============================================================ EDRi-gram biweekly newsletter about digital civil rights in Europe Number 7.4, 25 February 2009 ============================================================ Contents ============================================================ 1. Data protection authorities support civil society on the Telecom Package 2. The trial of The Pirate Bay in Sweden 3. Lex Nokia storms into the Finnish Parliament 4. Italy to enforce a global censorship legislation? 5. Norwegian group joins Sweden-based Justice Center against Swedish FRA law 6. European Commission disbanded data protection experts group 7. Romanian data retention law suspendend by the Government 8. HADOPI law close of creating a dangerous precedent 9. UK Government ignores the European Commission regarding Phorm 10. EDRi participates in European project on raising privacy awareness 11. ENDitorial: Privacy in the Czech Republic - nothing to celebrate 12. Recommended Action 13. Recommended Reading 14. Agenda 15. About ============================================================ 1. Data protection authorities support civil society on the Telecom Package ============================================================ The Article 29 Working Group and the European Data Protection Supervisor have issued public statement supporting some of the arguments of the civil society, including EDRi, made in the recent open letter sent to the European Parliament on 17 February 2009 and in the campaign against "voluntary data retention". The open letter underlines the signatories' concerns related to those amendments of the Telecoms Package which might affect the Internet and Internet users, by targeting the open and non-discriminatory access features. Thus the fundamental users' rights such as privacy and freedom of speech are put in jeopardy. The Article 29 adopted on 10 February Opinion 1/2009 on the proposals amending the e-Privacy Directive, acknowledging its concerns regarding the present article 6 a) that "might lend legitimacy to large scale deployment of deep packet inspection both in the network and in user equipment such as ADSL boxes, while the current legal framework already details the cases in which traffic data may be processed for security purposes." Considering that "the wording proposed by the Commission establishes beyond all doubt that the processing of traffic data falls within the scope of the Data Protection Directive", the working group decided that the Article 6(6a) is unnecessary. A similar opinion is supported by the European Data Protection Supervisor's comments on some issues in the review of the Universal Service Directive. According to the text "he is concerned about the implementation of traffic management policies that require the monitoring of Internet usage and interception without appropriate data protection safeguards," and concludes that "Article 5 of the ePrivacy Directive applies whenever traffic management policies entail interception or surveillance of Internet usage. Therefore, to avoid confusion, it seems only just and reasonable to recognise that pursuant to this article informed consent from users is necessary." In the same document, EDPS tackles the 3 strikes procedure and considers as unfortunate its possible introduction in the Telecom package and notes that "it would have been preferable if the European Parliament had not given up to pressure by laying down the foundation for a three strikes approach and if all these issues had been addressed separately in different legal instruments, after careful analysis and debate." The EDPS supports the civil society in calling upon decision makers to re-introduce Amendment 138 and Article 32a of the Universal Service Directive that would strengthen the safeguards towards ensuring the protection of individuals' rights, including the right to data protection and privacy and due process. The Article 29's Opinion also tackles other aspects regarding the e-Privacy directive. Thus the document strongly supports "an extension of personal data breach notifications to Information Society Services (...) given the ever increasing role these services play in the daily lives of European citizens." This resonates with the initial Amendments of the European Parliament or with Peter Hustinx's public comments, who explains why the position of the Commission and the Council is not enough to protect the citizens in the online world: "That restriction means European citizens would only be alerted if their internet access or telephone company suffers security breaches. If their online bank is hacked or its security systems are cracked, enabling the unauthorised access to bank account information, citizens might not be notified. So, unless the amendments proposed by the European Parliament are adopted by the Council, online banks and other e-businesses would be off the hook." The Article 29 Working Group has also re-emphasised its earlier opinion "that unless the service provider is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side". Thus the WG agrees with the Commission that a substantive provision of a directive is not the most suitable way of addressing this issue, and that a reporting obligation referring to "purposes not covered by this Directive" is not appropriate. Open letter to the European Parliament - Telecom Package (17.02.2009) http://www.edri.org/edrigram/campaigns/open-letter-telecom-package EU proposal puts confidential communications data at risk (28.02.2009) http://www.edri.org/campaigns/no-voluntary-data-retention All data breaches must be made public (29.01.2009) http://resources.zdnet.co.uk/articles/comment/0,1000002985,39603777,00.htm Opinion 1/2009 on the proposals amending Directive 2002/58/EC on privacy and electronic communications (e-Privacy Directive) (10.02.2009) http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2009/wp159_en.pdf EDPS comments on some issues in the review of the Directive 2002/22/EC (Universal Service) (16.02.2009) http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consul... EDRi-gram: Data breach notification - different opinions in EU bodies ? (19.11.2008) http://www.edri.org/edri-gram/number6.22/data-breach-ec ============================================================ 2. The trial of The Pirate Bay in Sweden ============================================================ The big, long and extremely mediatized trial filed on 31 January 2008 by Swedish prosecutors against the four Pirate Bay founders for "promoting other people's infringements of copyright laws" started at Stockholm's District Court, on 16 February 2009. The first day of the trial was dedicated to the opening statements of the prosecution and the defendants, the latter denying any criminal act. Prosecutor Hekan Roswall presented the claims of the plaintiffs Warner Bros, MGM, EMI, Colombia Pictures, 20th Century Fox, Sony BMG and Universal and spent most of the morning trying to describe how the Pirate Bay works suggesting it was a commercial organization with Carl Lundstrvm as a shareholder and financier of the company. The prosecutor made a presentation of a series of movie, music and game downloads "coordinated by The Pirate Bay" before 2006. He continued trying to explain the change from a seed status to that of a peer as part of the evidence previously gathered by the plaintiffs. The civil parties represented by IFPI and MPAA expressed the intention to ask for 11 million euro damages. The second day of the trial started with a big victory for The Pirate Bay founders with the dropping out of most part of the accusations against them. The prosecutor announced the defendants would not be accused of "assisting copyright infringement" changing the accusation into "assisting making available copyright material". The prosecutor was unable to prove that the .torrent files introduced as evidence were actually using The Pirate Bay's tracker. Furthermore, he has shown to be technically unprepared and failed to explain the function of DHT which allows for so called "trackerless" torrents. This means the screenshots the prosecution provided as evidence did not necessarily belong to The Pirate Bay's tracker. Pirate Bay claimed it did not break the law because it did not host or disseminate copyright-infringing content but only links to that content and reproached the prosecution, the police and the music industry of not understanding the technology. According to Fredrik Neij, the entire accusation was based on a technical misunderstanding. On 18 February, the prosecution asked for about 11 million euro compensation and damages on the basis that the defendants should have obtained worldwide licences for the content it distributed. The defence rejected any discussion related to damages considering there had been no damage. "EU directive 2000/31/EC says that he who provides an information service is not responsible for the information that is being transferred. In order to be responsible, the service provider must initiate the transfer. But the admins of The Pirate Bay don't initiate transfers. It's the users that do and they are physically identifiable people. They call themselves names like King Kong," was defence lawyer Samuelsson's statement to the court. "According to legal procedure, the accusations must be against an individual and there must be a close tie between the perpetrators of a crime and those who are assisting. This tie has not been shown. The prosecutor must show that Carl Lundstrvm personally has interacted with the user King Kong, who may very well be found in the jungles of Cambodia," the lawyer added. The plaintiffs insited on The Pirate Bay's behaviour that refused to withdraw the .torrent links from their index, except for the cases when the content did not correspond with the one announced by the user placing the torrent file. In the prosecution's opinion, this would make The Pirate Bay more than a simple technical intermediary. The defense argued that uploading a torrent does not imply that the copyrighted files are actually 'available', as the torrent has to also be seeded and that, on the other hand, torrent files are not linked exclusively on The Pirate Bay and can be found through other search engines, including Google. Two of the defendents were heard on the fourth day, the technician Frederik Neij and the administrator Gottfrid Svartholm Warg who were both pretty much sticking to their initial position. The day did not bring very much change. Neij proved that it was possible to create a torrent file and host it somewhere else, like on TorrentSpy using the trackers opened by The Pirate Bay to distribute the files, in which case The Pirate Bay cannot know what is exchanged. In his opinion, the prosecusion had not succeeded in proving that the incriminated files had been actually downloaded on The Pirate Bay. The lawyer of the movie industry tried to show that The Pirate Bay had an active role in the choice of the content presented by its users and asked Gottfrid Svartholm Warg whether the site had withdrawn content related to child pornography. The administrator replied that they had notified the police on such torrent files and they had retired them at the request of the police. "We can't do investigations of our own. And if the police say we should remove a torrent, we will," he said. Peter Sunde was interrogated on Friday morning. The strategy of the prosecusion seemed to be clearer than during the first days being focused on trying to prove that The Pirate Bay had been created with the purpose of gaining money from "pirating". The prosecutor tried to show that The Pirate Bay was actually managed by a hierarchical organization with a commercial purpose. However no material evidence was brought to support this idea. When asked what the purpose of The Pirate Bay was Sunde answered: "It is to enable users to share their material with others." "Even though it is copyrighted?" questioned Danowsky. "That can sometimes be the sad consequences," Peter replied. The defendant stated to the court that in his opinion the entire trial was a political one and that the reason for which the plaintiffs brought the case against The Pirate Bay was not the fight against illegal downloading of their works but a a fight to preserve the monopoly on the distribution means. The trial started again on 24 February when the prosecutor also added to the charges that the site allowed its users to upload torrents that it further on stored. Magnus Mertensson, a lawyer for the IFPI testified during the morning but the evidence brought by him consisted only of screenshots and the witness also admitted having difficulties in answering some technical questions. Both him and policeman Magnus Nilsson of the Anti-Piracy Office who was the next witness for the prosecution were unable to bring forth any real evidence that the Pirate Bay trackers were actually used for the downloads investigated. Mertensson admited that he had no evidence of having any contact with The Pirate Bay's tracker during the downloading he was claiming to have made from the site. Nilsson was made to admit that the actual downloading of the pirated files happened outside of The Pirate Bay. The trial is supposed to last until the 4 March 2009. We will present the conclusions of the trial in our next newsletter. The Pirate Bay trial: 1st day under the sign of boredom (only in French, 16.02.2009) http://www.numerama.com/magazine/12023-Proces-de-The-Pirate-Bay-1ere-journee... Half of Pirate Bay case dropped in courtroom drama (17.02.2009) http://www.out-law.com//default.aspx?page=9803 The Pirate Bay cries victory after the dropping out of some charges ! (only in French, 17.02.2009) http://www.numerama.com/magazine/12041-The-Pirate-Bay-crie-victoire-apres-l-... The Pirate Bay (day 3): "We are winning on legal principles" (only in French, 18.02.2009) http://www.numerama.com/magazine/12066-The-Pirate-Bay-jour-3-Nous-gagnerons-... Day 3 - The Pirate Bay's 'King Kong' Defense (18.02.2009) http://torrentfreak.com/g-defense-090218/ The Pirate Bay (day 4): "Are you a coward, Fredrik Neij ?" (only in French, 19.02.2009) http://www.numerama.com/magazine/12087-The-Pirate-Bay-jour-4-Etes-vous-un-la... Day 4 - Pirate Bay Defense Calls Foul Over Evidence (19.02.2009) http://torrentfreak.com/day-4-pirate-bay-defense-calls-foul-over-evidence-09... The Pirate Bay (day 5): Peter Sunde counter-attacks (only in French, 20.02.2009) http://www.numerama.com/magazine/12100-The-Pirate-Bay-jour-5-Peter-Sunde-con... Pirate Bay Trial Day 5: Peter's "Political Trial" (20.02.2009) http://torrentfreak.com/pirate-bay-trial-day-5-peters-political-trial-090220... Pirate Bay Trial Day 7: Screenshots for Evidence (24.02.3009) http://torrentfreak.com/pirate-bay-trial-day-7-screenshots-for-evidence-0902... EDRI-gram: Pirate Bay in legal battle with IFPI (11.02.2009) http://www.edri.org/edri-gram/number7.3/piratebay-ifpi-battle ============================================================ 3. Lex Nokia storms into the Finnish Parliament ============================================================ Government bill dubbed as Lex Nokia, also known as the snooping law, entered the Parliament for debate on 24 February 2009. The bill has been widely criticized for heavy-handed treatment of fundamental rights, granting companies more rights than the police, suspicion of undue corporate pressure and vagueness and unclarity. The proponents of the law have continued making embarrassing gaffes: Communications Minister Suvi Lindin has said in an interview in Tampere newspaper Aamulehti that an employer currently has the right to order a strip-search of an employee if there is suspicion that the employee is leaking company secrets. Furthermore, Finance Minister Jyrki Katainen, has stated that he is not familiar with the contents of the bill, but supports it firmly, regardless. Yesterday's parliamentary debate consisted mainly of opponents of the law raising various concerns regarding fundamental rights, usefulness of the bill, increasing surveillance, bad drafting process etc. The defenders of the law kept repeating how opponents of the bill are ill-informed of its actual implications and how the bill improves the status of employee rights. The Left Alliance and the Social Democrats were calling for rejecting the bill and sending it back for a complete overhaul. TV news on 24 February reported about the law, stating that it is meant to prevent three things: * leakage of trade secrets * copying of copyrighted materials * disruption of corporate networks with attachments and malware. Unless this is some kind of mistake made by the news, this sheds a new light on the purpose of the bill. Government party lines seem to be holding, only the Greens (14 seats) are split on the issue. If the lines are not broken any further, the bill will pass even if all Greens vote against it, since the National Coalition (51 seats), the Centre (51) and the Swedish People's Party (10) have a majority in the 200-member strong parliament. The Greens have proposed limiting the bill so that the email log data is allowed to be examined only in cases where a company is investigating leakage of trade secrets. The content of the law is expected to be voted upon today, 25 February. The final vote, whether to pass or reject the bill, is expected next week. Lex Nokia Debate Ignites Parliament (24.02.2009) http://yle.fi/uutiset/news/2009/02/lex_nokia_debate_ignites_parliament__5695... Labour Ministry official confirms threat of Nokia leaving Finland over law on electronic communications (24.02.2009) http://www.hs.fi/english/article/Labour+Ministry+official+confirms+threat+of... Lex Nokia furore fuelled further by minister4s strip-search remark (13.02.2009) http://www.hs.fi/english/article/iLex+Nokiai+furore+fuelled+further+by+minis... EDRi-gram: Snooping law, "Lex Nokia", proceeding slowly but surely in Finland (17.12.2008) http://www.edri.org/edri-gram/number6.24/nokia-law-finland-snooping (Contribution by Leena Romppainen - EDRi-member Electronic Frontier Finland) ============================================================ 4. Italy to enforce a global censorship legislation? ============================================================ The Italian Senate approved - and the Camera dei deputati (Italian "Low Chamber") is ready to finally pass - draft law 733 named Pacchetto sicurezza - "Security Package", a series of (supposely) coordinated provisions aimed at improve, whatever that means, police bodies and public prosecutor powers. Of course, the law wouldn't have been complete without "taking care" of the Internet, and legislators didn't loose the chance. Under sect. 50 bis of this forthcoming law, a public prosecutor which is given "serious circumstantial evidence" that an online activity of inciting crime has been committed, is allowed to ask the Minister of Home Affair to order the ISP's to shut down the "concerned" network resource. ISP refusal to comply with Minister's order should be fined with a penalty up to 250 000 Euros. The provision is clearly flawed from a constitutional standpoint. The basis of every western democracy, indeed, is separation of power, thus is not legally possible to have such a cross-jurisdiction mess between the public prosecutor (the judiciary power) and a Ministership (the executive power). Further more, there would be a double trial for the same fact, one of which (the Home Affair Ministership one), done without the legal guarantee of a criminal trial (fair process, etc.). But this is only the tip of the iceberg. Crime-inciting wrongdoing is very difficult to handle, since the border between free-speech and law violation is often blurred (would a website supporting freedom rebel of a country be - per se - inciting to commit crimes?). Further more, if ISP's must prevent access to a network resource located outside their network (abroad, for instance) this would mean that the result will be achieved through deep-packet inspection, or similar, privacy threathning techniques. Thus - with the excuse of "protecting" Italian citizens - the D'Alia amendment (named after the MP that proposed it) is likely to be the first step toward a global censorship system. A Cassinelli amendment (again, from the MP name of its author) that followed the D'Alia one, tried to circumvent the above mentioned problems, but with no real changes in the substance of the matter and the political, net-phobic approach. Italy had a "sound" tradition in trying to enforce citizen's global surveillance systems through ISP's and telco operators, adopting every sort of justifications (from copyright, to child pornography, to online gambling and now to crime-inciting actions). Oddly enough, nevertheless, these "good intentions" fell always on innocent citizens' shoulders, while true criminals stay absolutely free. Or, to put it straight: to (maybe) catch a few criminals, the whole nation network usage will be subjected to "third parties" - namely, ISP's - systematic scrutiny. So long, human rights. (Contribution by Andrea Monti - EDRi-member ALCEI -Italy) ============================================================ 5. Norwegian group joins Sweden-based Justice Center against Swedish FRA law ============================================================ The Norwegian organisation of the International Commission of Jurists (ICJ) has filed a petition, known as a Third Party Intervention, in support of the case brought to the European Court of Human Rights challenging the Sweden's FRA law that authorizes the Sweden's National Defence Radio Establishment (Fvrsvarets radioanstalt - FRA) to wiretap all telephone and Internet traffic that crosses Sweden's borders. The legislative package which was passed by the Parliament of Sweden on 18 June 2008 and took effect on 1 January 2009, was fiercely criticized and opposed in Sweden by the public, opposition parties, the appeal courts for Skene and Blekinge, Sweden's Customs Agency, the Data Inspection Board and even politicians belonging to the alliance government. A case was filed in July 2008 by the Sweden-based Justice Center (Centrum fvr Rdttvisa - CFR), which argued FRA's expanded powers to monitor cross-border communications traffic violated Article 8 and Article 13 of the European Convention on Human Rights guaranteeing the citizens' right to privacy and ensuring the citizens with the possibility to hold national authorities to account for possible human rights violations. According to Lawyer Robin Lvvf of the European University Institute in Florence who reported the Swedish law to the European Commission in August 2008, the law is in clear breach of fundamental rights governing the movement of goods and services in the European Union. Clarence Crafoord, head attorney with CFR welcomed the Third Party Intervention of the Norwegian group considering the initiative "offers additional perspectives about the problems with the FRA-law and it's good that it makes clear to the European Court of Human Rights that the law affects both Swedes and citizens in other countries." The Norwegian petition cites a report issued by the Norwegian Postal and Telecoms Agency in November 2008 which showed that most electronic communications traffic into and out of Norway as well as a large part of the domestic traffic passes through Sweden, the Swedish law therefore affecting the privacy rights of Norwegian citizens. Although the Swedish government brought some changes to the law with an amendment in September 2008, in ICJ-Norway's opinion the changes apply only to Swedish citizens or people residing in Sweden. The group believes that Norwegian citizens' communications are the "explicit target for the secret monitoring by Swedish authorities". "Norwegian citizens are still left lawless under the present legislation.(...) They are faced with the constant risk that their private communications which happen to pass Sweden's borders could be subject to interception and be subsequently stored, distributed, and misused by and at the absolute discretion of the Swedish authorities," writes ICJ-Norway in its petition. ICJ-Norway points out a series a deficiencies in the formulation of the law which includes vague definitions of the targeted communications, the lack of clear regulations on information storing, the lack of independent judicial control and the lack of possibility of response for the citizens whose communications are intercepted. Norwegian group joins case against Sweden's wiretapping law (13.02.2009) http://www.thelocal.se/17578/20090213/ Swedish surveillance law 'breaks EU rules' (13.08.2008) http://www.thelocal.se/13664/20080813/ Goverment getting closer to surveillance law compromise (25.09.2008) http://www.thelocal.se/14554/20080925/ Snoop law to be tried in European court (15.07.2008) http://www.thelocal.se/13052/20080715/ EDRI-gram: ENDitorial: Wiretapping - the Swedish way (27.08.2008) http://www.edri.org/edrigram/number6.16/wiretapping-swedish-way ============================================================ 6. European Commission disbanded data protection experts group ============================================================ The European Commission has decided to dismantle a group of experts that needed to review the European Data Protection Directive. The group was formed after a tendering process and included: Peter Fleischer, global privacy counsel for Google, David Hoffman, director of security policy and global privacy officer for Intel; Henriette Tielemans a privacy lawyer from a US law firm, Christopher Kuner, a privacy lawyer with another US law firm; and Jacob Kohnstamm, chairman of the Dutch data protection authority. Alex T|rk, the French Data Protection Authority President and the Chairman of Article 29 Working Party, has complained about the biased structure of the group explaining to a French Senate committee that the group was composed "four-fifths of personalities representing American interests." The committee submitting a resolution stating it was "unacceptable" that four members of the group "are either from American companies or law firms whose principal establishment is in the U.S." The group had just one meeting at the end of the last year and even though they were gathered for a one-year mandate the Commissioner Barrot, who is also a French, decided to disband the group and to broaden the consultation on the review of the 1995 data protection directive. In fact T|rk asked Barrot to look into the matter, and the latter acknowledged that "the situation was abnormal". T|rk explained that part of the problem was that there were major conceptual differences between the EU and US data protection principles: "Europeans must note that the gap is big between the American vision and the European vision." Draft Resolution regarding the nomination by the European Commission of an expert group on data protection. (6.02.2009) http://www.senat.fr/leg/ppr08-203.html European Commission Disbands Privacy Group (17.02.2009) http://www.clickz.com/3632816 ============================================================ 7. Romanian data retention law suspendend by the Government ============================================================ In a sudden and unexpected move, the Romanian Government has decided on 25 February 2009 to suspend the application of the data retention law until the end of the year - 31 December 2009. The official reason from the press release of the Ministry of Communications and Information Society are related to the: - complications that the law brings to the penal cases, especially in the initial phases of information gathering; - the area of the crimes for which the retained data is accessible is contested (by whom? -n.a.); - not all of the communications providers may ensure the management of the retained data; - not all the providers are ready to respect the legal provisions regarding the confidentiality of the accessed data. Even though the law was in a public consultation (but dormant-type phase) for almost 9 months, it seems that the Government is realizing that they didn't get the "perfect text". The privacy concerns do not appear in the press release, but a better "information campaign" on the law and its consequences is mentioned somewhere in a work plan. It is still unclear how the "suspension" will work. It seems that the Government would like to issue a new emergency ordinance that will postpone the application of the law. It remains to be seen if the new text of the law supported by the Ministry will be better or worst than the present one. Application of the data retention law - postponed until the end of 2009 (only in Romanian, 25.02.2009) http://economie.hotnews.ro/stiri-telecom-5447913-aplicarea-legii-stocare-dat... Minsitry of Communications and Information Society (only in Romanian, 25.02.2009) http://media.hotnews.ro/media_server1/document-2009-02-25-5447934-0-comunica... ============================================================ 8. HADOPI law close of creating a dangerous precedent ============================================================ On 18 February 2009, Christine Albanel, French Minister of Culture, presented to the Chamber of Deputies the controversial Criation et Internet draft law (so called Hadopi law) calling for the creation of a government agency to manage the graduated response (or three-strike) process. The law which was passed by the Senate in October 2008 was discussed by the deputies in the legal commissions with amendments to be presented during the debates starting on 4 March. As previously during the long discussions having taken place for some years now, during the debates in the legal commissions, any amendment proposed in the direction of a global license, such as the "creative contribution" proposed by the socialist Patrick Bloche was rejected. The proposed mechanism would have implied a fee paid by the Internet subscribers to their ISP for legal downloading of copyrighted material. The fees collected could be used to remunerate artists for their work. "With a universal licence, the money recuperated will not uniquely go into the pockets of the producers, which is definitely the case now. Today, artists' royalty payments are significantly less, while the (media companies') royalty payments are considerably more," said Bloche. According to Nicolas Maubert, an attorney with law firm Gide Loyrette Nouel, if voted in the present form, the law might still be challenged by France's judicial body. Blocking Internet access as a sanction might breach constitutional protections guaranteed by the French Constitutional body (Conseil Constitutionnel) said Maubert, who added that a graduated response initiative is not a necessarily a bad thing in itself: "It still seems legitimate to question whether blocking the access to the internet is indeed a 'proportionate measure.' Especially these days, just imagine yourself without access to the internet, with no e-mails, no information." In the meantime, as a positive balance, according to reports from the European Parliament, the also very controversial Medina report containing a range of measures in support of copyright enforcement, including increased liability for ISPs, secondary liability for peer-to-peer sites and graduated response, has been postponed and apparently even removed from the European Parliament's agenda. Having in view the very strong opposition reaction from citizens all over Europe, it appears the socialist group in the European Parliament blocked the report for fear of losing votes at the next elections. If the Medina report had been pushed to the plenary, it would have also created a problem for the Telecoms Package.The Parliament miight not have passed it, supporting Amendment 138 which is against graduate response. "Thousands of emails and phone calls from concerned citizens reached the parliament. The outcome proves that informed citizens can altogether become stronger than a small obscurantist industry pressure group. We must consolidate this victory by guaranteeing, through the second reading of the Telecoms Package, that Internet remains the most fantastic advance for our societies since the invention of the printing press."declared Jirimie Zimmermann, co-founder of La Quadrature du Net. Antipiracy Law: "the creative contribution" of the Socialist Party rejected (only in French, 20.02.2009) http://www.01net.com/editorial/403824/loi-antipiratage-la-contribution-creat... French Legislature Puts Finishing Touches On Ambitious File-Sharing Law (23.02.2009) http://www.ip-watch.org/weblog/2009/02/23/french-legislature-puts-finishing-... Medina report indefinitely abandoned (22.02.2009) http://www.iptegrity.com/index.php?option=com_content&task=view&id=259&Itemid=9 Copyright dogmatism temporarily kicked out of European Parliament (19.02.2009) http://www.laquadrature.net/en/copyright-dogmatism-temporarily-kicked-out-eu... Christine Albanel defends the antipiracy law in front of the deputies (only in French, 18.02.2009) http://www.01net.com/editorial/403753/christine-albanel-defend-la-loi-antipi... EDRi-gram: One more step for France in adopting the graduated response (5.11.2008) http://www.edri.org/edrigram/number6.21/french-senate-adopts-3-strikes ============================================================ 9. UK Government ignores the European Commission regarding Phorm ============================================================ On 12 February 2009, the European Commission warned it would take formal action against the UK Government for not providing the requested information on the past trials of the Phorm ad-serving technology. The Commission has sent three letters until now requesting information on the secret trials by BT of Phorm, the latest having been sent at the end of January 2009. No satisfactory answers have been received so far, the response having focused only on future deployments without addressing the question of the past trials. The trials, conducted in 2006 and 2007, tracking the browsing behaviour of BT customers without their consent, resulted in complaints from privacy campaigners, peers, and politicians who argued that the actions were in breach of UK interception and data-protection laws. In July 2008, technology campaigner Alexander Hanff made a complaint to the police force considering the BT trials were not in compliance with RIPA and the Data Protection Act as the customers' consent had not been required. However, the City of London police informed Hanff in September 2008 that they would not continue the investigation for "lack of criminal intent". "One of the main reasons for this decision is the lack of criminal intent on behalf of BT and Phorm in relation to the tests. It is also believed that there would have been a level of implied consent from BT's customers in relation to the tests, as the aim was to enhance their products," wrote detective sergeant Barry Murray. Although UK regulators have provided rules for the future deployments of Phorm which require the company to not retain website history data, exclude sensitive search topics and obtain the customer's agreement also providing information of the respective technology, according to UK's EDRi-member Open Rights Group, it is not yet clear whether the consent of both the users and the visited websites is required. "Unless the ISPs employing Phorm's technology to intercept the communications between their customers and the owners of the websites their customers are visiting have the explicit consent of both parties, they are likely to be committing an offence under the Regulation of Investigatory Powers Act (RIPA), the legislation that governs interception of communications in the UK," stated the group. In spite of the repeated questions and investigations and disregarding the European Commission's warning, Phorm goes on. The company's CEO stated during an interview on 9 February that the system would be active in the UK by the end of 2009. The company has also signed deals with another two big UK ISPs, Carphone Warehouse and Virgin Media. EC warns gov't over Phorm foot-dragging (12.02.2009) http://news.zdnet.co.uk/security/0,1000000189,39615480,00.htm BT finishes trial, expects to use Phorm (15.12.2008) http://news.zdnet.co.uk/communications/0,1000000085,39578006,00.htm Police drop investigation into BT's Phorm trials (23.09.2008) http://news.zdnet.co.uk/security/0,1000000189,39492793,00.htm Phorm: damn the EU, full speed ahead! (11.02.2009) http://arstechnica.com/tech-policy/news/2009/02/phorm-damn-the-eu-full-speed... EU calls phoul over ad company Phorm's invasive snooping (15.08.2008) http://arstechnica.com/old/content/2008/08/eu-calls-phoul-over-ad-company-ph... EDRIgram: UK: Phorm threat (28.01.2009) http://www.edri.org/edri-gram/number7.2/phorm-uk ============================================================ 10. EDRi participates in European project on raising privacy awareness ============================================================ EDRi is one of the partners in a new European project initiated by the French Human Rights League (LDH), which aims to raise awareness on the privacy aspects, especially among the young generation. The project initiated by LDH and started on 1 January 2009 comprises, besides EDRI, another European Human Rights Network - European Association for the Defense of Human Rights (EAHR) and two national members - Pangea (in Spain) and Iuridicum Remedium (in Czech Republic). The project is funded by the European Commision within the framework of the Program on fundamental rights and citizenship - transnational projects. This project aims to help a large group of young people, teenagers and young adults to become vigilant about the protection of their personal data, to sensitise them on subjects which may seem trivial. A first meeting was held on 13-14 February 2009 when all project members met for the first time to better define the main two objectives: a) The analysis and comparison of some privacy invasive technologies in the selected countries, the identification of good and worst practices, applicable legislation and its implementation, relevant awareness campaigns. b) The production of an awareness tool aimed at young adults dealing with sensitive subjects in all countries, which are not sufficiently handled or specifically aimed at this target population. In this case our objective is to influence these practices and go against the tendency which professes "I have nothing to hide therefore nothing to fear, so no problem" with an accent upon "why should they care and how to do it". Human Rights League France http://www.ldh-france.org/ European Association for the Defense of Human Rights http://www.aedh.eu/?lang=en Pangea http://www.pangea.org/ Iuridicum Remedium http://www.iure.org ============================================================ 11. ENDitorial: Privacy in the Czech Republic - nothing to celebrate ============================================================ For the third time the Council of Europe has proclaimed 28 January the European Data Protection Day. EDRi-member Iuridicum Remedium (IuRe) reminds that the safety of Czech citizens4 personal data is still seriously endangered. Some of the most pressing issues are listed below. RFID based Opencard (or Praguer4s Universal Card) is now being promoted as an electronic travel card for public transportation. However, the contactless chip card formerly used for parking payment and as a library ID is not secure. The contactless chip can be read remotely and the data stored on it can be linked with the central database containing personal data. The system thus allows for movement tracking, especially at the electronic gates which are going to be introduced in Prague metro. In relation with the Opencard4s drawbacks, IuRe initiated a petition at the beginning of September 2008, which demands the deletion of both Opencard holder data and usage data from the central database after the card4s expiration and an observance of database administrator4s duty to allow user4s data deletion upon request. "We also demand an implementation of an anonymous Opencard at the same price as an ordinary Opencard," reports Filip Pospmsil from IuRe. The petition has already been signed by almost 700 people. The Municipal authorities of Prague began to sell anonymous cards on the 17 December 2008. However, there is an extra 8 EUR charge and since only transferable season transport tickets can be purchased with such a card, the price for the annual travel becomes significantly higher. The Praguers effectively have to pay extra for their privacy protection and IuRe will stand out for an implementation of non-discriminatory anonymous card, i.e. the card allowing to use the service at the same price without unnecessary disclosure of personal data. The Municipal Council of the city of Prague received a Big Brother Award 2008 for the Opencard project in "Worst Public Agency Privacy Intruder" category. Visa Waiver The term Visa Waiver refers to a set of agreements related to the abolition of the visa requirement for Czech citizens traveling to the USA. These agreements allow the American authorities access to personal data of the Czech citizens in Czech state authorities4 databases, including biometric data. The access is given as a compensation for the abolition of visa requirements, but in fact the paper visa have been merely replaced by the virtual visa - a system of detailed electronic questionnaires based on which the applicant can still be refused entry to the USA. "In the case of the Czech Republic the agreements where not negotiated properly with Czech Data Protection Agency and their comments were not respected," points out Filip Pospmsil from IuRe. The complementary Agreement on strengthening the cooperation for the prevention and fight against serious crime was approved by the government on the 4 December 2008. However, the Government disregarded the comments of the Czech Data Protection Agency and other state authorities. At the beginning of 2009, IuRe urged the MEPs and senators to not approve the proposed agreement. IuRe has made an attempt to find out the scale of personal data which had been promised by the Czech authorities to be handed over to the American authorities as well as the conditions of the data protection. The official request for information has been submitted to the Ministry of Internal Affairs by the end of 2008. "The request was concerning another visa waiver related memorandum on establishing of the Combating Terorism Center and the Electronic System of Travelling Registration (ESTA)," specifies Filip Pospmsil from IuRe. However, the memorandum is classified as secret and thus neither IuRe nor any other ordinary citizens know which of their personal data is being handed over. Privacy and bank sector The new Police Law was negotiated and approved in 2008. IuRe together with the bank sector and the Czech Bank Association have been criticizing the new power of the Czech Police to request data about the location and time of electronic card payments from banks, and particularly, the ability to access bank information systems. "We have been submitting comments during the negotiation of this law, but while some others have been accepted, our objection against this competence was not" reports Helena Svatosova, a lawyer from IuRe. According to IuRe, the government document named "The enhancement of the communication system between financial institutions and state authorities" introduces since the fall of 2008 the intention to create a central evidence of financial institutions4 clients and their operations. The evidence would then be available to an unspecified range of public administration authorities. "In our opinion, it's very disturbing that despite the list of related agencies being rather long, there is no mention of the involvement of the Data Protection Office," interprets Helena Svatosova from IuRe who plans to keep an eye on this issue in the future. IuRe has notified both the Czech Data Protection Office and the Bank Association about the issue and asked them for their opinion. Data retention EU directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communication services has been implemented into the national legislation since the beginning of 2006. In November 2007, Minister of Industry and Trade Martin Rmman proposed an amendment which would allow the secret service and the military intelligence a direct access to those data. Although he has abandoned the idea under the pressure from the media and politicians, intelligence services gained access through the "backdoor" in the new Police Law. There is a legal proceeding submitted by Ireland (suported by Slovakia) going on against the directive at the European Court of Justice, as well as at both Hungarian and German constitutional courts. IuRe has also been preparing the trial of the "data retention" provision of a law in respect of its constitutionality and compliance with human-right obligations of the Czech Republic; the plan is to approach lawmakers with the proposal for an annulment of a part of the law, and gather enough support to submit the proposal to the Czech Constitutional Court. Video surveillance The volume of CCTVs has been on a sharp increase in recent years. However, the Czech legislation has not reflected this development in any way. In December last year the Government Council for Human Rights accepted a proposal of a Committee for Civil and Political Rights. The proposal has been initiated by IuRe and aims at introducing a conceptual regulation of CCTV4s usage in public. IuRe has emphasised the necessity of such an adjustment for several years. "Thus, the resolution of Council of Government is a significant achievement of our campaign, which leads to a more transparent usage of CCTV systems regulated by strict rules," declared Filip Pospmsil from IuRe. The proposal should allow private persons to use CCTV only in order to protect their own property and family; public authorities should be allowed to make a record only in the public interest and only for purposes defined by the law. The proposal should also prevent the excessive personal data processing and stipulate a duty of the CCTV owner to inform about the CCTV surveillance within its range. The aim of the proposal is also to strictly regulate the retention of records, as well as the duty to clearly state and document the exact purpose of each CCTV installation by the police or another security agency. IuRe has already tried to pursue the legal regulation of CCTV through the Police law approved in June 2008 with the help of MP Katerina Jacques. Minister of Interior Ivan Langer has rejected the proposal, but has promised that his ministry will, in cooperation with the MP and Czech Data Protection Office, prepare amendments of the Act on Personal Data Protection containing proposed amendments. Negotiations are still ongoing with IuRe participating. Passengers Name Records (PNR) Passengers Name Records (PNR), the database of information about airline passengers has originally been used only by the aviation companies. But after the 9/11, the American Security Authorities have started making pressure on aviation companies to provide the detailed data of their passengers. This practice did not have a legal ground in most countries and the agreement between EU and the USA was found illegal by the European Court of Justice. The provisional agreement, built on the same illegal base in summer 2007, was called back from negotiations in the Czech Parliament by Foreign Affairs Minister after IuRe had sent a letter to MPs raising concerns against the approval of the agreement. After difficult negotiations, the EU came up with a new agreement on PNR data exchange with the USA in June 2007. In the Czech Republic the proposal of the agreement has not gone through an ordinary legislative process and only the Data Protection Office expressed its opinion: the proposal brings a deterioration of personal data protection level against previous agreements, as US authorities will acquire access to personal data of people without guaranteeing basic rights.( for example the right of correcting of false statements, etc.) IuRe has also approached a number of parliamentarians expressing concerns about the agreement and this resulted in the fact that the agreement did not obtain the support of the Foreign Affairs committee of the Czech Parliament. Also the Senate Standing Commission for Privacy Protection expressed its negative position. IuRe believes that the Parliament will demonstrate its sovereign role and will not approve this agreement at the forthcoming session. This article has been written as a part of the "Reclaim Your Rights in the Digital Age" project supported by the Trust for Civil Society in Central and Eastern Europe Foundation. (contribution by EDRi-member Iuridicum Remedium- Czech Republic) ============================================================ 12. Recommended Action ============================================================ Announcement of the second Privacy Open Space Conference in Berlin, 1-3 April 2009. After the successful finish of the first year of the EU-funded project Privacy Open Space (PrivacyOS) the project starts the New Year with the announcement of the Second PrivacyOS Conference. As the first PrivacyOS Conference in October 2008 in the European Parliament in Strasbourg was co-located with the International Conference of Privacy and Data Protection Commissioners, also the second PrivacyOS Conference will be held alongside with "re:publica", a conference to establish collective interfaces with other EU projects as well as national and international networks. After the positive feedback on the first conference, the second PrivacyOS Conference will also follow the Open Space approach and therefore invites all participants to bring topics to the agenda. "It leaves room for spontaneous creation of new workshops during the conference which reflects the dynamics of the discussion among participants" says Jan Schallabvck, the project Manager of PrivacyOS. "Only a set of timeslots is predefined. The topics for each of the slots are introduced and moderated by the participants themselves." This approach ensures that all topics relevant to the participants are included and that fields of common interest can be detected and worked on, while taking into account different perspectives across Europe and beyond. The second PrivacyOS Conference will focus on "Enabling Privacy on the Web". Visitors of the "re:publica" are invited to partly join the Open Space slots and to discuss with the PrivacyOS Project Partners about privacy issues or their experiences on this field. Thereby, an opportunity to articulate and exchange best practices, challenges and solutions is given. The conference primarily addresses legal and technical IT experts, interested manufacturers of IT products or services as well as data protection authorities. All persons interested in privacy or data protection aspects are welcome to register for the event. Project website http://www.privacyos.eu/ . Invitation PrivacyOS - Berlin https://www.privacyos.eu/images/111_PrivacyOS_Invitation_Berlin.pdf ============================================================ 13. Recommended Reading ============================================================ Report: The Abolition of Freedom Act 2009 This UCL SHRP research report, edited by the Guardian's Liberty Central columnist Henry Porter, was complied for The Convention on Modern Liberty on 28 February and marks the beginning of a research project that seeks to reflect on legislation since the Human Rights Act 1998 and the unintended consequences it has had on rights and liberties in the UK. http://www.uclshrp.com/exchange/report_the_abolition_of_freedom_act_2009/ http://www.uclshrp.com/images/uploads/pdf/Abolition_of_Freedom_Act_2009.pdf The Article 29 Working Party - 69th plenary session - Search Engines (10-11.02.2009) http://ec.europa.eu/justice_home/fsj/privacy/news/docs/pr_12_02_09_en.pdf The Article 29 Working Party - 69th plenary session - Press Release (11.02.2009) http://ec.europa.eu/justice_home/fsj/privacy/news/docs/pr_11_02_09_final_en.... ============================================================ 14. Agenda ============================================================ 18-20 March 2009, Prague, Czech Republic The Responsibilities of Content Providers and Users http://www.media-conference.cz 18-20 March 2009, Athens, Greece WebSci'09: Society On-Line http://www.websci09.org/ 23 March 2009, Berlin, Germany German-French Experts Meeting on Technologies for Electronic Identification http://www.e-identify-df.de/ 26-27 March 2009, London, UK 5th Communia Workshop: Accessing, Using, Reusing Public Sector Content and Data http://www.communia-project.eu/ws05 27-29 March 2009, Manchester, UK Oekonux Conference: Free Software and Beyond The World of Peer Production http://www.oekonux-conference.org/ 28 March 2009, London, UK Open Knowledge Conference (OKCon) 2009 http://www.okfn.org/okcon/ 29-31 March 2009, Edinburgh, UK Governance Of New Technologies: The Transformation Of Medicine, Information Technology And Intellectual Property - An International Interdisciplinary Conference http://www.law.ed.ac.uk/ahrc/conference09/ 1-3 April 2009, Berlin, Germany re:publica 2009 "Shift happens" http://www.re-publica.de/09/ Subconference: 2nd European Privacy Open Space http://www.privacyos.eu/ 4 April 2009, Paris, France French 2009 Big Brother Awards http://bigbrotherawards.eu.org/ 21-23 April 2009, Winchester, UK BILETA 2009 Annual Conference Call for Papers by 28 February 2009 http://www.winchester.ac.uk/?page=9871 11 May 2009, Brussels, Belgium GigaNet is organizing the 2nd international academic workshop on Global Internet Governance: An Interdisciplinary Research Field in Construction. Deadline for abstracts submissions is 20 March 2009. http://giganet.igloogroups.org/publiclibr/giganetcos/2009brusse 13-14 May 2009 Uppsala, Sweden Mashing-up Culture: The Rise of User-generated Content http://www.counter2010.org/workshop_call 24-28 May 2009, Venice, Italy ICIMP 2009, The Fourth International Conference on Internet Monitoring and Protection http://www.iaria.org/conferences2009/ICIMP09.html 1-4 June 2009, Washington, DC, USA Computers Freedom and Privacy 2009 http://www.cfp2009.org/ 5 June 2009, London, UK The Second Multidisciplinary Workshop on Identity in the Information Society (IDIS 09): "Identity and the Impact of Technology" Call for papers deadline: 13 March 2009 http://is2.lse.ac.uk/idis/2009/ 28-30 June 2009, Torino, Italy COMMUNIA Conference 2009: Global Science & Economics of Knowledge-Sharing Institutions Call for papers deadline: 1 March 2009 http://www.communia-project.eu/conf2009 2-3 July 2009, Padova, Italy 3rd FLOSS International Workshop on Free/Libre Open Source Software Paper submission by 31 March 2009 http://www.decon.unipd.it/personale/curri/manenti/floss/floss09.html 13-16 August 2009, Vierhouten, The Netherlands Hacking at Random http://www.har2009.org/ 23-27 August 2009, Milan, Italy World Library and Information Congress: 75th IFLA General Conference and Council: "Libraries create futures: Building on cultural heritage" http://www.ifla.org/IV/ifla75/index.htm 10-12 September 2009, Potsdam, Germany 5th ECPR General Conference, Potsdam Section: Protest Politics Panel: The Contentious Politics of Intellectual Property http://www.ecpr.org.uk/potsdam/default.asp 16-18 September 2009, Crete, Greece World Summit on the Knowledge Society WSKS 2009 http://www.open-knowledge-society.org/ October 2009, Istanbul, Turkey eChallenges 2009 Call for papers by 27 February 2009 http://www.echallenges.org/e2009/default.asp?page=c4p 16 October 2009, Bielefeld, Germany 10th German Big Brother Awards Deadlinea for nominations: 15 July 2009 http://www.bigbrotherawards.de/ 15-18 November 2009, Sharm El Sheikh, Egypt UN Internet Governance Forum http://www.intgovforum.org/ ============================================================ 15. About ============================================================ EDRI-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRI has 29 members based or with offices in 18 different countries in Europe. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRI-grams. All contributions, suggestions for content, corrections or agenda-tips are most welcome. Errors are corrected as soon as possible and visibly on the EDRI website. Except where otherwise noted, this newsletter is licensed under the Creative Commons Attribution 3.0 License. See the full text at http://creativecommons.org/licenses/by/3.0/ Newsletter editor: Bogdan Manolea <edrigram@edri.org> Information about EDRI and its members: http://www.edri.org/ European Digital Rights needs your help in upholding digital rights in the EU. If you wish to help us promote digital rights, please consider making a private donation. http://www.edri.org/about/sponsoring - EDRI-gram subscription information subscribe by e-mail To: edri-news-request@edri.org Subject: subscribe You will receive an automated e-mail asking to confirm your request. unsubscribe by e-mail To: edri-news-request@edri.org Subject: unsubscribe - EDRI-gram in Macedonian EDRI-gram is also available partly in Macedonian, with delay. Translations are provided by Metamorphosis http://www.metamorphosis.org.mk/edrigram-mk.php - EDRI-gram in German EDRI-gram is also available in German, with delay. Translations are provided Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for Internet Users http://www.unwatched.org/ - Newsletter archive Back issues are available at: http://www.edri.org/edrigram - Help Please ask <edrigram@edri.org> if you have any problems with subscribing or unsubscribing. ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE