============================================================ EDRi-gram biweekly newsletter about digital civil rights in Europe Number 7.2, 28 January 2009 Special issue - Data protection day ============================================================ Contents ============================================================ Data Protection Day 1. EU proposal puts confidential communications data at risk 2. Privacy and data protection in the Netherlands in 2008 3. Data protection in Italy: Loudly more of the same 4. Romania: Is really privacy a topic in the public debate? 5. UK: Phorm threat 6. Macedonia: Privacy Developments in 2008 7. Austria: Some EU data protection policy developments in 2008 8. France: Who have they forgotten to control today? 9. Germany: A new fundamental right, a privacy mass movement + surveillance 10. Some EU data protection policy developments in 2008 11. Towards International Data Protection Standards 12. Recommended Action 13. Recommended Reading 14. Agenda 15. About ============================================================ Data Protection Day ============================================================ 28 January is the European Data Protection Day. For the third time, in 2009, this date marks the anniversary of the Council of Europe's Convention 108, the first legally binding international instrument related to data protection. This issue of the EDRi-gram is dedicated to the European Data Protection Day and marks the privacy developments in some European countries in the past year, as reported by EDRi members. It also includes a warning from major civil society groups and the EDPS on the adoption of the "voluntary data retention" in the telecom package. European data protection day activities - 28.01.2009 http://www.coe.int/t/e/legal_affairs/legal_co-operation/data_protection/Defa... ============================================================ 1. EU proposal puts confidential communications data at risk ============================================================ Civil liberties groups La Quadrature du Net, European Digital Rights (EDRi), AK Vorrat, and Netzpolitik.org are urging the European Parliament to heed advice given by the European Data Protection Supervisor Peter Hustinx and scrap plans dubbed "voluntary data retention". "A proposal currently discussed in the European Parliament as part of the 'telecom package' would allow providers to collect a potentially unlimited amount of sensitive, confidential communications data including our telephone and e-mail contacts, the geographic position of our mobile phones and the websites we visit on the Internet", warns Patrick Breyer of German privacy watchdog AK Vorrat. "Apart from the creation of vast data pools that could go far beyond what is being collected under the directive on data retention, the proposal would also permit the passing on of traffic data to other companies for 'security purposes'. We must not let a potentially unlimited amount of confidential data be exposed to risks of disclosure or abuse in this way", he also said. "This proposal is lobbied for under the guise of 'security', but what it really means is that users and citizens would have no expectation of privacy on the Internet anymore," adds Ralf Bendrath from EDRi. "This is a clear breach of the European tradition of considering privacy a fundamental human right." In a paper published earlier this month, European Data Protection Supervisor Peter Hustinx joined the critics, warning the proposal would constitute a "risk of abuse" and "may be interpreted as enabling the collection and processing of traffic data for security purposes for an unspecified period of time." Hustinx reached "the conclusion that the best outcome would be for the proposed Article 6.6(a) to be deleted altogether" - a view firmly shared by La Quadrature du Net, EDRi, netzpolitik.org and AK Vorrat. "A few months before the elections, citizens will have the opportunity to see if the Members of European Parliament are willing to protect their privacy", declares Jirimie Zimmermann, co-founder of the citizen's initiative La Quadrature du Net. "Every citizen should inform their MEPs and ask them to massively reject this article 6 (6a) of the ePrivacy directive. Other crucial issues about content and network neutrality are at stake as well.We must remind MEPs that they were elected to protect Europeans' fundamental rights and freedom rather than abolishing them in favour of particular interests." In a letter of September last year, 11 German civil liberties, journalists, lawyers and consumer protection organisations "urgently" asked the Commission, the Council and Parliament to scrap the proposed article 6 (6a) and "maintain the successful regulation of traffic data" which they say has "proven to constitute the best guarantee for our safety in information society." Second opinion of the European Data Protection Supervisor on the review of Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (9.01.2009) http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consul... Open leter to MEP rapporteurs (8.12.2008) http://www.laquadrature.net/files/20081208_LaQuadrature_letter-rapporteurs-t... Resistance against watering down of traffic data protection (29.10.08) http://www.vorratsdatenspeicherung.de/content/view/271/79/lang,en/ Position on the processing of traffic data for "security purposes" (27.01.2009) http://www.vorratsdatenspeicherung.de/images/wg_esecurity_position.pdf ============================================================ 2. Privacy and data protection in the Netherlands in 2008 ============================================================ The year 2008 did not improve the course of privacy and data protection in the Netherlands. The public debate focused on data collection systems related to fundamental aspects of Dutch citizens' lives, such as communications, health and movement. Unfortunately, there are no signs that concerns or incidental public outcry over privacy will lead to significant improvements to the design of the systems or reconsideration of their goals, merit and impact on society. After years of negotiations, the Dutch Data Protection Authority (DPA) approved the data protection guarantees in the smart card system for the public transport sector. Besides other major implementation problems, the smart card system introduces a major privacy concern due to the planned registration of all travel movements of users of the Dutch public transport system in a central database. At the end of 2008, the DPA approved the system after receiving guarantees that only derived data would be used for marketing purposes with an opt-out and that for any processing of personal travel movements opt-in will be sought. As there are no hard guarantees that all personal travel data will be deleted or that the system will not make it possible to access travel movements in identifiable form, many have expressed their disappointment with the approval. Another transport related privacy problem that re-entered the public debate in 2008 was the planned system for road charging. The current design for the system entails the collection of details about personal travel movements. The Dutch Parliament considered the data retention implementation law in the first half of 2008. In this context, a group of prominent academics voiced their concern that Dutch society is turning into a control society and a police state. After the Parliament adopted the law, lowering the data retention term from 18 to 12 months, the Senate has been critically looking at the proposal ever since. The Senate has also another law under consideration that would streamline access for the national security agency to datasets in the public, communications, transport and financial sector. Probably the most prominent discussion about privacy took place in the health sector. The Electronic Patient File (EPD), a centralized system for the collection and exchange of medical data for use by medical professionals, caused widespread privacy concerns and generated 170 000 objections. Like the public transport smart card, the EPD has major implementation problems and has recently been postponed. A similar national dossier system for children, proposed to improve child care by building an extensive digital dossier of each young individual, is still on the political agenda. The broadly defined dataset, including medical data, psychosocial data and subjective opinions about children and their parents, will be updated for all children until they reach the age of nineteen, after which it will be kept for another 15 years. Finally, a government commissioned report on the balance between privacy and security in the public sector was published. The report, titled "Do it simply, Simply do it", concludes that government and public agencies should be pragmatic, but do much more to protect privacy and deal with the possible tension between privacy and security while doing their work. The report gives a number of recommendations and a reference framework for dealing with privacy and security issues. It advises to "keep it simple, facilitate and ensure that security and privacy are mutually reinforcing as far as possible." The report has been widely interpreted in the media as a call to stop addressing fundamental questions related to the widespread processing of personal data in the public sector. EDRi-gram: Dutch Parliament lowers data retention term to 12 months (4.06.2008) http://www.edri.org/edrigram/number6.11/nl-data-retention-12-months Report, 'DO IT SIMPLY - SIMPLY DO IT, to protect security and privacy', (in Dutch, Bijlage 4 = English Summary, 22.01.2009) http://www.minbzk.nl/aspx/download.aspx?file=/contents/pages/96602/rapportge... OV-Chipkaart roll-out creeps forward (16.01.2009) http://www.railwaygazette.com/news_view/article/2009/01/9219/ov_chipkaart_ro... (Contribution by Joris van Hoboken) ============================================================ 3. Data protection in Italy: Loudly more of the same ============================================================ I am sorry to say that I am skeptical about "days" dedicated to this or that cause or problem. They are often ignored, sometimes briefly celebrated, rarely leave any relevant trace over time. There are so many that we shall soon have one a week - and it won't be more relevant than brunch on Sunday. On the loud and confusing current debate in Italy about data protection, the situation could be summarised in four words. More of the same. There has been a lot of wiretapping (sometimes real, sometimes imaginary or overstated) for over sixty years (actually also long before that, but it's reasonable to start from when Italy returned to democracy and freedom after World War Two). And of course it extended to electronic networks since the very beginning. It's a notorious, though rarely published, fact that there were legitimate police forces, as well as "undercover" spies by secret services or private interests, including scamsters and organised crime, lurking since the days when networking was based on BBSs or newsgroups and the extended use of the internet was not yet developed. Privacy and data protection were practically ignored until a poorly conceived law was instated in 1996, creating a bureaucratic body called "Ufficio del Garante" that was supposed to be an "ombudsman" but, de facto, has rarely done anything in that role, being much more concerned with complicated and inefficient formalistic ruling and with occasional attention to the specific cases of politicians or "famous people" being embarrassed in their "privacy" or spied in legal or illegal ways. The currently loud debate is more confusing than it is meaningful. While everybody is saying that it's about the rights of citizens, the truth is that it relates to the conflicting interests of politicians and mass media. There have been, over the years, many episodes (and discussions) about intercepting private telephone conversations, or online communication - sometimes legally, sometimes not - including some invasive spying done secretly by individuals or departments in telecoms - in addition to ISPs being forced by authorities or police to spy on their customers. Another source of aggressive debate is the "leaking" to the press of recorded conversations, including private dialogues unrelated to any criminal investigation. At this stage, it's hard to understand what is actually happening and what may happen in the next few days or weeks - or maybe never. Italy's Prime Minister has publicly announced that he will make "shattering revelations", but we don't know if and when he, or some government spokesman, will actually do so - and what the "scandal" might imply. There is threatening talk about new legislation, but so far no indication of what, when and how. Also the issue of data retention is discussed in contradictory and confusing statements, some proclaiming the need to extend it in size and time and some saying the opposite (more for the cost and organisation problems of generating and maintaining vast databases than for the protection of citizens' privacy). Is this just more inconclusive noise, as has happened many times, or will it lead to some action on a national scale or (as has been suggested) as recommendations to the European Union and/or on a wider international scale, maybe including the G8 meeting to be hosted in Italy in July 2009? Quite simply, we don't know. And, as far as we can tell, nobody (so far) has a clear idea of what those rulings or suggestions might imply. There may be some news in the next few days, or it could take much longer, or it could vanish (if only for a while) from the political and media scene as other priorities prevail. Right now, we can only wait and see. EDRi-gram: ENDitorial- Seizures and other abuses - from bad to worse (22.10.2008) http://www.edri.org/edri-gram/number6.20/seizures-and-other-abuses ALCEI - Data Retention http://www.alcei.org/?cat=4 Data retention - not only a privacy issue - Civil rights and ambiguity of crime "prevention" (24.01.2004) http://gandalf.it/free/datret.htm Internet freedom, privacy and culture in Italy (and the activity of NGOs) (02.2000) http://gandalf.it/free/ifp.htm (contribution by Giancarlo Livraghi - EDRi-member ALCEI - Italy) ============================================================ 4. Romania: Is really privacy a topic in the public debate? ============================================================ Privacy is a sporadic keyword in the Romanian mass-media. And even less used in public speech. Becoming an ideal motivation only when talking about some local stars' private life and their juicy intricacies, the real debate on the most important issues lacks completely. The Human Rights Committees in the Parliament seem unfamiliar with the topic and the Data Protection Authority prefers to keep its quiet status. What to discuss anyway? A law on the Police DNA database was approved by the Parliament in 2008. The subject did not seem to be appealing for any public debate and the Chamber of Deputies Human Rights Committee did not see even a minor problem with that version, so they adopted it unanimously with no amendments. No reference or report from the data protection authority was considered useful, but a "simple reference" to law 677/2001 was indicated. The deletion of the stored data is possible only by decision of the court or prosecutors that are investigating the case. Therefore, if they forget about that, you need to start your own case on this. The law foresees a number of 30 crimes for which collecting DNA is possible. The April Eurobarometer that investigated perceptions on data protection among EU citizens shows that 79% of the Romanians have no idea that there is a law in the field of personal data. I might add to that: if the other 21% were asked to name it, probably at least 19% would have found that they were wrong. The same study reveals that Romania is number one in EU countries with the percentage of the people (47%) not knowing that there are laws allowing you to have access to your personal data kept by others. Not surprising with a Data Protection Authority which is understaffed and has insignificant powers or will to be an active voice in the public sphere. But let's be more positive. How can you not be happy when you might find, after you finish your master courses at the prestigious Academy of Economic Sciences (ASE) in Bucharest, that you have an account at a Romanian Bank without signing any act or being informed about it. Isn't it funny to get a bank statement home from a bank account you had no idea about? The bad part is that there is no money in it, only the traditional bank commission. The Representative of ASE must be right: the students are to blame, because they did not check the ASE web page. And let's be smart. We may find already a few websites presenting now real databases of Personal Numerical Code (CNP) or just simulated CNP that seem real. CNP is a piece of 13-figure data on everyone's ID, which should be the "master identifier". One of the reason of these databases is that some telecom operators are asking for the CNP data to activate some extra-options on the pre-paid cards. Should we care? The Romanian Government decided to start issuing biometric passports starting with 1 January 2009, after postponing it a couple of times. Although most of the public comments against the law involved arguments related with the "corporate conspiracy", "devil's hand" or "666 dangerous number", a court case has been initiated by a lawyer in order to stop its application on privacy grounds. It remains to be seen what the judge will decide. The data retention law was approved by the Parliament, even though all the major key-actors involved in the discussion have agreed that it is useless and it will not work. But they have supported it, because Romania can't make a stand in front of the EU. Not yet, at least. Funny enough, the law includes the first crime related to the misuse of personal data (the intentional access to the data without a proper authorization is a crime punished with prison from 6 months to 2 years.) Even funnier, after the draft law has received almost no comments and little interest from the media and general public, the day it entered into force someone discovered it in the Official Journal and a public outcry started with tons of newspaper articles on the new law, stating that the law "will keep all the content of communications, including phone calls, SMSs and emails." Politicians started to appear on TV claiming privacy breach, when only 3 months before they raised their hands to support the same law. Another brave action - an online petition - gathered a lot of signatures claiming that the Romanian Government will create an "archive of all emails sent by Romanians." All this when the new law says - in black and white - that the content is not kept. But saying that, you are already a protector of the government intrusion into the private life. So, I am wrong - privacy is in the public debate. With the totally wrong subject and no legal arguments, but it is somewhere there. Shouldn't we be happy? EDRi-gram: Romanian Govt adopts Data retention law, but calls it inefficient (27.02.2008) http://www.edri.org/edrigram/number6.4/romania-data-retention EDRi-gram: Eurobarometers on data protection in EU (23.04.2008) http://www.edri.org/edrigram/number6.8/eurobarometer-data-protection Over 300 master students from ASE accuse the institution of opening bank accounts without their knowledge (only in Romanian, 24.04.2008) http://economie.hotnews.ro/stiri-finante_banci-2866018-peste-300-fosti-maste... Law 76/2008 - Police DNA Database (only in Romanian) http://www.cdep.ro/proiecte/2008/000/10/8/leg_pl018_08.pdf Some things about biometric passports (only in Romanian, 27.01.2009) http://legi-internet.ro/blogs/index.php/2009/01/27/citeva-chestii-pasapoarte... (contribution by Bogdan Manolea, EDRi-member APTI - Romania) ============================================================ 5. UK: Phorm threat ============================================================ One particular commercial threat to internet privacy should be looked at very closely by our fellow European Digital Rights campaigners. That threat is Phorm: an invasive and probably illegal web advertising technology that could soon be coming to you. Phorm works by looking at the web traffic between you (an ISP client) and the sites you visit. Phorm examines the content of the web pages you visit, and logs keyword information derived from it. Phorm can then deliver adverts to you based on keyword information. For instance, if you visit car related sites, and make searches for new car models, you would start seeing car adverts when you visit Phorm's partner's websites. UK EDRi-member Open Right Group (ORG) was alerted last March on the serious privacy concerns Phorm poses, and has been working hard to establish what is really being advocated. We believe the technology is fundamentally invasive and illegal. Permission to examine data moving from website visitor and owner must be approved in advance by both parties. Not obtaining permission from both parties is illegal. Yet UK ISPs such as BT and Virgin are not seeking to gain permission from website owners. Seeing web traffic as belonging to sender and receiver is the right way to view privacy on the net. The data on websites belongs to many people, and the data exchanged and the relationship between a client and a website owner should remain private. Despite these obvious privacy and legal worries, Phorm could soon be on the agenda in your country too. ISPs are interested because it gives them the potential to dominate the internet advertising sector. Many 'content creators' and EU governments could be interested in Phorm, because they perceive ad revenues to be slipping from traditional domestic outlets. This is why you need to be interested, as Phorm's invasive technology could easily be seen to be a panacea for Europe's advertising market troubles. Foundation for information policy research - Open Letter to the Information Commissioner (17.03.2008) http://www.fipr.org/080317icoletter.html The Phorm storm (12.03.2008) http://www.openrightsgroup.org/2008/03/12/the-phorm-storm/ 4 good reasons not to take part in the BT Webwise trial (30.09.2008) http://www.openrightsgroup.org/2008/09/30/4-good-reasons-not-to-take-part-in... What BERR want from Phorm - and what we think they're missing (19.09.2008) http://www.openrightsgroup.org/2008/09/19/what-berr-want-from-phorm-and-what... The Phorm "Webwise" System (18.05.2008) http://www.cl.cam.ac.uk/~rnc1/080518-phorm.pdf (contribution by Jim Killock, EDRi-member Open Rights Group - UK) ============================================================ 6. Macedonia: Privacy Developments in 2008 ============================================================ Even though the Constitution of the Republic of Macedonia and the Law on Personal Data Protection (LPDP), the Criminal Code, Law on Organization and Operation of State Administrative Bodies and other laws recognize and protect the rights of privacy, data protection and secrecy of communications, the implementation of these protections has met with major difficulties during 2008. A small number of Macedonian NGOs cover the issue of privacy, and during 2008 their main concerns involved the protection of human rights of children on the Internet-including the privacy of children-and the protection of privacy by the police and law enforcement agencies. In July 2008, the Parliament ratified the Additional Protocol of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and trans-border data flow. This document was signed on 4 January 2008. In July 2008, the Parliament also enacted the Law that amends the LPDP and increased the fines for spamming. Both pieces of legislation (the Additional Protocol and the amendments) came into force on August 19, 2008. The main amendments and modifications were made for the harmonization with the EU acquis and CoE Convention, adding specific provisions regarding video surveillance, the independence of the Directorate for Personal Data Protection and the simplification of the notification and complaint handling procedures. For the period of 2007-2008, the Directorate gave priority to public awareness on the right of personal data protection. In cooperation with the EDRI-member Metamorphosis Foundation it implemented the Norwegian model on raising public awareness for youngsters, through creation of educational content and conducting public events in three secondary schools. During 2008, Metamorphosis Foundation implemented the Children's Rights on the Internet - Safe and Protected (CRISP) project, co-funded by the European Initiative for Democracy and Human Rights (EIDHR) and Metamorphosis. It included establishment of a network of 12 NGOs working on the promotion and safeguarding of children's rights online in cooperation with the Directorate for Personal Data Protection. Project activities included developing a curriculum and educational resources in Macedonian and Albanian, available both offline and online, and conducting trainings. The trainings covered 50 primary and 20 secondary schools with participation of 8,482 children, 1,138 parents and 1,170 teachers from 12 cities and 7 villages from all parts of Macedonia. A public panel on privacy in Macedonia held on 26 August 2008, as part of a public consultation to elaborate the Macedonia Report for Privacy and Human Rights Report 2008, reiterated the assertions from the previous year that there has been no public knowledge about cases of implementation of privacy protection provisions of the Law on Electronic Communications, and spamming remains widespread practice in the Macedonian business sector. Moreover, at least one company continues to provide spamming services for other companies, and the number of Macedonian legal entities who have a privacy policy remains insignificant. Even though wiretapping is regulated and unauthorized wiretapping is prohibited, the wiretapping cases initiated in the past have not reached closure in court. The most notable example is the process against the state initiated by 17 journalists who have been subject to surveillance in the "Big Ear" affair of 2001. Over seven years, four different judges have unsuccessfully presided over this trial, and it was finally resolved at a retrial in June 2007. The state was found guilty, but the 17 plaintiffs stated that they remain dissatisfied with the compensation and the whole process. Their representatives stated that they won't discontinue the trial already underway at the European Court of Human Rights in Strasbourg, based on their complaint. In September 2008, the Appellate court confirmed the verdict of the basic court, but lowered the damages from the initial 6.000 Euros to approximately 4.000 Euros per journalist. The journalists have stated that "they are not satisfied with the compensation, and the precedent sets a signal that the violation of human rights is cheap in Macedonia." After the Parliamentary elections of June 2008, the Government and the Parliament used an unjustified fast-track procedure, to adopt changes and amendments to over 164 laws in July and 17 laws in the following month without any public debate. These changes included amendments of the Criminal Procedure Code and the Law on Communication Interception that widened the powers of surveillance for the law enforcement agencies. Prominent NGOs such as Foundation Open Society Institute - Macedonia, Association for Criminal Justice and Criminology of Macedonia and Helsinki Committee for Human Rights of the Republic of Macedonia condemned the legalization of preventive surveillance and removal of need to justify special investigative measures with evidence of reasonable doubt before the judiciary. The NGOs warned that these changes can turn Macedonia from a state based on a rule of law into a "police state unconcerned with respect of basic human rights and freedoms." In practice, even the older, stricter legislation was not enforced. The Parliamentary Committee for the supervision of the application of communication interception techniques by the Ministry of the Interior and the Ministry of Defense was denied access to data and did not issue any reports during 2008. Metamorphosis Foundation also provided opportunities for raising awareness of opinion and decision makers, for instance, by including data protection sessions within the 2008 agenda of the Fourth International Conference e-Society.mk focused on ICT in Education. In order to raise the public awareness also, Metamorphosis also formed an ad-hoc coalition of NGOs and other institutions to celebrate the Freedom Not Fear Day in Macedonia. FNF coincided with the public holiday of 11 October - the Day of uprising against fascism in World War II, and involved organizing public debate at the faculty of law and distribution of information on video surveillance on university campuses and the centre of Skopje, including an infostand and public survey. Several thousands of people were reached by these activities, and most citizens expressed concerns about various ways of "spying" conducted by the Government, corporations and individuals which threaten their privacy. During 2008, legal experts and human rights activists raised concerns about the extensive use of detention and violation of privacy and the presumption of innocence. The Macedonian Helsinki Committee and the Human Rights Project continuously condemned spectacular arrests by the police, which included inviting the media to film the handcuffed suspects escorted by law enforcement officers. Only one TV station with license for national coverage, TV Telma, adopted a policy to no longer broadcast such arrests and police-escorted transports. Reacting changes in the legislation the Helsinki Committee also organized public debate on the reasonable expectations in regard to privacy protection versus efficiency in the fight against crime and corruption in a state of laws on 25 November 2005. However, state representatives failed to appear at the debate and provide arguments that would alleviate the concerns raised by the representatives of the civil and academic sector. Metamorphosis Foundation http://www.metamorphosis.org.mk International Conference e-Society.mk http://www.e-society.mk Macedonia: Public outcry over new legislation for preventive surveillance http://www.metamorphosis.org.mk/content/view/1198/4/lang,en/ Freedom Not Fear in Macedonia (10-11.10.2008) http://wiki.vorratsdatenspeicherung.de/Freedom_Not_Fear_2008/Skopje Debate on Privacy in Macedonia (26.08.2008) http://www.metamorphosis.org.mk/content/view/1250/3/lang,en/ Appellate court confirms: The Big Ear Journalists were wiretapped (only in Macedonian, 2.09.2008) http://www.vecer.com.mk/?ItemID=C50F895AE5A071478301A8CF24F47A51 Decree for enacting the Law for changing and amending the Law on Personal Data Protection (only in Macedonian, 19.08.2008) http://dzlp.mk:8500/FILES/1164/PUBLIC/CONTENT/57980790416419030709141_FILES/... Fees ranging from 500 to 2000 Euros for unwanted spam-messages (only in Macedonian, 29.08.2008) http://www.dnevnik.com.mk/?itemID=1FD6BF9F94C51940AA425A047194D9B5&arc=1 Debate on Privacy in Macedonia, Metamorphosis Foundation (29.09.2008) http://www.metamorphosis.org.mk/content/view/1250/3/lang,en/ Directorate of Data Protection in Macedonia - Legal grounds for the protection of personal data in the national legislation http://www.ceecprivacy.org/main.php?s=2&k=macedonia Helsinki Committee for Human Rights of the Republic of Macedonia http://www.mhc.org.mk Human Rights Support Project http://www.hrsp.org.mk (contribution by EDRi-member Metamorphosis Foundation - Macedonia) ============================================================ 7. Austria: Some EU data protection policy developments in 2008 ============================================================ In Austria the international data protection day on 28 January will pass by widely unrecognised. This year, as already in 2008, the Data Protection Commission (DSK; the Austrian Data Protection Authority) and the Data Protection Council (DSR; a political advisory board) will together organise a meeting for a strictly limited amount of interested persons (max. 100 participants) where they will present European and international developments in data protection. In contrary to 2008, where they were confronted with by far more than 100 registrations, the event was promoted very poorly. On the homepage of the DSK and on the 'Data Protection Day' website on the Council of Europe website it is not even mentioned! This situation is somewhat symptomatic for Austrian data protection. Data protection here usually is not for the masses, it is an administrative task that rather involves formalised decisions than public debate and open discussions. It's a pity that the organisers of this years event chose to maintain the access restrictions. Opening the event for a broader audience would have given the option for further development towards an annual Austrian Data Protection Conference. For this year the chance is gone but there is another chance next year. We'll keep you informed. The following paragraphs provide a summary of major developments in the past year with regard to legislative initiatives, surveillance trends and important data breaches. Finally an outlook to the coming years will be presented. Legislative Initiatives On 6. December 2007 the Austrian Parliament adopted a reform of the law on security police. Ten minutes before midnight of that day (the last parliamentary session of the year) members of the governing parties (Social Democrats and Conservatives) tabled an amendment that significantly increased the surveillance possibilities for security police, while ignoring the usual parliamentarian workflow of discussing amendments in the relevant committee before voting. Result of this initiative is that mobile telecommunication and Internet providers have to provide location information of mobile phones and IP addresses on request of security police. A court permission is not required! In the first five weeks of 2008 location data of 82 mobile phone users and the identity of 2.766 subscribers were requested. According to an article published in the Austrian newspaper "Die Presse" there are 32 such requests per day. The members of the Parliament who tabled the mentioned amendment received the Austrian Big Brother Award 2008. Several complaints against the law were filed with the Austrian Constitutional Court. In April 2008 an amendment to the Data Protection Act 2000 was published for comments. Key elements are legal requirements for video surveillance by private operators, new requirements for private businesses with at least 20 employees to create the position of a data protection supervisors and harmonisation of responsibilities (the federal government gets all data protection competences). Currently the Data Protection Commission has to approve video surveillance installations of private operators. According to the proposed amendment video surveillance will be allowed in future if dangerous attacks or criminal offences were committed in that area within the last 10 years, or if expensive objects worth more than 100.000 EUR or of exceptional artistic value need to be protected. Video surveillance needs to be properly announced and will remain prohibited in toilets and changing rooms. Furthermore the amendment proposes a centralised database of all private video surveillance installations. If needed the police will be allowed to access the data of these cameras. In general the retention of video data will be limited to 48 hours, which can be extended on request to the DSK. In future it will not be required to file realtime video-surveillance with the DSK. Police access to highway video surveillance is envisaged and fortunate discoveries may be used for penal action. Due to the premature reelections of the Austrian Parliament in 2008 the amendment to the Data Protection Act 2000 finally did not make its way through the legislative process. It is expected to re-appear in 2009. On the proposal of the European Commission on the use of Passenger Name Record data, a Social Democrat MPs tabled a motion for resolution with the Austrian Parliament. They proposed to wait for the decision of the European Court on the structural similar data retention directive and on the entering into force of the Lisbon treaty. Furthermore they ask to consider the opinion of Article 29 working group on the Commission proposal, since there are severe data protection concerns. Data retention - The data retention directive is still not implemented in Austria. There are no known plans to do so in the near future. On biometric passports the Council of Ministers decided in June 2008, that fingerprints of the two index fingers (if existing) will be stored on an RFID chip on the passport. The data additionally will be stored for up to four months at the Staatsdruckerei, which produces the passports. Currently the parliamentarian decision making process is ongoing: On 21.01.2009 the National Council adopted the respective law with votes of all represented parties except the Greens. The Federal Council will vote on it on 27.01.2009, one day before the International Data Protection Day. It is expected that the law will not be rejected there. In 2007 the Federal Minister of the Interior and the Federal Minister of Justice agreed on the implementation of hidden uses of remote forensic software (so called federal trojan horses) and established a working group to work on the details of the legal and technical issues. In April 2008 the working group published its final report. The experts claimed that from a constitutional point of view a number of fundamental rights are affected which limit the implementation of such online-searches and constitute warranty deeds for the state. Surveillance Trends The major surveillance trends of 2008 all focus on uses of video surveillance. In traffic control we saw the introduction of systems for automated checking of road tax vignettes, automated scanning of vehicle number plates where the collected data is checked against a wanted vehicles list, and the use of video surveillance for the execution of speed limits (section control). In the case of section control Austrian highest courts decided that it only may be used on a case by case order of the competent Minister, including a detailed description of the special setup. Other examples of increased video surveillance are the pilot-use of video-surveillance in trains of Vienna's underground, where data are stored for 48 hours, video surveillance in trains from the Austrian Railway and video surveillance in residential buildings owned by the City of Vienna where garages, elevators and rooms for dust bin storage will be monitored. The pilot phase of the so called dust bin monitoring was approved by the DSK and will last until end 2009. Aim is the protection against vandalism. Important data breaches In 2008 the case of a teenage asylum seeker and her family received lots of media coverage in Austria. When the pressure on the Ministry of the Interior was too intense, personal data on a family member from the police information system EKIS and from the police file index leaked to the public. Pictures from these files together with a corresponding press release were published on the Internet by a senior official of the Ministry. Police investigations on this data leakage are ongoing. The administration of the residential buildings of the City of Vienna, Wiener Wohnen, sent a questionnaire to all 220 000 renters of their flats asking for their opinion on their flat, their neighbours, the surrounding of the building, the security situation, their administration and the City of Vienna. Wiener Wohnen offered that the questionnaire could be returned anonymously by blacking the Name printed on the form. The responsible City Council said, that the barcode on the second page of the form only would be used as a reference to the administrative district the answer came from. This was in the best case misleading, since the barcode contained the renters complete customer number, which allowed for a personalisation of the answers given on the questionnaire. The director of Wiener Wohnen received the Austrian Big Brother Award 2008. Outlook After the premature reelections in 2008 a new government took office last year. Their government programme includes the following topics relevant to data protection: The use of remote forensic software (so called federal trojan horses) by police will be allowed. It will be clarified that the DSK is not competent in cases where the Criminial Investigation Department is active in cases of criminal law. The cooperation with Schengen partners will be intensified, common Visa- and Biometric-Centers will be established, possible cooperation with external service providers (outsourcing) will be analysed. A DNA-Offensive aims for a nationwide collection and analysis of DNA samples and will serve as a basis for new application areas. Electronic health records will gain increased importance. The implementation of the data retention directive is not mentioned in the government programme. A decision of the Constitutional Court on the complaints against the law on Security Police is expected in 2009. At this years election of the Austrian Students Union in May 2009 the Federal Government wants to run an e-voting pilot. The Austrian Students Union strongly opposes these plans due to unresolved legal and technical questions. Also the Data Protection Council advised to refrain from this plans. This pilot election is commonly considered to be a test-case for the use of e-voting in elections to the Austrian Parliament. Data Protection Commission http://www.dsk.gv.at/ Law on Security Police (only in German) http://www.parlament.gv.at/PG/DE/XXIII/BNR/BNR_00181/pmh.shtml Die Presse on access to location information and IP addresses by Security Police (only in German) http://diepresse.com/home/panorama/oesterreich/370803/index.do Austrian Big Brother Awards (only in German) http://www.bigbrotherawards.at/2008 Proposed amendment to the Data Protection Act 2000 (only in German) http://www.parlament.gv.at/PG/DE/XXIII/ME/ME_00182/pmh.shtml Motion for a resolution on PNR-data (only in German) http://www.parlament.gv.at/PG/DE/XXIII/A/A_00651/pmh.shtml Parliamentary decision on biometric passports (only in German) http://www.parlament.gv.at/PG/PR/JAHR_2009/PK0023/PK0023.shtml Final report of the working group on remote forensic software (so called federal trojan horses)(only in German) http://www.justiz.gv.at/_cms_upload/_docs/AG_OnlineDurchsuchung_Endbericht.p... Government programme of the Austrian Federal Government (only in German) http://www.oevp.at/Common/Downloads/Regierungsprogramm2008-2013.pdf Opinion of the Data Protection Council on E-Voting at the elections to the Austrian Students Union (only in German) http://www.bundeskanzleramt.at/DocView.axd?CobId=31084 (contribution by Michael Hofer and Andreas Krisch - EDRi member VIBE!AT) ============================================================ 8. France: Who have they forgotten to control today? ============================================================ The CNIL, the French Data Protection Authority, has published on 20 January 2009 a report on a massive control operation it conducted on the STIC ("Systhme de traitement des infractions constaties" or "Recorded offences treatment system"), a huge police database. The report reveals that the STIC is consulted by each one of the 100.000 authorised policemen 200 times a year on average. This immediately reminded me the old British Telecom's slogan: "who have you forgotten to call today?" Police files have been the main concern in France in 2008, especially after the creation, by decrees published on 1st July 2008, of two new intelligence databases, EDVIGE and CRISTINA. CRISTINA aims at "Centralising inland intelligence for homeland security and national interests", and is covered by the defence secret, which means that no one knows any detail on this file. This is not the case of EDVIGE, which has generated such a massive mobilization in the society that the government had finally to withdraw the EDVIGE decree in November 2008. EDVIGE would have systematically gathered information on any person having applied for or exercised a political, union or economical mandate or playing a significant institutional, economical, social or religious part as well as information on any person, starting from the age of 13, considered by the police as a "suspect" potentially capable of disrupting the public order. After the strong opposition of a large number of associations, political parties, unions and individuals, with a petition signed by almost 220.000 individuals and 1200 associations, a complaint filed by 12 labour unions and rights organizations, among them EDRI-member IRIS, before the French highest administrative court, and a huge national day against EDVIGE on 16 October where 10.000 persons took part in demonstrations in 60 French cities, the government finally had to react. It announced a modified project, called EDVIRSP, not yet published. While the new file would explicitly exclude information related to people's health or sexual orientation, it would keep other sensitive personal data such as ethnical origin, as well as political, philosophical, religious opinions or union affiliation, and would still allow the police to store data on minors starting at the age of 13 if they are considered a threat to public safety. CNIL's President said that "the STIC is more dangerous than EDVIGE", because of the huge number of errors the CNIL has found in the STIC. But the main difference is that the CNIL will never be able to establish errors in EDVIGE, contrarily to the STIC, because EDVIGE will never contain any fact, but simply presumption of facts that could be committed. The STIC is dangerous enough, however. The file exists since 1995, but was officially created only in 2001. The CNIL report established that the STIC now concerns half of the French population, without any age limitation. An individual is registered in the STIC by the police after an offence has been committed. The point is that one can be registered either as a victim, or as the suspected author of the offence. Then the file is supposed to be updated after a court decision, which might find that the suspected author is not guilty. But the CNIL report findings are that this update very seldom occurs, and that sometimes a victim is mistakenly registered as a suspect. All in all, the STIC error rate found by the CNIL is 83%. Not only this error rate is 'staggering' as CNIL's President commented, but also it has major social consequences, since in 2003 a law extended the STIC's purposes to the records checking of people applying to a large range of jobs, especially in the security field. The report evaluates to 1 million the number of persons who weren't hired, or were fired from their jobs, simply because they were wrongly recorded in the STIC, sometimes because they actually were a victim, sometimes because their situation wasn't updated after a court decision. STIC opponents warned against these dangers as early as 10 years ago. Here we are now. In December 2008, another report commissioned by the French Ministry of Interior has inventoried some 45 police files, whereas 34 were already in place in 2006. Some of them contain biometric and genetic data. Among the biometric files, a centralized population database is currently being established, with the decree on French biometric passport having been published on 30 April 2008. A complaint filed against the French government by EDRI-member IRIS and the French Human Rights League is still pending. Main arguments of the complaint are: the collection of 8 digital fingerprints of the passport holder (whereas the European Council regulation requires only 2), the fact that this also applies to children starting from age 6, and the creation of a centralized database containing all information on the passport holder, including biometric data. Another pending complaint against the French government concerns the ELOI database, created to manage the expulsion of illegal migrants. The complaint has been filed by EDRI-member IRIS, with the French Human Rights League and two other French organizations for the support of migrants. This database has been created by decree on 26 December 2007, after the same organizations won a previous complaint against a first version of ELOI. For the plaintiffs, a data retention period of 3 years, as well as the collection of migrants' children data, remain violating the French and European legislation on data protection. These files are only examples of a strong and enduring trend in France, which consist in huge centralized population databases, increased use of biometric and genetic data, considering migrants as a target, and, last but not least, specifically targeting children. Year 2008 has shown however that the concern is growing in the general public, and this is a good sign. While the French have not really reacted to data retention issues, they seem to start considering that police databases and other files created by other administrations, especially when they concern children, are now going too far. When the government is facing massive citizen mobilisation, it has to go backwards. This is the lesson learnt with EDVIGE in 2008. Year 2009 needs to be carefully watched out, though. The law implementing the "graduated response" or the "three strikes approach" against filesharers is expected to pass this year. New measures to fight cybercrime have also been announced. EDVIRSP, the new version of EDVIGE, is expected soon. And the draft law on biometric ID cards is ready for months, and will probably be submitted to the Parliament as soon as things will calm down on the privacy front. CNIL Report: Conclusions on the control of the STIC (only in French, 20.01.2009) http://www.cnil.fr/fileadmin/documents/approfondir/dossier/Controles_Sanctio... IRIS Press Release: ' CNIL's control of the STIC: a healthy exercise, but timorous conclusions' (only in French, 23.01.2009) http://www.iris.sgdg.org/info-debat/comm-stic0109.html EDRI-gram: French EDVIGE decree withdrawn (3.12.2008) http://www.edri.org/edri-gram/number6.23/edvige-retired French Interior Ministry Report: 'Better controlling mechanisms implementation to better protect freedoms' (11.12.2008, only in French) http://lesrapports.ladocumentationfrancaise.fr/BRP/084000748/0000.pdf EDRI-gram: Complaint Against The French Govt To Annul The Biometric Passport Decree (16.07.2008) http://www.edri.org/edrigram/number6.14/complaint-french-biometric-passport EDRI-gram: Eloi - A French Database To Manage The Expulsion Of Illegal Migrants (16.01.2008) http://www.edri.org/edrigram/number6.1/eloi-french-database (Contribution by Meryem Marzouki, EDRI member IRIS - France) ============================================================ 9. Privacy in Germany 2008: A new fundamental right, a privacy mass movement, and the usual surveillance suspects ============================================================ The year of 2008 can be marked as the year where privacy moved high on the public agenda in Germany. On 1st of January, the law on data retention went into effect, which made Germany drop from number one to seven in the country ranking published by Privacy International. At the same day, a constitutional challenge was submitted at the supreme court. The German working group on data retention and its allies managed to have more than 34,000 people participate in this case - the largest constitutional complaint ever seen in German history. The paperwork had to be brought to the constitutional court in huge moving boxes, which also offered a nice photo opportunity for everyone wanting to demonstrate how many people oppose data retention. In February we saw the constitutional court decision on secret online searches of peoples' hard drives (the "federal trojan"). The court limited the use of this tool for cases where there are "factual indications of a concrete danger" in a specific case for the life, body and freedom of persons or for the foundations of the state or the existence of humans, government agencies may use these measures after approval by a judge. The decision was widely considered a landmark ruling, because it also constituted a new "basic right to the confidentiality and integrity of information-technological systems" as part of the general personality rights in the German constitution. In March, the Chaos Computer Club published the fingerprint of the federal minister for the interior, Wolfgang Schduble. This sparked high public attention and made frontpage news, and proved that biometric athentication as introduced in the German passport and identity card is not safe at all. Inspired by the recent successes, the growing number of privacy activists held a de-central action day in May. Different kinds of activities, like demonstrations, flash mobs, information booths, privacy parties, workshops, and cultural activities took place in all over Germany. Over the summer, some of the biggest German companies helped in raising public awareness of the risks of large data collections. Almost every week, there were reports on a big supermarket chain spying on its employees, on cd-roms with tens of thousands of customer data sets from call centers - including bank account numbers - being sold on the grey market, on the largest German telecommunications provider using retained traffic data for spying on its supervisory board and on high-ranking union members, on an airline using its booking system to spy on critical journalists, on two large universities accidentially making all student data available online, or on a big mobile phone provider "losing" 17 million customer data sets. The Federal Government, under building public pressure, introduced some small changes for the federal data protection law, but at the same time continued its push for more surveillance measures in the hands of the federal criminal agency (Bundeskriminalamt, BKA). These included the secret online searches the constitutional court had just cut down to very exceptional circumstances a few months earlier. The German public discussed these moves very critically, especially since journalists are exempted from special protections that are given to priests, criminal defense lawyers, and doctors. Because of the public concern and debate about privacy risks, the call to another mass street protest was even more successful than ever before. The "Freedom not Fear"action day on 11th October was the biggest privacy event of the year. In Berlin, between 50,000 and 70,000 persons protested peacefully against data retention and other forms of "surveillance mania", making it the biggest privacy demonstration in German history. Privacy activists in many cities all over the world participated with very diverse and creative kinds of activities and turned this day into the first international action day "Freedom not Fear". The anti-surveillance protests finally kicked off some serious discussion within the Social Democratic Party in a number of the German ldnder (states). This resulted in a loss of the majority for the law on the federal criminal agency (BKA) in the second chamber (Bundesrat) in the first vote. It only was passed weeks later, after some changes were introduced, and with heavy pressure from leading federal Social Democrats. The new law is still seen as unconstitutional by many legal and privacy experts and in January 2009 a case was submitted to the constitutional court. Privacy activists in the fall of 2008 also campaigned against the retention on flight passenger name records, forcing Brigitte Zypries, the German minister of justice, to freeze her plans on the matter until after the federal elections in the fall of 2009. More recently, the working group on data retention attacked the "voluntary data retention" proposed in the EU telecom package, as well as the renewed data exchange agreements between the EU and the USA. EDRi-gram: Germany: New basic right to privacy of computer systems (27.02.2008) http://www.edri.org/edrigram/number6.4/germany-constitutional-searches EDRi-gram: German constitutional challenge on Data Retention (12.03.2008) http://www.edri.org/edrigram/number6.5/germany-data-retention EDRi-gram: Fingerprinting the fingerprint proponent (9.04.2008) http://www.edri.org/edrigram/number6.7/fingerprint-schauble EDRi-gram: German Protests in over 30 cities against surveillance(2.07.2008) http://www.edri.org/edrigram/number6.13/german-protests-surveillance EDRi-gram: International Action Day "Freedom not Fear" (22.10.2008) http://www.edri.org/edri-gram/number6.20/freedom-not-fear-international-day (contribution by Annika Kremer, Working Group on Data Retention, and Ralf Bendrath, EDRi member Netzwerk Neue Medien - Germany) ============================================================ 10. Some EU data protection policy developments in 2008 ============================================================ Will the 2008 be remembered as the Data Retention implementation year or the first Freedom not Fear day? As always with the conclusions, we might answer better this question in 2009 or 2018. But let's look at some facts from the last year now One of the main hot privacy topics during 2008 was related to the implementation of the EU data retention Directive 2006/24/EC in several European countries. Despite the fact that data retention has been resisted in some countries in Europe, with 15 March 2009 as the final day for starting to retain Internet-related data, most of the EU member states adopted data retention laws only in 2008. The reactions have been strong, but in just a few cases led to the review of the respective laws. Germany has seen large debates and protests after the adoption of the data retention law at the end of 2007. In February 2008, the German Working Group on Data Retention submitted to the German Federal Constitutional Court the mandates of over 34 000 citizens willing to fight against the storage of their telecommunications. A preliminary decision taken by the Court on 19 March 2008 supported the case, considering that parts of the German act are unconstitutional pending review. In Bulgaria, on 11 December 2008, the Bulgarian Supreme Administrative Court (SAC) annulled article 5 of the national legislation that implements the Data retention Directive, following a lawsuit initiated by Access to Information Program(AIP). Article 5 of the Bulgarian Regulation # 40 that was issued by the State Agency on Information Technologies and Communication and the Ministry of Interior provided for a "passive access through a computer terminal" by the Ministry of Interior, as well as access without court permission by security services and other law enforcement bodies, to all retained data by Internet and mobile communication providers. The European Court of Justice (ECJ) is still considering the action started on 6 July 2006 by Ireland against the Council of the European Union and European Parliament on the formal grounds for adopting the Data Retention Directive. A first hearing of the action by ECJ took place on 1 June 2008 in Luxembourg. The legal basis of the data retention directive was supported by the European Parliament and Council, but also by the Commission, Spain, Netherlands and EDPS, Peter Hustinx. On 14 October 2008, the ECJ Advocate General gave his opinion on the case considering the data retention directive was founded on an appropriate legal basis, therefore recommending the dismissal of the action. The decision of the Court will be made public on 10 February 2009. The German Working Group on Data Retention drafted an amicus curiae brief in this case claiming that the data retention directive was also illegal on human rights grounds, breaching the right to respect for private life and correspondence, the freedom of expression and the protection of property. The German Group was joined by several civil liberties NGOs and professional associations, including EDRi. It appears that the ECJ will not look into those aspects, but a future action is possible in asking the European Court to consider the compatibility with human rights. This could be initiated by the German Federal Constitutional Court as an issue realted with the action from the German Working Group of Data Retention and/or by the Irish courts, following the action initiated by EDRi-member Digital Rights Ireland. An international day of action against data retention took place on 11 October under the name "Freedom not Fear". During that day, protests took place in more than 15 countries worldwide against surveillance measures such as the collection and retention of all telecommunications data. The surveillance of air travellers and the biometric registration of citizens was another subject of the "Freedom not Fear" day, as 2008 has seen developments on the issue. The PNR US-EU agreement continued to raise questions and worries with many negotiations between the US government and the European Commission. In March, the German Working Group on Data Retention published two applications to the European Court of Justice contesting the transfer of PNR data to the US arguing that the collection of all PNR data violated the basic right to privacy and protection of our personal data, authorities were given an unforeseeable use of the data for other purposes, and that passengers' sensitive data were not effectively protected against access. A recent report from US Department of Homeland Security (DHS) regarding the Passenger Name Record (PNR) information from the EU-US flights confirms a number of major disfunctionalities, that proves the DHS did not comply with the EU agreement or with the US legislation in its use of PNR. At the European level, despite the large opposition, the European Council decided to extend the PNR scheme to the EU space, following the position of some governments which expressed their intention to even extend the PNR scheme to all types of travel and even among EU countries. The text proposed in October 2008 included the choice of individual states to take the measure at the national level meaning that PNR would be collected by all Member States on all flights in and out of the EU and the choice of surveying intra-community flights belonged to the Member States. The attempt to pile up DNA databases was continued in 2008 with the UK as leader. However the European Court of Human Rights (ECHR) decision taken on 4 December in the Marper case could change the way things are working today. ECHR confirmed that, in agreement with Article 8 of the European Convention on Human Rights, the retention of cellular samples, fingerprints and DNA profiles constituted an infringement of the right for private life. On 24 September 2008, the Telecom Package of rules governing the Internet and telecoms sectors proposed by the European Commission was approved by the European Parliament in the first reading. Despite the amendments brought by the EP, the package is still worrying the civil rights groups, both on data retention and IP issues. The voluntary data retention issue is one of the major hot topics contested by the civil society (see also the first article in this EDRi-gram). A promising amendment was proposed by the European Parliament to the ePrivacy Directive that included the obligation of the information society services providers to notify personal data related security breaches to the national authorities which was suggested by the European Data Protection Supervisor's opinion in April. But the new texts suggested by the Commission and the Council seem to contradict the Parliament and the final decision will probably be taken in the second reading, estimated for April 2009. We can not wish to have a conclusion that may clear the waters. The optimists will look at the full part of the glass where we might see the ECHR Marper case. The pesmists mights see the EU PNR scheme or some strange provisions of the Telecom Package. EDRI page on data retention http://www.edri.org/issues/privacy/dataretention EDRI page on PNR http://www.edri.org/issues/privacy/pnr EDRI page on biometrics http://www.edri.org/issues/technology/biometrics EDRi page on privacy http://www.edri.org/issues/privacy National data retention policies https://wiki.vorratsdatenspeicherung.de/Transposition ============================================================ 11. Towards International Data Protection Standards ============================================================ In October 2008, the 30th International Conference of Privacy and Data Protection Commissioners in Strassbourg adopted a resolution on the urgent need for protecting privacy in a borderless world, and for reaching a Joint Proposal for setting International Standards on Privacy and Personal Data Protection. Following this resolution, the Spanish Data Protection Authority (DPA) - as the organiser of the 31st international DPA Conference to be held in November 2009 - has set up a working group on drafting this Joint Proposal. The first meeting of this working group was held on invitation of the Spanisch DPA and the DPA of Catalonia on 12 January in Barcelona. Participants in this meeting were not only the interested international Data Protection Authorities but also data protection experts from academia, businesses and civil society, amongst which EDRi. EDRi very much welcomes this standardisation initative of the International Conference of Privacy and Data Protection Commissioners. Provided that the defined standards are not set below the requirements of the current European data protection legislation - which is very unlikely to happen - an international standard on data protection will not only serve as an important tool for international data exchange but also as a worldwide benchmark for data protection legislation. Besides that, it provides the opportunity to work on issues that are likely to cause difficulties with emerging technologies (like for example the concept of the data controller in RFID environments or cloud computing). As this one day meeting clearly showed, the creation of an international standard on Privacy and Personal Data Protection is not an easy task and it is by far unclear whether this task can possibly be completed by the next International Conference of Privacy and Data Protection Commissioners in November 2009 in Madrid. But with the draft document provided by the organisers of the meeting and the inputs provided by the participants in the meeting a first step is already taken. In the following months the working group will go into the details and present the outcomes at the Madrid conference. Resolution on the urgent need for protecting privacy in a borderless world, and for reaching a Joint Proposal for setting International Standards on Privacy and Personal Data Protection adopted by the 30th International Conference of Privacy and Data Protection Commissioners (17.10.2008) http://www.privacyconference2008.org/adopted_resolutions/STRASBOURG2008/reso... Announcement of the Barcelona Meeting by the DPA of Catalonia (only in Spanish, 8.01.2009) http://www.apdcat.net/noticia.php?not_id=93 Intervention of the director of the DPA of Catalonia (only in Spanish, 14.01.2009) http://www.apdcat.net/noticia.php?not_id=97 Press statement of the Spanish DPA (only in Spanish, 13.01.2009) https://www.agpd.es/portalweb/revista_prensa/revista_prensa/2009/notas_prens... (contribution by Andreas Krisch - EDRi) ============================================================ 12. Recommended Action ============================================================ Declaration to Reject the Copyright Term Extension Directive with signatories (01.2009) http://www.edri.org/files/Joint_Statement_Final.pdf Reject term extension directive (21.01.2009) http://www.edri.org/reject-term-extention-directive ============================================================ 13. Recommended Reading ============================================================ Article 29 Working Party - The 2007 Annual Report English http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/annual_reports_en.... German http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/annual_reports_de.... French http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/annual_reports_fr.... ============================================================ 14. Agenda ============================================================ 3-4 February 2009, Victoria, British Columbia, Canada 10th Annual Privacy and Security Conference "Life in a Digital Fishbowl: A Struggle for Survival or a Sea of Opportunity?" http://www.rebootconference.com/privacy2009/ 7-8 February 2009, Brussels, Belgium Free and Open source Software Developers' European Meeting (FOSDEM) http://www.fosdem.org/2009/ 18-20 March 2009, Athens, Greece WebSci'09: Society On-Line http://www.websci09.org/ 27-29 March 2009, Manchaster, UK Oekonux Conference: Free Software and Beyond The World of Peer Production http://www.oekonux-conference.org/ 29-31 March 2009, Edinburgh, UK Governance Of New Technologies: The Transformation Of Medicine, Information Technology And Intellectual Property" An International Interdisciplinary Conference http://www.law.ed.ac.uk/ahrc/conference09/ 1-3 April 2009, Berlin, Germany re:publica 2009 "Shift happens" http://www.re-publica.de/09/ Subconference: 2nd European Privacy Open Space http://www.privacyos.eu/ 13-14 May 2009 Uppsala, Sweden Mashing-up Culture: The Rise of User-generated Content http://www.counter2010.org/workshop_call 24-28 May 2009, Venice, Italy ICIMP 2009, The Fourth International Conference on Internet Monitoring and Protection http://www.iaria.org/conferences2009/ICIMP09.html 1-4 June 2009, Washington, DC, USA Computers Freedom and Privacy 2009 http://www.cfp2009.org/ 5 June 2009, London, UK The Second Multidisciplinary Workshop on Identity in the Information Society (IDIS 09): "Identity and the Impact of Technology" Call for papers, deadline 13 March 2009 http://is2.lse.ac.uk/idis/2009/ 2-3 July 2009, Padova, Italy 3rd FLOSS International Workshop on Free/Libre Open Source Software Paper submission by 31 March 2009 http://www.decon.unipd.it/personale/curri/manenti/floss/floss09.html 13-16 August 2009, Vierhouten, The Netherlands Hacking at Random http://www.har2009.org/ 23-27 August 2009, Milan, Italy World Library and Information Congress: 75th IFLA General Conference and Council: "Libraries create futures: Building on cultural heritage" http://www.ifla.org/IV/ifla75/index.htm 10-12 September 2009, Potsdam, Germany 5th ECPR General Conference, Potsdam Section: Protest Politics Panel: The Contentious Politics of Intellectual Property First proposals to be submitted by 1 February 2009 http://www.ecpr.org.uk/potsdam/default.asp 16-18 September 2009, Crete, Greece World Summit on the Knowledge Society WSKS 2009 http://www.open-knowledge-society.org/ October 2009, Istanbul, Turkey eChallenges 2009 Call for papers by 27 February 2009 http://www.echallenges.org/e2009/default.asp?page=c4p 15-18 November 2009, Sharm El Sheikh, Egypt UN Internet Governance Forum http://www.intgovforum.org/ ============================================================ 15. About ============================================================ EDRI-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRI has 29 members based or with offices in 18 different countries in Europe. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRI-grams. All contributions, suggestions for content, corrections or agenda-tips are most welcome. Errors are corrected as soon as possible and visibly on the EDRI website. Except where otherwise noted, this newsletter is licensed under the Creative Commons Attribution 3.0 License. See the full text at http://creativecommons.org/licenses/by/3.0/ Newsletter editor: Bogdan Manolea <edrigram@edri.org> Information about EDRI and its members: http://www.edri.org/ European Digital Rights needs your help in upholding digital rights in the EU. If you wish to help us promote digital rights, please consider making a private donation. http://www.edri.org/about/sponsoring - EDRI-gram subscription information subscribe by e-mail To: edri-news-request@edri.org Subject: subscribe You will receive an automated e-mail asking to confirm your request. unsubscribe by e-mail To: edri-news-request@edri.org Subject: unsubscribe - EDRI-gram in Macedonian EDRI-gram is also available partly in Macedonian, with delay. Translations are provided by Metamorphosis http://www.metamorphosis.org.mk/edrigram-mk.php - EDRI-gram in German EDRI-gram is also available in German, with delay. Translations are provided Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for Internet Users http://www.unwatched.org/ - Newsletter archive Back issues are available at: http://www.edri.org/edrigram - Help Please ask <edrigram@edri.org> if you have any problems with subscribing or unsubscribing. ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE