The right to privacy is a crucial element of our personal security, for free speech and for democratic participation. It is a fundamental right in the primary law of the European Union and is recognised in numerous international legal instruments. Digital technologies have generated a new environment of potential benefits and threats to this fundamental right. As a result, defending our right to privacy is at the centre of EDRi’s priorities.

08 Feb 2017

Proposed surveillance package in Austria sparks resistance

By Guest author

The Austrian coalition parties have renegotiated their government programme in January 2017. This new programme contains a so-called “security package” that encompasses the introduction of several new surveillance measures and additional powers for the Austrian security agencies. These changes in the law are to be implemented by June 2017.

However, so far no evaluation of already existing surveillance measures and investigatory powers has been carried out. Furthermore, it is doubtful that the new measures will bring about an increase in security, whereas they will severely limit the fundamental right to privacy and dial back on existing data protection measures.

The following measures are outlined in the newly agreed government programme:

Networked CCTV monitoring: The Austrian Minister of the Interior Wolfgang Sobotka has repeatedly demanded “all-encompassing surveillance” of public spaces by linking already deployed CCTV cameras operated by both private and public entities, and even transmitting the footage to investigative authorities in real time. The implementation of this kind of surveillance apparatus would effectively create a true panopticon affecting every citizen. However, in light of the terrorist attack in Nice in mid-July 2016 on a promenade monitored by several surveillance cameras, any preventive effect of the surveillance of public spaces is highly doubtful, even with respect to conventional crimes: The Police Directorate of Vienna has removed 15 out of its 17 CCTV installations in recent years due to high operating costs and no discernible benefits in combating crime.

Automatic license plate recognition: The government wants to implement a system which would recognise all licence plate numbers and retain details of the movements of all vehicles on Austrian highways. In 2007, the Austrian constitutional court decided in a similar case (Section Control) that surveillance of car drivers is only permitted for a few determined routes and that number plate information can only be retained if the vehicle was driving too fast or is on an official wanted list. The new government programme facilitates an unjustified storage of movements for all vehicles, which is very alarming.


Government spyware: In 2016 there was a legislative proposal to legalise the use of government spyware on electronic devices of Austrian citizens. Due to massive criticism from a legal and technical perspective, the Austrian Minister of Justice Wolfgang Brandstetter withdrew the proposed law. In 2008 a commission of constitutional experts under Professor Bernd-Christian Funk came to the conclusion that government spyware is not in line with Austrian constitutional law. Nonetheless, the Austrian government has started a third attempt to pass a legal basis for this unconstitutional measure.

Data Retention Directive 2.0: The Austrian data retention law was abolished by the Austrian constitutional court in 2014 due to its unconstitutionality and violation of fundamental rights. The European Court of Justice (CJEU) confirmed this decision in December 2016 by passing an even further reaching verdict against this type of unfounded mass surveillance. Nevertheless, the new government agreement contains plans for a “quick freeze” based retention of telecommunication data. The final legislative text will have to be scrutinised carefully to determine whether it is in line with recent CJEU rulings.

Registration of prepaid SIM cards: The Austrian government plans to forbid unregistered prepaid SIM cards and thus to eliminate a way of communicating freely and anonymously with family members, help lines, and persons of trust (such as lawyers). Criminals can easily circumvent this by using foreign SIM cards or online messaging services, making the measure ineffective and disproportionate.

“Subversive movements”: It must be possible to criticise the state or institutions. The government wants to establish a criminal offense for the expression of opinions which undermine the authority of the state. This is a crucial development which stands against the fundamental principle of freedom of expression.

Electronic tags for non-convicted “endangerers”: Another critical demand in the security package is the introduction of electronic tags – a surveillance device locked to an individual’s body – for “endangerers”. But the term “endangerer” (“Gefährder”) is legally not defined and the federal government calls such a person a potential disturber and refers to an “abstract endangering situation” (“abstrakte Gefährdungslage”). So far, electronic tags have been used only for convicted perpetrators or in cases of strong suspicion. This extended use of electronic tags is highly problematic as it violates the principle of presumption of innocence. Similar discussions are ongoing in Germany.

Resistance has been mounting over the proposed extension of surveillance measures in Austria. EDRi observer, and other fundamental rights NGOs in Austria are working to mobilise the population to stop the unprecedented and unfounded surveillance measures in the new government programme from being enacted.

Surveillance package – government plans complete surveillance (only in German)

Surveillance: Cameras are being removed again (only in German, 28.01.2017)

Opportunity and risk of state spyware (only in German, 26.04.2016)

German “Bundestrojaner” – The dismantling of state spy software (only in German)

(Contribution by EDRi observer, Austria)



24 Nov 2016

Terrorism Directive: Document pool

By Maryant Fernández Pérez

I am convinced that the only effective way to tackle terrorism is firmly rooted in the respect of fundamental and human rights.

EU Security Union Commissioner Sir Julian King, 14 November 2016.

The European Commission proposed the Draft Directive on Combating Terrorism (the “Terrorism Directive”) in December 2015. Since then, the legislative process to adopt it has been fast-tracked, which has reduced the space for meaningful public participation, transparency and accountability.

On 17 November 2016, the Council of the European Union, the European Parliament and the European Commission concluded the so-called “trilogue”. This means that a political agreement was reached among the very few people representing the three institutions. Next, both the Council and the Parliament had to formally adopt the Directive. Amendments were possible, in theory. Indeed, there were some amendments tabled at the European Parliament. However, their adoption in practice was close to impossible. The Parliament formally adopted the provisional agreement as its “first reading position” on 16 February 2017. The Council formally adopted the Directive on 7 March 2017. EU Member States will have to give meaning to vague and unclear wording when implementing the Directive.

If the implementation is not done carefully, abuses to freedom of expression and privacy will be made in your Member State!

EDRi doesn’t give up and keeps pushing for a human rights agenda. In this document pool, you will find the relevant information, documents and analyses on the Terrorism Directive. We’ve been updating this document pool as the process advanced. Last update: 23 May 2017.


EDRi’s analyses and recommendations


Legislative Texts


More information in PRELEX (EU Database on preparatory acts), OEIL (European Parliament’s Legislative Observatory) and IPEX (Interparliamentary Exchange Platform).

EDRi’s blogposts and press releases






16 Nov 2016

State of emergency worsens digital crackdown in Turkey

By Guest author

According to a new report by Freedom House, web freedom across the globe declined for the sixth consecutive year. Turkey placed among the red-flag states in terms of web freedom in 2015-2016 and is now rated “not free” in the “Freedom on the net 2016” report after repeated blocking of social media. The country’s status score is “61/100 not free” with 13/25 for obstacles to access, 21/35 for limits on content and 27/40 for violations of user rights.


Turkey entered a state of emergency on 21 July 2016, and this will remain until 21 January 2017, if no further extensions are made by the government. Along with unprecedented attacks on media pluralism and prosecution of journalists, writers, academics and public servants after the failed coup attempt, internet restrictions continue at an alarming rate in the country.


Tensions heightened in the country following general elections in June and November of 2015 and a series of deadly terrorist attacks. Gag orders on the dissemination of images and videos of the bombings were introduced by the authorities, resulting in the blocking of hundreds of websites – over 100 000 websites were reportedly blocked as of 2016. Gag order blocking continues to increase, affecting a wide variety of political, social, and religious content. Access to Facebook, Twitter, and YouTube was repeatedly throttled until the companies removed controversial content. Specific hashtags related to the bombing locations, like #Istanbul, #Ankara, and #Diyarbakir, were temporarily filtered from Instagram. Counterterrorism operations in the southeastern region of the country repeatedly resulted in the suspension of 3G networks, affecting millions of residents for days at a time. The most significant obstacle to internet access in Turkey remains the shutting down of telecommunications networks during security operations, mainly in the southeastern part of the country. These internet shutdowns are obvious violations of the right to information and access at a moment when internet access is of huge importance to individuals. Dozens of news agencies, media outlets and social media accounts covering Kurdish issues have been either blocked or shut down for allegedly promoting terrorist propaganda over the past year.

The most recent social media blockage, which also included virtual private network (VPN) restrictions, started on 4 November. Alternative Informatics Association (Alternatif Bilisim) released an emergency notice for further dissemination and international coverage. This strategic operation was also planned at a specific time when detainment and arrest of dissident politicians took place in southeast Turkey.

Turkey is consistently featured among the countries with the highest number of removal requests sent to Twitter. Of all of the tweets “withheld” by Twitter around the world in the second half of 2015, Turkey accounted for almost 90 percent. According to the Transparency Report, requests from courts and government agencies reached 2211 and rose to 2493 in the first half of 2016. In each reporting period, Twitter indicated it complied in 23 percent of cases. Twitter did file a court case after being fined by the Turkish information and communications technology authority (BTK) for failing to remove “terrorist propaganda”. Over the past year, hundreds of Twitter users faced charges of insulting government officials, defaming President Recep Tayyip Erdoğan, or sharing propaganda in support of terrorist organisations. In some cases, individuals, mostly journalists, have been imprisoned.

Privacy and data protection are also sensitive issues in Turkey. Even though a new data protection law has been adopted, how this law will be implemented still remains a mystery with the dismissal of the Turkish Telecommunications Authority (TIB) and transfer of all authority to BTK. The Alternative Informatics Association issued a press release on the massive data leak in March 2016, including the addresses, identity numbers, and other personal information of almost 50 million Turkish citizens. Binali Yildirim, Transport and Communication Minister at the time, admitted that the breach appeared to date back to at least 2010. An expert stated that the data was taken from the government’s official Population Governance Central Database (MERNIS) around 2009 and later illegally sold to foreclosure firms.

Active internet users and developers in Turkey were alarmed and shocked on 9 October 2016 when cloud storage services including Google Drive, Dropbox and Microsoft’s OneDrive as well as code hosting service GitHub were blocked by the government to suppress the leak of emails belonging to the Minister of Energy and Natural Resources Berat Albayrak, who is the son-in-law of President Erdogan. The ban was lifted after 48 hours following the public protest and pressure by prominent actors of the digital market.

Digital surveillance and cyber security measures are also worrisome for netizens in Turkey. Before the passage of the Homeland Security Act in March 2015, the law allowed Turkish security forces to conduct intelligence wiretapping for 24 hours in urgent situations without a court order. With the new law, the time limit was increased to 48 hours; the new requirement is that wiretapping officials notify their superiors. In addition, the Ankara High Criminal Court is solely authorised to decide whether the wiretapping is legitimate. It is necessary to mention that despite constitutional guarantees, most forms of telecommunication continue to be tapped and intercepted.

With social media purported as a threat to national security, intrusive government surveillance and the proven use of sophisticated malware tools by law enforcement authorities, internet freedom is on a very negative course in Turkey.

Freedom on the net 2016: Silencing the messenger: Communication apps under pressure

Freedom on the net 2016: Turkey, country profile

To no one’s surprise, Erdogan backs extending Turkey’s state of emergency (29.09.2016)

New internet shutdown in Turkey’s Southeast: 8% of country now offline amidst Diyarbakir unrest (27.10.2016)

Emergency notice: Internet blockages in Turkey

Transparency report: Turkey

Twitter sues Turkey over ‘terror propaganda’ fine

Journalist detained in Turkey over tweets

Turkey blocks Google Drive, Dropbox, OneDrive and GitHub to stop email leaks

National Security Council under Erdoğan updates top secret national security “book”

EDRi: Turkey: “The worst menace to society” helps to defeat the coup

(Contribution by Asli Telli Aydemir, EDRi member Alternative Informatics Association, Turkey)



20 Jul 2016

Copyfail #9: Digital Rights Management (DRM): Restricting lending and borrowing books and music in digital format

By Diego Naranjo

This article is the ninth in the series presenting Copyfails.

The EU is reforming its copyright rules. We want to introduce you to the main failures of the current copyright system, with suggestions on how to fix them. You can find all the Copyfails here.

How has it failed?

We are able to lend a book to our friends, make photocopies of its pages, quote parts of the text, or sell our book to a second-hand bookshop. But with digital works like ebooks, CDs, or DVDs, users often face technical restrictions. You cannot lend your ebook to a friend (without lending your e-reader, too), or make a copy of your copy-protected DVD, not even for your own private use. Even if your government says you are allowed to, European and international law says companies are permitted to question it by using “Digital Rights Management” (DRM), software that limits copying.

DRM is a collection of systems used to protect copyright on electronic media, such as digital music and films, as well as computer software. It attempts to control the user’s ability to access, copy, transfer and convert material. Circumventing DRM technologies is forbidden in EU copyright law.

Given the fact that DRM is a blunt tool that does not take into consideration the legal freedoms to use copyrighted works for parody, citation, quotation, private copying and so on, not allowing the circumvention of DRM means in practice giving away all those rights. DRM, as a rule, takes all of those freedoms from you, in the name of stopping copyright violations.


Why is this important?

If someone puts a lock on something you own, you are not the owner. DRMs are digital locks which are put on your devices without asking your opinion or permission to install them and, even worse, without giving you the key. Copyright experts widely agree that DRM systems don’t achieve their intended purpose; they are bad for society, businesses and artists.

Copyright is supposed to guarantee that artists and creators get paid for their work – that there are incentives to creativity. Copyright should not be used as an excuse to restrict our freedoms or access to knowledge and learning. DRM does not fix the problem it is supposed to fix – unauthorised copying and exchanging of ebooks, music, and videos – and it adds unnecessary restrictions on legally acquired content.

How to fix it?


Read more:

Amazon Erases Orwell Books From Kindle (17.07.2009)

DRM Frequently Asked Questions

Electronic Frontier Foundation: DRM

Amazon wipes customer’s Kindle and deletes account with no explanation (22.10.2012)


19 Jul 2016

European Court confirms: Strict safeguards essential for data retention


Today, on 19 July 2016, the Advocate General (AG) Henrik Saugmandsgaard Øe of the Court of Justice of the European Union (CJEU) issued an Opinion on a case Tele2 Sverige AB v Post- och telestyrelsen (C-203/15) that deals with data retention obligations that were imposed by law on a Swedish telecom provider.

The Court was asked a set of questions related to the respect of European Union (EU) law, in the context of the data retention laws in Sweden and the UK. In the Opinion issued today, the AG re-stated principles that were previously established in the Digital Rights Ireland case. He also provided extensive further analysis of the legal context that national courts need to consider when they “rigorously verify that no other measure or combination of measures” can be as effective as the national data retention regime being proposed.

It is to be hoped that the final Court ruling will be respected by EU Member States. Sadly, since the Digital Rights Ireland case was decided in 2014, EU Member States have persisted in implementing or creating new legislation that wilfully ignores the principles previously established by the Court. The Advocate General made it unequivocally clear that all of the safeguards listed in the Digital Rights Ireland case must be respected by national laws.

It is time for EU Member States to start respecting the law. It is time for the European Commission to do its job to ensure that the law is respected,

said Joe McNamee, Executive Director of European Digital Rights.

How many times does the Court need to be asked the same question before EU Member States start listening? Data retention is an extreme measure which can only be implemented if the criteria repeatedly laid down by the Court are respected.

The European Commission should, at long last, start doing its job. So far, it has avoided taking a position on the numerous data retention laws in Europe that breach the principles that were established by the EU Charter of Fundamental Rights, clarified by the Court in 2014 and, today, re-stated by the Advocate General of the Court of Justice of the European Union.

Almost exactly a year ago, EDRi wrote to the European Commission Vice-President, Frans Timmermans, demanding action. In response, the Commission said that it would “monitor” thoroughly the data retention laws in the EU, but has so far avoided taking action. Time has run out for the Commission’s delaying tactics. It is now time – finally – to ensure that the law of the European Union is respected.

Read more:

Press Release from the CJEU on the Advocate General Opinion on the case (Case C-203/15) (19.07.2016)

European Commission will “monitor” existing EU data retention laws (29.07.2015)

European Digital Rights asks the European Commission to investigate illegal data retention laws in the EU (02.07.2015)


15 Jun 2016

Swiss civil society struggles against digital surveillance laws

By Guest author

In June 2016, Swiss civil society activists are redoubling their efforts to collect signatures in support of a referendum vote on the revision of a surveillance law best known under the German acronym BÜPF, “federal law concerning surveillance of postal communications and telecommunications”. This revision would legalise surveillance by means of IMSI catchers (fake relay antennas for mobile phones) and govware trojans (spyware used by the government). It would require even private persons and associations to be subject to internet wiretapping on their premises, mailservers, etc.


Unlike the situation in many other countries where public referendums are rare, in the Swiss system they are a normal part of the legislative process: The role of the Parliament is to debate possible amendments to legislative proposals, and to decide what is the specific text of a possible new law or change to an existing law. However, whether this output of the parliamentary process actually becomes law, is often decided directly by the people in a referendum vote. 50 000 signatures from Swiss citizens of voting age are required for making the referendum happen. In a small country like Switzerland, with a correspondingly small number of privacy activists, that is a significant hurdle.

The Swiss parliament is also proposing another related law, which contains noteworthy provisions on digital surveillance: The intelligence service law, “Nachrichtendienstgesetz” (NDG). This would give the Swiss intelligence service many additional powers, allowing it to use trojans, as well as introducing a form of internet mass surveillance in which internet communications are scanned for keywords. The NDG went through the Parliament faster than the revision of BÜPF, and consequently the hundred-day period for collecting referendum signatures was a few months earlier. In that case, the effort to collect signatures for the referendum was successful, and consequently there is going to be a referendum vote on the intelligence service law. The vote has been announced to take place on 25 September 2016.

In the case of the NDG, a very large part of the referendum signatures was collected by political groups which are also opposed to the revision of the BÜPF. However, these groups have not given this proposal the same degree of priority and they therefore aren’t putting major effort into collecting signatures for the BÜPF referendum.

Even if the referendums on BÜPF and NDG take place, and citizens say “no” to these two surveillance laws, one aspect of Swiss surveillance legislation remains that threatens people’s privacy: data retention. Telecom providers must retain communications metadata for six months. This is already defined in the current BÜPF. Digitale Gesellschaft Switzerland, a civil rights organisation working on digital rights issues, has initiated legal proceedings to challenge the Swiss practice of data retention on grounds of fundamental rights. The case is currently “pending ready for a decision” at the Swiss Federal Court of Administration. Given the fact that Switzerland does not have a constitutional court, it is likely that the matter will be taken to the European Court of Human Rights.

BÜPF: What would change under the revised law, what is unchanged

Video: A Swiss perspective on the surveillance craze

EDRi: Swiss data retention visualisation (07.05.2014)

EDRi: Citizens demonstrate against data retention in Switzerland (04.06.2014)

EDRi: Data retention in Kosovo and Switzerland – legalising illegal laws (28.01.2015)

(Contribution by Norbert Bollow, EDRi observer, Switzerland)



19 May 2016

Copyfail #1: Chaotic system of freedoms to use copyrighted works in the EU

By Diego Naranjo

This article is the first one in the series presenting Copyfails. The EU is reforming its copyright rules. We want to introduce to you the main failures of the current copyright system, with suggestions on how to fix them. You can find the nine key failures here.


How has it failed?

The current EU Copyright Directive outlines 21 different optional freedoms to use copyrighted works. These freedoms, called “exceptions and limitations”, specify how strict copyright rules can be avoided in certain useful circumstances, as long as this does not interfere with the exploitation of the work by the creator. This would include, for example, using copyrighted material for educational purposes, adapting it for people with disabilities, making copies of music or films for personal use, or using it for academic quotations.

Each EU country putting the Directive into practice can choose to either include or exclude any of these optional exceptions. As a result, there are literally over two million ways to implement the Directive! In a borderless, open Internet, it is crazy that a simpler solution to implement flexibilities that do not interfere with the normal exploitation of the copyrighted material is not implemented.

However, copyright lobbyists are vehemently opposed to any flexibility. Indeed, in 2001, when the Directive was adopted, lobbyists argued that the one mandatory exception (for incidental copies in networks) was absolutely unworkable and would create “a gaping hole in rightsholders’ protection under the reproduction right”. Fifteen years later, it is very obvious that no such “gaping hole” was created. Now, they warn again against a more flexible regime. Now, as then, they are wrong.


Why is this important?

People across the EU should be able to enjoy the same rights. Harmonisation of the copyright rules is needed for creating a Digital Single Market – not 28 EU markets as we currently have.

The implications of the copyfail #1 are huge, for example:

  • In the UK, people are not allowed to make copies of music that they legally buy.
  • In Austria and Lithuania it’s illegal to send quotations by e-mail.
  • In some countries, like France, the uses of copyrighted works in schools are considerably more restricted than in others, like Estonia. The latter allows teachers within an educational context to quote works to any justified extent, compile works of any nature and translate and adapt entire works, while France doesn’t.

How to fix it?


Read more:

Copyright combinatronics (16.11.2011)

Copyright exceptions and limitations – back to the future (25.03.2015)

Copyright reform: Restoring the facade of a decrepit building (16.12.2015)



18 May 2016

Danish ticketing system a threat to privacy

By Guest author

Like many countries, Denmark is replacing paper tickets for public transportation with electronic tickets. The Danish system, called Rejsekort (“travel card”), is a contactless chip card similar to the Oyster card in the United Kingdom and the OV-chipkaart in the Netherlands.

At the start of the journey, the passenger holds the card in front of a check-in card reader, and this procedure is repeated when changing to another transport vehicle (train, metro or bus). At the end of the journey, the passenger holds the card in front of a check-out card reader, and the fare for the completed journey is calculated and subtracted from the balance of the card. Check-in/out card readers are placed at all train and metro stations and in buses.


For passengers, the chip card offers convenience. It can be used for public transport in most parts of Denmark, and passengers do not have to be familiar with the complicated fare structure. For example, in the Greater Copenhagen area, there are eight different price levels for a ticket depending on the number of zones in the journey and, in some cases, the number of zones can differ between the outbound and inbound journey.

The Rejsekort card exists in personalised and non-personalised versions, the latter being called Rejsekort Anonymous. The personalised card, which requires proof of identity similar to opening a bank account, offers a number of incentives to citizens: greater fare discounts, automatic transfer of money from a credit card to the Rejsekort, and the possibility of transferring the balance to a replacement card if the Rejsekort is lost or stolen. Despite its name, the non-personalised Rejsekort is not really anonymous since all chip cards have a unique number, and all journeys along with the unique card number are registered in the back-end systems of the Rejsekort company. Passengers can, of course, get a new non-personalised card regularly to protect their privacy, but the price of the card itself is about 10 euro, and the remaining balance on the old card is lost.

From a privacy perspective, the Danish Rejsekort is a disaster, because the unique card number is connected to all journeys. The journeys of all card holders are registered in a central database, and this information is currently retained for five years, together with the citizen ID number (for the personalised card). Whereas mass public transport in trains and buses previously offered a relatively high degree of anonymity (save for the ever more pervasive CCTV surveillance cameras), it has now become similar to air travel where so-called Passenger Name Records (PNR) are created and stored for every journey. Unlike air travel, the anonymous travel option does still exist with the more expensive paper tickets.

There has been some public debate and criticism of the data retention practices in the Rejsekort system. The response from the publicly-owned travel card company has been that since the Rejsekort is a payment card (with limited applicability to paying for public transport), the Danish legislation for bookkeeping and measures against money laundering (based on EU law) makes it mandatory to keep information about every transaction, that is every journey, for five years. Furthermore, the travel patterns of every passenger are analysed for various fraud detection purposes. The Rejsekort is based on the Mifare Classic design which is lacking in terms of security. However, card hacking is not viewed as a problem by the Rejsekort company because the company believes that any attempted fraud can be detected in the back-end systems. In some sense, surveillance of passengers’ travel transactions is used to compensate for the inadequate security of the chip card.

The fare structure for the Rejsekort gives passengers an incentive not to check out on long journeys or to check out before their final destination, especially when travelling by bus where the check-out card reader is placed inside the bus itself. According to the terms and conditions for the Rejsekort, a personalised card can be blocked after three journeys where the check-out is not done properly, and in that case the cardholder will be put on a blacklist so that she/he is unable to get a new personalised card for a year. The fraud detection system probably looks for uncompleted journeys and travel patterns that may otherwise indicate partial fare evasion, like premature check-out. The latter profiling involves cross-referencing with general customer information which could include the address of the passenger, but the precise details of the profiling for fraud detection are not known.

Because of the public criticism, the Danish government asked the law firm Poul Schmith (Kammeradvokaten) to investigate the data processing practices of the Rejsekort company. The report from the law firm was published on 29 March 2016. In an earlier assessment of the Rejsekort system, the independent Danish Data Protection Agency did not have any remarks about the five-year retention period for all journeys, but the report from the law firm concludes that there is no legal requirement to keep information about every journey for five years. It is only necessary to keep the information until the customer can no longer dispute the transaction, that is payment for the journey. The law firm indicates that this period could be three years as this is the statutory limitation period for simple financial claims in Denmark. A privacy-friendly argument for a shorter period than three years could also be made here, since a customer generally loses the right to dispute through inactivity. The official guidelines for the Danish bookkeeping administrative order contain an example with a telephone company where it is stated that only documentation about invoiced/paid amounts must be stored for five years, not details of the individual calls. When the telephone calls can no longer be disputed by the customer, the aggregate invoice is sufficient bookkeeping documentation. Clearly, the same principle must apply to a ticketing system like Rejsekort, but apparently the Rejsekort company had missed this detail in the official bookkeeping guidelines.

A second recommendation from the law firm Poul Schmith is that customers should give consent to the processing of personal data for fraud detection. Currently, no information at all is provided about this processing to the customers. This recommendation is a bit odd. The Rejsekort company argues that the processing can be done without consent because the legitimate interest exception applies to the fraud detection. Moreover, consent as a legal basis for processing hardly makes sense here since customers cannot really refuse (if they want a Rejsekort), and it seems rather unlikely that the Rejsekort company will provide sufficient information so that the consent actually becomes meaningful. Quite interestingly, there is a discussion in the report as to whether the consent to data processing for fraud detection will be coerced or not. The law firm argues that the consent is voluntary, but only because alternatives to the Rejsekort exist, especially single-journey paper tickets. These alternatives are however more expensive and more cumbersome to use.

The Rejsekort company has announced that it will follow the recommendations made by the law firm. This also applies to some of the minor points about reducing the number of employees with access to the central database with journeys, and ensuring written documentation for agreements with data processors.

What is rejsekort? (homepage of Rejsekort A/S)

Investigation of the processing of personal data in rejsekort by the law firm Poul Schmith (only in Danish, 29.03.2016)

(Contribution by Jesper Lund, EDRi member IT-pol, Denmark)



04 May 2016

Please sue us

By Guest author

Each of the Member States of the European Union is required to incorporate European directives into national legislation. If a Member State does not meet this obligation, the European Commission can sue this country in the Court of Justice of the European Union (CJEU). But what actions can a country take if such directives force it to adopt legislation that contradicts its own constitution? From the European Commission’s perspective, Member States have an opportunity to raise such concerns for a few weeks during the adoption process of a Directive and, if a Member State doesn’t, all subsequent problems are the fault of the Member State itself.


Being forced to do something you can’t actually do

This transposition into national legislation also applied to the Directive that forced telecom and Internet providers to retain data concerning the location and communication behaviour of all their users, also known as the data retention Directive. Many Member States were unable to meet this requirement. This resulted in the Commission starting a number of infringement procedures against, among others, Romania, Sweden, and Germany.

In order to get a good impression of what goes on behind closed doors, Dutch EDRi member Bits of Freedom requested the Commission to disclose all documents relating to five of these infringement procedures. A few months later, we received thousands of sheets of paper. Now we know how effortlessly national and European leaders blatantly ignore fundamental and practical objections. Ironically, while Member States were taken to court for failing to implement the repressive measures in the Directive, no effort at all was devoted by the European Commission to enforcing Article 10 of the Directive – collecting statistics that were supposed to be used to assess whether the Directive was actually useful or not. It’s a tricky situation: being forced to implement certain rules, despite them being contradictory to the country’s constitution.

Please sue us

The preventive and persistent preservation of data concerning everybody’s location and communication behaviour is, fortunately, a controversial policy. However, to some governments, this seems to be irrelevant. In one of the obtained documents, the Commission describes how a Czech minister viewed the implementation of this controversial undertaking. His assessment: “one day’s headlines and then forgotten”. Some countries even encourage the Commission to start an infringement procedure against them. Crazy, right? It’s as if you’d approach a police officer on the street and beg him or her to please give you a ticket. But this is politics.

The politicians of the German ruling party CDU supported the Commission’s attempts to enforce the implementation of the Directive, because such infringement procedures increase the pressure on the national debate. For the same reason, the German minister of Internal Affairs (who wanted to see the Directive implemented) did not want the Commission to amend the Directive. In the absence of a reform, the pressure on her Liberal colleague at the Justice department (who refused to implement the Directive) remained high. Similarly, the Commission was told by Romanian representatives that a warning against the country would be “helpful”.

Keeping score is too much of an effort

“There is no scientific evidence that the invalidation has caused the law enforcement agencies major difficulties. There is no evidence indicating that invalidating the data retention Directive has had a negative impact on the clear-up rate of criminal offences.”

This is what the German Minister of Justice wrote in a letter to the European Commission, after the data retention Directive was found to be in violation of the constitution in Germany. It is clear-cut criticism of the assumed – but never substantiated – need for a data retention act.

For many countries, it is too much trouble to gather evidence that supports the alleged need for a data retention act. The Czechs told the Commission that maintaining statistical data (an unenforced obligation under the Directive) was an enormous burden and that it was difficult to obtain data from the police. Instead they indicated a preference to have a conversation with other Member States and to learn from their best practices. How to implement the Directive, without much need for working out if it was serving any purpose?

A data retention act doesn’t help anybody

The documents also give an impression of what is still ahead of us. For instance, the Commission pressured Romania into introducing a new data retention policy after the previous one was declared invalid. The Commission did this despite the warning that there is a risk that a new case would be brought to the Constitutional Court and that the new law will be again declared unconstitutional.

The national legislator being disciplined over and over again calls for additional complexity in the Commission’s enforcement procedures. Their lawyers wrote:

“By letter of 25 November 2008 […] Romania informed the Commission […] that it adopted law no. 298/2008 […]. Romania stated that these measures constituted ‘complete transposition’ of [the data retention Directive] into Romanian law. However, due to an internal omission, this infringement procedure was not subsequently terminated, which should have been done. On 23/11/2009, the Romanian Constitutional Court annulled the national law. This law no longer exists.

Given those circumstances, it is necessary to close this case which dealt with the situation prior to the annulment of the law by the Romanian Constitutional Court. However, the Commission decided to open a new procedure in order to make sure that [Romania] will transpose the Directive, taking into account the legal situation which is currently in force since the annulment of the law by the Romanian Constitutional Court.”

That is quite a mess that benefits no-one, other than a handful of lawyers. And this is what the Netherlands is about to do: adopting a new data retention law (even though the European Directive itself has now been overturned by the European court), while knowing that it will again collapse in a Dutch or European court. Meanwhile, the investigative agencies are left to deal with the consequences: they have no use for investigative tools that can be declared illegal by a judge – indeed, they were never able to show a use for the data in the first place. The Dutch government should instead invest in something the police can actually use.

Please sue us (only in Dutch, 23.03.2016)

(Contribution by Rejo Zenger, EDRi member Bits of Freedom, The Netherlands)



06 Apr 2016

CJEU hearing on the EU Canada PNR agreement: Still shady

By Diego Naranjo

The European Court of Justice (CJEU) had a hearing on 5 April to decide about the referral made on 25 November by the European Parliament on the EU-Canada agreement on Passenger Name Records (PNR). Passenger Name Records (PNR) include information provided by passengers and collected by air carriers for commercial purposes, such as, but not only, the date of the trip and complete itinerary, the name and contact information, the form of payment, frequent flyer information, meal preferences and medical information. In some cases, the airlines will have access to other data such as hotel bookings, car rentals, train journeys, travel associates, etc. This provides a massive insight into the private life of an individual.


The agreement between the EU and Canada allows for the transfer and processing of PNR data of passengers flying between the EU and Canada. The result of the referral of the agreement to the CJEU could impact the proposal for an EU PNR Directive (Fight against terrorism and serious crime: use of passenger name record (PNR) data (procedure file 2011/0023(COD))), that was adopted by the European Parliament’s Civil Liberties Committee on 15 July 2015, and which may be scheduled to be voted in the European Parliament’s plenary session on 27-28 April 2016. The narrow vote in favour (32 in favour, 26 against, no abstentions) happened despite the rejection of this same EU PNR proposal by the same Committee in 2014 and despite the CJEU ruling invalidating the Data Retention Directive.

During the hearing, many crucial issues came up:

Firstly, the European Commission (EC) argued before the Court that PNR data is “anonymised” after 30 days and that, as a result, the CJEU judgment invalidating the data retention Directive is not applicable in this case. However, the EC fails to see that the PNR data is only “masked out” – depersonalised by masking certain identifiers. This is not anonymisation. The EU PNR Directive contains similar clauses and the European Data Protection Supervisor (EDPS) Opinion 5/2015 of 24 September 2015 said that they were glad that the mention of anonymous data had been taken out of the proposal since “(i)ndeed, the data at stake could not be considered as anonymous since they would still be re-identifiable.”

Secondly, the EC quoted the EU anti-terrorism coordinator saying that “the number of convictions based on PNR are irrelevant”. This just does not make sense. If the goal is to find suspects, and there are no convictions based on the PNR data used, the collection and processing of PNR data could well not be “necessary” nor “genuinely meet objectives of general interest recognised by the Union” as Article 52.1 of the Charter of Fundamental Rights states for any limitation of fundamental rights.

Thirdly, during the hearing Member States defended the agreement based on different reasons. The Spanish representative stated that the data retention period of 5 years is absolutely necessary for criminal investigations. Why not five and a half years, as it is the case currently under the PNR agreement with Australia… or 15 years, as under the PNR agreement with the USA? Why not 20 years? Or maybe just 3? Is the standard “whatever-length-we-randomly-decide-each-time”?

Fourthly, the issue of the independent supervisory authority was also highlighted during the hearing. The EDPS reiterated the views expressed in their Opinion on the agreement of 30 September 2013 and said that the oversight in Canada PNR is not an equivalent independent authority, which was refuted by the EC during the hearing. The EDPS Opinion explicitly regretted the fact that “oversight may take place (…) by a (non independent) authority created by administrative means”. The EDPS also noted the “limitations of judicial review with respect to judicial redress”.

In sum, the hearing has shown once again that PNR profiling is not a necessary and proportionate means to prevent international crime and terrorism in the EU. The Advocate General of the Court will announce his opinion on 13 June 2016.

EU-Canada agreement on PNR referred to the CJEU: What’s next? (03.12.2014)

Agreement between Canada and the European Union on the transfer and processing of Passenger Name Record

EU PNR Document Pool

Opinion of the European Data Protection Supervisor on the Proposals for Council Decisions on the conclusion and the signature of the Agreement between Canada and the European Union on the transfer and processing of Passenger Name Record data (30.09.2013)

Steve Peers: The Domino Effect: how many EU treaties violate the rights to privacy and data protection (25.11.2014)

Bruce Schneier: Refuse to be terrorised (24.08.2006)

Mass surveillance through PNR is facing closure: EU-Canada agreement is put to testing (in German) (05.04.2016)

(Contribution by Diego Naranjo, EDRi)