============================================================
EDRi-gram
biweekly newsletter about digital civil rights in Europe
Number 9.23, 30 November 2011
============================================================
Contents
============================================================
1. Scarlet v SABAM: a win for fundamental rights and Internet freedoms
2. Proposed US-EU PNR Agreement made public
3. Dutch Parliament: no discussions on ACTA if negotiations are still secret
4. Turkey launches Internet filtering scheme
5. US crackdown on global domain names and IP addresses continues
6. Italian Police blocks sites that had banners to alleged illegal websites
7. EU-US summit joint statement ignores European civil rights
8. Two years into the Stockholm Programme: on the way to e-Fortress Europe?
9. New Guidelines to RFID Privacy Impact Assessments
10. ENDitorial: Advocate General on Data Retention: Strange answer&question
11. Recommended Action
12. Recommended Reading
13. Agenda
14. About

============================================================
1. Scarlet v SABAM: a win for fundamental rights and Internet freedoms
============================================================

On 24 November 2011, the European Court of Justice decided that an Internet service provider (ISP) cannot be ordered to install a system of filtering of all electronic communications and blocking certain content in order to protect intellectual property rights. The Court largely based its decision on the Charter of Fundamental Rights. The ruling is hugely important for the openness of the Internet, and therefore for the fundamental rights value and the economic value of the Internet.

SABAM (the Belgian collective society - Société belge des auteurs, compositeurs et éditeurs) wanted the ISP Scarlet to install a generalised filtering system for all incoming and outgoing electronic communications passing through its services and to block potentially unlawful communications.
In First Instance, while refusing the liability of the ISP, the Brussels Court concluded that SABAM's claim was legitimate and that a filtering system had to be deployed. Scarlet appealed and the case was referred to the Court of Justice of the European Union.

In its decision, the Court of Justice ruled that a filtering and blocking system for all its customers for an unlimited period, in abstracto and as a preventive measure, violates fundamental rights, more particularly the right to privacy, freedom of communication and freedom of information. In addition, it breaches the freedom of ISPs to conduct business.

The EU ruling underlines the importance of an open and neutral Internet, respecting fundamental rights. The alternative would have led to a permanent surveillance and filtering of all European networks. The consequences would have been catastrophic for democracy, civil rights and the Internet economy.

The role of Internet intermediaries is to provide the infrastructures and services that allow users to access and use the Internet, not to police the flows of traffic to privately enforce intellectual property rights. By protecting ISPs, the ruling is likely to preserve key elements of the online economy and society.

The Court sought the right balance between the interest of the rightsholders on the one hand and the interests of the ISPs and of citizens on the other hand.

Internet blocking is not completely banned by the decision, nor does the decision deny ISPs' liability in every situation. On the former, the EU Court had to rule on the liability of the type of blocking/filtering that was proposed. On that point, it declared that the level of filtering and blocking asked for in the case was too broad in terms of material and geographic scopes, that the legitimate interests of society as a whole outweighed the other interests at stake and that the unlimited and open-ended nature of the blocking was excessive.
As a result, the Court ruled that the proposed measures were in violation of European law. The Court could not have made a ruling on unknown future technologies and developments or answered questions it was not asked.

On ISP liability, the ruling avoids the circumvention of the existing EU law. In the current framework in the e-commerce Directive (2000/31/EC), the ISP cannot be held liable for its customers' behaviour when the ISP is unaware of illegal activity.

Far from creating a law-free zone, the ruling sets safeguards to better protect fundamental rights on the Internet. The decision re-establishes the importance of the rule of law in the digital environment. Illegal behaviour remains illegal but the policing stays the responsibility of the state, and the liability stays on the person responsible for the illegal content.

ECJ Decision Scarlet vs Sabam (24.11.2011)
http://curia.europa.eu/jurisp/cgi-bin/gettext.pl?where=&lang=en&num=79888875C19100070&doc=T&ouvert=T&seance=ARRET

Press release and FAQ from EDRi (24.11.2011)
http://edri.org/scarlet_sabam_win

Press release from ECJ (24.11.2011)
http://curia.europa.eu/jcms/upload/docs/application/pdf/2011-11/cp110126en.p...

(Contribution by Marie Humeau - EDRi)

============================================================
2. Proposed US-EU PNR Agreement made public
============================================================

On 17 November 2011, U.S. and EU officials initialled a proposed agreement to authorize airlines to forward passenger name record (PNR) data to the U.S. Department of Homeland Security (DHS).

Although the agreement cannot take effect without the approval of the European Parliament and the Council, MEPs could read the proposed agreement only in a sealed room where they could not take notes or make copies.
This week the complete text on which the European Parliament will vote has finally been made public, revealing a failure to address the concerns raised by the Parliament and continued shortfalls in data protection, due process, and protection of fundamental rights.

In its resolution of 5 May 2010, the Parliament said that the PNR agreement should take the form of a treaty, recognize the fundamental right to freedom of movement, prohibit the use of PNR data for data mining or profiling, and take into consideration "PNR data which may be available from sources not covered by international agreements, such as computer reservation systems located outside the EU." The proposed agreement does not meet these criteria, and does not mention any of these issues.

The agreement would require that DHS copies of PNRs be "depersonalized" after 6 months. But the "depersonalized" DHS copy of each PNR would still include a unique record locator. There is no data protection law in the U.S. for commercial data. So, at any time - secretly, without a court order, and without violating U.S. law or the U.S.-EU agreement - the DHS could use the record locator to obtain a copy of the complete PNR from the computer reservation systems.

The agreement claims that all DHS access to PNR data will be logged. But when individuals have requested these logs, both the DHS and European airlines have said that they didn't exist. Without access logs, there can be no accountability or oversight.

According to the agreement, any individual is entitled to "request" access or corrections to their PNR data under the Freedom of Information Act (FOIA). But most PNR data is exempt from FOIA. Under both the agreement and U.S. law, you are entitled to request your PNR data, and the DHS is entitled to say "No".

FOIA is not a data protection law. FOIA never requires any accounting of usage or disclosure of data. FOIA never requires correction of records.
FOIA does not restrict what information is collected or how it is used. U.S. courts have no authority under FOIA to take any action against misuse or disclosure of personal information.

The agreement says that individuals may "seek" or "petition" for judicial review in U.S. courts. But such a petition related to violations of the agreement would be denied.

The proposed agreement would protect travel companies against enforcement of EU data protection laws, while failing to protect the rights of travellers.

Because the proposed agreement does not provide an adequate level of protection for the processing of personal data, as required by the EU Data Protection Directive and Article 8 of the Charter of Fundamental Rights, EDRi recommends that the Council and the Parliament should reject the proposed agreement.

Text of the PNR Agreement (23.11.2011)
http://www.ipex.eu/IPEXL-WEB/dossier/dossier.do?code=NLE&year=2011&number=0382

Analysis of the proposed U.S.-EU agreement on PNR transfers to the DHS (with links to the full text in English, German, and French, 28.11.2011)
http://papersplease.org/wp/2011/11/28/revised-eu-us-agreement-on-pnr-data-st...

Analysis of the proposed agreement by NoPNR! (only in German, 28.11.2011)
http://www.nopnr.org/fluggastdaten-an-die-usa-analyse/

EDRi archive of articles about PNR
http://www.edri.org/issues/privacy/pnr

(Contribution by Edward Hasbrouck, PapersPlease.org - EDRi observer)

============================================================
3. Dutch Parliament: no discussions on ACTA if negotiations are still secret
============================================================

ACTA is creating quite some noise, not only internationally but also domestically. National Parliaments, including the Dutch Parliament, will have to decide whether they will approve ACTA or not. In order to correctly assess the implications of ACTA, the Dutch Parliament requested publication of all preparatory documents on ACTA.
The Dutch Minister of Economic Affairs, Agriculture and Innovation, Maxime Verhagen, would only hand over these documents if parliamentarians vowed not to reveal anything about these documents.

Last week, the Dutch Parliament debated the imposed restrictions. A majority of the Parliament indicated that ACTA could not be discussed in Parliament before all information on the negotiations is disclosed without conditions.

In preparation for this debate, EDRi-member Bits of Freedom sent a letter to the Parliament that underlined the problems associated with ACTA and advised against accepting the imposed restrictions, as these would prohibit the Parliament from discussing the treaty freely in public and consulting experts.

Dutch parliament refuses ACTA secrecy (23.11.2011)
http://acta.ffii.org/?p=924

Absurd obligation of confidentiality on ACTA blocks public debate (only in Dutch, 21.11.2011)
https://www.bof.nl/2011/11/21/absurde-zwijgplicht-over-acta-blokkeert-publie...

Parliament demands moratorium on anti-counterfeiting treaty ACTA (only in Dutch, 23.11.2011)
https://www.bof.nl/2011/11/23/kamer-eist-moratorium-op-anti-namaakverdrag-ac...

(Contribution by Rebecca Roskam EDRi-member Bits of Freedom volunteer - Netherlands)

============================================================
4. Turkey launches Internet filtering scheme
============================================================

The Turkish Information Technologies and Communications Authority (BTK) launched the Internet safety scheme on 22 November 2011, as planned, but on a voluntary basis, following the fierce criticism and opposition to the original plans to introduce a mandatory filtering system.

Internet users may sign up with their ISPs for the free-of-charge filtering system which blocks "objectionable content", being able to choose from three variants: child, family and domestic.
When an Internet user wants to choose one of the filtering variants, BTK issues a new user name and password enabling the user's access to the chosen filtering system. The users who want to stop using the Internet filtering can change back to a standard no-filter profile.

Although voluntary, the system still raises concerns, one of them being the supervision of the system by a new committee called Child and Family Profiles Criteria Working Committee which, in the opinion of law professor Yaman Akdeniz of Bilgi University in Istanbul, "... does not look independent nor impartial." The professor also believes that the state authorities may be in the position to impose moral values.

More worrying is the fact that the filter blocks not only adult content, but some 130 search terms, including "separatist" content from the PKK and Kurdish rights groups. "I also believe that the Turkish authorities are not only trying to protect children but also adults from the 'so called harmful content'," said Akdeniz.

Moreover, as frequently proven by liberty activists and IT experts, filtering is not a real solution to solve real Internet threats to children. Filters are easy to circumvent, costly and, in most cases, can lead to blocking innocent content in the process.

State censorship can be easily masked by apparently justified reasons such as threats to family and children. Under the cover of protecting children, governments may try to include political censorship by including on the filtering list words that relate more to political criticism and opposition than to child pornography or terrorism.

This Week in Internet Censorship: Opaque Censorship in Turkey, Russia, and Britain (23.11.2011)
https://www.eff.org/deeplinks/2011/11/week-internet-censorship-opaque-censor...

New Internet filtering system available after 3-month test period (21.11.2011)
http://www.todayszaman.com/news-263471-new-internet-filtering-system-availab...
EDRigram: Turkey postpones its Internet filtering plans (24.08.2011)
http://www.edri.org/edrigram/number9.16/turkey-postpones-internet-filtering

============================================================
5. US crackdown on global domain names and IP addresses continues
============================================================

US authorities have resumed their "Operation in Our Sites" in order to attempt to fight counterfeit and piracy-related websites. During this second annual "Cyber Monday" crackdown, Immigration and Customs Enforcement (ICE) has shut down 150 websites from all over the world.

The recent introduction of draft bills, such as the Stop Online Piracy Act (SOPA) and PROTECT IP Act (PIPA) now aims at providing a legal basis for domain names and IP address seizures. SOPA's broad definitions could indeed mean that no online resource in the global Internet would be outside US jurisdiction.

In response to these legislative proposals and repeated unilateral measures against European websites, the European Parliament adopted a resolution on 17 November 2011 in preparation of the EU/US summit stressing "the need to protect the integrity of the global internet and freedom of communication by refraining from unilateral measures to revoke IP addresses or domain names."

The joint EU/US summit declaration published on 28 November 2011 indeed says: "We share a commitment to a single, global Internet, and will resist unilateral efforts to weaken the security, reliability, or independence of its operations".

However, despite the big show of opposition to the US bills and the Parliament's actions, Internet filtering and blocking schemes like SOPA and PIPA are still on the agenda on the other side of the Atlantic claiming worldwide jurisdiction for domain names and IP addresses.

According to recent reports, attempts to terminate the Internet's end-to-end architecture also seem to get even closer to the core of the Internet.
This sort of access restriction is an experiment with key functions of the Internet, increasing the risk of fragmentation of the global Internet and, as one co-chair of RIPE's DNS Working Group stated, this gives restrictive tools "to the bad guys".

Another attempt to govern the Internet is, for instance, the latest international law enforcement action by the FBI against a large botnet. During this action, the FBI, without a court order or without a legal basis, took over the address blocks used by the botnet's nameservers and then assigned those address blocks to Internet Systems Consortium's (ISC) nameservers.

The European Regional Internet Registry RIPE-NCC was rather concerned about the implications of getting involved in policy and governance issues and has now sued the public prosecutor's office to get a judicial decision on the question whether they had sufficient legal ground to order the temporary "lock" of the registrations. The implications of RIPE having to respond to such orders, particularly due to the very wide geographic coverage of its activities, would be very severe indeed.

List of blocked web sites by the Immigration and Customs Enforcement (ICE) (28.11.2011)
http://www.ice.gov/doclib/news/releases/2011/111128washingtondc.pdf

EU-US Summit Resolution by the European Parliament (15.11.2011)
http://www.europarl.europa.eu/sides/getDoc.do?type=MOTION&reference=P7-RC-2011-0577&language=EN

EU-US Summit Joint Declaration (28.11.2011)
http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/11/842

Civil society, human rights groups urge Congress to reject the Stop Online Piracy Act (15.11.2011)
https://www.accessnow.org/policy-activism/press-blog/urge-congress-to-reject...

IP Watch: Filtering and Blocking Closer To The Core Of The Internet? (20.11.2011)
http://www.ip-watch.org/weblog/2011/11/20/filtering-and-blocking-closer-to-t...
RIPE NCC Intends to Seek Clarification from Dutch Court on Police Order to Temporarily Lock Registration (16.11.2011)
https://www.ripe.net/internet-coordination/news/about-ripe-ncc-and-ripe/ripe...

(Contribution by Kirsten Fiedler - EDRi)

============================================================
6. Italian Police blocks sites that had banners to alleged illegal websites
============================================================

The Italian cybercrime police, Guardia di Finanza Agropoli, has recently DNS-blocked a series of websites that were offering links to content indexed on BitTorrent, cyberlockers and eDonkey networks.

Five of the blocked sites belonged to the Italianshare.net network, which were allegedly releasing the links to the movies, games or music before their commercial release. Two more websites that had nothing to do with that network were also blocked.

According to Guardia di Finanza, the sites had advertising and donation accounts operating through PayPal giving the authority the reason to investigate them under commercial piracy and tax evasion accusations. The on-going investigation has led to complaints filed by several anti-piracy groups against the alleged leaders of the websites, resulting in the seizure of their computer equipment.

But two innocent websites, italianstylewebsite.net and freeplayclub.org, have also fallen victim to this action, having apparently been associated with the investigated sites by mistake. The owners of the two websites have both reacted by stating their sites were perfectly legal, their only link with Italianshare.net being an exchange of banners. Their sites hosted only legal links to free downloadable software of computer games.

Furthermore, the two owners stated that they had received no previous warning from the authorities and that initially they thought they had problems with their DNS.
Having received no official notification, they did not even know whom to address in order to prove the legality of their sites.

Fulvio Sarzana, the lawyer of the alleged owner of the Italianshare.net network, stated that, after a first analysis, he believed there had been an obvious anomaly of the preventive seizure procedure. Sarzana's opinion is that the measures taken by the police are incompatible with the free flow of information on the web, as well as the free expression of thought in online forums.

"The principle which we must begin with is that any illegality should be suppressed and not encouraged, when you are certain of course, without prejudice and preconceived ideas about the navigability associated with the P2P service which was used for illegal activity. And when the instruments used to preventively suppress are not in the position to harm constitutional values or rights of third parties."

The lawyer warned that if such preventive seizure can be thus used "without a scrupulous control of alternative means to repress illegal content", this instrument can also be used in cases of defamation through the information media or just blogs. "With a very strong impact upon the freedom of information on the Internet."

Italianshare, the word to the defenders (only in Italian, 17.11.2011)
http://punto-informatico.it/3339573/PI/Interviste/italianshare-parola-alla-d...

Free Play Club, a surprise seizure (only in Italian, 16.11.2011)
http://punto-informatico.it/3337434/PI/Lettere/free-play-club-un-sequestro-s...

Italianstylewebsite / another surprise seizure (only in Italian, 17.11.2011)
http://punto-informatico.it/3339385/PI/Lettere/italianstylewebsite-altro-seq...

Italian Anti-Piracy Blockade Takes Legit Sites Offline (18.11.2011)
http://torrentfreak.com/italian-anti-piracy-blockade-takes-legit-sites-offli...
Cybercrime Police Shut Down Five File-Sharing Sites (11.11.2011)
http://torrentfreak.com/cybercrime-police-shut-down-five-file-sharing-sites-...

============================================================
7. EU-US summit joint statement ignores European civil rights
============================================================

A common statement issued at the EU-US summit that took place on 28 November 2011 at the White House in Washington included several aspects with direct impact on digital civil rights, showing that the US has succeeded again in obtaining what it wanted, while the European Union representatives have failed to protect EU citizens' fundamental rights, especially the right to privacy.

The statement makes clear that while the PNR agreement was negotiated, there is still no deadline for an EU-US data protection agreement. "We welcome the successful completion of negotiations on a new Passenger Name Record agreement, and look forward to its early adoption and ratification", says item 18 of the statement, which continues by mentioning the intention to finalize negotiations on a "comprehensive EU-U.S. data privacy and protection agreement that provides a high level of privacy protection for all individuals and thereby facilitates the exchange of data needed to fight crime and terrorism."

The US has also pushed support for the CoE Cybercrime Convention, but there is nothing stated in relation with a commitment to ratify or at least start to negotiate any of the fundamental rights conventions of the CoE.

Also, the US has rejected a request from the Commission to include net neutrality in the statement, but they have managed to get in their wording on the engagement with the private sector.

"We welcome the progress made by the EU-U.S. Working Group on Cyber-security and Cyber-crime, notably the successful Cyber Atlantic 2011 exercise.
We endorse its ambitious goals for 2012, including combating online sexual abuse of children; enhancing the security of domain names and Internet Protocol addresses; promotion of international ratification, including by all EU Member States, of the Budapest Convention on Cybercrime ideally by year's end; establishing appropriate information exchange mechanisms to jointly engage with the private sector; and confronting the unfair market access barriers that European and U.S. technology companies face abroad," says item 18 of the joint statement.

EU-U.S. Summit joint statement (28.11.2011)
http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/11/842

============================================================
8. Two years into the Stockholm Programme: on the way to e-Fortress Europe?
============================================================

It has been two years now since the Stockholm Programme - a 5-year plan for Justice and Home Affairs - was adopted. On 24 November 2011, an experts' and activists' round table, organised in the European Parliament, raised the question whether Europe was on its way to an e-Fortress. The discussions focused on the proposal for so-called smart borders, the processing of air passenger data (PNR) and the creation of a European Border Surveillance System (EUROSUR).

With the introduction of smart borders, the European Commission aims at implementing more effective border surveillance against "irregular migration" by the use of drone planes, satellite and surveillance systems, unmanned ground or marine vehicles and even combat robots.

EUROSUR is a further attempt by the European Commission to reduce the number of illegal immigrants entering the European Union, to develop common tools and instruments for Member States and to permit an EU-wide exchange of data. A legislative proposal is expected to be published by the Commission around 7 December 2011.
Sergio Carrera, first speaker of the round table and senior research fellow at the Centre for European Policy Studies (CEPS), criticised current policy-making in the field of security, saying that it was not evidence-based and that debates on necessity were non-existent, so that fundamental rights always play a secondary role. During the development of every new project, the presumption of innocence, the consent of individuals and the principle of non-discrimination are rarely taken into account. He doubted that the gaps of Frontex could be closed by EUROSUR.

Owe Langfeldt and Gabriel Blaj from the EDPS stressed that the Commission should provide clear proof that future security policy measures were necessary and effective after their implementation. They also warned of function creep, called for clear purpose limitation and criticised that through the introduction of profiling, for example via PNR agreements, a generalised suspicion was laid upon society. Blaj added that the subgroup on borders and law enforcement of the Article 29 Working Group has recently decided to react to the proposals by the Commission.

Erich Töpfer's (Cilip & Statewatch) short input focused on the corporate interest in the field of security policy and on the fact that border and security measures involve a powerful security-industry complex. Detailed information can be found in the "Arming Big Brother" analysis and in a report for the Transnational Institute which explains how most of the European security research projects have been outsourced to the corporations that have the most to gain from their implementation and examines the EU security-industrial complex.

An open debate followed the short presentations during which the participants of the round table discussed future activities, possible arguments, cooperation and initiatives. The debate centred on useful arguments to counter those in favor of the introduction of more surveillance measures.
The participants agreed on the necessity of an evaluation of existing systems, of impact and cost assessments. Highlighting the export of Western surveillance technologies to the Middle East was suggested, in order to name and shame companies. At the same time, it is crucial for civil society to provide MEPs with counter-facts (regarding EU-PNR for instance).

Tony Bunyan, Director of Statewatch, summarized the debated issues at the end of the event. He pointed out that a very first proposal for EU-PNR already collapsed in 2007 when the European Parliament opposed it. Now, the Parliament and the Commission only needed to be reminded of their own history. However, Bunyan also emphasized the necessity of campaigns outside the Parliament, from the "ground", which would be far more effective than those that focus on winning a majority in the EP only.

European Commission Communication: Smart Border - options and the way ahead (25.11.2011)
http://ec.europa.eu/home-affairs/news/intro/docs/20111025/20111025-680%20en....

Statewatch Analysis: Arming Big Brother
http://www.statewatch.org/analyses/bigbrother.pdf

Transnational Institute: NeoConOpticon Report, The EU Security-Industrial Complex
http://www.statewatch.org/analyses/neoconopticon-report.pdf

Programme of the event: Two Years into the Stockholm Programme - on the way to e-Fortress Europe? (24.11.2011)
http://www.ska-keller.de/images/stories/files/roundtable_e-fortress-europe%2...

(Contribution by Kirsten Fiedler - EDRi)

============================================================
9. New Guidelines to RFID Privacy Impact Assessments
============================================================

On 25 November 2011 the German Federal Office for Information Security (BSI) and the Institute for Management Information Systems of the Vienna University of Economics and Business (WU) held an expert symposium on RFID Privacy Impact Assessments in Berlin and presented their BSI Privacy Impact Assessment (PIA) Guidelines.
The PIA guidelines are based on the RFID PIA Framework, a kind of co-regulation instrument that was signed by Vice President of the European Commission Neelie Kroes and industry representatives earlier this year.

The goal of the guidelines is to explain the PIA Framework and to provide RFID application operators with an in-depth understanding of the framework terminology and proposed procedures. The methodology outlined in the document is understood to be a concretion of the generic process outlined in the PIA framework.

The PIA guidelines will help European RFID operators to ensure a high level of data protection, which can be seen as an important aspect of quality and a unique selling proposition for European companies, said Professor Sarah Spiekermann, Head of the Institute for Management Information Systems.

The PIA guidelines are available from the symposium website. PIA case studies for three different sectors will soon be published by BSI.

In his presentation at the symposium the German Federal Commissioner for Data Protection and Freedom of Information, Peter Schaar, explained that, while Data Protection Authorities (DPAs) might not be able to check each and every PIA report, in future, the results of privacy impact assessments and the implementation of their results will be important aspects in data protection inspections. He therefore asked that PIA reports and the data protection goals identified in the course of the PIA process should be made transparent to DPAs and individuals. Furthermore, Mr. Schaar called for PIA frameworks to be defined on the European level and for the establishment of a European data protection competence centre, which should work on technical means and measures for data protection.

The European Data Protection Supervisor, Peter Hustinx, stressed in his contribution the need to reduce the unhelpful diversity in EU member states' data protection legislation.
While there is no need to reinvent data protection, it is necessary to make the current principles work better, to improve the definition of responsibilities and to ensure a better compliance, he said. With regard to privacy impact assessments, Mr. Hustinx envisaged that these could be optional in some cases while being compulsory in others.

A coherent European approach to the implementation of the RFID Privacy Impact Assessment Framework will be at the centre of a conference organised by the European Commission on 8 February 2012 in Brussels, where experiences with the PIA Framework and the future of the European Commission's RFID Recommendation will be discussed.

As EDRi already expressed earlier, the success of RFID Privacy Impact Assessments will, to a large extent, depend on the quality of the assessment. In particular, it will be crucial to address and eliminate risks that stem from third parties and are not directly related to the RFID applications operated by a given company, but facilitate the RFID tags disseminated by the company.

Expert Symposium on RFID Privacy Impact Assessments, 25.11.2011, Austrian Embassy Berlin
http://www.wu.ac.at/ec/events/piasymposium

RFID Privacy Impact Assessment Guidelines
http://www.wu.ac.at/ec/events/pia_guideline

Federal Office for Security in Information technology - RFID PIA (only in German)
https://www.bsi.bund.de/DE/Themen/ElektronischeAusweise/RadioFrequencyIdenti...

EDRi-gram: EU supports RFID with proper protection of consumers' privacy (20.05.2009)
http://www.edri.org/edri-gram/number7.10/rfid-european-commission-recommanda...
EDRi-gram: RFID Privacy Impact Assessment Framework formally adopted (06.04.2011)
http://www.edri.org/edrigram/number9.7/rfid-pia-adopted-eu

EDRi-gram: ENDitorial: RFID PIA: Check against delivery
http://www.edri.org/edrigram/number9.10/rfid-pia-check-against-delivery

European Commission Conference: 08.02.2012: Implementation of the RFID Privacy Impact Assessment (PIA) Framework
Invitation:
http://ec.europa.eu/information_society/policy/rfid/documents/piaconferencei...
Programme:
http://ec.europa.eu/information_society/policy/rfid/documents/piaconferencep...

(Contribution by Andreas Krisch - EDRi)

============================================================
10. ENDitorial: Advocate General on Data Retention: Strange answer&question
============================================================

The Advocate General of the European Court of Justice recently issued an opinion on the case of Bonnier Audio vs Perfect Communication Sweden (case no. C-461/10). The question to be answered was whether the Data Retention Directive and/or articles 3, 4, 5 and 11 of the E-Privacy Directive prevent Member States from permitting internet service providers in civil proceedings to be ordered to give copyright holders information on subscribers that allegedly infringed intellectual property rights, as foreseen by Article 8 of the IPR Enforcement Directive. The question partly seeks to answer itself, by explicitly demanding an assumption that the measure is proportionate and that evidence of an infringement has been "adduced".

The answer from the Advocate General is, "no", there is nothing in the Data Retention Directive nor the E-Privacy Directive which would prevent a national administration from imposing a measure requiring stored data to be used to identify people within the scope of the IPR Enforcement Directive.
However, such information should be stored for the purpose of possible disclosure to IPR holders, according to detailed national provisions and compliant with EU law on data protection.

He bases this view on various elements. Firstly, regarding the Data Retention Directive, he explains that this is not relevant in the context of this specific case.

However, his views on the E-Privacy Directive are the most interesting and difficult to comprehend. This analysis explains that Member States may impose data retention for purposes outside the scope of the legal basis of the Directives. This analysis was confirmed by the European Commission in a declaration at the time of adoption of the Directive. As the Commission explained in its position on the common position, "the present Directive based on Article 95 of the Treaty cannot include substantive provisions on law enforcement measures. It should neither prohibit nor approve any particular measure Member States may deem necessary."

Article 15 of the E-Privacy Directive does explain that such an infringement of the fundamental right to privacy must be adequately justified - namely that any such measure be "necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC."

However, the Advocate General is clear that the restrictions described in Article 15.1 of the E-Privacy Directive must be respected for any data storage to be legal. The Advocate General makes no effort to explain why such a measure would or could be "necessary" as well as being proportionate (the question attempts to preempt the court by explaining that proportionality is assumed).
This is surprising when we bear in mind the only position taken so far on long-term, suspicionless retention of data on innocent citizens - the Telefonica/Promusicae case. In that case, the Advocate General argued that "(i)t may be doubted whether the storage of traffic data of all users without any concrete suspicion - laying in a stock, as it were - is compatible with fundamental rights."

How did we move from a situation before the adoption of the Charter of Fundamental Rights where an Advocate General said that data retention per se is of questionable legality, to a position now, under the Charter, where an Advocate General believes it is permissible for narrow business interests - ignoring the fact that data retention was explicitly implemented under the condition that it was for fighting "serious crime"? Maybe the answer lies in the fact that the question demands that the ECJ makes the very dubious assumption that the measure being imposed is "proportionate".

Having ignored the part of the Telefonica/Promusicae case that highlighted the serious dangers of data retention for fundamental rights, perhaps the oddest interpretation is the one that relies on analysis in that case. The Advocate General explains that, during the implementation of Directives in national law, a fair balance of different fundamental rights must be respected. This is odd because the case in question does not concern implementation of EU Directives into national laws, it concerns the question whether new, additional and unforeseen implementations of data retention are forbidden by the relevant legislation or not.

Starting from this questionable logical basis, the Advocate General treats private property "rights" of narrow business interests as fully equal to the rights of citizens as a whole.
While this is unfortunately, in abstract terms, correct, he then fails to address the fact that, in specific terms, it is not appropriate to treat narrow business interests as being of equal value to the privacy of the entire society. This position has, thankfully, already been contradicted by the Court in last week's Scarlet/Sabam case, where the judges ruled that "The protection of the right to intellectual property is indeed enshrined in Article 17(2) of the Charter of Fundamental Rights of the European Union. There is, however, nothing whatsoever in the wording of that provision or in the Court's case-law to suggest that that right is inviolable and must for that reason be absolutely protected."

However, the ultimate conclusion that the Advocate General comes to is probably the only possible one as a result of the very leading way in which the question was posed. Having been asked to assume that any such measure was proportionate (and assuming that intellectual property breaches are criminal offences), there is nothing in the Directives mentioned in the question which would prevent a Member State from introducing a new law to require data retention for intellectual property enforcement purposes - as long as the minimum criteria set out in the E-Privacy Directive are respected.

It is to be hoped that the Court will not restrict itself to the very questionable assumption of proportionality and address necessity and proportionality as well. If it does, the result should be quite different, as Advocate General Kokott already pointed out in the Telefonica/Promusicae case.

Commission Declaration
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52002PC0338:EN:H...

Data Retention Directive
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:006...

E-Privacy Directive
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:NO...
ECJ Cases:
Telefonica/Promusicae: Case C-275/06
Scarlet/Sabam: Case C-70/10
Bonnier Audio/Perfect Communications: Case C-461/10
all accessible at http://curia.europa.eu/jcms/jcms/j_6/

(Contribution by Joe McNamee - EDRi)

============================================================
11. Recommended Action
============================================================

Stop ACTA!
http://www.edri.org/stopacta

============================================================
12. Recommended Reading
============================================================

EDPS calls for strengthening of proposed Regulation on the Internal Market Information System (22.11.2011)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/P...
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consul...

Sweden: Net Neutrality: Mobile Broadband Suppliers Discriminate Against BitTorrent (22.11.2011)
http://torrentfreak.com/net-neutrality-mobile-broadband-suppliers-discrimina...
http://www.iis.se/docs/N%C3%A4tneutralitet2011.pdf

Data losses from local authorities in UK (23.11.2011)
http://www.bigbrotherwatch.org.uk/home/2011/11/local-authority-data-loss-exp...
http://bigbrotherwatch.org.uk/la-data-loss-breakdown.pdf

============================================================
13. Agenda
============================================================

7 December 2011, Bruxelles, Belgium
"Self"-regulation: Should online companies police the Internet?
http://selfregulation.tumblr.com/

9 December 2011, The Hague, Amsterdam
Conference on internet freedom hosted by the Dutch Ministry of Foreign Affairs
http://www.minbuza.nl/en/ministry/conference-on-internet-freedom/internetfre...
27-30 December 2011, Berlin, Germany
28C3 - 28th Chaos Communication Congress
http://events.ccc.de/category/28c3/
http://events.ccc.de/congress/2011/

25-27 January 2012, Brussels, Belgium
Computers, Privacy and Data Protection 2012
http://www.cpdpconferences.org/

16-18 April 2012, Cambridge, UK
Cambridge 2012: Innovation and Impact - Openly Collaborating to Enhance Education
OER12 and the OCW Consortium's Global Conference
http://conference.ocwconsortium.org/index.php/2012/uk

14-15 June 2012, Stockholm, Sweden
EuroDIG 2012
http://www.eurodig.org/

9-10 July 2012, Barcelona, Spain
8th International Conference on Internet Law & Politics: Challenges and Opportunities of Online Entertainment
Abstracts deadline: 20 December 2011
http://edcp.uoc.edu/symposia/idp2012/cfp/?lang=en

============================================================
14. About
============================================================

EDRi-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRi has 28 members based or with offices in 18 different countries in Europe. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRi-grams.

All contributions, suggestions for content, corrections or agenda-tips are most welcome. Errors are corrected as soon as possible and are visible on the EDRi website.

This EDRi-gram has been published with financial support from the EU's Fundamental Rights and Citizenship Programme.

Except where otherwise noted, this newsletter is licensed under the Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/

Newsletter editor: Bogdan Manolea <edrigram@edri.org>

Information about EDRI and its members:
http://www.edri.org/

European Digital Rights needs your help in upholding digital rights in the EU. If you wish to help us promote digital rights, please consider making a private donation.
http://www.edri.org/about/sponsoring
http://flattr.com/thing/417077/edri-on-Flattr

- EDRI-gram subscription information

subscribe by e-mail
To: edri-news-request@edri.org
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.

Unsubscribe by e-mail
To: edri-news-request@edri.org
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay. Translations are provided by Metamorphosis
http://www.metamorphosis.org.mk/edri/2.html

- EDRI-gram in German

EDRI-gram is also available in German, with delay. Translations are provided by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for Internet Users
http://www.unwatched.org/

- Newsletter archive

Back issues are available at:
http://www.edri.org/edrigram

- Help

Please ask <edrigram@edri.org> if you have any problems with subscribing or unsubscribing.