security & surveillance

While offering vast opportunities for exercising and enhancing fundamental rights, the digital environment also offers both opportunities to commit new offences and to impose new restrictions on our online rights. Measures such as filtering, blocking and untargeted surveillance are often easy to implement and extremely difficult to rectify. EDRi therefore works to ensure that all security and surveillance measures are necessary, proportionate and implemented based on solid evidence.

26 Oct 2016

#3 Freedom to make mistakes: How to defend yourself from abuses


This is the third blogpost of our series dedicated to privacy, security and freedoms. In the next weeks, we will explain how your freedoms are under threat, and what you can do to fight back.


Public availability of sensitive information: What is that and how it works?

In the online environment we constantly feed companies and institutions with our personal information. In most cases, we are not in control of the use of that information. The information we consciously provide can be combined with other pieces of information and create completely new information that we did not even know could be created. This can cause risks for our freedoms, also offline.

Nowadays a big part of our social interaction happens online, in social media like Facebook, Snapchat and Twitter. Apart from the information you post or send via these services, they can also collect other information from your devices, such as location data, battery levels, and the list of apps you have installed in your phone. By combining all this data, it is easy to connect this information to you even even if you used a pseudonym. Being anonymous online is far more difficult than it seems.

And the internet does not forget. Think about it: anything you post online now (or that you posted years ago!) could be later tracked back to you, by anyone who happens to get access to it. An old online communication that you thought was private could come up in a job interview, and affect your chances to get employed. The threats are even greater in countries where freedom of expression and freedom of assembly are not respected. In the worst cases, the information about you could be used to damage your financial or even personal security.

How to claim back your freedom

When you post something online, you need to be sure to use the best available tools to protect yourself from others snooping on your private life. One of the best ways to reduce risks is the use of encryption messaging apps and add-ons that can protect your privacy.

Install TOR and use it to browse the web anonymously and easily: TOR is used by activists and journalists all around the world. The technology is both easy to use and it is regularly updated by experts.

Install Signal. Recommended by whistleblower Edward Snowden as one of the best available apps, this application allows you to chat securely. All the communications are encrypted end-to-end by default, including group chats and attachments. This means that nobody but the person to whom you send the message will be able to read its contents. Sometimes it is a pain to change to a different technology. However, the more people that use Signal, the more people will use Signal! Privacy and security needs leaders to set an example… Try Signal, it’s as easy as any other instant message app! Ask the five people with whom you are in contact the most regularly to start using it, too, and you’ll be able to chat with them, with no risk to your privacy and security.

John is also dealing with the risks of re-identification in this video, prepared by our member Association for Technology and Internet (ApTI) – Romania:


What can politicians do to safeguard your freedoms online?

The rules on online privacy in the EU (ePrivacy Directive) will be soon updated. This law is dealing with privacy and confidentiality of communications for the entire EU, and it affects tracking and other issues related to your freedoms online. Are politicians ready to fight for your protection?

Read our previous blogposts here, and stay tuned to our next blogposts to know more about your freedoms online, and how they are threatened!

Read more:

Facebook researchers are trying to predict when you and your spouse will break up (28.10.2013)

Ever liked a film on Facebook? You’ve given the security services a key to your soul (13.01.2015)

In insurance Big Data could lower rates for optimistic tweeters (23.10.2016)

Quiz: Can we guess your age and income, based solely on the apps on your phone? (03.03.2016)


24 Oct 2016

Privacy Camp 2017: Call for submissions

By Kirsten Fiedler


Join us for the 5th annual Privacy Camp! Held every January just before the start of the CPDP conference, the camp brings together civil society, policy-makers and academia to discuss existing and looming problems for human rights in the digital environment. As every year, the event is co-organised by EDRi, Privacy Salon, USL-B and VUB-LSTS.

When: 24 January 2017, 9am – 5.30pm
Where: Université Saint-Louis, Boulevard du Jardin Botanique 43, 1000 Brussels, Rooms P60 and P61 (TBC)


Who controls (your) data, who controls the machines? These questions are at the very center of the debates surrounding the pending adoption of important EU-wide legislation, such as the review of the ePrivacy Directive, the smart borders package, the draft Regulation on dual-use goods and the latest filtering proposals in the draft copyright Directive.

We invite you to propose a panel for one of these two tracks:

Track 01 controlling data
Topics: #metadata #onlinetracking #export #surveillance #accountability #UploadFilters

Track 02 controlling machines
Topics: #IoT #InternetOfThings #algorithms #wearables #sharingeconomy #AI

Some things to keep in mind when submitting your proposal:

  • indicate a clear objective for your session: what would be a good outcome for you?
  • indicate other speakers that could participate in your panel (and invite them)
  • make it as participative as possible, think about how to include the audience as much as possible
  • send us a max 500 word description of your session.

How to submit:
1. Send your proposal to Imge: imge.ozcan (at) before 23 November 2016.
2. After the deadline, we will review your submission and let you know by 6 December 2016.
3. The draft programme is scheduled to be announced in the first week of January 2017.

Please note that it is possible that we suggest to merge proposals if they are very similar.

24 Oct 2016

Civil society urges EU leaders to protect citizens’ data in trade agreements

By Heini Järvinen

European Digital Rights (EDRi), together with 20 civil rights organisations and individual signatories, sent a letter to the leaders of the European Union. In the letter, a broad coalition urges the European Commission and Member State representatives to resist pressure and come forward with proposals which will not sacrifice citizens’ fundamental rights.

EU leaders must protect individuals’ personal information and privacy. The best way to do this is by not including data flows in trade agreements,

said Maryant Fernández Pérez, Advocacy Manager of EDRi.

The European Union should defend its values and regain its leadership on this key issue,

she added.

The letter highlights the negative impacts that including clauses on processing and transfer of personal data in trade agreements like the Trade in Services Agreement (TiSA) could have. It explains how the problems could be solved and encourages EU leaders to adopt a positive, citizen-focused agenda, which will help rebuild trust in trade negotiations.

EDRi and its members have joined efforts with consumers organisations in this initiative. Another open letter, also co-signed by EDRi, was sent to Commission’s president Jean-Claude Juncker to underline that the EU should set a global example for a data protection-proof trade policy. Otherwise, as independent research has shown, trade agreements will never work for citizens. They will not just undermine fundamental rights, but also trust and vibrancy in the data economy.

Read more:

Open letter: Trade agreements, data flows, data protection and privacy

Corporate-sponsored privacy confusion in the EU on trade and data protection (12.10.2016)

Study: Trade and privacy – Difficult bedfellows? How to achieve data protection-proof free trade agreements

BEUC and EDRi urge the EU Commission not to undermine citizens’ privacy in trade agreements (13.06.2016)

EDRi analysis of Wikileaks’ TiSA leaks of 15 September and Greenpeace’s TiSA leaks of 20 September 2016

Why privacy safeguards in trade deals need urgent improvement


19 Oct 2016

ENDitorial: Commissioner defends nuclear attack on internet freedom

By Joe McNamee

The European Commission launched its proposal for a Copyright Directive in September 2016. The legislation includes new rules on filtering of uploads to the internet, text and data mining and the so-called “link tax”.


In response, on 9 September, the Copyright for Creativity Alliance (including EDRi) sent a letter to European Commission Vice-President Andrus Ansip about the copyright reform that was launched recently under his authority. On 12 October, the Commissioner responded.

In the letter, Ansip said:

One of the main goals of the Commission’s Digital Single Market Strategy is to achieve a wide availability of creative content across the EU.

The proposal suggests to create a power for copyright holders to prevent the upload of ANY content that contains some of their work – which includes the power to block availability of perfectly legal and democratically valuable quotation or parody. This quite obviously does not achieve a wide availability of creative content across the EU.

Worse still, going beyond any surveillance and censorship regime imposed anywhere else in the world, the Commission not alone proposes mass filtering and blocking of uploads to the internet in Europe. It also privatises this activity, putting the hands of bizarre “pluristakeholderism” – like multi-stakeholderism, but without internet users. This means that (big) rightsholders and internet companies will cooperate to decide what filtering is implemented and how.

----------------------------------------------------------------- Support our work - make a recurrent donation! -----------------------------------------------------------------

In the letter, Ansip said:

We acknowledge the positive effects of the limited liability regime established in the e-commerce Directive on innovative online services.

Under existing EU law (in the e-commerce Directive), internet companies are protected from liability for illegal or unauthorised activity of their customers. This is crucial to minimise incentives to monitor and censor internet users and to allow innovation to flourish. What he did in his proposal was to kill the limited liability regime in a kind of legislative “drive-by shooting”. It moves virtually all internet hosting providers outside the scope of the e-commerce Directive by saying that availability to the public is not a passive activity (as recognised by the e-commerce Directive and the Court of Justice of the EU). It does this with just one word – “thereby”:

“Where information society service providers store and provide access to the public to copyright protected works or other subject-matter uploaded by their users, thereby going beyond the mere provision of physical facilities.”

Having already killed the e-commerce Directive, it then drives a stake through its heart by saying that providing such a service is “performing an act of communication to the public”. This means that not alone is the pre-existing protection from liability removed, the hosting company becomes directly liable for any infringements carried out by its customers.

In the letter Ansip said:

Our goal is not to change this regime and not diminish innovation and user choice.

What he did in his proposal was to create a right of appeal for unfair deletion or blocking of user content. This is not a bad thing and this makes it clear that the Commission itself sees a risk of the legislation diminishing user choice. However, we know from experience that online companies rarely remove user content because it is “illegal”. They remove it because it is an alleged breach of their terms and conditions. There is no mechanism in EU or national law to force internet companies to host material they have decided was in breach of their terms of service. As a result, the “safeguard” that is proposed by the Commission will not be usable in practice. The Commission has recognised that it has created a problem and failed to deliver a solution.

Worryingly, the analysis in Commissioner Ansip’s letter is not just wrong. It is demonstrably, obviously and egregiously wrong.

Copyright for Creativity Alliance’s sent a letter to Andrus Ansip (09.09.2016)

Ansip’s reply to Copyright for Creativity Alliance’s letter (12.10.2016)

Proposal for a Directive of the European Parliament and of the Council on copyright in the Digital Single Market (14.09.2016)

(Contribution by Joe McNamee, EDRi)



19 Oct 2016

Censorship in Italy: Child protection is the excuse again

By Guest author

One of the recurrent attempts to control the internet is the excuse of “child protection”. Italy has moved a step to this direction, and is going to release a new law against “cyberbullying” that confirms this new trend. This new project follows the same well-worn, failed approach.


The draft has been modified by the Chamber of Deputies of the Italian Parliament, and will be discussed in the following months in the Italian Senate which was the author of the first draft.

The text, as amended, contains many worrying points.

First, the scope of the legislation has been extensively broadened: all the possible crimes that can be conducted online are included. If the purpose of the new legislation is to fight cyberbullying, the logic behind including other crimes is difficult to understand.

----------------------------------------------------------------- Support our work with a one-off-donation! -----------------------------------------------------------------

These inclusions will only create legal uncertainty. How will a certain conduct be criminalised, and based on which law? Is the purpose of this law to actually fight cyberbullying?

Secondly, what raises more doubts is the clause related to the instruments that would be used for the enforcement of this “protection” against cyberbullying.

On one hand, a board of “experts” will be created to find appropriate measures to combat cyberbullying. Leaving aside the scepticism deriving from previous experiences with “expert” groups, the criteria to select the board is far from clear. The expert group should be able to elaborate appropriate measures to fight cyberbullying in only 60 days.

On the other hand, thanks to this new provision anyone who will feel hurt, defamed, harassed, stalked or offended by certain content will be able to act directly. They can inform the platform where the content appears, and ask for its removal. At the same time, the same person will inform the Data Protection Authority (DPA), who will control the removal of the content, and act directly to assure it after 48 hours, if the platform does not act as requested.

This new activity is likely to increase enormously the already high number of requests that the DPA receives. However, it does not foresee any increase to the DPA’s budget.

This specific measure will have two consequences: unilateral and arbitrary censorship of content, and a huge power for and pressure on platforms to act without any form of neutral examination. The consequences are unpredictable.

According to experts and journalists, the new project, assuming it will be amended by the Senate, is the result of non-evidence based digital policies. The internet, at least in Italy is rarely considered from a positive perspective, at least by the texts like this one – for example as a place or an environment useful also to improve the lack of digital literacy. Using cyberbullying as an excuse to regulating the internet by censoring inconvenient content, and by delegating the responsibility to private companies is an enormous threat to our democracies. The Italian Senate needs to stand up for its citizens, and defend an internet where rule of law and fundamental freedoms are respected.

Italy on the verge of the stupidest censorship law in European history (18.09.2016)

Cyberbullies in the Parliament (only in Italian, 07.08.2016)

The fight against cyberbullies is something serious (only in Italian, 06.08.2016)

(Contribution by Alessandro Bruni, EDRi intern)



19 Oct 2016

Shadow regulations – unfair and undemocratic

By Guest author

Shadow Regulations are voluntary agreements between companies (sometimes described as codes, principles, standards, or guidelines) to regulate your use of the internet, often without your knowledge.


Shadow Regulation has become increasingly popular after the monumental failure of restrictive internet laws such as Anti-Counterfeiting Trade Agreement (ACTA), The Stop Online Piracy Act (SOPA) and PROTECT IP Act (PIPA). This is because Shadow Regulation can involve restrictions that are as effective as any law, but without the need for approval by a court or parliament. Indeed, sometimes Shadow Regulation is even initiated by government officials, who offer companies the Hobson’s choice of coming up with a “voluntary” solution, or submitting to government regulation.

----------------------------------------------------------------- Support our work with a one-off-donation! -----------------------------------------------------------------

Shadow Regulation is used in many different contexts, including copyright enforcement, regulation of “hate speech”, and to restrict sales of lawful products, among others. What’s wrong with these agreements? The crux of the problem is that they can quietly reshape our internet without our knowledge or input. We weren’t consulted during their development, don’t know how they are being applied, and typically have little or no means of recourse when they are used to shut down our speech online.

This doesn’t mean that voluntary agreements with internet companies are always a bad thing. Such agreements can be a positive way to avoid heavy-handed and inflexible regulation, and there are ways of reaching such agreements in an inclusive, balanced, and accountable way.

But although voluntary agreements can be done right, more often Shadow Regulation is deliberately exclusive and opaque, resulting in private parties acting as the internet police to enforce content removal or the restriction of online behaviour, while elected governments avoid responsibility. That’s both unfair and undemocratic.

This article was originally published by EDRi member EFF on

Anti-Counterfeiting Trade Agreement

SOPA/PIPA: Internet Blacklist Legislation

Shadow Regulation: the Back-Room Threat to Digital Rights (29.09.2016)

Fair Processes, Better Outcomes (30.09.2016)

Free speech – only as strong as the weakest link

Beyond regulation: Reaching solutions that work for users

(Contribution by EDRi member EFF, international)



19 Oct 2016

Orange is the new blacklist

By Guest author

On Monday morning 17 October, Orange customers who tried to access, and other sites found themselves being redirected to the site of the Interior Ministry explaining that those sites were blocked. The banned websites were accused of “provoking terrorist acts or publicly glorifying terrorist acts”.


Orange declared that the websites had been added to the terrorism blacklist due to “human error”.

Since the adoption of the law on terrorism in late 2014, and more precisely a decree of February 2015, the French police can order – without a court order or judicial control – the blocking of internet sites that support terrorist acts or groups.

This measure was widely criticised, in particular because it could lead to over-blocking cases, and because the definition of the “glorification of terrorism” is more than vague.

----------------------------------------------------------------- Support our work - make a recurrent donation! -----------------------------------------------------------------

Some EU Member States are now seeking to export this concept to the European level. In the draft Anti-Terrorism Directive, the Council of the European Union introduced text to make the ”glorification and justification of terrorism” a crime, without providing a definition of what this might mean. This could lead to the Europeanisation of the collateral damage that is already happening in France, and which has just been proved to be, one more time, absurdly ineffective.

Google redirected to place Beauvau by Orange (only in French, 17.10.2016) blocked for glorifying terrorist acts because of Orange’s “human error” (only in French, 17.10.2016)

(Contribution by Guillermo Peris, EDRi intern)



19 Oct 2016

“Follow the money” on copyright infringements

By Joe McNamee

The European Commission is pushing forward energetically on privatised law enforcement projects for all manner of internet activities. This is the approach to terrorism, hate speech, copyright enforcement… whatever the question, the answer is that internet companies can solve the problem.


It is currently discussing “guiding principles” for withdrawal of services by advertising companies to penalise and prevent “commercial scale” infringements. Tellingly, the final paragraph of the “guiding principles” contains very similar wording to the ill-fated “Anti-Counterfeiting Trade Agreement” (ACTA) that was rejected in 2012.

Like ACTA, the “guiding principles” include illusory “safeguards”, such as references to non-existent legal terms like “fundamental principles” and “fair process” (not due process). Like ACTA, it refers to “commercial scale”, as if this was a safeguard. The European Commission itself has previously said that the term is too vague in existing law.

----------------------------------------------------------------- Support our work - make a recurrent donation! -----------------------------------------------------------------

The text also refers to a “right to access lawful content”, even though there is no such “right”. We have a right to freedom of movement (not a right to legal movement), we have a right to freedom of communication. The implication of the expression “right to access lawful content” is that everything we do or say should be assumed to be illegal until proven otherwise. This is profoundly objectionable.

The planned agreement has a “verification and compliance” process for when participating companies cooperate to destroy an online service by withdrawing advertising revenue. But what is this “verification and compliance” process actually verifying or complying with? This is not specified, presumably because it is not important for the Commission. How accessible will a process be, if a provider withdraws services on the basis of terms of service? On what basis would an injured party believe that their service will get a fair hearing from a large provider, possibly in another country? A credible and accessible complaint process and redress mechanism appears unlikely.

Paragraph 7 of the Commission’s document both says that the agreement “will establish key performance indicators (KPIs)” and that signatories to the agreement will set up a working group “on the KPIs”. Does this mean that a working group on KPIs will be set up after the KPIs have already been defined?

It has been shown again and again and again that rightsholders cannot be trusted in projects of this kind. The Commission is proposing a project where, as described above, the target is ill-defined, the safeguards are illusory, jurisdiction is unaddressed and the compatibility with primary EU law (Article 52 of the Charter of Fundamental Rights of the European Union in particular – in contravention to the most basic of the Commission’s roles) is ignored – the Commission has already taken the view that such “voluntary” agreements are beyond the reach of the Charter. Such proposal appears reckless at best and legally untenable at worst.

European Commission: Guiding principles: The Follow the Money Approach to IPR enforcement –
Stakeholders’ voluntary agreement on online advertising and IPR

European Commission – Roadmap: Proposal for a revision of the Directive on the enforcement of intellectual property rights (Directive 2004/48/EC)

Warner Bros: Our false DMCA takedowns are not a crime (15.11.2013)

Digital camera review taken down by a botched DMCA notice that makes claims of trademark infringement (21.03.2013)

Microsoft DMCA notice “mistakenly” targets BBC, Techcrunch, Wikipedia and U.S. Govt

(Contribution by Joe McNamee, EDRi)



17 Oct 2016

EDRi’s privacy for kids booklet: Your guide to the Digital Defenders


Today, we are publishing a booklet “Your guide to Digital Defenders vs. Data Intruders – Privacy for kids!“, to help young people between 10-14 years to protect their privacy.

The internet is an amazing opportunity for young people to learn, communicate and to explore new worlds. Our booklet will help them enjoy all the benefits of the internet while protecting their personal information.

said Kirsten Fiedler, Managing Director of European Digital Rights.

Children’s freedom to explore and develop should not be limited due to lack of awareness of privacy-protecting strategies. The booklet helps them make safer and more informed choices about what to share and how to share online. It includes chapters on what privacy actually is, how to use safer messaging systems and how to improve the security of smartphones.


The booklet is the outcome of an international project with contributions by EDRi’s network (Bits of Freedom, Open Rights Group, Chaos Computer Club, Digitale Gesellschaft, ApTI Romania, Mediamocracy and many more). In the parallel universe of the booklet, a team of superheroes (the Digital Defenders) fights a group of villains (the Intruders). They were created by German comic artist and illustrator Gregor Sedlag.

The original language is English, but we have started to coordinate translations to make it available in as many languages as possible. The booklet is available under a creative commons (CC-BY) licence and can be freely downloaded and re-distributed. Donations to cover printing costs as well as translations are accepted here. If you want to help with translations, or if you want to print it and distribute it at schools please contact us!



Read more:
Educate and empower children on online privacy


12 Oct 2016

Corporate-sponsored privacy confusion in the EU on trade and data protection

By Maryant Fernández Pérez

After the “Privacy shield” was adopted on 12 July 2016, the European Commission started internal discussions about whether or not to include “data flows” and “data localisation” clauses in Transatlantic Trade and Investment Partnership (TTIP) and in the Trade in Services Agreement (TiSA). It appears that the European Commission Directorate-General for Justice and Consumers (DG Justice) initially accepted the inclusion of clauses on forced, unjustified “data localisation”, but not on transfers of data. However, according to EurActiv, DG Justice has backed down and accepted a weakening of its position on data protection and privacy in order to placate industry, after a campaign based on dubious assertions and backed up by the US government.

Now, the European Commission President Jean-Claude Juncker and the Vice-President Frans Timmermans seem to be prepared to defend core principles of EU law and the rights of EU citizens. They are allegedly blocking the “compromise” to water down protections because “the deal might poke holes in the EU data protection rules that are set to go into effect in 2018”. Weakening privacy and data protection of European citizens through the inclusion of “data flows” in trade agreements has global corporate sponsorship. The EU should resist. There are three main reasons for this:

1. Data flows must not be part of trade agreements

Trade negotiations are not suitable for shaping rules affecting the fundamental rights to privacy and data protection. If the EU was unable to ensure protections of fundamental rights in the Privacy Shield (see here, here and here), on what basis could it think that trade agreements would achieve a better result? Is the apparently ideological rush to include “data flows” in trade agreements worth the risk of making a dubious compromise that would put the whole agreement in doubt?

Data transfers are and can be ensured in other legal fora. Personal data flows are ensured in the EU legal framework by several mechanisms, such as binding corporate rules, modal clauses, adequacy decisions or special arrangements, of which the EU-US Privacy Shield is an example, albeit not a stellar one. The General Data Protection Regulation (GDPR) even provides more alternatives to transfer data of EU citizens abroad, such as self-certification. In addition, the European Commission is expected to issue a “Free flow of data initiative”, apparently only for commercial data.

2. Including data flows in trade agreements like TTIP or TiSA would have huge implications

On 13 July 2016, the University of Amsterdam issued an independent study that EDRi, BEUC, TACD and CDD commissioned in order to ascertain whether fears with regard to both privacy and data protection in trade agreements were founded. The study concluded the risks are real, and a great deal of effort needs to be put into making trade agreements data protection- and privacy-proof. This is our take:

Unless parties want to change their legal framework to truly protect human rights online, trade agreements’ vague commitments to protect data protection and privacy will be meaningless in practice.

Exceptions and safeguards protecting personal data and privacy are being suggested as a means to address the concerns about fundamental rights. However, these clauses can only be activated if certain conditions are complied with, such as:

  • that privacy and data protection measures cannot be inconsistent with other obligations of the agreement. Would the EU legal measures on data protection be inconsistent with the obligation to ensure “a free flow of data”? According to the lobby group CCIA, the response could well be “yes” (cf. “Europe might want to consider whether its 20th century localised data protection framework is well suited in the 21st century interconnected digital world”). To guard against such extreme positions, the European Parliament asked the Commission not to include such conditionality; or
  • that privacy and data protection measures should take “international standards” into consideration. As the EU is a standard setter in privacy and data protection, this creates the risk of a race to the bottom and could prevent other countries from adopting measures which defend privacy and data protection as much as (or more than) the EU.

Even if trade agreements had strong exceptions and safeguards, they could be undermined by:

  •  trade dispute settlement mechanisms of trade agreements, as the Charter of Fundamental Rights will obviously not be considered; and by
  • national security exceptions. Trade agreements contain exceptions on “essential security interests” that establish that nothing in the trade agreement shall prevent any Party to the agreement from adopting measures to protect “essential security interests”. This means that if a party to the agreement wanted to conduct mass surveillance, for example, the trade deal would not ensure the protection of the privacy and personal information of individuals. This is very worrisome, as the Snowden revelations and other scandals have shown. The European Parliament has warned the Commission that their consent to TTIP could be endangered if “US blanket mass surveillance activities are not completely abandoned”.

Conditions, suspensions or prohibitions of transfers of EU citizens’ personal data outside the EU must be possible if fundamental rights are violated or circumvented, as the European Parliament has proposed to the Commission. This position is absent from all of the clauses seen in current trade proposals. In fact, the EU is currently negotiating on trade agreements whose drafts include provisions on data protection that are fundamentally broken. The existence, application or enforcement of the laws adopted by the Parties to a trade agreement relating to their fundamental rights requirements must not be considered as a violation of any trade agreement.

3. Blackmail tactics of industry lobbyists

The hollow-sounding and specious arguments that the “global tech sector” use, such as that they take “the fundamental right to privacy very seriously”; and that without data flows (as if they would suddenly, mysteriously, stop), no trade agreements will be or can be concluded; or that the EU could be perceived as “data protectionist” are far from credible. Even some industry actors (e.g. eBay) had admitted to the Commission that the inclusion of data flows are not a priority for them because they rely on binding corporate rules to transfer data from EU citizens.

Having lobbied unsuccessfully against the General Data Protection Regulation (GDPR), having successfully lobbied for a flawed, inevitably temporary “Privacy Shield”, having incomprehensibly asked the Commission to repeal the e-Privacy Directive, it is understandable that industry lobbyists, backed by the US government want to:

  • ensure there are legal means available to challenge privacy and data protection measures, with the weak excuse that fundamental rights are barriers to trade;
  • prevent other countries to adopt high standards on data protection and privacy; and
  • make sure whatever protections on privacy and personal data are contingent on a nebulous and unpredictable understanding of “necessity” and “proportionality” in trade agreements, whereby fundamental rights will always be deprioritised compared with trade concerns.

It is also understandable that after hearing that the Commission was opposing to include data flows, they increased their lobbying and resorted to “independent” “think tanks” like ECIPE to multiply their message.

The European Commission should do better. As Evgeny Morozof argues, when policy is dictated by corporations, the protection of your privacy starts being seen as a barrier to economic growth. By defending the protection of privacy and personal information of all, the EU will gain influence and credibility. Data protection and privacy are not barriers to trade. Quite the opposite, privacy is an asset of economic growth; it’s a business opportunity to regain trust. Making void assurances and general statements that are not reflected in the actual text of the agreements would not be enough. The European Parliament has strongly reiterated this approach and even asked the Commission to “immediately and formally oppose the US proposals on movement of information”.

This is exactly what the EU should do.