EDRi-gram newsletter - Number 9.22, 16 November 2011

============================================================
EDRi-gram
biweekly newsletter about digital civil rights in Europe
Number 9.22, 16 November 2011
============================================================
Contents
============================================================

1. EDRi letter: EC proposes reduced retention periods for retained data
2. US court allows access to world-wide Twitter accounts data
3. Online Distribution of Audiovisual Works: EDRi's answer to the EC
4. Unlocking education in the Netherlands
5. EDRi Responds to BEREC's Consultation on Net Neutrality and Transparency
6. 2011 Public Voice Civil Society Conference: "Privacy is Freedom"
7. 33rd International DPA Conference in Mexico City
8. Will the new flawed EU-US PNR agreement be approved by the EP?
9. ENDitorial: Copyright combinatronics
10. Recommended Action
11. Recommended Reading
12. Agenda
13. About

============================================================
1. EDRi letter: EC proposes reduced retention periods for retained data
============================================================

In September 2011, European Digital Rights and 37 other NGOs sent a detailed letter to the European Commission with regard to the current stage of the review of the Data Retention Directive - the impact assessment. The purpose of the letter was to provide early input to the Commission, in order to give maximum opportunity to take our concerns into account.

The response from the Commission acknowledges the problems with the Directive. Without being specific, Commissioner Malmström responded that the maximum retention periods need to be reduced and also pointed out that the text must be improved with regard to its clarity. She also recognised and accepted the need for a follow-up of the methodology detailed in the Fundamental Rights Checklist and that cost-reimbursement for Internet providers is a way of minimising access to retained traffic data.
The Commissioner promises improvements to resolve two problems in the Directive: the length of the maximum retention periods and the lack of clarity (and therefore predictability) of the Directive. However, the recognition of these two problems implies an acceptance of doubts regarding the compliance of the current Directive with the Charter of Fundamental Rights and the European Convention on Human Rights. This raises an important question: in such circumstances, how can it be appropriate to recognise the questionable legality of the Directive, on the one hand, and undertake legal proceedings against Germany, Romania and Sweden for failing to implement the Directive, on the other?

Rather disappointingly, the Commissioner decided to answer a question which was not asked, namely how difficult it would be to get major improvements past the Council of Ministers. While the political obstacles to an adequate resolution of the data retention Directive's problems are certainly massive, the current College of Commissioners took an oath, as individual citizens, to defend the Charter on Fundamental Rights. This oath contained no exceptions for challenging political environments. However, the subtext of the Commissioner's response to civil society is clear - without a shift in the positions of Member States, the Commission does not feel able to resolve the deep problems with data retention.

Nonetheless, the tone of the letter is very positive and the constructive engagement of civil society is clearly welcomed. EDRi and the co-signatories of the letter will continue to engage constructively with the Commission.
Joint letter on data retention (26.09.2011)
http://www.edri.org/files/dr_letter_260911.pdf

Commissioner Malmström's response (dated 31.10.2011)
http://www.edri.org/files/malmstroem_letter31Oct2011.pdf

Fundamental rights checklist
http://ec.europa.eu/justice/news/intro/doc/com_2010_573_4_en.pdf

Oath to respect the EU Treaties and Charter:
http://europa.eu/rapid/pressReleasesAction.do?reference=IP/10/487

(Contribution by Joe McNamee - EDRi)

============================================================
2. US court allows access to world-wide Twitter accounts data
============================================================

A US judge decided on 10 November 2011 that Twitter had to release to the US authorities data on the Twitter accounts of people involved in the WikiLeaks founder Julian Assange case investigated by the US Justice Department. The Twitter accounts in question belong to Icelandic MP and former WikiLeaks volunteer Birgitta Jónsdóttir, Seattle-based WikiLeaks volunteer Jacob Appelbaum and Dutch XS4ALL Internet provider co-founder Rop Gonggrijp.

The judge's ruling is a response to the appeal made by the three Twitter account holders, thus backing up the previous decision made in March by another judge. Even more worrying is the fact that the investigated people found out about the first US court's decision only because Twitter notified the subscribers that prosecutors had obtained a court order for their account information. Furthermore, the judge blocked the users' attempt to discover whether other Internet companies had been ordered to release their data to the US government.

"With this decision, the court is telling all users of online tools hosted in the U.S. that the U.S. government will have secret access to their data," said Jónsdóttir, who expressed her intention to take the case to the Council of Europe.
The court order of the appeal was criticised by the IPU (Inter-Parliamentary Union, the international organization of Parliaments with MPs from 157 countries), which adopted a resolution condemning the move which, in their opinion, threatens free speech and may be in violation of Article 19 of the Universal Declaration of Human Rights, which gives everyone the right to freedom of opinion and expression.

In seeking the respective information, US authorities used the Stored Communications Act to demand that Twitter provide the internet protocol addresses of users as well as bank account details, user names, screen names or other identities, mailing and other addresses.

In the judge's opinion, "the information sought was clearly material to establishing key facts related to an ongoing investigation and would have assisted a grand jury in conducting an inquiry into the particular matters under investigation."

Also extremely worrying is that he considered that the Twitter users had implicitly given their agreement to hand over their IP addresses the moment they signed up for an account and relinquished an expectation of privacy. "Petitioners knew or should have known that their IP information was subject to examination by Twitter, so they had a lessened expectation of privacy in that information, particularly in light of their apparent consent to the Twitter terms of service and privacy policy," wrote the judge in his decision.

Basically, what this decision says is that US authorities can require account information on any users of US-based online social networks, irrespective of their location and citizenship. This raises very serious concerns related to online privacy.
EFF Legal Director Cindy Cohn also expressed her concern that in a world where Internet users place online more and more of their conversations, experiences, pictures, locations and many other types of personal information, the court's conclusion is that "records about you that are collected by Internet services like Twitter, Facebook, Skype and Google are fair game for warrantless searches by the government."

US court verdict 'huge blow' to privacy, says former WikiLeaks aide (11.11.2011)
http://www.guardian.co.uk/world/2011/nov/11/us-verdict-privacy-wikileaks-twi...

Second judge gives DOJ access to WikiLeaks-related Twitter accounts (10.11.2011)
http://news.cnet.com/8301-31921_3-57322538-281/second-judge-gives-doj-access...

Privacy Loses in Twitter/Wikileaks Records Battle (10.11.2011)
https://www.eff.org/press/releases/privacy-loses-twitterwikileaks-records-ba...

============================================================
3. Online Distribution of Audiovisual Works: EDRi's answer to the EC
============================================================

Adapting the European policy to the digital environment would offer the audiovisual industry access to an even broader audience and would give the consumer greater access to cultural works. It is the opportunity to redefine a simple and harmonised framework. It is a chance to achieve a digital single market.

What creates obstacles to achieving this goal? Which interests should be taken into account? What should the EU policy-maker do to offer a satisfactory environment to both rightsholders and consumers?

EU policy must be user-friendly, innovation-friendly and creation-friendly. The current framework somehow fails to take into account all those aspects and to find the right balance between the interests at stake. One of the essential aspects is access to culture.
The current divided market, particularly on the copyright aspects, creates barriers that prevent EU citizens from accessing, using and enjoying cultural content such as audiovisual works. Nowadays, consumers consider the current copyright law system as illegitimate, which explains the level of infringements.

The current system is not only consumer-unfriendly but also has an economic downside: it stifles the development of new technology. Its overly strict application of copyright and its indefensible and ineffective repressive enforcement measures are counterproductive.

There are numerous ways to improve the current ecosystem without putting aside any interests: harmonising the current framework, minimising the complexity and waste generated by intermediaries, micro-payments, enabling the development of legal platforms to access, share and stream audiovisual content, cross-border licensing, pan-European offers.

The achievement of a digital single market should not be undermined by efforts to create more restrictions over the use of content, such as limiting exceptions and limitations to copyright. Equal access to culture should also be recognised for people with disabilities and the copyright exception should be made mandatory for that purpose.

The digital environment offers new perspectives, new possibilities and new opportunities for the industries and for citizens and those opportunities must be embraced by the EU. The right balance between economic and social goals, the interests of creators and consumers can be found without putting the interests of one above the others. More repressive enforcement will risk making the legal framework even more illegitimate. What the EU needs is a clear, simple and harmonised framework.

EC Green Paper on the Online Distribution of Audiovisual Works:
http://ec.europa.eu/internal_market/consultations/docs/2011/audiovisual/gree...
EDRi's answer to the consultation (11.2011)
http://www.edri.org/files/2011EDRi_response_OnlineAudiovisual_Works.pdf

(Contribution by Marie Humeau - EDRi)

============================================================
4. Unlocking education in the Netherlands
============================================================

Dutch schools are progressively locking out students from online environments due to the use of proprietary web technology (Silverlight) and closed standards. This contravenes the 2007 "Netherlands Open in Connection" policy framework that mandates the use of open standards for all public sector organizations, including educational institutions. In responding to questions by the Parliament about this situation, the minister of Education, Marja van Bijsterveldt, stated she was unwilling to force educational institutions to comply with the official open standards policy.

The Dutch open standards policy framework calls for a mandatory use of open standards in all public sector organizations (via comply or explain). The ministry of education should have begun taking steps to implement it four years ago. However, open standards have not become an integral part of educational IT procurement and thus are not considered when purchasing, renewing or upgrading (educational) IT services, software and digital learning materials. The negligent attitude of the ministry of education resulted in an increasing vendor lock-in, effectively locking out substantial and growing numbers of students.

Through the "Unlocking education, for growth without limits" campaign, Dutch activists are pushing for a more robust implementation of the open standards policy, by making the use of open standards mandatory for all publicly-funded institutions.
The campaign is supported by a wide range of Dutch organizations (NLLGG, NLUUG, LPI Netherlands, HCC!, ISOC.nl, Free Knowledge Institute and the Dutch Pirate Party), the Free Software Foundation Europe and over 900 individuals who signed the petition.

Arjan el Fassed, MP for the Green party (GroenLinks), expressed dissatisfaction with the minister of Education's answers. The next round of parliamentary questions is being prepared in collaboration with the activists.

FSFE campaign page - Unlocking education, for growth without limits
http://fsfe.org/campaigns/nledu/nledu.en.html

The lack of open standards in secondary education (only in Dutch, 5.10.2011)
http://www.ikregeer.nl/documenten/kv-132148

Answer to Parliamentary questions about the lack of open standards in secondary education (only in Dutch, 28.10.2011)
http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/kamerstukken...

Dutch government hands over education's keys to Microsoft (7.11.2011)
http://fsfe.org/news/2011/news-20111107-01.en.html

Dutch petition (only in Dutch, 27.09.2011)
http://www.janstedehouder.nl/2011/09/27/petitie-weg-met-het-overgewicht-in-n...

International petition (28.09.2011)
http://www.janstedehouder.nl/2011/09/28/make-the-use-of-open-standards-in-ed...

(Contribution by Jan Stedehouder - EDRi-member Vrijschrift - Netherlands)

============================================================
5. EDRi Responds to BEREC's Consultation on Net Neutrality and Transparency
============================================================

Net Neutrality is at the centre of the debate in almost every European institution. The European Commission has been looking at this topic for more than a year now and is moving more and more away from its initial position to uphold net neutrality in Europe. In contrast to her own statements in January 2010, Vice-President Neelie Kroes is now advocating a wait-and-see approach, stressing the importance of transparency and the ability to switch operators.
In a speech during the EUHackathon on 9 November 2011, Kroes said she heard "allegations that some internet providers throttle, degrade the quality of services". Earlier this year she therefore asked the EU telecoms regulator BEREC to go on a fact-finding mission in order to prove these "allegations".

Net neutrality was also recently discussed in the European Parliament. The Industry Committee just adopted a resolution which called on BEREC to swiftly publish the evidence emerging from its investigations. The resolution emphasised that net neutrality is crucial for fundamental freedoms, innovation and competition.

Indeed, there is a growing number of threats to it, such as blocking of applications and degradation of services. These experiments with the essence of the Internet have sometimes been transparently declared by operators themselves and reported by end users and content providers, while at other times consumers' services have simply been restricted, without notification or explanation. Not only do operators have incentives to seize more control over internet traffic, they are also increasingly under pressure from vested interests to take measures which run counter to their role as a mere conduit.

On 2 November 2011, EDRi responded to the consultation on BEREC's "transparency and net neutrality" guidelines, which will be followed by a paper on Quality of Service and a report on competition and discrimination issues next year. BEREC's draft guidelines on transparency, however, are in line with the Commission's wait-and-see approach and argue that transparency is an effective tool to achieve the regulatory objective of maintaining an open and competitive Internet.

In its response, EDRi explains that transparency on service restrictions will lead neither to sufficient protection nor to empowerment of end users.
In the light of numerous transparent and non-transparent violations of the principle of net neutrality, EDRi expresses its deep concerns about the Guidelines' apparent acceptance of restricted offers that provide limited access to the Internet. EDRi fears that relying solely on transparency requirements and on market forces will lead to the development of a multiple-tier Internet, to the detriment of citizens' rights and the competitive online marketplace. Few would be able to access premium managed services and many would be left in the slow lane with low-quality and restricted access to the Internet.

EDRi asks BEREC to design regulatory tools for national regulatory bodies to ensure that traffic management practices do not unsettle the Internet ecosystem. BEREC should promote narrowly-tailored measures to protect net neutrality and the open Internet's core characteristic as a unique platform for innovation and freedom of expression defined by end user control.

EDRi's response to the net neutrality consultation (2.11.2011)
http://www.edri.org/02112011EDRi_response_BEREC_NNtransp.pdf

BEREC guidelines on transparency and net neutrality (10.2011)
http://erg.eu.int/doc/berec/consultation_draft_guidelines.pdf

Speech given by Neelie Kroes on 9 November 2011 during the EUHackathon (9.11.2011)
http://www.youtube.com/watch?v=LhlBpE4llLM

Net Neutrality Resolution as adopted by ITRE (7.11.2011)
http://www.europarl.europa.eu/sides/getDoc.do?type=MOTION&reference=B7-2011-0572&language=EN

EDRi-gram: Neelie Kroes on Net Neutrality (27.01.2010)
http://www.edri.org/edrigram/number8.2/kroes-net-neutrality

(Contribution by Kirsten Fiedler - EDRi)

============================================================
6. 2011 Public Voice Civil Society Conference: "Privacy is Freedom"
============================================================

The Public Voice meeting that took place on 31 October 2011 in Mexico City began with a discussion of the 2009 Madrid declarations (both those from DPAs and civil society). Most participants felt there had been little progress towards implementation or acceptance by governments. Peter Schaar (Federal DPC Germany) stressed that upholding the rights of data subjects required independent oversight, and that CoE Convention 108 was still available for regulating transborder data flows, and was open to third countries. Discussions about multilateral vs. single global instruments were becoming repetitive.

In the panel on Cultures of Privacy, Jacob Kohnstamm (Netherlands DPC & Art.29 WP Chair) noted that databases were implicated in extensive human rights violations during WW2, and the families of many Europeans had cause to remember such risks. David Vladeck (FTC) saw his role not as "referee" over different and clashing cultures, but to preserve consumer choice; clicking through EULA "wordbarf" is not "meaningful" consent. He stated that the US could not be more different from EU culture, but "we get to the same result", citing FTC support for "Do Not Track".

Lara Ballard (US State Department) described an Egyptian activist creating a database identifying members of the secret police (to name and shame them). Flickr took down the pictures on copyright (not privacy) grounds. The activist's view was that the secret police had invalidated their own right to privacy, because their conduct undermined the rule of law itself. Ballard was sceptical of nostrums about a lack of an Asian sense of privacy (e.g., non-legal concepts of Japanese politeness are similar), and cited sociologist Irwin Altman on privacy as dynamically negotiated social boundaries. She asserted EU DPCs were mistrustful of major US Internet companies, but trusted their own governments.
She praised the concept of "accountability agents" and the APEC privacy process.

Moderator Alberto Cerda (Derechos Digitales - Chile) remarked that global agreements for the enforcement of "intellectual property" already existed, but there seemed to be little prospect of comparable treaties for privacy.

Zhou Hanhua (China - Social Science Academy) said that although China had no history of privacy, the real concerns of people were similar. China today may have the worst of both worlds. People felt resigned to marketing privacy invasions such as endemic mobile voice spam. China has still not enacted a DP law (and the choice between US and EU systems was most difficult), but on paper, Constitutional protections were similar to developed countries, and culture is changing rapidly.

Moez Chakchouk (Tunisia) spoke of their first free election, and a new constitution next year. Their main priority was to transform the former censorship agency into a human rights and privacy agency (sic).

Cerda asked whether EU standards were too high (so few countries attained adequacy), and Kohnstamm replied that national authorities couldn't do much without co-operation from the rest of the world. Schaar said the EU should not lower standards, given European history; data protection will stay a fundamental right in Europe. Vladeck contrasted common-law vs. civil law cultures; in the EU privacy law is very specific, in the US not. There was a vocabulary problem. To US ears, rights mean what is in the US Constitution, "and why do I have to fill in a form for the police when I check into a hotel in Europe?" - a right not enforced isn't much of a right. US goals were similar to the EU. "There is no difference between opt-in and opt-out given current technology" (sic). Ballard reiterated support for "accountability agents" ("a new legal regime accountable to e.g. TRUSTe").

The panel on Raising Public Awareness on Privacy vs.
Technology was moderated by Pablo Molina (US), and began with a description of the new Brazilian law from Danilo Doneda. Michael Donohue (OECD) stated that transborder flows of data can be blocked only if there was no adequate protection of sensitive data. Omer Tene said face recognition was not a new issue (e.g. police line-ups). His view of consent was that an opt-out should be sufficient if good information was provided. Thomas Nortvedt (TACD) emphasized that consumers needed to be able to enforce rights.

Korina Velazquez (MEX) moderated the panel on Children's Privacy Online, with contributions from Adriana Labardini (Mexico - Alconsumidor), Kristina Irion (CEU Hungary), and Conchy Martin Rey (TACD). Neuro-marketing techniques were discussed, and Jeff Chester remarked that the COPPA legislation was unique in the US, in that it gave opt-in protection (to minors). There were few answers to a question on when children should attain legal independence from their parents for the exercise of privacy rights, given the wide differences between individual children.

Dave Banisar (Article 19) led a conversation with Marc Rotenberg (EPIC) on the relationship (both deprecated the word "balance") between Privacy and Freedom of Expression. There were strong analogies between the right to withhold identity and freedom of expression rights. Business obviously prefers to conduct its activities unregulated. Banisar remarked that in the UK, some attempted to justify "phone-hacking" in the name of free expression, and Rotenberg recalled that Warren & Brandeis stipulated a public interest exemption in their seminal article.

Caspar Bowden asked if a right of subject access to data in the private sector was feasible in the US, and Rotenberg replied that the Federal Constitution normally doesn't coerce private parties, but some state constitutions do. Probably "compelled speech" cases can be distinguished (to allow a subject access right).
EPIC has pursued information self-determination rights, and this one is on their "to do" list. The office of the EDPS pointed to the ECJ "Bavarian beer" case, and their intervention to ensure FOI rights aren't subordinated to privacy rights, in cases of public interest. Lara Ballard (US State Department) asked whether government officials had privacy rights when offering confidential advice. Dave Banisar said no, and deprecated the use of the word privacy to mean "organizational secrecy".

Simon Davies (PI) moderated the panel on a Right to Forget. Marie-Helen Boulanger (EU Commission) said the data subjects' existing rights needed to be clarified, and that the impact of cheap data storage was that many traces were left in online services. Data must be fully deleted when its processing would be unlawful, e.g. when the retention period is not in line with the purpose. However, there is no "right to hide" in EU law. Regarding a right to erasure of public records, it was preferable that unnecessary data was not collected at all - data minimization remains a sound principle, in conjunction with privacy-by-design.

Peter Fleischer said Google merely reflected the web, and should be allowed to index whatever is lawful on the web, and mentioned a possible ECJ referral of the current Spanish case. Alejandro Pisanty (Mexico) stressed the end-to-end principle of the Internet (network flows should not depend on the content), and that Mayer-Schönberger's idea for self-deleting data would still leave metadata traces behind, even after content was deleted. Banisar recalled that the possibility for rehabilitation was an internationally accepted principle in Freedom of Expression.

Chris Soghoian rounded on Fleischer's assertion that Google "deleted" search data after nine months, pointing out that their actual practice (IP-last-byte-deletion) did not even properly anonymize the data.
The important "right to be forgotten" is over the behavioural data we are scarcely conscious is being collected, but the public debate mostly avoids this issue, focussing on e.g. tagged photos. The major Internet companies don't let the user delete behavioural data. Moreover, there is the further issue of aggregate data used to sort users automatically into marketing buckets. Caspar Bowden asked why Google didn't permit users to delete web history from a "parallel" logging system, only disclosed by an elliptical reference in an FAQ outside the privacy statement.

Gus Hosein (PI) moderated the final panel on Government Databases. Caspar Bowden (EDRi) summarised the effect of the US law FISAA 2008 1881a: that Cloud providers within US jurisdiction may be coerced into wiretapping their own datacentres (inside or outside the US) to conduct purely political surveillance on non-US persons outside the US. Meryem Marzouki (France - CNRS) made a plea for a data confinement doctrine and its strict application by law, in response to the vulnerability of mega-databases to malicious intrusions, technical breaches and unlawful use. Katitza Rodriguez (EFF), Cedric Laurent (Access) and Jessica Matus Arenas (Chile) provided analysis of national legislation on data protection and access to information, respectively in Mexico, Colombia and Chile, as well as commenting on the current situation in these countries.

Public Voice conference
http://thepublicvoice.org/events/mexicocity11/

Caspar Bowden's presentation at Public Voice event (31.10.2011)
http://edri.org/files/Public%20Voice%20-%20Mexico%20%28Caspar%20Bowden%20-%2...

(Contribution by Caspar Bowden - EDRi Observer)

============================================================
7. 33rd International DPA Conference in Mexico City
============================================================

The 33rd International Conference of Data Protection and Privacy Commissioners was held in Mexico City, on 2-3 November 2011, hosted by IFAI (The Mexican Federal Institute for Access to Information and Data Protection). This year's theme, "Privacy, the Global Age", showed the clear will of the organizers to make it a direct follow-up to the 31st Conference held in Madrid and its adopted resolution on global standards. As a matter of fact, Jacqueline Peschard, IFAI President, called in her opening remarks for a plan of action to be proposed by this conference. This commitment to take further steps was shared by most, though not all, of the DPAs (Data Protection Authorities) at the conference.

The two-day conference included four plenary sessions and four sets of four parallel sessions. A useful innovation consisted in the presentation of highlights from parallel sessions, to keep the audience updated on all discussions. While the parallel sessions addressed a broad range of current hot data protection issues, the plenary sessions focused on various aspects of the "big and distributed data" challenge: "Observation, Analytics, Innovation and Privacy", "The Drivers for Data Protection Law in Latin America, Asia, and Africa", "Security in an Insecure World" and "One Data Protection Community. Many Cultures, Threats and Risks".

The "big data challenge" was rather overstressed in the first plenary session, especially through the keynote presentation by Ken Cukier (The Economist), followed by two panel sessions. In the first panel session, Jacob Kohnstamm, Peter Schaar and Marie Shroff (DP Commissioners of The Netherlands, Germany and New Zealand, respectively) and David Vladeck (FTC, USA) were asked whether the growth of data, its mining and application challenge the way privacy enforcement agencies protect individuals.
The two European DP Commissioners insisted on the need for a strict application of the legislation and more independent control powers given to DPAs, while the New Zealand Commissioner rather took the view that there is a need to move from a focus on compliance with rules towards being more strategic, identifying the big risks, strategizing, and moving to a leadership mode or, as she said, "move from a negative mode to a positive mode". The FTC representative insisted on the changing nature of big data (collected from smartphones, sensors, social networks...), leading to the importance of privacy by design. He acknowledged that "the burden has to be on the company, not on the consumer, to protect the data".

In the second part of this session, gathering a panel of other stakeholders, Gus Hosein (Privacy International) and Joel Reidenberg (Fordham Law School) reminded the audience that the basic DP principles still apply. The former warned that it would be a mistake to only focus on the use of big data while forgetting about their collection process. The latter insisted on the need to consider the broader systemic risks arising with big data, as they create an unprecedented level of transparency of the citizen, who loses any anonymity and choice capabilities, with the consent model breaking down.

One very informative session on new legal developments was the one dealing with "changing laws in the US and the States". Françoise Le Bail (EC DG Justice) presented the main features of the deep reform the EU has undertaken in terms of privacy legislation. She made clear that the revised legislation, to be adopted at the beginning of next year, will leave less room for interpretation for Member States, as the disparities are currently huge: "no longer legal fragmentation", she said, mentioning both the national legislations and the two sectors, public and private, including sectors formerly falling under the 3rd pillar.
Other important new features include: data breach notification, better enforcement of rights, harmonization and increase of DPAs' resources and powers, stronger cooperation between DPAs (a reflection on a cooperation mechanism is ongoing). On international aspects, she mentioned the need for a continuation of EU citizen protection, not only through the adequacy but also through the interoperability of the different DP schemes.

Lawrence Strickling (NTIA, USA) also introduced the big changes undertaken in the USA to strengthen the privacy regime towards a general regime of consumer data privacy, with a large focus on the international interoperability of DP systems. A white paper will be issued in the weeks to come, valid for the entire Obama administration, developing a four-pillar framework: (1) A consumer bill of rights, that should be enacted in legislation; (2) Codes of conduct developed by stakeholders; (3) Enforcement of these codes of conduct by the FTC; and (4) International interoperability. One probably needs to wait until this white paper is made available to understand the exact share of enforced legislation and of self-regulation this framework will actually encompass, as well as to what extent industry lobbies will impose their views in the so-called multi-stakeholder process of codes of conduct development.

"International interoperability" thus seems to be the new buzzword, and the most that would be conceded in international discussions on a global privacy and data protection framework. Civil society, as well as many DPAs, expect more, though. They expect global privacy and data protection standards, and this was precisely the topic addressed at the session on "Global Standards Linked to Global Value", organized and moderated by Lillie Coney (Electronic Privacy Information Center).
During this session, Jörg Polakiewicz (Council of Europe) introduced the major features of the current revision of Convention 108 that will soon be submitted to consultation, and insisted on the fact that this Convention is and will still be open to signatures and ratifications by third countries, being the ideal vehicle towards a global privacy and data protection standard. Rafael Garcia (Spanish DPA) recalled the main advances of the Madrid Resolution on global standards, adopted at the 31st DPA Conference two years ago, and mentioned the progress, though slow, made since then. Meryem Marzouki (EDRi) took as a starting point the Madrid Civil Society Declaration on "Global Privacy Standards in a Global World" adopted at the 2009 Public Voice Civil Society Conference organized in Madrid, in liaison with the DPA Conference. She identified 6 main steps for an urgent action plan to implement the provisions of this Declaration.

The EDRi representative also reacted to the way the "big data" issue (or rather propaganda, in view of radical deregulation of privacy forced by technological determinism, as many civil society representatives analysed) was addressed during the conference. Meryem Marzouki recalled that "privacy is a fundamental human right, that shouldn't be adapted to new technical developments or economic models". Asking to put this dialectic back on its feet, she added that "it is rather the technical, economic and behavioral norms that should comply to international human rights standards."

The next International Conference of Data Protection and Privacy Commissioners will certainly bring interesting follow-up to this year's conference, especially with the new EU and US legislative frameworks, as well as the revised Council of Europe Convention 108 being discussed. The 34th Conference will be held again in Latin America (Uruguay).

33rd DPA Conference, Mexico City (2-3.11.2011)
http://www.privacyconference2011.org

31st DPA Conference, Madrid (4-6.11.2009)
http://www.privacyconference2009.org

The Madrid Civil Society Declaration (3.11.2009)
http://thepublicvoice.org/madrid-declaration/

Meryem Marzouki (EDRi) Presentation (3.11.2011)
http://edri.org/files/Marzouki-DPA-talk.pdf

"Big data and Small Agencies" - Colin Bennett's Reflections on the 33rd DPA Conference (7.11.2011)
http://www.colinbennett.ca/2011/11/big-data-and-small-agencies-reflections-o...

(Contribution by Meryem Marzouki (EDRI member IRIS - France))

============================================================
8. Will the new flawed EU-US PNR agreement be approved by the EP?
============================================================

In May 2011, the European Commission's Legal Service said the EU-USA PNR agreement on the transfer of personal data of travellers flying from Europe to the US was not compatible with fundamental rights. Five months later a new, but similarly flawed, version is now presented to the European Parliament.

With the US side having kept pressing the EU on finalising the PNR agreement, a new slightly changed version is now under discussion. Although the new text still raises privacy concerns, it seems unlikely that the European Parliament will reject this version.

Commissioner Malmström presented details of the new EU-US agreement to the German newspaper FAZ on 9 November 2011. While Parliamentarians currently do not have the right to talk about details of the negotiations, the Commission has apparently every right to go on a promotion campaign. The text of the Agreement is available for Parliamentarians in a secret reading room of the EU-Parliament where they can only read it, but do not have the right to take photos or notes.

It is bizarre that there has been no reaction so far by MEPs on the fact that the German newspaper got briefed before the official briefing for the rapporteur and shadow rapporteurs which took place only on 15 November. This is clearly in breach of art. 218(10) TFEU, which reads "The European Parliament shall be immediately and fully informed at all stages of the procedure."

The retention period for all the data remains 15 years but now there are restrictions for accessing that data after 10 years for serious crimes, such as drug and human trafficking. Also, under the draft deal, the data sent to US authorities would become "pseudonymous" after six months which means that some data would be masked out although still available in case of an event. Other data, including frequent flier info and payment/billing info will still be unmasked.

The data would remain in an "active" database easily accessible to US officials for five years, and then would be transferred to a "dormant" database which will require stricter conditions to be accessed. The US police or intelligence officers can retrieve or black out the data only with special permission from a superior.

"Whatever they did are just cosmetic changes, the substance of blanket data retention has remained. And even if they say personal data will be 'anonymised' after six months, the US still keeps all the records for 15 years," said German Green MEP Jan Philipp Albrecht. In his opinion, the agreement still violates EU data privacy rules as the US will still access and store all private data (including telephone numbers, email addresses and even credit card data).

MEP Sophie in't Veld (LIBE / Netherlands), said that her group would wait for legal advice before deciding on the vote but also expressed concern regarding the fact that the text still allows the use of data for broader purposes than the fight against terrorism and organised crime. She also showed her disappointment that after a long negotiation period, the final version of the text is still only very little better than what MEPs have continuously been asking for some years now. "If this is what we are able to get out of our closest allies, what will come out of negotiations with other countries?
South Korea and Qatar are also interested in PNR agreements, South Africa, Malaysia and Cuba are preparing demands and it will be only a matter of time until Russia and China will want this, too," stated Sophie in't Veld.

Michele Cercone, spokesman for EU Home Affairs Commissioner Cecilia Malmstroem, stated however that, in their opinion, the new draft was a big improvement on the last text: "The new agreement will guarantee that PNR data will be used for restricted and well defined purposes, which are fighting transnational crime and terrorism."

According to the proponents of the new treaty, the EU is not in the best position to negotiate considering that European airlines will have to pass travellers' information to the US authorities in order to be able to fly to the US. By rejecting the agreement, the EU may put airlines in the position to face potential law cases for infringing privacy regulations.

In October 2011, a PNR agreement with Australia was approved by MEPs but in that case the retention period is only five and a half years and the data transfer is limited to terrorism and organised crime.

Unhappy MEPs to approve passenger data deal (11.11.2011)
http://euobserver.com/22/114252

FAZ article with Commissioner Malmström (only in German, 10.11.2011)
http://www.faz.net/aktuell/politik/eu-einigt-sich-mit-amerika-neues-abkommen...

EU, US pen new passenger data deal to ease privacy fears (11.11.2011)
http://www.google.com/hostednews/afp/article/ALeqM5i3XjX6aLv4Ab9X2znGo8AbFBI...

EDRi-gram: EU-US PNR agreement found incompatible with human rights (29.06.2011)
http://edri.org/edrigram/number9.13/us-eu-pnr-breaches-human-rights

============================================================
9. ENDitorial: Copyright combinatronics
============================================================

Although the creation of the single market has been the primary focus of the European Union for decades, it often seems that for every step forward it takes two back.
In that respect it's often rather interesting to look at the mathematics as they play out in the different directives that come out of Brussels.

The EU Copyright Directive outlines 21 different optional exceptions or limitations to the right of reproduction of copyrighted works. Each country implementing the directive can choose to either include or leave out the exception clause. If we imagine this as a set of 21 switches where each has two positions, then to calculate the number of total possible configurations for these switches we multiply together the number of options for each one: 2*2*2*2*2*2*2*2*2*2*2*2*2*2*2*2*2*2*2*2*2, or written more concisely, 2^21 (two to the power of twenty-one). This gives us 2.097.152 different ways to implement the directive.

But it gets better. After the 21 exception clauses for reproduction rights, there comes a paragraph stating that where the Member States may provide exceptions or limitations for reproduction, they may provide similarly an exception or limitation to the right of distribution.

This can be understood in at least two different ways, with radically different results. On the one hand, if you have an exception on reproduction then you may also have the same exception for distribution (meaning we'd have 21 switches with 3 settings each), or on the other hand, you may apply the same exception independently of each other (meaning we'd have 42 switches with 2 settings each, or 21 switches with 4 settings - doesn't matter). The wording suggests the latter, but at the same time it seems slightly absurd to have an "oh by the way you may also" in a directive; there are other cleaner ways to approach this. There is probably some literature that I'm unaware of about which one they mean, but it's easier to do the math on both cases than it is to navigate through commission and parliament documentation.
The first case is a three-step process where each exception can be either "off", "on for reproduction" or "on for reproduction and distribution". This means we get three to the power of twenty-one options, totalling 10.460.353.203. The second case is a four-step process where each exception can be "off", "on for reproduction", "on for distribution", or "on for reproduction and distribution". This gives us four to the power of twenty-one options, totalling 4.398.046.511.104.

That's either ten billion or four trillion ways to implement the copyright directive, depending on how you read article 5, paragraph 4. It's very hard to visualize numbers of this size, but the larger number is about fifteen times larger than the number of stars in our galaxy.

This back-of-envelope analysis doesn't even touch on the combinatorial implications of different understandings of the details of articles 5.5, 6 and 7 in particular, and in general the rest of the directive, mostly because they're less directly quantifiable. Let alone the distinction between "exception" and "limitation", which could easily bring the number up significantly.

This basically means that, a priori, there is a one in three hundred and eighty million chance that any two member states come up with the same implementation, taking the slightly better case. How does that serve the ideal of a single market?

It looks like internal dissolution about the specifics of the exception clauses, with each country being difficult in its own little way and no political hardheadedness forcing a tenable solution, has yielded a completely useless directive in terms of unification. While it is true that all the member states could in theory decide on the same exceptions, making this headache go away, the fact that they're all optional suggests that, in each case, there was at least some strongly for and some strongly against.
At some point somebody must have gotten so tired of debating the exceptions that they just lumped all of them together under optional and decided to let the Member States figure it out.

What this shows is that the EU is not effectively managing to create a single market, and through its policy on intellectual monopolies may even be pushing the markets further apart. The question of who stands to gain from this state of affairs is left as an exercise to the reader.

(Contribution by Smari McCarthy - International Modern Media Institute)

============================================================
10. Recommended Action
============================================================

Stop ACTA!
http://www.edri.org/stopacta

Beat the censor - online game
http://stefanwehrmeyer.com/projects/beatcensors/

============================================================
11. Recommended Reading
============================================================

Civil society letter against the US SOPA law - Stop Online Piracy Act (15.11.2011)
http://www.edri.org/files/sopa_civilsociety_15Nov_2011.pdf

EU charter creating "confusion" on human rights (11.11.2011)
http://euobserver.com/18/114247

Want to create a really strong password? Don't ask Google (8.11.2011)
http://www.lightbluetouchpaper.org/2011/11/08/want-to-create-a-really-strong...

INTA chairman defends secrecy (12.11.2011)
http://acta.ffii.org/?p=869

============================================================
12. Agenda
============================================================

24-25 November 2011, Vienna, Austria
"Our Internet - Our Rights, Our Freedoms" Towards the Council of Europe Strategy on Internet Governance 2012 - 2015
http://www.coe.int/t/informationsociety/conf2011/

30 November 2011, Brussels, Belgium
Horizon 2020: investing in the common good
Treating knowledge as a public good in EU research and innovation
http://tacd-ip.org/archives/459

27-30 December 2011, Berlin, Germany
28C3 - 28th Chaos Communication Congress
http://events.ccc.de/category/28c3/
http://events.ccc.de/congress/2011/

25-27 January 2012, Brussels, Belgium
Computers, Privacy and Data Protection 2012
http://www.cpdpconferences.org/

14-15 June 2012, Stockholm, Sweden
EuroDIG 2012
http://www.eurodig.org/

9-10 July 2012, Barcelona, Spain
8th International Conference on Internet Law & Politics: Challenges and Opportunities of Online Entertainment
Abstracts deadline: 20 December 2011
http://edcp.uoc.edu/symposia/idp2012/cfp/?lang=en

============================================================
13. About
============================================================

EDRi-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRi has 28 members based or with offices in 18 different countries in Europe. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRi-grams.

All contributions, suggestions for content, corrections or agenda-tips are most welcome. Errors are corrected as soon as possible and are visible on the EDRi website.

This EDRi-gram has been published with financial support from the EU's Fundamental Rights and Citizenship Programme.

Except where otherwise noted, this newsletter is licensed under the Creative Commons Attribution 3.0 License.
See the full text at http://creativecommons.org/licenses/by/3.0/

Newsletter editor: Bogdan Manolea <edrigram@edri.org>

Information about EDRI and its members:
http://www.edri.org/

European Digital Rights needs your help in upholding digital rights in the EU. If you wish to help us promote digital rights, please consider making a private donation.
http://www.edri.org/about/sponsoring
http://flattr.com/thing/417077/edri-on-Flattr

- EDRI-gram subscription information

subscribe by e-mail
To: edri-news-request@edri.org
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.

Unsubscribe by e-mail
To: edri-news-request@edri.org
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay. Translations are provided by Metamorphosis
http://www.metamorphosis.org.mk/edri/2.html

- EDRI-gram in German

EDRI-gram is also available in German, with delay. Translations are provided by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for Internet Users
http://www.unwatched.org/

- Newsletter archive

Back issues are available at:
http://www.edri.org/edrigram

- Help

Please ask <edrigram@edri.org> if you have any problems with subscribing or unsubscribing

----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE