EDRi-gram newsletter - Number 9.10, 18 May 2011
============================================================
EDRi-gram
biweekly newsletter about digital civil rights in Europe
Number 9.10, 18 May 2011
============================================================
Contents
============================================================
1. EU and China adopt harmonised approach to censorship
2. Data retention in EU Council Meeting
3. Belgium Senate deletes the repressive part of the three strikes draft law
4. Dutch ISPs admit to using deep packet inspection
5. CoE refuses to start investigation on biometrics
6. Ireland adopts innovation agenda on intellectual property
7. UK police has bought surveillance software to track online movements
8. Google found guilty in Belgium for newspapers' copyright infringement
9. Privatised enforcement series E: Online trading platforms sell out
10. CFP 2011 Conference to address the Future of Technology and Human Rights
11. ENDitorial: RFID PIA: Check against delivery
12. Recommended Action
13. Recommended Reading
14. Agenda
15. About

============================================================
1. EU and China adopt harmonised approach to censorship
============================================================

The European Union and China appear to have agreed to share their preferred approaches to censorship, producing a model that is a perfect mix between current EU and Chinese policies.

On 20 April 2011, at an event in the European Parliament entitled "Creative Industries: Innovation for Growth", the French European Commissioner for the Internal Market, Michel Barnier, announced plans to focus on Internet providers to enforce intellectual property. He explained that he did not want to "criminalise" consumers and therefore would put the pressure on online intermediaries (who will then police and punish the consumers instead).

Eight days later, on 28 April, the Beijing Copyright Bureau decided to follow exactly the same model.
In its "Guiding Framework for the Protection of Copyright for Network Dissemination," it proposes a range of obligations on Internet intermediaries such as:

- 180-day data retention for the name and IP address of users, if the intermediary provides file-sharing or hosting services. This is fractionally more liberal than the most liberal approach permitted by the European Commission, which requires data retention for a minimum of six months;
- deterring and restraining (sic) those who upload unlicensed material, including terminating the offending users' service (as appears in the preparatory works of the ACTA agreement, supported by the EU) and also reporting these infringing acts to copyright law enforcement authorities;
- employing "effective technical measures to prevent users uploading or linking to copyrighted works" (as supported by the EU in its input to the European Court of Justice in the Scarlet/Sabam case (C-70/10)).

While the developments in relation to copyright show China's willingness to learn from the EU's planned repressive measures, the traffic is not entirely one-way, as shown by the recent revelations on the Hungarian Presidency's "virtual Schengen" proposal.

In 2008, the French EU Presidency developed plans for a "Cybercrime Platform" to be run by Europol, as a means of collecting reports of illicit/unwanted content from across Europe, acting as an "information hub" with the reasonably obvious intention of a harmonised approach to blocking web content.

This approach was further developed in the Internal Security Strategy from 2010, which said ominously that "while the very structure of the internet knows no boundaries, jurisdiction for prosecuting cybercrime still stops at national borders. Member States need to pool their efforts at EU level. The High Tech Crime Centre at Europol already plays an important coordinating role for law enforcement, but further action is needed."
The European Commission immediately took the initiative and offered funding for projects that supported "the blocking of access to child pornography or blocking the access to illegal Internet content through public-private cooperation" - expanding blocking both to content of any kind and to extra-judicial blocking, in contravention of the European Convention on Human Rights and the EU Charter of Fundamental Rights. As a result, European police forces were given a grant of 324 059 Euro to lobby for blocking in the EU.

All of these developments have now led to the proposal for a "Great Firewall of Europe", as demonstrated by an EU Council presentation published this week by EDRi. This would harmonise the EU's approach to content that it wished to stop at the EU's borders, following the same logic as the "Great Firewall of China" which censors unwanted content from outside China's jurisdiction. Ironically, both the European Commission and Council of Ministers are now claiming that such a blocking plan was never the intention and are distancing themselves from the proposal - even to the point of rewriting the minutes of the meeting where the proposal was discussed.

In summary, therefore, the EU/China internal policy on censorship will be based on the European model of censorship by proxy, whereby Internet intermediaries undertake the work. For unwanted traffic from outside the EU, the Chinese model of a "virtual border" is being pushed forward, despite recent protestations of innocence from the EU institutions.

Hungarian presidency rewriting of history of meeting
http://register.consilium.europa.eu/pdf/en/11/st07/st07181-co01.en11.pdf

Virtual Schengen documents released by EU Council (12.05.2011)
http://www.edri.org/virtual_schengen

Commission input to ECJ on Scarlet/Sabam (only in French, 13.01.2011)
http://www.mlex.com/itm/Attachments/2011-01-13_1B8G0W13A97M04RY/C70_10%20FR%...

ACTA Draft: No Internet for Copyright Scofflaws (24.03.2010)
http://www.wired.com/threatlevel/2010/03/terminate-copyright-scofflaws/

EU Internal Security Strategy
http://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/en/jha/113055....

French Presidency work programme
http://www.eu2008.fr/webdav/site/PFUE/shared/ProgrammePFUE/Programme_EN.pdf

EU Communication: Internal Security Strategy (22.11.2010)
http://www.statewatch.org/news/2010/nov/eu-com-internal-security-strategy-no...

Chinese copyright office: Guiding Framework on the Protection of Copyright for Network Dissemination (28.04.2011)
http://www.r2g.net/english/english_news_article_1004.htm

EU information management instruments (20.07.2010)
http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/10/349&type=HTML

Council and Commission distance themselves from blocking plans (only in German, 16.05.2011)
http://www.spiegel.de/netzwelt/netzpolitik/0,1518,762783,00.html

Commission funding - ISEC 2010 action grants
http://bit.ly/mE9noz

(Contribution by Joe McNamee - EDRi)

============================================================
2. Data retention in EU Council Meeting
============================================================

The EU Council Working Group of Justice and Home Affairs had a first discussion on 12 May 2011 on the European Commission implementation report on the data retention directive.

The Commission agreed that the implementation has been uneven, both in terms of retention periods, as well as in respecting data protection principles.

The working group discussed issues related to a common definition of "organised crime", that was opposed by some, on the basis of infringing the rights of Member States to govern their own affairs on entirely internal processes ("subsidiarity").

This was just a preliminary discussion, where some member states claimed that data retention was necessary, favouring a two year retention period.
Only a few countries brought forward the idea of the "quick freeze" as an alternative solution.

The next schedule presented by the Commission includes several public meetings, the first with civil society on 8 June 2011. After that, the impact assessment should be finalized after the Summer and, by the end of 2011, the European Commission wishes to present its proposal to amend the data retention directive.

Press release: 3085th Council meeting - Justice and Home Affairs (12.05.2011)
http://www.consilium.europa.eu/uedocs/NewsWord/en/jha/121967.doc

EDRi-gram: Top 10 misleading statements of the European Commission on data retention (20.04.2011)
http://www.edri.org/edrigram/number9.8/data-retention-evaluation

============================================================
3. Belgium Senate deletes the repressive part of the three strikes draft law
============================================================

The Belgium version of the French Hadopi three strikes law was significantly changed by the Commission of Finance and Economical Affairs (COMFINECO) of the Belgium Senate during a hearing organised on 11 May 2011 on copyright and Internet.

The proposal, initially submitted in 2010 and re-tabled at the beginning of 2011, was amended by the removal of a series of articles which actually referred to the three strikes system.

NURPA (the Net Users' Rights Protection Association) warns that the proposed law, although amputated, still raises certain concerns and draws the attention especially to article 12 which "requires the settling of agreement between private actors and allows the limitation of the Internet user's freedom of usage". The article stipulates that the agreement signed with the ISPs "determines the limits and conditions under which a user that has access to a public online communication service can use it to exchange works protected by copyright or related right(s)."
Inspired also by the French Hadopi law, the proposed Belgium law introduces the creation of a Council for the protection of copyright on the Internet that would have as its main task to establish a list of legal offers. It is not clear which criteria will be used to determine what offers will be legal and which will be the means to keep such a list updated and complete.

"Instead of seeing the Internet as an opportunity to reduce the number of intermediaries between the public and the artists, the text only continues to place the copyright collective societies in the centre of the revenue perception. There are innovating initiatives and a freedom of artistic distribution that should be encouraged rather than playing in the hands of the private societies" stated Daniel Faucon, spokesperson for NURPA.

Two contradictory opinions also marked the COMFINECO hearing, one according to which the service providers would incite illegal downloading and therefore should be made responsible and a second one that is closer to net neutrality, meaning that the service providers should not be held accountable for the content exchanged on the Internet.

The Belgium HADOPI amputated in its repressive part (only in French, 12.05.2011)
http://nurpa.be/actualites/2011/05/HADOPI-belge-amputee-partie-repressive.ht...

The Belgium Hadopi is buried, but filtering is not (only in French, 12.05.2011)
http://www.numerama.com/magazine/18776-la-hadopi-belge-est-enterree-mais-pas...

EDRi-gram: Four strikes law returns to Belgium (9.05.2011)
http://www.edri.org/edrigram/number9.5/belgium-four-strikes-law-returns

============================================================
4. Dutch ISPs admit to using deep packet inspection
============================================================

During an investors day on 10 May 2011 in London, Dutch Internet service provider KPN admitted to using deep packet inspection (DPI) technology, to determine the use of certain applications by its mobile internet customers. Vodafone soon followed with an announcement that it used this technology for traffic shaping. The Dutch minister of Economic Affairs within days announced an investigation into KPN's practices and promised to publish the results within two weeks.

The recent revelations come after Dutch telecom giant KPN announced that it will start charging mobile internet users extra for the use of certain applications, such as internet telephony. This is a hot topic in The Netherlands, as net neutrality rules will soon be discussed in the Dutch parliament.

Dutch digital rights organisation Bits of Freedom is concerned that the application of DPI by KPN is a violation of the Dutch law and called for customers to lodge a complaint with the public prosecutor.

Article on use of DPI by KPN (12.05.2011)
http://webwereld.nl/nieuws/106656/kpn-luistert-abonnees-af-met-deep-packet-i...

Press release Bits of Freedom (12.05.2011)
https://www.bof.nl/2011/05/12/persbericht-bits-of-freedom-roept-kpn-abonnees...

(contribution by Ot van Daalen - EDRi-member Bits of Freedom, Netherlands)

============================================================
5. CoE refuses to start investigation on biometrics
============================================================

In an answer to the 31 March 2011 petition calling the Council of Europe (CoE) to start an in-depth survey under Article 52 of the European Convention on Human Rights, Thorbjørn Jagland, the Secretary General of the CoE refused to start an investigation on the collection and storage of citizens' biometric data by member states.
In his answer, Secretary General Jagland mainly points to the CoE Resolution 1797, adopted in March 2011. He does stress the need to take steps to ensure that relevant existing legal frameworks, including European data protection Convention 108, be enhanced and modernised.

However, the Secretary General doesn't explain his refusal to investigate the legality of the current national biometric schemes. Instead, Mr. Jagland refers to various other Council of Europe bodies, such as the Parliamentary Assembly, the commissioner for Human Rights and the Consultative Committee of Convention 108.

In a first reaction to the response from Strasbourg, an alliance spokesperson said: "The lack of protection of citizens' rights against government use of biometrics is stunning. Moreover, the digital fingerscan technique itself is immature. For example a government test in the Netherlands, published after our petition, showed biometric verification failure rates of 21%. A test by the mayor of the city of Roermond revealed that for no less than one in every five persons collecting travel documents, the initial fingerprint scan had been so bad that it wasn't verifiable. So how can you ever reach the goals of the Passport Laws by storing these on the document chip? This confirms once again that an in-depth survey has to be conducted soon on whether the human rights guarantees and conditions of necessity (effectiveness, proportionality, subsidiarity and safety guarantees) set by the European Convention on Human Rights and the data protection Convention are indeed upheld in the countries involved."

The more than 80 petition signatories from 27 countries, including EDRi, include - among others - digital, civil and human rights defenders, media, legal and medical organisations, academia, politicians and personal victims without a passport because of objections involving the biometric storage.

Petition to Council of Europe on government use of citizens biometrics (updated on 12.05.2011)
https://www.privacyinternational.org/article/petition-council-europe-governm...

Answer of Council of Europe (29.04.2011)
http://yfrog.com/z/h4yfwslj

EDRi-gram: NGOs ask CoE to investigate government collection of biometrics (6.04.2011)
http://www.edri.org/edrigram/number9.7/petition-coe-biometrics

============================================================
6. Ireland adopts innovation agenda on intellectual property
============================================================

Richard Bruton, the Irish Minister for Enterprise, Jobs and Innovation, said that he was determined that the Irish government should make whatever changes were necessary to allow innovative digital companies to reach their full potential in Ireland. He said that some companies have complained that the current copyright legislation did not cater well for the digital environment and created barriers to innovation and to the establishment of new business models. For this reason, he has proposed research into how the current copyright law could be amended in such a way so that it would foster innovation.
In order to achieve the aforementioned goal, Mr Bruton set up the Copyright Review Committee which, in the words of the Department of Enterprise, Trade and Innovation, has the following tasks:

(1) Examine the present national copyright legislation and identify any areas that are perceived to create barriers to innovation;
(2) Identify solutions for removing these barriers and make recommendations as to how these solutions might be implemented through changes to national legislation;
(3) Examine the US style "fair use" doctrine to see if it would be appropriate in an Irish/EU context;
(4) If it transpires that national copyright legislation requires to be amended but cannot be amended, (bearing in mind that Irish copyright legislation is bound by the European Communities Directives on Copyright and Related Rights and other international obligations) make recommendations for changes to the EU Directives that will eliminate the barriers to innovation and optimise the balance between protecting creativity and promoting and facilitating innovation.

After completing these four tasks, the Copyright Review Committee will present a Report to the Government with a set of recommendations for legislative change.

The Review will start with a consultation. All interested parties are invited to submit their views for inclusion in the review. The Chair of the Review Committee will be Dr. Eoin O'Dell of Trinity College, Dublin. The other members of the Review Committee will be Professor Stephen Hedley (University College Cork) and Ms. Patricia McGovern (DFMG Solicitors). The deadline for sending submissions is the end of June 2011.

Consultation on the Review of the Copyright and Related Rights Act 2000, Department of Enterprise, Trade and Innovation of Ireland (09.05.2011)
http://www.deti.ie/science/ipr/copyright_review_2011.htm

Radical copyright law reform to boost Ireland's digital economy? (09.05.2011)
http://siliconrepublic.com/new-media/item/21695-radical-copyright-law-refor

(Contribution by Daniel Dimov - intern at EDRI)

============================================================
7. UK police has bought surveillance software to track online movements
============================================================

Civil liberties groups have shown great concern about the UK Metropolitan police force's possible use of Geotime surveillance software that can map nearly every move in the digital world of "suspect" individuals.

The Geotime security programme, which has recently been purchased by Britain's Metropolitan Police, is used by the US military and is able to show an individual's movements and communications with other people on a three-dimensional graphic. It can be used to put up information gathered from social networking sites, satellite navigation equipment, mobile phones, financial transactions and IP network logs, creating a 3D graphic of correlations between actions, people and places.

The use of such a tool is seen as a threat to personal privacy. Alex Hanff, the campaigns manager at Privacy International, showed concern that by the aggregation of "millions and millions of pieces of microdata, a very high-resolution picture of somebody" might be obtained. This could also be used by the government and police "for the benefit of commercial gain," and he therefore asked the UK police to explain who would decide how this software will be used in the future.

"This latest tool could also be used in a wholly invasive way and could fly in the face of the role of the police to facilitate rather than impede the activities of democratic protesters," said Sarah McSherry, a partner at Christian Khan Solicitors, representing several protesters in cases against the Metropolitan police.

Daniel Hamilton, director of the Big Brother Watch privacy blog, stated for ZDNet UK that "the ability to build up such a comprehensive record of any person's movements represents a significant threat to personal privacy."

According to Geotime's website, the programme displays data from various sources, allowing the user to navigate the data with a timeline and animated display and the links between entities "can represent communications, relationships, transactions, message logs etc and are visualised over time to reveal temporal patterns and behaviours."

The representatives of The Metropolitan police stated it was "in the process of evaluating the Geotime software to explore how it could possibly be used to assist us in understanding patterns in data relating to both space and time" and that it had not yet taken a final decision on whether the software would be adopted permanently. A spokesperson from the Ministry of Defence said the software was also under investigation by the ministry.

This comes at a time when data retention has become a main issue of discussion being increasingly challenged and criticised and as the UK already exercises a high level of surveillance of individuals' online activities.

According to the Guardian, Catt, an 86-year-old man without any criminal record, has recently been granted permission to sue a secretive police unit for having kept, on a clandestine database, a detailed record of his presence at more than 55 peace and human rights peaceful protests over a four-year period. The respective unit has been compiling a huge, nationwide database of thousands of protesters for more than ten years already.
The police claim the unit only monitors so-called "domestic extremists" (which in Catt's case is a very exaggerated statement) and that the "minor" surveillance of Catt was a "part of a far wider picture of information which it is necessary for the police to continue to monitor in order to plan to maintain the peace, minimise the risks of criminal offending and adequately to detect and prosecute offenders".

Police buy software to map suspects' digital movements (11.05.2011)
http://www.guardian.co.uk/uk/2011/may/11/police-software-maps-digital-moveme...

Metropolitan Police trials GeoTime tracking software (12.05.2011)
http://www.zdnet.co.uk/news/security-management/2011/05/12/metropolitan-poli...

Privacy storm after police buy software that maps suspects' digital movements (12.05.2011)
http://www.dailymail.co.uk/sciencetech/article-1386191/Privacy-storm-police-...

Protester to sue police over secret surveillance (3.05.2011)
http://www.guardian.co.uk/uk/2011/may/03/protester-sue-police-secret-surveil...

============================================================
8. Google found guilty in Belgium for newspapers' copyright infringement
============================================================

Google lost its appeal in front of the Belgian appeals court which upheld an earlier ruling, having found the company guilty of infringing the copyright of newspapers, in the case introduced in 2006 by Copiepresse.

In 2006, Copiepresse, an agency acting for newspapers, sued Google for allegedly infringing the copyright of newspapers when linking, on its Google News service, to content from newspaper websites or copies of sections of stories.

A Belgian judge ruled that Google had to remove all the content referring to Belgian newspaper stories from its services and the Court of First Instance in Belgium upheld that ruling in February 2007.
Google appealed the decision and argued that Google News was fully consistent with applicable copyright laws and considered that US law should have applied in the case because the company posts the articles of the Belgian sites from the US.

However, the court, based on the Berne Convention, estimated that only the Belgian law could be applicable and that the distribution through the Google.be website of works that are protected by copyright in Belgium was illegal and that it did not matter that the posts were made automatically by robots from abroad.

The court also estimated that one didn't need to read the entire article to understand the information posted by Google, that Google News could not be assimilated with press review and it infringed the paternity right by not mentioning the name of the author.

The court's decision asked Google to remove all links to material from Belgian newspapers in French (the rulings do not apply to Flemish newspapers). Failing to comply with the court's decision may bring Google a fine of about 25 000 Euro per day.

"References with short titles and direct links to the sources is not only legal, but also encourages the users to read the online newspapers" stated Al Verney, spokesperson for Google.

While Copiepresse welcomes the decision, Google reminded the agency that it is not the only search engine making reference to online contents but that actually, this is common practice with most search engines. It also seems Google wants to bring the case to a higher court.

Google infringes copyright when its services link to newspaper sites, Belgian court rules (10.05.2011)
http://www.out-law.com/default.aspx?page=11911

Court's decision (only in French, 5.05.2011)
http://copiepresse.be/Copiepresse5mai2011.pdf

Google Busted for Copyright Violation in Belgium (7.05.2011)
http://www.pcworld.com/article/227379/google_busted_for_copyright_violation_...

Copiepresse press release (only in French, 5.05.2011)
http://www.copiepresse.be/Communique%20de%20presse%20condamnation%20Google.p...

Google loses the Copiepresse case in appeal (only in French, 9.05.2011)
http://datanews.rnews.be/fr/ict/actualite/apercu/2011/05/09/google-perd-le-p...

New condemnation of Google News in Belgium (only in French, 9.05.2011)
http://lexpansion.lexpress.fr/high-tech/nouvelle-condamnation-de-google-news...

EDRi-gram: Belgium court backs decision against Google (14.02.2007)
http://www.edri.org/edrigram/number5.3/google-belgium

============================================================
9. Privatised enforcement series E: Online trading platforms sell out
============================================================

In a bizarrely designed document, looking like a mix between a wedding invitation and an accident in a blue ink factory, leading online retailers Amazon, eBay and Priceminister have sold out the interests of their consumers in a "memorandum of understanding" with a range of luxury goods and copyright groups. In return, they have received a non-binding commitment not to be sued by the rightsholders for twelve months.

Under the agreement, the Internet platforms agree to take responsibility "to assess the completeness and validity of" reports from rightsholders of counterfeit goods being sold through their services and, based on this extra-judicial notice, not only to remove the listings of the alleged counterfeit material but also to take "deterrent measures against such sellers". Furthermore, for reasons that are not explicitly explained, Internet platforms will receive lists of words "commonly used for the purpose of offering for sale of 'obvious' counterfeit goods" which they will "take into consideration".

Up to the limits imposed by data protection law, "Internet Platforms commit to disclose, upon request, relevant information including the identity and contact details of alleged infringers and their user names".
On the other side, the rightsholders undertake to make requests for personal information "in good faith" and in accordance with the law.

With regard to sellers who are adjudged by the online retailer to have repeatedly broken the law, the Internet platforms undertake to "implement and enforce deterrent repeat infringer policies, according to their internal guidelines" including temporary or permanent suspension of the seller. These deterrent measures are to be implemented taking into account a number of factors, including the "apparent intent of the alleged infringer".

The policing by the Internet platforms will, in turn, be policed by the rightsholders who, subject to data protection law "commit to provide information to Internet Platforms concerning those sellers they believe to be repeat infringers and commit to provide feedback to Internet Platforms on the effectiveness of Internet Platforms' policies regarding repeat infringers (e.g. if rights owners feel that there has been a failure to take measures against a repeat infringer)".

In the entire document, which consists of 47 paragraphs, just one is devoted to the enforcement of the law by law enforcement authorities.

Memorandum of Understanding (4.05.2011)
http://ec.europa.eu/internal_market/iprenforcement/docs/memorandum_04052011_...

(Contribution by Joe McNamee - EDRi)

============================================================
10. CFP 2011 Conference to address the Future of Technology and Human Rights
============================================================

The 21st Annual Computers Freedom and Privacy Conference (CFP 2011) will be held on 14 - 16 June 2011 in Washington DC, USA, at the Georgetown University Law Center.

CFP conferences traditionally look at the technology and policy space with an eye toward predicting what innovation might bring in relation to human rights.
It is a yearly gathering of activists, thinkers, government, legislative, NGOs, business to discuss differing views on controversial issues related to technology and policy. The conference is open to the general public.

"The Future is Now" is the theme of this year's conference. Participants will address emerging issues such as the role of social media in the democracy movement in the Middle East and North Africa; technology and social media to support human rights; the impact of mobile personal computing technology on freedom and privacy; smart grid, e-health records, consumer location-based advertising, cybersecurity, cloud computing, net neutrality, federated ID, ubiquitous surveillance.

The program is structured around three days, with the 1st day dedicated to privacy issues, the second to human rights and freedoms, and the third to computing and technology. A particular effort has been undertaken this year to increase the international scope of the conference.

Keynote addresses will be given daily by prominent speakers, including Alessandro Acquisti (CMU), Mona Eltahawy (Columnist), Danah Boyd (Microsoft), Agnès Callamard (Article 19), Cameron Kerry (US DoC), Edith Ramirez (FTC Commissioner), Bruce Schneier (BT).

EDRi is involved both in the organization and in the participation in this event through representatives of its members and observers. Meryem Marzouki (France) chairs the 'Human Rights and Freedom' day program subcommittee, and will be moderating a session on "MENA Beyond Stereotypes: Technology of Good and Evil Before, During and After Revolutions". Katarzyna Szymielewicz (Poland), Ralf Bendrath (Germany), Cedric Laurent (Belgium), and others will address "The Global Challenge of Mandatory Data Retention Schemes". European issues and perspectives will also be highlighted during the session on "A Clash of Civilizations: The EU and US Negotiate the Future of Privacy", with the participation of Jan Philipp Albrecht, German MEP.
Together with the many other panels on currently hot issues in Europe, such as the debate on technical intermediaries immunity or liability or the impact on minorities and migrants of airport security measures and PNR data collection, these sessions promise a very exciting conference this year.

All about CFP 2011 - Program, Speakers, Committee, Registration (14-16.06.2011)
http://www.cfp.org/2011

(contribution by Meryem Marzouki - EDRi)

============================================================
11. ENDitorial: RFID PIA: Check against delivery
============================================================

In the context of the Hungarian Presidency of the European Council, the European Commission and the Hungarian Innovation Office jointly organised the IoT 2011 conference on the Internet of Things, earlier this week.

One of the main sessions was devoted to privacy and data protection in the IoT age. The main points of the presentations in this session included the high importance of technology design for any form of Internet regulation (with reference to Lessig's "Code is law"), the need for a reduction of bureaucracy in data protection and the importance of accurate information on the consequences of IoT applications for individuals' privacy. The experts stressed that it was important to maintain the existing data protection principles also in an IoT age and that commercial competition must not take place at the cost of reduced data protection standards. Risk assessments like the RFID Privacy Impact Assessment (PIA) were mentioned as an important tool that also enables end users (the data subjects) to take informed decisions regarding the processing of their personal data.
RFID and PIAs also became a topic during the Questions and Answers of the following session, where Christian Plenge, Head of Architecture, Frameworks & Innovation at METRO Systems GmbH (a company of one of the world's largest retailers, Metro Group), informed the audience that Metro had decided to leave RFID tags on their products active after the point of sale and to offer their customers the possibility to deactivate the tags on request. According to Mr. Plenge, this option has been chosen only once so far, when a data protection group was given a tour in an RFID-equipped store.

This statement is of particular interest as the European Commission's recommendation on RFID data protection suggests, at points 11 and 12, that retailers deactivate or remove RFID tags at the point of sale unless consumers give their informed consent or a PIA concludes that the tags do not represent a likely threat to privacy or the protection of personal data.

When asked by EDRi whether his statements meant that Metro Group had decided not to follow the European Commission's recommendation, Mr. Plenge said that the PIA they had conducted had concluded that there was no likely threat to privacy or the protection of personal data and that their activities were therefore in line with the EC recommendation.

This view is also promoted on the website of Metro's Future Store Initiative, which claims that Metro's RFID use is "in full compliance with existing provisions" and that their "transponders, ..., do not store any personal consumer information". The Electronic Product Code (EPC; which is a worldwide unique identifier) would only refer to product and process information and "(p)ersonal data is neither disseminated nor stored".

For an audience not familiar with the data protection problems of RFID applications and the discussions in the European Commission's RFID Expert Group and elsewhere, this statement might be convincing at first sight.
The fact is, however, that the question of whether unique identifiers stored on RFID tags constitute personal data has been discussed at length on various occasions and that Metro was very much involved in these debates. As a result of these debates - and of the process leading to the RFID PIA framework - the answer to this question was formally given in not one but actually two working papers of the Article 29 Working Party (WP175 and WP180):

"... when a unique identifier is associated to a person, it falls in the definition of personal data set forth in Directive 95/46/EC, regardless of the fact that the 'social identity' (name, address, etc.) of the person remains unknown (i.e. he is 'identifiable' but not necessarily 'identified')." (WP175, p. 8)

In the case of Metro's RFID use, this means that Metro - contrary to their public statements - is in fact processing personal data of their customers (the EPCs) and that Metro puts the personal data of their customers at risk (which e.g. could be tracked by third parties without their knowledge) by not deactivating the RFID tags at the point of sale and not taking any other measures to mitigate the risks (at least as far as we know from Mr. Plenge and the above mentioned corporate website).

Mr. Plenge's statement at the European Commission's IoT 2011 conference is of particular importance as it was made several weeks after European Commission Vice President Neelie Kroes, representatives of the European RFID industry, the chairman of the Article 29 Data Protection Working Party and the executive director of ENISA formally signed the RFID Privacy Impact Assessment Framework as a tool of industry self-regulation for data protection compliant RFID applications. Before the signing ceremony took place, this framework was formally endorsed by the Art. 29 Working Party with working paper 180, in which the Working Party reconfirmed their above mentioned statement on unique identifiers being personal data.

Mr.
Plenge's statement that, besides the visit of a data protection group, none of their customers ever requested that RFID tags on products should be deactivated, highlights the drawback of opt-out regimes. Most of the customers of retail stores are not data protection or RFID experts but ordinary citizens. They need to trust the retailers to be given accurate information and cannot base their shopping habits on general suspicion. Therefore consumers are not aware of any threats to their privacy and expect to have their personal data protected by default. It is therefore not a lack of interest but a lack of knowledge that leads to this total of zero deactivated RFID tags.

That it is not possible to sufficiently inform consumers about the data protection risks of RFID applications at the point of sale was - by the way - often claimed by industry representatives in the past couple of years of RFID data protection discussions. This is one of the reasons why EDRi always advocated for an opt-in regime instead of an opt-out one.

This current example of Metro Group's strategy is important not only because this company is one of the world's largest retailers, the actions of which affect the data protection rights of a large number of individuals, but also because it gives an example of the practical value of self-regulation tools like the RFID PIA framework.

In our EDRi-gram article on the signing ceremony we wrote, among other things: "The RFID PIA Framework is an important milestone on the way to the implementation of privacy friendly RFID applications. Now it is important that industry quickly but thoroughly implements the PIA in practice." As the Metro example suggests, it is the word "thoroughly" that needs to be emphasised in this statement.
At Point 20 of the RFID recommendation, the European Commission announced that it would "provide a report on the implementation of this Recommendation, its effectiveness and its impact on operators and consumers," in particular as regards the measures recommended for RFID applications used in the retail trade, before the end of May 2012. In our view, it is important to make sure that global players like Metro Group are covered by this report just as well as small and medium-sized RFID operators, as their level of adoption not only affects a large number of individuals but also predetermines the level of compliance of the whole industry.

Point 5 of the RFID recommendation suggests that RFID operators make the results of their privacy impact assessments available to the competent authorities (the national data protection authorities; DPAs) at least six weeks before the deployment of the application. EDRi calls on the national DPAs, the European Data Protection Supervisor and the Article 29 Working Party to make meaningful use of this opportunity by at least checking if the PIA was conducted on the basis of a correct definition of personal data and by providing statistics about how many PIA reports were made available to them, in which member states, and by which industries.

EDRi is well aware that this request comes at a time when most DPAs suffer from a lack of funding, staff and time. But we think that it is very important - also for the future use of such tools in other areas - to ensure that privacy risk assessments are carried out properly. The RFID PIA Framework is an important milestone but we need to check against delivery.

IoT 2011
http://www.iot-budapest.eu/

EDRi-gram 9.7: RFID Privacy Impact Assessment Framework formally adopted (6.04.2011)
http://www.edri.org/edrigram/number9.7/rfid-pia-adopted-eu

EC recommendation (12.05.2009)
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:122:0047:005...

Metro Group Future Store Initiative: Privacy at METRO GROUP (last accessed on 18.05.2011)
http://www.future-store.org/fsi-internet/html/en/1674/index.html

Opinion 5/2010 on the Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications (13.07.2010)
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp175_en.pdf

Opinion 9/2011 on the revised Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications (11.02.2011)
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp180_en.pdf
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp180_annex_en...

(Contribution by Andreas Krisch - EDRi)

============================================================
12. Recommended Action
============================================================

European Commission: Public Consultation on Cloud Computing
Deadline: 31 August 2011
http://ec.europa.eu/yourvoice/ipm/forms/dispatch?form=cloudcomputing&lang=en

============================================================
13. Recommended Reading
============================================================

UK: A review of Intellectual Property and Growth - An independent report by Ian Hargreaves (05.2011)
http://www.ipo.gov.uk/ipreview.htm
http://www.thepublicdomain.org/2011/05/18/the-hargreaves-review-is-published...

Demonstrators take to streets across Turkey to protest Internet bans (15.05.2011)
http://www.todayszaman.com/newsDetail_getNewsById.action?newsId=244062

============================================================
14. Agenda
============================================================

30-31 May 2011, Belgrade, Serbia
Pan-European dialogue on Internet governance (EuroDIG)
http://www.eurodig.org/

2-3 June 2011, Krakow, Poland
4th International Conference on Multimedia, Communication, Services and Security organized by AGH in the scope of and under the auspices of INDECT project
http://mcss2011.indect-project.eu/

3 June 2011, Florence, Italy
E-privacy 2011 and Big Brother Awards 2011
http://e-privacy.winstonsmith.org/

4-5 June 2011, Bonn, Germany
PolitCamp 2011
http://11.politcamp.org

12-15 June 2011, Bled, Slovenia
24th Bled eConference, eFuture: Creating Solutions for the Individual, Organisations and Society
http://www.bledconference.org/index.php/eConference/2011

14-16 June 2011, Washington DC, USA
CFP 2011 - Computers, Freedom & Privacy "The Future is Now"
http://www.cfp.org/2011/wiki/index.php/Main_Page

11-12 July 2011, Barcelona, Spain
7th International Conference on Internet, Law & Politics (IDP 2011): Net Neutrality and other challenges for the future of the Internet
http://edcp.uoc.edu/symposia/lang/en/idp2011/?lang=en

24-30 July 2011, Meissen, Germany
European Summer School on Internet Governance 2011
http://www.euro-ssig.eu/

27-30 October 2011, Barcelona, Spain
Free Culture Forum 2011
http://fcforum.net/

============================================================
15. About
============================================================

EDRi-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRi has 28 members based or with offices in 18 different countries in Europe. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRi-grams.

All contributions, suggestions for content, corrections or agenda-tips are most welcome. Errors are corrected as soon as possible and are visible on the EDRi website.

Except where otherwise noted, this newsletter is licensed under the Creative Commons Attribution 3.0 License. See the full text at http://creativecommons.org/licenses/by/3.0/

Newsletter editor: Bogdan Manolea <edrigram@edri.org>

Information about EDRI and its members:
http://www.edri.org/

European Digital Rights needs your help in upholding digital rights in the EU. If you wish to help us promote digital rights, please consider making a private donation.
http://www.edri.org/about/sponsoring

- EDRI-gram subscription information

subscribe by e-mail
To: edri-news-request@edri.org
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.

Unsubscribe by e-mail
To: edri-news-request@edri.org
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay. Translations are provided by Metamorphosis
http://www.metamorphosis.org.mk/edri/2.html

- EDRI-gram in German

EDRI-gram is also available in German, with delay. Translations are provided by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for Internet Users
http://www.unwatched.org/

- Newsletter archive

Back issues are available at:
http://www.edri.org/edrigram

- Help

Please ask <edrigram@edri.org> if you have any problems with subscribing or unsubscribing.

----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE