============================================================ EDRi-gram biweekly newsletter about digital civil rights in Europe Number 7.13, 1 July 2009 ============================================================ Contents ============================================================ 1. Article 29 Working Party on online social networking 2. Rapidshare forced by the court to filter more than 5000 tracks 3. Judge unbiased, no retrial for The Pirate Bay 4. 'Right to the silence of the chips' in the new EC Communication 5. Norway will not chase file-sharers 6. France: No to new EDVIGE! 7. Swedish court: IP addresses are personal data 8. The French Government acts like a bulldog with its three strikes law 9. ENDitorial: EU DP - state of the play, potential for enhancements 10. Recommended Reading 11. Agenda 12. About ============================================================ 1. Article 29 Working Party on online social networking ============================================================ Article 29 Working Party issued on 22 June 2009 an opinion on how European privacy laws affect social networking sites such as Facebook or Myspace. The opinion states the social networking sites should be responsible for the compliance to European privacy laws and, on the other hand, that users of such sites should upload pictures or information about other individuals only with the consent of the respective individuals. Presently, social networking users share pictures and tag friends' images without requiring a prior consent and generally, communicate publicly, placing their own and others' private information on shared "walls". The Data Protection Authorities recommend that users are given the opt out choice and are warned of the privacy risks and on the personal data that is being made available to others. The opinion says that "the homepage should contain a link to a complaint facility covering data protection issues for both members and non-members". The group also draws attention to the processing of personal data on the Internet for commercial purposes, recommending that before using the collected data aimed for personalised advertisements, the sites should obtain the prior consent of the respective users. Data on sensitive topics such as race, religion or sexual orientation should not be processed or passed on to advertisers and individuals should be allowed to adopt a pseudonym. Special attention should be given to the processing of the minors' personal data. This is an opinion that has been lately supported by the European Commission which has announced future strong measures to regulate online tailored ads. The opinion also advises imposing limits on retaining the data of inactive users believing that abandoned accounts, together with their accompanying data, should be deleted. The Article 29 Working Party's opinion is based on the principle that social networking websites must be subject to the EU Data Protection Directive even when their headquarters are outside the European Union space. The group interprets the definition of "data controller" as covering the service providers who, therefore, must adhere to privacy laws. Although an exception is made for personal or "household" users, when users broadcast or gather information very widely via such sites, they become data controllers themselves which could affect users who organise concerts, human rights letter-writing campaigns or try to sell a homemade product online. The recommendations are not binding but show the trend in the legislative measures that might be taken in the future at the national as well as EU level. The group has focused lately on privacy issues related to search engines and its initiatives have led to actions in this direction. The big search engines such as Google, Microsoft and Yahoo!, have been pressed to reduce the retention period of data collected from their users. The opinion has implications on the way the responsibility of social networks themselves is seen in carrying images and information that could breach protecting privacy and security rules. The European Commission has lately focused more on protecting citizens and consumers' privacy and social networking websites are considered potentially dangerous for inexpert users. Information Society Commissioner Viviane Reding has shown her support to this line of action and has kept pushing the major players in this field in adopting a code of conduct meant to protect young users, threatening to otherwise take further action to protect privacy. Article 29 Data Protection Working Party - Opinion 5/2009 on online social networking (12.06.2009) English http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2009/wp163_en.pdf German version http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2009_de.htm French version http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2009_fr.htm EU data monitors outline Facebook ground rules (25.06.2009) http://euobserver.com/9/28370/?rk=1 EU privacy regulators eye online social networks (25.06.2009) http://www.euractiv.com/en/infosociety/eu-privacy-regulators-eye-online-soci... Citizens' privacy must become priority in digital age, says EU Commissioner Reding (14.04.2009) http://europa.eu/rapid/pressReleasesAction.do?reference=IP/09/571&format=HTML&aged=0&language=EN&guiLanguage=en EDRI-gram: Behavioural targeting at the European Consumer Summit (8.04.2009) http://www.edri.org/edri-gram/number7.7/behavoural-target-eu-consumers ============================================================ 2. Rapidshare forced by the court to filter more than 5000 tracks ============================================================ The file-sharing site Rapidshare.de has recently lost another case to the German copyright society GEMA, being ordered by the Regional Court in Hamburg to "proactively filter" more than 5000 tracks from GEMA's catalogue. In January 2008, another regional court in D|sseldorf had already found that RapidShare was responsible for what its users uploaded to the service. Hence, RapidShare implemented a screening process and maintained hashes of files that were pulled down for infringement but GEMA was not contented with this and went back to court. GEMA created a software that can search web forums and extract links to content that seem to infringe GEMA's copyrights but Rapidshare complained that the software did not work. "It's questionable whether the application can deal with mechanisms to prevent the scraping of links, open encrypted files, accurately identify audio files or find links in forums that can't be accessed by search engines," said Rapidshare CEO Bobby Chang. In October 2008, the court decided the systems implemented by Rapidshare were not efficient enough considering that "a business model that doesn't use common methods of prevention cannot claim the protection of the law." "The judgment states that the hosting service itself is now responsible for making sure that none of the music tracks concerned are distributed via its platform in the future. (...) This means that the copyright holder is no longer required to perform the ongoing and complex checks," was GEMA's statement. The decision may imply that, in the future, user-generated content sites located in Germany will need to take proactive, efficient measures to screen copyrighted material. "We do not consider the court's decision to be a breakthrough," said Chang, who added: "As other proceedings in similar disputes with GEMA have shown, there is considerable disparity amongst the individual courts in some cases. Our experience is that the courts of appeal tend to restrict the scope of the decisions made by the lower courts." Rapidshare has announced that they would appeal the verdict. Rapidshare to appeal German court decision (29.06.2009) http://www.afterdawn.com/news/archive/18325.cfm Rapidshare stung with 24m fine (24.06.2009) http://www.theregister.co.uk/2009/06/24/rapidshare_gema/ German Court Orders RapidShare to Proactively Filter Songs (23.06.2009) http://www.dmwmedia.com/news/2009/06/23/german-court-orders-rapidshare-proac... Achtung! RapidShare ordered to filter all user uploads (24.06.2009) http://arstechnica.com/tech-policy/news/2009/06/achtung-rapidshare-hit-with-... EDRI-gram: RapidShare needs to check every file for copyright infringement (8.10.2008) http://www.edri.org/edrigram/number6.19/rapidshare-hamburg-decision ============================================================ 3. Judge unbiased, no retrial for The Pirate Bay ============================================================ On 25 June 2009, Sweden's Court of Appeal ruled that judge Norstrvm in The Pirate Bay (TPB) case was not biased as the lawyers representing TPB founders had claimed. Therefore there will be no retrial for TPB in Stockholm District Court. The TPB lawyers had accused Norstrvm of being in a conflict of interests as he was a member of several organizations funded by the recording industry organization IFPI. The Court of Appeal acknowledged that the judge was a member of organisations acting in the interests of rights holders, but emphasized that copyright holders benefited of constitutional protection under the Swedish law. "We have reached the conclusion that we do not agree with the conflict of interest claim," said appeals court judge Anders Eka to news agency TT. "For a judge to back the principles on which this legislation rests cannot be considered bias," said the court ruling. The court criticised Norstrvm for not having stated, before the trial, that he was a member of those organizations but considered this was not sufficient reason to declare the district court verdict null and void. "This is part of a pattern. It shows that the Swedish legal system is no longer to be trusted when it comes to copyright cases. It's a travesty of justice quite simply", commented newly elected European Parliament member Christian Engstrvm of the Swedish Pirate Party who added: "There are certainly problems with the laws too but this also shows that the courts are not capable of applying the laws in a correct manner. I've been a lay judge for seven years and I've never seen an indictment as bad as the Pirate Bay verdict. But that didn't stop the court from setting ridiculous sentences." The Pirate Bay defendants can still appeal the results of the first trial. One of them, Peter Sunde has stated: "The Pirate Bay will now file charges against Sweden for violation for Human Rights. ... (The bias-judge is himself biased...)". The Pirate Bay faces now another legal case brought to court by the Dutch anti-piracy organization BREIN which wants to close the file-sharing site in the Netherlands and see three of TPB founders to court on 21 July. As the organization was unable to find the exact whereabouts of the three men, it used Twitter and Facebook social networking websites to deliver the court summons. "The internet works both for those who respect copyrights and those who violate them. Now they know that the hearing will take place on July 21st in Amsterdam," said BREIN CEO Tim Kuik. However, it remains to be seen whether the summoned founders will show up. Neij who is living in Bangkok, Thailand, claimed he had seen no summons on the respective sites. "I have Twitter and Facebook accounts, but I haven't seen anything about it," he told the TT news agency. In a recent announcement posted by Thelocal.se on 30 June 2009, said that The PirateBay "is set to be purchased for 60 million crowns (approx. $5.55 million euros) by Global Gaming Factory X (GGF), a company specializing in internet cafi management software." GGF said in its statement that it wanted content providers and copyright owners to get paid for content downloaded. TPB has confirmed on their blog that they might get aquired by the above mentioned company. No retrial in Pirate Bay case (25.06.2009) http://www.thelocal.se/20280/20090625/ Dutch Antipiracy Organization Takes Aim at Pirate Bay (24.06.2009) http://www.pcworld.com/article/167273/dutch_antipiracy_organization_takes_ai... Pirate Bay served with Dutch lawsuit via Twitter and Facebook (24.06.2009) http://www.thelocal.se/20244/20090624/ Pirate Bay retrial denied; judge declared "unbiased"(25.06.2009) http://arstechnica.com/tech-policy/news/2009/06/pirate-bay-retrial-denied-ju... Swedish IT company to buy Pirate Bay (30.06.2009) http://www.thelocal.se/20364/20090630/ ============================================================ 4. 'Right to the silence of the chips' in the new EC Communication ============================================================ A new communication from the European Commission to the other European bodies on the RFID (radio-frequency identification) titled "Internet of Things - An action plan for Europe" was made public on 18 June 2009. The communication builds on the work of the Recommendation on the use of RFID published on 12 May 2009 after a fifteen-month period of consultations. The communication includes a 14-point action plan to address the main issues raised from the RFID usage as discussed in the working group and in the consultation period. One of the most important action point is the launch of "a debate on the technical and legal aspects of the 'right to silence of the chips', which has been referred to under different names by different authors and expresses the idea that individuals should be able to disconnect from their networked environment at any time." This is one of the main actions of the plan in order to allow the usage of the RFID while respecting privacy and the protection of personal data, two fundamental rights of the EU. The communication underlines that these rights will have an influence on how the Internet of Things is conceived but, at the same time, its development will affect the way we understand privacy. The European Commission also announced that in 2010 it intends to publish a broader Communication on privacy and trust in the ubiquitous information society. The Communication makes it clear that "simply leaving the development of Internet of Things to the private sector, and possibly to other world regions is not a sensible option." Thus, the concept of governance of the RFID usage will be initiated and promoted by the Commission in international fora in order to establish a set of principles and to set up an "architecture" with a sufficient level of decentralised management. Communication from the Commission to the European Parliament: Internet of Things - An action plan for Europe (18.06.2009) http://ec.europa.eu/information_society/policy/rfid/documents/commiot2009.pd... EU lays out plans for the "internet of things" (18.06.2009) http://www.v3.co.uk/computing/news/2244448/eu-prepares-mass-rfid EDRi-gram: RFID and Informed Consent - Using and removing of RFID functionality (5.12.2007) http://www.edri.org/edrigram/number5.23/rfid-informed-consent EDRi-gram: EU supports RFID with proper protection of consumers' privacy (20.05.2009) http://www.edri.org/edri-gram/number7.10/rfid-european-commission-recommanda... ============================================================ 5. Norway will not chase file-sharers ============================================================ The Norwegian data protection authority has decided that ISPs had to delete all IP address-related data just 3 weeks after collection, a decision that will make difficult to chase file-sharers. The regulator started with two ISPs, Tele2 and Lyse Tele but the decision, subject by the Personal Data Act, will apply to all ISPs in Norway. As Norway is not a member of the European Union, it is not bound to comply to the European data retention directive which says that this type of data must be held for at least 6 months. In Norway, now, data retention can go from a few days to five months. The Norwegian telecom regulator has also recently ruled that the identity of file-sharers can be disclosed to copyright holders only by court order. And to make things even tougher for copyright holders, Simonsen law firm, the only legal company having had a licence to track file-sharers, has seen it expire with no renewal provided. Simonsen has had the licence since 2006 having been enabled to monitor alleged pirates and collect their IP addresses. The licence was however temporary and it won't be renewed due to the very little debate on the matter. Data protection authorities have requested legislative clarification on what the license can and cannot do, but have not received the requested information from the competent authorities. Simonsen lawyer Espen Txndel said that his law firm would object against the non-renewal of their license. "One can not deny (the copyright holders) their right to protect their interests in this way," he said. Anti-Piracy Lawyers Lose License To Chase Pirates (22.06.2009) http://torrentfreak.com/anti-piracy-lawyers-loses-license-to-chase-pirates-0... Data Protection Makes Identifying Online Pirates a Nightmare (10.06.2009) http://torrentfreak.com/data-protection-makes-identifying-online-pirates-a-n... Norway organises the immunity of P2Ps (only in French, 25.06.2009) http://www.numerama.com/magazine/13272-La-Norvege-organise-l-immunite-de-ses... Anti-Piracy Lawyers Thwarted in Norway (23.06.2009) http://www.tomsguide.com/us/Anti-Piracy-Twarted-Lawyers-License,news-4114.ht... ============================================================ 6. France: No to new EDVIGE! ============================================================ A text of a draft law on Police Files initiated by the two French deputies Delphine Batho and Jacques-Alain Binisti has been approved by the Laws Commission of the National Assembly. The draft law contains a new form of the EDVIGE file, nicknamed now EDVIGE 3.0. EDVIGE was a new database created in June 2008 with the purpose of filing "individuals, groups, organisations and moral persons which, due to their individual or collective activity, are likely to attempt to public order". Not only these persons will be filed (without any offence committed), but also "those who undertake or have undertaken direct and non fortuitous relations with them." Filing was supposed to start at age 13 and the database would be used by French intelligence services and the administrative police. Following a massive civil society protest, the database was initially revised into EDVIRSP (or so-called EDVIGE 2.0) and then withdrawn in December 2008. Although it makes some significant progress, the text of the new law is still not good enough in respecting the human rights, as underlined by a common press release of several unions and civil society groups, among which the EDRi-member IRIS. One of the major concerns that the press release highlights is the generic global tendency that wants to extend the methods and tools used for serious crimes and terrorism acts to the "small delinquency". The main step forward is that according to the new text every new Police file needs to be stipulated by law. At the same time the "No to EDVIGE" group considers that the law should go much further, including a better democratic character of the CNIL (French Data Protection) by the inclusion of some members proposed by the human rights activists. Also, the new draft laws which receive a negative opinion from the CNIL should get an opinion from the State Council (Conseil d'Itat) and all these opinions need to be made public. The new law proposal also includes new provisions for EDVIGE 3.0 which is still covers all the children above13 years old. But this proposal goes even further than the two earlier versions. The definitions suggested in the new draft proposal introduce dangerous provisions. Thus, the very large definitions of the attacks on the people's security or goods cover activities of the police which are already supported by other existing databases. The "No to EDVIGE" group asks for a limitation of the acts of attacks to the State security and public security committed with violence. Also the new file should not include minors. The French organisations also criticized the qualification given to other files, such as STIC (Systhme de traitement des infractions constaties - Recorded offences treatment system), a huge police database, which records also data on minors, without any age limitation. Law proposal on Police Files: EDVIGE 3.0, still NO (only in French, 19.06.2009) http://www.iris.sgdg.org/info-debat/comm-fichierspolice0609.html Law proposal on Police Files (only in French, 7.05.2009) http://www.assemblee-nationale.fr/13/propositions/pion1659.asp The deputies want to frame the creation of police files (only in French, 18.06.2009) http://www.lesechos.fr/info/france/4876857-les-deputes-veulent-encadrer-la-c... EDRi-gram: ENDitorial: Massive mobilization against EDVIGE, the new French database (16.07.2008) http://www.edri.org/edrigram/number6.14/edvige-french-database EDRi-gram: French EDVIGE decree withdrawn (4.12.2008) http://www.edri.org/edri-gram/number6.23/edvige-retired ============================================================ 7. Swedish court: IP addresses are personal data ============================================================ The Swedish Supreme Administrative Court ruled on 18 June that the IP addresses are personal data in a case regarding APB (the Swedish Anti-Piracy Bureau, Antipiratbyren), a lobby group representing copyright owners. However, from the comments following the judgement, it became clear that this ruling will not stop the implementation of the Swedish IPRED Directive or the way the copyright holder representatives record and keep IP addresses in order to identify alleged file-shares. Although the ruling means that APB's methods for chasing filesharers by logging their IP addresses was in violation of the Personal Data Act, the new IPRED law changed the situation. A policy adviser at the Swedish Ministry of Justice explained to The Register: "The rumours that this decision will kill off IPRED are wrong, because the bill creating the law includes an exemption for rights holders - they may request and keep IP numbers for this purpose." Jonas Agnvall, a legal adviser with the Swedish Data Inspection Board, says that the new IPRED law specifically allows the activities of IP logging of the APB: "I have not scrutinised the directive in detail, but as I understand do they no longer need the legal exception whit the implementation of the IPRED-law", Jonas Agnvall says to Computer Sweden. He also added: "During the autumn we will inquire this and how these lobby groups of copyright holders use the personal records. This we can do now when it stands clear that IP addresses' really are personal records". A week later, on the 25 June 2009, a first ruling on the new IPRED law was given by the Solna District Court which decided that an ISP must hand information revealing its customers based on the IP addresses given by five publishers of audiobooks who were trying to identify some alleged copyright offenders. In this case, the Swedish broadband service provider Ephone was asked by the five publishers to reveal who owned a server suspected of containing some several hundred audio book titles. The ISP refused to say who was behind the IP address, questioning if the matter was indeed a copyright infringement since the FTP server was not publicly available and the access to it was possible only to the persons that knew the password to access it. In the decision of the Solna District Court, the judges ordered Ephone to reveal the information regarding the customers that are using several IP addresses under a penalty of 750 000 Swedish crowns fine (approx. 70 000 euros). The company also needed to pay the publishers' court costs. Collecting IP Addresses Illegal in Sweden (18.06.2009) http://torrentfreak.com/collecting-ip-addresses-illegal-sweden-090618/ Favorable court ruling do not save file-sharing (18.06.2009) http://www.stockholmnews.com/more.aspx?NID=3440 Sweden: IP numbers are personal...unless you're a pirate (18.06.2009) http://www.theregister.co.uk/2009/06/18/sweden_ip_law/ Publishers win anti-piracy law test case (25.06.2009) http://www.thelocal.se/20274/20090625/ First IPRED case settled (only in Swedish, 25.06.2009) http://www.svd.se/naringsliv/it/artikel_3115633.svd ============================================================ 8. The French Government acts like a bulldog with its three strikes law ============================================================ Nicolas Sarkozy and the French Government want to go on with the new three strikes draft law (called also Hadopi 2) which was presented to the Council of Ministers on 24 June 2009. The emergency procedure has been initiated and therefore the two chambers will have only one reading for the text. The new text will be first presented to the Senate on 8 and 9 July to be further on examined by the deputies, presumably starting with 22 July. The draft law including now five articles stipulates, besides the disconnection of the alleged infringer which has to be decided by the court, fines that can amount to 1 500 euros or 3 000 euros in case of repeated offences. The new version has reintroduced an extension previously rejected by the deputies in the first text: a user can be condemned not only for "piracy" through an online public communication service, but also for "piracy" by any electronic communication means. This means that the judges will be able to sanction "piracy" that was performed also by instant messaging services or e-mails. And, in order to soften the censure imposed by the Constitutional Council, the new text introduces a legal instrument that would allow the justice system to use simplified procedures in applying sanctions "against the authors of illegal downloading. A fast and efficient treatment of the cases will thus be ensured by means of penal ordinances". So, the court can decide, by penal ordinance, to condemn an alleged infringer to pay a fine in his absence. The text thus includes "Internet piracy" on the same list of infringements with the use of hallucinogenic drugs or violations of the traffic code. The infringement is established by Hadopi authority officers who then notify the police. Their reports are considered "truthful until proven otherwise" which actually implies there is no presumption of innocence. Unfortunately, the Constitutional Court seems to have left an open door for the culpability presumption by saying that the legislator can exceptionally establish such presumptions under certain conditions such as the respect of the defense right. The file is then sent to the public ministry which can choose the simplified procedure and sends it to the president of the court who establishes without prior debate a penal ordinance applying or not a fine. The subject of the fine is never heard. The procedure gives the court president the possibility to ask for a contradictory debate in which case the file is sent back to the public ministry. The penal ordinance is given by a sole judge, which is the president of the court and includes the names and coordinates of the alleged infringer, the date and place of the alleged infringement and the sanctions. The sanctions are then carried out by the public ministry within a period of 10 days. The user can make an appeal within 45 days and present himself in front of a magistrate for a new judgment but the risk is that, in case the user is found guilty, the sanction can be aggravated up to a maximum of 3 years in prison and 300 000 euros of fine. Actually, the new text introduces the three-strikes in an even harder version: warning, fine and then disconnection. The only improvement is that the disconnection can be decided only by the court and that is also shadowed by the simplified procedure allowing for the penal ordinance. Hadopi 2 starting on 8 July in the Senate (only in French, 26.06.2009) http://www.numerama.com/magazine/13283-Hadopi-2-des-le-8-juillet-au-Senat.ht... Hadopi 2: the surveillance of e-mails is back (only in French, 25.06.2009) http://www.numerama.com/magazine/13273-Hadopi-2-la-surveillance-des-e-mails-... Fine for illegal downloading, how does it work ? (only in French, 25.06.2009) http://www.01net.com/editorial/503828/amende-pour-telechargement-illegal-com... Hadopi: and now, the fines... (MAJ) (only in French, 24.06.2009) http://www.01net.com/editorial/503668/hadopi-et-maintenant-les-amendes-(maj)... Draft law on the legal protection of literary and artistic copyright on the Internet (only in French, 29.06.2009) http://www.legifrance.gouv.fr/html/actualite/actualite_legislative/pl_protec... The French Constitutional Council censures the 3 strikes law (17.06.2009) http://www.edri.org/edri-gram/number7.12/3-strikes-censured-council-constitu... ============================================================ 9. ENDitorial: EU DP - state of the play, potential for enhancements ============================================================ With the title "Personal data - more use, more protection?" the European Commission organised on 19 and 20 May 2009 a data protection (DP) conference in Brussels. The purpose of the conference was to look for new challenges for privacy and to kick off a process towards a new quality of data protection for the European Union. On invitation of the European Commission, Andreas Krisch participated on behalf of EDRi. The topics of the one and a half day conference included a wide range of areas related to data protection. Amongst them: data protection in the area of law enforcement, data retention, the role of businesses as well as supervisory authorities and consumer protection. Following the presentations on data retention by Kurt Alavaara (National Police Board, Sweden) and Francis Stoliaroff (Ministry of Justice, France) a long debate on the legitimacy of the data retention directive took place. Spiros Simits (Goethe-University Frankfurt am Main) argued that data retention not only is in violation of fundamental rights and against the German constitution but also violates the fundamental principles of data protection, especially the principle of purpose limitation. Panellist Douwe Korff (London Metropolitan University) concured by saying that for vague purpose specifications the interpretation is different in the member states. While some countries differentiate between the purposes of prevention and prosecution of crimes others simply subsume these with the term "police purposes" with huge implications regarding the access to retained data. Furthermore, he made clear that communication traffic data is personal data. Finally Waltraud Kotschy (Austrian Data Protection Commission) joined the discussion and stated that, in her view, it will be impossible to keep the access to retained data restricted to cases of terrorism and organised crime. Already now there are discussions in Austria on access to data for purposes of copyright enforcement. These and similar discussions will gain momentum once data retention is in place. For all presentations and discussions of the first day of the conference a webcast of 15 minutes of discussion with English, German and French translations is available on the EC website and definitely worth viewing. The role of business and personal data protection was the title of my presentation. Starting with a general overview of commercial data collection on shopping and communication habits, financial, location and movement information, I argued that in many cases commercial data collection leads to the use of these data by the state. Examples for this include but are not limited to the SWIFT case where US authorities accessed data on EU financial transactions, PNR data where the EU grants the US access to passenger information and plans to access these data as well, and the mandatory data retention where EU member states retain and access data on communications of 490 million people. Given these practices, the significance of commercial data collection cannot be overestimated and the 1983 ruling of the German Constitutional Court reasoning that "... an as such inconsequential date can get a new significance;" and that "insofar there is no 'inconsequential' date anymore under the conditions of modern data processing", has more relevance today than ever before. At the same time, we see significant weaknesses at the counterparts of these data controllers, the data protection authorities. On the one hand, they are often confronted with very limited financial and personal resources and therefore are also limited in their possibilities to enforce data protection legislation. On the other hand, we also see problematic decisions - or at least problematic reasoning - of data protection authorities (see Privacy International on the UK Information Commissioner). In addition, it is also clear that traditional means of oversight will be unable to cope with the immense increase of the amount of data being processed. Present means for individual data protection are also limited and often impose relatively high financial risks for legal procedures in combination with relatively little potential gains in individual cases. Improvements of data protection and data protection legislation can therefore be achieved by expanding the possibilities for individual data (self-)protection (e.g. easier and less risky legal procedures; evaluation of current practices regarding "informed consent" of data subjects), the introduction of mandatory data breach notifications and punitive damages on a per data basis in cases of data leaks. With regard to the area of Radio Frequency Identification and the Internet of Things it will be necessary to follow the developments carefully and to evaluate if current data protection concepts still provide sufficient means to address the data protection challenges introduced by these technologies. Additionally, positive measures need to be also taken. Tools and mechanisms that help businesses to prove and publicly communicate their compliance with data protection legislation, like the European Privacy Seal (EuroPriSe), should get a strong foundation in the European data protection legislation. The introduction of mandatory data protection officers for companies would not only help companies to establish data protection mechanisms in their organisations and to work internally on improvements but would also bring positive effects for the relationship between companies and their customers by providing a competent contact person for questions related to data protection. Finally, better educational information on data protection is needed to ensure that young people have access to relevant first hand information on data protection and their possibilities to protect their privacy. The future will show what this process towards a new quality of data protection for the European Union brings. For the time being, it is to say that the European Union has at least two faces when it comes to data protection. On the one hand, important steps towards data protection in the area of RFID and the Internet of Things are taken, but on the other hand, the planned Stockholm Programme on Justice and Home Affairs policy for the next five years describes the way towards a surveillance society in which the floods of the digital tsunami threaten to overwhelm the data protection rights of individuals in Europe. Conference "Personal data - more use, more protection?" (19-20.05.2009) http://ec.europa.eu/justice_home/news/events/news_events_en.htm#dp_conferenc... Conference Programme "Personal data - more use, more protection?"(19-20.05.2009) http://ec.europa.eu/justice_home/news/events/conference_dp_2009/programme_en... Webcast of the discussion on data retention (Simits, Korff, Kotschy and others) at the conference http://webcast.ec.europa.eu/eutv/portal/jsf/_vi_fl_300_en/player/index_player.html?id=7249&pId=7239&startTime=0&locale=en# Webcast of the presentation by Andreas Krisch "The Role of Business and Personal Data Protection" http://webcast.ec.europa.eu/eutv/portal/jsf/_vi_fl_300_en/player/index_player.html?id=7254&pId=7239&startTime=0&locale=en PI calls for review of UK privacy regulator following series of failed judgements (23.04.2009) http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-564402 European Privacy Seal (EuroPriSe) https://www.european-privacy-seal.eu/ EDRi-gram: Stockholm programme - the new EU dangerous surveillance system (17.06.2009) http://www.edri.org/edri-gram/number7.12/stockholm-programme-eu-surveillance EDRi-gram: EU supports RFID with proper protection of consumers' privacy (20.05.2009) http://www.edri.org/edri-gram/number7.10/rfid-european-commission-recommanda... EDRi-gram: 'Right to the silence of the chips' in the new EC Communication (1.07.2009) http://www.edri.org/edri-gram/number7.13/right-silence-of-the-chips (Contribution by Andreas Krisch - EDRi) ============================================================ 10. Recommended Reading ============================================================ Briefing on the Interception Modernisation Programme by the LSE Policy Engagement Network http://www.lse.ac.uk/collections/informationSystems/research/policyEngagemen... Deep Packet Inspection and Internet Censorship: International Convergence on an 'Integrated Technology of Control' http://advocacy.globalvoicesonline.org/wp-content/plugins/download-monitor/d... http://advocacy.globalvoicesonline.org/2009/06/25/study-deep-packet-inspecti... Final Report on the Content Online Platform http://ec.europa.eu/avpolicy/docs/other_actions/col_platform_report.pdf http://ec.europa.eu/avpolicy/other_actions/content_online/index_en.htm ============================================================ 11. Agenda ============================================================ 2-3 July 2009, Padova, Italy 3rd FLOSS International Workshop on Free/Libre Open Source Software http://www.decon.unipd.it/personale/curri/manenti/floss/floss09.html 6-7 July 2009, Barcelona, Spain Fifth Internet Law & Politics Conference organized by the Law and Political Science Department of the Universitat Oberta de Catalunya The Pros and Cons of Social Networking Sites. http://www.uoc.edu/symposia/idp2009/engl/index.html 13-16 August 2009, Vierhouten, The Netherlands Hacking at Random http://www.har2009.org/ 23-27 August 2009, Milan, Italy World Library and Information Congress: 75th IFLA General Conference and Council: "Libraries create futures: Building on cultural heritage" http://www.ifla.org/IV/ifla75/index.htm 10-12 September 2009, Potsdam, Germany 5th ECPR General Conference, Potsdam Section: Protest Politics Panel: The Contentious Politics of Intellectual Property http://www.ecpr.org.uk/potsdam/default.asp 16-18 September 2009, Crete, Greece World Summit on the Knowledge Society WSKS 2009 http://www.open-knowledge-society.org/ 17-18 September 2009, Amsterdam, Netherlands Gikii, A Workshop on Law, Technology and Popular Culture Institute for Information Law (IViR) - University of Amsterdam http://www.law.ed.ac.uk/ahrc/gikii/2009.asp 21-23 October 2009, Istanbul, Turkey eChallenges 2009 http://www.echallenges.org/e2009/default.asp 24-25 October 2009, Vienna, Austria 3rd European Privacy Open Space http://www.privacyos.eu 25 October 2009, Vienna, Austria Austrian Big Brother Awards Deadline for nominations: 21 September 2009 http://www.bigbrotherawards.at/ 16 October 2009, Bielefeld, Germany 10th German Big Brother Awards Deadline for nominations: 15 July 2009 http://www.bigbrotherawards.de/ 13-15 November 2009, Gothenburg, Sweden Free Society Conference and Nordic Summit http://www.fscons.org/ 15-18 November 2009, Sharm El Sheikh, Egypt UN Internet Governance Forum http://www.intgovforum.org/ ============================================================ 12. About ============================================================ EDRI-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRI has 29 members based or with offices in 18 different countries in Europe. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRI-grams. All contributions, suggestions for content, corrections or agenda-tips are most welcome. Errors are corrected as soon as possible and visibly on the EDRI website. Except where otherwise noted, this newsletter is licensed under the Creative Commons Attribution 3.0 License. See the full text at http://creativecommons.org/licenses/by/3.0/ Newsletter editor: Bogdan Manolea <edrigram@edri.org> Information about EDRI and its members: http://www.edri.org/ European Digital Rights needs your help in upholding digital rights in the EU. If you wish to help us promote digital rights, please consider making a private donation. http://www.edri.org/about/sponsoring - EDRI-gram subscription information subscribe by e-mail To: edri-news-request@edri.org Subject: subscribe You will receive an automated e-mail asking to confirm your request. unsubscribe by e-mail To: edri-news-request@edri.org Subject: unsubscribe - EDRI-gram in Macedonian EDRI-gram is also available partly in Macedonian, with delay. Translations are provided by Metamorphosis http://www.metamorphosis.org.mk/edrigram-mk.php - EDRI-gram in German EDRI-gram is also available in German, with delay. Translations are provided Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for Internet Users http://www.unwatched.org/ - Newsletter archive Back issues are available at: http://www.edri.org/edrigram - Help Please ask <edrigram@edri.org> if you have any problems with subscribing or unsubscribing. ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE