A measure which would be illegal if implemented by a government should also be illegal if implemented by industry as a “voluntary” measure, as a result of government pressure or for public relations or anti-competitive reasons. However, as key international legal instruments, such as the European Charter of Fundamental Rights and the European Convention on Human Rights, as well as national constitutions are binding for states and governments, they are not directly applicable to other entities, such as private companies. As a result, there is a major trend towards governments persuading or coercing companies to impose restrictions on fundamental freedoms under the guise of “self-regulation,” thereby circumventing legal protections.

13 Sep 2017

Five things the online tracking industry gets wrong

By Diego Naranjo

The Interactive Advertising Bureau (IAB) Europe, one of the loudest enemies of the e-Privacy Regulation, is the association of online tracking and advertising companies. On 7 September, IAB Europe published a report titled: “Europe Online: An experience driven by advertising”.

In the report, some of the key issues are clearly displayed, but some are hidden behind the large misleading headlines and graphics. The IAB Europe Report says:

1) “In the online world most users’ experience is predominantly free.”

The report conveys the message that online users are using services without paying for the services in cash. This is true in many cases. However, it cleverly creates a false dichotomy that the only alternative to massive, untransparent profiling and tracking is unspecified costs for users.

It is clear that they are unknowingly “paying” with their data, without any clarity about the financial value or security cost of handing over their data nor, indeed, the actual cost of providing the “free” services. In the online world, companies offering “free” services live from insights into how to manipulate their users. Often the “free” websites have no idea about (nor control over) where their visitors’ data goes, what other data it is merged with, and what uses that data is put to.

To provide the best services for their actual customers (the companies paying to place advertisements or cookies), advertisers sometimes get access to the content of your emails, track your physical movements, analyse your browsing habits, or listen to the interactions of your children with their toys.

Even though the way online tracking happens is not immediately obvious, the results of the Eurobarometer on e-Privacy show clearly what matters to people: 92% of EU citizens said that it is very important that the personal information (such as their pictures, contact lists, etc.) on their computer, smartphone, tablet or any other device is only accessed with their permission. The same percentage highlighted the importance of protecting their online communications (e-mails and online instant messaging).

2) “Nine in ten online users (92%) would stop accessing their most-used free news, content or service site or app if it switched to paid access only.”

Here again, a false dichotomy was presented to users, to generate the response requested by IAB. The approach misleads readers by implying that no innovation is possible and that no solutions other than the status quo exist. However, it is not true that different business models cannot be created – we do not have to rely on a model that has created a quasi-duopoly for Google and Facebook. For example, there are successful micropayment models for quality news sources. Also, innovation around contextual advertising is increasingly successful in achieving its goals, without engaging in invasive profiling and tracking of individuals. Such innovation has the capacity to generate a level playing field, as an alternative to the current duopoly stranglehold of the online advertising market.

The statement closes the door to alternative ways of payment. Furthermore, it ignores the fact that a majority of EU citizens think it is “unacceptable to have their online activities monitored in exchange for unrestricted access to a certain website (64%) or to pay in order not to be monitored when using a website (74%)”, as shown by the Eurobarometer.

3) “Most users are either positive or neutral about online advertising.”

Another misrepresentation. Online advertising is online advertising. Advertising based on tracking and profiling is advertising based on tracking and profiling. Asking about one and suggesting that the answer is about the other is blatantly misleading. This is demonstrated when the report admits that 58% of users are not happy with their browsing data being shared as the basis for advertising. Later on in its “research”, the IAB admits that 80% would not like to see their data shared with third parties for advertising purposes.

The use of ad-blockers increased up to 30% in 2016. Now 11% of internet users worldwide are using one. And yet the online advertising industry still refuses to acknowledge that innovation is even possible.

4) “Four in ten users (42%) are happy with their browsing data being shared as the basis for advertising, stating they don’t mind seeing personalised advertising based on their browsing data in exchange for free news, content or services.”

This suggests that 58% of online users do not feel comfortable with their browsing being analysed in this way.

The Eurobarometer report on the e-Privacy Regulation says that six in ten respondents (60%) have already changed the privacy settings on their internet browser, for example, to delete browsing history or cookies. It also shows that 40% of respondents avoid certain websites because they are worried their online activities are monitored, and that 71% of them say it is unacceptable for companies to share information about them without their permission, even if it helps companies provide new services they may like.

5) “Continually approving the use of cookies as a precondition for accessing a site was the least popular and most divisive of the two options.”

Yet another false dichotomy: it has been done badly so the only option is not to do it at all. The way that the e-Privacy Directive was implemented led to the “cookie” pop-up notices that users often see. These cookie notices are sometimes intrusive, almost always demonstrably factually incorrect and therefore inefficient. However, there is no reason to believe that there is therefore no other – more efficient and informative – way to protect citizens’ privacy.

The study conducted for the IAB report gave respondents two options: that every app asks every time for consent for the use of their data, or that the apps only show how their data is being used, without asking for their consent. Obviously, most of the respondents chose the lesser of two evils. In reality, users want services to work differently: According to Eurobarometer, eight in ten (82%) said that it is important that tools for monitoring their activities online (such as cookies) can only be used with their permission, and 56% stated that this is very important to them.

The businesses that listen to consumers and hear their concerns about current tracking based models will have an advantage. They will understand the importance of earning the trust of their clients – an essential element of running a successful business – and develop towards less privacy intrusive business models. They will, as long as untransparent, trust-eroding practices are restricted by law – and this is exactly what the IAB “research” is designed to prevent.

Europe Online: An experience driven by advertising

e-Privacy Directive: Frequently Asked Questions (05.10.2016)

e-Privacy revision: Document pool (10.01.2017)

Your privacy, security and freedom online are in danger (14.09.2016)


13 Sep 2017

Public Money? Public Code!


31 organisations ask to improve public procurement of software

Today, on 13 September 2017, 31 organisations are publishing an open letter. The letter calls for lawmakers to advance legislation requiring publicly financed software that has been developed for the public sector be made available under a Free and Open Source Software licence.

Digital services offered and used by public administrations are the critical infrastructure of 21st-century democratic nations. To establish trustworthy systems, government agencies must ensure they have full control at the core of our digital infrastructure. Unfortunately, this is rarely the case today, due to restrictive software licences.

The initial signatories of the letter include EDRi and its members Chaos Computer Club (CCC) and Wikimedia Germany, as well as Free Software Foundation Europe, KDE, Open Knowledge Foundation Germany, Open Source Business Alliance, Open Source Initiative, The Document Foundation, and many others.

Public institutions spend millions of euros each year on the development of new software tailored to their needs. The procurement choices of the public sector play a significant role in determining which companies are allowed to compete and what software is supported with tax payers’ money. Public administrations on all levels frequently have problems sharing code with each other, even if they funded its complete development. Furthermore, without the option for independent third parties to run audits or other security checks on the code, sensitive data and privacy rights are at risk.

We need software that fosters the sharing of good ideas and solutions. Only like this will we be able to improve IT services for people all over Europe. We need software that guarantees freedom of choice, access, and competition. We need software that helps public administrations regain full control of their critical digital infrastructure, allowing them to become and remain independent from a handful of companies,

said Matthias Kirschner, President of the Free Software Foundation Europe.

Because the source code of proprietary software is often a business secret, it radically increases the difficulty of discovering both accidental and intentional security flaws in critical software. Reverse engineering proprietary software to improve or strengthen it is an absolute necessity in today’s environment, but this basic technical requirement is unlawful in many circumstances and jurisdictions. With critical infrastructure such as hospitals, automobile factories, and freight shippers having all been brought offline this year due to flaws concealed within proprietary software, unauditable code is a liability that states can no longer subsidize with special legal privileges without incurring a cost denominated in lives.

Right now, the blueprints for much of our most critical public infrastructure are simply unavailable to the public. By aligning public funding with a Free Software requirement — “Free” referring to public code availability, not cost — we can find and fix flaws before they are used to turn the lights out in the next hospital.

said Edward Snowden, President of Freedom of the Press Foundation about the launch of the campaign.

The signatories therefore call on representatives all around Europe to modernise their digital infrastructure to allow other public administrations, companies, or individuals to freely use, study, share and improve applications developed with public money. This will provide safeguards for the public administration against the risk of being locked down to services from specific companies that use restrictive licences to hinder competition. Finally, it ensures that the source code is accessible so that back doors and security holes can be fixed without depending on only one service provider.

The signatories ask individuals and other organisations to sign the open letter. It will be sent to candidates for the German Parliament election and to EU policy-makers in the run-up to the EU elections in 2019.

The initial signatories:


07 Sep 2017

Estonia loves digital – why is it supporting the #censorshipmachine?

By Joe McNamee

Estonia is globally known as a powerhouse of the digital world. It eagerly moves everything into the digital realm and prides itself on being at the forefront of technology. As it now holds the Presidency of the Council of the EU, it is in charge of negotiations on the new Copyright Directive proposal.

Knowing how “digital” and progressive Estonia is, many people are surprised at the rather primitive, backward-looking leaked “compromise” proposal it produced on intermediary liability and upload filtering.

What are the peculiarities of EU politics that lead a government to oppose its own interests and abandon its own expertise when it holds the rotating presidency of the EU? The explanations are implausibly simple:

1) Presidency prestige

Member States that hold the EU presidency always seem to believe that the eyes of the world are on them. They need to conclude open negotiations in order to win prestige. This imaginary prestige is often prioritised over national policy interests. For example, Hungary, which fundamentally opposed the unitary patent, successfully pushed through the adoption of the unitary patent. It did so in order to gain the imperceptible prestige of closing the negotiations. Estonia, fundamentally committed to an open, innovative internet, is supporting a measure that will lead to a closed, Google-centred internet for the same reason – it thinks that this is the most likely approach to produce an agreement.

2) Commission power I

All EU Member States appoint a European Commissioner, so each state has a former high-level official/politician in the Commission. That individual is well placed to lobby the Member State to support the Commission’s proposals. The pressure is more intense in this case – the Commission Vice-President with overall responsibility for the Copyright Directive is the former Estonian Prime Minister, Andrus Ansip. This gives the Commission a unique level of leverage over the Estonian Council Presidency. By coincidence, the next Council Presidency (starting in January) is Bulgaria and the new Bulgarian Commissioner has direct responsibility for the Copyright Directive.

3) Commission power II

Smaller member states such as Estonia have smaller government bureaucracies and suddenly have to take over the running of the Council of the European Union for six months. The European Commission is very sympathetic to the challenges that this presents and generously allows its staff to be temporarily seconded to the Presidency for the period of the Presidency. It is difficult to imagine that this does not strengthen the voices within the Presidency in favour of Commission positions.

4) Trilogue power I

By agreeing to go through the closed-door “trilogue” process, rather than the treaty-based, more transparent public deliberations that should happen, the European Parliament gives yet more power to the Council Presidency – power without accountability.

The Council is traditionally a very closed institution, whereas the Parliament’s mandate is based on democracy. The closed process plays the game by the Council’s rules. The Council, with the resources of 28 national ministries to draw upon and supported by the Commission, has vastly more capacity to prepare the closed-door trilogue meetings than the Parliament. This makes it even easier to push through agreements, with limited accountability.

5) Trilogue power II

Most bizarre of all, there is the “fictional deadline” phenomenon. At the end of each Council Presidency, the institutions decide that it is (for no particular, rational reason) of paramount importance to conclude negotiations before the presidency ends. The irrational decision that regulation affecting the lives of 500 million Europeans must be rushed to a conclusion simply to ensure that the Council Presidency can claim credit for closing the negotiations is baffling, but powerful. The EU institutions, often in all-night meetings, accept this false urgency and compromises that were unacceptable during normal negotiations become acceptable.


So, the Estonian Presidency is acting against Estonia’s interests because of a mistaken belief that the ephemeral benefits will outweigh the years of costs.

The Estonian Presidency is being energetically encouraged to do this because, by coincidence, the Estonian Commissioner (who inherited the mess from German Commissioner Oettinger) has overall responsibility for the file. He apparently feels he has a duty to the Commission to push this bad proposal to a conclusion.

So, the Estonian Presidency is behaving in the way that EU Council presidencies traditionally act, faced with the additional pressures of being one of the smallest EU Member States and the challenges of a former Prime Minister as the Commission Vice-President under whose responsibility the Copyright Directive falls.

And that is how a government can be persuaded to actively and consciously fight against its own best interests, the best interests of the country, the best interests of its own people and the people of Europe in general.

Leaked document: EU Presidency calls for massive internet filtering (06.09.2017)


06 Sep 2017

Winter is here

By Heini Järvinen

This autumn is turning out to be much colder and more threatening for our rights and freedoms than we thought: the e-Privacy Regulation and copyright reform are the two main pieces of EU legislation that will keep the digital rights defenders of EDRi’s Brussels office busy. We will also continue our work on implementation of the General Data Protection Regulation (GDPR), the Audiovisual Media Services Directive (AVMSD), encryption, cross-border access to electronic evidence, and intermediary liability, among other dossiers.


In January 2017, the European Commission published its proposal for an e-Privacy Regulation (ePR), which will cover privacy and data protection issues specific to electronic communications. Our longer position paper and quick guide provide an introduction to the most important points of the proposal. The next steps with this dossier will be the key votes in the European Parliament (EP). Some Committees are scheduled to vote on an Opinion in late September, and the lead Committee (Civil Liberties, Justice and Home Affairs, LIBE) is likely to vote on its final Report in October. The good news is that the LIBE draft Report already contains a number of amendments to the original Commission text that are in line with our suggestions. After the LIBE vote, the text is likely to go through “trilogues”, which are informal negotiations between the Council of the European Union, the European Parliament and the Commission. The text will then be adopted in the Parliament’s Plenary session. This is likely to happen at the earliest in spring 2018.

Copyright reform

In September 2016, the European Commission published its proposal for a new Copyright Directive that aims at modernising EU copyright rules. The proposal poses a number of threats to our online freedoms, of which the most distressing is the introduction of a “censorship machine”, which would filter all uploads to the internet (Article 13 of the proposal) in contradiction to at least four European court rulings and existing EU secondary law. Another paragraph introduces the so-called “link tax” (Article 11), which has already been an expensive failure in Germany and Spain. In addition to our continuous efforts to convince the politicians to abandon the most damaging points of the proposal, we are also meeting and exchanging with activists around Europe to increase cooperation. Our event, the “School of Rock(ing) Copyright” will take place in September in Ljubljana, and in October in Budapest and in Lisbon.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR), the main text of EU legislation dealing with the protection of personal data, was finalised in 2016. However, because of the numerous, unpredictable flexibilities in the legislation, our work is not over yet. We are working together with many EDRi members, the European Consumer Organisation (BEUC) and academics, to promote the best possible implementation of the GDPR. We will be working on a “compliance check list for users”, general research about the effects of the Regulation, and technical tools to help citizens to exercise their rights.

E-evidence and cybercrime

The European Commission is preparing to present plans on dealing with access to electronic evidence (“e-evidence”). In addition, an optional protocol to the Cybercrime Convention (also known as “the Budapest Convention”) is currently being prepared, to be finalised by the end of 2019. We will be following the process closely, and sending submissions to the Council of Europe (CoE) to ensure that our rights and freedoms are considered in the final protocol. The first meeting of the drafting group will take place on 19-20 September 2017.

Audiovisual Media Services Directive (AVMSD)

In May 2016, the European Commission proposed to reform the Audiovisual Media Services Directive (AVMSD). The current AVMS Directive regulates traditional TV broadcasters and on-demand services in the EU. The new proposal broadens the scope of the Directive to cover the regulation of video-sharing platforms and potentially even other social media companies. Our main concern is the lack of clarity and safeguards for respecting the rule of law and protecting fundamental rights. The trilogue negotiations on the proposal have now started, following a vote in favour by 17 (in the Committee that took the decision) of the 751 Members of the European Parliament (adopting the Parliament’s negotiating position) and none of the EU Member States (adopting the negotiating position of the Council of the European Union). A few policy-makers will continue with the aim of reaching a political agreement by the end of the year. EDRi will issue recommendations and try to obtain improvements in the opaque process.

In addition to the priorities listed above, we will also be working on other topics, such as Notice and Action, digital trade, a Fundamental Rights Review Project on surveillance instruments, and following developments on net neutrality and whistleblowing protection.

e-Privacy revision: Document pool

Copyright reform: Document pool

The School of Rock(ing) EU Copyright 2017

Proceed with caution: Flexibilities in the General Data Protection Regulation

Access to e-evidence: Inevitable sacrifice of our right to privacy?

Audiovisual Media Services Directive reform: Document pool



06 Sep 2017

Denmark: Targeted ANPR data retention turned into mass surveillance

By IT-Pol

Since mid-2016, Denmark has had a nationwide automatic number plate recognition (ANPR) system with stationary cameras at 24 locations and mobile cameras mounted on 48 police cars. The ANPR system is currently being integrated with POL-INTEL, the new Danish system for intelligence-led policing (predictive policing), which is supplied by Palantir Technologies. Expansion of the ANPR system with more cameras can be expected in the coming years.

Preparations for the ANPR system started in 2014. Besides the public tender and subsequent deployment of the ANPR equipment, a legal framework for using ANPR was also put in place. The Ministry of Justice decided in 2015 that it was sufficient to lay down rules for processing ANPR information in an administrative order. This meant that surveillance with ANPR was introduced in Denmark without ever being debated in the Parliament.

The legal framework for ANPR makes a distinction between hits and no-hits when a number plate of a vehicle is scanned by the ANPR equipment. Hits are number plates on the police hotlist – that is vehicles which are wanted by the police for reasons ranging from unpaid insurance, mandatory inspections skipped by the owner, vehicles reported stolen, to suspected involvement in criminal activities. Vehicles registered in the Schengen Information System (under Council Decision 2007/533/JHA) by other EU Member States for discreet checks (Article 36) or sought for purposes of seizure (Article 38) can also be put on the hotlist. No-hits are number plates with no match on the hotlist.

The ANPR system is designed to serve a dual purpose. If a police car with mobile ANPR equipment encounters a vehicle on the hotlist, the police officers get a signal from the ANPR device, so that they can decide whether to pursue the vehicle or not. This part of the ANPR system is actively promoted by the Minister of Justice and the Danish National Police as a huge help for police officers on the road. The second purpose of the ANPR system, which is rarely mentioned in public by the same authorities, is the passive retention of number plates encountered by either mobile ANPR in police cars or the stationary ANPR cameras. The location, timestamp, and a picture of the vehicle, which may include the driver and passengers, are also stored in the central ANPR database.

Retention periods for ANPR hits range from three months to two years, depending on the reason for being on the hotlist. If a vehicle is on the hotlist because of unpaid insurance or skipped mandatory inspections, the mobile ANPR equipment can be used to stop the vehicle and confiscate the number plates. Retention of location information in cases like this is neither necessary nor proportionate since any further processing of the ANPR data will be totally unrelated to the reasons for putting the vehicle on the hotlist.

However, the main controversy has been around the retention of no-hits, that is vehicles that are not even wanted for minor offences such as driving without insurance. The original plan of the Danish National Police was to retain all no-hits for 30 days and use this information for backward-looking investigations, such as using data mining (profiling) to determine persons of interest based on their proximity to the time and place where a crime was committed. The Danish Data Protection Agency (DPA) objected to the proposal to retain all ANPR no-hits. In an Opinion of 17 March 2015, the DPA concluded that blanket retention of all no-hits was not legal, and that retention of no-hits could only be done under certain conditions, for example in connection with targeted surveillance at the border.

Due to the opinion of the Danish DPA, the ANPR administrative order of December 2015 provides that no-hits can be retained for up to 30 days only if the no-hit is registered in connection with a targeted police operation, which must be limited in time and geographic area. These conditions bear some resemblance to paragraph 59 of the judgment on the Data Retention Directive (joined cases C-293/12 and C-594/12) by the Court of Justice of the European Union (CJEU) in April 2014. Accordingly, only targeted data retention, and not blanket data retention, is allowed for the Danish ANPR system. Unfortunately, the administrative order does not give any guidance as to how a limited time period and a limited geographic area should be interpreted, except that this will be specified in internal guidelines by the Danish National Police.

During the summer of 2017, it was revealed through freedom of information (FOI) requests that most no-hits were actually retained in the ANPR system. Specifically, the Danish National Police decided in November 2016 that all 24 locations with stationary ANPR cameras are part of targeted police operations running until the end of 2017. This decision paved the way for retaining all no-hits from the stationary ANPR cameras for 30 days. No-hits from the mobile ANPR equipment are not covered by this decision, and hence not necessarily retained on a general basis for 30 days, but the mobile cameras account for less than 10% of the scanned number plates.

The FOI request further revealed that 830 000 no-hits are retained every day, and that the ratio between retained no-hits and hits is 90:1. The Danish National Police has repeatedly denied FOI requests for documents showing the location of the stationary ANPR cameras, but since the cameras are very visible in the landscape, their location has been mapped by activists. The unofficial map at the website shows that roughly half of the ANPR cameras are placed at border crossings (all intra-Schengen borders), whereas the other half covers major traffic intersections. The map indicates a strategic positioning of the stationary ANPR cameras in areas where lots of vehicles are encountered every day.

In essence, the ANPR system has become a tool for mass surveillance since 99% of the retained number plates are not of any interest to the police when the location of the vehicle is stored in the central database. The justification for storing no-hits is subsequent processing for unknown purposes and that the data may be useful for the police. Moreover, the opinion of the Danish DPA, that no-hits can only be processed in the ANPR system under certain conditions rather than generally as the police wanted initially, and the targeted data retention regime prescribed by the ANPR administrative order, have been completely subverted by the decision of the Danish National Police to include all stationary ANPR cameras all the time in “targeted” police operations where no-hits can be retained for 30 days.

After the story was reported in Danish news media, the police confirmed that all no-hits from the stationary ANPR cameras are retained. In a later interview with Dagbladet Information, the Danish National Police called the criticism misguided. The retention of no-hits is geographically limited to the locations where the police has decided to put up stationary ANPR cameras. Even though there are cameras throughout Denmark, as seen on the unofficial map, not every road in Denmark is covered by ANPR, and in that sense, only a limited geographic area is subject to surveillance. According to the police, the requirement of “a limited time period” is satisfied by putting an end date on the targeted police operation allowing no-hits to be retained. This end date can, however, be extended with a later decision by the police.

On 13 August 2017, EDRi member IT-Pol Denmark and Bitbureauet filed a complaint with the Danish DPA about the retention practices for ANPR no-hits. The complaint is currently being investigated by the DPA.

EDRi: New legal framework for predictive policing in Denmark (22.02.2017)

EDRi: Denmark about to implement a nationwide ANPR system (02.07.2014)

Unofficial map with the location of Danish ANPR cameras

Danish car owners subject to extensive surveillance even though they are not suspected of anything, Dagbladet Information (only in Danish, 25.07.2017)

Complaint to the Danish Data Protection Agency about retention practices for ANPR no-hits (only in Danish, 13.08.2017)

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)



06 Sep 2017

Controversial testing of facial recognition software in Germany

By Anne-Morgane Devriendt

At the end of August 2017, German police were testing facial recognition software at Südkreuz train station in Berlin. The system was tested on 300 volunteers. The goal was to evaluate the accuracy of the software in recognising and distinguishing them from the crowd – a feature that the police hope to ultimately use to track and arrest crime and terrorism suspects.

However, this testing has been subject to criticism regarding its parameters and its efficiency in the fight against terrorism. The experiment raises two concerns: the terms of the experiment and the relevance of such a measure against terrorism.

In the aftermath of recent terrorist attacks, mass surveillance measures have been increasingly introduced in Europe, as a means to “fight against terrorism”. These measures might give citizens the impression that the government is taking action, but there is no evidence that they are effective in achieving this goal.

By using facial recognition software, Thomas de Maizière, the German Minister of the Interior, aims to strengthen the public’s sense of security and help the fight against terrorism. He considers that it does not undermine civil liberties, but lawyers and civil society organisations disagree, first and foremost on the terms of the experiment. The facial recognition software was tested on volunteers, who carried around Bluetooth sensors transmitting information about their location. German EDRi member Digitalcourage reported that these sensors provide information that is not useful for the results of the experiment and that this was not communicated to the volunteers. Furthermore, Digitalcourage affirms that this data is easily accessible by anyone.

Beyond the technical issues and the lack of consent, it has been denounced by lawyers as unconstitutional and uncalled for, because it costs more in terms of civil rights than it can bring to the fight against terrorism. The usefulness of mass surveillance in improving security is questionable, to say the least. The fact that those involved in recent terrorist attacks were known by the intelligence services and had previously been under surveillance did not stop the attacks. It would require immense resources to constantly follow all potential suspects. It is difficult to see how introducing tools such as facial recognition in public places to widen the scope of surveillance, and thus increasing the amount of data to be processed by law enforcement, could help prevent future terrorist attacks.

Facial recognition at the Südkreuz station: Federal police did not inform correctly – We request the end of the experiment

Berlin starts controversial test of facial recognition cameras at train station (02.08.2017)

German police test facial recognition cameras at Berlin station (01.08.2017)

Opinion: Facial recognition tech makes suspects of us all (31.08.2017)

Germany’s facial recognition pilot program divides public (24.08.2017)

Facial recognition software to catch terrorists being tested at Berlin station (02.08.2017)

Facial recognition cameras at Berlin station are tricking volunteers, activists claim (23.08.2017)

(Contribution by Anne-Morgane Devriendt, EDRi intern)



06 Sep 2017

Netherlands: Sharing of travel data violated students’ privacy

By Bits of Freedom

It was all over the news on 22 August 2017: Translink, the company responsible for the Dutch public transport card “OV-chipkaart” had been passing student travel data to the Education Executive Agency responsible for student finance in the Netherlands (DUO). DUO uses this data to figure out whether students who claim to live on their own – and therefore receive a supplementary grant – actually still live with their parents. A court ruled that this was violating students’ privacy. The same day, Dutch EDRi member Bits of Freedom called upon students to issue a right of access request to DUO and Translink. The students were encouraged to ask the following questions:

  1. Which data does DUO have on me and if I didn’t supply this data myself, how did DUO obtain it?
  2. Which data does Translink have on me and with whom has this data been shared?

Where and when we travel, whom we call, what we buy: sometimes it seems records are kept of every single thing we do. We are becoming more and more transparent and easier to influence for companies and governments. Based on the data that is gathered about us, conclusions are drawn with tangible, sometimes far-reaching consequences. Therefore it is important that we gain insight into who knows what about us. And of course, what is being done with that information.


Imagine: you live in a dorm room when one of your parents becomes seriously ill. You are at your parents’ home for weeks or even months on end. You don’t actually live there, but you do sleep over. Is it really possible for a DUO employee to make that distinction based on your public transport data? We don’t think so. You can interpret data in multiple ways and often it does not tell the whole story. Conclusions that someone else reaches by looking at your data are not always correct. But still, you are the one who has to deal with the consequences.

It is indeed important that fraud is addressed. However, it is also important that the tools used to do so are proportionate to the offence. In this case, the Dutch court ruled that DUO cannot request this kind of privacy-sensitive information just like that. And even Translink really does know better: in its terms and conditions, Translink states that it will only hand over data as part of a criminal investigation and therefore only to the police and judiciary. By deviating from its own commitment, the company undermines trust in its service.

The Dutch constitution states that everyone is entitled to respect of their personal environment. The Dutch Data Protection Act (Wbp) is the most important law regarding the collection and sharing of personal data. This law also gives citizens the right to gain insight into their own data and the right to correct it. By exercising these rights, you can verify whether the processing of your personal data is correct, complete, relevant and lawful. Bits of Freedom’s Privacy Review Machine can help you with this.

DUO and the OV-chipkaart: Ask for clarification about your data! (only in Dutch, 22.08.2017)

Privacy Review Machine (only in Dutch)

(Contribution by Evelyn Austin, EDRi member Bits of Freedom, the Netherlands; Translation: Philip Westbroek)



06 Sep 2017

Private copy levy: Just pay up! Then we’ll see…

By Julien Bencze

European businesses and associations are still in reality forced to pay “compensation” to copyright collecting societies for private copies, despite repeated rulings of the Court of Justice of the European Union (CJEU) exempting them from having to do so.


European Digital Rights (EDRi) recently received an invoice from our office supplies company for the purchase of an external hard drive, which included a near-7% private copy levy of the total amount. The private copy levy is the surcharge on the price of media capable of making copies. It is supposed to compensate the alleged harm done to rightsholders by legal private copying by private end-users of those devices. The device we purchased will not be used to make copies of copyrighted content.

Article 5 of the 2001 Copyright Directive states that fair compensation for private copies applies to a natural person for its private, non-commercial use. This has led the 28 EU Member States to take hugely varied approaches to implementing this provision, undermining the single market. Furthermore, the system can be absurdly expensive to implement – Digital Europe calculates that the establishment and implementation of the Dutch system cost 50 million euro, in order to collect 40 million euro.

The 2011 and 2015 CJEU rulings in the Padawan v SGAE and Copydan Båndkopi/Nokia Danmark cases clarified explicitly that the private copy levy does not apply:

  1. To media sold to legal entities.
  2. For purposes other than private copying.

Again in 2016, the CJEU repeated that the private copying exception is intended solely for individuals, and that legal entities are excluded.

So… How come that EDRi, a legal entity and the final user of the product, should still pay the private copy levy?

It was probably obvious to the retailer, who sells office equipment, furniture and supplies to professionals, that EDRi is not a private person who is required to pay the private copy levy. But never mind: as they were preemptively charged the fee by their wholesaler, and their wholesaler was charged by the manufacturer or importer, they passed on the hot potato to the end users.

Rather contradictorily, this blind application of the private copy levy to entities, without any consideration as to whether these entities are liable for it, has been made possible by the above-mentioned Copydan Båndkopi/Nokia Danmark ruling. Its paragraph 53 still allows Member States to impose the levy when it is difficult to identify whether the final user is a private or a legal person, provided that the levy be passed on in the transaction chain to the final user and that undue, established payers can be easily reimbursed – if they just ask for it.

The situation is absurd: EDRi has an obligation to pay the levy that it should not pay in the first place, then ask Auvibel, the company collecting the private copy levy in Belgium, for reimbursement in order to ensure its right not to pay the levy. Even if the name “Auvibel” and an amount corresponding to the levy appear on the invoice, it is likely that numerous professionals do not even notice they pay private copy levies that they should not be paying, and consequently do not ask for a refund. In 2016, Auvibel invoiced 23 million euro for private copy levies. From that amount, it is not known to the public how much is collected from non-private users or for non-private use, nor the amount reimbursed to those categories. Similarly, many organisations will not want to invest administrative resources in reclaiming a few euro every time they buy a hard disk, printer, DVD drive, USB key, etc.

Europe-wide, this extremely expensive bureaucracy generated 580 million euro for private copy levies in 2015, according to official figures. However, there is no estimate of the proportion of illegitimate, automatic, collection of private copy levies from professional end-users.

Maybe we should bounce this back by invoicing Auvibel, in addition to the private copy levy reimbursement, for the harm caused by a time-and-money wasting, inappropriate, legally dubious, private copy levy collection for professional use of computer equipment. Or maybe the Belgian government could charge a levy to Auvibel, to recoup the unjustified revenue and spend the money on social projects.

(Contribution by Julien Bencze, EDRi)



06 Sep 2017

Leaked document: EU Presidency calls for massive internet filtering

By Diego Naranjo

A Council of the European Union document leaked by Statewatch on 30 August reveals that, during the summer months, Estonia (current EU Presidency) has been pushing the other Member States to strengthen indiscriminate internet surveillance, and to follow in the footsteps of China regarding online censorship. Standing firmly behind its belief that filtering the uploads is the way to go, the Presidency has worked hard to make the proposal for the new copyright Directive even more harmful than the Commission’s original proposal, pushing it further into the realms of illegality.

According to the leaked document, the text suggests two options for each of the two most controversial proposals: the so-called “link tax” or ancillary copyright and the upload filter. Regarding the upload filter, the text offers two alternatives:

  • Option A maintains the Commission’s original proposal of having in place an upload filter which will be under the control of platforms and other companies that are hosting online content. Although it removes mentions of “content recognition technologies”, in reality, there is no way to “prevent the availability” (another expression which remains in the text) of certain content without scanning all the content first.
  • Option B is, at best, a more extreme version of Option A. In fact, it seems so extreme that it almost makes the first option look like a reasonable compromise. This may, of course, be the “diplomatic” strategy. In this extreme option, the text attacks again the liability regime of the e-commerce Directive – which, bizarrely, would not be repealed, leaving us with two contradictory pieces of EU law – but adds a “clarification” of what constitutes a “communication to the public”. This clarification establishes that platforms (and their users) would be liable for the copyright infringing content uploaded by their users.

The proposals in this leak highlight a very dangerous roadmap for the EU Member States, if they were to follow the Presidency’s lead. The consequences of these flawed proposals can only be prevented if civil society and EU citizens firmly raise their voices against having a censorship machine in the EU. We will be turning on our call tool before each of the key votes in the European Parliament. Make use of the tool, and call your representatives to stop the #censorshipmachine!

Estonia loves digital – why is it supporting the #censorshipmachine? (07.09.2017)

No, you can’t enjoy the music you paid for, says EU Parliament Committee (05.07.2017)

Proposed Copyright Directive – Commissioner confirms it is illegal (28.06.2017)

EU Copyright Directive – privatised censorship and filtering of free speech (10.11.2016)

Copyright reform: Document pool

(Contribution by Diego Naranjo, EDRi)


05 Sep 2017

Six states raise concerns about legality of Copyright Directive

By Diego Naranjo

According to a new leak, a number of EU Member States share our serious concerns about the proposal for mass surveillance and censorship of uploads to the internet in Europe, included in the European Commission’s proposal for a new copyright Directive. Those Member States seem unwilling to build a censorship machine forcing EU countries to adopt Google’s current practices. They highlight that such practices should not be implemented without making sure of the consequences for fundamental rights and for the rule of law.

The leaked document contains a list of questions posed to the internal legal service of the Council of the EU, signed by six EU Member States: Belgium, the Czech Republic, Finland, Hungary, Ireland and the Netherlands. From the questions, it appears that those Member States feel that the proposals for the upload filter are so grave that their legality is in serious doubt. They have asked the Council legal service to evaluate if the proposal is legal, in light of the proactive monitoring of content being demanded. Following the rulings (Scarlet/Sabam, Netlog/Sabam) of the Court of Justice of the European Union (CJEU) that such proactive filtering is a disproportionate breach of freedom of expression and information, freedom to conduct a business and the protection of personal data, the Member States want a neutral evaluation.

They also ask if these measures are “justified and proportionate”, in order to verify if they would be in line with the Charter of Fundamental Rights of the European Union. These Member States also ask whether one article of the proposed copyright Directive could fundamentally change the scope of the liability principles for internet providers in the e-commerce Directive. Those principles are crucial for freedom of expression in Europe, because they prevent internet companies from being excessively incentivised to restrict users’ communications.

The six Member States also raised crucial questions about the argument that searching for specific files (within all internet traffic) is a “general” monitoring obligation (see Question 3). This doubt appears very valid, bearing in mind that the e-Commerce Directive (recital 47) explicitly states that exceptions to the prohibition of general monitoring obligations would only be possible when searching for data in “a specific case”. Are millions of searches “a specific case”?

Finally, they also ask whether the wording “communication to the public” is being mixed up with the expression “providing access” when, as these Member States recall, “(t)he CJEU has never considered that is (sic) was sufficient for a service to be ‘providing access’ in order to establish that it is communicating to the public.”

The Council legal service will have to analyse these questions thoroughly before it can take a position on the subject, but right now it seems they will only deliberate orally during the next working group on 11-12 September. It is clear that the European Commission should have carried out a neutral assessment of these questions before launching its proposal for the copyright Directive, but apparently did not. Therefore, it is welcome that the six EU Member States have invested time and resources in diligently raising fundamental questions on illegality, legal uncertainty and outright chaos that the upload filters suggested in Article 13 of the proposed Directive would bring. It is crucial to clarify what they would mean for human rights in the online environment, for European innovation and for Europe’s credibility in defending online freedoms in its foreign policy. The EU Presidency, Members of the European Parliament (MEPs) supporting the censorship machine, and some Member States (such as France, Spain, and Germany) should take note of the serious questions posed to the Council and re-think their positions on this debate.

Leaked document: Questions from Member States to the Council legal services on the Censorship Machine

EU countries question legality & attack on fundamental rights

No, you can’t enjoy the music you paid for, says EU Parliament Committee (05.07.2017)

Proposed Copyright Directive – Commissioner confirms it is illegal (28.06.2017)

EU Copyright Directive – privatised censorship and filtering of free speech (10.11.2016)

Copyright reform: Document pool

(Contribution by Diego Naranjo, EDRi)