A measure which would be illegal if implemented by a government should also be illegal if implemented by industry as a “voluntary” measure, as a result of government pressure or for public relations or anti-competitive reasons. However, as key international legal instruments, such as the European Charter of Fundamental Rights and the European Convention on Human Rights, as well as national constitutions are binding for states and governments, they are not directly applicable to other entities, such as private companies. As a result, there is a major trend towards governments persuading or coercing companies to impose restrictions on fundamental freedoms under the guise of “self-regulation,” thereby circumventing legal protections.

31 May 2016

EDRi and Access Now withdraw from the EU Commission IT Forum discussions


Today, on 31 May, European Digital Rights (EDRi) and Access Now delivered a joint statement on the EU Commission’s “EU Internet Forum”, announcing our decision not to take part in future discussions and confirming that we do not have confidence in the ill considered “code of conduct” that was agreed.

Launched at the end of 2015, the “EU Internet Forum” was meant to counter vaguely defined “terrorist activity and hate speech online”. The discussions were convened by the European Commission and brought together almost exclusively US-based internet companies and representatives of EU Member States. While no civil society organisations were invited to attend the discussions on terrorism, several civil society representatives were allowed to take part in some of the discussions on online hate speech. However, civil society was systematically excluded from the negotiations that led to the voluntary “code of conduct” for IT companies – an official document that was presented today, despite the lack of transparency and public input into its content.

Faced with this lamentable outcome, and with no possibility to provide meaningful input to this process, the Commission has left us with no other choice but to withdraw from the discussion,

said Estelle Massé, EU Policy Analyst at Access Now.

It is ironic that the Commission is threatening to take Member States to court for failing to implement EU law on racism and xenophobia while it is persuading companies like Google and Facebook to sweep offences under the carpet,

added Joe McNamee, Executive Director at European Digital Rights.

What is in today’s code of conduct?

  • an explicit statement that companies will “take the lead” in policing controversial speech online, which means that law enforcement authorities will not be taking the lead;
  • an undertaking that IT companies will ban content that should already be legally banned;
  • an undertaking to review notifications against company terms of service first and then, “if necessary” to review them against the law. In practice, this means that the legal procedures for testing the legality of content against the law will never be used as the code of conduct asks for illegal content to be banned by terms of service.

In short, the “code of conduct” downgrades the law to a second-class status, behind the “leading role” of private companies that are being asked to arbitrarily implement their terms of service. This process, established outside an accountable democratic framework, exploits unclear liability rules for companies. It also creates serious risks for freedom of expression as legal but controversial content may well be deleted as a result of this voluntary and unaccountable take down mechanism.

This means that this “agreement” between only a handful of companies and the European Commission is likely in breach of the EU Charter of Fundamental Rights, under which restrictions on fundamental rights should be provided for by law. It will, in practical terms, overturn case law of the European Court of Human Rights on the defense of legal speech.

Countering hate speech online is an important issue that requires open and transparent discussions to ensure compliance with human rights obligations. This issue remains a priority for our organisations and we will continue working for the development of transparent, democratic frameworks:

  • In the European Union, EDRi and its members are working tirelessly to ensure that the proposed Directive on Combating Terrorism is in line with the EU Charter of Fundamental Rights.
  • Globally, Access Now is engaging civil society, governments, international experts and companies on policy recommendations on a digital rights anchored approach towards countering violent extremism online. For its part, EDRi has recently provided input to the UN High Commissioner on the respect of human rights while preventing and countering violent extremism.

Background information

EU Internet Forum against terrorist content and hate speech online: Document pool

EU Commission under investigation for EU Internet Forum documents (30.05.2016)


30 May 2016

EDRi launches working group to improve digital rights advocacy across Europe

By Guest author

Over the past decade, we’ve seen a lot of great work and successes by digital rights organisations across Europe. We have used our expertise, creativity and network to make up for being low on resources and few in number. However, threats to human rights in the digital environment are persistent and growing.

That’s why a number of EDRi members have launched a working group looking at how our network functions. What’s going well, and where can we improve? Are the goals we’ve set in line with the needs of (future) member organisations and in tune with the European digital rights community?

We welcome the thoughts and insights of both members and non-members. We’ll use this blog to keep you updated on our progress, but we hope you will also take the liberty of e-mailing us with any questions, ideas or concerns you may have.

(Article written by Evelyn Austin, Bits of Freedom)

30 May 2016

EU Commission under investigation for EU Internet Forum documents

By Kirsten Fiedler

In the past year, EDRi made numerous formal requests to get more information about the EU Internet Forum. This Forum was set up by the EU Commission to persuade companies to do “more” to fight terrorism. After months of obstruction from the European Commission, EDRi made a maladministration complaint to the European Ombudsman. As a result, a formal inquiry has been launched.

Privatised censorship

The problem: The action points agreed with online companies in secret meetings of the Forum may have a direct negative impact on our freedom of expression. Why? Because one of the topics that is being discussed is the censoring of online content by private companies – without any judicial process.

Many case studies highlighted by have shown that private companies regularly violate fundamental rights in the online space, flouting the principle that restrictions on civil and human rights must be based on law. This practice is now being encouraged and pushed by the EU Commission.

Additionally, the EU Commission repeatedly denied us access to the documents that are being discussed by the IT Forum. The reason for our requests is simple: The EU Commission has a very bad record of keeping such projects in line with fundamental rights.

Exclusion of civil society

Moreover, despite the fact that the Commission announced in its “Communication on the European Security Agenda” the need for an inclusion of civil society in such projects, no civil society organisation has been allowed to participate in the Forum’s meetings on terrorism.

We have raised this criticism on multiple occasions – in meetings with the department for Migration and Home Affairs (DG HOME) and in our position paper (pdf). This exclusion fails to respect the institutions’ responsibility to give citizens the opportunity to “publicly exchange their views in all areas of Union action” (Art. 11 of the Treaty on European Union).

EDRi’s complaint and Ombuds(wo)man investigation

The maladministration investigation has been launched following a complaint submitted by EDRi to Emily O’Reilly, the EU Ombudsman, on 17 February (Letter by the Ombudsman, pdf). The complaint points out that:

  1. The Commission systematically failed to respect the legal deadlines to respond to our requests.
  2. The Commissionʹs decision to merge (a process called “joining” in EU jargon) two of our access requests (GestDem 2015/6363 and GestDem 2016/0095) lacks any legal basis. By default the Commission should make non-confidential documents directly available.
  3. The Commission wrongly refused full access to the note of 10 June 2015 (pdf) and to the concept note (pdf).

The Ombudsman responded that she has decided to open an inquiry into the third and last claim. The letter states that she will be

carrying out an inspection of the relevant documents. I have therefore asked the Commission to facilitate, in accordance with Article 3(2) of the Statute of the European Ombudsman, my inspection of the Commission’s note of 10 June 2015 and the related concept note (to which only partial access was granted in the context of access request GestDem 2015/3658).

As regards the first claim, the letter states that Ombudsman is not opening an inquiry as this widespread practice is already the object of an own‐initiative inquiry. Regarding the second claim, the Ombudsman suggested we raise our request with the Commission again.

We will continue to report on the EU Internet Forum and the inquiry on our website.


26 May 2016

European Parliament confirms that “Privacy Shield” is inadequate


The European Parliament has adopted a Resolution on the “Privacy Shield”. This is the new agreement to permit data to be transferred from the EU to the USA. The previous agreement – “Safe Harbour” – was overturned by the European Court of Justice in October 2015.

The Parliament’s resolution confirms that the new agreement has no chance of being upheld, if challenged at the Court of Justice of the European Union,

said Joe McNamee, Executive Director of European Digital Rights.

It questions the legal meaning of the assurances received from the USA. It points out that indiscriminate (“bulk”) surveillance is still possible and the new Ombudsman role is inadequate.

The Parliament adopted a similar resolution in 2000, when the illegal Safe Harbour agreement was adopted, but its recommendations were ignored for 15 years. The Parliament failed to demand meaningful improvements before adoption.

Incomprehensibly the Parliament voted against a sunset clause that could have been a means to inspire a meaningful renegotiation. This means that the USA will have no incentive to make any concessions. This means that the fundamental rights of European Citizens will be undermined until Privacy Shield is overturned. This means that European businesses can have no legal certainty if they rely on this agreement, which is broken by design.

Under EU data protection rules, personal data can only be transferred outside the EU under certain circumstances. The EU negotiated “Safe Harbour” as a special arrangement for the USA in 2000. After the Snowden revelations in 2013, the European Commission recognised that the arrangement was inadequate. It spent two years trying and failing to bring the deal into line with the EU’s legal framework. Then, in October 2015, the framework was overturned. The “Privacy Shield” is meant to replace the “Safe Harbour”.


Read more:

Transatlantic coalition of civil society groups: Privacy Shield is not enough – renegotiation is needed (16.03.02016)

What’s behind the shield? Unspinning the “privacy shield” spin (02.03.2016)

Opinion 01/2016 on the EU–U.S. Privacy Shield draft adequacy decision (13.04.2016)

Fifteen years late, Safe Harbor hits the rocks (06.10.2015)


25 May 2016

EU Council & Commission plan to give law enforcement authorities access to data of foreign IT companies


EU Commissioner Věra Jourová revealed plans to increase the competences of criminal law enforcement authorities in a speech at the European Criminal Law Academic Network. She announced that the Council of the European Union is currently drafting Conclusions. This draft document calls for law enforcement agencies to have direct cross-border access to personal data held by foreign service providers, without a mutual legal assistance procedure. This is more than worrisome for the privacy of European citizens.

Initially Jourová pointed out that it is important to “accelerate and streamline” mutual legal assistance (MLA) requests between national authorities, in order to collect digital evidence easier. However, “where mutual legal assistance is not suitable or available” (what this means is not explained – the Data Retention Directive was proposed in part because MLATs are time-consuming but, in the last 8 years were not seen as a priority for reform) it is important that certain types of data, including personal data, can be requested from IT companies directly.

Intransparent Council discussions

Jourová says that the new data protection rules allow for a smoother cooperation and exchange of information between police and justice authorities, as they provide common standards of data protection. Those rules “will ensure that personal data, for instance of victims or witnesses of crime, is properly protected”. The Council draft goes by the name “Conclusions on improving criminal justice in cyberspace”, however, there is no document number assigned yet.

Commissioner Jourová did not release further details about the draft. However, EDRi received a copy of a document by the German government (only in German, pdf) which provides more information regarding the content and goals of the draft Conclusions. In order to improve “criminal justice in cyberspace”, the draft wants to introduce measures that help securing electronic evidence, which otherwise would have to be deleted. This is being described especially problematic in cross-border cases (echoing the analysis from ten years ago in relation to the Data Retention Directive). The aim is to set up rules that allow a short-term access to certain data categories of information, in particular personal data. One way to achieve that, is to improve the direct cooperation of law enforcement agencies with foreign service providers.

The Council Conclusions were also discussed controversially in the Committee on Internal Security (COSI), with Member States expressing their concerns over the proposal. It was considered especially problematic that a mere “business link” of a provider to a state will constitute a sufficient legal basis for data requests by foreign law enforcement authorities. According to the proposal it would not even require a business establishment in the concerned Member States to enable direct information claims. Some EU countries were pointing out that their sovereignty must not be undermined by such measures. France allegedly expressed concern that it was not legal under national law for providers to provide foreign law enforcement agencies with data.

In the end, there was wide-ranging agreement that future discussions must include other stakeholders, such as law enforcement authorities and IT businesses.

The Conclusions will be presented at the meeting of the Justice and Home Affairs Council on 9 June. The European Commission was asked to present analysis and, where appropriate, proposals before the summer 2017.

................................................................. Support our work - make a recurrent donation! .................................................................

Mutual Legal Assistance Agreement between the US and the EU

In parallel to the draft Conclusions, the Council is also working on an Agreement with the United States regarding mutual legal assistance (pdf). This Agreement aims to modify and refine the old MLA Agreement, which entered into force in 2010. It aims to ensure an effective cooperation between participating Members States of the EU and the US in the field of criminal justice and combating organised crime and terrorism. At the moment, the Council is waiting for the Committee of Article 36 (CATS) to approve the draft text, to allow the text to be formally agreed in June 2016.

The Agreement plans to make available “the ability to obtain information on bank accounts, form Joint Investigation Teams (JITS), transmit requests using faster means of communications, obtain witness evidence by video conferencing, and secure evidence for use by administrative bodies where subsequent criminal proceedings are envisaged.”

In contrast to the Conclusions discussed above, this US-EU Agreement does not plan to bypass the current MLA system. Despite the fact that the Agreement mentions the possibility of “direct access of EU-Member States to data held by Internet Service Providers”, it wants to ensure that this conduct still requires so-called “probable clause”. To meet this criterion, the government must present specific, detailed and reliable facts to a court to demonstrate that a criminal offence has been committed. Without “probable clause” it would not be possible to request data.

(Article written by Claudius Determann, EDRi intern)


25 May 2016

European fundamental rights to be regulated by companies


Today, on 25 May, the European Commission published two new proposals of their Digital Single Market strategy: its update of the Directive on audiovisual media services (ADVMS) and a Communication on online platforms, together with the evidence document for the platforms Communication.

The Communication on Platforms worries us the most. For instance, the proposals with regard to the regulation of “illegal” “or harmful” content are hugely disturbing. The Commission seems willing to completely give up on the notion of law. Instead, regulation of free speech is pushed into the hands of private corporations.

Demanding that multiple companies in multiple jurisdictions arbitrarily implement whatever national law or other preferences they choose is a sure-fire way of building new barriers in the “Digital Single Market”

said Joe McNamee, Executive Director of European Digital Rights (EDRi).

The Communication repeats “voluntary measures” almost like an ideological mantra – whatever the question is, the answer is always “platforms can fix it”. What about public authorities’ responsibilities to enforce the law?

The Commission refers to the EU Internet Forum as an “important example”. Indeed it is, although not in the way the Commission meant.The EU Internet Forum is a highly-untransparent Commission-driven project, undertaken in cooperation with exclusively US online companies (and not even all of the relevant ones!) to tackle terrorist content and hate speech online. The Commission describes it as a “multi-stakeholder” model, even though only the Commission and three US companies were involved in drafting the outcome.

The Communication also talks about limitations of liability for platforms when they take “good faith” law enforcement measures. Sounds familiar? The ill-fated Stop Online Piracy Act (SOPA) that was abandoned after huge protests in the USA proposed exactly the same thing. The good news is that, for now, no new liability measures are being proposed to coerce platforms into taking these measures. However, there are threats of “formal notice and action” procedures that make it clear that law will be used if the companies do not police European citizens extensively enough.


Today’s Communication offers “evidence” is either misrepresented or moulded to suit pre-existing policies. The Commission appears eager to ensure that the online monopolies monitor online activity, take action to remove any content that creates legal risks for them, and arbitrarily police content to “protect” unspecified and undefined “societal values”. Not a word is wasted on review processes, effectiveness, proportionality, possible counter-productive or anti-competitive effects.


Background information:

EDRi response to AVMS Consultation (30.09.2015)

EDRi response to Platforms Consultation (06.01.2016)

The EU Platforms Consultation – Just How Biased is it (14.12.2014)

Leaked EU Communication – Part 1: Privatised censorship and surveillance (26.04.2016)

Leaked EU Communication – Part 2: Protecting Google at all costs (28.04.2016)

EU Internet Forum against terrorist content and hate speech online: Document pool (10.03.2016)

Our overview of the Digital Single Market Communication (17.06.2015)


23 May 2016

Copyfails: Time to #fixcopyright!

By Diego Naranjo

We believe that new technologies bring new ways to access culture – they are not a threat for creators. We believe that the legitimacy crisis of the current EU copyright regime is created by the system itself. We believe there’s a need for a modernised copyright regime which takes into consideration the needs of all parts of society, including creators.

Europe needs a more profound reform of the EU copyright regime than the one that the European Commission has announced. To illustrate this, we have identified nine copyfails – crucial failures of the current EU system. You can read the first blogpost of our “copyfails” series, presenting the copyfail #1 here.

The European Commission has set in its agenda reforming copyright as one of the foundations to build the Digital Single Market. However, the Communication published at the end of 2015 did not meet the expectations of the announced “more modern, more European” copyright. On the contrary, the Commission apparently only wants to paper over the serious cracks in the wobbling structure of EU copyright legislation rather than addressing the real problems.


Are you ready to #fixcopyright in the EU? Follow #fixcopyright on Twitter!

Read more:

Copyright reform: Restoring the facade of a decrepit building (16.12.2015)



19 May 2016

Copyfail #1: Chaotic system of freedoms to use copyrighted works in the EU

By Diego Naranjo

This article is the first one in the series presenting Copyfails. The EU is reforming its copyright rules. We want to introduce to you the main failures of the current copyright system, with suggestions on how to fix them. You can find the nine key failures here.


How has it failed?

The current EU Copyright Directive outlines 21 different optional freedoms to use copyrighted works. These freedoms, called “exceptions and limitations”, specify how strict copyright rules can avoided in certain useful circumstances, as long as this does not interfere with the exploitation of the work by the creator. This would include, for example, using copyrighted material for educational purposes, adapting it for people with disabilities, making copies of music or films for personal use, or using it for academic quotations.

Each EU country putting the Directive into practice can choose to either include or exclude any of these optional exceptions. As a result, there are literally over two million ways to implement the Directive! In a borderless, open Internet, it is crazy that a simpler solution to implement flexibilities that do not interfere with the normal exploitation of the copyrighted material is not implemented.

However, copyright lobbyists are vehemently opposed to any flexibility. Indeed, in 2001, when the Directive was adopted, lobbyists argued that the one mandatory exception (for incidental copies in networks) was absolutely unworkable and would “a gaping hole in rightsholders’ protection under the reproduction right“. Fifteen years later, it is very obvious that no such “gaping hole” was created. Now, they warn again against a more flexible regime. Now, as then, they are wrong.


Why is this important?

People across the EU should be able enjoy the same rights. Harmonisation of the copyright rules is needed for creating a Digital Single Market – not 28 EU markets as we currently have.

The implications of the copyfail #1 are huge, for example:

  • In the UK, people are not allowed to make copies of music that they legally buy.
  • In Austria and Lithuania it’s illegal to send quotations by e-mail.
  • In some countries, like France, the uses of copyrighted works in schools are considerably more restricted, than in others, like Estonia. The latter allows teachers within an educational context to quote works to any justified extent, compile works of any nature and translate and adapt entire works, while France doesn’t.

How to fix it?


Read more:

Copyright combinatronics (16.11.2011)

Copyright exceptions and limitations – back to the future (25.03.2015)

Copyright reform: Restoring the facade of a decrepit building (16.12.2015)



18 May 2016

ENDitorial: Next year, you’ll complain about the Terrorism Directive

By Joe McNamee

The European Union is currently in the process of adopting a Directive on terrorism. The Directive is expected to be finalised later this year and then each Member State government will decide what it means, and will adopt national laws to put it into practice.

The European Commission wrote the draft Directive in two weeks, after the Paris attacks in November 2015, basing itself mainly on existing EU and international instruments. It was prepared without an impact assessment. An impact assessment assesses various options and the evidence available. This step is generally necessary for every piece of legislation. However, it appears it is not needed when human lives and civil liberties are at stake. Why? Because it is important to give people a feeling (even if the feeling is misguided) that the EU is doing something to “protect” them.

This is just the beginning of the political process, so the press is not interested.

Within three months, the EU Member States had adopted their informal position, or as they call it, their “general approach”. They did this in the absence of an impact assessment that would have provided the analysis to indicate what may or may not be lawful, appropriate, useful, necessary or proportionate. They added new text on blocking of websites “inciting to commit” terrorist offences, without any indication of whether the content would be legal or illegal, or why they might think that this might be a good idea. The Member States also envisage “the taking and the fixing of audio recordings in private or public vehicles and places, and of visual images of persons in public vehicles and places…”.

This is just the beginning of the political process, so the press is not interested.

The European Parliament is now preparing its position. Unlike legislation on other subjects, where relevant specialised parliamentary committees give their opinions to the Committee in charge, in this case only one Committee is assessing the Directive, because speed seems to be more important than evidence or effectiveness or even usefulness. Various Parliamentarians in the “Civil Liberties” Committee have proposed adding random additional (often incongruous or irrelevant) measures to the Directive – on blocking of websites, on banning terrorist malware (sic), on criminalising online platforms for failing to remove content on “counterfeiting trademarks” (sic), and a whole host of other measures that, similarly, are neither relevant nor based on any evidence of usefulness, effectiveness, proportionality, legality… anything.

This is just the beginning of the political process, so the press is not interested.

Now, instead of voting on the 438 amendments tabled, a small group of just eight representatives of political groups are having closed-door meetings, to create “compromise amendments” on the controversial points. Once the political groups go through this process, a vote can happen with everyone hiding in the crowd – citizens will never know who made what proposal or supported what decision. The ensuing vote in the Civil Liberties Committee will just be a mere formality because the other politicians tend to respectively follow the eight politicians that negotiated the text.

This is just the beginning of the political process, so the press is not interested.

Once the vote has happened in Committee, it does not need to be endorsed by the full Parliament. Instead, the eight Parliamentarians and Member States will start closed-door, secret meetings, together with the European Commission (known as “trilogues”) to reach a compromise between the position taken in the Committee’s so-called “orientation vote” and the Member States’ “general approach” (neither of which is binding on either institution). This process is secret, the negotiation drafts are secret and the procedure has no formal end-date.

This process is too opaque, so the press is not interested.

Once the trilogue process finishes, both the Member States and the Parliament are committed to rubber-stamping the agreement, so it is almost impossible to make any changes at this stage. Some policy-makers won’t agree on specific points, but they will nonetheless vote for the adoption of the text. If you ask them, they will tell you that it’s because of the “necessary” political trade-offs. If some politicians vote differently, they will be reprimanded by their political group.

Only at this stage the press is given press releases, a nice spin about “fighting terrorism”, a clear end-date for the Parliament vote.

The press is interested, the process is over. It’s too late to change anything.

Next year, when your Member State starts blocking websites, without quite knowing why, when it starts imposing restrictions on Tor and proxy servers, without quite knowing why, when unaccountable, unclear legislation leads to arbitrary and discriminatory enforcement, and your government says that it is “EU law that it is obliged to implement” and you wonder why the press never reported on it, when you search in vain for who is accountable for a weak and dangerous text, come back and read this again.

In this process, EDRi uses all of its political resources to obtain documents, provide input to decision-makers, and use all possible opportunities to shine a light on closed processes and defend citizens’ rights from the dangers created by opaque and unaccountable decision-making. Thankfully, the fact that the process is rotten does not mean that the individuals involved are not open to positive and constructive input – many work hard to achieve the best possible outcome for Europe’s citizens. Even if we cannot always – or often – claim credit for the successes we have in positively influencing such processes, it is important to engage as effectively as possible, while demanding that trilogues are reformed or, ideally, abandoned.

................................................................. Support our work with a one-off-donation! .................................................................

EDRi: EDRi’s recommendations for the European Parliament’s Draft Report on the Directive on Combating Terrorism (29.03.2016)

EDRi: Countering terrorism, a.k.a. the biggest human rights threat of 2016 (20.04.2016)

EDRi: Trilogues: the system that undermines EU democracy and transparency (20.04.2016)

Proposal for a Directive on combating terrorism (02.12.2015)

Council General Approach on the proposed Directive on combating terrorism (11.03.2016)

European Parliament draft report on Directive on combating terrorism (09.03.2016)

European Parliament amendments tabled to Directive on combating terrorism (nos 56 to 246)(08.04.2016)

European Parliament amendments tabled to Directive on combating terrorism (nos 247 to 438)(08.04.2016)

(Contribution by Joe McNamee, EDRi)



18 May 2016

Advocate General: Dynamic IP address can be personal data


On 12 May Manuel Campos Sánchez-Bordona, Advocate General (AG) of the European Court of Justice (CJEU), gave his opinion in the Case Patrick Breyer against the Federal Republic of Germany, C-582/14.

Patrick Breyer sued the German government for violating his right to data protection by storing the data about him visiting websites of the German government longer than necessary. The government’s websites use so-called “logs” that keep record of which particular dynamic IP address was having access to the service. Breyer claims that the storage of this data constitutes a processing of personal data, which is protected under the Data Protection Directive 95/46/EC. According to the Directive, such processing of personal data is generally unlawful, unless it is justified, for example by a previously given consent. The Republic of Germany, however, stated that the logs to its website are essential for its functioning, as they are important for preventing abuse and prosecuting network attacks. In the ongoing procedure, the German Federal Court of Justice (BGH) eventually forwarded two questions to the CJEU, asking for preliminary ruling.

................................................................. Support our work - make a recurrent donation! .................................................................

The first question was addressing the issue whether a dynamic IP address, together with the time of access, constitute personal data according to Article 2 (a) of the Data Protection Directive. The question referred specifically to whether a person is already “identifiable” if the information which is necessary to identify an individual has to be provided by a third party, in this case a telecommunication company. The Advocate General followed Breyer’s legal submissions in his opinion, stating that the definition of personal data also encompasses dynamic IP addresses, as long as an Access Provider holds additional information enabling the identification of an individual.

The Advocate General’s position directly contradicts the position of the Irish High Court in EMI Records & Ors -v-Eircom Ltd from 2010. In that case, Mr Justice Charleton (now elevated to the Irish Supreme Court), having explained that the internet is not “an amorphous extraterrestrial body” (paragraph 5), ruled that IP address data collected for the explicit purpose of identifying individuals in the context of copyright enforcement is not personal data.

The Advocate General’s view is also in line with an opinion from 2009 by the Article 29 Working Party (WP29), an independent body with advisory status regarding data protection, which was set up according to the Data Protection Directive. Back then, the WP29 considered that IP addresses can be personal data, even though they do not generally identify an individual by name.

The second question was assessing whether restrictions of data processing under the German Telemedia Act (§15 TMG), which lead to a prohibition of the processing, may violate the Article 7 (f) of the Data Protection Directive. The provision states that personal data may be processed, if it is necessary for the purposes of legitimate interest of the processor. However, the German Telemedia Act (TMG) allows the collection and use of users’ data in only limited circumstances, but not for the purpose of ensuring the general operability of the telemedia service. The AG claims that the purpose of a functioning of “telemedia” (as defined in §1 TMG) constitutes a legitimate interest according to the Directive and should therefore be permitted, when it prevails over the interests or the fundamental rights of the concerned person.

Patrick Breyer stated in reaction to the opinion that

nobody has a right to record everything we do and say online. Generation Internet has a right to access information online just as unmonitored and without inhibition as our parents read the paper, listened to the radio or browsed books.

The European Court of Justice did not yet set a date for the final decision.

Request for a preliminary ruling of the German Bundesgerichtshof (17.12.2016)

The 2009 opinion by the Article 29 Working Party (20.06.2016)

Opinion of the Advocate General (only in German, 12.05.2016)

EMI Records & Ors -v-Eircom Ltd (16.04.2010)

(Contribution by Claudius Determann, EDRi intern)