A measure which would be illegal if implemented by a government should also be illegal if implemented by industry as a “voluntary” measure, as a result of government pressure or for public relations or anti-competitive reasons. However, as key international legal instruments, such as the European Charter of Fundamental Rights and the European Convention on Human Rights, as well as national constitutions are binding for states and governments, they are not directly applicable to other entities, such as private companies. As a result, there is a major trend towards governments persuading or coercing companies to impose restrictions on fundamental freedoms under the guise of “self-regulation,” thereby circumventing legal protections.

30 Jun 2015

Blurry, ambiguous “net neutrality” deal is an abdication of responsibility

By Joe McNamee

Fifteen months after the European Parliament voted in favour of clear protection for net neutrality in Europe, a messy, ambiguous “deal” was reached around 2am this morning. In the coming days, negotiators will finalise explanatory notes (known as “recitals”) which may add some clarity. However, the apparently deliberate ambiguity of the text agreed so far does not create much hope.

If approved by the Member States in the Council and European Parliament, we will have to wait for at least a full year before courts and regulators will start giving meaning to the agreement.

“What is the point of agreeing to adopt legislation that makes the legal situation less clear than it was before? Now we have text which could mean almost anything – we did not need more legal uncertainty,”

said Joe McNamee, Executive Director of European Digital Rights.

Key points of confusion:

  • Distinction between “specialised services” and the public internet. The “fast lane” services can only get this status if this is “necessary”. However, the current draft explanatory recital defines “necessary” so broadly that anything that is not a “general prioritisation” of traffic could, in principle, be covered. (Recital 11, Article 3.5)
  • The scope of the Regulation is defined in a way that does not fully cover the key issue of “specialised services”. (Article 1)
  • Not alone does the Regulation seek to define what a “legal obligation” for blocking/filtering might be (does this really need to be explained?), the definition is so badly drafted that it could cover activities that are not legal obligations – “measures giving effect to such Union or national legislation, in compliance with Union law, including [i.e. not limited to] with orders by courts or public authorities vested with relevant powers;” (Article 3.3.a). The current draft recital contains a 90-word sentence that has no obvious meaning.
  • Even though a draft recital explains that “specialised services” are only possible if they do not have a “negative impact of the provision of such services on the availability or quality of internet access services”, there is an obligation for Internet access providers to provide details of the “impact on the same end-user’s internet access services”. What is the agreement – that they can have an impact or they can’t? (Recital 11a and Article 4.3.c)

The “deal” was achieved after three months of “negotiations” between the EU Council (the Member States of the EU) and the European Parliament. At every stage, the Council simply refused to engage in a dialogue. Then, racing to meet the arbitrary deadline created by the end of the Latvian Presidency of the EU Council, this chaotic, sub-standard text was provisionally agreed.

Now that our political “leaders” have decided that they cannot make a decision, we must wait for unelected judges and regulators to do the hard work.

This is “just” a provisional agreement. First, the explanatory recitals need to be finalised. Then, the EU institutions need to decide if they are really prepared to create such legal uncertainty for European citizens and business. This will become clear in the coming weeks.

Please find our summary of recent developments here:


26 Jun 2015

Press release: Father of net neutrality warns EU’s proposals may “guarantee US dominance” online

By Heini Järvinen

Following high-level meetings with the European Commission this week, leading US Professor Tim Wu said he was “worried that the Internet in Europe will never recover if these proposals are adopted.” He added that, in relation to online services, the proposals may guarantee the dominance of US online services in Europe for years to come.

With regard to his meetings with the Commission, Professor Wu commented:

I don’t think the Commission should have a preference for a bad agreement rather than no agreement at all.

Joe McNamee, Executive Director of European Digital Rights said:

Professor Wu is a leading expert on the issue of net neutrality. It is crucial that European policy-makers take these warnings seriously.

The current situation in the European Union is critical. After the European Parliament adopted a strong first reading text in 2014, it is being subject to pressure from Member State governments represented in the Council and from the Commission. The Parliament has the democratic support not to concede to pressure and deliver net neutrality. You can help save the Internet through

Background information:

  • In 2013, Prof. Wu was named to National Law Journal’s “America’s 100 Most Influential Lawyers.”
  • In 2006 he was named one of Scientific American’s 50 people of the year.
  • In 2007, he was named one of Harvard University’s 100 most influential graduates by 02138 magazine.
  • From 2011 to 2012, Wu served as a Senior Advisor to the Federal Trade Commission.
  • Notably, Prof. Wu was the first person to coin the term “net neutrality”.

Photo by Sagmanbennettrobbins at English Wikipedia, CC BY-SA 3.0


25 Jun 2015

Democratic support for net neutrality is clear, as is Council’s stubbornness

By Maryant Fernández Pérez

All political groups in the European Parliament have made their support for net neutrality clear. Not alone did the European Parliament adopt a strong text in favour of non-discrimination on the Internet in 2014, but political groups representing the vast majority of the Parliament have made clear statements in favour of a neutral, innovative, democratic internet.

However, in three months of “negotiations” with 28 EU Member States represented in the Council of the European Union, the Council completely refused to show any openness to honest compromise. Even worse, in the last public Council meeting, nobody, either from the Commission or the Member States, was even prepared to say the words “net neutrality”.

Democratic support for net neutrality exists. It’s clear. Citizens want net neutrality, start-ups want net neutrality, civil society wants net neutrality, consumers groups want net neutrality, the youth wings of European political parties want net neutrality, online companies want net neutrality. And our representatives in the Council? The EU Council wants protectionist measures for a few ex-monopolies. Contact your MEPs to offer your support at and contact your national Telecommunications Ministry to find out why they are not representing you.



25 Jun 2015

General Data Protection Regulation: Document pool

By Diego Naranjo

In January 2012, the European Commission, following extensive consultations, published a draft Regulation. The initiative had three priorities – modernisation of the legal framework for the protection of personal data, harmonisation of the rules across the EU (proposing a single Regulation rather than a Directive that is implemented via 28 national laws) and maintaining existing levels of protection. These goals were to be underpinned by more efficient implementation measures.

After 3 years of discussion following the first proposal being made by the European Commission (and a first reading by the European Parliament that was finalised in 2014), the Council has decided to agree on a new text (a “general approach“) that will be the object of current trialogues.

The trilogue discussions between the three institutions officially started on 24 June 2015 with the first meeting in Brussels. In order to explain the process, we will be publishing information and analysis in this document pool. We will update this post as the negotiations advance.

If you would like to know more about specific parts of the Regulation, please go to EDRi’s detailed analysis on the original proposal made by the Commission at

Selected Documents (a more exhaustive collection of documents can be found on Carlo Piltz’ website):

The calendar of the negotiations is:

24.06.2015: Brussels  (subject to agreement with Commission and Council)
1st Trilogue Meeting on the Regulation
Draft Agenda:
Commitment for the Directive in Council
Agreement on the overall roadmap for Trilogue negotiations
General method and approach for delegated and implementing acts

– 14.07.2015: Brussels (subject to agreement with Commission and Council)
2nd Trilogue Meeting on the Regulation
Draft Agenda:
Territorial scope (Article 3)
International transfers (Chapter V)

– Further Trilogue roadmap
(All subject to agreement with Commission and Council)

Data protection principles (Chapter II)
Data subject rights (Chapter III)
Controller and Processor (Chapter IV)

Data Protection Authorities (Chapter VI)
Cooperation and Consistency (Chapter VII)
Remedies, liability and sanctions (Chapter VIII)

Objectives and material scope, flexibility public sector (Chapter I)
Specific regimes (Chapter IX)

Delegated and Implementing Acts (Chapter X)
Final provisions (Chapter XI)
Other remaining issues


22 Jun 2015

Net neutrality in critical danger in Europe. The time to act is NOW!

By Maryant Fernández Pérez

Last week, the European Parliament finalised its second compromise proposal on net neutrality, and sent it to the Member States (represented in the Council of the European Union) and the European Commission. This will now allow the Council and Commission to put pressure on the Parliament to accept a final compromise this week.

The new proposal is another major concession from the Parliament. It contains only the absolute minimum elements for net neutrality, while proposing incoherent, meaningless text on blocking of allegedly illegal content, and dangerous suggestions on “parental controls” (filtering of legal content).

The new compromise represents another surrender from the European Parliament, which continues to offer concessions to the Council, which continues to offer absolutely nothing in return. Everything appears to be building to the “end game”, where telecoms providers will be allowed to launch a new abuse (the end of net neutrality) in return for the end of an old abuse (mobile roaming charges).

So, what is the “score” in the negotiations so far?

What has the Parliament given up?

  • All of the proposed measures on radio spectrum;
  • The definition of (or even a reference to!) ‘net neutrality’, replacing it with a non-defined “open internet”, as the Council had suggested. Adding adjectives like “open” suggests there is a “non-open” Internet, which makes little sense outside countries like Iran;
  • The definition of specialised services;
  • Virtually all of the proposed measures on user rights;
  • Its proposal for the removal of irrelevant elements (like spam – unsolicited e-mails- or parental controls), which renders the scope of the Regulation unclear;
  • Its proposal to remove unclear text on blocking.

Ultimately, the Parliament has given up all of this in return for virtually nothing apart from minor concessions on roaming. Worse still, the Parliament has no strategy for the next round of negotiations – is this just another step towards giving up completely or is this is the final red line from the Parliament? We don’t know. We fear that they don’t know.

What has the Council given up?
Almost nothing, as all the Council’s proposals were virtually identical. Modifications made in the most recent texts went even further away the Parliament’s position and even worse than the Council’s initial position of 4 March 2015 in certain points.

What to do now?
Visit the campaign site. Through, anyone can contact her/his representative in the Industry committee of the European Parliament (ITRE) via phone, e-mail or social-media for free!

Technical meetings amongst the three institutions are scheduled for this week.
Contact your MEP: and remind him/her the four steps towards ensuring net neutrality:



17 Jun 2015

UK: Report of the investigatory powers review

By Guest author

A key report reviewing the UK’s legal framework governing surveillance commissioned by the Government and written by David Anderson QC, was released on 11 June 2015. The thrust of the report is a resounding call for wholesale reform of Britain’s surveillance legislation with it concluding that

“This state of affairs is undemocratic, unnecessary and – in the long run – intolerable.”

Anderson addresses a range of issues and makes more than 120 recommendations for legislative change. Many of these recommendations align with the demands made by Privacy International, EDRi members Open Rights Group (ORG) and Article 19 and their coalition partners in the Don’t Spy On Us campaign: making judges, not ministers, in charge of authorising surveillance, for example, and improving oversight and redress mechanisms.

However, Anderson’s report could have gone further. It is disappointing that he did not see fit to condemn the very idea of bulk interception (leaving that to the courts to decide). His report does not recommend providing equal protections to people no matter where they are in the world, nor does it remedy problems with national laws that claim extraterritorial reach. Key recommendations include:

  • The progression of any new surveillance powers – including the Communications Data Bill – should be halted. The report states that no compelling operational case has been made for previous government proposals such as the Snoopers’ Charter, and reiterates that any new proposals should be assessed with a “strict evidence-based approach” as well as a rigorous assessment of “lawfulness, likely effectiveness, intrusiveness and cost.” There can be “no question of progressing proposals” until such conditions are satisfied.
  • Judges, not ministers, should authorise warrants for the interception of communications. Rejecting Foreign Office recommendations that judicial authorisation might “disadvantage the UK” because judges would refuse applications for surveillance that Ministers would otherwise green light, Anderson retorts that “were it the case that Ministers might be tempted to issue warrants in circumstances where it is illegal to do so, that would seem to me a strong argument in favour of judicial authorisation.” ] Anderson’s proposals would add an additional and much-needed layer of accountability to Britain’s surveillance system, requiring police and intelligence agencies to have their application for interception scrutinised and signed of by a “judicial commissioner”.
  • Extraterritoriality provisions of the Data Retention and Investigatory Powers Act (DRIPA) that are an “unsatisfactory substitute” should be replaced. The long term goal must be a “multilateral arrangement” between states regulating access to information held across borders. A further analysis of cross-border information sharing was to have been provided in a separate report authored by Sir Nigel Sheinwald, but was recently shelved by the Government.
  • Intelligence sharing should be properly regulated and prescribed by law. Acknowledging there is no statute or code of practice governing how exchange of information between agencies should take place, it is recommended that new legislation defines as clearly as possible procedures for the receipt and exchange of intelligence including “an express prohibition on the use of foreign partners in any way that results in the circumvention of national legal standards.”
  • The Government must expressly avow to the public and explicitly regulate intrusive surveillance capabilities such as hacking and computer network exploitation, rather than maintaining a position of “neither confirm nor deny”. This extends, says Anderson, to techniques such as bulk collection and the use of bulk personal datasets, which was challenged this week by Privacy International in a claim before the Investigatory Powers Tribunal.
  • An Independent Surveillance and Intelligence Commission should be established, with the authority to notify individuals if their data has been subject to error and their right to take their case to the Investigatory Powers Tribunal.
  • The Investigatory Powers Tribunal should have its powers extended to enable it to make declarations of incompatibility with the Human Rights Act; there should also be a right of appeal on points of law from the Tribunal’s decisions.

A question of trust – Report of the investigatory powers review (11.06.2015)

Privacy International briefing on A Question of Trust: Report of the Investigatory Powers Review

Don’t spy on us

(Contribution by Eric King, Privacy International)



17 Jun 2015

EU continues push for travel surveillance by the back door

By Kirsten Fiedler

The European Commission has released its plans for providing financial support to national security measures. These plans, despite the absence of a legal basis, privacy concerns and a pending EU Court of Justice (CJEU) decision, include the financing of a European mass surveillance measure: namely the long-term storage and exchange of citizens’ air travel data, Passenger Name Record (PNR).

In 2013, the European Commission made 50 million euro available to fund the development of a PNR system in Europe. This sum was split between 14 of the EU’s 28 Member States for projects aimed at “setting up national passenger information units”. Now the Commission continues to introduce surveillance by the back door and announces to provide support to harmonise and “facilitate the exchange” between the individual national systems it previously helped to develop.

However, no legislative measure that would provide a sound legal basis for this EU-wide system has been adopted. For more than four years, the EU has been trying to introduce a Directive with a draft launched by the Commission in 2011 and extensive discussions in three European Parliament committees. In 2013, the key committee (Civil Liberties Committee, LIBE) rejected the proposal because it considered its measures to be disproportionate and privacy invasive – and now it is back in the Parliament. Following political charades and a subsequent referral back to the LIBE committee, the Parliament is expected to vote on the draft proposal before the end of 2015.

In the meantime, the EU Commission continues to release funds for a measure which has been considered in breach of fundamental rights by various bodies, including the European Data Protection Supervisor and the Fundamental Rights Agency.

The Commission’s 2013 grants for national systems contributed to a disharmony of the single market, instead of harmonising it. After releasing this first batch of money, the Commission argued that the development of the PNR system had nothing to do with the ongoing legislative discussions. Now, after having tried to use this fragmentation as a means to advance negotiations on the Directive, it moves on to resolve the problem it helped to create, by facilitating information exchange between the national systems – which is one of the main goals of the draft Directive. In this context, it would be interesting to hear the Commission’s justification of the new grant, as a selection criterion states that applicants must be able to demonstrate a “European added value of the proposed action”. The Parliament might soon be forced to recognise a fait accompli.

European Commission Annual Work Programme for 2015 for support to Union Actions under the Internal Security Fund, 8 June 2015

European Commission funds for national PNR systems, action grants 2012

Civil Liberties Committee rejects EU Passenger Name records proposal

PNR is back in the European Parliament

Timeline of the proposal for A Directive on the retention and use of PNR data

The proposed EU passenger name records (PNR) directive Revived in the new security context

(Contribution by Kirsten Fiedler, EDRi)



17 Jun 2015

Belgian Constitutional Court rules against data retention

By Guest author

On 12 June, following two actions for annulment brought independently, the Belgian Constitutional Court ruled against the mass collection of communications metadata. This ruling is line with a recent ruling from the Court of Justice of the European Union (CJEU) invalidating the directive that inspired the Belgian law.

The Data Retention Directive (2006/24/CE) adopted in the aftermath of the terrorist attacks in Madrid (2004) and London (2005) – and invalidated in 2014 -required telecommunication service providers or operators to retain communications metadata on each and every customer for between 18 months and two years. In July 2013, the Belgian Federal Parliament adopted, under an emergency procedure, a law and a decree transposing the Directive into Belgian law.

In February 2014, NURPA,, EDRi member Liga voor Mensenrechten and the Ligue des Droits de l’Homme (LDH) jointly initiated a crowdfunding campaign to finance an action for annulment before the Constitutional Court. The success encountered by the campaign – the 5 000 euro goal was exceeded in a couple of weeks – has shown how much citizens value their privacy.

In the ruling, the Belgian Constitutional Court reaffirms the importance of the right to privacy under the Article 22 of the Belgian Constitution, and recalls that any limitation of this right must be proportionate. Belgium joins the growing list of Member States in which the national transposition of the Directive was challenged successfully. It should be noted that it is currently not clear whether the European Commission plans to introduce a new proposal for the retention of communications data or not.

“This constitutional ruling should have the effect of a shock to our governments: they cannot expand indefinitely the massive surveillance of their citizens. There is an increasingly obvious imbalance between the respect for privacy and the legitimate need for security. This is what prompted LDH to make data protection and privacy our main themes for 2015,”

said Alexis Deswaef, President of LDH.

“The ruling of the Constitutional Court brings a breath of fresh air in a nauseating context where murderous acts of a few terrorists are enough to destroy the fundamental principles of rights and freedoms of our democracies. This should remind everyone that rights and freedoms are a constant struggle, even more so when the trend in Europe is the stacking of securitarian measures, as sadly demonstrated by the French case,”

concluded André Loconte, spokesman of NURPA.

The Constitutional Court repeals the transposition of the data retention directive (12.06.2015)

Avis de la Cour de justice de l’Union au sujet de la directive sur la conservation des données (12.06.2015)

Data retention in Belgium

Ruling in Dutch

Ruling in German

Status of data rentention Directive transpositions accross Member States

EU executive plans no new data retention law (12.06.2015)

(Contribution by NURPA, Belgium)



17 Jun 2015

Microsoft’s new small print – how your personal data is (ab)used

By Heini Järvinen

Microsoft has renewed its Privacy Policy and Service Agreement. The new services agreement goes into effect on 1 August 2015, only a couple of days after the launch of the Windows 10 operating system on 29 July.

The new “privacy dashboard” is presented to give the users a possibility to control their data related to various products in a centralised manner. Microsoft’s deputy general counsel, Horacio Gutierrez, wrote in a blog post that Microsoft believes “that real transparency starts with straightforward terms and policies that people can clearly understand”. We copied and pasted the Microsoft Privacy Statement and the Services Agreement into a document editor and found that these “straightforward” terms are 22 and 23 pages long respectively. Summing up these 45 pages, one can say that Microsoft basically grants itself very broad rights to collect everything you do, say and write with and on your devices in order to sell more targeted advertising or to sell your data to third parties. The company appears to be granting itself the right to share your data either with your consent “or as necessary”.

A French tech news website Numerama analysed the new privacy policy and found a number of conditions users should be aware of:

By default, when signing into Windows with a Microsoft account, Windows syncs some of your settings and data with Microsoft servers, for example “web browser history, favorites, and websites you have open” as well as “saved app, website, mobile hotspot, and Wi-Fi network names and passwords”. Users can however deactivate this transfer to the Microsoft servers by changing their settings.

More problematic from a data protection perspective is however the fact that Windows generates a unique advertising ID for each user on a device. This advertising ID can be used by third parties, such as app developers and advertising networks for profiling purposes.

Also, when device encryption is on, Windows automatically encrypts the drive Windows is installed on and generates a recovery key. The BitLocker recovery key for the user’s device is automatically backed up online in the Microsoft OneDrive account.

Microsoft’s updated terms also state that they collect basic information “from you and your devices, including for example “app use data for apps that run on Windows” and “data about the networks you connect to.”

Users who chose to enable Microsoft’s personal assistant software “Cortana” have to live with the following invasion to their privacy: “To enable Cortana to provide personalized experiences and relevant suggestions, Microsoft collects and uses various types of data, such as your device location, data from your calendar, the apps you use, data from your emails and text messages, who you call, your contacts and how often you interact with them on your device. Cortana also learns about you by collecting data about how you use your device and other Microsoft services, such as your music, alarm settings, whether the lock screen is on, what you view and purchase, your browse and Bing search history, and more.” But this is not all, as this piece of software also analyses undefined “speech data”: “we collect your voice input, as well your name and nickname, your recent calendar events and the names of the people in your appointments, and information about your contacts including names and nicknames.”

But Microsoft’s updated privacy policy is not only bad news for privacy. Your free speech rights can also be violated on an ad hoc basis as the company warns:

“We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to”, for example, “protect their customers” or “enforce the terms governing
the use of the services”.

So much for clearly understandable and straightforward terms of service.

Microsoft Privacy Statement

Microsoft Services Agreement

Windows 10, Microsoft and your personal data: what you need to know (only in French, 11.06.2015)

Microsoft provides privacy dashboard ahead of Windows 10 launch (04.06.2015)

(Contribution by Kirsten Fiedler and Heini Järvinen, EDRi)



17 Jun 2015

Our overview of the Digital Single Market Communication

By Joe McNamee

This article was originally published on the website of Friends of Europe

EDRi has published its analysis of the European Commission’s Digital Single Market Communication (PDF).

The European Commission’s launch of its Digital Single Market Strategy is undoubtedly a positive step, but is plagued with ambiguities, contradictions and an overall lack of leadership on key issues.

For too long, we have found ourselves in the ridiculous situation in which “progress” has meant new technologies complicating tasks that were once easy – such as selling or lending books – and in which European citizens and businesses have been tripping over the million-plus options for the national implementation of copyright laws, while internet users have been frustrated by the line, “not available in your country”.

The new structure of the European Commission is an encouraging start, as it allows a level of coordination and accountability that was previously impossible. Take internet service provider liability and voluntary law enforcement measures, for example. This was previously the responsibility of the Home Affairs, Internal Market, Communications Networks, Content and Technology, Trade and Consumer Directorates, as well as the Secretariat General of the Commission, each acting independently. Now, Commission Vice-President Andrus Ansip leads the Digital Single Market project as a team, providing accountability and structure.

If a Commission is going to act boldly and ambitiously, it must do so from the start of its mandate. And while the Commission is completely correct about the need to engender trust in the online space, the Strategy’s attempts to accommodate all the demands of all lobbyist groups has led to policies which will fail to achieve this trust, and show its willingness to be pushed off track.

The most serious example is the approach to online intermediaries. Responding to pressure from telecoms operators, the Strategy expresses concern that intermediaries are too powerful. The argument is not without merit except, in the very next section, the Commission argues, in response to pressure from copyright holders, that online intermediaries should be given more power, in order to undertake ad hoc policing activities. In the absence of any analytical information showing that this would be necessary, useful or legal, the Strategy’s accompanying “evidence” document descends into chaos, confusing unauthorised online content, illegal online content and legal but potentially harmful content, treating all as one issue. The dangers of this unsophisticated approach are very clear.

The same lobbying damage can be found in the proposals on personal data. While producing typically ambitious figures about the economic value of “big data”, the Strategy offers no strengthening of the e-Privacy Directive, no explanation for the lack of progress on the proposed Directive on protecting personal data being processed for law enforcement purposes, and no leadership on the proposed General Data Protection Regulation.

It is also worth noting the “once only” approach to e-government, designed to increase efficiency in public administrations by not asking users to submit the same information more than once. In practice this means that personal data will flow around government departments, and potentially across borders, reducing citizens’ control over their personal data. Cost efficient solutions that also develop trust can be designed and implemented, but only when privacy by design and default are priorities, not afterthoughts.

There are numerous positive aspects of the Digital Single Market Strategy. Its very existence is a recognition of the problems, and it has identified key issues central to the creation of a Digital Single Market that would benefit citizens and businesses alike. However, it is important for policymakers to remember that the lack of progress over the past ten years is not an inexplicable anomaly – it comes from a lack of leadership and heavy pressure from vested interests that stand to profit from inertia. If the Commission can understand these issues and show leadership and vision, the Digital Single Market can be a huge success. It is time to hoist the sails, re-set the rudder and set a course for a unified digital Europe.

Read our analysis here (PDF):