============================================================ EDRi-gram biweekly newsletter about digital civil rights in Europe Number 9.7, 7 April 2011 ============================================================ Contents ============================================================ 1. Czech Constitutional Court rejects data retention legislation 2. EDRi responds to IPR Enforcement consultation 3. EDPS criticizes the EU PNR scheme 4. Ten Internet Rights & Principles for Human Rights and Social Justice 5. Judicial Review of the Digital Economy Act 6. German Internet blocking law to be withdrawn 7. 80 NGOs ask CoE to investigate government collection of biometrics 8. RFID Privacy Impact Assessment Framework formally adopted 9. Website blocking and suspension discussions in the UK 10. Big Brother Awards Germany 2011 11. Privatised online enforcement series: B. Is "self-regulation" worse than useless? 12. ENDitorial Data Retention: Is the EC trying to dig itself out of a hole? 13. Recommended Action 14. Recommended Reading 15. Agenda 16. About ============================================================ 1. Czech Constitutional Court rejects data retention legislation ============================================================ The Czech Constitutional Court declared national data retention legislation unconstitutional on 31 March 2011. This is part of the Electronic Communications Act and its implementing legislation according to which records of e-mails, phone calls, and SMS as well as website accesses of every citizen should be retained by telecommunications companies for a time period of six months, as an implementation of the Data Retention Directive. This court decision followed previous decisions of the constitutional courts of Germany and Romania.
The complaint filed with the Constitutional Court was prepared by activists from EDRi-member Czech civic rights organisation Iuridicum Remedium and 51 MPs from the Civic Democratic Party (ODS) and the Green Party (SZ) who signed it in March 2010. The Constitutional Court decision criticizes the Czech transposition of the Data Retention Directive. The Czech legislation requires the retaining of a larger number of data than the directive demands, where the use of data is not limited to investigating terrorism and serious organised crime. There was a lack of the principle of subsidiarity in the legislation related to eavesdropping, although these data are equally sensitive. This has led to a large number of requests for such data by the police. The national legislation lacked, according to the constitutional court, clear and detailed rules for the protection of personal data as well as the obligation to inform the person whose data has been requested. The court said that EU law was not part of the constitution of the Czech Republic and that the directive could therefore not be reviewed by the Constitutional Court. According to the court decision, the content of the Data Retention Directive gives the Czech Republic sufficient space for its constitutionally conformal transposition. However, the Constitutional Court has doubts about the necessity and proportionality of the data retention principle in the obiter dictum paragraphs (p. 55-57). The court doubted whether the blanket monitoring of the communications of all citizens in terms of intensity of intervention into the private sphere is necessary and appropriate. The court also doubted the effectiveness of the use of the retained data in combating crime, particularly with reference to the possibility of anonymising communications. 
The police statistics show that despite a significant increase in the number of requests for traffic and location data, this did not translate into a proportional number of committed and solved crimes. The Constitutional Court also regards certain provisions of the Criminal Act concerning the use of such data by authorities engaged in criminal proceedings as highly questionable and it called on MPs to consider their modification. According to the Court, it will be necessary to consider each individual case in which data have already been requested in order to be used in criminal proceedings, with respect to the principle of proportionality regarding privacy rights infringement. Text of the complaint (only in Czech) http://www.slidilove.cz/content/plne-zneni-stiznosti-us-kvuli-ceskemu-data-r... Text of the court decision (only in Czech) - to be translated in English in the next 2 weeks http://www.concourt.cz/clanek/GetFile?id=5075 Constitutional Court: Spying on Communication Declared Unconstitutional (31.03.2011) http://www.slidilove.cz/en/english/constitutional-court-spying-communication... Constitutional Court invalidates telecommunications data retention law (1.04.2011) http://www.radio.cz/en/section/curraffrs/constitutional-court-invalidates-te... Czech Republic: Constitutional Court Overturns Parts of Data Retention Law (01.04.2011) http://www.loc.gov/lawweb/servlet/lloc_news?disp3_2601_text (Contribution by Jan Voboril - EDRi-member IuRe - Czech Republic) ============================================================ 2. EDRi responds to IPR Enforcement consultation ============================================================ European Digital Rights has submitted on 31 March 2011 its response to the European Commission's consultation on the implementation of the IPR Enforcement Directive.
The response examines the claims made by the Commission, the evidence (or lack thereof) for its assumptions and the lessons that it draws and fails to draw from the experience of European citizens with the implementation of the Directive. The first section of the response deals with the overall approach of the Commission and its reaction to what it calls "ubiquitous" unauthorised filesharing online. EDRi questions whether many of the assumptions regarding the "cost" of such filesharing are correct, particularly with a growing body of research indicating that the impact is either zero or close to zero. This leads on to a more fundamental question of the legitimacy of current copyright legislation. If breaches really are "ubiquitous," is a response which is mainly or wholly based on repression either proportionate or effective? With equally ubiquitous problems concerning the cost, the format and the availability of audiovisual material, would it not be better to properly service the market rather than enforce respect for a broken market? With regard to criminal law and unauthorised access to audiovisual content, EDRi argues that the Commission's current approach of treating "counterfeiting and piracy" as one phenomenon, as if the causes and solutions for counterfeit medication are the same as for private music downloading, is simply wrong. Indeed, worse than that, treating both as the same can only result in either counterfeit drugs being subject to unduly weak countermeasures or unauthorised access to audiovisual material being treated disproportionately harshly. The response pays particular attention to the vague and dangerous assertion that the fundamental right to privacy can somehow be re-balanced against the right, included in the Charter of Fundamental Rights, to property. The response points out that a balance between rights can never be done in the abstract, rendering the whole approach by the Commission meaningless.
It goes on to point to the UNESCO Convention on Protection and Promotion of the Diversity of Cultural Expressions (which the EU collectively and almost all Member States individually have signed up to), which, in article 2, explains that "cultural diversity can be protected and promoted only if human rights and fundamental freedoms, such as freedom of expression, information and communication, as well as the ability of individuals to choose cultural expressions, are guaranteed." In its report, the Commission also subtly mentions that "it could be useful to clarify that injunctions should not depend on the liability of the intermediary". What this means in practice is that courts could ignore the provisions of the E-Commerce Directive on "mere conduit" (regarding access to illegal material) and on the imposition of a "general obligation to monitor". The Commission's view - and the view that it has given to the European Court of Justice in the Scarlet/Sabam case - is that national courts may (and should) impose monitoring, blocking and filtering obligations on Internet service providers and that the E-Commerce Directive should not prevent them from doing this. The Commission's analysis fails to acknowledge, let alone address, how this would be compatible with the European Charter of Fundamental Rights - the same Charter that it so eagerly uses to defend the weakening of the fundamental right to privacy. The EDRi response concludes by listing a set of issues to be addressed in any impact assessment used to justify a re-opening and extension of the IPR Enforcement Directive. EDRi response to IPRED Consultation (31.03.2011) http://www.edri.org/files/edri_ipred_110331.pdf Report on the enforcement of intellectual property rights (COM(2010) 779) http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52010DC0779:EN:N...
Analysis of the application of Directive 2004/48/EC on the enforcement of intellectual property rights in the Member States (SEC(2010) 1589) http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=SEC:2010:1589:FIN:EN:P... (Contribution by Joe McNamee - EDRi) ============================================================ 3. EDPS criticizes the EU PNR scheme ============================================================ Peter Hustinx, the European Data Protection Supervisor (EDPS) issued on 25 March 2011 his opinion on the European Commission's proposal to oblige airline carriers to provide EU Member States with personal data (PNR) on passengers entering or leaving the EU space, with the declared purpose to fight serious crime and terrorism. On 2 February 2011, the European Commission made a new proposal for a PNR Directive, to extend the passenger-tracking systems already in use in the UK and US to all flights to and from the EU. PNR data may include personal information such as home addresses, email addresses, mobile phone numbers, frequent flyer information, and even credit card information. In the EDPS' opinion, although the new proposal is an improved version as compared to the previous document released in 2007, particularly due to the addition of data protection safeguards, the restriction of the proposal's scope and the conditions for PNR data processing under EU data protection law, it is still unjustified. The EDPS draws attention to the fact that the Proposal does not meet "the essential prerequisite to any development of a PNR scheme - i.e. compliance with necessity and proportionality principles". The EDPS emphasizes that the need to collect or store massive amounts of personal data must be substantiated by a clear demonstration of the relationship between use and result (necessity principle). 
Hustinx believes the proposal and the accompanying Impact Assessment fail to demonstrate the necessity and the proportionality of a large collection of PNR data for the purpose of the systematic assessment of all passengers. The EDPS raises concerns related to the use of PNR data "in a systematic and indiscriminate way" and believes that the only measure compliant with data protection requirements would be the use of PNR data on cases when there is a serious threat established by concrete indicators on a case-by-case basis. Hustinx makes a series of recommendations, among which a further limitation of the proposal's scope that would exclude minor crimes and the possibility for Member States to extend its reach. He also questions the inclusion of serious crimes which have no relation to terrorism. One recommendation is the limitation of the data retention period to 30 days, except for cases which require further investigation. The data should be retained in an identifiable form. The EDPS recommends a higher standard of safeguards, especially in relation to the data subjects' rights and transfers to third countries. While welcoming the fact that sensitive data were not included in the list of data to be collected, the EDPS still considers the list to be too extensive and recommends its further reduction in agreement with the recommendations of the Article 29 Working Party and the EDPS. Hustinx says that an assessment of the EU PNR system "should be based on comprehensive data, including the number of persons effectively convicted - and not only prosecuted - on the basis of the processing of their data." He also recommends the assessment of the system "in a broader perspective including the ongoing general evaluation of all EU instruments in the field of information exchange management launched by the Commission in January 2010. 
In particular, the results of the current work on the European Information Exchange Model expected for 2012 should be taken into consideration in the assessment of the need for an EU PNR scheme." Meanwhile, the UK Home Office has expressed concern over the delay of the draft PNR Directive and has shown its support for the extension of any passenger-tracking system to flights between EU countries as well as those outside EU territory. The House of Lords has recently urged the Government to opt in to the proposal, ensuring its change to include all international flights. EU Passenger Name Record: proposed system fails to meet necessity requirement, says EDPS (28.03.2011) http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/P... Opinion of the European Data Protection Supervisor on the Proposal for a Directive of the European Parliament and of the Council on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (25.03.2011) http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consul... PNR should be deleted after 30 days, says EU privacy watchdog (1.04.2011) http://www.out-law.com//default.aspx?page=11847 EDRi-gram: Commission's proposal for PNR Directive fails to impress MEPs (9.02.2011) http://www.edri.org/edrigram/number9.3/commission-pnr-directive ============================================================ 4. Ten Internet Rights & Principles for Human Rights and Social Justice ============================================================ The Internet Rights and Principles Dynamic Coalition (DC-IRP) launched on 31 March 2011 its "10 Internet Rights and Principles" for an Internet governance rooted in human rights and social justice. 
These 10 Internet Rights and Principles are part of a global initiative undertaken in the framework of the UN Internet Governance Forum (IGF), by the DC-IRP to develop a comprehensive Charter of Human Rights and Principles for the Internet. In addition to the 10 Internet Rights and Principles, the Charter is built into two sections. The first interprets human rights and defines principles that stem from these rights for the purposes and concerns of the information society. The second section addresses the roles that different actors and stakeholders should play in order to uphold these rights and principles. This Charter is not an attempt to create new rights, but to reinterpret and explain universal human rights standards in a new context - the Internet. The Charter re-emphasizes that human rights apply online as they do offline: human rights standards, as defined in international law, are non-negotiable. The Charter also identifies principles, deriving from human rights, which are necessary to preserve the Internet as a medium for civil, political, economic, social and cultural development. It describes the responsibilities that states have in relation to the Internet as well as the part that all individuals and society organs have to play, considering that the Internet is, through its design, a trans-boundary multi-stakeholder environment where no single entity has control. In this context, the 10 Internet Rights and Principles outline the core demands in order to defend and expand the Internet as a space which is empowering, open and accessible to all. To this end, they identify the main requirements that should be met in the online environment, with regards to: universality and equality; rights and social justice; accessibility; expression and association; privacy and data protection; life, liberty and security; diversity; network equality; standards and regulation; and Governance. 
Such guidelines for policy and practice are much needed at a time where human rights and social justice are under a double threat on the Internet, from governments (both authoritarian and democratic) who seek to control it, and from businesses who seek to monetise it. The 10 Internet Rights and Principles were launched at the second expert meeting on "Freedom of Expression and the Internet" in Stockholm, convened on 30-31 March 2011 by the Swedish Ministry for Foreign Affairs. The UN Special Rapporteur for Freedom of Opinion and Expression and the OSCE Representative on Freedom of the Media, who attended this launching event, welcomed this initiative. The DC-IRP is an international multi-stakeholder network of people and organisations - among them a number of EDRi members and observers - who are working to uphold human rights on and through the Internet. Its Charter is currently released as a beta version, and the Coalition welcomes comments and contributions on its website. The 10 Internet Rights and Principles derive from the Charter, distilling it down into 10 core demands. They are already available in more than 15 languages, with further translations still expected. DC-IRP main website with the 10 Internet Rights and Principles http://internetrightsandprinciples.org/ DC-IRP website dedicated to its Charter http://www.irpcharter.org Second Expert Meeting on Human Rights and the Internet Stockholm (30-31.03.2011) http://www.regeringen.se/sb/d/14187/a/165534 (Contribution by Meryem Marzouki, EDRi-member IRIS - France) ============================================================ 5. Judicial Review of the Digital Economy Act ============================================================ In July 2010 UK ISPs TalkTalk and BT filed papers seeking a Judicial Review (JR) of the Digital Economy Act, and were then granted a hearing. In the UK, JRs are rare. They can be brought when there is concern that a UK law contradicts over-riding legislation (e.g. European law). 
They sought the Review on four grounds: that the UK government didn't notify the EU as required under the Technical Standards Directive; that the Act does not comply with e-privacy laws; that the Act does not comply with e-commerce legislation; and that the Act has a "disproportionate" effect on ISPs, businesses and the public. More recently a fifth ground was added, related to the Costs Sharing Order and its consistency with the "Authorisation Directive." The hearing began on 23 March and finished on 28 March 2011. The Claimants BT and TalkTalk were joined by Consumer Focus and Article 19, who submitted evidence of the "chilling effect" of the DEAct. EDRi-member Open Rights Group submitted evidence as a "friend of the court", covering primarily the effect on public Wi-Fi provision, the privacy questions, and the weaknesses of IP evidence. As well as legal submissions from Francis Davey, we submitted a witness statement from Jim Killock and an expert report on the technical questions behind a reliance on IP address evidence from Richard Clayton. The primary Defendant is the Secretary of State for Business, Skills and Industry (i.e. the Minister in charge of the department that was responsible for the Bill / Act at the time of passing). They were joined by the BPI, the British Video Association Limited, Broadcasting Entertainment Cinematograph and Theatre Union, Equity, Film Distributors' Association, the Premier League, the MPA, The Musicians Union, Producers Alliance for Cinema and Television, and Unit. A full daily summary of the JR hearing is up on our blog. There seemed (to this not-legally-trained observer) to be two key points and one interesting observation. First, that the Defence spent a long time arguing that the substantive powers to which the grounds of the JR should apply are not contained in the Act and will be in the yet-to-be-published final 'Initial Obligations Code'.
A key question for the Judge is the extent to which the Act determines the important substantive details concerning the obligations on ISPs and consumers, which would make it possible for the Judge to decide on whether the Act as it stands with or without the IOC is in breach of EU law - or whether in fact it is the IOC that will in effect enact substantive powers. Second, the judge was very careful in his assessment of the nature of the "proportionality" test he was being asked to consider, and the extent to which he was being asked to make a judgement on the policy judgements that Parliament have made. He seemed to be reluctant to be drawn into a judgement on the accuracy or wisdom of a public policy assessment. One interesting point is that many of the arguments that policy wonks might think are most important, for example concerning how robust the evidence used to justify the Act is, or the likely benefits of the Act, were seemingly some of the least important in legal terms. It is very hard indeed to guess which way the Judge will fall. He listened carefully to all arguments. The Judge said that he'll take his time to consider the submissions; we expect (speculation) that this means 6 to 8 weeks from the end of the hearing. Judicial review of the Digital Economy Act (8.07.2010) http://www.talktalkblog.co.uk/2010/07/08/judicial-review-of-the-digital-econ... Digital Economy Act 2010 to Face Judicial Review (9.12.2010) http://www.olswang.com/newsarticle.asp?sid=558&aid=3224 Submission to the Judicial Review of the Digital Economy Act (1.02.2011) http://www.openrightsgroup.org/ourwork/reports/submission-to-the-judicial-re... DEA Judicial Review - Day 1 (23.03.2011) http://www.openrightsgroup.org/blog/2011/dea-judicial-review-day-1 (Contribution by Peter Bradwell - EDRi-member Open Rights Group - UK) ============================================================ 6. 
German Internet blocking law to be withdrawn ============================================================ On 5 April 2011, Germany's governing conservative and liberal parties agreed in a coalition committee meeting that the disputed law on Internet blocking of child abuse material (Zugangserschwerungsgesetz, ZugErschwG, "Access Impediment Act") will be dropped. The law had been enacted by the previous parliament in June 2009, but it had never been fully implemented after the newly elected coalition decided to only use the law's provisions for take-down, not those for blocking. After a one-year "trial period", the new consensus seems to be that the law will be withdrawn through a new act of the Parliament. There is speculation that the decision could be part of a wider "package deal" that might see Germany's data retention revived after the German Constitutional Court had declared the previous data retention law partly unconstitutional, but this was denied by speakers for Germany's liberal party, FDP. German digital rights groups welcomed the decision on the blocking law, but they will be watching how it is implemented in detail. Last EDRi-gram article on Germany's Internet blocking law, reporting on the law's history and a pending constitutional challenge that would be rendered obsolete if the law is now withdrawn (23.02.2011) http://www.edri.org/edrigram/number9.4/germany-constitutional-case-web-block... EDRi-gram on the ruling against Germany's data retention law (10.03.2010) http://www.edri.org/edrigram/number8.5/german-decision-data-retention-uncons... (Contribution by Sebastian Lisken, EDRI member FoeBuD) ============================================================ 7. 
80 NGOs ask CoE to investigate government collection of biometrics ============================================================ An international alliance of organisations, including EDRi and several EDRi-members, and individuals from 27 countries has lodged a petition calling on the Council of Europe to start an in-depth survey on the collection and storage of biometric data by member states. European governments are increasingly demanding the storage of biometric data (fingerprints and facial scans) from individuals. These include storage on contactless "RFID" chips in passports and/or ID cards. Some are going even further by implementing database storage e.g. France, Lithuania and the Netherlands. The alliance of more than 80 signatories has asked Secretary General Thorbjørn Jagland of the Council of Europe to urgently request the countries involved to explain under Article 52 ECHR whether their national law on this subject is in line with the European Convention on Human Rights (ECHR) and rulings of the European Court of Human Rights. In the petition to Strasbourg the alliance states: "It is vital to obtain an overview of the current 'patchwork' of different national laws that regulate this sensitive and important subject. An in-depth survey has to be conducted on whether the human rights guarantees and conditions of necessity (proportionality, subsidiarity and safety guarantees) set by the Convention are indeed upheld." These rights include the protection of human treatment (Article 3 ECHR), safety (Article 5), a fair trial (the privilege against self-incrimination and presumption of innocence) (Article 6), physical integrity and family and private life (Article 8), effective national legal remedies (Article 13), non-discrimination (Article 14) and the right to leave your country (Article 2 Protocol 4). "Article 52 clearly designates the Secretary General of the Council of Europe as the guardian of the fundamental rights placed at risk by this practice.
We would like to emphasize that national biometric registration legislation (often in combination with other laws) should not 'lead to destroying democracy on the ground of defending it'", the alliance warns. "In a democratic society the collection of the biometrics of an entire population is a disproportionate and for other reasons unnecessary interference with the right to privacy and other rights like the presumption of innocence, protected by the Convention. Because of these concerns the United Kingdom Government recently abandoned the policy of collecting fingerprints of citizens. Yet most countries are keen to fingerprint groups and populations of people who have committed no crime, thus increasing the chances of identity fraud", says Simon Davies of Privacy International, which co-ordinated the online petition initiative. The signatories include, amongst others, digital, civil and human rights defenders, media, legal and medical organisations, academia, politicians and personal victims without a passport because of objections involving the biometric storage. The press release in other languages: Dutch, French, German, Spanish, Lithuanian and Slovak - for immediate publication (see bottom of the page) https://www.privacyinternational.org/article/alliance-raises-concerns-about-... Text of petition (with the list of signatories) (31.03.2011) https://www.privacyinternational.org/article/petition-council-europe-governm... EDRi-gram: Final call for petition on government use of citizens' biometrics (9.03.2011) http://www.edri.org/edrigram/number9.5/petition-coe-privacy-biometrics Highlights of the petition (6.03.2011) http://www.pogowasright.org/?p=22180&cpage=1#comment-334 (Thanks to Robin Caron from the Alliance) ============================================================ 8. 
RFID Privacy Impact Assessment Framework formally adopted ============================================================ The Privacy Impact Assessment Framework for RFID applications (RFID PIA) was officially signed by European Commission Vice President Neelie Kroes, representatives of the RFID industry, the chairman of the Article 29 Working Party, Jacob Kohnstamm, and the Executive Director of the European Network and Information Security Agency (ENISA), Udo Helmbrecht. The ceremony took place today, 6 April 2011, in the European Commission's Berlaymont building in Brussels. In its 2009 recommendation on the implementation of privacy and data protection principles in RFID applications, the European Commission suggested that the RFID industry should develop a framework for RFID privacy and data protection impact assessments. In the months following this recommendation a first draft PIA framework was developed by an informal working group of industry representatives to which EDRi and other stakeholders were also invited to contribute their views. This first draft RFID PIA framework was submitted for endorsement to the Article 29 Working Party, which did not endorse the framework but published on 13 July 2010 in its working paper no. 175 a request for improvements. Further improvements were suggested by ENISA in July 2010. In January 2011 a revised PIA Framework was submitted to the Article 29 Working Party, which formally endorsed it by publishing the framework as an annex to its working paper no.180 on 11.02.2011. In EDRi's opinion the RFID PIA Framework, that was formally signed today, properly follows a risk assessment methodology, which addresses the data protection targets defined in the European data protection legal framework and provides therefore a sound basis for a meaningful assessment of data protection risks for RFID applications. The RFID PIA Framework is an important milestone on the way to the implementation of privacy friendly RFID applications. 
Now it is important that industry quickly but thoroughly implements the PIA in practice. Today's formal signing ceremony took place before the background of the German Big Brother Awards, which were presented in Bielefeld only a few days earlier. One of the unpopular awards was given to the European Fashion Label Peuterey for violating the data protection rights of their customers by secretly tagging their fashion products with RFID chips. The next twelve months will show how the new RFID PIA Framework is received by industry, as the European Commission is expected to present its report on the implementation of the RFID recommendation, its effectiveness and its impact on operators and consumers in May 2012. EDRi sincerely hopes that today's important milestone will be followed by a number of serious implementation efforts and that last week's German Big Brother Award was the last one in Europe that will be awarded to a RFID operator. Commission Recommendation on the implementation of privacy and data protection principles in applications supported by radio-frequency identification (12.05.2009) http://ec.europa.eu/information_society/policy/rfid/documents/recommendation... EDRi-gram 7.10: EU supports RFID with proper protection of consumers' privacy (20.05.2009) http://www.edri.org/edri-gram/number7.10/rfid-european-commission-recommanda... 
Article 29 Working Party: Opinion 5/2010 on the Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp175_en.pdf ENISA Opinion on the Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications (31.03.2010) http://www.enisa.europa.eu/media/news-items/enisa-opinion-on-pia EDRi-gram 8.15: ENDitorial: Industry RFID PIA: not endorsed in its current form (28.07.2010) http://www.edri.org/edrigram/number8.15/article-29-no-to-rfid-pia Article 29 Working Party: Opinion 9/2011 on the revised Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp180_en.pdf Annex: Privacy and Data Protection Impact Assessment Framework for RFID Applications http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp180_annex_en... (contribution by Andreas Krisch - EDRi) ============================================================ 9. Website blocking and suspension discussions in the UK ============================================================ UK Minister Ed Vaizey is involved in discussions for private blocking schemes to prevent access to copyright infringing websites. This follows the delays in implementing the Digital Economy Act. It is believed by the EDRi-member Open Rights Group and others that music and film lobby groups are pushing for private measures that would avoid the need for legislation and potentially human rights considerations such as due process and freedom of expression. Nominet, the .uk registry, is also engaging a wide range of bodies to create procedures for suspension of domains believed to be involved in criminal activity. Over the last two years, they have been suspending domains on request from the police, with an appeals procedure but no examination of the legal and human rights implications.
The consultation therefore presents a step forward in creating transparency but also a longer term danger, as registry suspensions could be abused as a short cut for law enforcement agencies. Silence from the website blocking Working Group (5.04.2011) http://www.openrightsgroup.org/blog/2011/silence-from-the-website-blocking-w... Nominet talks about domain suspensions (5.04.2011) http://www.openrightsgroup.org/blog/2011/nominet-talks-about-domain-suspensi... (Contribution by Jim Killock - EDRi-member Open Rights Group - UK) ============================================================ 10. Big Brother Awards Germany 2011 ============================================================ The eleventh German Big Brother Awards were bestowed on Friday 1 April 2011 in Bielefeld, Germany. Organized by EDRi member FoeBuD, the ceremony featured eight negative awards in various categories. In the "Communication" category, Facebook was one winner for "systematically poking its nose into people and their relationships, behind the friendly façade of an ostensibly free service". In the awards speech, Facebook was described as a "gated community" on the Internet, comparing it, in several aspects, to the closed housing estates found in an increasing number of places across the world. Another "Communication" award went to Apple for virtually "blackmailing" its customers into accepting a dubious privacy policy as part of a terms and conditions document that, when displayed on the iPhone, takes up 117 pages. Consent to the privacy conditions should be voluntary, according to Germany's data protection law, but without consent, the iPhone's functions are reduced to telephony. With consent, Apple and partners receive excessive amounts of data, including the device's location. 
One winner in the "Workplace" category was German car maker Daimler, one of several employers that demand blood tests from their employees, which, in most cases, was not required by industrial law - in the words of the award speech, a form of modern-day vampirism. Another "Workplace" award went to the German Customs authority, for promoting a certification named "Authorized Economic Operator" (AEO) to companies with international business relationships. The certification involves checking each employee against EU or US anti-terror lists. This use of personal data has no legal foundation, meaning that German Customs encourage companies to use their employees' personal data in an illegal way. In the "Technology" category, the fashion brand Peuterey was cited for introducing RFID in clothing, not as theft-prevention attachments but sewn into jackets under a label saying "do not remove this label". The "Consumer Protection" award went to a publishing house called "Knowledge and Information" (Verlag für Wissen und Information) that doesn't actually produce and trade its own books but asks schools to distribute book coupons which can only be redeemed if names and addresses of the pupil and at least one parent are supplied. A blogger's investigation uncovered that the "publisher's" business model was mainly a partnership with financial investment advisers and with a manufacturer of vitamin pills. Those that accepted and used the coupons were offered a telephone "interview" on the subject of "learning, health, and future". One award was actually collected by its winner (only the third time that this has happened in eleven years): Gert Wagner, head of the "census commission" that promotes this year's German census, defended the project against the accusation that it collects excessive and dangerous amounts of data, with too little information and without legal recourse. 
Mr Wagner's courage was appreciated, but when he attempted to put down his critics as "living in a parallel universe" and stressed that the census was justified by the mere fact that it had proper legal foundation, it did not win him many friends in the audience. The winner in the "Politics" category was the Interior Minister in the state of Lower Saxony, Uwe Schünemann, for the first known use of a police drone for clandestine monitoring of a public gathering during protests against a nuclear waste transport to Germany's main storage facility at Gorleben in the Wendland region. The audience award for the most "impressive, surprising, shocking, or outrageous" winner went to Facebook, on just over a third of the votes. Nominations for the next Big Brother Awards are open until the end of this year. BigBrotherAwards Germany 2011 (1.04.2011) http://www.bigbrotherawards.de/2011-en?set_language=en (Contribution by Sebastian Lisken - EDRi-member FoeBuD) ============================================================ 11. Privatised online enforcement series: B. Is "self-regulation" worse than useless? ============================================================ Much of the policy with regard to "self-regulation" in the context of illegal online content is developed on the basis that anything that industry can do to help fight crime is automatically a good thing. The assumption is that, however distasteful it is that private companies should be regulating and enforcing the law in the online world, it is better that "somebody" is doing "something". The reality is, however, very different. The first area where Internet intermediaries started enforcing the law is in relation to child abuse images. The European Commission funds "hotlines" to receive reports of child abuse images and these send reports to law enforcement authorities and Internet hosting providers and, sometimes, Internet access providers. 
Law enforcement authorities are supposed to play their role in investigation and prosecution, while Internet providers are supposed to play their role in diligently, and within the rule of law, removing content that has been shown to be illegal and supporting collection of evidence by law enforcement authorities. At a recent meeting of the European Commission "dialogue on dissemination of illegal content within the European Union", the Safer Internet Unit of the Commission gave a different and more worrying analysis. A representative explained that many EU police forces did not prioritise online child abuse and even if it was on the priority list in some countries, it was at the bottom. The proposal was made, therefore, that hotlines should send reports directly to Internet hosting providers to delete the websites. The fact that this would facilitate and propagate the alleged inaction of the police appears not to be a consideration. This approach is confirmed by the European Commission's guidelines for co-funded hotlines on notice and takedown (that are, unsurprisingly, not publicly available), which suggest that agreements should be signed between the hotlines and the police. These guidelines suggest that "the agreement should preferably stipulate a deadline for the police to react after which the hotline would proceed with giving notice". In other words, law enforcement authorities would be assured that, if they remained wholly inactive for an agreed period, the evidence of their failure to address serious crimes would be diligently hidden by the hotlines, in cooperation with well-meaning "industry self-regulation". This is, unfortunately, far from the only example. As mentioned above, hotlines also contact Internet access providers. In some countries, these take it upon themselves to undertake technically limited "blocking" against sites identified as being illegal. 
In Sweden, for example, ISPs "block" sites and receive an updated list from the police every two weeks. The pointlessness of this whole process is shown by the fact that, while the lists are updated every 14 days, the British hotline, the IWF, has produced statistics showing that the average length of time the sites remain online is only twelve days. In other words, on average, there are no functioning sites at all on the "blocking" list one day out of every seven. Unfortunately, this activity is not just useless, it is worse than useless. In a speech given to the German Parliament, a Danish police official explained that, having "blocked" the websites domestically, the police in that country do not see any point in communicating evidence of serious crimes against children to the police forces in the United States and Russia, because they probably wouldn't be interested. It is difficult to imagine another crime which would be treated in such a trivial way. Reports from the European Commission are that there will be a major push to increase the "safer internet" budget, which is currently being reviewed. As yet, there are no signs that any lessons are being learned regarding the failures of "self-regulation" under the current programme. Internet Watch Foundation Annual Report 2010 http://www.iwf.org.uk/assets/media/annual-reports/Internet%20Watch%20Foundat... EDRi-gram: Dialogue on illegal online content (28.06.2010) http://www.edri.org/edrigram/number8.15/edri-euroispa-notice-takedown-comiss... Child abuse is difficult to stop on the web (only in Swedish, 29.09.2010) http://www.dn.se/nyheter/sverige/overgrepp-pa-barn-svart-stoppa-pa-natet Danish police statement http://www.edri.org/files/Written_Statement_Underbjerg.pdf Privatised Online Enforcement Series A. 
Abandonment of the rule of law (23.03.2011) http://www.edri.org/edrigram/number9.6/abandonment-rule-of-law (Contribution by Joe McNamee - EDRi) ============================================================ 12. ENDitorial: Data retention: Is the EC trying to dig itself out of a hole? ============================================================ The Data Retention Directive was adopted in 2006 in very controversial circumstances. Article 15 of the Directive placed a clear obligation on the European Commission (EC) to submit "no later than 15 September 2010" a report on the evaluation of the Directive and its impact on economic operators and consumers. Today is the 203rd day since that evaluation report was due to be published. This raises the obvious question - why has the Commission, as "guardian of the treaties", failed to respect its legal obligation and when will it finally comply? The main reason for the delay is that some crucial mistakes were made at the beginning of the review process. Firstly, the Commission failed to recognise that, under the Charter on Fundamental Rights, the Directive is only legal if it is both "necessary and genuinely meet(s) objectives of general interest." Its second mistake was to reach its conclusion ("data retention is here to stay") before starting the research, thereby limiting its scope and assuming that the Member States would have answers to its questions about the assumed value of data retention. The Commission then limited itself further by not seeking any information from Member States that had not implemented the Directive. This definitively prevented the Commission from being able to compare how much essential extra data is stored as a result of the Directive, thereby making the legislation "necessary". As a result, when the Commission asked for data in the second quarter of 2010, it received little useable information from the Member States. 
As a result, Commissioner Malmström made a personal plea to Member States during the July 15 Justice and Home Affairs Council, followed by a letter (linked below) from the Commission to Member States. The letter betrays the Commission's disregard for the Charter (which each Commissioner swore a legally binding oath to support) by showing that it is not seeking to demonstrate "necessity" - "without this information it will be difficult for the Commission to adequately demonstrate that the Directive is useful". It further lowered the level of evidence it was requesting by asking for examples of where data retained under the Directive "played a determining role", rather than asking for examples of where data that would not otherwise have been retained played a determining role. Having created this untenable situation, the Commission managed to dig itself even deeper during the "Taking on the Data Retention Directive" conference in December 2010. For reasons that are far from obvious, Commissioner Malmström made a speech arguing that "data retention is here to stay", despite the fact that inadequate information had been received from the Member States (who mostly ignored her personal plea at the July Council meeting) and despite the fact that her services were still months away from being able to provide a useable summary of the paltry information that was provided by the Member States. So, where are we now? The Home Affairs Directorate General (DG HOME) of the European Commission submitted a draft evaluation report at the end of February, resplendent in blank spaces where the Member State information should have been put, for review by colleagues from the rest of the Commission. These have now provided their feedback which, by all accounts, did not lavish praise on the work done so far. 
When and how the DG HOME will update the document based on this feedback is not yet clear - what is clear is the disastrous position their prejudging of the outcome of this process has created. The Commission has simply no basis, on the weak evidence presented by the Member States, to argue that the value added to law enforcement by the Directive shows that it is "necessary" (and therefore legal). It therefore cannot move forward with a revision of the Directive. For the same reason, it cannot opt simply to do nothing. It also cannot refine the Directive by learning from the experience of Member States, like Germany and Romania, that have not implemented the Directive, for the simple reason that it did not request any information from those countries. And, having pandered to the wishes of certain large Member States by proclaiming that "data retention is here to stay," even a tactical retreat seems politically difficult, even if it is legally and practically the only reasonable step left. Perhaps the Commission should stop digging and start listening, learning from the insightful words of a Swedish Liberal MEP on the day that the Directive was adopted in the European Parliament. "This is a difficult issue on which to adopt a position. Reflection is required, together with a solid factual basis in relation to the privacy aspect, the technical consequences and the actual costs for telecommunications operators and thus consumers." Data retention Directive http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:006... 
Letter from the Commission to Member States (27.06.2011) http://www.edri.org/files/drd_letter.pdf Czech Constitutional Court rejects Data Retention Law (31.03.2011) http://www.edri.org/czech-decision-data-retention EDRi-gram: Romanian Constitutional Court Decision against Data Retention (2.12.2009) http://www.edri.org/edrigram/number7.23/romania-decision-data-retention EDRi-gram: German Federal Constitutional Court Rejects Data Retention Law (10.03.2010) http://www.edri.org/edrigram/number8.5/german-decision-data-retention-uncons... Commissioner Malmström's "data retention is here to stay" speech (3.12.2010) http://europa.eu/rapid/pressReleasesAction.do?reference=SPEECH/10/723 Explanations of vote in the European Parliament on the Data Retention Directive http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+CRE+2005121... (Contribution by Joe McNamee - EDRi) ============================================================ 13. Recommended Action ============================================================ Public consultation on on-line gambling in the Single Market. The final questions in the Green Paper asks about the value of, and options for, blocking of gambling websites. Deadline: 31 July 2011 http://ec.europa.eu/internal_market/services/gambling_en.htm ============================================================ 14. Recommended Reading ============================================================ Paul de Hert / Rocco Bellanova: Transatlantic Cooperation on Travelers' Data Processing: From Sorting Countries to Sorting Individuals (Migration Policy Institute, 2011) http://www.migrationpolicy.org/pubs/dataprocessing-2011.pdf European Data Protection Commissioners insist on the need for a comprehensive EU approach to data protection (6.04.2011) http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/P... 
EU survey: 72% of Europeans not informed about their fundamental rights (18.03.2011) http://europa.eu/rapid/pressReleasesAction.do?reference=EO/11/6&format=HTML&aged=0&language=EN&guiLanguage=en ============================================================ 15. Agenda ============================================================ 7-8 April 2011, Amsterdam, Netherlands European Legal Network Conference "Free Software law for the next ten years" http://fsfe.org/projects/ftf/legal-conference.en.html 13-15 April 2011, Berlin, Germany Re:publica XI: Conference about blogs, social media and the digital society http://re-publica.de/11/en/ 5-6 May 2011, Milano, Italy The European Thematic Network on Legal Aspects of Public Sector Information - public conference http://www.lapsi-project.eu/milan 17-18 May 2011, Berlin, Germany European Data Protection Reform & International Data Protection Compliance http://www.edpd-conference.com 30-31 May 2011, Belgrade, Serbia Pan-European dialogue on Internet governance (EuroDIG) http://www.eurodig.org/ 2-3 June 2011, Krakow, Poland 4th International Conference on Multimedia, Communication, Services and Security organized by AGH in the scope of and under the auspices of INDECT project http://mcss2011.indect-project.eu/ 12-15 June 2011, Bled, Slovenia 24th Bled eConference, eFuture: Creating Solutions for the Individual, Organisations and Society http://www.bledconference.org/index.php/eConference/2011 14-16 June 2011, Washington DC, USA CFP 2011 - Computers, Freedom & Privacy "The Future is Now" http://www.cfp.org/2011/wiki/index.php/Main_Page 11-12 July 2011, Barcelona, Spain 7th International Conference on Internet, Law & Politics (IDP 2011): Net Neutrality and other challenges for the future of the Internet http://edcp.uoc.edu/symposia/lang/en/idp2011/?lang=en ============================================================ 16. 
About ============================================================ EDRi-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRi has 29 members based or with offices in 18 different countries in Europe. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRi-grams. All contributions, suggestions for content, corrections or agenda-tips are most welcome. Errors are corrected as soon as possible and are visible on the EDRi website. Except where otherwise noted, this newsletter is licensed under the Creative Commons Attribution 3.0 License. See the full text at http://creativecommons.org/licenses/by/3.0/ Newsletter editor: Bogdan Manolea <edrigram@edri.org> Information about EDRI and its members: http://www.edri.org/ European Digital Rights needs your help in upholding digital rights in the EU. If you wish to help us promote digital rights, please consider making a private donation. http://www.edri.org/about/sponsoring - EDRI-gram subscription information subscribe by e-mail To: edri-news-request@edri.org Subject: subscribe You will receive an automated e-mail asking to confirm your request. Unsubscribe by e-mail To: edri-news-request@edri.org Subject: unsubscribe - EDRI-gram in Macedonian EDRI-gram is also available partly in Macedonian, with delay. Translations are provided by Metamorphosis http://www.metamorphosis.org.mk/edri/2.html - EDRI-gram in German EDRI-gram is also available in German, with delay. Translations are provided by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for Internet Users http://www.unwatched.org/ - Newsletter archive Back issues are available at: http://www.edri.org/edrigram - Help Please ask <edrigram@edri.org> if you have any problems with subscribing or unsubscribing. 
----- End forwarded message ----- -- Eugen* Leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE