============================================================ EDRi-gram biweekly newsletter about digital civil rights in Europe Number 8.13, 30 June 2010 ============================================================ Contents ============================================================ 1. Data retention - time for evidence-based decision making 2. Same privacy concerns for the new SWIFT treaty 3. ACTA - new criminal sanctions for non-commercial copyright uses? 4. EP calls for a clear legal framework for the Internet of Things 5. Article 29 WP issues opinion on cookies in the new ePrivacy Directive 6. Increased pressure on Turkey to stop Internet blocking 7. Iceland - first steps for a new media haven 8. ENDitorial: Council of Europe draft Recommendation on Profiling 9. Recommended Action 10. Recommended Reading 11. Agenda 12. About ============================================================ 1. Data retention - time for evidence-based decision making ============================================================ In June 2010 the European Parliament adopted a farcical "written declaration" ostensibly on the creation of an "early warning system" to fight pedophiles. Funded by unknown sources, the MEPs in charge (Zaborska from the Czech Republic and Motti from Italy) put together the Declaration in order to promote the retention of communications data and the extension of this practice to "search engines". After tabling the declaration, a highly polished, American-style lobby campaign went into operation. The lobbying neatly avoided mentioning data retention in any of the associated printed materials, in any of the e-mails sent to MEPs and on the campaign's website. The MEPs involved and their staff harangued and harassed parliamentarians, even to the point of putting lobbying material on their desks in the Parliament's hemicycle itself - with the simple message of "sign to fight sexual harassment" using a picture of a vulnerable-looking child. Mainly as a result of the large number of parliamentarians that signed due to mistakenly trusting what they were told about the content of the declaration, it was adopted. The Declaration has now been sent to the European Commission, where Cecillia Malmstrvm, who vehemently opposed the Data Retention Directive in her previous job as a Member of the European Parliament, needs to decide how to respond. Having indicated in the Swedish press that such an approach would be disproportionate, there are reasons to be hopeful that her position will be firm and favourable to citizens' rights. To make Commissioner Malmstrom's task even easier, she took an oath in May of this year to respect the Charter of Fundamental Rights of the European Union. Unequivocal opposition to such extreme proposals is important, particularly at the moment. By the end of this week, the relevant Directorate-General of the Commission will have completed its first draft assessment of the Data Retention Directive, which will then be reviewed by the Commissioner. This will then be followed by a second round of drafting, consultation with the other parts of the Commission and adoption of the final report, probably in the second half of September. In the absence of evidence to suggest that data retention has served any useful purpose, it is to be hoped that the Commissioner will maintain her opposition to the Directive and propose appropriate and ambitious amendments, removing obligations on all Member States to impose long-term blanket data retention on all citizens. This process is all the more important as a result of developments in the Council of Europe, which will soon adopt its Recommendation on Profiling. The current and almost final version of that text lends credibility to Member States that wish to exploit retained data to assign "profiles" to innocent citizens. The Recommendation exempts Member States from having to apply three important chapters: on lawfulness, data quality and sensitive data. In 2008, a report prepared for the Council of Europe pointed out that registration of internet users is "likely to have a chilling effect not just on journalists but on any users that wish to access public or legal, but controversial materials." The implementation of profiling would make this serious chilling effect seem minor in comparison. Campaigning against the Data Retention Directive is already in full swing. More than 100 organisations (including EDRi) from 23 European countries asked last week EU Commissioners Malmstrvm, Reding and Kroes in a joint letter to "propose the repeal of the EU requirements regarding data retention in favour of a system of expedited preservation and targeted collection of traffic data". Among the signatories are civil liberties, data protection and human rights associations as well as crisis line and emergency call operators, professional associations of journalists, jurists and doctors, trade unions, consumer organisations and industry associations. Study undertaken for the Council of Europe on the effects of anti-terror legislation (11.2008) http://www.coe.int/t/dghl/standardsetting/media/Doc/SpeakingOfTerror_en.pdf Written declaration 29 website http://www.smile29.eu Oath sworn by Commissioners (3.05.2010) http://europa.eu/rapid/pressReleasesAction.do?reference=IP/10/487 Draft Council of Europe Recommendation on profiling (3.06.2010) http://www.coe.int/t/dghl/standardsetting/dataprotection/TPD%20documents/T-P... Data retention Directive http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:006... Malmstrom says no to Google Storage (only in Swedish, 28.06.2010) http://www.svd.se/nyheter/inrikes/malmstrom-sager-nej-till-googlelagring_492... Letter to Commissioner (22.06.2010) http://www.vorratsdatenspeicherung.de/images/DRletter_Malmstroem.pdf Civil society calls for an end to compulsory telecommunications data retention (28.06.2010) http://www.vorratsdatenspeicherung.de/content/view/370/79/lang,en/ (Contribution by Joe McNamee - EDRi) ============================================================ 2. Same privacy concerns for the new SWIFT treaty ============================================================ The agreement between the EU and USA on the transfer of bank data through SWIFT was signed on 28 June 2010 after the Spanish Presidency of the Council of Ministers has accepted some of the changes on the text proposed by MEPs, but with no significant improvements from the Agreement rejected by the European Parliament in February 2010. The text of the new SWIFT Agreement will now probably be rushed through the next European Parliament plenary session in Strasbourg (5-8 July). After the draft agreement was initiated by Commissioner Cecilia Malmstrvm on 10 June, MEPs asked for changes to the text concerning the bulk transfer of data, the creation of an EU counterpart to the US Terrorist Finance Tracking Programme (TFTP), and EU oversight of TFTP data-processing in the US. Unfortunately, the new adopted text still allows for bulk data transfers. The Parliament would have liked to replace bulk data with targeted searches carried out by an EU-based authority but according to MEP Birgit Sippel, "We cannot reduce the problem of bulk data for the moment as we do not have the technical capability." The retention period is still 5 years and there is no real system in place from the US on a binding legal redress. The US Privacy Act court clauses only apply to US citizens and legal residents. Therefore there is currently no right of judicial review for foreign citizens and residents (including EU) under the US law. Another key critique to the current text is the role of Europol that should authorize the data transfer requests from the US. Besides the fact that Europol is not a judicial authority, as requested by the European Parliament in May 2010 Resolution, the incentive from this agency to limit the amount of data being transferred is extremely reduced due to the fact that they can actually request data searches from the US. On 25 June, EDPS Peter Hustinx expressed his concerns related to the transfer of bulk amounts of bank data to the U.S. authorities and pointed out the key elements to be improved for data protection, especially as regarding data retention periods, enforceability of the citizens' data protection rights, judicial oversight and independent supervision. "I am fully aware that the fight against terrorism and terrorism financing may require restrictions to the right to the protection of personal data. However, in view of the intrusive nature of the draft agreement, which allows transfers of data in bulk to the US, the necessity of such scheme should first be unambiguously established, especially in relation to already existing instruments. Would this be the case, other key elements should however be improved in order to meet the conditions of the EU legal framework for data protection." As MEP Alexander Alvaro told EurActiv, in terms of the agreement, the European Commission will write a framework for the extraction of data on US soil in order to set up an EU equivalent to TFTP and in case after five years this is not in place, the Commission will have to renegotiate or terminate the present agreement. But the present text automatically extends for one more year if nothing happens. It does not have to be renewed, it just has to be actively terminated. EU, US sign SWIFT agreement (28.06.2010) http://www.europeanvoice.com:80/article/2010/06/eu,-us-sign-swift-agreement/... EU wins concessions on US bank data-sharing deal (25.06.2010) http://www.euractiv.com/en/justice/eu-wins-concessions-on-US-bank-data-shari... EU-US new draft agreement on financial data transfers: EDPS calls for further data protection improvements (22.06.2010) http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consul... EDRi-gram: New SWIFT agreement as bad as the rejected one (16.06.2010) http://www.edri.org/edrigram/number8.12/new-switf-proposal-bad ============================================================ 3. ACTA - new criminal sanctions for non-commercial copyright uses? ============================================================ A new round of negotiations on the Anti-Counterfeiting Trade Agreement (ACTA) is in progress until 1 July 2010 at Luzern, Switzerland between 11 parties including the EU. A document leaked from the EU Presidency dated 7 April 2010 shows that EU member states intended to introduce under ACTA more criminal sanctions for copyright infringements even for non-commercial reasons. The EU Presidency document stated that the position of the EU Member States is still under examination with regard to article 2.14.1 covering copyright or related rights infringements. Some proposals of this article explicitly plan to apply criminal sanctions to "infringements that have no direct or indirect motivation of financial gain". "The ACTA agreement, by its opacity and undemocratic nature, allows criminal sanctions to be simply negotiated. The leaked document shows that the EU Member States are willing to impose prison sanctions for non-commercial usages of copyrighted works on the Internet as well as for 'inciting and aiding', a notion so broad that it could cover any Internet service or speech questioning copyright policies. EU citizens should interrogate their governments about their support to policies that obviously attack freedom of speech, privacy and innovation" says Jirimie Zimmermann, spokesperson for La Quadrature du Net. ACTA will also hinder access to medicine by preventing the production and the exportation of generic molecules. "ACTA would affect the access to treatments worldwide, because it will hinder the access to cheap generic drugs. Without generic drugs, it would have never been possible for 4 millions people to have access to antiretroviral drugs. If concluded, ACTA would be a terrible stepback for millions of people living with HIV worldwide," stated Pauline Londeix, spokesperson for Act Up-Paris. Some countries, such as India, threatened to establish a coalition of countries against the treaty as they believe ACTA is in conflict with international trade law, and it undermines the balance of rights, obligations and flexibilities that already exists within international law. The Swiss Pirate Party together with their Pirate colleagues from Germany and Switzerland organised a rally at the Lucerne train station. The Pirate parties and a group of 12 non-governmental organisations are also having short meetings with the Swiss and other delegations. The Berne Declaration, Midecins Sans Frontihres , ACT UP Paris, Knowledge Ecology International, Oxfam, La Quadrature du Net, Third World Network, and representatives of the Washington College of Law issued on 23 June an urgent ACTA Communique, which attracted a huge number of signatories from MEPs, academics and NGOs. The document states that the new treaty will encourage internet service providers to police the activities of internet users by holding internet providers responsible for the actions of subscribers, conditioning safe harbours on adopting policing policies, and by requiring parties to encourage cooperation between service providers and rights holders. It will also encourage this surveillance, and the potential for punitive disconnections by private actors, without adequate court oversight or due process. In a joint statement of the European associations of fixed and mobile telecoms operators, European internet service providers, cable companies and digital media organisations have also warned that the "proposed obligation on online providers to reveal the identity of their subscribers directly to right holders violates the existing EU data protection obligations." Also, the International Trademark Association and the International Chamber of Commerce's Business Action to Stop Counterfeiting and Piracy submitted joint recommendations and comments on the ACTA text and recommended maintaining the "original, narrow scope of ACTA to trademark counterfeiting and copyright piracy for ACTA's effective implementation in different countries." According to them, "the scope of draft text of the agreement includes a wide range of intellectual property rights, which risks diluting the focus and overall strength of the trade agreement." International Experts Find that Pending Anti-Counterfeiting Trade Agreement Threatens Public Interests (23.06.2010) http://www.wcl.american.edu/pijip/go/acta-communique Leak: EU pushes for criminalizing non-commercial usages in ACTA (24.06.2010) http://www.laquadrature.net/en/leak-eu-pushes-for-criminalizing-non-commerci... ACTA: International 'three strikes', surveillance and worse (23.06.2010) http://www.openrightsgroup.org/blog/2010/acta-international-three-strikes-su... The ACTA casino must be closed (28.06.2010) http://www.laquadrature.net/en/the-acta-casino-must-be-closed Geist: Developing world opposition mounts to anti-counterfeiting agreement (28.06.2010) http://www.thestar.com/news/sciencetech/technology/lawbytes/article/828525--... Scope Of Anti-Counterfeiting Agreement Again A Big Issue In Round Nine (26.06.2010) http://www.ip-watch.org/weblog/2010/06/26/scope-of-anti-counterfeiting-agree... EDRi-gram: ACTA: European Commission transparently ignores European Parliament (21.04.2010) http://www.edri.org/edrigram/number8.8/acta-transparency-european-comission ============================================================ 4. EP calls for a clear legal framework for the Internet of Things ============================================================ In a resolution on the Internet of Things, adopted on 15 June 2010, the European Parliament (EP) welcomes the communication of the Commission on the topic and in principle endorses the broad outlines of the action plan to promote the Internet of Things. The Parliament however takes the view that the development of new applications and the actual functioning and business potential of the Internet of Things will be intrinsically linked to the trust European consumers have in the system, and points out that trust exists when doubts about potential threats to privacy and health are clarified. It stresses that this trust must be based on a clear legal framework, including rules governing the control, collection, processing and use of the data collected and transmitted by the Internet of Things and the types of consent needed from consumers. The Parliament further notes that the Internet of Things will lead to the collection of truly massive amounts of data and calls on the Commission, in this connection, to submit a proposal for the adaptation of the European Data Protection Directive with a view to address the data collected and transmitted by the Internet of Things. In the view of the Parliament, respect for privacy and the protection of personal data together with openness and interoperability are the only ways the Internet of Things will gain wider social acceptance. The EP firmly believes that all users should have control over their personal data and stresses that a precondition for promoting technology is the introduction of legal provisions to reinforce respect for the fundamental values and for the protection of personal data and privacy. In the context of privacy by design, the European Parliament also notes the opinion of the European Data Protection Supervisor (EDPS) on this topic, who stressed the importance of Privacy by Design as the guiding principle and highlighted that in the context of RFID, the existing data protection rules need to be complemented with additional rules imposing specific safeguards, particularly making it mandatory to embed technical solutions (Privacy by Design) in RFID technology. He furthermore expressed his concern that RFID operators in the retail sector may overlook the possibility for RFID tags to be monitored by unwanted third parties and thinks it is conceivable that self-regulation will not deliver the expected results. He therefore called upon the Commission to be ready to propose legislative instruments regulating the main issues of RFID usage in case the effective implementation of the existing legal framework fails. This call for a regulation of the main issues of RFID usage now obviously gained support from the European Parliament which, in addition, underlines that RFID applications must be operated in accordance with the rules on privacy and data protection enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. The resolution of the Parliament not only addresses the European Commission but also calls on manufacturers to secure the right to "chip silence" and calls for RFID application operators to take all reasonable steps to ensure that data does not relate to an identified or identifiable natural person unless such data is processed in compliance with the applicable principles and legal rules on data protection. It is the believe of the Parliament that a general principle should be adopted whereby Internet of Things technologies should be designed to collect and use only the absolute minimum amount of data needed to perform their function, and should prevent from collecting any supplementary data. It calls for a significant amount of the data shared by the Internet of Things to be made anonymous before being transmitted, in order to secure privacy. The European Parliament believes in the importance of ensuring that all fundamental rights - not only privacy - are protected in the process of developing the Internet of Things and calls on the Commission to monitor closely the implementation of the European regulations already adopted in this area and to present, by the end of the year, a timetable for the guidelines it intends to propose at the EU level for improving the safety of the Internet of Things and of RFID applications. As EDRi-gram reported earlier this year the resolution was drafted by MEP Maria Badia i Cutchet, rapporteur to the European Parliament's Committee on Industry, Research and Energy (ITRE) including opinions of the Committees on International Trade, Internal Market and Consumer Protection and Legal Affairs. The EP Resolution has to be seen not only in the context of the European Commission's communication on the Internet of Things and the EDPS opinion on Privacy by Design, but also of the European Commission's RFID recommendation and the Industry proposal for an RFID Privacy Impact Assessment, which unfortunately fails to identify a single specific risk. In this context, the resolution of the European Parliament can be seen as another strong signal towards the European Commission to act without undue delay to effectively protect the fundamental rights of individuals affected by RFID and other technologies related to the Internet of Things and towards manufacturers and RFID application operators to take their obligations serious and effectively secure privacy and data protection rights of all persons affected by their products and applications. European Parliament resolution of 15 June 2010 on the Internet of Things (2009/2224(INI)) (15.06.2010) http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P7-TA-20... Communication to the European Parliament, the Council, the EESC and the committee of the Regions: Internet of Things - An action plan for Europe (18.06.2009) http://ec.europa.eu/information_society/policy/rfid/documents/commiot2009.pd... EDRi-gram: EP, EDPS and EDRi on RFID and the Internet of Things (24.03.2010) http://www.edri.org/edrigram/number8.6/ep-edps-edri-policy-rfid EDRi-gram: Industry proposed RFID Privacy Impact Assessment Framework (19.05.2010) http://www.edri.org/edrigram/number8.10/rfid-privacy-impact-assesment-indust... Commission Recommendation on the implementation of privacy and data protection principles in applications supported by radio-frequency identification (12.05.2009) http://ec.europa.eu/information_society/policy/rfid/documents/recommendation... (Contribution by Andreas Krisch - EDRi) ============================================================ 5. Article 29 WP issues opinion on cookies in the new ePrivacy Directive ============================================================ The Article 29 Data Protection Working Party (WP) representing the European data protection authorities published on 24 June an opinion clarifying the application of the data protection rules in online behavioural advertising, with a focus on the new text of the ePrivacy Directive. Article 29 Working Party believes that while online behavioural advertising may be beneficial for businesses and users alike, it still raises personal data protection and privacy issues. The opinion states that the advertising providers using tracking cookies are bound, through the revised ePrivacy Directive, to obtain the informed consent of their users before the installation of tracking devices such as cookies. According to the Directive, storing and accessing information on users' computers is lawful only "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information about the purposes of the processing". The only except is in the case a cookie is absolutely necessary for the provision of a certain service required explicitly by a user. In its Opinion, the Working Party asks for simple and effective mechanisms by means of which users can give their consent for online behavioural advertising but also simple and effective mechanisms by means of which they can withdraw their consent. Presently, allowing cookies is a default setting with three out of the four major used browsers and Article 29 WP believes that the users not changing a default setting does not necessarily means consent. The users should be clearly informed, in an understandable manner, on the purposes of tracking and given the choice of having their behaviour browsed or not. "Average data subjects are not aware of the tracking of their online behaviour, the purposes of the tracking, etc. They are not always aware of how to use browser settings to reject cookies, even if this is included in privacy policies," says the opinion. However, the Working Party considered the consent may be given to an advertising network and not to every single website. "....the consent obtained to place the cookie and use the information to send targeting advertising would cover subsequent 'readings' of the cookie that take place every time the user visits a website partner of the ad network provider which initially placed the cookie." Article 29 WP also said that this consent should expire after a year, and that each advertising network should request consent again after that period. It also said that the consent could be withdrawn at any time. The Internet Advertising Bureau Europe, the European Publishers Council and other advertising and publishers' trade bodies reacted to this opinion by issuing a statement saying: "The industry believes this is a gross misinterpretation of the intention of the Directive and a misrepresentation of the type of data typically collected and processed for the purposes of serving interest-based advertising to consumers on our websites." The Article 29 WG's opinion is based on the opinion presented on 23 June 2010 during EP Privacy Platform Meeting by Belgian Data Protection Supervisor Mr. Debeuckelaere which focused on "Transparency, Information, Consent". During the meeting, aspects of behavioural advertising were discussed by more than 100 representatives from industry, privacy activists, EU institutions, governments and European data protection supervisors. The representatives of Privacy International and the Electronic Frontier Foundation argued that the user control tools do not allow for the complete erasure of profiles, and some data collection, for example by flash cookies, remains invisible and outside the control of the user. During the meeting, Mrs Sophia In 't Veld, rapporteur for competition issues in the Economic Affairs committee, suggested that besides consent and transparency, a key word should be "choice". "Often internet users are more or less obliged to give their consent, as there is no alternative. Users must have a real choice, otherwise it is just token consent", said In 't Veld who also pointed out the necessity of having a single set of data protection rules that would apply to the private as well as the public sectors. "We must regulate the use of personal data for commercial purposes, but the same standards of data protection should apply to the use of those same data by public authorities for law enforcement purposes. We often do not realise how government agencies are using data collected by companies for commercial purposes. But different rules apply to the private and public sectors. That must be corrected". Article 29 Data Protection Working Party Opt-out is not sufficient (24.06.2010) http://ec.europa.eu/justice_home/fsj/privacy/news/docs/pr_26_06_10_en.pdf Opt-out is not sufficient - European Data Protection Authorities clarify EU rules on online behavioural Advertising (22.06.2010) http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp171_en.pdf Cookie consent can't be implied from browser settings, say privacy watchdogs (25.06.2010) http://www.out-law.com//default.aspx?page=11176 Transparency, Choice and Consent key words for cookies (24.06.2010) http://www.d66.nl/europa/nieuws/20100624/transparency_choice_and_consent ============================================================ 6. Increased pressure on Turkey to stop Internet blocking ============================================================ As Turkey continues its ban on Google's YouTube and other services, it attracts more and more criticism. After Turkey's President Abdullah Gul himself has taken position against its own government in this matter, it is now OSCE turn to react. On 22 June 2010, Dunja Mijatovic, the OSCE Representative on Freedom of the Media, asked the Turkish authorities to restore access to Google's YouTube and other services and change the much-criticized Law No. 5651 (so-called Internet Law) in order to be in line with international standards on free expression. "I ask the Turkish authorities to revoke the blocking provisions that prevent citizens from being part of today's global information society. I also ask them to carry out a very much needed reform of Law No. 5651," said Mijatovic. OSCE representative has sent a letter to Turkish Foreign Minister Ahmet Davutoglu, showing concern about the new blocking decisions taken at the beginning of June when the ban was extended to other Google services such as Google Translate or Google Docs. The Turkish Communication Minister Binali Yildirim has lately argued that the reason of banning Google services is related to tax disputes and has accused Google of infringing the Turkish law and of failing to cooperate with the Turkish authorities. "This site is waging a battle against the Turkish." But not even the flawed Internet Law includes tax disputes among the reasons for blocking websites, as was pointed out by Mijatovic who added: "My office has been promoting the urgent reform of Law No. 5651, because it considerably limits freedom of expression and severely restricts citizens' right to access information." Google, in its turn, is confident it complies with tax laws in every country where it operates. "We are currently in discussion with the Turkish authorities about this, and are confident we comply with Turkish law. We report profits in Turkey which are appropriate for the activities of our Turkish operations," was Google's statement. A petition has been signed by hundreds of Internet users denouncing the ban as an affront to "free speech and rights to access information" and calling for Binali Yildirim's resignation. Three information technology groups are challenging the ban in courts. Richard Howitt, a British member of the European Parliament and advocate of Turkey's European Union membership, has warned Turkey that the ban puts "the country alongside Iran, North Korea and Vietnam as one of the world's worst offenders for cyber censorship" and the country cannot expect to be considered as a serious candidate for the EU as long as it continues to censor the Internet. On 18 June 2010, as a protest against the decision taken by the Turkish Government, a group of hackers co-ordinated a DoS attack that lasted 10 hours against the websites of the Ministry of Transportation, Information and Communication Technologies Authority and the Telecommunications Communication Presidency, the authorities that have been directly involved in the banning. OSCE media freedom representative asks Turkey to withdraw recent Internet blocking provisions, calls for urgent reform of law (22.06.2010) http://www.osce.org/item/44754.html Turkey tightens Internet control in YouTube feud (26.06.2010) http://www.google.com/hostednews/ap/article/ALeqM5iPZmDTKYEB6SFdyOAv97vXytVn... OSCE calls on Turkey to stop blocking YouTube (22.06.2010) http://www.reuters.com/article/idUSTRE65L3MP20100622 Access Denied to Turkish Censorship Authorities' websites (18.06.2010) http://cyberlaw.org.uk/2010/06/18/access-denied-to-turkish-censorship-author... EDRi-gram: Turkey extends the censorship of YouTube (16.06.2010) http://www.edri.org/edrigram/number8.12/turkey-extends-blocking-youtube ============================================================ 7. Iceland - first steps for a new media haven ============================================================ Iceland's Parliament has recently accepted a proposal by Icelandic Modern Media Initiative (IMMI) asking the Icelandic Government to find "ways to strengthen freedoms of expression and information freedom in Iceland, (and provide) strong protections for sources and whistleblowers." The proposal from IMMI came after secret dealings by a few banks in Iceland in 2009 leading to enormous debts and the lack of regulation and control, almost bankrupted the entire country. The initiative comes also in relation to website Wikileaks, who made those Icelandese dealings public and which has a policy to make public secretly-submitted documents and materials. Its approval by the Parliament may turn Iceland into a haven for media, with one of the strongest freedom of expression and whistleblowing protection laws. "We can create a comprehensive policy and legal framework to protect the free expression needed for investigative journalism and other politically important publishing," says IMMI. The IMMI has proposed several legal reforms including the limitation of the scope of an exception to existing source protection laws, the increase of protections for whistleblowers employed by the state and the creation of a law similar to the free speech-protecting anti-SLAPP (Strategic Litigation against Public Participation) law of California. The plan intends to take advantage of protections in Iceland for material published from web servers based there. "Iceland could become an ideal environment for Internet-based international media and publishers to register their services, start-ups, data centers and human rights organizations. It could be a lever for the economy and create new work employment opportunities," says the initiative. Speaking at a meeting of the European Parliament on 21 June, MP Birgitta Jsnsdsttir said the Icelandic initiative "pulls together the best legislation from around the world to promote transparency" and suggested that such measures for the protection of sources may also be brought in Europe. "The right and ability to communicate knowledge is above most other rights. We must take care when regulating freedom of speech, because that speech is what all other rights are founded upon," said Jsnsdsttir. For those who suffer from breaches of confidence, according to Struan Robertson, a technology lawyer with Pinsent Masons, there will be some safeguards. "If Iceland is granting immunity to websites that host leaked documents, and if it's prepared to reject take-down orders from foreign courts, that gives the overseas content owner a real problem when the threat of domestic sanctions fails to deter a leak. The proposal does not affect copyright law, though. So it may be that take-down demands based on copyright infringement will be more effective than those based on breach of confidence." Icelandic parliament backs 'free speech haven' plan (21.06.2010) http://www.out-law.com//default.aspx?page=11158 Videos of proposal's vote (only in Icelandic) http://www.althingi.is/altext/hlusta.php?raeda=rad20100616T033127&horfa=1 http://www.althingi.is/altext/hlusta.php?raeda=rad20100616T033306&horfa=1 Icelandic Modern Media Initiative (IMMI) http://www.immi.is/?l=en&p=intro A Vision of Iceland as a Haven for Journalists (21.02.2010) http://www.nytimes.com/2010/02/22/business/media/22link.html EU 'must act as role model' in promoting free speech (23.06.2010) http://www.euractiv.com/en/pa/eu-must-act-role-model-promoting-free-speech-n... ============================================================ 8. ENDitorial: Council of Europe draft Recommendation on Profiling ============================================================ Approximately in parallel to the work of the EU's Article 29 Committee on cookies, the Council of Europe has been preparing a wider Recommendation on profiling. The document has been discussed for over a year, with a consultation on an earlier draft having been organised at the end of 2009. While obviously responding to the increasing options offered by the digital environment with regard to public and private sector profiling, the text attempts to cover the online and offline environments. The document makes some pertinent statements - in addition to acknowledging the positive benefits of more targeted services, it points out that "the lack of transparency or even "invisibility" of profiling and the lack of accuracy that may derive from the automatic application of pre-established rules of inference can pose significant risks for the individual's rights and freedoms," that "violate the principle of non-discrimination" and that profiling could expose individuals to particularly high risks of discrimination and attacks on their personal rights and dignity. However, it then does little to mitigate these risk and, worse still, appears to increase the chances of such risks being taken with personal data by public authorities. The text copies and pastes definitions from the Convention on Data Protection which seem rather incongruous in this context in the absence of more detailed analysis and practical analysis. From the profiling organisation's perspective, it seems obvious that data should and will be "adequate, relevant and not excessive in relation to the purposes for which they are collected or for which they will be processed". Generally, however, a lot of questions are left open, such as what could be understood by "informed consent", procedures for providing access to and correction of data which is indirectly personally identifiable. Overall, the current draft text does little to clarify the core issues of effective communication to consumers, informed consent, access to and correction of data and the "right to be forgotten". Earlier drafts of the proposal were neutral on the use of profiling by states, indicating that the Recommendation was aimed at the private sector, leaving the choice to Member States to extend it to the public sector if they so wished. This was replaced in the most recent version, which seems to assume the use of profiling by state authorities and implicitly accepts that, when "necessary". Member States can both use profiling and avoid implementation of a large swathe of the Recommendation covering lawfulness, information and the rights of data subjects. Bearing in mind the dangers to fundamental rights identified and enumerated in the text and previous positions taken by the Council of Europe, it appears unlikely that implicit and uncritical support for profiling is the intention of the Recommendation. Draft Recommendation on the Protection of Individuals with regard to automatic processing of personal data in the framework of profiling June 2010 (3.06.2010) http://www.coe.int/t/e/legal_affairs/legal_co-operation/steering_committees/... Draft Recommendation on the Protection of Individuals with regard to automatic processing of personal data in the framework of profiling (2.10.2009) http://www.coe.int/t/e/legal_affairs/legal_co-operation/data_protection/even... EDRi Consultation Response (3.11.2009) http://www.edri.org/docs/edri_CoEprofiling_response_091103.pdf (Contribution by Joe McNamee - EDRi) ============================================================ 9. Recommended Action ============================================================ Public consultation on the open internet and net neutrality. DG Information Society and Media has launched a public consultation on key questions arising from the issue of net neutrality. The consultation covers such issues as whether internet providers should be allowed to adopt certain traffic management practices, prioritising one kind of internet traffic over another; whether such traffic management practices may create problems and have unfair effects for users; whether the level of competition between different internet service providers and the transparency requirements of the new telecom framework may be sufficient to avoid potential problems by allowing consumers' choice; and whether the EU needs to act further to ensure fairness in the internet market, or whether industry should take the lead. http://ec.europa.eu/information_society/policy/ecomm/library/public_consult/... http://europa.eu/rapid/pressReleasesAction.do?reference=IP/10/860&format=HTML&aged=0&language=EN&guiLanguage=en European Commissions4 public consultation on the future direction of EU trade policy Call open until 28 July 2010 http://ec.europa.eu/yourvoice/ipm/forms/dispatch?form=FutureTradePolicy http://trade.ec.europa.eu/doclib/docs/2010/june/tradoc_146220.pdf ============================================================ 10. Recommended Reading ============================================================ The European Court of Justice defines the scope of the protection of personal data in the context of access to documents of the Union institutions. Judgment of the Court of Justice in Case C-28/08: Commission v Bavarian Lager http://curia.europa.eu/jcms/jcms/P_65670/ http://curia.europa.eu/jurisp/cgi-bin/form.pl?lang=EN&Submit=rechercher&numaff=C-139/07 OFCOM: No need for net neutrality http://www.ofcom.org.uk/consult/condocs/net-neutrality/netneutrality.pdf http://www.out-law.com//default.aspx?page=11177 ============================================================ 11. Agenda ============================================================ 9-11 July 2010, Gdansk, Poland Wikimedia 2010 - the 6th annual Wikimedia Conference http://wikimania2010.wikimedia.org/wiki/Main_Page 25-31 July 2010, Meissen, Germany European Summer School on Internet Governance http://www.euro-ssig.eu 29-31 July 2010, Freiburg, Germany IADIS - International Conference ICT, Society and Human Beings 2010 http://www.ict-conf.org/ 2-6 August 2010, Helsingborg, Sweden Privacy and Identity Management for Life (PrimeLife/IFIP Summer School 2010) http://www.cs.kau.se/IFIP-summerschool/ 31 August - 3 September 2010, Budapest, Hungary OpenOffice 2010 Conference http://www.ooocon.org/index.php/ooocon/2010 13-17 September 2010, Crete, Greece Privacy and Security in the Future Internet 3rd Network and Information Security (NIS'10) Summer School http://www.nis-summer-school.eu 14-16 September 2010, Vilnius, Lithuania Internet Governance Forum 2010 http://igf2010.lt/ 8-9 October 2010, Berlin, Germany The 3rd Free Culture Research Conference http://wikis.fu-berlin.de/display/fcrc/Home 25-26 October 2010, Jerusalem, Israel OECD Conference on "Privacy, Technology and Global Data Flows", celebrating the 30th anniversary of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data http://www.oecd.org/sti/privacyanniversary 27-29 October 2010, Jerusalem, Israel The 32nd Annual International Conference of Data Protection and Privacy Commissioners http://www.privacyconference2010.org/ 28-31 October 2010, Barcelona, Spain oXcars and Free Culture Forum 2010, the biggest free culture event of all time http://exgae.net/oxcars10 http://fcforum.net/10 3-5 November 2010, Barcelona, Spain The Fifth International Conference on Legal, Security and Privacy Issues in IT Law. Call for papers deadline: 10 September 2010 http://www.lspi.net/ 17 November 2010, Gent, Belgium Big Brother Awards 2010 Belgium http://www.winuwprivacy.be/kandidaten ============================================================ 12. About ============================================================ EDRI-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRI has 27 members based or with offices in 17 different countries in Europe. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRI-grams. All contributions, suggestions for content, corrections or agenda-tips are most welcome. Errors are corrected as soon as possible and visibly on the EDRI website. Except where otherwise noted, this newsletter is licensed under the Creative Commons Attribution 3.0 License. See the full text at http://creativecommons.org/licenses/by/3.0/ Newsletter editor: Bogdan Manolea <edrigram@edri.org> Information about EDRI and its members: http://www.edri.org/ European Digital Rights needs your help in upholding digital rights in the EU. If you wish to help us promote digital rights, please consider making a private donation. http://www.edri.org/about/sponsoring - EDRI-gram subscription information subscribe by e-mail To: edri-news-request@edri.org Subject: subscribe You will receive an automated e-mail asking to confirm your request. unsubscribe by e-mail To: edri-news-request@edri.org Subject: unsubscribe - EDRI-gram in Macedonian EDRI-gram is also available partly in Macedonian, with delay. Translations are provided by Metamorphosis http://www.metamorphosis.org.mk/edrigram-mk.php - EDRI-gram in German EDRI-gram is also available in German, with delay. Translations are provided Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for Internet Users http://www.unwatched.org/ - Newsletter archive Back issues are available at: http://www.edri.org/edrigram - Help Please ask <edrigram@edri.org> if you have any problems with subscribing or unsubscribing. ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE