============================================================ EDRi-gram biweekly newsletter about digital civil rights in Europe Number 8.20, 20 October 2010 ============================================================ Contents ============================================================ 1. Guidelines for more rigorous respect of the Fundamental Rights Charter 2. Facebook applications raise new privacy concerns again 3. French DNS management must respect constitutional freedoms 4. Danish tax authorities want to mirror hard disks of private companies 5. Informal discussion in European Parliament on net neutrality 6. Lives put at risk by communications data retention 7. European Commission high-level discussions on data protection 8. UK Government will introduce an open data licence 9. Spanish DPA opens infringement procedures for Google Streetview 10. ENDitorial: Irish court rejects music industry demands for three strikes 11. Recommended Action 12. Recommended Reading 13. Agenda 14. About ============================================================ 1. Guidelines for more rigorous respect of the Fundamental Rights Charter ============================================================ The European Commission has adopted a strategy which is aimed at ensuring that the EU Charter of Fundamental Rights is respected at every stage of the EU legislative process. At the initiative of Commissioner Reding, the intention is to create a template to make it easier for the Commission to measure its own respect for the Charter and, by extension, to give the public a clearer yardstick by which to measure the actions of the Commission. As is Commissioner Reding's trademark, the Communication is very ambitious, arguing that the "Union must be exemplary" in matters of fundamental rights and demands that "the Charter must serve as compass for the Union's policies and their implementation by the Member States." Since the adoption of the Lisbon Treaty, which made the Charter legally binding, all Commissioners took a personal oath to respect the Charter. However, in the absence of a methodology to incorporate this into policy development, the Commission has struggled to "mainstream" this new element of legislative development into all of its activities. For example, when the Commission re-tabled the draft Framework Decision on Child Exploitation, it changed the proposal in a way which, according to its own impact assessment, was contrary to the European Convention on Fundamental Rights (the "meaning and rights" of which are incorporated into the Charter). One of the clearest pedagogical elements of the Communication is a "Fundamental Rights 'Check List'", listing the questions that the Commission must ask at each stage of the legislative process when assessing the possible impact of the proposed legislation. This is to be repeated at each step of all legislative processes, from preparatory consultations thorough the impact assessment process and the legislative process. This includes, "using all means at its disposal" to fight noncompliant amendments tabled by other institutions. It is, unfortunately, very obvious that the Communication will not solve all or even most of the failures of the Commission with regard to respect for fundamental rights protected by the Charter and Convention of Fundamental Rights. However, it is also clear that the Communication establishes a new and very clear set of standards and guidelines against which the Commission can now be measured. This is an important step in the right direction and a significant achievement by Commissioner Reding. European Commission adopts strategy to ensure respect for EU Charter of Fundamental Rights (19.10.2010) http://europa.eu/rapid/pressReleasesAction.do?reference=IP/10/1348&format=HTML&aged=0&language=EN&guiLanguage=en European Commission Communication - Strategy for the effective implementation of the Charter of Fundamental Rights by the European Union (19.10.2010) http://ec.europa.eu/justice/news/intro/doc/com_2010_573_4_en.pdf (Contribution by Joe McNamee - EDRi) ============================================================ 2. Facebook applications raise new privacy concerns again ============================================================ Facebook continues to raise concerns related to the privacy of its users' personal data. According to an investigation made by Wall Street Journal (WSJ), Facebook applications such as FarmVille have been supplying identifying information of its users to several online advertising and tracking companies. Already in May 2010 it was revealed that under certain circumstances, when a user was clicking on an ad, Facebook was transmitting its ID codes that were used to look up individual profiles, including the user's real name, age, hometown and other data. Although Facebook has interrupted the practice, it has now come Facebook applications were doing the same practice. The practice affects millions of users including those who have placed their data under the strictest privacy settings. According to WSJ, at least ten of the most popular Facebook applications also transmitted personal information about the user's friends to external companies. Two Facebook users from California, David Gould and Mike Robertson, have filed a federal lawsuit against the social network for allegedly sharing their real names and other private information with some advertisers, considering Facebook was thus in direct violation of the federal law that protects the privacy of electronic communications, the California computer-crime law as well as the company's own privacy policy. "A Facebook user ID may be inadvertently shared by a user's Internet browser or by an application," stated a spokesman from Facebook on 16 October 2010, who added that the company would introduce new technology to address the problem. According to the company, there is no basis for the law suit. As a Facebook user's ID is a public part of any Facebook profile, anyone can use this number to look up a person's name, by using a standard Web browser, even if that person has posted Facebook information as private. Facebook IDs reveal information that the users have set to share with everyone. Most applications on Facebook are created by independent software developers and it is not yet clear whether their developers knew that their applications were transmitting Facebook ID numbers. The applications use a common Web standard, known as a "referer" which passes on the address of the last page viewed when a user clicks on a link. On Facebook and other social-networking sites, referers can expose a user's identity. While the supporters of online tracking argue that this kind of surveillance is benign when being carried out anonymously, WSJ has found out that RapLeaf, a data-collection firm, had linked Facebook users' ID information obtained from applications to its own database of Internet users. The company is selling its database and has transmitted Facebook IDs to several other firms. "We didn't do it on purpose," stated Joel Jewitt, vice president of business development for RapLeaf. After being contacted by the WSJ, Facebook has changed its system so that the ID codes are no longer sent to other websites and has apparently also shut down some applications transmitting user IDs. Since 15 October, the users having tried to access certain applications have received an error message being reverted to Facebook's home screen. "We have taken immediate action to disable all applications that violate our terms," a Facebook spokesman said. Facebook in Privacy Breach (18.10.2010) http://online.wsj.com/article/SB10001424052702304772804575558484075236968.ht... Facebook apps 'leaking details to advertisers' (18.10.2010) http://www.guardian.co.uk/technology/2010/oct/18/facebook-apps-data-privacy Facebook Faces Suit Over Earlier Breach (17.10.2010) http://blogs.wsj.com/digits/2010/10/17/facebook-faces-suit-over-earlier-brea... EDRi-gram: Facebook under pressure for not observing its privacy principles (19.05.2010) http://www.edri.org/edrigram/number8.10/privacy-google-article-29 ============================================================ 3. French DNS management must respect constitutional freedoms ============================================================ In a ruling issued on 6 October 2010, the French Constitutional Council affirmed the constitutional value of domain names. According to this decision, which applies to the whole French DNS, a domain name attribution, renewal, transfer or cancellation process must not only respect intellectual property rights, but also freedom of expression and freedom of entrepreneurship. The ruling was issued in the framework of a new procedure, that allows questioning the constitutionality of an existing law in the course of legal proceedings related to the application of the given law. In this case, the plaintiff was questioning the constitutionality of article L.45 of the French Posts and Electronic Communication Code, adopted in 2004 as part of the French law on trust in the digital economy ('Loi pour la confiance dans l'iconomie numirique' or LCEN). This article provides that the French Domain Name System (DNS) registries are appointed by the government; that each French ccTLD is managed by a unique registry; and that the government ensures that domain names are attributed by these registries "in view of the general interest, according to non discriminatory rules made publicly available and ensuring the respect, by the domain name holder, of intellectual property rights". The ruling follows the plaintiff argument that the article in question was infringing Article 34 of the Constitution which provides, inter alia, that "law shall lay down the basic principles of (...) systems of ownership, property rights and civil and commercial obligations". Therefore, due to the absence of precise enough safeguards, Article L.45 of the French Posts and Electronic Communication Code gives the Administration and the designed registries too much latitude regarding the management of the French DNS. In particular, the Constitutional Council found that, as currently defined, the law indeed protects intellectual property rights but neither freedom of expression nor freedom of entrepreneurship, since the last two may be restricted by the registry through denial of a domain name registration or renewal, or through its transfer or cancellation. AFNIC, the main French registry, manages the .fr as well as .re (Riunion Island), .pm (Saint-Pierre and Miquelon), .tf (French Southern and Antarctic Territories), .wf (Wallis and Futuna) and .yt (Mayotte). Other French ccTLDs are managed by different registries; .mq (Martinique), .gp (Guadeloupe) and .gf (French Guiana) are delegated to registrars; while.nc (New Caledonia) and .pf (French Polynesia) are administrated by the respective territories. The ccTLDs of the two other French territories (Saint Barthelemy and Saint Martin) have no assigned registries yet, and the corresponding domains (.bl and .mf) are not yet present in the root zone. All these registries have to comply with the provision of Article L.45 of the French Posts and Electronic Communication Code. As a result of this decision, the law should now be amended by 1 July 2011. The Constitutional Council gave this delay in order to avoid a major disruption that would otherwise threaten the legal continuity and security of the French domain name space. After this deadline, any decision from the government and/or from the registries designed pursuant to current Article L.45 of the French Posts and Electronic Communication Code would be deemed illegal. It must be noted that this ruling only concerns registries designated by the French government, according to the provisions having been found unconstitutional. It does not extend to any other ccTLD than that of the French national territory, nor to any gTLD. Furthermore, the Constitutional Council decision has no impact on the question of whether the registration of a domain name implies any property rights over this name or only the right to use this name for the registration period. However, and this is the major outcome of this decision, such a ruling may be seen as a breakthrough from a political point of view for all those who consider domain names as one of the means of freedom of expression and communication in the digital environment. French Constitutional Council decision and related dossier (only in French, 06.10.2010) http://www.conseil-constitutionnel.fr/conseil-constitutionnel/francais/les-d... AFNIC (.fr registry) webiste http://www.afnic.fr (Contribution by Meryem Marzouki, French EDRI-member IRIS) ============================================================ 4. Danish tax authorities want to mirror hard disks of private companies ============================================================ A new proposed law would allow the Danish tax authorities to simply mirror entire hard disks of companies without a court order and before they have a reason to suspect the company has engaged in unlawful activities. The proposal adds the following two paragraphs to the law of tax auditing (unofficial translation): "Paragraph. 6. Customs and tax administration can make identical electronic copies (mirrors) of the content of electronic media that falls under the control of the customs and tax administrations, and can take the copied material away for subsequent review. The copied material must be deleted, if the customs and tax administration determines that the material does not contain information that is relevant for the control exercised by the customs and tax administration. However, if the customs and tax agency decides to proceed with the case, the copied material must be deleted only after the case is finally decided. Paragraph. 7. The minister of taxation determines, after submission to the National Board of Taxation, further rules regarding the customs and tax administration's right to make identical electronic copies (mirrors) of the data content of electronic media, that are part of an inspection, including rules on the retention and deletion of the copied material. " In the comments to the proposal, the issue of proportionality in relation to the Human Rights Convention article 8.2 is discussed. It was concluded that since the tax authorities will only use mirroring in cases where they would otherwise not get the necessary information, and only after they have determined in each case that less drastic measures would not be sufficient, then the impact on the individuals subject to the control is limited. The tax authorities argue the law will make their job easier, they promise not to abuse their new powers, and are willing to make adjustments if the consultation should point out minor problems. The proposal from the liberal/conservative government is supported by the largest opposition party, the Social Democrats, as Nick Hfkkerup said to Berlingske newspaper. He wants to ensure that the mirrors are only used for taxation, with the exception that if the tax authorities happen to discover child abuse images, it should be reported to the police. Conversely, the proposal has met hard criticism from the Danish Data Protection Agency, major medias, think tank CEPOS, blogs, etc. Draft law (only in Danish, 1.09.2010) https://www.borger.dk/Lovgivning/Hoeringsportalen/dl.aspx?hpid=24994 Civil liberty under pressure (only in Danish, 4.10.2010) http://www.berlingske.dk/ledere/borgerlig-frihed-under-pres Tax authorities requires free access to the hard disk (only in Danish, 4.10.2010) http://www.business.dk/oekonomi/skat-kraever-fri-adgang-til-harddisken Politicians welcomed the mirroring (only in Danish, 4.10.2010) http://www.business.dk/oekonomi/politikere-ser-positivt-paa-spejling (Contribution by Niels Elgaard Larsen, EDRI-member IT-POL Denmark) ============================================================ 5. Informal discussion in European Parliament on net neutrality ============================================================ For possibly the first time since the adoption of the "telecoms package", an informal discussion on the issue of "net neutrality" took place at a breakfast meeting hosted by Catherine Trautmann MEP. This happened ahead of upcoming the net neutrality "summit" planned to take place in the European Parliament. None of the positions defended by the industry or consumer representatives were particularly surprising, with Telefonica arguing that the "nightmare" of increased demands of their services had to be responded to by increased "management". In the same way as roads are not built to cope with maximum possible demands, it would be wasteful to build networks to have enough capacity to cope with maximum demand. Skype argued that the virtuous circle created by the open Internet, whereby openness fosters innovation which attracts more users, which increases the incentives to innovate, must be protected. Skype and the European Consumers Bureau (BEUC) argued that research shows clearly that transparency is insufficient to protect consumers from non-neutral access providers because of the difficulties involved in changing broadband providers. The Commission said that there were over 300 responses to the recently closed net neutrality consultation and that the priority was to ensure a level playing field and to avoid fragmentation. The issue of deep packet inspection, which BEUC said should be banned, was avoided by the Commission, which argued that other technologies "must be possible". During the debate, both Ivailo Kalfin (S+D, Bulgaria) and Edit Herczog (S+D, Hungary) briefly raised the thorny issue of content regulation, presumably because increased interference with citizens' communications for business purposes will make it harder for access providers to avoid caving in to demands to restrict or monitor access to data on the basis of government requests or media pressure. Telefonica (whose subsidiary O2 accidentally blocked the entirely innocent Imgur website because the "technology behind the service is more far reaching than anticipated and on occasion a site which should not be blocked may be") said that it was not interested in censoring online material. EDRi response to Commission consultation on net neutrality (30.09.2010) http://www.edri.org/docs/netneutralityreaction300910.pdf (Contribution by Joe McNamee - EDRi) ============================================================ 6. Lives put at risk by communications data retention ============================================================ A report published on 8 October 2010 by German civil liberties activists reveals that human lives are put at risk by the retention of all telecommunication data. According to the report, the data retention policy has endangered scientific research, caused unemployment, encouraged corruption, promoted the abuse of personal data and hindered the prosecution of crime. The report gives examples of cases when the registration of communication data failed to help the police in stopping criminals and how criminals might have used more discreet ways of communicating and internet cafes to disguise the origin and destination of messages. Crisis lines have also been hindered in their work to persuade potential perpetrators not to commit violent crimes by the traceability of anonymous calls. Already a 2009 study showed that the communications data retention law had resulted in 12.8% of those surveyed already using an anonymisation service, 6.4% moving to a service provider that didn't store data and 5.1% using internet cafis, The report also revealed that journalists had lost their sources for fear of being traced. The legislation also opened the door to abuse. In 2006, a T-Mobile co-worker sold a database containing the personal data of 17 million customers, including private addresses and secret numbers of politicians, ministers, an ex-federal president, industrial leaders, billionaires and religious leaders. "Even if one investigation was facilitated by collecting all call details, the policy has frustrated many other investigations and put human lives at risk," stated the Working Group on Data Retention adding: "Blanket and indiscriminate recording of details on every phone call, e-mail and internet connection was useless for the prosecution of crime and totally disproportionate." In June 2010, more than 100 organisations (including EDRi) from 23 European countries sent a letter to EU Commissioners Malmstrvm, Reding and Kroes asking for the data retention law to be repealed and be replaced by "a system of expedited preservation and targeted collection of traffic data". Communications data retention puts human lives at risk! (8.10.2010) http://www.vorratsdatenspeicherung.de/content/view/390/55/lang,en/ Data retention boosts crime, says civil liberties group (8.10.2010) http://www.computerweekly.com/Articles/2010/10/08/243246/Data-retention-boos... Liberties Groups' Report (only in German, 13.10.2010) http://wiki.vorratsdatenspeicherung.de/images/Bericht_Sicherheit-vor-Sammelw... Civil society calls for an end to compulsory telecommunications data retention (28.06.2010) http://www.vorratsdatenspeicherung.de/content/view/370/79/lang,en/ EDRi-gram: German civil society calls for a definitive end to telecom data retention (21.04.2010) http://www.edri.org/edrigram/number8.8/german-ngos-repeal-data-retention ============================================================ 7. European Commission high-level discussions on data protection ============================================================ Commissioner Reding recently invited a wide variety of representatives from industry, civil society, academia and law enforcement bodies to a high-level meeting in the European Commission headquarters in Brussels. The dossier is clearly a major priority for Ms Reding, who was very keen to discuss the minutiae of the legislation with experts. One of the most interesting elements of the discussions was the apparently unanimous agreement across all stakeholders that the current data protection regime is fragmented, ineffective and out of date. This environment unfortunately leads to civil society groups and industry representatives argue about jurisdiction rules when a key reason that jurisdiction is a major issue is not jurisdiction itself, it is incoherence in implementation of the Directive that makes both citizens and business afraid of having to interact with foreign authorities with varying and sometimes unpredictable interpretations of the Directive. Industry speakers were also keen to reduce bureaucracy - one representative said that the move of a data centre from Germany to the Switzerland costs half a million euro in data protection-related legal fees. A number of industry speakers were in favour of more detailed ex post checks and a reduction in ex ante obligations. The Commission is clearly open to finding ways of reducing the bureaucracy involved in data protection, although no public statement has been made yet on what that could mean in practice. The next stage in this process will be the publication next week of a Communication by the European Commission establishing the broad direction that the Commission intends to take with regard to updating existing elements of the Directive and broadening the scope to a take account of the Lisbon Treaty, which brings the former "third pillar" (police and judicial cooperation) within the scope of the Treaty. One interesting question is whether the Commission will seriously consider proposing a Regulation (directly applicable on all Member States) as a way of overcoming the current fragmentation in the implementation of the Directive. European Commission Data Protection: http://ec.europa.eu/justice/policies/privacy/index_en.htm EDRi response to the first round of consultations (23.12.2009) http://www.edri.org/files/Response%20EDRi%20on%20personal%20data%20consultat... (Contribution by Joe McNamee - EDRi) ============================================================ 8. UK Government will introduce an open data licence ============================================================ A perpetual, royalty-free licence called Open Government Licence (OGL) allowing the re-use of Governmental and public information will be introduced by the UK Government. "The Government grants a worldwide, royalty-free, perpetual and non-exclusive licence under the conditions laid out in the OGL. The OGL governs the re-use of public sector information, including material produced by government departments, Parliaments, agencies, local authorities and Trading Funds, but excludes personal data," is the government's statement. According to the National Archives the licence will replace the present Click-Use Licence and will also cover Crown Copyright, databases and source codes. Moreover, OGL will not require the registration of users or a formal application to get permission to re-use data. The licence is meant to make governmental activities more transparent and to enable and encourage the civil society and private sector to re-use this information, assisting them in promoting creative and innovative activities. It will be machine readable and therefore flexible, being able to work in parallel with other licensing models recognised internationally such as Creative Commons. "We believe (transparency) is the best way for the public to hold politicians and public bodies to account, encourage innovation and deliver better value for money in public spending," said Francis Maude, Minister for the Cabinet Office. The types of information to be used and re-used will cover "non-personal information collected and produced by government and the public sector, including works subject to copyright and database right (much of this information will be accessible on public sector web sites or already published by the public sector), previously unpublished datasets released by the public sector on portals, such as data.gov.uk and original and open source software and source code." The Government has also issued a framework governing the use of the licence by Government departments and other public bodies. "The UK Government Licensing Framework (UKGLF) provides a policy and legal overview for licensing the re-use of public sector information both in central government and the wider public sector. It sets out best practice, standardises the licensing principles for government information and recommends the use of the UK Open Government Licence (OGL) for public sector information." The framework makes it compulsory for central Government departments and agencies to use the OGL for their freely available public information and is intended to meet the needs and interests of community groups and social organisations, the information re-user community in the private sector and civil society and the public data developer community. Government publishes open data license (7.10.2010) http://www.out-law.com//default.aspx?page=11426 UK Government Licensing Framework for public sector information http://www.nationalarchives.gov.uk/documents/uk-government-licensing-framewo... EDRi-gram: New governmental usage of open licenses in the Netherlands and UK (7.04.2010) http://www.edri.org/edrigram/number8.7/open-content-government-uk-netherland... ============================================================ 9. Spanish DPA opens infringement procedures for Google Streetview ============================================================ The Spanish Data Protection Agency (AEPD) has opened an infringement proceeding against Google after completing the preliminary inspection activities which started in May on the collection and storage without consent of Wi-Fi networks location data and traffic data associated with them (payload) by the vehicles used to photograph streets of several Spanish cities, for the company's Street View application. Moreover, once the infringement proceeding has been initiated, the AEPD has forwarded to the court the final inspection report, and according to the Administrative Procedure law, has adjourned the proceedings, pending the outcome of criminal proceedings in which the company is involved in the Court of Instruction No. 45 of Madrid. The opening of an infringement proceeding by the Spanish Data Protection Agency follows the conclusion of the investigations carried out by the AEPD's inspection, which have revealed the presence of signs of a total of five violations -two serious and three very serious- of the Spanish Data Protection Act. Two of them are attributable to Google in its capacity as responsible for providing the service and designing the software that collects data for the Street View service. The other three are attributable to Google Spain, as Google representatives in Spain are responsible for collecting and storing the data in Spain and for transferring it to the United States. Specifically, the investigations carried out by the Spanish DPA have verified the collection and storage by Google vehicles of personal data of various types transmitted through open Wi-Fi networks. Between the typology of personal data transmitted through these Wi- Fi networks, the AEPD has established the collection and storage by Google of email addresses, with names and surnames, addresses associated with email messages or instant messaging, access to social network accounts and websites or user names and passwords with personal data identifying its owners and, in some cases, allowing access to special sensitive data, among others. Furthermore, the investigation established the collection by Google of location and identification data of wireless networks, such as SSID, identifiers or names of the Wi-Fi network, that in some cases, contains the real name of the subscriber, and the MAC addresses- that identify the router, connected devices and the geographic position in which they were collected. In addition, it has been established the international transfer of personal data by Google to United States, without demonstrating the compliance of the guarantees provided by the Data Protection Act that authorizes the international transfers. In this regard, the decision starting the infringement proceedings charges both Google Spain and Google Inc with the commission of serious violations of the Organic Act 15/1999 - subject to fines from 60 000 euro to 300 000 euro each - due to the processing of personal data without the consent of the data subject, as well as very serious violations of collecting and processing of personal data with special protection or without the explicit consent of the data subject, as stated by the Data Protection Act. Also, Google Spain is charged with another very serious violation of the Organic Law because of the international transfer of data to the United States of America without the guarantees foreseen by the Data Protection Act. By virtue of section 7 of the Royal Decree 1398/1993, the Spanish Data Protection Agency had to adjourn the administrative proceedings because of the criminal proceedings started by the First-instance Court number 45 of Madrid. Once the criminal proceedings are finalised, the Spanish Data Protection Agency will resume the administrative proceedings in accordance with the legal procedural rules, In that sense, the affected entities will have a term for bringing pleadings or evidence, before the final resolution of the Authority deciding on the infringements and on their legal categorisation is determined. Press release in Spanish (18.10.2010) https://www.agpd.es/portalwebAGPD/revista_prensa/revista_prensa/2010/notas_p... (Thanks to Spanish DPA Press Release) ============================================================ 10. ENDitorial: Irish court rejects music industry demands for three strikes ============================================================ On 11 October 2010, Mr. Justice Peter Charleton of the Irish High Court gave judgment in EMI and Others v. UPC , rejecting music industry claims that broadband provider UPC was responsible under Irish law for policing their users and preventing copyright infringement by them. In this case, EMI, Sony, Universal, Warner and WEA sought an injunction which would require UPC to introduce a three strikes system and to block users' access to The Pirate Bay. This followed the music industry's success in an earlier case against Eircom (Ireland's largest ISP). In that case, Eircom settled and agreed to establish a three strikes system and not to oppose the application to court to block access to The Pirate Bay. In two subsequent decisions arising from that settlement, Charleton J. held that (a) the court had the power to order Eircom to block access to particular sites and (b) that the three strikes system which was agreed between Eircom and the music industry did not conflict with data protection law. Unlike Eircom, however, UPC fought the music industry action, leading for the first time in the Irish courts to a full, contested hearing on the obligations of internet service providers in relation to filesharing. In a lengthy judgment, Charleton J. found that UPC users were engaged in extensive illegal downloading and uploading. He found that it would be possible for UPC to effectively reduce this by making use of systems such as CopySense peer to peer filtering or the detection and disconnection of users who are making available infringing copies, and made a specific finding that such systems would be accurate, practicable and not disproportionately expensive or burdensome. He found that other remedies available to the music industry, in particular identifying infringing users and bringing action against them, were inadequate. He also found that no privacy interest was implicated by the monitoring which these systems would entail. Charleton J. also held that the blocking of The Pirate Bay would be "both educative and helpful", rejecting expert testimony that blocking would be easily evaded and futile. Notwithstanding these findings, however, Charleton J. held that, under the Irish law, the court did not have the authority to grant an injunction requiring an ISP to introduce such systems or to block access to particular sites. The relevant Irish law was identified as section 40(4) of the Copyright and Related Rights Act 2000, which provides that: "where a person who provides facilities [to make a work available to the public] is notified by the owner of the copyright in the work concerned that those facilities are being used to infringe the copyright in that work and that person fails to remove that infringing material as soon as practicable thereafter that person shall also be liable for the infringement." The court found that this section, referring to the removal of infringing material, primarily envisaged situations where a defendant hosted material rather than simply permitted transit of material. Consequently, it could not be used to justify the grant of an injunction in relation to transit, and Charleton J. acknowledged that his earlier decision ordering Eircom to block access to The Pirate Bay was incorrect. Charleton J. went on to consider the effect of the European law and in particular the E-Commerce Directive and the Copyright Directive. He found that Article 15 of the E-Commerce Directive (prohibiting a general obligation to monitor) was irrelevant, holding that the use of deep packet inspection: "is not the seeking of information which is in the course of transmission. Instead, it identifies the nature of transmissions, whether encrypted or otherwise, by reference to the ports which they use, and the protocol employed, so as to identify peer-to-peer communication. UPC does this already for legitimate commercial purposes related to the management of transmissions. If it suited, they could also easily identify the file # of copyright works and block them or divert the search in aid of theft to a legal site. This is not a general search for information." He also held that UPC was a mere conduit for the purposes of the E-Commerce Directive, but that this, nevertheless, left open the possibility for a court to require an internet provider to terminate or prevent an infringement, and went on to hold that the Copyright Directive required Member States to introduce laws which would provide for these remedies. Consequently, as the Irish law did not provide for these remedies Charleton J. found that Ireland "is not yet fully in compliance with its obligations under European law". Following this judgment, and in particular its finding that Irish law has failed to correctly implement the Copyright Directive, it is likely that the issue of filesharing will be high on the political agenda in Ireland. Representatives of the music industry have already called for legislative intervention, and have also threatened to sue the Irish state for losses caused by failure to tackle filesharing. Against this, however, the judgment can be criticised on a number of fronts. Concern has been expressed about the figures relied on by the judge for the extent of piracy, which have been described as inflated. The confident description of deep packet inspection as not involving a "general duty to monitor" is also unusual in light of the preliminary reference to the European Court of Justice in SABAM v. Scarlet (Tiscali) in which this would seem to be a live issue. Similarly, the claim that no privacy issues are involved in three strikes and blocking systems seems to be undermined by the fact that the Data Protection Commissioner took no part in these proceedings so that an important viewpoint went unrepresented, and also fails to take account of developments elsewhere (such as Switzerland) where opposite conclusions have been reached. It is also unclear where this leaves the three strikes and blocking systems which Eircom has already introduced. To date there has been no indication from Eircom as to whether it intends to continue with these systems despite the ruling, and despite the competitive disadvantage which it would appear to impose on it. EMI v. UPC (Unreported, High Court, 11.10.2010) http://www.scribd.com/doc/39104491/EMI-v-UPC John Collins and Ronan McGreevy, "Music labels to rethink fight against piracy" (12.10.2010) http://www.irishtimes.com/newspaper/frontpage/2010/1012/1224280879811.html Ronan McGreevy, "U2 manager criticises UPC defence", Irish Times (14.10.2010) http://www.irishtimes.com/newspaper/breaking/2010/1014/breaking52.html Justin Mason, "Aslan's hard times, from the UPC judgment", taint.org (11.10.2010) http://taint.org/2010/10/11/231501a.html Rossa McMahon, "Strike 1?", A Clatter of the Law (13.10.2010) http://aclatterofthelaw.com/2010/10/13/strike-one/ (Contribution by TJ McIntyre - EDRi-member Digital Rights Ireland) ============================================================ 11. Recommended Action ============================================================ An on-line survey on the PSI Directive The Digital Agenda for Europe lists the revision of the Directive 2003/98/EC on the re-use of public sector information (PSI Directive) among its first key actions. It highlights that governments can stimulate content markets by making PSI available on transparent, effective and non-discriminatory terms. Deadline: 30 November 2010 http://ec.europa.eu/yourvoice/ipm/forms/dispatch?form=psidirective2010 Technolife debate: social and ethical implications of biometrics and mobility http://biometrics.kertechno.net/ ============================================================ 12. Recommended Reading ============================================================ Opinion of the European Data Protection Supervisor on the Communication from the Commission on the global approach to transfers of Passenger Name Record (PNR) data to third countries (19.10.2010) http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consul... New microshort film on the Public Domain Calculators (12.10.2010) http://blog.okfn.org/2010/10/12/new-microshort-film-on-the-public-domain-cal... Brussels: There are no guarantees in terms of controlling the secret police in Macedonia (14.10.2010) http://metamorphosis.org.mk/macedonia/brisel-nema-garancii-kako-da-se-kontro... ============================================================ 13. Agenda ============================================================ 25 October 2010, Brussels, Belgium Hearing by the European Parliament's Committee on Civil Liberties, Justice, and Home Affairs (LIBE): "Data Protection in a Transatlantic Perspective. Future EU-US data protection agreement in the framework of police and judicial cooperation in criminal matters", 15.00-18.30, Room ASP 3E002. Programme http://www.europarl.europa.eu/document/activities/cont/201010/20101013ATT868... Live-Stream http://www.europarl.europa.eu/wps-europarl-internet/frd/live/live-video?lang... 25-26 October 2010, Jerusalem, Israel OECD Conference on "Privacy, Technology and Global Data Flows", celebrating the 30th anniversary of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data http://www.oecd.org/sti/privacyanniversary 26 October 2010, Brussels, Belgium Future Internet Architecture (FIArch) Open Workshop on the Future Internet Architecture Limitations http://ec.europa.eu/information_society/activities/foi/research/fiarch/index... 27-29 October 2010, Jerusalem, Israel The 32nd Annual International Conference of Data Protection and Privacy Commissioners http://www.privacyconference2010.org/ 28-31 October 2010, Barcelona, Spain oXcars and Free Culture Forum 2010, the biggest free culture event of all time http://exgae.net/oxcars10 http://fcforum.net/10 3-5 November 2010, Barcelona, Spain The Fifth International Conference on Legal, Security and Privacy Issues in IT Law. http://www.lspi.net/ 5-7 November 2010, Cologne, Germany Transparency, Work, Surveillance Joint Annual Meeting of FIfF and DVD http://fiff.de/veranstaltungen/fiff-jahrestagungen/JT2010/jt2010_uebersicht 5-7 November 2010, Gothenburg, Sweden Free Society Conference and Nordic Summit http://www.fscons.org/ 17 November 2010, Gent, Belgium Big Brother Awards 2010 Belgium http://www.winuwprivacy.be/kandidaten 27-30 December 2010, Berlin, Germany 27th Chaos Communication Congress (27C3) http://events.ccc.de/congress/2010 25-28 January 2011, Brussels, Belgium The annual Conference Computers, Privacy & Data Protection CPDP 2011 European Data Protection: In Good Health? Submission deadline for Full Papers and Position Papers: 16 November 2010 http://www.cpdpconferences.org/ ============================================================ 14. About ============================================================ EDRI-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRI has 27 members based or with offices in 17 different countries in Europe. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRI-grams. All contributions, suggestions for content, corrections or agenda-tips are most welcome. Errors are corrected as soon as possible and are visible on the EDRI website. Except where otherwise noted, this newsletter is licensed under the Creative Commons Attribution 3.0 License. See the full text at http://creativecommons.org/licenses/by/3.0/ Newsletter editor: Bogdan Manolea <edrigram@edri.org> Information about EDRI and its members: http://www.edri.org/ European Digital Rights needs your help in upholding digital rights in the EU. If you wish to help us promote digital rights, please consider making a private donation. http://www.edri.org/about/sponsoring - EDRI-gram subscription information subscribe by e-mail To: edri-news-request@edri.org Subject: subscribe You will receive an automated e-mail asking to confirm your request. unsubscribe by e-mail To: edri-news-request@edri.org Subject: unsubscribe - EDRI-gram in Macedonian EDRI-gram is also available partly in Macedonian, with delay. Translations are provided by Metamorphosis http://www.metamorphosis.org.mk/edri/2.html - EDRI-gram in German EDRI-gram is also available in German, with delay. Translations are provided Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for Internet Users http://www.unwatched.org/ - Newsletter archive Back issues are available at: http://www.edri.org/edrigram - Help Please ask <edrigram@edri.org> if you have any problems with subscribing or unsubscribing. ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE