
============================================================

EDRI-gram

biweekly newsletter about digital civil rights in Europe

Number 5.9, 9 May 2007

============================================================
Contents
============================================================

1. European Commission supports Privacy Enhancing Technologies
2. EDPS advises against new data protection framework decision
3. PNR deal ratification postponed by the Czech Senate
4. RapidShare sues German rights holder association
5. The EDPS Annual Report for 2006 shows more concern for data protection
6. Failure of the Scottish e-voting system
7. First draft on data retention law in Romania
8. New calls for computer online searches by German authorities
9. Recommended Action
10. Agenda
11. About

============================================================
1. European Commission supports Privacy Enhancing Technologies
============================================================

Commissioner Franco Frattini, who is responsible for the legislation concerning co-operation between European police as well as data protection of European police, has shown public support for privacy enhancing technologies (PETs). Frattini's position is surprising, taking into consideration his open support for other privacy-invasive projects such as the data retention directive, EU-US PNR agreement or the planned EU fingerprint database.

A public statement published by the European Commission (EC) on 2 May 2007 directly supports PETs, expecting them to improve the protection of privacy as well as help fulfil the data protection rules.

"The use of PETs would be complementary to the existing legal framework and enforcement mechanisms. In fact the intervention of different actors in the data processing and the existence of the different national jurisdictions involved could make enforcement of the legal framework difficult."

The PETs mentioned in the Commission's communication are: the automatic anonymisation after a certain lapse of time, encryption tools, cookie-cutters or the Platform for Privacy Preferences (P3P). These PETs could ensure that "breaches of the data protection rules and violations of individual's rights are not only something forbidden...but also technically more difficult".

The communication shows the plans of the EC in this field through activities such as identifying the need and technological requirements of PETs, promoting use of PETs by the industry, ensuring respect for appropriate standards in the protection of personal data through PETs and promoting the use of PETs by public authorities. It also aims at direct support by funding research on PETs: Europe contributed over 18 million Euro to PET research as part of its 6th Framework Programme (2002-06), and this is expected to increase significantly in the coming years.

Frattini also advanced the idea of a pan-European system of "privacy seals" that will help the consumers.

Privacy Enhancing Technologies (PETs) (2.05.2007)
http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/07/159&format=HTML&aged=0&language=EN&guiLanguage=en

Euro Data watchdog warns of database creep (3.05.2007)
http://www.theregister.co.uk/2007/05/03/database_creep/

============================================================
2. EDPS advises against new data protection framework decision
============================================================

The European Data Protection Supervisor (EDPS) has shown serious concerns in his opinion on the Commission's new Council Framework Decision proposal regarding the protection of personal data processed in the framework of police and judicial co-operation in criminal matters. Although appreciative of the German presidency's efforts, Peter Hustinx advised the Council against adopting the proposal considering it failed to provide appropriate data protection.

EDPS believes that a Framework Decision on the protection of personal data in the third pillar is essential in the development of an area of freedom, security and justice and that "the growing importance of the police and judicial cooperation in criminal matters as well as the actions stemming from the Hague Programme have highlighted the necessity of common standards in the protection of personal data in the third pillar".

At the same time, Hustinx underlines that some of the aspects of the proposal are not in agreement with the EU Treaty and some are even below the standards of the Council of Europe Convention 108 of 1981.

"We need to ensure high standards to guarantee both the citizens' rights and the efficiency in police and judicial cooperation. Unfortunately, this proposal does not meet the expectations," stated the EDPS.

Two important issues Hustinx opposes are the extension of the proposal scope to third pillar data processing by Europol and Eurojust and the creation of a new joint supervisory authority before including adequate protection measures for the citizens' data when such data are exchanged between member states and third parties.

In his opinion, the lack of a proper and broad level of data protection will make information exchanges "subject to different national "rules of origin" and "double standards" that strongly affect efficiency in law enforcement cooperation while not improving the protection of personal data".

The EDPS considers that some essential data protection provisions have been taken out from the previous text, thus weakening the level of protection of citizens, and also finds the legislative quality of the text unsatisfactory. "Apart from the choice of legal instrument, several provisions do not fulfil the requirements of the common guidelines for the quality of drafting of Community legislation. In particular, the text is not drafted clearly, simply and precisely, which makes it difficult for the citizens to identify their rights and obligations unambiguously".

Two of the aspects that are not properly covered by the proposal are the limitation of the further purposes for which personal data may be processed, and the lack of specific and strict conditions for the data exchanges with non-law enforcement authorities.

The opinion shows there are no adequate provisions related to the quality of data. There are no provisions regarding the differentiation of data categories based on their degree of accuracy and reliability, and no distinction between data based on facts and data based on personal opinions or assessment. "The lack of such a common requirement could actually undermine the data being exchanged between police authorities as they will not be able to ascertain whether the data can be construed as "evidence", "fact", "hard intelligence" or "soft intelligence". This could have the consequence of not only hampering security operations and intelligence."

The privacy watchdog especially objects to the way of handling the exchange of DNA data and urges caution regarding the introduction of biometric data in passports. He remarked that, in the fight against crime, adequate data protection measures had very often been disregarded for the sake of security.

Third pillar data protection: EDPS strongly advises Council not to adopt current proposal without significant improvements (30.04.07)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/P...

Third opinion of the European Data Protection Supervisor on the Proposal for a Council Framework Decision on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters (27.04.2007)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consul...

EU Data Protection Supervisor warns against networking police databases (3.05.2007)
http://www.heise.de/english/newsticker/news/89219/

============================================================
3. PNR deal ratification postponed by the Czech Senate
============================================================

The ratification by the Czech Parliament of the proposed agreement between the European Union and the United States of America on the processing and transfer of passenger name record (PNR) data has been taken off the agenda based on the position of the Green Party MPs.

On 23 April 2007, EDRI-member Iuridicum Remedium - Czech Republic sent a written appeal to the members of the Green Party parliamentary club, recommending that they vote against the ratification of the proposed agreement between the European Union and the United States of America on the processing and transfer of passenger name record (PNR) data for the following reasons:

The scope of the agreement submitted for approval as parliamentary paper no. 162 by the Ministry of Foreign Affairs and the Ministry of Transport has been (in comparison with the former agreement repealed by the European Court of Justice) "widened substantially (more data requested, considerable weakening if not complete elimination of the purpose limitation, sharing with more and unspecified agencies and countries, undefined retention periods, allowing for more frequent and earlier pushing of data, no guarantees for a definitive switch to the PUSH system, the virtual abolition of the joint evaluation) whereas the protection of personal data of EU citizens and means of legal redress are at best unclear, and probably weaker than under the previous agreement."

Further concerns were raised about the "precedent this agreement may set for future agreements with the US on PNR, or on other categories of data (such as bank account details as in the case of SWIFT, or records of telecommunications). The lack of democratic legitimacy regarding rules on the transfer of data must be remedied as a matter of urgency."

Moreover, the Department of Homeland Security has been using PNR data in the system called the Automated Targeting System, which violates both EU and US data protection laws. It uses passenger personal data for "risk assessment scoring" and retains the data for up to 40 years. In January 2007, Privacy International and ACLU called for repeal of the EU-US agreement on data transfers on this basis.

Decision on the Agreement between the EU and USA passenger name record postponed by the Czech Senate (only in Czech, 25.04.2007)
http://www.iure.org/614715

EU original text of the PNR Agreement - submitted as parliamentary paper n.162 (27.10.2006)
http://eur-lex.europa.eu/LexUriServ/site/en/oj/2006/l_298/l_29820061027en002...

EDRI-gram: Travellers privacy and European Union (30.07.2006)
http://www.edri.org/edrigram/number4.16/prague

(Thanks to Marek Tichy - EDRI-member Iuridicum Remedium, Czech Republic)

============================================================
4. RapidShare sues German rights holder association
============================================================

Rapidshare AG sued the German society for musical performing and mechanical reproduction rights (GEMA) in order to clarify the legal situation regarding free file hosting in Germany.

The counter-attack from Rapidshare, a well-known free file hosting provider based in Switzerland, comes after the suit initiated in Germany by GEMA in January 2007 for distributing MP3 files on Rapidshare.com. GEMA won a preliminary injunction in the first lawsuit that was upheld by the appeal in March of the District Court of Cologne.

The District Court in Cologne had considered that Rapidshare was liable for copyright infringements even if the works were uploaded by the users and not by the provider.

As a result of the GEMA action, Rapidshare was forced to stop the distribution of works from the GEMA catalogue and to actively monitor uploads of these works. Rapidshare argues that this activity is close to impossible and is not covered by the German copyright law either.

Rapidshare CEO Bobby Chang considers that people have the right to make backup copies of their music and that it is practically impossible to distinguish between legal and unauthorized uses of MP3s.

"We are confident that it is possible to solve the conflict with GEMA while at the same time paying tribute to innovation" said Chang.

Rapidshare sues rights holders (19.04.2007)
http://www.p2p-blog.com/item-280.html

RapidShare AG press release (only in German, 18.04.2007)
http://www.blogspan.net/377-rapidshare-ag-klagt-gegen-gema-welche-prufungspf...

EDRI-gram: Temporary injunction against RapidShare.de (31.01.2007)
http://www.edri.org/edrigram/number5.2/rapidshare

============================================================
5. The EDPS Annual Report for 2006 shows more concern for data protection
============================================================

The European Data Protection Supervisor (EDPS) has issued its report for 2006 that includes activities and events as well as the main trends of the past year and draws conclusions related to complaints, developments in security, justice, freedom and new technologies with possible impact on personal data protection.

One of the conclusions of the report is that while the number of complaints has increased, it is still low and only 20% of the complaints made in 2006 were valid. "A large majority of the complaints received continued to fall outside of the supervisory competences of the EDPS, for instance because they dealt exclusively with processing of personal data on the level of the member states, where national Data Protection Authorities are competent," said the report.

The report shows that data protection continues to be a significant challenge and more work is needed to have data protection rules and practices implemented in European laws and "to develop a data protection culture as part of good governance".

It also states concern regarding the increasing tendency of authorities to establish central databases and large scale IT systems. According to EDPS, state databases continuously exceed their function, not always to the benefit of people, and there is "the risk of illegitimate use" of these databases.

"The EDPS has observed a trend in that once a database has been established, access to it is extended to more authorities, for other purposes than those for which it was set up." He believes that the cooperation between the police forces and the judiciary systems has been developed without proper protection for citizens' data protection rights.

European Data Protection Supervisor - Annual Report 2006 - Executive Summary
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/P...

European Data Protection Supervisor - Annual Report 2006
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/P...

Most complaints to EU privacy watchdog are misdirected (2.05.2007)
http://www.out-law.com//default.aspx?page=8015

============================================================
6. Failure of the Scottish e-voting system
============================================================

The electronic voting system used in the Scottish Parliamentary Elections on 3 May 2007 went as the security experts had warned, and the Scotland Office announced an urgent investigation into the "serious technical failures" that delayed the announcement of results in several areas.

Several counts were delayed and about 140 000 votes (approx. 7% of the total votes cast) may be discounted because of the problems that occurred with the new electronic counting system, used for the first time in Scotland.

The independent Electoral Commission, set up by the Parliament to monitor elections, had previously advised against the system with different types of election used by the UK Department for Constitutional Affairs (DCA) in the elections for the local councils, the Scottish Parliament and the Welsh assembly.

The experimental system included early voting in person up to two weeks in advance, internet voting, touch-tone telephone voting or e-counting as was the case for the Scottish Parliament. In spite of the testing in advance, problems with the automatic counting system occurred, causing the suspension of the counting for some time.

DRS Data Services, which supplied the electronic counting machines, told the BBC that the delays had been caused by a "small issue" that their technical staff was working to solve. "The e-counting system has not crashed. This is a temporary interruption to one small aspect of the overall process," said the company spokeswoman.

However, the system was described as a fiasco by the thirty experts from North America invited to witness the new electronic voting system. Robert Richie, executive director of US-based organisation Fair Vote, considered it "totally unacceptable to have so many votes spoiled" and stated: "We were also very concerned about the lack of uniform standards in judging what votes were rejected and which were deemed to be valid".

The Electoral Commission will perform an extended statutory review into the election. The Scotland Office spokesman said: "It is important that they look as a matter of urgency into delays in postal ballots, the high number of spoiled ballot papers, and the performance of the electronic counting machines."

E-voting policy review after Scottish ballot chaos (4.05.2007)
http://www.electronicsweekly.com/Articles/2007/05/04/41323/E-voting+policy+r...

Inquiry launched into Scottish voting confusion (4.05.2007)
http://uk.reuters.com/article/topNews/idUKL0429559920070504

International experts slam ballot fiasco (6.05.2007)
http://observer.guardian.co.uk/politics/story/0,,2073641,00.html

Security fear over internet voting (2.05.2007)
http://technology.guardian.co.uk/news/story/0,,2070296,00.html

Vote early, vote often (1.05.2007)
http://commentisfree.guardian.co.uk/david_hencke/2007/05/vote_early_vote_oft...

============================================================
7. First draft on data retention law in Romania
============================================================

A first draft law for the implementation of the data retention directive was presented at the end of April 2007 by the Romanian Ministry of Communications and Information Technology for public consultation. The ministry also organized a public debate on the draft law on 26 April.

The first draft was prepared in cooperation with a number of public bodies including the Ministry of Justice, the Ministry of Internal Affairs and the Romanian Data Protection Authority. The text, which proposes a 12-month period of traffic data retention and comes without any explanatory reports, has received criticism from ISPs and other telecom operators that believe it puts a high financial burden on them.

The draft clearly specifies that the content of the communications cannot be retained by the operators, and treats the retention of content, as well as any transfer of retained data without proper judicial authorization, as crimes. The retained data should be deleted at the end of the 12-month period.

Only the electronic communication providers that have notified the Regulatory Authority are subject to data retention obligations, and there are no provisions for hosting or other online service providers.

The retained data can be accessed by prosecutors only in penal cases related to organized crime and terrorism crimes and with a proper, specific judge-approved access authorization. The prosecutor can ask, through a specific ordinance, for access to the data as a provisional measure, if this is necessary due to specific circumstances that could otherwise endanger the penal investigation. But in this case, the prosecutor's decision together with the data needs to be confirmed by a judge within 48 hours. If a judge does not confirm the prosecutor's ordinance, all the accessed data will be destroyed.

The very detailed procedure regarding access by prosecutors to the retained data stands in contrast to Article 16 of the draft text, which allows, "in case of a threat to the national security", the request of the retained data by "the specific bodies, as explained in the laws on national security". The vagueness of this article was criticized in the public debate, the participants considering that this could leave room for discriminatory access by the Romanian secret services.

As regards the type of data retained, the Romanian draft is only a translation of the European Directive on data retention.

The public consultation will end on 10 May 2007 and the text could be approved by the Government and then sent to the Parliament for consideration.

Draft law on data retention by public electronic communication providers (only in Romanian, 04.2007)
http://www.mcti.ro/index.php?id=16&lege=383

MCIT Publicly Debates the Retention of Data Generated or Processed in Connection with the Provision of Publicly available electronic communications services or of public communications networks (26.04.2007)
http://www.mcti.ro/index.php?id=28&lege=1257&L=1

EDRI-member APTI - Romania - Opinion on the draft data retention law (only in Romanian, 9.05.2007)
http://www.apti.ro/opinie_APTI_Legedatetrafic_9052007.pdf

============================================================
8. New calls for computer online searches by German authorities
============================================================

The German authorities seem increasingly keen to push for a legal basis for online searches of personal computers in Germany, despite the Federal Supreme Court's decision in February 2007 that, under the German Code of Criminal Procedure, online police snooping was illegal.

Wolfgang Schäuble, the German Federal Minister of the Interior, has again asked for the adoption of stricter security rules that are essential in the fight against terror. Schäuble said that terrorists were beginning to set their sights on Germany and "These days the Internet is the place where terrorists from all over the world arrange to meet". This is why it is essential to make the online searches of computers a legal possibility for the German law enforcement.

The online searches of computers by the secret services have been a reality in Germany since 2005, following an order to do so by then-Interior Minister Otto Schily. This was admitted by the Chancellor's Office, which did not reveal the number of searches. The German Government stated that it did not see any breach of the privacy of telecommunications in these actions.

Gisela Piltz, spokesperson for home affairs from the FDP in the Bundestag, who forced the government to admit the searches, said that "the cat is out of the bag". The Social Democratic Party has accused Mr. Schäuble of engaging in a "hypocritical debate" and said the new approach is like "a recipe for asking for trouble".

The German Supreme Court president, Hans-Jürgen Papier, told the Frankfurt Press Club that the politicians were going too far in asking for greater security and were forgetting that the state is also obliged to ensure civil rights.

Minister of the Interior renews call for legal online PC search option (4.05.2007)
http://www.heise.de/english/newsticker/news/89294

German government admits it is already conducting online searches (26.04.2007)
http://www.heise.de/english/newsticker/news/88895

EDRI-gram: Online police searches found illegal in Germany (14.02.2007)
http://www.edri.org/edrigram/number5.3/online-searches

EDRI-gram: Proposal of computers online searching in Germany (20.12.2006)
http://www.edri.org/edrigram/number4.24/computer-online-searching

============================================================
9. Recommended Action
============================================================

Public consultation on the Regulation regarding public access to European Parliament, Council and Commission documents (Regulation 1049/2001).
http://europa.eu/rapid/pressReleasesAction.do?reference=IP/07/511&format=HTML&aged=0&language=EN&guiLanguage=en
http://ec.europa.eu/transparency/revision/index_en.htm

For Dutch readers - Petition for more flexible contracts for members of the rights collecting society which allow them to choose the conditions under which to release their own music and use CC licenses.
http://www.ipetitions.com/petition/bumawakeup/

============================================================
10. Agenda
============================================================

15-16 May 2007, Brussels, Belgium
The European Patent Conference - EUROPACO-2
http://www.eupaco.org/eupaco2

18 May 2007, Oxford, UK
Global Internet Filtering Conference 2007
The OpenNet Initiative is holding its first public conference to discuss the current state of play of Internet filtering worldwide.
http://cyber.law.harvard.edu/oniconference07/Main_Page

18-19 May 2007, Brasov, Romania
eLiberatica - The Benefits of Open and Free Technologies - Romanian IT Open Source and Free Software Conference
http://www.eliberatica.ro/

26 May 2007, Zurich, Switzerland
Creative Commons Switzerland - Launch Event
http://www.tweakfest.ch/festival/2007/program/program_detail_de.php?id=progr...

11-15 June 2007, Geneva, Switzerland
Provisional Committee on Proposals Related to a WIPO Development Agenda: Fourth Session
http://www.wipo.int/meetings/en/details.jsp?meeting_id=11927

11-12 June 2007, Strasbourg, France
Council of Europe - Octopus Interface 2007 - Cooperation against Cybercrime
http://www.coe.int/t/e/legal_affairs/legal_co-operation/combating_economic_c...

12 June 2007, Berlin, Germany
German Federal Commissioner for Data Protection and Freedom of Information - Symposium "Data Protection in Europe"
http://www.bfdi.bund.de/cln_029/nn_533554/DE/Oeffentlichkeitsarbeit/Termine/...

14 June 2007, Paris, France
ENISA/EEMA European eIdentity conference - Next Generation Electronic Identity - eID beyond PKI
http://enisa.europa.eu/pages/eID/eID_ws2007.htm

15-17 June 2007, Dubrovnik, Croatia
Creative Commons iSummit 2007
http://wiki.icommons.org/index.php/ISummit_2007

17-22 June 2007, Seville, Spain
19th Annual FIRST Conference, "Private Lives and Corporate Risk"
http://www.first.org/conference/2007/

18-22 June 2007, Geneva, Switzerland
Second Special Session of the Standing Committee on Copyright and Related Rights (SCCR)
http://www.wipo.int/meetings/en/details.jsp?meeting_id=12744

============================================================
11. About
============================================================

EDRI-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRI has 25 members from 16 European countries. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRI-grams. All contributions, suggestions for content, corrections or agenda-tips are most welcome. Errors are corrected as soon as possible and visibly on the EDRI website.

Except where otherwise noted, this newsletter is licensed under the Creative Commons Attribution 2.0 License. See the full text at
http://creativecommons.org/licenses/by/2.0/

Newsletter editor: Bogdan Manolea <edrigram@edri.org>

Information about EDRI and its members:
http://www.edri.org/

- EDRI-gram subscription information

subscribe by e-mail
To: edri-news-request@edri.org
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.

unsubscribe by e-mail
To: edri-news-request@edri.org
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay. Translations are provided by Metamorphosis
http://www.metamorphosis.org.mk/edrigram-mk.php

- EDRI-gram in German

EDRI-gram is also available in German, with delay. Translations are provided by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for Internet Users
http://www.unwatched.org/

- Newsletter archive

Back issues are available at:
http://www.edri.org/edrigram

- Help

Please ask <edrigram@edri.org> if you have any problems with subscribing or unsubscribing.

----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE