security & surveillance

While offering vast opportunities for exercising and enhancing fundamental rights, the digital environment also offers both opportunities to commit new offences and to impose new restrictions on our online rights. Measures such as filtering, blocking and untargeted surveillance are often easy to implement and extremely difficult to rectify. EDRi therefore works to ensure that all security and surveillance measures are necessary, proportionate and implemented based on solid evidence.

18 Nov 2015

EU Parliament to vote on contentious anti-radicalisation Resolution

By Maryant Fernández Pérez

On 24 November 2015, the European Parliament is expected to vote on a controversial but important political statement, aimed at preventing terrorist radicalisation and the recruitment of EU citizens by terrorist organisations.

Since June 2015, EDRi has been working hard with politicians and advisers to improve this timely political statement. Our objective has been to ensure that citizens’ online rights are upheld when adopting measures in the fight against terror. Accordingly, EDRi proposed amendments to the draft Report, analysed the amendments tabled, commented on every draft of the compromise amendments proposed by the parliamentarian responsible, the rapporteur Rachida Dati (EPP, France), had regular contact with the rapporteur’s assistant as well as the shadow rapporteurs from the other political groups, and created public awareness by publishing several blog posts and by communicating the developments via social media.

While the forthcoming Resolution covers a wide range of aspects related to for example education, prisons, or immigration, EDRi focused on the Internet-related provisions. In this regard, we managed to resolve many of the problems of the initial draft in the Civil Liberties Committee vote on 19 October 2015.

Now, the whole European Parliament has the opportunity to fix three main issues related to the role of Internet companies and their responsibility when dealing with illegal content, companies’ involvement in counter-terrorist narratives, and the EU Passenger Name Records (PNR) Directive.

First, there is one paragraph of the Draft Resolution which refers to Internet companies’ liability in relation to illegal content. Currently, hosting providers must act expeditiously to delete or disable access to illegal content online. However, the current Draft Resolution asks for companies to be held criminally liable if they fail to act, even if only in response to an “administrative request” and not a court order. After many years of experience, EDRi has never seen any evidence suggesting that there are companies active in Europe whose failure to act to address illegal terrorist content could be considered to amount to a criminal act in its own right. The criminalisation of internet companies to address a problem that does not exist brings no benefits, but supporting this measure, even in principle, sets a terrible international precedent. As a result, we strongly prefer deletion of the criminal-related part. If politicians insist on keeping it, enough safeguards must be put in place.

Secondly, the draft resolution also says that companies, civil society organisations and Member States should manipulate online speech as a mechanism for preventing radicalisation and hate speech. EDRi believes it would be very dangerous to promote any such manipulation. This risks being counterproductive and contrary to democracy and its values, and has worrying echoes of state-sponsored “troll armies” in jurisdictions with weak democratic values.

Thirdly, the draft Resolution affirms the intention to finalise the EU PNR Directive by the end of 2015. As many independent researchers, the European Data Protection Supervisor (EDPS) and other important authorities have stated, PNR is neither a necessary nor proportionate measure, and implementing it would not solve the problem of terrorism; it would contribute to profiling innocent people, and not just terrorist suspects. However, even the simple fact that the PNR directive procedurally cannot be finished by the end of the year isn’t a barrier to the Resolution saying that this will happen.

In sum, EDRi welcomes the efforts of the politicians throughout the elaboration of this Draft Resolution, and trusts parliamentarians to fix the remaining problems. If this is done, the Parliament will be sending a clear and legally tenable message: Europe will remain united and will not renounce democracy or citizens’ fundamental rights and freedoms.

Draft Report on the prevention of radicalisation and recruitment of European citizens by terrorist organisations, “Dati’s Draft Report” (01.06.2015)

EDRi: Proposal for amendments to Dati’s Draft Report (22.06.2015)

EDRi: Analysis of the Amendments to Dati’s Draft Report (03.09.2015)

EDRi: Problems with translations of Dati’s Draft Report (03.09.2015)

EDRi: Comments to the draft Compromise Amendments to Dati’s Draft Report (21.09.2015)

EDRi: Comments to the draft Compromise Amendments(v4) to Dati’s Draft Report (05.10.2015)

EDRi-gram: EP Committee adopts short-sighted anti-“radicalisation” report (21.10.2015)

Report on the prevention of radicalisation and recruitment of European citizens by terrorist organisations (03.11.2015)

EDRi: Proposal for plenary amendments to Dati’s Report (17.11.2015)

(Contribution by Maryant Fernández Pérez, EDRi)



18 Nov 2015

Founder of a Portuguese leak platform subject to gagging order

By Guest author

Rui Cruz is 28 years old and is the founder of Tugaleaks, a Portuguese Wikileaks-inspired website. He has been working on the website in his free time since December 2010, gathering exclusive articles about the security flaws of government and private company websites, publishing public-but-undisclosed documents, and making available data on security information about Portugal, among other subjects of interest not related to technology. Tugaleaks is the only website mentioned in the US Central Intelligence Agency (CIA) World Factbook for Portugal – in the “political pressure groups and leaders” section.

In February 2015 Rui was detained and faced charges for “giving support” to hackers by “publishing news”. Some might just think that this is digital journalism, but the public prosecutor considered it a crime. Rui has been subject to a gagging order for eight months and unable to access the Internet, as this was a mandatory coercive measure. As Tugaleaks is based online, he is also unable to publish new content.

To make things worse, Rui was laid off from his day job in a company that is part of PT Comunicações Group, one of the largest communications companies in Portugal. Rui says that the company justified his dismissal by stating that he could not engage with any Internet-related work. Rui now does not have a job, and is awaiting the end of the coercive measure. Eight months is the maximum time for which a coercive measure can be put in place. However, judges could renew the same measure over and over, if they think it’s necessary.

The local media organisations are kept quiet about the situation. Rui says that this is because Tugaleaks was considered to be a “renegade” media organisation because of the style and type of publications which frequently embarrassed the Government and public institutions.

Freedom of expression and the right to choose a job are constitutional rights under the Portuguese Constitution. Rui and his lawyer believe both rights have been violated for eight months by the justice institutions in Portugal without any regard for the quality of life and the “innocent until proven guilty” principle.

Rui is now looking for any solidarity in sharing his story on social media. This is the most important time to spread the message, as he could soon be free from this coercive measure and start rebuilding his life, if sufficient media attention and citizen solidarity is shown. He is also struggling to pay the fees of his lawyer from Jaime Roriz Advogados. Rui accepts donations at:
IBAN PT50 0033 0000 4542 2460 7280 5
Owner: Rui Diogo Morais da Cruz


CIA, The World Factbook: Portugal

Tugaleaks founder detained for (alleged) cyber attacks to Lisbon’s Public Prosecutor’s Office (only in Portuguese, 26.02.2015)

TugaLeaks founder: fired and prevented from accessing the Internet (only in Portuguese, 02.03.2015)

(Contribution by Rui Cruz, Tugaleaks, Portugal and submitted by his lawyer Carla Guimarães (Jaime Roriz Advogados))



18 Nov 2015

Data Protection Directive on law enforcement: The loopholes

By Diego Naranjo

Some of your most sensitive data, which could lead to the most serious consequences for you if processed carelessly, is being dealt with while receiving almost no attention from the media and the general public. Outside the spotlight of the General Data Protection Regulation (GDPR), the Directive for Law enforcement agencies (LEDP) seems, for some, not to have the charisma of the Regulation.

However, the Directive contains numerous loopholes which, if not carefully addressed, will undermine the already fragile data protection regime. The Council of the European Union version of the text (the so-called “general approach” text) was published on 9 October 2015, and the (always opaque) trilogue negotiations are now underway. The goal of the trilogues is to reach an agreement at the end of December 2015, in line with the foreseen calendar for the GDPR.

The Directive’s original goal was the protection of personal data in the context of the use by “competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties”. That was the scope until the Council added to its version a mention of “safeguarding against and the prevention of the threats to public security”. Although this wider scope could be positive in the sense that it could fill some gaps provided by the exceptions in the GDPR, it is not clear what types of activities will be covered, within the limited EU legal competences in this matter. For example, it is not clear whether or how it will relate to any activities of intelligence agencies that fall outside of EU legal competence, but where the EU itself, for example through Europol, is increasing its activities. If these activities performed by intelligence agencies will be covered to any extent by the Directive, the question that follows is what the consequence would be for the data gathered pro-actively and/or in bulk on people who are not linked to any criminal activity, contrary to the protection of fair trial rights in Art. 6 ECHR and Art. 47 of the Charter of Fundamental Rights of the European Union. The Directive gives no hint to solve this, or other similar questions.

One of the most worrying aspects is that current articles on lawful processing (7 and 7a) could allow massive transfer of data from law enforcement agencies in the Member States (inside the Directive’s scope) to the respective national security agencies (outside the Directive’s scope). Bearing in mind that some national agencies have a tendency to engage in international data transfer practices with other agencies both inside and outside the EU, the alarms should be ringing already in the heads of those involved in the trilogue negotiations. As the European Parliament (EP) stated in its resolution on the surveillance of EU citizens that was passed on 29 October 2015, the Commission must “immediately take the necessary measures to ensure that all personal data transferred to the US are subject to an effective level of protection that is essentially equivalent to that guaranteed in the EU”. These precautions need to be inserted in the Directive.

The recitals and the definitions do not bring the clarification that the text requires. For example, Recital 16 includes a reference to “data rendered anonymous in such a way that the data subject is no longer identifiable”, which by definition would not be personal data and therefore (obviously) would fall outside the Directive and the Regulation. Later on, in the definitions, health status relates in some parts of the Directive only to the current health status (Article 3), while in another part (recital 17) it relates to “past, current or future” health of the individual. More worryingly, “national security” lacks the definition called for in the aforementioned resolution of the Parliament. Furthermore, the distinction between activities related to “public security” and “national security” should be clarified in the recital.

In line with what is happening in the Regulation, profiling protections are also weakened in the Directive. Although there is a general prohibition of using sensitive data when doing profiling, the provision lacks sufficient safeguards, and profiling is only covered under the Directive when this is done in a fully automated process. Anything that is not “fully” automated falls outside the protection of this safeguard.

The Directive, as it stands today, has a significant list of worrisome aspects that need to be re-defined and clarified. The negotiators in the trilogues need to decide now if they want to aim for a Directive that includes loopholes which could weaken the new data protection regime, or to strive for the data protection regime which is needed to guarantee the fundamental right to privacy in Europe.

EDRi analysis of the European Commission’s original proposal for the Directive

EDRi: General Data Protection Regulation: Document Pool

EDRi: The Data Protection Archive

Mass surveillance: EU citizens’ rights still in danger, says Parliament (29.10.2015)

(Contribution by Diego Naranjo, EDRi)



18 Nov 2015

UK Draft Investigatory Powers Bill: Missed opportunity

By Guest author

The UK Government has published a draft of the long-awaited Investigatory Powers Bill.

Since the Snowden revelations, civil liberty groups have been calling for a new law that would restrain the UK intelligence and law enforcement agencies. The UK government, however, has been calling for increased surveillance powers since the failure of the draft Communications Data Bill in 2012. The Bill, which became known as the “Snoopers’ Charter”, proposed forcing Internet Service Providers (ISPs) and phone companies to keep data about UK citizens’ Internet browsing activity, emails and phone calls for 12 months. The Bill was defeated but there have been repeated calls to bring it back, and even an attempt to insert its provisions as amendments to a different Counter Terrorism Bill.

The draft Investigatory Powers Bill does not go as far as the draft Communications Data Bill, but it would oblige ISPs to keep data about websites visited by their customers for 12 months. EDRi member Open Rights Group (ORG) will make a submission to the Joint Committee that will now scrutinise the legislation.

The draft bill spells out the powers that the security services have for the collection of content and data in bulk. Although this had been done for years, no one really understood the extent of the UK Government Communications Headquarters’ (GCHQ’s) capabilities until the Snowden leaks. The government has acknowledged that secret agencies have been going even further, accessing data in bulk from UK internet providers, not “just” from international cables. The bill effectively endorses these previously secret – and at face value disproportionate – mass surveillance powers. This is in addition to powers to obtain bulk datasets, such as contact lists, driving licences, travel or banking records.

One of the most controversial parts of this new Bill is that ISPs will be forced to keep much more detailed data about their clients’ internet activities. To access this data, the police would need to get a court order – this seems to be a concession to the European Court of Justice (CJEU) ruling in April 2015 that said there must be safeguards for accessing retained data. In July 2015, the UK High Court (EWHC) said that parts of the Data Retention and Investigatory Powers Bill were unlawful for the same reason.

The new Bill proposes a new system of “double-lock”, where some warrants will be signed both by the Secretary of State or an authorised person, and additionally by a special judge. At face value this might seem an improvement on the current situation where judges do not have a role, but there are concerns that in practice this may simply amount to a rubber-stamp. Judges would have a very narrow role, only being allowed to check that there are grounds for the minister’s decision, and that procedures have been followed, but not to challenge the substance of the decision. Fully independent judicial authorisation would be a more meaningful guarantee of due process. Disappointingly, the draft new bill still allows police, councils and other agencies to obtain communications data without the need to involve a judge.

The Bill asks for powers to compel communications providers to assist with demands for interception. How companies do this will presumably be at their discretion. In some cases this might involve compromising their software to make the encryption less effective.

The Bill clarifies the powers of security agencies to break into individuals’ laptops and mobile phones, including worrying new powers for non-targeted mass hacking. It also forces internet companies to help in hacking their customers.

What are the positives? On first reading the Bill seems to be very clear about the powers being given to the State. Transparency over these activities is very welcome, as it enables debate and challenges to specifics, including in the courts. There also seem to be improvements to redress, including the right to appeal rulings by the Investigatory Powers Tribunal. The new Investigatory Powers Commissioner may also bring improvements to democratic oversight.

ORG’s initial view is that the draft bill appears to be a missed opportunity to rein in the surveillance state. It mainly seems to legalise current practices, and add a veneer of human rights compliance without fundamentally changing what the police and secret agencies already do.

First take on the Investigatory Powers Bill (05.11.2015)

(Contribution by Pam Cowburn, EDRi member Open Rights Group, United Kingdom)



18 Nov 2015

The School of Rock(ing) EU Copyright: United to #fixcopyright

By Diego Naranjo

As part of our ongoing work on the copyright reform, EDRi in cooperation with Centrum Cyfrowe, Communia and Wikimedia, organised the School of Rock(ing) EU Copyright in Warsaw on 5-6 November. The date and location of the event were chosen taking advantage of the Copycamp event on 4 November, which gathers hundreds of copyright experts and activists every year.

The School of Rock(ing) EU Copyright took place over two days. The first day was focused on the content of the copyright reform and the main issues that need to be addressed. The first panel session brought together national and EU level policy makers, as well as civil society: Emil Kedzierski from the Ministry of Administration and Digitization of Poland; Jean Bergevin, Head of Unit of the Fight against Counterfeiting and Piracy Unit in the European Commission Directorate-General for Internal Market, Industry, Entrepreneurship and SMEs (DG GROW); Eszter Bako, an assistant of the Member of the European Parliament Julia Reda; and Dimitar Dimitrov from Wikimedia. The goal of this panel was to provide a general legal background, as well as to inform activists who do not usually work in EU affairs who the main actors in the process are, how to approach them, and when to get involved in the dossiers to have a meaningful impact in the different policies. Introductory sessions on the EU decision-making process, on cultural heritage and public domain, and on copyright enforcement policies also took place during the first day of the event.


The second day was focused on strategies. The day started with a round of interventions from participants, who introduced their national level work and activities, and what their interest was in global EU copyright topics. After that the participants were split into small working groups on four different topics: the platforms consultation launched by the European Commission, Copyright and Education, Public Domain, and the Communication from the European Commission leaked the evening of 5 November. The groups took note of specific action points which will be developed in the following weeks among the civil society groups that expressed interest in those topics. The civil society agenda in the upcoming EU copyright reform will be established based on these action points.

The School of Rock(ing) Copyright was able to bring together activists to discuss general problems and opportunities in the EU copyright regime and the upcoming reform. It also shed some light on specific topics related to copyright, as well as the current and soon-to-be-proposed policies, and helped activists to gain a better understanding of how the EU functions and how to influence EU policies. Finally, and most importantly, it has created new networks to overcome the isolation of activists working in both national and Brussels contexts. These alliances already exist and are very strong among groups that are resisting modernisation, and therefore need to be equally strengthened among civil society organisations to #fixcopyright in the EU.


Activist Guide to the Brussels Maze

EDRi’s Copyright Handbook

School of Rock(ing) EU Copyright – Agenda

(Contribution by Diego Naranjo, EDRi)



18 Nov 2015

EU and US NGOs propose privacy reforms post Schrems

By Guest author

On 12 November 2015, leading human rights and consumer organisations issued a letter to urge the US and the EU to protect the fundamental right to privacy. After the Schrems ruling by the Court of Justice of the European Union (CJEU) in October 2015, the parties are now attempting to negotiate a revised Safe Harbor arrangement, but civil society groups are sceptical that such an agreement by itself will be sufficient.

EU Commissioner for Justice, Consumers and Gender Equality Věra Jourová recently travelled to Washington DC to discuss the possibilities to replace the invalidated Safe Harbor data transfer framework. While negotiating with American officials, Secretary of Commerce Penny Pritzker in particular, the Commissioner took the time to meet with US civil society organisations on 13 November 2015.

On that occasion, the groups warned that without significant changes to “domestic law” and “international commitments” by the United States, a “Safe Harbor 2.0” will almost certainly fail. The NGOs recommended 13 proposals for the EU and the US that are necessary after the judgment.

Among other requirements, the NGO leaders have called for a comprehensive privacy framework in the US, which includes the establishment of an independent privacy agency and the modernisation of the Privacy Act of 1974, to provide for meaningful judicial redress for everybody, including non-US persons, whose data is stored by a US federal agency.

The paper argued that it is important to conclude the General Data Protection Reform (GDPR) by the end of 2015 and that the EU must keep or increase the level of protection for privacy and data protection. The EU should follow the opinion of the Article 29 Working Party, and ensure that “no portion of the GDPR lessens protections or reduces the rights of individuals within the EU” and that “harmonization of a high level of protection remains the goal.”

Additionally, the paper stated that the EU and the US should stand up for strong encryption, and reject any law or policy that would undermine the security of consumers and Internet users. Both parties should end the mass surveillance of people and the EU must ensure that fundamental human rights such as privacy are respected in the wake of political urgency for more intrusive surveillance laws and practices to generate a false assumption of a higher level of safety and security.

Finally, the organisations propose that the EU and the US should commit to an annual summit with the full participation of civil society organisations to assess progress toward these goals.

Commissioner Jourová welcomed the comments of the civil society organisations.

NGO letter to Commissioner Jourová and Secretary Pritzker (12.11.2015)

Commissioner Jourova’s Speech at the Brookings Institute (16.11.2015)

Fortify New US-EU Data Transfer Pact, Privacy Groups Urge, Law360 (13.11.2015)

Article 29 Working Party: Statement on Safe Harbor (16.10.2015)

US House: Hearing on Safe Harbor (27.10.2015)

EU High Court: Press Release on Safe Harbor Decision (06.10.2015)

EPIC: Max Schrems v Irish Data Protection Commissioner (Safe Harbor)

The New York Times: “Digital Privacy, in the U.S. and Europe,” by Marc Rotenberg, Anna Fielder, Jeff Chester (13.10.2015)

(Contribution by Fanny Hidvegi, EPIC, US)



18 Nov 2015

Netherlands: Preliminary questions on blocking Pirate Bay access

By Guest author

On 13 November 2015, the Supreme Court of the Netherlands referred preliminary questions to the Court of Justice of the European Union (CJEU) with regard to blocking access to The Pirate Bay. The questions derive from a lengthy judicial procedure between a Dutch copyright enforcement organisation, the BREIN foundation, and two Internet access providers, Ziggo and XS4ALL.

In 2010 the foundation demanded that Dutch Internet providers block access to The Pirate Bay. When the above-mentioned providers refused to implement the measure, BREIN initiated judicial proceedings. In January 2012 the District Court of The Hague decided in favour of the claimant. From that moment onwards direct access to The Pirate Bay domain was blocked by several providers in the Netherlands. Two years later however, the Court of Appeal considered the injunction to be disproportionate and ineffective and annulled the aforementioned judgement. In its reasoning, the Court of Appeal attached great importance to earlier research conducted by an independent research institute, Netherlands Organisation for Applied Scientific Research (TNO). Analysis of XS4ALL networking information after the injunction had come into force did not show a significant decrease in peer-to-peer traffic in the Netherlands. The research indicated that the IP blocks were largely circumvented by Internet users, and did not result in less copyright infringing activities. Furthermore, the Court of Appeal found it incomprehensible that BREIN did not take legal action against similar torrent indexing websites. BREIN appealed to the Supreme Court arguing, inter alia, that the Court of Appeal misinterpreted the term “effectiveness”.

On 13 November, the Supreme Court referred preliminary questions concerning the statutory grounds for an injunction to the European Court of Justice. Pursuant to article 8(3) Copyright directive and article 11 Enforcement directive, the judiciary may impose injunctions on intermediaries with regard to services that are used by a third party (e.g. Internet subscribers) for copyright infringing activities. Hence, the first question is whether indexing and categorising magnet-links (hyperlinks configured to work automatically with torrent software) on a searchable website must be regarded as a communication to the public and therewith as a direct copyright infringing activity. This question is necessary because unlike earlier cases, such as the Svensson case in February 2014, where hyperlinking to a previously published work was ruled by the CJEU not to be infringing copyright, the content available via The Pirate Bay is not determined by the website operator, but by its users. The second question, if the answer to the first question is negative, is whether the statutory grounds allow the national courts to impose an injunction nevertheless.

Answering the first question requires further explanation of article 3(1) Copyright directive. It should be noted that the term “communication to the public” is widely defined by the CJEU in its earlier case law, for example the Rafael Hoteles case (C-306/05) and Airfield case (C-431/09). However, the services provided by The Pirate Bay are only indirectly related to the copyright infringing activities. Not only do the users need additional software to be able to use the magnet-links on the website, but the copyright protected materials also need to be constantly uploaded by website users. As the Advocate-General put forward earlier, the underlying question is where to draw a line. As far as the second question is concerned, the Supreme Court refers to the earlier UPC Telekabel case (C-314/12). It follows that an Internet access provider qualifies as an intermediary, and can be ordered to take action to limit access to a website, if copyright protected material is made available to the public. Still, it is uncertain whether the statutory grounds allow for an injunction without any directly copyright-relevant activities taking place.

EDRi-gram: Dutch Internet providers forced to block The Pirate Bay (18.01.2012)

EDRi-gram: Dutch Court finds Pirate Bay blocking disproportionate (29.01.2014)

Decision Court of Appeal (only in Dutch, 28.01.2014)

Advocate-General’s advice (only in Dutch, 29.05.2015)

Decision Supreme Court (only in Dutch, 13.11.2015)

(Contribution by Bram de Vos, EDRi member Bits of Freedom, the Netherlands)



16 Nov 2015

#NetCompetition: A new broadband stakeholder alliance takes off in Brussels

By Heini Järvinen

Today, 16 November 2015, consumer organisations, digital rights advocates, competitive broadband operators and others joined forces to form a new alliance: #NetCompetition.


Ahead of the upcoming review of EU rules governing telecoms, the alliance wants to send a message loud and clear to EU policy makers: Broadband is there to serve society at large and all users deserve real choice, innovation, freedom of communication and affordable services.

The coalition supports the #NetCompetition principles, which aim at fostering competition, digital rights, business diversity, economic pluralism and consumer benefits.

“Broadband markets routinely score badly with EU consumers but are vital to use digital services. Competition is the best recipe to prevent EU consumers are not at the mercy of a handful of big players”,

said Monique Goyens, Director General of The European Consumer Organisation (BEUC).

“Liberalisation is not just an economic issue – protecting liberalisation is protecting innovation, choice and freedom of communication”,

added Joe McNamee, Executive Director of European Digital Rights.

Broadband markets naturally tend to form oligopolistic or monopolistic structures. As a result, markets need to be continuously shielded against foreclosure, excessive concentration and attempts of re-monopolisation. In this context, the main objective of EU lawmakers should be to protect users particularly by promoting competition in open networks.

“Our customers, consumers and businesses alike, are asking for more choice and freedom to access the internet. All we ask is clear rules allowing us to invest and to compete to gain their trust”,

said Lisa di Feliciantonio, Fastweb’s public affairs director.

#NetCompetition supporters believe that the US broadband market serves as a warning example: less competition raises prices, delivers poor services and creates traffic discrimination while failing to provide a higher level of network investment. Evidence shows that there is no possible trade-off between competition and investments; on the contrary, large companies have an incentive to invest only when they are subject to competitive pressure.

The #NetCompetition alliance is open and so far includes consumer and user groups BEUC, ConsumentenBond, OCU, EDRi and Access Now; industrial ICT users association INTUG; the association of Italian ISPs AIIP; alternative broadband providers QSC, Fastweb, BREKO, the German competitive broadband providers association, Voiceworks and the global ISP Cogent.

The alliance will be formally launched today at the annual conference of the European Competitive Telecommunications Association (ECTA) in Brussels. Its role will be to draw attention to the importance of a healthy, competitive EU broadband market for the benefit of the economy and the entire society.

More info at

Phone: +32 (0)484 403 455


04 Nov 2015

Minister of Interior and National Police Force win Dutch BBA 2015

By Guest author

Amsterdam hosted four big privacy conferences in October 2015: the Amsterdam Privacy Conference and the Privacy Law Scholars Conference, both for academia, the International Privacy Conference for regulators, and the Dutch Big Brother Awards, organised by EDRi member Bits of Freedom on 29 October in Stadsschouwburg.

The winner of the Big Brother Audience Award is the Dutch Minister of the Interior, Ronald Plasterk, for his plans for the most far-reaching surveillance measures for secret services the Netherlands has ever had, while ignoring the broad societal criticism. Everyone was encouraged to propose nominations for the Audience Award through the website. The three candidates that were mentioned most frequently were automatically shortlisted for the final vote. Ronald Plasterk won with 57 percent of the total votes. The other nominees were the insurer Achmea, for undermining the solidarity (on which insurance is normally based) in exchange for big data, and Microsoft, for the privacy infringements in Windows 10.


The National Police Force won the Expert Award for its engagement in “Predictive Policing” based on big data. This should, they believe, predict criminal acts, but a more probable consequence will be that instead of criminal behavior, non-standard behavior will be identified by the system. For the Expert Award, Bits of Freedom had asked several privacy experts to propose candidates that might have had less media attention, but still deserve a nomination. Besides the National Police, the nominees were the Van der Valk hotel in Hengelo, the Netherlands, for systematically and voluntarily handing over guest registrations to the police, and again Ronald Plasterk, for his proposal for a new Intelligence and Security Services Act.

The positive Award, the Felipe Rodriguez Award, was presented to Max Schrems for his outstanding contribution to privacy. Through the different court cases he put both Facebook and the American secret services in the spotlight. Previously the Positive Privacy Award was named after Winston, the protagonist of Orwell’s novel “1984”. This year, it was renamed to honor Felipe Rodriguez, one of the founders of XS4ALL, which is one of the first Internet Service Providers (ISPs) in the Netherlands, and of De Digitale Stad, the first Dutch Freenet. His work was essential to both Bits of Freedom and to the Dutch digital civil rights movement. Felipe passed away on 6 October, but his life story shows how much difference an individual can make. By renaming the Award, Bits of Freedom hopes others will be inspired by his work for privacy and freedom on the Internet. Max Schrems was the first to receive the Felipe Rodriguez Award. Schrems is the founder of “Europe vs. Facebook” and the initiator of the “Safe Harbor” case, in which the European Court of Justice (CJEU) concluded that the European Commission’s eponymous agreement with the United States failed on both a procedural and practical level to protect Europeans’ privacy rights.

Dutch Big Brother Awards

Big Brother Awards 2015 (video)

Amsterdam Privacy Conference

Privacy Law Scholars Conference

International Privacy Conference

(Contribution by Daphne van der Kroft, EDRi member Bits of Freedom, The Netherlands)



04 Nov 2015

Smart Borders package: Unproportionate & unnecessary data collection

By Diego Naranjo

“The proposal is fear-driven and fear-triggering at the same time, placing emphasis on a putative need to protect the EU from those coming from outside.”

(Extract from EDRi’s response to the consultation)

In an attempt to overcome the failed proposal from 2013 on the Smart Borders package, the European Commission launched a consultation to prepare a revised text, to which EDRi submitted its response on 29 October 2015. The new EU Entry/Exit System (EES) plans to extend biometric ID checks to all non-EU nationals entering or leaving the EU. Despite the numerous questions about the costs and serious implications to civil liberties raised in relation to the 2013 proposal, the European Commission seems decided to give it another try.


The Smart Borders Package, which is aimed at improving the management of migratory flows, consists of three legislative proposals: (1) a Regulation establishing an EU Entry/Exit System (EES); (2) a Regulation establishing a Registered Traveller Programme (RTP); and (3) a Regulation amending the Schengen Borders Code to take into account the establishment of the EES and the RTP.

EDRi submitted the position that such a vast collection of sensitive personal data risks undermining the right to privacy of millions of people. Like any other restriction of fundamental rights, this measure needs to be guided, inter alia, by the necessity and proportionality test of Article 52.1 of the Charter of Fundamental Rights of the European Union. The new entry system could include biometric ID checks including the collection of ten fingerprints and facial images. The Commission has yet to demonstrate clearly why these privacy-invasive measures are necessary, effective and proportionate, and whether the system could operate without some or all of them.

In our submission we mentioned the need to learn from the case law of both the European Court of Human Rights (ECtHR) and the Court of Justice of the European Union (CJEU), and recalled that if an intrusive measure such as data retention was to be considered, the legislators would have the obligation to verify the “proportionality of the interference”. Therefore, no data retention mandates should be approved until a credible, independent test, proving compliance with CJEU and ECtHR case law has been conducted. In addition to the European courts, the issue of biometric databases has been the subject of debate in various Member States, for example in the French Constitutional Court.

Once the European Commission has analysed the responses, it will produce a legislative proposal. This proposal needs to take into account the concerns that were raised before and that are still under analysis by experts like the EU Fundamental Rights Agency. As we have seen with the Safe Harbor agreement and the Data Retention Directive, legislation which was in clear violation of EU core norms can lead to violations of citizens’ rights that can drag on for years, as well as costs for companies, citizens and the European courts. The Commission and the European Parliament cannot fail again and drag us into years of litigation, nor can they leave it to the CJEU to fix the breaches of fundamental rights law that they willfully or negligently foist on individuals. The EU needs to produce the right policies to achieve its goals, and stop suggesting the dragnet collection of personal data as the solution to all European problems.

Response from EDRi to the Smart Borders Consultation (29.10.2015)

EDRi-gram: France: Biometric ID database found unconstitutional (28.03.2012)

Biometric data in large EU IT systems in the areas of borders, visa and asylum – fundamental rights implications

(Contribution by Diego Naranjo, EDRi)