security & surveillance

While offering vast opportunities for exercising and enhancing fundamental rights, the digital environment also offers both opportunities to commit new offences and to impose new restrictions on our online rights. Measures such as filtering, blocking and untargeted surveillance are often easy to implement and extremely difficult to rectify. EDRi therefore works to ensure that all security and surveillance measures are necessary, proportionate and implemented based on solid evidence.

19 Oct 2018

Civil society calls for evidence-based solutions to disinformation


Human and digital rights organisations Access Now, Civil Liberties Union for Europe and European Digital Rights (EDRi) published a joint report on 18 October 2018 evaluating the European Commission’s online disinformation and propaganda initiatives.

The report encourages good policy development based on thorough research and evidence. The European Commission or Member States should not propose binding policies until evidence and accurate benchmarks have been identified.

“We urge the European Commission to restrain from issuing any binding policy simply because there’s not enough meaningful data to underpin evidence-based policy. Research is needed to evaluate the impact of online disinformation and propaganda on society, and develop measures according to the fact-based findings of that research. Any measures should respect freedom of expression and data protection”, said Éva Simon, Freedom of Expression and Privacy Advocacy Officer of Liberties.

“Any measure to tackle the complex topic of online disinformation must not be blindly reliant on automated means, artificial intelligence or similar emerging technologies without ensuring that the design, development and deployment of such technologies are individual centric and respect human rights”, said Fanny Hidvégi, European Policy Manager with Access Now.

“The EU should move away from superficial solutions and propose practical, proportionate solutions to tackle the root causes of online disinformation and manipulation, such as the dominant data-hungry business models in the market”, said Maryant Fernández Pérez, Senior Policy Advisor at European Digital Rights (EDRi).

The three organisations warn against some of the solutions proposed by the Commission. Examples of such flawed solutions are institutionalised fact-checking, relying on blind faith in artificial intelligence and emerging technologies, creating the “EU vs. Disinformation” campaign and limiting anonymity.

As a possible way forward, the report advocates for three more meaningful solutions:

  1. Address the business model of online manipulation through appropriate data protection, privacy and competition laws.
  2. Prevent the misuse of personal data in elections.
  3. Increase media information and literacy.

With this analysis and these solutions, the report aims to feed into the European Commission’s Action Plan on Disinformation, which is expected to be presented by the end of the year.

EDRi, Liberties and Access Now issue this report today following their common understanding on addressing disinformation in the digital age.

To read all our recommendations download the full report here.

Questions and media inquiries should be addressed to:

Fanny Hidvégi
Access Now – European Policy Manager

Éva Simon
Civil Liberties Union for Europe – Freedom of Expression and Privacy Advocacy Officer
+49 3091566653

Andreea Belu
European Digital Rights – Campaigns and Communications Manager
+32 2 274 25 70


18 Oct 2018

#PrivacyCamp19 – Save the Date and Call for Panel Proposals


Join us for the 7th annual Privacy Camp!

Privacy Camp will take place on 29 January 2019 in Brussels, Belgium, just before the start of the CPDP conference. Privacy Camp brings together civil society, policy-makers and academia to discuss existing and looming problems for human rights in the digital environment.


Platforms, Politics, Participation

Privacy Camp 2019 will focus on digital platforms, their societal impact and political significance. Due to the rise of a few powerful companies such as Uber, Facebook, Amazon or Google, the term “platform” has moved beyond its initial computational meaning of technological architecture and has come to be understood as a socio-cultural phenomenon. Platforms are said to facilitate and shape human interactions, thus becoming important economic and political actors. While the companies offering platform services are increasingly the target of regulative action, they are also considered as allies of national and supranational actors in enforcing policies voluntarily and gauging political interest and support. Digital platforms employ business models that rely on the collection of large amounts of data and the use of advanced algorithms, which raise concerns about their surveillance potential and their impact on political events. Increasingly rooted in the daily life of many individuals, platforms monetise social interactions and turn to questionable labor practices. Many sectors and social practices are being “platformised”, from public health to security, from news to entertainment services. Lately, some scholars have conceptualised this phenomenon as “platform capitalism” or “platform society”.

Privacy Camp 2019 will unpack the implications of “platformisation” for the socio-political fabric, human rights and policy making. In particular, how does the platform logic shape our experiences and the world we live in? How do institutional actors attempt to regulate platforms? In what ways do the affordances and constraints of platforms shape how people share and make use of their data?


We welcome panel proposals relating to the broad theme of platforms. Besides classic panel proposals we are also seeking short contributions for our workshop “Situating Platforms: User Narratives”.

1. Panel proposals

We are particularly interested in panel proposals on the following topics: platform economy and labour; algorithmic bias; democratic participation and social networks.

Submission guidelines:

  • Indicate a clear objective for your session, i.e. what would be a good outcome for you?
  • Indicate other speakers that could participate in your panel (and let us know which speaker has already confirmed, at least in principle, to participate).
  • Make it as participative as possible, think about how to include the audience and diverse actors. Note that the average panel length is 75 minutes.
  • Send us a description of no more than 400 words.

2. “Situating Platforms: User Narratives” submissions

In an effort to discuss situated contexts with regard to platforms, we will have a session on lived practices and user narratives. Individuals, civil society groups or community associations are welcome to contribute in the format of a short talk or show & tell demonstration. Details and the online submission form are here: [[link to submission form coming soon!]]


The deadline for all submissions is 18 November. After the deadline, we will review your submission and let you know by the end of November whether your proposal can be included in the programme. It is possible that we suggest merging panel proposals if they are very similar.

Please send your proposal via email to privacycamp(at)!

If you have questions, please contact Kirsten at kirsten.fiedler(at)edri(dot)org or Imge at imge.ozcan(at)vub(dot)be.

About Privacy Camp

Privacy Camp is jointly organised by European Digital Rights (EDRi), the Institute for European Studies of the Université Saint-Louis – Bruxelles (USL-B), the Law, Science, Technology & Society research group of the Vrije Universiteit Brussel (LSTS-VUB), and Privacy Salon.

Participation is free. Registrations will open in early December.


16 Oct 2018

EDRi is looking for an Administration and Finance Intern


European Digital Rights (EDRi) is an international not-for-profit association of 39 digital human rights organisations from across Europe. We defend and promote rights and freedoms in the digital environment, such as the right to privacy, freedom of expression, and access to information.

The EDRi office in Brussels is currently looking for one intern to support our administrative and fundraising team for a duration of six months, with a possibility of a prolongation under an employee contract. The intern will work under the supervision of the Senior Office Manager and the Fundraising Manager. The internship is paid 750,– EUR per month. The selected candidate should start on 3 December.


Day-to-day office operations

  • Assisting the Senior Office Manager in dealing with the needs and requests of the office organisation and supplies;
  • Assisting with the management of the contractual relations with EDRi office’s various service providers;
  • Tracking the needs of and ordering supplies;
  • Processing incoming and outgoing mail, e-mail correspondence and answering incoming calls.

Office space management

  • Setting up a system and tracking of expenses linked to the occupation of the office space.

Payments & Accounting

  • Preparation of payment requests and other payment documents;
  • Planning and booking of business trips;
  • Assisting in the bookkeeping of accounts and in particular of transactions.


  • Assistance in the organisation of internal and external meetings and events.

Maintenance of the joint calendar

  • Data administration and contact management.


  • Assisting the Senior Office Manager and the Fundraising Manager in the administrative and financial work for grant applications.

The successful candidate should possess the following:

  • Fluent command of spoken and written English and French;
  • Completion of secondary education;
  • Proficiency in MS Office tools and particularly MS Excel;
  • Basic experience with CRM systems (database) would be a plus;
  • Relevant experience in providing operational and administrative support is an advantage;
  • Good organisational and time management skills;
  • Motivated & positive attitude.

How to apply:

To apply, please send a maximum one-page cover letter and a maximum two-page CV in English and only in .pdf files (other formats – such as .doc and .docx – will not be accepted) to julien.bencze(at)

The closing date for applications is 4 November 2018 at 12:00 pm Brussels time. Please note that only shortlisted candidates for the next stage of the recruitment process will be contacted.

We are an equal opportunities employer with a strong commitment to transparency and inclusion. People from all backgrounds are encouraged to apply and we strive to have a diverse and inclusive working environment.


10 Oct 2018

EU Parliament’s anti-terrorism draft Report raises major concerns

By Maryant Fernández Pérez

In June 2018, Member of the European Parliament (MEP) Rapporteurs Monika Hohlmeier (EPP) and Helga Stevens (ECR) released their draft Report of the rather secret work carried out by the European Parliament’s Special Committee on Terrorism (TERR). The draft Report attracted more than 1500 amendments, which proves that political groups in the TERR Committee disagree on how to move forward on the EU counter-terrorism policies. While the recommendations of the final Report will not be binding, it sets a bad precedent for EU citizens prior to the elections, and its impact could be greater than that of most other political statements.

A draft Report that ignores the fundamental rights mandate of the TERR Committee

The TERR Committee had a mandate “to assess the impact of the EU anti-terrorism legislation and its implementation on fundamental rights”. The draft Report, however, does not deliver such an assessment.

From a digital rights perspective, the draft Report contains numerous worrying recommendations, statements and approaches to counter-terrorism. It is problematic for several reasons. For example, it encourages the “next President of the Commission to maintain a self-standing portfolio for the Commissioner for Security Union” – a portfolio currently held by the UK Commissioner Sir Julian King, who has been pushing several worrisome proposals for fundamental rights in the digital environment, such as the new draft Terrorism Regulation. In addition, the text encourages privatised law enforcement; it promotes the expansion of illegal data retention; it encourages eroding encryption; it promotes the creation of an EU Big Brother database hidden behind “interoperability” proposals that the European Data Protection Supervisor has strongly criticised; it supports the flawed Commission proposals on cross-border access to data or “e-evidence” that have been criticised by most stakeholders and most recently by the European Data Protection Board; it encourages the extension of the Passenger Name Records (PNR) profiling, despite the 2017 Court of Justice of the European Union (CJEU) Opinion on this matter; and it even portrays a false image of fundamental rights, for example by saying that between security and the fundamental right to privacy, security should prevail.


Luckily, there are 1519 amendments to change this draft Report. However, among the large number of amendments, there are some that, if adopted, would make the draft Report even worse. For example, there are amendments that ask for decryption or the implementation of encryption backdoors for “law enforcement”. Assuming that undermining security and privacy will help to uphold security while fighting terrorism is not rational.

Coincidental, problematic similarities

One of the interesting parts of the draft Report is that it bears many resemblances to the draft Regulation on preventing and tackling the dissemination of “terrorist content” online proposed by the Commission on 12 September 2018. Both texts specifically focus on obliging internet service providers to remove terrorist content within a maximum of one hour. Both texts limit transparency obligations to simply how many removals providers conducted and how quickly these actions were taken. While the Rapporteurs in TERR affirm that “the limit of voluntary action of companies has been reached”, the explanatory memorandum of the proposed Regulation states that “the voluntary arrangements have also shown their limitations”. Both texts highlight the role of “smaller platforms” in this policy challenge as well as of “automated means”. Either the Rapporteurs had a crystal ball to know what the European Commission was about to say, this is a mere “coincidence”, or something else.

The fact that the TERR Committee’s draft “spontaneously” chose to propose similar wording to what the Commission proposed is important. It means that the two rapporteurs have led the European Parliament a long way towards adopting a position that fully aligns with the terms of the proposed Terrorist content Regulation before the vast majority of Parliamentarians were aware of what the Commission was about to propose as binding legislation. If deliberate, this would be a serious attack on the institutional integrity of the European Parliament.

The TERR Report risks being a missed opportunity

Overall, the draft Report misses an important call for sober analysis of the current situation of counter-terrorism policies vis-à-vis fundamental rights and for evidence-based policy-making. A lot would have to change for the TERR Committee to have been proven useful and abide by the responsibilities conferred by the European Parliament in July 2017. The Committee is expected to consider compromise amendments on 15 October 2018 and have a vote on the draft Report and the tabled amendments on 12 November 2018. The whole Parliament would be asked to vote on it in December.

Draft report on findings and recommendations of the Special Committee on Terrorism (21.06.2018)

European Parliament – fighting terrorism with closed-door secrecy (07.02.2018)

(Contribution by Maryant Fernández Pérez, EDRi, and Chloé Berthelemy, EDRi intern)



10 Oct 2018

What’s next for Europe’s internet censorship plan?

By Guest author

In September 2018, a key European vote brought the EU much closer to a system of universal mass censorship and surveillance, in the name of defending copyright.

Members of the EU Parliament voted to advance the new Copyright Directive, even though it contained two extreme and unworkable clauses: Article 13 (“censorship machines”) that would filter everything everyone posts to online platforms to see if it matches a crowdsourced database of “copyrighted works” that anyone could add anything to; and Article 11 (“the link tax”), a ban on quoting more than one word from an article when linking to it unless you are using a platform that has paid for a linking license. The link tax provision allows, but does not require, member states to create exceptions and limitations to protect online speech.


With the vote out of the way, the next step is the “trilogues”. These closed-door meetings are held between representatives from European national governments, the European Commission, and the European Parliament. This is the last time the language of the Directive can be substantially altered without a (rare) second Parliamentary debate.

Normally the trilogues are completely opaque. But Julia Reda, the German Member of the European Parliament (MEP) who has led the principled opposition to Articles 11 and 13, has committed to publishing all of the negotiating documents from the Trilogues as they take place. (Reda is relying on a recent European Court of Justice ruling that upheld the right of the public to know what’s going on in the trilogues.)

This is an incredibly important moment. The trilogues are not held in secret because the negotiators are sure that you’ll be delighted with the outcome and don’t want to spoil the surprise. They’re meetings where well-organised, powerful corporate lobbyists’ voices are heard and the public is unable to speak. By making these documents public, Reda is changing the way European law is made, and not a moment too soon.

Articles 11 and 13 are so defective as to be unsalvageable; when they are challenged in the European Court of Justice, they may well be struck down. In the meantime, the trilogues — if they do their job right — must struggle to clarify their terms so that some of their potential for abuse and their unnavigable ambiguity is resolved.

The trilogues have it in their power to expand on the Directive’s hollow feints toward due process and proportionality and produce real, concrete protections that will minimise the damage this terrible law wreaks while we work to have it invalidated by the courts.

Existing copyright filters (like YouTube’s ContentID system) are set up to block people who attract too many copyright complaints, but what about people who make false copyright claims? The platforms must be allowed to terminate access to the copyright filter system for those who repeatedly make false or inaccurate claims about which copyright works are theirs.

A public record of which rightsholders demanded which takedowns would be vital for transparency and oversight, but could only work if implemented at a mandatory, EU level.

On links, the existing Article 11 language does not define when quotation amounts to a use that must be licensed, though proponents have argued that quoting more than a single word requires a license.

The trilogues could resolve that ambiguity by carving out a clear safe harbour for users, and ensure that there’s a consistent set of Europe-wide exceptions and limitations to news media’s new pseudo-copyright that ensure they don’t overreach with their power.

The trilogues must safeguard against dominant players (Google, Facebook, the news giants) creating licensing agreements that exclude everyone else.

News sites should be permitted to opt out of requiring a license for inbound links (so that other services could confidently link to them without fear of being sued), but these opt-outs must be all-or-nothing, applying to all services, so that the law doesn’t add to Google’s market power by allowing them to negotiate an exclusive exemption from the link tax, while smaller competitors are saddled with license fees.

The trilogues must establish a clear definition of “noncommercial, personal linking”, clarifying whether making links in a personal capacity from a for-profit blogging or social media platform requires a license, and establishing that (for example) a personal blog with ads or affiliate links to recoup hosting costs is “noncommercial”.

These patches are the minimum steps that the trilogues must take to make the Directive clear enough to understand and obey. They won’t make the Directive fit for purpose – merely coherent enough to understand. Implementing these patches would at least demonstrate that the negotiators understand the magnitude of the damage the Directive will cause to the internet.

From what we’ve gathered in whispers and hints, the leaders of the trilogues recognise that these Articles are the most politically contentious of the Directive — but those negotiators think these glaring, foundational flaws can be finessed in a few weeks, with a few closed door meetings.

We’re sceptical, but at least there’s a chance that we’ll see what is going on. We’ll be watching for Reda’s publication of the negotiating documents and analysing them as they appear. In the meantime, you can and should talk to your MEP about talking to your country’s trilogue reps about softening the blow that the new Copyright Directive is set to deliver to our internet.

This article was originally published by EDRi member Electronic Frontier Foundation

Today, Europe Lost The Internet. Now, We Fight Back. (12.09.2018)

Trilogues: the system that undermines EU democracy and transparency (20.04.2016)

Press Release: The European Parliament must in principle grant access, on specific request, to documents relating to ongoing trilogues (22.03.2018)

Save Your Internet

(Contribution by Cory Doctorow)



10 Oct 2018

Independent study reveals the pitfalls of “e-evidence” proposals

By Chloé Berthélémy

On 21 September 2018, the European Parliament released an independent study written by Professor Martin Böse assessing the European Commission’s proposals for law enforcement authorities to have cross-border access to data (“e-evidence”). If adopted, these proposals would introduce European Production and Preservation Orders (EPO) for criminal matters. In order to inform the legislative process of this proposal, the study looks at the different aspects of the draft Regulation and the legal implications for the territoriality and sovereignty principles as well as for fundamental rights.


The conclusion of the study could not be clearer: “The added value of the new cooperation regime (quick and effective access to provider data) is mainly based on the abolition of cooperation obstacles and procedures ensuring effective protection of fundamental rights.” In this article, we summarise the main findings of the study.

1. Mutual cooperation should not mean lower level of protection for individuals

The study recalls the current framework for accessing data in a cross-border situation and existing instruments such as the European Investigation Order (EIO) that was only recently implemented. The study points out that the EIO, introduced in 2017, was designed to speed up the procedure for the enforcement of preservation and production orders by limiting the grounds for refusal for issuing and executing such orders. It was the opinion of the Commission that traditional investigation tools are not always adapted to the digital era because internet data is not easily traceable. Thus, it decided to find another tool for judicial authorities to simplify their cross-border access to “evidence”, including electronic data. Comparing the EIO with the EPO, the study finds that there are two main differences: the first is that the EIO requires prior validation by an independent authority in the executing Member State, and the second is the still further reduced number of refusal grounds both at the issuing and enforcement stages.

While “the EIO Directive has maintained traditional rules of cross-border cooperation such as the double criminality requirement and the analogous application of thresholds for particularly intrusive investigative measures”, the new draft Regulation removes all of these.

On top of that and “contrary to the Commission’s explanatory memorandum”, the minimum maximum penalty threshold does not exclude petty offences, such as theft or fraud, from the scope of the Regulation. The study is unequivocal on that matter: these new thresholds do not reach a level of protection similar to the requirements provided by individual Member States in the Union to access sensitive data. As a result, an EPO can be executed in a Member State even if it has higher national protection standards in place than the issuing state. It can also cover a larger range of crimes.

2. Unilateral enforcement is not a good idea

The study raises concerns about the approach of the European Commission allowing the unilateral extension of enforcement jurisdiction.

First, the study shows there is a problem with the legality assessment of an order. According to the draft Regulation, if law enforcement authorities of Country A order the production of data to a service provider whose services are offered in Country B, it means that Country A is the issuing Member State and Country B the executing Member State. The proposal shifts the competence of assessing legality of the order from the executing authority in Country B to the issuing authority in Country A. In particular, law enforcement authorities in Country A are required to verify if the data requested is not protected under the law of Country B. According to the study, there are good reasons to believe that the law enforcement authorities will bypass this obligation as they are serving their own national interests in a criminal investigation and have little or no incentive to seriously consider the sovereign interests of the other State.

Second, direct “cooperation” with service providers affects the territorial sovereignty of Member States in which the new cooperation instruments should be executed. The executing State cannot effectively fulfill its responsibility to protect fundamental rights. Why? Because under the proposals it is either not aware or notified of foreign orders or it can only act once the service provider refuses to execute the order.

Third, this model could be copied by third countries, which could put in place extraterritorial enforcement rules to access data stored in the EU. The study recalls that moving away from a jurisdiction based on the data storage location as in the Commission’s proposal, opens the way for third countries to access EU citizens’ data in turn. There is a risk of clash with the General Data Protection Regulation (GDPR). This would leave service providers and citizens alike with legal uncertainty, which is precisely one of the drawbacks the Commission is trying to remedy.

Lastly, the study questions the validity of the legal basis used by the proposal – Article 82(1) of the Treaty on the Functioning of the European Union (TFEU) establishing the principle of mutual recognition. Article 89 of the TFEU says that law enforcement operations should be carried out in liaison and in agreement with the Member State authorities whose territorial sovereignty is affected. In this case, the principle of direct cooperation with service providers goes against limitations to extraterritorial operations. It is to be underlined that the notification requirement could only be a solution to this problem if the executing State is not just informed but explicitly agrees with the order.

3. The narrow window for contesting a European Production order is problematic

The service provider is responsible for carrying out a first assessment of the order. This does not include the possibility to challenge the legality of an order in the issuing Member State. The provider only benefits from procedural safeguards in the enforcement process as it can appeal sanctions. The study expresses doubts on the quality of the protective function of a service provider as regards fundamental rights. “The limited number of grounds for non-execution suggests that the addressee must not refuse to produce […] the requested data for other reasons; for instance if the formal and substantial requirements for issuing an EPOC […] are not met (e.g. proportionality, comparable domestic case).”

If the service provider refuses to execute the order, it is then referred to the executing Member State authorities, which become the enforcing authorities. There again, “the effectiveness of judicial protection in the enforcing MS […] is compromised by the limited number of refusal grounds. The draft regulation provides for a rather far-reaching obligation of the enforcing authority to recognise and enforce of an [EPO].”

When it comes to the rights of the individuals whose data have been collected and transferred, there is no mention of when they will be informed about the order and the possible legal remedies to contest it. The only possibility to contest arises during the criminal proceedings, which comes very late in the process – if criminal proceedings take place, of course.

4. Upholding of usual mutual recognition safeguards is essential

The study sees in the proposal a strong imbalance between the interests of service providers for legal certainty and the “legitimate expectations of users and customers”. “The objective to enhance legal certainty for service providers in the Union should not be pursued at the expense of the fundamental rights of users”, the study highlights.

The study concludes with recommendations, including a preference for using and improving the EIO to better protect fundamental rights, as well as reestablishing mutual recognition principles such as traditional restrictions, a notification mechanism, and effective legal remedies. Hopefully the study influences the co-legislators, the Council of the European Union and the European Parliament.

An assessment of the Commission’s proposals on electronic evidence (24.09.2018)

EU “e-evidence” proposals turn service providers into judicial authorities (17.04.2018)

New Protocol on cybercrime: a recipe for human rights abuse? (25.07.2018)

Wiretapping & data access by foreign courts? Why not! (13.06.2018)

As of today the “European Investigation Order” will help authorities to fight crime and terrorism (22.05.2017)

(Contribution by Chloé Berthélémy, EDRi intern)



10 Oct 2018

Openness Index: Decrease of openness in Western Balkans

By Metamorphosis

Openness of institutions of executive power from the Western Balkans (WB) region is not at a satisfactory level. Only approximately 47% of indicators from the Regional Openness Index are currently being achieved.


Openness is a key element of democracy, since it allows citizens to receive the information and knowledge necessary for participation in political life, effective decision-making and for holding institutions accountable for their policies. The Regional Openness Index measures the degree to which institutions of Western Balkan countries are open for citizens and society. It is based on the principles of 1) transparency, 2) accessibility, 3) integrity and 4) effectiveness. It is a tool designed for citizens to examine the openness of public administration and other public bodies. It also helps managers and politicians in evaluating their work towards better openness. The Index was created in the framework of the Regional network Accountability, Technology and Institutional Openness Network in Southeast Europe (ActionSEE), founded by leading Western Balkans NGOs working on transparency and accountability: EDRi member Metamorphosis Foundation from Macedonia, CA Why not from Bosnia and Herzegovina, Center for Democratic Transition from Montenegro, and Center for Research Transparency Accountability (CRTA) from Serbia.

The founding members of the Regional network are organisations that use information and communications technology in their work on promoting democracy. ActionSEE conducts an EU-funded project providing a platform for dialogue between significant stakeholders, and a concrete tool to measure the degree to which state institutions uphold principles and standards of open governance. It aims to increase the inclusion of civil society and media organisations in decision making processes in informing public opinion and policies, as well as to raise the capacity of civic societies to address sensitive issues.

In the first measurement, conducted in 2016, the results from six countries covered 642 institutions, and more than 25 000 indicators and research findings were published. International standards, recommendations given in multiple EU reports on countries in the region, as well as good practices were followed when measuring the level of institutional openness. The institutions were assessed using specific quantitative and qualitative indicators, such as access to information on institutions’ official websites, the quality of the legal framework in individual cases, other sources of public information, published data regarding the work of institutions, public procurement, and information on public spending.

The situation in the region regarding the openness of the government differs from country to country, but one of the important factors is whether the given country is a member of the Open Government Partnership (OGP). Albania, Croatia, Macedonia, Montenegro and Serbia are members, while Bosnia and Herzegovina joined in September 2014. However, while the OGP is mostly focused on national policy making and its implementation, the Regional Openness Index deals with all the levels and all the public bodies.

The 2017 Index was conducted between December 2017 and late February 2018. It showed that clear and consistent policies of openness grounded in strategic documents do not exist. Instead of the expected progress in the area of openness, institutions of executive power had even worse results in comparison to the previous year. Openness amounts to only approximately 38% of fulfilled indicators, whereas the percentage for the previous year was higher, at 41%.

A lack of a strategic approach to openness is still evident in the countries of the region. The data obtained suggest that, in a large number of cases, there is still no expression of openness and transparency of institutions of executive power in relevant documents (strategies, procedures or policies related to the issues). Not even the presence of international initiatives advocating openness contributed to an increase in openness and transparency.

Only the Macedonian government’s top executive body shows an obvious increase of the level of openness. An example of the practices leading to this increase is the prime minister’s cabinet and general secretariat starting to publish session agendas, minutes from sessions held, as well as regular press releases after the sessions. The implementation of the recommendations given by the civil society sector on advancing the institutional openness made a valuable contribution to this, for instance the recommendations laid down in the Regional Roadmap for the Western Balkans countries.

Regional Openness Index

The Openness Index 2016

The Openness Index 2017

Roadmap on good governance for state institutions in the Republic of Macedonia (08.08.2017)

ActionSEE: Roadmaps for institutions

(Contribution by EDRi member Metamorphosis, Macedonia)



10 Oct 2018

The Facebook breach – a GDPR test-case

By Yannic Blaschke

On 28 September, Facebook notified the Irish Data Protection Commissioner (DPC) about a massive data breach affecting more than 50 million of its users. The hack of the “view as” feature, which allowed users to see their profile from the perspective of an external visitor or friend, exploited an interaction of several bugs on Facebook and allowed the intruders to acquire so-called “access tokens”. With these tokens, the attackers had access to personal data from the affected accounts, potentially including personal messages.

The incident is a highly salient test-case for the application of the General Data Protection Regulation (GDPR) in practice, specifically for:

1) Notification and provision of information: Under Article 33 of the GDPR, an entity facing a breach must notify the relevant data protection authority (DPA) within 72 hours, “where feasible”. As the vulnerability was discovered on 26 September, Facebook complied with this provision, unlike what other companies (Uber being one of them) have done in the past. However, the information provided by Facebook so far seems to have delivered only the very basics of what is required under the GDPR. The Irish DPC publicly urged the enterprise to submit more details so the authorities could properly assess the nature of the breach and the risk to users. Article 34 of the GDPR further requires that individuals whose personal data might have been compromised during the breach are notified without undue delay of the incident and the counter-measures that have been taken so far. Facebook implemented this by displaying a message in the feed of the affected accounts. The information provided included an initial overview of the “view as” weakness, as well as the statements that the function has been turned off and that accounts that had used it since July 2017 had their access tokens removed, requiring a new login.

2) Sanctions: The GDPR allows for sanctions against the entity that faced the breach, which depend on the sensitivity of the compromised information and the degree to which appropriate safeguards were not implemented. Since approximately five million of the affected users come from the EU, Facebook could be liable for a 1,63 billion US dollar fine if that was found to be the case. Since the exact nature of the breach is still being investigated by the Irish DPC, it remains unclear to what extent the hacking was a result of negligence. In any case, the investigation might bring some further clarification on how the responsibility for the security of processing is allocated in practice, and how strictly infringements of this obligation are sanctioned. Cases like this thus offer an opportunity for other companies processing users’ personal data to learn in more detail about their security obligations under the GDPR, and provide them with examples of how to respond to a data breach. For users, the investigation also serves an important purpose: it shows them whether the security of their data is actually taken seriously. If it is not and they suffer adverse effects from that, they have the possibility to demand compensation – and since the Irish implementation of the GDPR allows for collective redress, they could even be represented by civil society in court. On the other hand, the incident also emphasises that, even if Facebook did not act carelessly, caution about uploading personal data is always advised, as absolute safety of personal information is never certain.

This data breach is yet another example of the importance of secure and confidential storage of personal data on the internet. While the news shows that the GDPR has successfully obliged Facebook to communicate in a more comprehensive and timely manner about its breach than other big tech companies previously did, it is now of utmost importance to follow up on the incident with an in-depth investigation: users’ rights under the GDPR should be fully and effectively enforced by the Irish DPC.

A Digestible Guide to Individual’s Rights under GDPR (29.5.2018)

GDPRexplained Campaign: the new regulation is here to protect our rights (29.5.2018)

General Data Protection Regulation: Document pool (25.6.2015)

Your ePrivacy is nobody else’s business (30.5.2018)

Cambridge Analytica access to Facebook messages a privacy violation (18.4.2018)

(Contribution by Yannic Blaschke, EDRi intern)



26 Sep 2018

Anatomy of an AI system – from the Earth’s crust to our homes

By SHARE Foundation

The Internet of Things (IoT) and the numerous devices that surround us and let us get through our daily routine with more convenience are becoming more advanced. A “smart” home is not a futuristic notion anymore – it is reality. However, there is another side to this convenient technology: the one that exploits material resources, human labor, and data.

In their latest research, Kate Crawford from New York University AI Now Institute, a research institute examining the social implications of artificial intelligence (AI), and Vladan Joler from EDRi member SHARE Foundation’s SHARE Lab have analysed the extraction of resources across time – represented as a visual description of the birth, life and death of a single Amazon Echo unit. The interlaced chains of resource extraction, human labor and algorithmic processing across networks of mining, logistics, distribution, prediction and optimisation make the scale of this system almost beyond human imagining. The whole process is presented on a detailed large-resolution map.

It is easy to give Alexa a command – you just need to say “play music”, “read my last unread email” or “add milk to my shopping list” – but this small moment of convenience requires a vast planetary network, fuelled by the extraction of non-renewable materials, labour, and data. The scope is overwhelming: hard labour in mines for extracting the minerals that form the physical basis of information technologies, strictly controlled and sometimes dangerous hardware manufacturing and assembly processes in Chinese factories, outsourced cognitive workers in developing countries labelling AI training data sets, all the way to the workers at toxic waste dumps. All these processes create new accumulations of wealth and power, which are concentrated in a very thin social layer.

These extractive processes have an enormous toll in terms of pollution and energy consumption, although it is not visible until you scratch the surface. Also, many aspects of human behaviour are being recorded, quantified into data and used to train AI systems and enclosed as “intellectual property”. Many of the assumptions about human life made by machine learning systems are narrow, normative and laden with errors, yet they are inscribing and building those assumptions into a new world, and will increasingly play a role in how opportunities, wealth, and knowledge are distributed.

Anatomy of an AI system

Map: Anatomy of an AI system

(Contribution by Bojan Perkov, EDRi member SHARE Foundation, Serbia)



26 Sep 2018

UK counter-terrorism law would restrict freedom of expression

By Guest author

Freedom of expression campaigners, human rights groups and legal experts are raising concerns that proposed new counter-terrorism legislation in the United Kingdom would restrict freedom of expression and limit access to information online.

The UK Parliament is currently considering the Counter-Terrorism and Border Security Bill, which could become law within a few months. The government aims to build on existing laws to fill gaps and close perceived loopholes. However, in doing so, the bill goes very far, including restricting online activity, which undermines fundamental rights to freedom of expression.

For example, the bill would make it a crime to view online content that is likely to be useful for terrorism, even if you have no terrorist intent (and even if you are watching over someone else’s shoulder). The crime would carry a prison sentence of up to 15 years. It would make the work of investigative journalists and academic researchers difficult and risky – as mistakenly landing on an offending page could have major consequences. The first version of this clause required a person to access the wrong content three times, but the government has amended this to become a “one-click rule” rather than the original “three-click rule”.

The bill would criminalise publishing (for example, posting on social media) a picture or video clip of clothes or a flag in a way that raises “reasonable suspicion” that the person doing it is a member or supporter of a terrorist organisation. Parliament’s Joint Committee on Human Rights recommended that this clause be withdrawn or amended because it “risks a huge swathe of publications being caught, including historical images and journalistic articles” and because of its potentially very wide reach and interference with Article 10 of the European Convention on Human Rights. The government has not taken this recommendation into account.

United Nations special rapporteur Professor Fionnuala Ní Aoláin has expressed concerns that the proposed clause “runs the risk of criminalizing a broad range of legitimate behaviour, including reporting by journalists, civil society organizations or human rights activists as well as academic and other research activity”. She has expressed concerns about several parts of the bill and emphasised that it should be brought in line with the UK’s obligations under international human rights law.

EDRi member Index on Censorship believes that the bill is not fit for purpose and should go back to the drawing board. It would significantly impact freedom of expression online, damage journalism and academic research, and signal the wrong direction for future online regulation in the UK.

Counter-Terrorism and Border Security Bill 2017-19

“Reckless” counter-terror bill a threat to academic research (17.09.2018)

Joint Committee on Human Rights Legislative Scrutiny: Counter-Terrorism and Border Security Bill – Ninth Report of Session 2017–19

Mandate of the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism (17.07.2018)

Counter-Terrorism and Border Security Bill not fit for purpose (10.09.2018)

(Contribution by Joy Hyvarinen, EDRi observer Index on Censorship, the United Kingdom)