists have been charged or prosecuted by the Spanish justice because of the politically content of their lyrics, plays or even the meaning of their artistic pieces.

The other battlefield has been Twitter where, since 2014, four coordinated police operations – called the “Spider Operations” – led to a big number of people arrested for posting messages and jokes on social media platforms referring, among other topics, to ETA’s terrorist attacks addressed to members of the Franco dictatorship. One of the most famous cases was the conviction of the rapper “Strawberry” for tweeting about ETA’s terrorist attacks. Although most of the people accused were released without charges or were not imprisoned , there are particularly worrying cases such as the recent convictions of rappers Pablo Hassel and Valtonyc, the latter currently on the run.

After almost 3 years since this law was approved, one of the first tasks of the new Spanish government is to take down the “gag law”. The idea of fixing the law by making amendments within the law, as the Socialist party has pointed out, is not enough. As associations such as the Platform for the Defence of Freedom of Information (Plataforma en Defensa de la Libertad de Información), Amnesty International, Rights International Spain and Spanish EDRi member X-Net have expressed, the only solution is to call for the repeal of the law.

Read more:

Amnesty International Report: “Tweet…if you dare. How counter-terrorism laws restrict Freedom of Expression in Spain” (13.03.2018)

UN Rapporteur demands respect for freedom of expression online (14.06.2017)

Xnet: Legislation that restricts freedom of expression of action and organization in the Spanish State (available only in Spanish) (01.12.2015)

Spanish Citizens’ Security law: There is still some hope (21.06.2015)

Spanish Citizens’ Security Bill: Many restrictions, few freedoms (28.01.2015)

(Contribution by Maria Roson, EDRi intern)



21 Jun 2018

ENAR and EDRi join forces for diligent and restorative solutions to illegal content online

By Maryant Fernández Pérez

The European Network Against Racism (ENAR) and European Digital Rights (EDRi) joined forces to draw up some core principles in the fight against illegal content online. Our position paper springs both from the perspective of victims of racism and that of free speech and privacy protection.

The European Commission has so far not been successful in tackling illegal content in a way that provides a redress mechanism for victims. In fact, the European Commission has been way too long focused on a “public relations regime” on how quickly and how many online posts have been deleted, while not having a diligent approach for addressing the deeper problems behind the removed content. Indeed, the European Commission has been continuously promoting rather superficial “solutions” that are not dealing with the problems faced by victims of illegal activity in a meaningful way.

At the same time, the European Commission’s approach is undermining people’s rights to privacy and freedom of expression by urging and pressuring internet giants to take over privatised law enforcement functions. As a consequence, ENAR and EDRi have agreed a joint position paper following our commitment to ensure fundamental rights for all.

Our joint position paper relies on four basic principles:

1. No place for arbitrary restrictions – Any measure that is implemented must be predictable and subject to real accountability.

2. Diligent review processes – Any measure must be implemented on the basis of neutral assessment, rather than being left entirely to private parties, particularly as they may have significant conflicts of interest.

3. Learning lessons – Any measure implemented must be subject to thorough evidence-gathering and review processes.

4. Different solutions for different problems – No superficial measure in relation to incitement to violence or hatred should be implemented without clear obligations on all relevant stakeholders to play their role in dealing with the content in a comprehensive manner. Illegal racist content inciting to violence or discrimination should be referred to competent and properly resourced law enforcement authorities for adequate sanctions if they meet the criminal threshold. States must also ensure that laws on racism and incitement to violence are based on solid evidence and respect international human rights law.

This paper follows cooperation between the two organisations over the past few years to bring the digital rights community and the anti-racist movement together in a more comprehensive way. The common initiative comes at a time where the European Commission is consulting stakeholders and individuals to provide their opinion on how to tackle illegal content online by 25 June 2018. EDRi has developed an answering guide for individuals that consider that the European Union should take a diligent, long-term approach that protects for the victims of illegal content, such as racism online, and victims of free speech restrictions.

(Contribution by Maryant Fernández Pérez, EDRi Senior Policy Advisor)

Read more:

ENAR-EDRi Joint position paper: Tackling illegal content online – principles for efficient and restorative solutions (20.06.2018)

EDRi Answering guide to EU Commission’s “illegal” content “consultation” (13.06.2018)

Commission’s position on tackling illegal content online is contradictory and dangerous for free speech (28.09.2017)

EU Commission’s Recommendation: Let’s put internet giants in charge of censoring Europe (28.09.2017)

02 May 2018

EU Member States fight to retain data retention in place despite CJEU rulings

By IT-Pol

EU Member States are still working to adopt their position on the ePrivacy Regulation proposed by the European Commission in January 2017. A number of draft compromise texts have been published by the Council Presidency before discussions in the Working Party on Telecommunications and Information Society (WP TELE).

----------------------------------------------------------------- Support our work with a one-off-donation! -----------------------------------------------------------------

Unfortunately, the Council transparency in publishing those documents does not extend to the part of the ePrivacy Regulation that concerns data retention. This means mainly Article 11, which allows Member States to restrict the rights to data protection and confidentiality of electronic communication under certain conditions, in a similar way to Article 15(1) of the current ePrivacy Directive. This part of the ePrivacy Regulation is being discussed jointly by WP TELE and the Working Party on Information Exchange and Data Protection – Friends of the Presidency on Data Retention (DAPIX FoP), which is also tasked with analysing the implications of the Tele2 judgment (joined cases C-203/15 and C-698/15) from the Court of Justice of the European Union (CJEU).

Documents from these discussions are marked “LIMITE” and therefore not generally available to the public. An incomplete picture of the work is available through a combination of Freedom of Information (FOI) requests and leaked documents. It is known that DAPIX FoP has developed the concept of ”restricted data retention” which is a deliberately crafted attempt to circumvent the Tele2 ruling of the highest court of the European Union (the CJEU) with a data retention scheme that is, in reality, general and undifferentiated (and therefore illegal) while officially claiming not to be.

Recently, the working document WK 11127/2017 of 10 October 2017 was released in full through a FOI request by Corporate Europe Observatory. This document provides another piece of the puzzle regarding the secret data retention discussions in Council working groups by outlining two different strategies for storage of electronic communications metadata for law enforcement purposes.

The first strategy is based on data retained by providers of Electronic Communication Services (ECS) for business purposes. Article 6(2)(b) of the Commission proposal for the ePrivacy Regulation allows ECS providers to process electronic communications metadata for purposes of billing, calculating interconnection payments as well as stopping fraudulent or abusive use of ECS. The working document proposes to expand Article 6(2)(b) to include ”illicit use” of ECS, which would allow processing for a broader purpose than abuse or fraudulent use of the communications service itself. Potentially, ”illicit use” could include any crime or illegal behaviour committed by the subscriber with the assistance of the electronic communications service, even if the ECS provider is not the victim of the offence (such as through fraudulent use of the service). The working document further proposes a minimum six month retention period for electronic communications data processed under the broadened purposes of Article 6(2)(b).

In effect, this is mandatory blanket data retention disguised as storage of communications data processed for voluntary business purposes, like billing. When ECS providers process communications data for business purposes, the processing, and in particular any storage of personal data, should be limited to the duration necessary for this purpose. Setting a minimum mandatory retention period for communications data processed under Article 6(2)(b) will mean weakening the level of protection guaranteed under the General Data Protection Regulation (GDPR), which is not only unacceptable but also contradictory to the ePrivacy Regulation being lex specialis to the GDPR. If Member States want to “ensure” the availability of electronic communications data for law enforcement, this should be done by appropriately restricting the rights to data protection and confidentiality of communications in accordance with Article 11 of the ePrivacy Regulation and, in particular, in accordance with the CJEU case law which prescribes targeted data retention rather than blanket data retention.

The second consideration in working document WK 11127/2017 is to exclude processing for law enforcement purposes from the scope of the ePrivacy Regulation in Article 2(2). Under the current ePrivacy Directive, both the retention of electronic communications data and access to retained data by competent authorities is within the scope of the Directive. The working document suggests that excluding processing for law enforcement purposes from the scope of the ePrivacy Regulation could ”bring more clarity to the legal context of data retention”. This would put national legislation for mandatory data retention outside the scope of the ePrivacy Regulation and possibly even outside the scope of EU law, which would be very dangerous for fundamental rights. It could also be considered that it does not put this activity outside the scope of EU law (or at least not fully), as data retention could be considered an exception to the GDPR. So much for “clarity”.

The current ePrivacy Directive provides legal clarity for the retention of electronic communications data and access to the retained data since both types of processing are covered by Article 15(1) of the Directive. Furthermore, CJEU case law provides specific conditions for retention and access to electronic communications data, which ensure appropriate safeguards for fundamental rights. Excluding processing for law enforcement purposes from the scope of the ePrivacy Regulation would bring less legal clarity, not more. In addition, a Regulation aimed at protecting personal data and confidentiality of electronic communications would be deprived of its purpose if certain types of processing (such as “processing for law enforcement purposes”) are completely excluded from its scope. This was also noted by the CJEU in paragraph 73 of the Tele2 judgment.

On 25 April 2018, EDRi member Statewatch published a recent document from the Bulgarian Council Presidency on data retention. Working document WK 3974/2018 looks at the “renewable retention warrant” (RRW). The intention is that competent authorities can issue data retention orders (warrants) to ECS providers under certain conditions. The legal basis for issuing RRWs will have to be national law as no EU legal basis currently exists. It is suggested by the Presidency that ECS providers could appeal the warrant, which would give private companies the job of safeguarding citizens’ fundamental rights. Even though the data retention requirements for RRWs could differ among ECS providers, the Presidency notes that the RRW would be rendered ineffective for law enforcement purposes if not all providers are covered. This will make the RRW approach identical to blanket data retention for all practical purposes and, therefore, a clear circumvention of CJEU rulings.

The patchwork of Council documents (only some of which are available) from DAPIX FoP on data retention shows that some Member States governments are exploring every possible option to uphold their current data retention requirements, despite two very clear CJEU rulings in 2014 and 2016 that blanket data retention is illegal under EU law. These efforts often take place behind closed doors in Council working groups, and the discussions only receive input from Member States’ governments and EU institutions in the law enforcement area, such as Europol and the EU Counter-Terrorism Coordinator. The European public, civil society organisations and data protection authorities are excluded from most of the critical discussions around data retention. In the past, this approach has repeatedly produced legislation such as the Data Retention Directive which was later overturned by the CJEU.

After working document WK 11127/2017 was published in full, European Digital Rights and EDRi members Access Now, Privacy International and IT-Pol Denmark, sent an open letter to EU Member States on the ePrivacy reform. The letter calls upon EU Member States to ensure privacy and reject data retention.

ePrivacy: Civil society letter calls to ensure privacy and reject data retention (24.04.2018)

Freedom of Information request by CEO for WP TELE ePrivacy documents (17.04.2018)

“Renewable retention warrants”: a new concept in the data retention debate, Statewatch (25.04.2018)

EU Member States plan to ignore EU Court data retention rulings (29.11.2017)

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)



24 Apr 2018

ePrivacy: Civil society letter calls to ensure privacy and reject data retention


On 23 April 2017, EDRi, together with other civil society organisations, sent a follow up to our previous open letter to the permanent representations of EU Member States in Brussels. The letter highlighted the importance of the ongoing reform of Europe’s ePrivacy legislation for strengthening individuals’ rights to privacy and freedom of expression and for rebuilding trust in online services, in particular in the light of the revelations of the Cambridge Analytica scandal.

Open letter to European member states on the ePrivacy reform

23 April 2018

Dear Minister,
Dear Member of the WP TELE,

We, the undersigned organisations, support the ongoing and much-needed efforts to reform Europe’s ePrivacy legislation. As we mentioned in our recent open letter, the reform is essential in order to strengthen individuals’ rights to privacy and freedom of expression across the EU and to rebuild trust in online services, in particular given the revelations of the Cambridge Analytica scandal.1

Despite the urgent need to protect the confidentiality of communications, we are aware of the political difficulties that were met during debates in Council and at Working Party level, specifically regarding Article 11 of the proposed ePrivacy Regulation.

Given these difficulties and following the recent publication of the full document WK 11127/2017,2 we would like to highlight a number of legal points that may help move the discussion forward:

– The Court of Justice of the European Union (CJEU) clarified, in two different judgements (Digital Rights Ireland – joined cases 293/12 and 594/12 and Tele2-Watson, joined cases C-203/15 and C-698/15), that mandatory bulk retention of communications data breaches the Charter of Fundamental rights. Any attempt to subvert CJEU case law by adding “clarity to the legal context” without a legal basis that respects the Charter is a direct attack on the most basic foundations of the European Union and should be dismissed. In fact, the current legal framework (the e-Privacy Directive, Directive 2002/58) provides legal clarity since mandatory retention of metadata for the purpose of prevention, investigation, detection or prosecution of criminal offences, as well as access to retained metadata for this purpose, is regulated in its Article 15(1).

– A Regulation aimed at protecting personal data and confidentiality of electronic communications would be deprived of its purpose if certain types of processing (“processing for law enforcement purposes”) are completely excluded from its scope. This was also noted by the Court of Justice in paragraph 73 of the Tele2-Watson judgment. Furthermore, such processing requires specific safeguards defined by the Court and must be necessary and proportionate.

– Finally, we have also noted certain attempts by a number of delegations to introduce a minimum storage period (of 6 months) for all categories of data processed under Article 6(2)(b). If approved, this would impose indiscriminate retention of personal data in a way that has already been ruled as unlawful by the Court of Justice of the European Union in Tele2/Watson. If Article 6(2)(b) establishes a legal basis for processing communications data in order to maintain or restore security of electronic communications networks and services, or to detect errors, attacks and abuse of these networks/services, the processing should still be limited to the duration necessary for this purpose. On top of this, the general principles of GDPR Article 5 should apply, e.g. storage limitation in Article 5(1)(e). If the technical purpose can be achieved with anonymised data, this is no justification for processing data for identified or identifiable end-users. Setting a minimum mandatory retention period for communications data processed under Article 6(2)(b) will mean weakening the level of protection guaranteed under the GDPR, which is not only unacceptable but also contradictory to the concept of lex specialis.

We are aware of the political difficulties raised in Council around the issue of data retention, however the clarity provided by the CJEU in two landmark rulings on that matter can not and must not simply be ignored. We strongly encourage you to keep in mind all of the legal points above in the ongoing debates. We count on the Council to swiftly conclude a general approach on the ePrivacy Regulation, which should include a legally sound Article 11 rooted in respect for the EU Charter and the CJEU case law, to provide law enforcement authorities with the legal certainty needed to accomplish their duties.3

Yours faithfully,

European Digital Rights




Privacy International


IT-Political Association of Denmark and


18 Apr 2018

Hermes Center demands investigation of NAT-related data retention

By Hermes Center

On 27 March 2018, EDRi member Hermes Center for Transparency and Digital Human Rights filed a request with the Italian Data Protection Authority (DPA) to investigate on the widespread practice of logging Network Address Translations (NAT) by most of the telecommunication operators.

To better understand the issue, we must first study, from a technical point of view, the operation and allocation of IP addresses by telecommunications companies, in particular, the practice of Carrier-Grade NAT (CGN), an approach used by telecommunications companies – and especially mobile operators – to manage the allocation of IPv4 addresses. Due to the shortage of available IPv4 addresses, it has become necessary to assign private IP addresses to customers, and then translate them into public IP addresses through a NAT procedure performed by devices connected to the internet operator network. In this way, a single public IP address can shield several private IP addresses: the direct identification of the unequivocal user that on “that day and at that time” was assigned to that internet identifier — similar to telephone numbers identification — is more difficult.

According to the statements of law enforcement authorities (LEA), this practice complicates the operations of identification of those who commit crimes because, given a public IP address, there may be dozens of different users. A practice widely used by telecommunication operators to deal with requests for identification by the judicial authority is that of recording and storing all NAT operations between private IP addresses of its customers and public IP addresses: like this, all the connections of the various IP addresses to the internet are recorded.

The Hermes Center demanded that the Italian Data Protection Authority perform a timely verification and inspection of all the main mobile and fixed operators in relation to the practices of data collection of internet traffic, publicly reporting the results, to verify which is the information collected for the purpose of providing compulsory services to the judicial authorities.

----------------------------------------------------------------- Support our work - make a recurrent donation! -----------------------------------------------------------------

A recently introduced Italian law on data retention has extended the retention time period by telecoms providers by up to six years. This data retention concerns both phone traffic and internet connections and clearly goes against the European data retention principles.

On 13 October 2017, Europol and the Estonian Presidency of Council of European Union organised a workshop with 35 policy-makers and law enforcement officials from all around Europe, in order to discuss the “increasing problem of non-crime attribution associated with the widespread use of Carrier Grade Network Address Translation (CGN) technologies by companies that provide access to the internet”.

The Hermes Center filed a Freedom of Information (FOI) request to Europol and the documents are available here: In Italy, the Hermes Center has appealed to the Data Protection Authority, asking for inspection across all telecommunication operators in order to verify in great details which are the exact information elements logged to comply with data retention laws.

Italy extends data retention to six years (29.11.2017)

Europol’s FOIA on data retention with carrier grade NAT (22.01.2018)

Documents related to the Hermes Center’s FOI request to Europol

(Contribution by Riccardo Coluccini, EDRi-member Hermes Center for Transparency and Digital Human Rights, Italy)



27 Mar 2018

Europol: Delete criminals’ data, but keep watch on the innocent

By Joe McNamee

It is almost impossible to believe, but the European Union Agency for Law Enforcement Cooperation (Europol) simultaneously:

  1. has policies that lead to evidence related to possible crimes being deleted (a data indifference regime) and
  2. supports laws requiring the data of innocent people to be stored (a data retention regime).

Worse still, most of this is not necessarily Europol’s fault. The contradiction is supported, or more precisely demanded, by the European Commission and some EU Member States.

1. Data indifference regime

Under the Europol Regulation, the agency must “support Member States’ actions in preventing and combating forms of crime” such as terrorism and racism. However, much of the criminality that Europol works on is not harmonised on a EU level. Indeed, Member States have little interest in actually enforcing much of the relevant law. For the sake of being seen to be doing “something”, the EU has given Europol the job of putting pressure on internet companies to delete content that may or may not be illegal. In the absence of an accusation that a crime was committed, everyone can quietly look the other way.

Under the Regulation, Europol is given the task of referring “internet content, by which […] forms of crime are facilitated, promoted or committed, to the online service providers concerned for their voluntary consideration of the compatibility of the referred internet content with their own terms and conditions”. (emphasis added)

Once Europol identifies and refers illegal content associated with serious crime or terrorism to the relevant internet service providers, how many times does this lead to investigations?

The answer is unknown. Neither Europol nor the European Commission knows if any reports are referred to national law enforcement or judicial authorities nor if there are any investigations.

If there are actual investigations, what happens to the evidence associated with the content? Well, when referring content to service providers, Europol confirmed to EDRi in an e-mail that they give no instructions whatsoever to the internet companies as to whether data should be retained for law enforcement purposes. However, they consider whether the associated personal data can be considered to be “sensitive data” from a legal perspective and treat it accordingly. This assessment is not shared with the providers. If the providers feel that it is “sensitive data”, then they would normally be expected to delete all data not needed for business purposes. Indeed, one of the major social media platforms told us that, when they delete accounts on the basis of referrals, all associated data are deleted after 30 days.

That needs to be said again: in the absence of any instructions whatsoever from Europol, data that is allegedly associated with serious crime or terrorism is deleted.

----------------------------------------------------------------- Support our work - make a recurrent donation! -----------------------------------------------------------------

2. Data retention regime

While data related to content where Europol has acted due to potential serious crime or terrorism is not considered interesting, it is busy supporting measures to require the storage to data related to perfectly innocent people. “We don’t want to use the data we have, but we want more” appears to be the message.

They want more data, even if the mandatory storage of the data has already been deemed illegal by the Court of Justice of the European Union (CJEU) . In addition, numerous EU Member States have laws requiring communications companies to store communications data related to every individual within their territory. They have these laws despite two CJEU rulings against this activity. The European Commission failed and continues to fail to take court action against those countries, in breach of its legal obligation to uphold the treaties of the European Union.

Worse still, the European Commission, Member States (represented in the Council of the EU) and Europol are engaged in a “reflection process” that is seeking to implement new mandatory communications data retention rules. The institutions are attempting to bypass the CJEU rulings through exercises of legal sophistry to exploit imaginary loopholes. Europol even prepared a presentation to support this effort to break the law in the name of ostensibly enforcing the law.

In short, Europol, the Commission and Member States are promoting action by private companies with no obligations for their own law enforcement authorities. The European Commission keeps publishing press releases boasting increasingly restrictive demands on what action internet companies can take to prevent and act on crimes. All of this is done, no doubt, in order to give the impression that somebody is doing something, without actually doing what needs to be done.

A good European Commission would confront law enforcement agencies on their failure to cooperate and start looking into solutions to address this. At the very least it would demand that Member States and Europol to publish consistent and reliable statistics. Right now this Commission is acting against its own mandate by hiding unpleasant facts and actively promoting practices that have repeatedly been found in violation of the Charter of Fundamental Rights of the European Union, of which the Commission supposedly is a Guardian.

(Contribution by Joe McNamee, EDRi)



07 Mar 2018

Czech BBA for Ministry of Industry and Trade for data retention

By Iuridicum Remedium

The winners of the 13th edition of the Czech Big Brother Awards were announced on 15 February 2018 in Prague. The awards are intended to draw public attention to privacy issues and related alarming trends. The Big Brother Awards are based on a concept created by EDRi member Privacy International. In the Czech Republic, the contest is organised by EDRi member Iuridicum Remedium (IuRE) since 2005.

An eight-member jury comprising of experts on new technologies, lawyers, human rights defenders as well as journalists chose the winners out of forty nominations sent in by the general public. The awards in four different categories went to the Ministry of Industry and Trade, Member of the Parliament (MP) Jiří Běhounek, Equa bank, and the Office of the Government. Non-profit organisation Open Whisper Systems won the positive award, named after Edward Snowden.

The award for the biggest privacy intruder in the long-term perspective went to the Ministry of Industry and Trade – the Ministry in charge of the Electronic Communications Act containing legislation related to data retention, which defines the obligation of providers of electronic communication services to collect metadata and store it for the needs of police and other authorities over a period of six months. Such data is very sensitive as it reveals who was involved in the communication as well as the whereabouts of the users of communication services. The Court of Justice of the European Union (CJEU) has already twice identified such data collection as unacceptable and unconstitutional. In addition, statistics show that this massive collection of data does not result in the decrease of the number of crimes committed nor in the increase in cases successfully solved by the police. Moreover, as is often the case, this measure is most likely to hit all others but the intended group of people – individuals involved in organised crime know how to avoid it. “The jury decided to award the Ministry for its inactivity in a situation where fundamental rights of all citizens are being undermined,” said Jan Vobořil, executive director of IuRe.

----------------------------------------------------------------- Support our work - make a recurrent donation! -----------------------------------------------------------------

The award for the biggest business privacy intruder went to Equabank for forcing its clients to agree to provide the so-called TelcoScore – which is based on the data from mobile phone operators. A typical use of TelcoScore is to verify the client’s credibility. The bank requests it from a telecoms company providing such information. The score is calculated based on 60 different data that the operator has about the client. Although clients are asked to agree with this procedure, in practice they cannot avoid it. This trend is dangerous, as it leads to a situation where clients will have no other option than to agree. “The score is calculated based on unrelated data, such as the client’s whereabouts, mobile phone use, number of journeys abroad, frequency of exchanging the telephone, and so on. “This can mean that in the future our actions can have unexpected impacts in other unrelated areas of life – and this could lead to permanent stress, conformism, and self-censorship,” explained Voboril. All three biggest mobile phone operators present on the Czech market do currently sell customer data in this way.

The award for biggest administrative privacy intruder went to MP Jiří Běhounek for his proposal for an amendment to the Act on Health Services that introduced an unrestricted access to electronic healthcare documentation. As part of the Electronic Identification Act, it passed through the legislative process. It establishes a so-called National Contact Point, through which broad access to electronic medical documentation, including access from abroad, should be facilitated. Alarmingly, there are no limits to this, nor does the legislative text mention whether the patient can influence which data is shared and how.

Last but not least, the positive awards named after Edward Snowden goes to Open Whisper Systems which developed Signal application for encrypted mobile communication. Signal is an encrypted communicator designed primarily for mobile platforms (Android, iOS) for messaging and voice messaging. It can encrypt text messages, pictures as well as phone calls. Signal is now generally regarded as the most secure communication platform in terms of encryption. It has two major advantages. The communication is end-to-end encrypted, which means that only the end users themselves have access to its content. The second advantage is that Signal is an open source application meaning everyone can check what happens with the data.

Czech Big Brother Awards

(Contribution by Jan Vobořil, EDRi member Iuridicum Remedium – IuRE, Czech Republic)



07 Mar 2018

Data retention “reflection process”: Council working documents

By Statewatch

A number of “working documents” discussed as part of the Council of the EU’s “reflection process” on the mandatory retention of telecommunications data have been released following an access to documents request submitted to the Council by EDRi member Statewatch.

----------------------------------------------------------------- Support our work - make a recurrent donation! -----------------------------------------------------------------

The documents provide an insight into some of the issues that have been discussed by Member States’ representatives and EU agencies who, since March 2017, have participated in a sub-group of the Council’s Working Party on Information Exchange and Data Protection (DAPIX) to “facilitate a common reflection process at EU level on data retention in light of the recent judgments of the Court of Justice of the European Union”.

The documents include overviews of the legal framework for telecommunications data retention in the Member States, a presentation from Europol on the possibility of introducing a new measure on “targeted data retention”, and proposals for using the forthcoming ePrivacy Regulation to make possible some form of data retention.

It can be observed that the use of working documents does not serve the interests of transparency, as they are not automatically listed in the Council’s register of documents and will likely only become available to the public through dedicated requests or leaks.

Statewatch requested access to all minutes/“outcome of proceedings” produced by the Council working group “DAPIX (Friends of Presidency) – Data retention” and all working papers/non-papers/other documentation submitted to that working group. Some documents were released in full, others were released in censored form while others could not be released at all, on the basis of argumentation from the Council’s transparency department.

Working documents produced and discussed during the Council’s “reflection process” on data retention:

1. Europol Study on the data retention regime applying in the EU Member States (WK 3570/2017 INIT, LIMITE, 4 April 2017, pdf):

2. European Judicial Cybercrime Network (EJCN) on the effects of the CJEU judgement (WK 3596/2017 INIT, LIMITE, 4 April 2017, pdf):

3. Data Retention – State of play in the Member States (WK 5206/17, LIMITE, 8 May 2017, pdf):

4. A submission from Europol that has been censored: Data categories to be retained for law enforcement purposes (WK 5380/2017 INIT, LIMITE, 11 May 2017, pdf):

5. Not a working document, but not previously published: Note from the Presidency: Targeted data retention – Exchange of views (9558/17, LIMITE, 23 May 2017, pdf):

6. Censored document from the Council Presidency: Ensuring the availability of data for the purposes of prevention and prosecution of crime = Presentation of options and exchange of views (WK 9380/17 INIT, LIMITE, 12 September 2017, pdf):

7. Europol: Proportionate data retention for law enforcement purposes (WK 9957/2017 INIT, LIMITE, 21 September 2017, pdf):

8. Censored document from the Presidency: Availability of data and issues related to data retention – elements relevant in the context of e-Privacy = Exchange of views (WK 11127/2017 INIT, LIMITE, 10 October 2017, pdf):

This is a shortened version of an article originally published by EDRi member Statewatch :

(Contribution by EDRi member Statewatch, the United Kingdom)



22 Feb 2018

In the making: The largest internet filter Europe has ever seen


European policy makers are working on the largest internet filter we’ve ever seen. That might sound a tad dramatic, but it’s really not an overstatement. If the proposal is accepted, websites such as Soundcloud, eBay, Facebook and Flickr will be forced to filter everything you want to upload. An algorithm will be the boss over which of your uploads will be seen by the rest of the world and which won’t.

Why haven’t I heard about this before?

This internet filter is tucked away in a proposal for new European copyright regulation. Internet filters can’t and shouldn’t be used to regulate copyright. They don’t work. But there’s a much bigger problem: once it’s installed, the internet filter can -and will- be used for a myriad of other purposes. We bet you anything that policy makers are gleefully awaiting the internet filter in order to use it in their latest battle, be it fake news, terrorism or undesirable political opinions.

Main issues

There are a lot of reasons not to want an internet filter. These are the three most important ones:

  1. It’s an attack on your freedom of expression. You will have to get permission to speak.
  2. Filters like these tend to make lots of mistakes and it will be up to you to fight them. (Spoiler alert: you can’t.)
  3. Platforms will be incentivised to avoid risk – at the cost of your freedom.

What can you do?

The following weeks are crucial. Tweet or e-mail your representatives that are part of the JURI committee. On 20-21 June they will be deciding on the upload filter. Use the hashtag #CensorshipMachine or #filterfail and let your representatives know you’re against the internet filter (Article 13)! You can find the Members of the European Parliament (MEPs) relevant to you here:

We’ve written some tweets to inspire you, but feel free to compose your own!

  • .@MEP Stand up for our freedom of expression online. Please oppose the #censorshipmachine in the #copyright Directive proposal.
  • .@MEP Stand up for our privacy online. Please oppose the #censorshipmachine in the #copyright Directive proposal.”
  • .@MEP Show that you care about culture and free speech: oppose the #censorshipmachine in the #copyright Directive proposal.”
  • .@MEP Internet filters don’t work. Please delete article 13 of the #copyright Directive proposal! #filterfail

We already tweeted at MEPs in their own language, check it out.