security & surveillance

While offering vast opportunities for exercising and enhancing fundamental rights, the digital environment also offers both opportunities to commit new offences and to impose new restrictions on our online rights. Measures such as filtering, blocking and untargeted surveillance are often easy to implement and extremely difficult to rectify. EDRi therefore works to ensure that all security and surveillance measures are necessary, proportionate and implemented based on solid evidence.

10 Feb 2016

Holland and India prohibit zero-rating: the first of many?


The principle of net neutrality requires that internet access providers carry data without discrimination on the basis of origin, destination or type of data. Net neutrality prohibits telecoms operators from blocking or degrading content, applications or services. From a telecom operator’s perspective, the goal is to move away from the “any-to-any” principle that is a key characteristic of the Internet, to a situation where they can sell access to their own customers.


One aspect of net neutrality which has been subject to debate is ‘zero-rating’, which is a practice where data downloaded from certain applications or services is not counted towards a subscriber’s monthly limit. Zero-rating practices run contrary to net neutrality. ‘Positive discrimination’ allows telecoms services to collude with online services and grant them a competitive edge, thereby threatening competition and innovation and ultimately the open and free nature of the Internet.

While being different from more blatant blocking/throttling strategies, zero-rating ultimately achieves the same goal – it allows telecoms operators to sell privileged access to their customer base.

Zero-rating now seems to be losing ground. One of the largest zero-rating projects has been Facebook’s FreeBasics programme, which offers monetarily “free” access to a limited number of Facebook-approved services, with the telecom operator charging the customer for access to all other content. Civil society groups in India have heavily criticised this development, arguing that Facebook is attempting to create a second-class internet for developing countries. EDRi, too, has joined their ranks in a co-signed letter calling on Facebook’s CEO to refrain from these practices. Now, in a resounding victory for net neutrality, the Telecoms Regulatory Authority of India (TRAI) officially banned FreeBasics and other zero-rating schemes (PDF) on 8 February 2016.

Closer to home, it has become clear that zero-rating is also prohibited under the Dutch conception of net neutrality. Since the adoption of a pioneering net neutrality law in 2011, article 7.4 of the Dutch Telecommunications Act prescribes that: ‘Internet access providers shall not make their rates for internet access services dependent on the services and applications which are offered or used via their services.’ Nevertheless, Vodafone had granted their users unlimited access to the app HBO Go without this being counted to monthly data caps. When Dutch authorities fined them 200,000 EUR for this policy, Vodafone went to court claiming that their zero-rating was not prohibited under the net neutrality law. However, in their judgment of 4 February 2016, the Rotterdam District Court ruled against Vodafone, reaffirming that the legislation on net neutrality adopted by the Dutch legislator also covered zero-rating.

For Europe, the future of zero-rating has not yet been decided. National net neutrality rules in the Netherlands and elsewhere will soon need to be updated to comply with the upcoming EU Regulation on net neutrality and roaming charges, applicable from 30 April 2016 onwards. Under this instrument, the legal status of zero-rating is not entirely clear. While the Dutch legislator has taken the preliminary view (PDF) that the Regulation will also prohibit (certain forms of) zero-rating, the prohibition is in any case less clear than the current Dutch law and could create higher burdens of proof for enforcement action. Given this ambiguity, the Body of European Regulators for Electronic Communications (BEREC) is set to play a crucial role, as they seek to agree on a common interpretation of the Regulation’s rules. Its implementation guidelines could either reaffirm or undermine the positive developments seen in the Netherlands, and will have a lasting impact on net neutrality and the innovative online ecosystem throughout Europe. It would be particularly unfortunate if large telecoms operators were able to construct new barriers in the online world in Europe at the same time as the European Commission’s “digital single market” initiative seeks to tear them down, and at the same time as a more progressive approach is being taken elsewhere in the world.

Many therefore hope that BEREC will take India and the Netherlands as best practices and embrace a clear, unambiguous approach to net neutrality. A first big step in this direction will be responding to BEREC’s upcoming consultation, planned for June 2016, and taking a firm stance against zero-rating and all other forms of data discrimination.

EDRi-gram: Net neutrality: Freedom also means banning positive discrimination (25.02.2015)

EDRi-gram: Netherlands: Two telcos fined for net neutrality violations (11.02.2015)

Rotterdam District Court, Decision Libertel BV v ACM (only in Dutch, 04.02.2016)

EDRi-gram: EDRi’s first input on EU regulators’ net neutrality guidelines (13.01.2016)

Regulation (EU) 2015/2120 on net neutrality and roaming charges (25.10.2015)

TRAI: ‘Prohibition of discriminatory tariffs for data services’, press release (08.02.2016)

TRAI: ‘Prohibition of discriminatory tariffs for data services’, full document (08.02.2016)

(Contribution by Paddy Leerssen, EDRi intern)



10 Feb 2016

MTE v. Hungary: the ECtHR rules again on intermediary liability


On 2 February 2016, the Fourth Section of the European Court of Human Rights (ECtHR) returned to the matter of intermediary liability. In ‘MTE and Index v. Hungary’, the ECtHR held that freedom of expression as recognised in Article 10 of the European Convention of Human Rights was violated. The court had to decide whether a non-profit self-regulatory body of Internet content providers (MTE) and an Internet news portal (Index) were liable for offensive comments posted on their websites.


In an earlier decision, the controversial case of Delfi v. Estonia in October 2013, the ECtHR held that an Internet news portal could be liable for the offensive online comments of its readers, and found that Delfi’s liability could be a justified interference with freedom of expression. Consequently, great attention was paid to MTE and Index v. Hungary, as it could be an opportunity for the court to set a more nuanced interpretation on the matter. The facts can be summarised as follows:

The applicants were Magyar Tartalomszolgáltatók Egyesülete (“MTE”) and Zrt (“Index”). On 5 February 2010, MTE published an article criticising two real estate management websites’ business practices. Index wrote about that article on its website, and copied its full text. Both articles attracted comments from readers attacking the real estate websites in question. In response, the two real estate websites brought a civil action against Index and MTE. The Hungarian courts found that readers’ comments were offensive and unlawful, and that Index and MTE were liable for those comments.

After exhausting all local remedies, Index and MTE brought the case before the ECtHR. In its judgement, the Court held that their right to freedom of expression was violated. At the same time, the Court specified that the present case was different from the Delfi case as the comments were “notably devoid of [their] pivotal elements of hate speech and incitement of violence”. Also, it clarified that Delfi was a commercially run Internet news portal, whereas one of the applicants in this case was not (MTE).

However, “the Court considered that the Hungarian courts, when deciding on the notion of liability of the applicants’ case, had not carried out a proper balancing between competing rights involved, namely between the applicants’ right to freedom of expression and the real estate websites’ right to respect for its commercial reputation”.  Accordingly, the Court considered Article 10 of the European Convention of Human Rights had been breached.

It is interesting to note that the Court gave a new interpretive pattern for the Delfi ruling. New perspectives were raised with regard to the notice-and-take-down system, which now seems to be legitimate in the eyes of the Court. In fact, in the same ruling the ECtHR “found that if accompanied by effective procedures allowing for rapid response, the notice-and-take-down-system could function in many cases as an appropriate tool for balancing the rights and interests of all those involved”. This would reduce what was decided in the Delfi case, which appeared to encourage the duty of general monitoring of information. Now, the scope of that ruling appears to be narrowed to cases of hate speech and incitement to violence.

Even if this case could seem to set a more positive interpretation on the matter of intermediary liability, the truth is that the Court continues to ground its interpretative approach in the Delfi case. This confirms what EDRi already observed in its paper for the Council of Europe on Human Rights violations online: “The current enforcement mechanisms used to fight hate speech, defamation and other online infringements, that are often supported and encouraged by courts, may go too far and impair legitimate rights of internet users as a collateral effect”.

In conclusion, the ECtHR seems to be willing to depart from the much criticised Delfi ruling, but it seems to be limited in its ability to do this.

EDRi-gram: ECtHR: Internet News Portal Liable For The Offensive Online Comments (23.10.2013)

EDRi paper “Human Rights Violations Online” for the Council of Europe (04.12.2014)

Free expression vs reputational rights: liability of online intermediaries (02.02.2016)

MTE v Hungary: is the ECtHR rewriting Delfi v Estonia? (02.02.2016)

(Contribution by Elisabetta Biasin, EDRi intern)



10 Feb 2016

David Kaye calls on companies to defend freedom of expression

By Maryant Fernández Pérez

The United Nations (UN) Special Rapporteur on freedom of opinion and expression, David Kaye, is conducting a project on the “responsibilities of the Information and Communication Technologies (ICT) sector to protect and promote freedom of expression in the digital age”. The UN Special Rapporteur made a call for input to help him identify actors with the ability to impact freedom of expression, and to point out current legal issues and practices to resolve them. EDRi submitted a response to the questions asked by the rapporteur.


What kind of “intermediaries” have the ability to impact freedom of expression?
The answer is tricky, as any individual, legal entity, animals, robots, “connected things”… can have an impact on freedom of expression. In its submission to David Kaye’s call, EDRi focused on the list provided by Section 104 of the rejected Stop Online Piracy Act (SOPA), i.e. on traditional intermediaries, which range from payment providers, Internet search engines to domain name registrars. Despite being rejected, SOPA’s approach was broadly adopted by the US via “voluntary” agreements, which give rise to extraterritoriality, constitutionality, predictability and redress issues.

What are the legal issues that may arise from intermediaries’ activities?
One could write pages and pages about unfair contract terms, jurisdiction, applicable law, constitutional rights, human rights, fundamental freedoms, balance of corporate incentives, liability and “safe harbours”, “voluntary” or “self”-regulation. EDRi decided to concentrate its submission on some of the issues outlined by the UN Special Rapporteur himself. For instance, EDRi addressed problems related to transparency, content regulation, intermediary liability and balance of rights, political power of online companies, security and privacy, remedies and preventive measures.

After our submission, there have been some instances that exemplify some of the issues outlined above. We’ll consider three.

First, there are companies which can influence greatly your freedom of expression without even having a direct link to you. For example, if you run a start-up and your content is blocked under Facebook’s zero rating programme, Free Basics, and you don’t have the money to reach an agreement with Facebook, your freedom to impart information is quenched. The good news is that countries like India have banned these practices.

Second, Paypal has unilaterally terminated UnoTelly’s account due to infringements of its vague terms of service, including alleged copyright violations. UnoTelly provides Virtual Private Networks (VPN) and SmartDNS tools which can be crucial to inter alia protect people’s privacy rights. PayPal removed its services unilaterally, without warning UnoTelly or offering an appeal mechanism.

The third example is a result of the European Commission’s launch on 3 December 2015 of the IT-Forum (PDF). Its purpose is to have a dialogue, i.e. to bully, Internet companies to “voluntarily” solve the complex issue of terrorism and the problem of “hate speech”. It is no coincidence that companies like Google or Twitter have put out press releases communicating on their efforts to counter terrorism online, which include content take downs or suspension of accounts. This can lead to false positives, human errors and censorship. It can also be ineffective and have counter-productive effects. For instance, it is very easy to set up another account and publish the same content over and over again, leading to a Whac-A-Mole game that never stops – or lead to the victimisation, or perceived victimisation of ethnic or religious groups. In addition, what are the incentives for companies to act for the public good and why wouldn’t they use such activities also for their own political benefit? Whose responsibility is it if anything goes wrong? Are we sure we want companies to further arbitrarily manipulate discourse online? What about the evidence needed for law enforcement authorities? Is the aim to ensure that the law is enforced or for terms of service to be enforced?

So what can you do to tackle those issues?
There are several approaches to empower companies to stand up against coercion from governments and to respect human rights, including freedom of expression and opinion. It is important for the UN Special Rapporteur to explore whether legally binding and enforceable obligations for companies to respect human rights online would be a suitable option. In June 2016, David Kaye will present a preliminary mapping report to the Human Rights Council. We are looking forward to it.

UN Special Rapporteur’s call for submissions: Freedom of expression and the private sector in the digital age

EDRi submission to UN Special Rapporteur David Kaye’s call on freedom of expression and the private sector in the digital age (29.01.2016)

Indian regulator stands up for Net Neutrality, rules against zero-rated services (08.02.2016)

PayPal Starts Banning VPN and SmartDNS Services (05.02.2016)

EDRi position on the IT-Forum (16.12.2015)

EDRi-gram: documents content takedowns by companies (16.12.2015)

Twitter: Combating Violent Extremism (05.02.2016)

Google to deliver wrong ‘top’ search results to would-be jihadis (02.02.2016)

(Contribution by Maryant Fernández Pérez, EDRi)



10 Feb 2016

Romanian cybersecurity law reloaded

By Guest author

In January last year, the Romanian Constitutional Court declared the cybersecurity law unconstitutional in its entirety. Details of the content of the law and the (lack of) transparency of the decision-making process have been previously covered on the EDRi website (for reference see here and here).


This year, a new cybersecurity law proposal has been published. The paradox is that the text of the law brings few changes. The same vague definitions are kept, the subjects of the law could be basically all legal persons in Romania and the same security institutions have been awarded with various responsibilities in the cybersecurity field. Still, we notice one improvement: access to data can be obtained only with a court order (in the previous version of the law access to the data at a simple reasoned request could be granted to nine different military type authorities, who all had responsibilities towards topics of cybersecurity). However, introducing the mandatory court order is only one small step and it does not make the law much less restrictive of fundamental rights.

Although the explanatory document accompanying the law mentions the fact that the law is meant to protect personal data in the digital field, neither the Law on data protection, nor the Romanian Data Protection Authority are even mentioned. Thus, there are only generic mandatory security breach notifications, irrespective of whether personal data have been affected as part of the breach.

What’s more, the explanatory document does not contain any reference to the Network Security Information (NIS) directive which has recently been agreed by the European institutions and it is only a few steps away from formal adoption. Therefore, the new cybersecurity proposal not only disregards the previous Constitutional Court decision, but it also does not appear to take the text of the directive into consideration. How is it possible for a member state to adopt a law that is automatically obliged to change again after a maximum of 21 months (given the period for implementation member states have to comply with after the NIS directive is formally adopted) if it is not in line with the European text?

The draft law was published on the Ministry for Communication and for Information Society website on 27 January 2016, but announced one day later. Although it is not specifically mentioned, presumably the period for public comments is the ministry’s very short standard consultation period of 10 days. The proposal also lacks a financial assessment and an impact study.

A day after its publication, on 28 January, the proposal attracted sufficient media coverage and the civil society reacted promptly by sending requests for a public debate and asking the ministry to extend the period for receiving public comments to 30 days, as it is bound to do by the requirements of the transparency law. The letter was also sent to the newly formed Ministry for Public Consultation and Social Dialogue, hoping that direct measures will be taken in this case to ensure that all the transparency obligations will be met.

This is how we spent part of the Data Protection Day. We hope yours was better!

Romanian Constitutional Court Decision nr. 17/2015 on cybersecurity law (21.01.2015)

Romanian Cybersecurity Law Sent to the Constitutional Court (29.01.2015)

Icing on the Cake: Romanian Cybersecurity Law Unconstitutional (29.01.2015)

Cybersecurity law proposal 2016 (draft text in Romanian)

Cybersecurity law proposal 2016 (explanatory memorandum in Romanian)

The new cybersecurity law and why it is no different than the other (in Romanian, 29.01.2016)

Letter asking for public debate (in Romanian)

The second version of the Romanian cybersecurity law or how we celebrated International Data Protection Day (in Romanian, 28.01.2015)

(Contribution by Valentina Pavel, ApTi)



04 Feb 2016

EDRi co-hosts the Privacy Camp, 26 January 2016


In the run-up to the CPDP conference in Brussels, civil society groups met at the fifth annual Privacy Camp to exchange views and develop new strategies. This year’s conference took place under the title “The Multiple Ways of (De/Self)-Regulation: What is at stake for Human Rights?” and included various panels and speakers from around the EU and the US involved in privacy activism. For those who missed it, we’ve provided an overview of the sessions (conference programme) below.

9:30-11:00 Opening session: Lobby X-Factor

Judges: Jennifer Baker (independent EU tech journalist), Olivier Hoedemans (Corporate Europe Observatory) and Cristian Bulumac (EU Parliament, Greens/NGL). Candidates: Raegan MacDonald (Mozilla), Walter van Holst (Vrijschrift), Joe McNamee (EDRi). Moderator: Rocco Bellanova (USL-B)

Privacy Camp kicked off with the greatest game show in the world: Lobby X-Factor. Three high-powered jury members, three world-class privacy pundits, and one proposed amendment to EU law. In order to determine an undisputed champ of EU privacy lobbying, candidates were challenged to persuade the jury of a proposal: let’s force all visitors to the Middle East to wear a tracking bracelet which uploads a selfie to a law enforcement app once per day.

Our host Rocco Bellanova first introduced the jury, composed of none other than Jennifer Baker, Olivier Hoedemans and Cristian Bulumac. Not easily impressed, it was clear from the start that contestants would have to bring their A-game to convince the Eurobubble veterans.

First off was Joe McNamee, who employed a broad range of tried-and-tested lobbying tactics. From bribing his targets with chocolate and alluding to comfy career opportunities, to simply shouting the word ‘freedom’, it was clear that Joe knew all the tricks in the lobbying book.


Raegan MacDonald displayed a markedly different style which one might call the ‘classic’ lobbying approach. The audience was amazed at her effortless stroll through the Brussels Bullshit Bingo, eliciting ‘oohs’, ‘ahs’, and riotous applause with each successive reference to synergy, stakeholders, security and innovation.

Walter van Holst took a maverick approach by focusing above all on unflinching honesty. He laid himself bare, explaining how his mortgage financing troubles had left him with no loyalty other than to his employer – therefore, the ideal lobbyist.

After tallying votes from the audience and jury members, it was Joe McNamee who took home the prize. We look forward to next year’s Privacy Camp to see if anyone dare take on our champ. Following a brief award ceremony, the participants also reflected on the real-world lessons to be learned from this experience. Bulumac noted how different strategies might be needed for different ‘targets’: while Joe’s Silicon Valley rhetoric might be able to charm assistants and younger staff, he believed that Raegan’s tried-and-tested buzzwords were unbeatable when it comes to persuading MEPs themselves. Clearly, the X-Factor was not just humorous (and dare we say glamorous?), but also educational.

11:30-12:45 Safe Harbor 2.0: a stillborn project?

Moderation: Diego Naranjo (EDRi). Speakers: Gloria Gonzalez Fuster (Vrije Universiteit Brussel), Laurent Lim (CNIL) and Marc Rotenberg (EPIC).

Following a brief introduction by Diego Naranjo, Laurent Lim kicked off the discussion by describing CNIL’s activities with regard to the Safe Harbour and international data transfers since the Schrems-decision. He also mentioned his personal skepticism of the Commission’s proposed reforms and the current viability of available alternatives (standard contractual clauses and binding corporate rules). Marc Rotenberg underlined Laurent’s conclusions by describing the shortcomings of US law in relation to international transfers. Gloria shared her experiences from visiting the US and the significance of the Schrems ruling in European law. After these opening remarks, the floor was opened for discussion with the audience.

Both Laurent and Marc shared the sentiment that reaching an agreement before 1 February seemed unlikely if not impossible. “It’s too late now, the clock has run out”, Marc said. “The necessary reforms won’t happen before Tuesday. I won’t even have done my laundry before then”. EDRi can’t speak to the current status of Marc’s laundry, but he and Laurent have certainly been proven right on the lack of substantive legal reform. Laurent also added that, in his personal view, following the previous three month grace period, the question of enforcement has also become a ‘matter of credibility’ for DPAs and data protection law.

Another point of discussion was the differences in public perception between the US and the EU. Marc emphasised the converging trends in this field, debunking the conventional wisdom that Americans are freedom-oriented and Europeans are dignity-oriented. Gloria added, however, that Europeans continued to see privacy and data protection as universal rights, whereas Americans appear more amenable to exceptionalism approaches.

The panel also discussed the responsibilities and discretion of DPAs in handling complaints. From the audience, Max Schrems commented that the CJEU did not rule on this issue in his case. Marc, however, suggested that a duty to handle this complaint is implied by the logic of the judgment. While no consensus was reached on this point, it was suggested that Commission investigations might provide an impetus for more active enforcement at national level, especially in light of the hundreds of complaints launched against the Irish Data Protection Commissioner.

Finally, the issue of data localisation was raised. The panellists quickly agreed to refrain from using the unhelpful term ‘balkanisation’ and also that this trend would not in any way ‘break the internet’. Gloria noted that localisation does not generally yield concrete results for the protection of privacy, but that it can be a useful bargaining tool when negotiating with US legislators. Marc echoed this notion, stating that localisation can have a ratcheting effect on levels of privacy protection.

11:30-12:45 TTIP, TiSA, CETA and Co.: Trade agreements and digital rights

Moderation: Maryant Fernández Pérez (EDRi) Speakers: Walter van Holst (Vrijschrift), Ralf Bendrath (European Parliament, Policy Advisor), Jan-Willem Verheijden (EU Commission, Trade in Services Unit, DG Trade), Delphine Misonne (USL-B)

The panel discussed the main issues of trade agreements (in particular TTIP, TiSA, CETA) and their impact on digital rights.

Jan-Willem Verheijden, EU Commission Trade Official, opened the debate. Referring to TTIP and TiSA, he argued that they do not include the protection of personal data and do not affect data protection laws. From his point of view, the topic of data protection would not be touched by trade agreements as they deal with fundamental rights, “which are not negotiable”. On the other hand, he observed that data flows are important for the US and EU.

The second panelist was Ralf Bendrath, senior policy advisor to Jan Albrecht MEP. He observed that the protection of personal data is not a trade barrier but a fundamental freedom to be respected. Another important point touched by the MEP policy advisor was that the TiSA general exception based on Article XIV GATS offers insufficient protection for EU data protection rules. He also expressed his dislike of the “national security exceptions” provisioned in TiSA. Furthermore, quoting the draft TiSA text, he was wondering why the Commission chose to copy only parts of the e-Commerce Directive dealing with the topic of spam into the agreement, instead of the entire section.

Walter van Holst then took the floor and highlighted various concerns of civil society, including cryptographic standards and bans on software source code disclosure requirements, before moving on to more general issues. He questioned the validity of touching so many regulatory areas through secretly negotiated, take-it-or-leave-it trade agreements. Topics like ISDS (Investor State Dispute Settlement) and the proposed regulatory cooperation in particular touch the fundamentals of our democracies and the rule of law. When the discussion arose about the necessity of multilateral or bilateral agreements instead of the existing GATT-frameworks, he pointed out that this had mostly to do with Brazil, India and China rightfully refusing to adopt US and EU-style IPR-legislation from which they have nothing to gain.

The final word was given to Delphine Misonne (USL-B researcher). In relation to TTIP, she criticised the ISDS system and stressed that the perceptions of the agreements’ issues are very different on both sides of the Atlantic. Having focused her academic research on environmental law, she also underlined that, regarding TTIP, there is a lack of public debate on environmental issues.

14:00-15:30 – Litigation activism and its future

Moderation: Ulf Buermeyer (Berlin Superior Court and CIHR). Speakers: Max Schrems (Europe vs Facebook), Adrienne Charmet (LQDN), Gus Hosein (Privacy International).

The panellists’ introductory remarks focused on their respective experiences with litigation activism. Common ground soon emerged, with the speakers stressing the high workload and related costs associated with litigation, and the importance of finding lawyers willing to provide expertise to help build a case. Gus Hosein added how Privacy International had benefited greatly from the strong tradition of pro bono work in Anglo-Saxon law firms.

A central theme was the importance of communications and PR throughout the litigation process. Gus warned against ‘hollow victories’; without the support of public opinion, favourable judgments may fail to lead to needed reforms – as occurred with the ECHR’s decision on prisoner voting rights in Hirst v UK. Max was praised for his effective communications strategies such as distributing FAQs to journalists directly after the judgment – in Gus’ words: ‘simple, correct, sexy’. Max advised to draft various statements in preparation for various possible outcomes. He also added that targeting large, popular companies is helpful in generating media attention, since journalists are eager to write on such issues. Adrienne described La Quadrature’s success with amicus curiae briefs to the Conseil d’Etat, for which they had crowd-sourced comments and feedback from over 500 participants.

The discussion also turned to the United States, where NGOs appear to litigate more actively. To explain this activity, US activist Marc Rotenberg (EPIC) pointed to the beneficial cost apportionment rules in the US which allow each side to bear its own costs (as opposed to the loser pays principle common in Europe). He also stressed the efficacy of amicus curiae briefs. However, downsides of the US system included the comparative difficulty of suing companies outside of a class action context, and the distribution of class action damages to non-neutral NGOs under the cy-près doctrine.

Other themes throughout the panel included the difficulty of finding lawyers trained in privacy and data protection law (and who don’t work ‘for the other side’); the balance between litigation before national courts and European courts; and the advantages brought by the General Data Protection Regulation regarding damage rules, collective redress and direct access to the CJEU.

The panel also discussed possible next steps in strengthening European litigation activism. They stressed the importance of international exchange and communication and combining resources from various actors. This could include technical expertise from the hacker community, litigation experience from professional lawyers, specialist legal knowledge from privacy activists and the financial means of larger NGOs such as consumer organisations. The need for a coordinating hub or network at European level was mentioned repeatedly. At these points, many eyes turned towards EDRi’s representatives in the room, although it was also acknowledged that these activities would involve a serious workload and require serious investments.

14:00-15:30 – Technology, regulation,…: What response to mass surveillance? (privacy by design & by default, obfuscation)

Moderation: Rocco Bellanova (USL-B and PRIO) Speakers: Eleanor Saitta (OpenITP and IMMI), Jérémie Zimmermann (La Quadrature du Net), Julia Powles (University of Cambridge and the Guardian)

The afternoon panel focused on mass surveillance and the possible responses to it. Eleanor Saitta spoke first. She argued that regulation is a key instrument and a cost driver (in other words, it can make surveillance more expensive), as it can lead companies towards different business models. Regulation is also important for innovation, and has a critical role in preserving our freedom to build solutions that prevail over surveillance. In this sense, regulation is a useful tool, as it gets the market to build infrastructure. Julia Powles (the Guardian and University of Cambridge) agreed on this point since, in her view, it is really important that regulation could lead the way to technology.

Jérémie Zimmermann then intervened in the discussion. In his opinion, the topic of mass surveillance represents a collective failure. The failure consists in the fact that, two years after Snowden’s revelations, no one had dared to bring legal action against the Safe Harbour agreement (only a student had this idea). A second failure is the battle to convince those inside and outside the institutions that privacy matters: “we may somehow give up on this elaborate bourgeois problem” and try to elaborate different communication strategies. We should pay attention to the concept of intimacy, which is different from the concept of privacy. Building on this, another failure enumerated by Jérémie Zimmermann was the fact that privacy campaigns did not reach the public in an extensive manner. Talking about regulation and technology is not sufficient, and a more cultural approach would be needed.

16:00-17:30 – Closing Session: New surveillance laws in the wake of Charlie Hebdo and 13/11

Moderation: Estelle Massé (Access) Speakers: Ton Siedsma (Bits of Freedom), Jim Killock (Open Rights Group), Anna Biselli (Digitale Gesellschaft), Agnès de Cornulier (La Quadrature), Jesper Lund (IT-Pol)

The closing session aimed to create a dialogue on new surveillance laws in the wake of the Charlie Hebdo and 13/11 events. The panel gathered NGO representatives from Bits of Freedom, Open Rights Group, Digitale Gesellschaft, La Quadrature, and IT-Pol. With this composition, the panel was intended for NGOs to share their views on possible next steps for joint campaigning on the issue of mass surveillance.

Agnès de Cornulier, representative of the French association La Quadrature du Net, took the floor first. She explained how 2015 was a black year for freedoms in France: many security measures were enacted, and the state of emergency has been unreasonably prolonged. Particularly, Agnès focused on the proposed bill on the state of emergency, expressing her concerns regarding measures for police searches of electronic devices, Internet censorship and freedom of association.

Ton Siedsma then explained the current situation in the Netherlands, following Minister Ronald Plasterk’s proposal amending the Dutch Intelligence and Security Act of 2002. He also pointed out that Bits of Freedom created an online consultation tool in order to help citizens respond to the public consultation on the security bill.

Jesper Lund spoke about the mass surveillance situation in Denmark, referring in particular to the Danish anti-terror proposal issued on 19 February 2015 and the new Danish PNR proposal.

The situation in Germany was covered by Anna Biselli, from Digitale Gesellschaft. First, she talked about the German political situation that led to the data retention bill proposal in June 2015. Secondly, she added that new draft legislation on public secret services should be announced in the first days of February 2016. Digitale Gesellschaft is waiting for it in order to analyse its contents.

(Contribution by Elisabetta Biasin and Paddy Leersen, EDRi interns)

04 Feb 2016

Press release: TiSA negotiations: the European Parliament’s strong position

By Maryant Fernández Pérez

On 3 February 2016, the European Parliament gave its opinion to the European Commission on what to do and what not to do with regard to the Trade in Services Agreement (TiSA). The European Commission is in charge of conducting the negotiations on behalf of the European Union. At the end of the negotiation process, the European Parliament only gets to give a final “yes” or “no” to trade agreements. Therefore, the European Parliament usually states its opinion and recommendations on trade agreements via non-legislative resolutions. In principle, this allows European Commission negotiators to know what elements of a deal would be likely to lead to rejection.

“We are pleased that, on a broad range of digital issues, the European Parliament is in line with EDRi’s position on TiSA. As the various leaks show, the European Commission’s views differ from those of the European Parliament in some key aspects,” said Joe McNamee, Executive Director of European Digital Rights.

The Parliament’s recommendations have been adopted at the right time, as the Commission is currently negotiating with the other 22 Parties to TiSA on some sensitive issues. EDRi welcomes and highlights the Parliament’s recommendations on:

  • transparency of the negotiations;
  • data protection in the context of data flows and the often confused issue of “data localisation”;
  • national security exceptions;
  • net neutrality and
  • net competition.

The European Parliament followed the recommendations of the International Trade Committee (INTA) and barely changed its proposed report. Some amendments passed, adding some points, such as the need for a mechanism to suspend or reverse commitments.

EDRi welcomes the Parliament’s recommendations on TiSA and urges the European Commission to respect them fully, or risk rejection of the entire deal once it is completed.

Read more:

TiSA resolution: what are you going to do about it? (3.02.2016)

TiSA: European Parliament ready to defend digital rights? (27.01.2016)

EDRi’s position paper on TiSA

TiSA resolution: document pool

03 Feb 2016

TiSA resolution: what are you going to do about it?

By Maryant Fernández Pérez

The Trade in Services Agreement (TiSA) is bizarrely and sadly not subject to the same public debate as other “trade” agreements, such as the Transatlantic Trade and Investment Partnership (TTIP) or the recently concluded Trans-Pacific Partnership (TPP). While some do not find TiSA as “sexy”, it still contains provisions that deserve all your attention.

Based on the leaked documents and limited public information available, EDRi has elaborated its position on TiSA to make sure digital rights are not forgotten in the discussions and that they can be duly respected. On 3 February 2016, the European Parliament updated its 2013 recommendations to the European Commission, which is ultimately in charge of conducting the negotiations on behalf of the European Union.

The Parliament’s resolution is timely because the 16th round of the TiSA negotiations is taking place this week. According to the European Commission, the negotiators of the 23 Parties to the TiSA are dealing with the subjects of transparency, e-commerce and telecommunications, among others.

According to the European Parliament, the Commission should endeavour to have the “highest level of transparency” and extend the European Ombudsman’s recommendations on transparency to TiSA documents. Interestingly enough, though, TiSA’s (leaked!) annex on Transparency addresses other types of “transparency”. For instance, some countries are proposing to undermine the right to regulate, both in this annex and the (also leaked) annex on Domestic Regulation. On this point, the Parliament is asking the Commission to legally secure the right to regulate, which EDRi welcomes (see p. 4 of our position).

Regarding e-commerce, we highlight the Parliament’s recognition of the value of protecting personal data when transferring data to third countries, which may include local data storage requirements for the specific purpose of data protection, but not forced data localisation. We also welcome the Parliament’s refusal to allow “any backdoors in technologies” or broaden the national security exceptions.

Concerning telecommunications, we highlight the Parliament’s recommendation to promote net competition and to safeguard net neutrality.

In a nutshell, the Parliament followed the recommendations of the International Trade Committee (INTA), adding some points such as the need for a mechanism to suspend the agreement or reverse commitments. Now the question is whether the European Commission will succeed in integrating the (unfortunately non-binding) Parliament’s recommendations into the final text of TiSA. Amendments to INTA’s report were put forward in plenary to ensure that the EU would withdraw from the negotiations if Parliament’s demands were not met. However, these amendments did not obtain a majority, undermining the strength of the message being sent by the Parliament.

The problem with bilateral or multilateral trade agreement negotiations is that you win on something in return for losing on something else. However, we believe the Commission should not use this excuse to disregard the Parliament’s (good!) recommendations on inter alia digital rights. As the UN independent expert Alfred-Maurice de Zayas pointed out, “[t]rade is not an end in itself” and in this sense countries must not “circumvent, undermine or make impossible the fulfilment of [their] human rights treaty obligations”. These include the right to privacy and the freedom of expression and opinion, which are also recognised as such under the EU Charter of Fundamental Rights, together with the fundamental right to data protection and many others.

03 Feb 2016

What’s behind the shield? Unspinning the “privacy shield” spin

By Joe McNamee

  • If there is a deal, why was nothing published?

This is standard practice for the European Commission. When an agreement is reached, the Commission launches a press release, but not the actual agreement. In this way, the Commission can control the amount of information available to journalists and the general public. It then launches the actual document once the press cycle is over and the details are no longer newsworthy.

  • Was there a deal?

Actually, there was no deal. The Commission had to announce something on 2 February in order to prevent regulators from starting enforcement action against companies that were (and, today, still are) transferring data illegally to the United States.

  • Is it strategically wise to announce a deal before discussions have been completed?

For the US, definitely; for the EU, it was strategically disastrous. As the EU has announced a deal, European negotiators have absolutely no leverage in the discussions around the detail of the agreement. Politically, it is impossible for the EU to reject anything that the US now proposes, because it is politically impossible for the Commission to abandon negotiations after it announced the completion of an agreement.

  • Are there significant questions to be addressed?

Yes. The US was so sure that it would be able to persuade the EU to capitulate in the negotiations that it adopted the flawed “Cybersecurity Act”. Under that legislation, a provision was adopted under which Internet companies (either voluntarily or under coercion) will be able to secretly share personal data with US authorities – in direct contravention of the ruling of the Court of Justice of the EU. Similarly, the previously announced but unpublished (see the first bullet point, above) Umbrella Agreement is seriously deficient and needs to be re-negotiated before it can be adopted. The EU now has no leverage to demand this. Finally, the crucial Judicial Redress Act has been amended by the US Senate in a way that means that individuals outside the US can only get redress if their government shares enough data with the US authorities.

  • Whose dictionary will be used?

A further major problem with the current approach is that the EU and US have different interpretations of the words being used. Under current US practice, collecting all information related to European citizens does not constitute processing of personal data and is targeted. Under current EU practice, such data collection is processing of personal data and is not targeted.

  • But at least the Commission will review this agreement every year?

Under the illegal Safe Harbor agreement, the European Commission was obliged to present an evaluation by July 2003. It failed to meet this obligation and submitted the evaluation one year and three months after the legal deadline. Part of the reason for this delay was the effort it took to re-invent the evidence to show that the failing agreement was actually working. The Commission was not held accountable for failing to meet this deadline. Similarly, under the Data Retention Directive, the Commission was obliged to produce an implementation report by 15 September 2010. It finally published its implementation report on 18 April of the following year. The Commission was not held accountable for failing to meet this deadline.

  • But at least the Commission will be able to suspend the agreement if it feels it is not being respected?

When the Commission saw in 2013 that the Safe Harbour agreement was not protecting EU fundamental rights (and as it most probably saw in 2004 also), it could have and should have suspended the agreement at that time. It took the political decision not to do this and was not held accountable for failing in its duties. Having “negotiated” the new “Privacy Shield” agreement, it would politically be even more difficult to suspend the deal. It is simply inconceivable that the Commission would suspend the agreement.

  • But at least there will be no mass surveillance any more?

It is true that some significant reforms have been made in the US – although often fixing quite absurd, undemocratic practices. For example, as a domestic reform, the US authorities have promised not to invent new meanings for legislation after it has gone through the legislative process. However, fundamental problems remain with the key mass surveillance measures, in particular Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12.333. A simple question needs to be asked: if the judicial body tasked with oversight of implementation of FISA can be “systematically misled”, if the author of the PATRIOT Act can complain of that legislation being “abused”, if a group of congressmen can credibly accuse the Director of National Intelligence of “lying to Congress under oath” then what trust can non-US citizens have in letters signed by an outgoing US President?

  • But at least there will be proper oversight of corporate exploitation of our personal data?

Not exactly. If an individual manages to work out what a privacy policy actually means, if that individual then is able to gain an insight into how the data are really being used on the other side of the Atlantic, in a different jurisdiction, they will have some – as yet very unclear – options. The “fact sheet” produced by the Department of Commerce is very disturbing in this regard. While the opening political fluff speaks of “vigorous enforcement”, the text makes no reference to proactive enforcement, referring only – and in very unclear terms – to dispute resolution.


02 Feb 2016

European Commission defence of European rights sinks in an unsafe harbour

By Joe McNamee

Following the decision of the European Court of Justice to overturn the EU/US “Safe Harbor” Agreement last year, EU/US negotiations have been ongoing to reach a new deal, which would facilitate transfer of data across the Atlantic. Having failed to reach an agreement before 1 February, the European Commission today announced plans to back down from defending the European Court’s ruling and to accept a new badly flawed arrangement.

“The emperor is trying on a new set of clothes. Today’s announcement means that European citizens and businesses on both sides of the Atlantic face an extended period of uncertainty while waiting for this new stop-gap solution to fail,” said Joe McNamee, Executive Director of European Digital Rights.

Among the proposals are an “exchange of letters” to permit Europe to receive assurances from the outgoing US President that non-US data will be processed in ways that are strictly necessary and proportionate – i.e. not subject to mass surveillance.

The new arrangement will rely on additional legal instruments, which are also likely to fail to achieve their intended goals. At a meeting in the European Parliament last night, Commissioner Jourová was asked repeatedly for her views on flaws in the crucial Judicial Redress Act and the EU/US Umbrella Agreement. She refused to address either problem.

Parliamentarians from across the political spectrum last night repeatedly accused the United States of not taking the negotiations seriously. Seeing fatal problems being built into the Judicial Redress Act, seeing the adoption of the secret data-sharing provisions in the Cybersecurity Act and seeing the lack of any meaningful reforms on the US side, it is hard to disagree.

Read more:

Why is Safe Harbour II such a challenge?

Access Now, EDRi on data protection: “No Safe Harbour 2.0 without reform on both sides of the Atlantic”

01 Feb 2016

EDRi’s work in 2015

By Kirsten Fiedler

Information technology has a revolutionary impact on our society. It has boosted freedom of communication and democracy but has also led to new approaches to surveillance and is increasingly used to impose restrictions on fundamental rights. In the past year, we worked hard to ensure that your rights and freedoms in the online environment are respected when they are endangered by the actions of political bodies or private organisations.

Sadly, 2015 was a year in which our rights and freedoms were endangered on multiple occasions. In response to the terror attacks in Paris, Europe’s governments were quick to react to the tragedy by calling for more surveillance, ignoring the failures of existing measures. At the EU level, this meant the rushing of anti-terror measures (Directive on combating terrorism), a big push for the adoption of the previously rejected proposal for the monitoring of air passengers (EU PNR) and the launch of initiatives to push Internet companies into voluntary censorship measures.

But there were also successes, especially with regard to data protection and the demise of the “Safe Harbor” agreement. Our key campaigns were heavily focused on driving a positive agenda – for a conclusion of the data protection reform package, for the upholding of equal access to the Internet (net neutrality) in Europe, and for a reform of the EU’s outdated copyright framework. For copyright, we want to improve access to knowledge and culture online, thereby indirectly reducing incentives for invasive enforcement mechanisms. We also worked on privatised law enforcement by Internet companies as well as trade agreements (both of which are horizontal topics that touch virtually all digital rights issues).

Last but not least, we’ve been preparing for the future. In March 2015, EDRi’s members agreed on a multi-annual strategy and decided on the organisation’s four key focus areas for the next years (data protection and privacy, surveillance, network neutrality and copyright reform).

You can find the full annual report 2015 here (pdf) and our transparency report there (png). You can also check out our press review 2015, our responses to public consultations last year and, last but not least, you can find a neat overview of our biggest achievements below:

Data protection and privacy

Privacy material


Surveillance material

Network neutrality

Our net neutrality material

Copyright Reform

Our copyright reform material

Privatised law enforcement

Our material on privatised enforcement

Trade agreements

Our trade agreements material

  • Document pool on the non-legislative resolution of the EU Parliament
  • Infographic to explain the legislative process of the resolution
  • Two booklets: EDRi’s “Red lines on TTIP” (pdf) and “TTIP and Digital Rights” (pdf)
  • Analysis of amendments tabled in various committees (e.g. in INTA, together with BoF)