EDRI-gram newsletter - Number 6.2, 30 January 2008

============================================================
EDRI-gram

biweekly newsletter about digital civil rights in Europe

Number 6.2, 30 January 2008
============================================================

Contents
============================================================

1. ECJ decision on handing traffic information in civil cases
2. European Parliament hearing on Internet privacy issues
3. Personal sensitive data keep on being lost in UK
4. New spying tools patented by Microsoft
5. YouTube blocked once more in Turkey
6. Bulgarian Big Brother Awards

***European Data Protection Day - 28.01.2008 - special section***

7. Key privacy concerns in Denmark 2007
8. Key privacy concerns in Czech Republic 2007
9. Key privacy concerns in Ireland 2007
10. Key privacy concerns in France 2007
11. Key privacy concerns in Romania 2007
12. Key privacy concerns in Netherlands 2007
13. Main data protection concerns with the EU policy developments in 2007
14. Agenda
15. About

============================================================
1. ECJ decision on handing traffic information in civil cases
============================================================

The European Court of Justice (ECJ) decided on 29 January 2008, in the case of Productores de Música de España (Promusicae) vs. Telefónica de España, that European law "does not require member states to lay down an obligation to disclose personal data in the context of civil proceedings". However, the decision allows national courts to do so if the national interpretation requires it: "As to those directives, their provisions are relatively general, since they have to be applied to a large number of different situations which may arise in any of the Member States."

The decision came in a case where the Spanish music association Promusicae asked the ISP Telefonica to hand over the names and addresses of subscribers who allegedly distributed copyrighted songs via the p2p software Kazaa.
Telefonica refused, considering that it could do that only in a criminal investigation or in matters of public security and national defence. The company based its position on the Spanish implementation of the E-commerce directive. A Spanish court in Madrid asked the ECJ to decide on the conformity of the Spanish act with EU law on this matter.

The opinion of Advocate General Juliane Kokott, published on 18 July 2007, was positive for the ISPs, suggesting that a member state's exclusion of the disclosure of personal data from Internet traffic in civil copyright infringement cases was compatible with EU law.

However, the ECJ's final decision was limited to stating that the European Directives invoked in this case "do not require the Member States to lay down (...) an obligation to communicate personal data in order to ensure effective protection of copyright in the context of civil proceedings."

This confirms that EU law does not directly require national courts to order the disclosure of personal data in civil cases of copyright infringement. At the same time, the decision considers it acceptable for national laws to allow disclosure to be forced in civil proceedings, taking into consideration their balance of fundamental rights: "(...) when implementing the measures transposing those directives, the authorities and courts of the Member States must not only interpret their national law in a manner consistent with those directives but also make sure that they do not rely on an interpretation of them which would be in conflict with those fundamental rights or with the other general principles of Community law, such as the principle of proportionality."

Intellectual property lawyer Iain Connor, a partner with Pinsent Masons, considered that the ruling could be bad news for ISPs in the UK: "You could potentially get people who want to host material effectively forum shopping and going to ISPs in places where disclosure would not be ordered."
Meryem Marzouki, president of the EDRi-member IRIS France, considers the decision to be more in favour of the copyright holders' demands and insists that the ruling is a step backward compared with the Advocate General's opinion in this case, according to which the EU legislation on personal data protection should prevail over the Community law on e-commerce, copyright protection and IP enforcement.

C-275/06 - Promusicae vs Telefonica - ECJ decision (29.01.2008)
http://www.bailii.org/eu/cases/EUECJ/2008/C27506.html

Countries can choose whether or not to force disclosure of file-sharers (29.01.2008)
http://www.out-law.com/page-8836

Court delivers a blow to record companies on internet piracy (30.01.2008)
http://business.timesonline.co.uk/tol/business/law/article3273960.ece

EU supremes: ISPs don't always have to finger filesharers (29.01.2008)
http://www.theregister.co.uk/2008/01/29/eu_supreme_civil_isp_filesharing_cas...

EDRi-gram: ECJ's Advocate General says no handing traffic information in civil cases (1.08.2007)
http://www.edri.org/edrigram/number5.15/traffic-data-civil-cases

============================================================
2. European Parliament hearing on Internet privacy issues
============================================================

During a hearing of the European Parliament (EP)'s Civil Liberties Committee on 21 January 2008, serious data protection concerns were raised about the practice of large Internet companies that monitor the online behaviour of their users in order to provide online advertisers with the information needed to better target their ads.

The main debate turned around the Google-DoubleClick deal, which is now being examined by the European Commission and which was already approved in the US in December 2007 by the Federal Trade Commission.
Google accused MEPs and rights advocates of trying "to take a privacy case and shoehorn it into a competition law review", but Sophie In 't Veld replied to these accusations: "The reason you want to have the data is because it gives you a competitive advantage. It is business. I don't think they can be completely disconnected."

Representatives of the industry and consumer protection bodies addressed the EP Civil Liberties Committee, claiming that the tracking of online behaviour threatens personal privacy and that there is no guarantee that these data are used only for advertisement targeting.

MEP Stavros Lambrinidis of Greece expressed worries about the lack of Community legislation ensuring that personal data are used only for advertising purposes, saying that "there is no EU legislation per se to ensure that information targeting behaviour for marketing purposes will not be used for other activities that far exceed the initial purpose."

In his turn, EDPS Peter Hustinx said: "Community law on data protection does apply on the Internet, it applies to both online and offline realities (...) existing rules do apply and do provide safeguards".

Google's Global Privacy Counsel Peter Fleischer stated that the merger between Google and DoubleClick would not lead to the creation of a single database with consumer-related information, as "DoubleClick does not own its customers' data". He also added that the online ad company "can only use the data it processes from serving ads to provide aggregate reporting. The data is owned by the publishers or advertisers that DoubleClick works for (...) DoubleClick customers would be very displeased if one tried to undo their contractual relationships by sharing information between advertisers".

The merger case is now with DG Competition, which is examining it for potential violations of antitrust rules in the online advertising intermediary market.
The European Commission is to decide whether or not to authorise the merger on 2 April 2008.

One issue that was also strongly debated was whether or not an IP address is to be considered personal data. In the opinion of the EU group of data privacy regulators, the IP address should generally be considered personal information.

Google's view was expressed by Fleischer, who stated: "There is no black or white answer: sometimes an IP address can be considered as personal data and sometimes not, it depends on the context, and which personal information it reveals."

But Marc Rotenberg, the Executive Director of the Electronic Privacy Information Center, contradicted this statement: "I wish this was the case, but we are moving towards the IP6 model, for which it will be even more the case that IP addresses will be personably identifiable".

Peter Schaar, Germany's data protection commissioner, who leads the EU Article 29 Data Protection Working Group, which is preparing a report on the compliance with EU data protection acts of the privacy policies of Internet search engines operated by Google, Yahoo, Microsoft and others, said that if someone could be identified by an IP address "then it has to be regarded as personal data."

Do Internet companies protect personal data well enough? (26.01.2008)
http://www.neurope.eu/articles/82144.php

Google-DoubleClick deal likely to win EU go-ahead (25.01.2008)
http://www.reuters.com/article/reutersEdge/idUSL2589361220080125

Internet privacy concerns cause very public row in Brussels (23.01.2008)
http://afp.google.com/article/ALeqM5hQ47Tl9N_w06bGdc5UBcXzg1lPRA

EU data regulator says Internet addresses are personal information (21.01.2008)
http://www.siliconvalley.com/news/ci_8035260?nclick_check=1

Google seeks to allay privacy fears over DoubleClick merger (22.01.2008)
http://www.euractiv.com/en/infosociety/google-seeks-allay-privacy-fears-doub...
EDRi-gram: EC announces a larger investigation of the Google-DoubleClick deal (26.11.2007)
http://www.edri.org/edrigram/number5.22/in-depth-google

============================================================
3. Personal sensitive data keep on being lost in UK
============================================================

Many documents with confidential data, including benefit claims, passport photocopies and mortgage payments, were found on 17 January 2008, lost on a roundabout near Exeter Airport in Devon, UK.

Mr Karl-Heinz Korzenietz, the finder of the documents, told BBC News: "I thought first of all it was rubbish. But when I looked at the papers I discovered they were highly sensitive. I was shocked and surprised that sensitive papers like this would just be lost like that."

Mr Korzenietz also said that this was the second time he had found documents of this kind. On 6 November he found another set of similar documents, which he handed over to the Royal Mail depot in Exeter, which returned the documents to the carrier TNT. However, TNT said they were unaware of any missing data and stated that they were not the only company providing services to the government.

The Ministry of Defence (MoD) has also disclosed the theft on 9 January 2008, from a Royal Navy officer, of a laptop containing details on more than 600 000 people, including Royal Navy, Royal Marine and RAF recruits, as well as other people wanting to join the services.

The MoD has approached the security and intelligence agencies and, although the Joint Terrorism Analysis Centre considered the threat to be low, the ministry approached the banks and the individuals whose data were in the missing database. The data in question included passport information, family details, national insurance numbers, driving licence details and even medical information.
According to Conservatives and Liberal Democrats, the theft raises further concerns related to the government's plans for identity cards, considering that the government would have to convince the public that it could safely manage the identity card system.

These two incidents continue the series of personal data losses that have lately occurred in the UK. In October 2007, two discs containing an unencrypted copy of the entire child benefit database were lost in transit between HM Revenue and Customs and the National Audit Office. In December 2007, a hard drive with a driving theory test database containing details on 3 million candidates was lost in the US, and at the beginning of 2008 personal details of hospital patients were lost by the NHS.

Conservative MP Chris Grayling said: "You would have thought after the child benefits fiasco every department would have doubled and trebled their efforts. The fact that this hasn't happened is incompetence of the highest degree."

On 10 August 2007, the House of Lords Committee on Science and Technology published a report on "Personal Internet Security" recommending a Security Breach Notification law that would require companies that leaked personal data to notify the people concerned. Unfortunately, in October 2007, the Government turned down the Committee's recommendation.

Richard Clayton, specialist adviser for the Committee and a member of the EDRi-member Foundation for Information Policy Research, commented: "What's needed of course is a security breach notification law, so that everyone (not just Government departments as here) is forced to notify people when they lose personal data AND forced to notify a central clearing house, so that researchers can start to build up patterns and observe commonalities, so as to better advise the holders of personal data what they -- as a group -- are doing wrong."
The Defence Secretary, Des Browne, gave a statement to the House of Commons on 21 January 2008 saying that in fact three laptops had been stolen over the previous two years. The head of the Civil Service has now issued instructions that laptops holding sensitive personal data must not be removed from offices.

Personal data found on roundabout (18.01.2008)
http://news.bbc.co.uk/1/hi/england/devon/7197048.stm

Recruits' banks alerted after theft of laptop (21.01.2008)
http://www.guardian.co.uk/idcards/story/0,,2244251,00.html

EDRi-gram: UK government loses personal data on 25 million citizens (21.11.2007)
http://www.edri.org/edrigram/number5.22/personal-data-lost-uk

Personal Internet Security - House of Lords Science and Technology Committee 5th Report of Session 2006-7 (10.08.2007)
http://www.publications.parliament.uk/pa/ld200607/ldselect/ldsctech/165/165i...

House of Lords Inquiry: Personal Internet Security (10.08.2007)
http://www.lightbluetouchpaper.org/2007/08/10/house-of-lords-inquiry-persona...

Government ignores Personal Internet Security (29.10.2007)
http://www.lightbluetouchpaper.org/2007/10/29/government-ignores-personal-in...

============================================================
4. New spying tools patented by Microsoft
============================================================

According to The Times, Microsoft has filed a patent application for computer software that can monitor employees' performance and state by means of wireless sensors linking workers to their computers.

The system, considered by Microsoft a "unique monitoring system", is capable of measuring employees' movements, heart rate, blood pressure, brain signals, body temperature or facial expression and can even "automatically detect frustration or stress in the user" and "offer and provide assistance accordingly". This can lead to the creation of psychological profiles, and the unions fear that employees could be dismissed on the basis of such profiles.
The Information Commissioner, privacy advocates and civil liberties groups strongly criticise the application. "This system involves intrusion into every single aspect of the lives of the employees. It raises very serious privacy issues", stated Hugh Tomlinson, QC, an expert on data protection law at Matrix Chambers, while the Information Commissioner's Office said: "Imposing this level of intrusion on employees could only be justified in exceptional circumstances."

According to legal experts from the law firm Eversheds, Microsoft will face major legal problems if it wants to implement the system all around the world. Jonathan Armstrong, a partner in the firm, told vnunet.com that the situation was especially complicated due to the international nature of Microsoft's business.

The application was confirmed by the US Patent Office and could be granted within a year.

Another patent application by the company concerns a method of collecting information about the users of cell phones, the Internet, credit cards and geolocation systems in order to target advertising.

Microsoft, like other large companies such as Google that earn money from clicks on ads, has thought of gathering personal information on Internet users in order to provide more tailored advertisements that may better catch the users' eye.

According to the Microsoft application, "an advertising component employs the user profile in connection with the delivery of an advertisement." Credit card information may be used to create a "payment history," and data relayed by cell-phone towers can also be used to locate users, and to "tailor search and advertising during online experiences so as to better interpret queries to search engines, to better target advertisements."

Brendon Lynch, Microsoft director of privacy strategy, stated that the application "will first be reviewed against our privacy standards to ensure that privacy is protected."
Microsoft seeks patent for office 'spy' software (16.01.2008)
http://technology.timesonline.co.uk/tol/news/tech_and_web/article3193480.ece

Microsoft ponders offline profiling of Web users (23.01.2008)
http://www.marketwatch.com/news/story/microsoft-ponders-offline-profiling-web/story.aspx?guid=%7BF0D7FACF-0072-43C6-B341-B934D7E84635%7D&dist=hplatest

Microsoft faces legal challenge to 'spy' software (18.01.2008)
http://www.vnunet.com/vnunet/news/2207545/microsoft-faces-legal

============================================================
5. YouTube blocked once more in Turkey
============================================================

An order issued by a Turkish court on 17 January 2008 once again blocked access to Google's YouTube Web site on account of allegedly insulting clips referring to the country's founding father, Mustafa Kemal Ataturk.

The ban lasted for 6 days and, as no statements have been made by Turk Telekom, which implemented the ban, or by YouTube representatives, it is not yet known whether the ban was lifted because the clips in question were removed.

The situation seems to be a repeated pattern, as YouTube was first banned in March 2007 on similar allegations until the videos considered disrespectful were removed by the site. A second time, in September, a Turkish court from the eastern city of Sivas decided to order the ISPs to block access to YouTube because of a video considered offensive to Ataturk, President Abdullah Gul, Prime Minister Recep Tayyip Erdogan and the Turkish army, but the ban was not implemented.

The bans on YouTube are an expression of the problems Turkey has with freedom of expression. Turkish writers and journalists have been on trial for allegedly insulting "Turkishness", and the country, which is seeking European Union membership, is already under EU pressure to improve the situation. The EU also asks Turkey to abolish an article in its penal code considered to violate free speech.
This situation is strongly criticized in the country as well. Journalist Emre Aköz from Sabah considers that this ban places Turkey in the ranks of undemocratic regimes and gives those who oppose the accession of Turkey to the EU the occasion to say: "We told you these guys are pro-ban. They lack tolerance. They cannot bear hearing criticism. Here is the evidence."

Posta journalist Mehmet Barlas asked: "Can we now say that we have taken the virtual world under our control by banning YouTube? No. The virtual world is incredibly large, it is both close and far away and a digital world," and also added: "Blocking full access to a Web site, although possible to block only those controversial videos in this information era, is like blocking access to a school due to an unruly student or banning civil aviation due to an accident".

Turkey is not the only country to have blocked YouTube. In 2007, the Thai government banned the site for almost four months because of some clips considered offensive to King Bhumibol Adulyadej, Thailand's monarch, and in Morocco the site could not be accessed after some users posted videos criticising the way in which Morocco was treating the people of Western Sahara. The government did not admit to having blocked the site and blamed a technical fault, but was unable to explain why the fault affected only the YouTube site.
Turkey Bans YouTube for Second Time (20.01.2008)
http://ap.google.com/article/ALeqM5iKUx9hP8rzGIKGJC5_Ml7OViYraQD8U9PRM00

Access to YouTube Resumes in Turkey (24.01.2008)
http://ap.google.com/article/ALeqM5iKUx9hP8rzGIKGJC5_Ml7OViYraQD8UCF7L80

YouTube ban reduces Turkey to the ranks of backward states (23.01.2008)
http://www.todayszaman.com/tz-web/yazarDetay.do?haberno=132231

Turkey once again blocks access to YouTube (22.01.2008)
http://www.todayszaman.com/tz-web/detaylar.do?load=detay&link=132195

EDRi-gram: Turkey blocks again YouTube (26.09.2007)
http://www.edri.org/edrigram/number5.18/turkey-youtube

============================================================
6. Bulgarian Big Brother Awards
============================================================

On 28 January 2008, the Access to Information Programme and EDRi-member Internet Society Bulgaria presented the Big Brother negative awards.

The Big Brother award was presented to the Ministry of Interior for publishing data from the passports and criminal conviction records of two BBC journalists who were shooting a documentary in Bulgaria.

The Sramota (or Shame diploma) was presented to the Bulgarian Council of Ministers for their decision to publish in the State Gazette of October 2007 the names, permanent addresses and personal numbers of the owners of land which was expropriated for the construction of the south road circle in Sofia.

Among the nominees for the anti-award this year were also the Traffic Police, the Registry Agency at the Ministry of Justice, as well as the Commission for Data Protection itself.

28 January, the day on which the Big Brother Awards ceremony was held in Bulgaria, coincides with the European Data Protection Day. The date marks the adoption of Convention 108 of the Council of Europe for the protection of individuals with regard to automatic processing of personal data.

The Big Brother Awards ceremony was held in Bulgaria for the fourth time. The last ceremony was held in 2005.
Big Brother Awards Bulgaria (only in Bulgarian, 28.01.2008)
http://bg.bigbrotherawards.org/

The "Big Brother" Awards Ceremony Held in Bulgaria (28.01.2008)
http://www.aip-bg.org/documents/bb_eng_2008.htm

Bulgarian Big Brother Awards - 2007 (28.01.2008)
http://blog.veni.com/?p=439

(contribution by Veni Markovski - EDRi-member ISOC Bulgaria)

============================================================
***European Data Protection Day - 28.01.2008 - special EDRI-gram section***
============================================================

28 January is the European Data Protection Day. For the second time, in 2008, this date marks the anniversary of the Council of Europe's Convention 108, the first legally binding international instrument related to data protection.

This section of the EDRi-gram is dedicated to the European Data Protection Day and marks the main privacy developments from some European countries, as reported by EDRi members.

European data protection day activities - 28.01.2008
http://www.coe.int/t/e/legal_affairs/legal_co-operation/data_protection/Data...

============================================================
7. Key privacy concerns in Denmark 2007
============================================================

a. Data Retention - a reality

15 September 2007 - data retention became a reality in Denmark. The administrative order, which sets the scope and conditions for data retention, was approved on 28 September 2006 with an implementation deadline of one year. The order, which was drafted by the Ministry of Justice, had been underway for more than four years.

The Act providing for data retention had already been approved by the Danish Parliament in June 2002 as part of the Danish "anti-terrorism package," which extended the scope of Section 786 of the Administration of Justice Act (Act No. 378 of 6 June 2002).
The administrative order regulates in more detail the obligations of the telecommunications providers and further implements the recently adopted EU Directive on Data Retention. On some issues the order goes further than the EU Directive, e.g. session logging. The order applies only to commercial ISPs, excluding non-commercial ISPs, libraries, universities and smaller housing associations. There is no obligation on ISPs to invest in new systems, but the law demands a 24/7 point of contact at ISPs and security clearance of relevant ISP personnel.

For fixed lines and mobile phones (including voice, voicemail, call forwarding, conference calls, SMS, MMS) the retained data are: phone number, user ID (e.g. customer number), name and address of customer, IMSI / IMEI number, unsuccessful call attempts, first and last cell ID and physical location (mobile communication), and date and time for start and end of communication.

For Internet use, the retained data are session logging (first and last, or every 500th packet), IP address, port number and transport protocol, user ID, phone number for dialup access, location and ID of hot spots, and date and time for start and end of communication.

For email and VoIP the order covers the ISPs' own email services (and not hotmail, gmail, etc.) and all VoIP services. The retained data are sender and receiver, user ID, email address, and date, time and duration of communication.

During the 4-year drafting period, the proposed scheme for mandatory data retention was heavily criticized by the Telecom and IT industry, the Data Protection Agency, the Human Rights Institute, and non-governmental organizations for being privacy invasive, disproportionate and inconsistent, i.e. letting private companies store large amounts of personal information, while at the same time being easy to evade because of the many exemptions, such as libraries and universities.

b. Extended means of surveillance

On 1 June 2007 an Act on TV Surveillance, which replaced the previous Act Prohibiting Video Surveillance, was adopted in the Parliament (Act No. 162 of 1 June 2007). The bill gives private enterprises such as banks, gas stations, hotels, shops etc. extended powers to perform surveillance of areas related to their property. The police may set quality standards for the recordings.

General surveillance of public areas such as public streets and squares is not allowed for private parties; however, the police may perform surveillance in any public area if it is found necessary to prevent or investigate crime. Both public and private surveillance must comply with the Danish Data Protection Act, i.e. requirements of deletion of data after a maximum of 30 days. However, there is no longer a duty to notify the Data Protection Agency prior to installing surveillance equipment.

c. Extended access to personal information

On 8 June 2006, an Act amending the Administration of Justice Act, Act Prohibiting Video Surveillance etc., and Act on Air Traffic (Strengthening of the efforts to fight terrorism etc.) was adopted in Parliament (Act No. 542 of 8 June 2006). The bill was presented as the second "anti-terrorism package" in Denmark.

The amendment to the Administration of Justice Act gives the Police Intelligence Service increased powers to exchange information with the Defense Intelligence Service and to collect information from other public authorities, e.g. hospitals, schools, libraries, social services etc., without a warrant.

Phone tapping in relation to criminal investigations is now targeted at individuals rather than at means of communication, for instance a specific landline. This implies that all the phones a person may use may be tapped. Also, the notification of the individual may be omitted or postponed for a fixed period of time if the notification is considered to be detrimental to the investigation.
The amendment of the Act Prohibiting Video Surveillance gives the police increased powers to demand of public offices and private parties that they install and conduct video surveillance.

The amendment of the Air Traffic Act obliges airline companies to register and keep data on passengers and crews for one year and to provide the Police Intelligence Service with electronic access to the data, without a warrant.

Draft Administrative Order on data retention in Denmark (19.07.2006)
http://www.edri.org/edrigram/number4.14/denmark

EU Data retention directive and its implementation in Denmark (in Danish only)
http://logningsdirektivet.dk/

CCTV (in Danish only)
http://www.update.dk/cfje/Lovbasen.nsf/ID/LB04720872

Privacyforum.dk - about CCTV (in Danish only, 21.11.2006)
http://www.privacyforum.dk/?p=25

Act No. 542 of 8 June 2006 (in Danish only, 8.06.2006)
http://www.ft.dk/doc.aspx?/Samling/20051/lovforslag/L217/index.htm

(contribution by Rikke Frank Joergensen - Digital Rights Denmark)

============================================================
8. Key privacy concerns in Czech Republic 2007
============================================================

Last year saw an increased number of attempts by government bodies to extend their powers and make it easier to access people's private information. To name a few, there were legal proposals to increase the number of agencies authorized to access and process electronic communication data collected by telecommunication companies under the Data Retention law, national DNA database enlargement, plans for sharing various administrative databases, the introduction of even more CCTV systems and pressure on air travel operators to share records about their passengers. The introduction of biometric data into travel documents as a means of identification and the use of contactless chip technologies still suffer from a lack of respect for people's privacy.
Citizens continue to lose control over their personal data at the same speed, with no visible slowdown.

a. National DNA database

There was a substantial expansion of the number of DNA samples and profiles in 2007 - up to 40 000 records. The new legislation which went into force in 2006 has allowed the Police to take samples not only from the accused, but also from uncharged suspects or from any other person related to the investigation in any unspecified way, which practically means from anybody. Moreover, the new law made it possible to take DNA samples from all prisoners found guilty of intentional crimes as well as from people under protected health treatment. There was a murder-related investigation in the city of Sternberk where DNA samples were taken from all men of a certain age, whilst no information was given about the process of destruction of the samples belonging to innocent people after the investigation.

b. Data Retention

EU directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services has been implemented in the national legislation since the beginning of 2006. In 2007 the Police routinely used the data for investigation. However, there are no official statistics on the number of accesses or on the efficiency of the measure. In November 2007 a proposal was made by the Minister of Industry and Trade, Mr. Říman, to allow the secret service and the military intelligence direct access to those data. He has abandoned the idea only temporarily, after a strong negative reaction from the media and politicians.

c. PNR

The provisional agreement on the transfer of Passenger Name Records expired in the middle of 2007. The new agreement was accepted by the Czech government outside the ordinary legislative process due to the lack of time. Only the Czech Data Protection Agency was consulted.
In its official opinion, the new agreement is worse with respect to privacy than the previous one, namely because the agreement doesn't contain any safeguards against the US interlinking the data with other databases, using it for other purposes or exporting the data into third countries with different regimes of privacy protection. The Czech government has accepted the agreement with reservation.

d. CCTV surveillance

Both the Ministry of Interior and various city magistrates continue to invest in CCTV systems. The current number of CCTVs in Prague is 400 and keeps increasing. The Prague City Hall has announced its plans to enclose the whole city in a circular system of interlinked cameras with license plate number recognition capabilities, combined with speed cameras, in order to register all vehicles entering or leaving the city. There was a case, well covered by the media, of misuse of the CCTV system to peek into a private flat at a crossroads in Pilsen in summer 2007. The images appeared on the Internet.

e. Contactless chip cards

In summer 2007, the Prague City Hall introduced a universal service card for all citizens of Prague. It is supposed to be used for parking payments, access to libraries, as a travel card, electronic wallet and a key for online communication. As demonstrated publicly by EDRi-member Iuridicum Remedium, anybody with a standard RFID reader was able to obtain the personal data (name, date of birth, sex) from the card, from a distance, without the cardholder's consent. Despite the producer's claims on the enhanced security of the chip, the actual implementation of the system did not put any focus on the cardholders' security and left the card at factory defaults. Neither has it ever been explained why the personal data should be on the contactless chip in the first place. After the campaign, the City Hall decided to stop putting the data on the chip and to fix the cards already issued.
But the fact that many services which used to be available anonymously are no longer anonymous (e.g. parking) remains a major unresolved problem.

f. eGovernment

The recent developments on the eGovernment front give other reasons to worry. There is almost no discussion about the privacy safeguards and how they are going to be implemented. The available documentation contains many plans on processing and interlinking people's personal data, including a broad specification of to whom this data will be made available and how the data is going to be shared. The privacy aspects of the system, which will potentially concern the majority of the population, have been left out completely. The proposal made by an independent working group for time-limited ad hoc identifiers has not been taken into consideration.

EDRi-gram: Prague will anonymise RFID city cards (1.08.2007)
http://www.edri.org/edrigram/number5.15/rfid-prague-cards

EDRi-gram: Government attempts of increased level of surveillance in Czech Republic (7.11.2007)
http://www.edri.org/edrigram/number5.21/terrorism-act-czech

More information (in Czech only)
http://www.iure.cz

(contribution by Filip Pospíšil and Marek Tichý, EDRi-member Iuridicum Remedium - Czech Republic)

============================================================
9. Key privacy concerns in Ireland 2007
============================================================

a. Data Retention Litigation

The Digital Rights Ireland litigation against data retention, which was started in September 2006, continues before the High Court. This action challenges both the Directive and also Ireland's domestic data retention laws. It alleges that those laws are procedurally flawed and are also in breach of the right to privacy guaranteed under the Irish Constitution and Article 8 of the European Convention on Human Rights. It also argues that data retention will have a chilling effect on the Constitutional and ECHR rights to freedom of expression and association.
In addition, the action argues that the tracking of the movements of any person carrying a mobile telephone interferes with the right to travel under the Constitution. The action alleges that these infringements of personal rights are neither proportionate nor necessary in a democratic society.

At the time of writing the action is at the interlocutory stages and awaits a full hearing. Two preliminary matters are currently before the court. The Irish Human Rights Commission (a statutory body) has made an application for permission to intervene in the case as an amicus curiae. The defendants have also indicated their intention to challenge the locus standi of Digital Rights Ireland to bring the case. Both applications have yet to be ruled on by the court.

b. Implementation of the Data Retention Directive

The Irish Government has confirmed reports that it intends to implement the Data Retention Directive by an order of a Minister rather than legislation passed by Parliament. Ireland did not avail of the derogation under the Directive to delay implementation in respect of internet traffic data. Consequently Ireland is now late in implementation and has received a warning letter from the Commission. The Government has decided to implement the Directive notwithstanding its own challenge to the legal basis of the Directive, which is before the European Court of Justice and awaits a hearing.

The decision to implement the Directive by Ministerial order has been criticised for excluding democratic oversight by legislators and as being taken without proper consultation. Paul Durrant, director of the Internet Service Providers Association of Ireland (ISPAI) has said that: "The ISPAI is disappointed that such an all pervasive measure . . . should be enacted without being subjected to the full rigours of (parliamentary) debate and the public exposure that brings."
Digital Rights Ireland said that: "It is incredible that the Government proposes to introduce a law which would require every Internet user to be monitored without any warrant or prior judicial approval, without any public consultation and without any debate or vote in Parliament. A law of this gravity should not be made by stealth. The Department of Justice appears to be relying on the "urgency" of the matter to justify bypassing Parliament. But the European law being implemented was passed in February 2006. The Department has had two years to introduce a law and it cannot rely on its own delay to justify sidelining democratic scrutiny. In any case, it is inappropriate to implement this law whilst it is under court challenge. The Irish government itself has challenged the validity of the law before the European Court of Justice. Digital Rights Ireland has also brought a High Court action challenging the European law. These proposals will effectively pre-empt the judgment of the courts."

Alarm bells ring over data retention (7.12.2007)
http://www.techno-culture.com/?p=131

E-Mail and chat data to be stored 'within a month' (19.01.2008)
http://www.ireland.com/newspaper/frontpage/2008/0119/1200605160420.html

DRI condemns backdoor implementation of surveillance laws (19.01.2008)
http://www.digitalrights.ie/2008/01/19/dri-condemns-backdoor-implementation-...

(contribution by TJ McIntyre - EDRi-member Digital Rights Ireland)

============================================================
10. Key privacy concerns in France 2007
============================================================

6 January 2008 was the 30th anniversary of the French Data Protection Act. But no one really cared. The only French contribution to this 2nd European DP day has been the publication by the CNIL (French DP Authority) of a poll result that it commissioned in November 2007. The poll indicates that 50% of the persons asked know the CNIL.
However, only 26% of them feel they are informed well enough on their rights in terms of personal data protection, and 61% consider that the constitution of databases is breaching their right to privacy. Moreover, an earlier study on Internet usage conducted in June 2007 reveals that the most cited barrier to Internet use is the fear that personal data are not protected enough (by 29% of the Internet users and 23% of non Internet users).

In summary, French people seem better aware of and more concerned by the possible violations of their privacy rights. Unfortunately, the CNIL has not published the entire poll result. Otherwise, we might have had some explanations for the apparent paradox between this increasing awareness and the growing development of privacy and data protection violations by the French legislation and regulation without much opposition.

2007, a year of presidential and legislative elections, has seen further extensions of police powers, major provisions for the control of migrants, most notably using biometrics and genetic data, massive extension of children databases and the confirmation that intellectual property rights prevail over privacy rights in France.

a. Further extensions of police powers

Since data retention law is already in place with access to data granted to police and intelligence services, new developments are rather related to the implementation and use of the system. To ease the collection and processing of traffic data directly by the police intelligence forces, a new technical platform for the interception of traffic data in all types of communication systems was put into operation in May by the French Ministry of Interior, covering communication data related to text messages, mobile or Internet. It is expected that this platform will process 20 000 requests yearly.
In terms of legislative developments, the French law for the prevention of delinquency of March 2007 introduced a new provision granting dedicated law enforcement authorities new powers to fight child sexual abuse, since they can now use pseudonyms when they participate in electronic exchanges for the purpose of investigations, and they can also detain and provide illegal content for the same purpose. However, they cannot use these possibilities for crime incitement.

b. Migrants under total control

Whether they ask for a short or long stay visa in French consulates abroad or they cross any frontier to enter the country (and in the near future to leave it), migrants are traced and filed. If they are caught in illegal stay status, they're filed. If, even as legal residents, they choose to return to their country of origin and benefit from an assistance mechanism for this, they're filed. If they're legal residents, they're filed too, and they're filed again if they want to bring their families. Files contain their personal data, their biometric data, their genetic data, as well as data on their families, including young children.

2007 has seen major developments to achieve this total control of foreigners, resulting in their assimilation to criminals. The immigration law of March 2007 has introduced DNA testing to prove family links for foreign candidates applying for a visa of more than 3 months on family reunification grounds. It also introduced the requirement that the beneficiaries of financial support (foreigners voluntarily returning home) have their photograph and digital fingerprints taken and stored in yet another biometric database.

An administrative decree of December 2007 created the ELOI database, aimed at facilitating the expulsion of illegal migrants. A previous version of the text was cancelled in March 2007 by the French highest administrative court, after 4 French NGOs filed a case against the Interior ministry.
While the new version of the decree requires fewer data to be kept on French citizens and associations in contact with these illegal migrants, personal data of the migrants and their families remain filed, and are kept for 3 years after their expulsion.

Finally, another decree published in November 2007 created the VISABIO biometric database, containing the photograph and the 10 fingerprints of all foreigners requesting visas, including children over 6. Other data in VISABIO are related to the foreigner's entry and exit from the territory. These data are kept for 5 years.

c. Children under surveillance

Children start to be filed at age 3, as soon as they enter elementary school. This is the result of "Base-élèves", a database set up by the ministry of Education. "Base-élèves" has been created as an "experiment" since 2004, and is currently being generalized. It contains personal data on the children and their families, including psychosocial data, and a huge amount of information on their competence, skills and problems. Most of the data are to be kept for 15 years. Such data were supposed to be accessed only by educators and social actors. However, the French law for the prevention of delinquency of March 2007 granted new powers to Mayors (as elementary and primary schools are within their managerial jurisdiction). Mayors may now "share the professional secret" with many social actors and thus they are granted access to "Base-élèves", for the purpose of preventing delinquency.

After important protests from NGOs, parents associations and some school directors, the ministry of Education agreed in October 2007 to remove from "Base-élèves" data related to citizenship, date of arrival in France and "language and culture of origin" of the child. However, protests are increasing and national petitions have been launched to demand the suppression of this file.

d. IPR holders granted private police powers

The French Data Protection Act allows, since its August 2004 revision, intellectual property rights societies to create private records of rights infringers through the collection of their IP addresses in P2P networks, the use of automatic software for such a collection being subject to CNIL approval. Accordingly, the CNIL decided in October 2005 to reject the introduction of surveillance devices proposed by Sacem and 3 other author and producer associations asking for the automatic tracing of infringements of the intellectual property code. In May 2007, the highest administrative court cancelled this decision. The court found that the proposed devices are not disproportionate, and are acceptable considering the extent of the piracy phenomenon in France. The author and producer associations have thus resubmitted their request to the CNIL and obtained its agreement in November 2007.

Still in November 2007, an agreement was signed between some French ISPs and the music and movie representatives in order to act directly against the big illegal file-sharers. French ISPs would then spy on their users to see if they are big file-sharers. Those who are identified could first get a formal warning, but could then even be cut off or suspended. The agreement also foresees the possibility of a national register of the subscribers that were suspended. But the agreement is not applicable yet, since no authority has yet been created to apply it.
EDRi-gram: ENDitorial: French law on delinquency: the threat to FoE is elsewhere (14.03.2007)
http://www.edri.org/edrigram/number5.5/enditorial-french-law-delinquency

EDRi-gram: The French Ministry of Interior has a new interception platform (6.06.2007)
http://www.edri.org/edrigram/number5.11/french-interior-interceptation

EDRi-gram: French High Court cancels the creation of illegal migrants database (13.03.2007)
http://www.edri.org/edrigram/number5.5/france-cancels-database

EDRi-gram: DNA tests proposed in France for family visa applicants (26.09.2007)
http://www.edri.org/edrigram/number5.18/dna-test-france-visa

EDRi-gram: Update on DNA and biometrics in French immigration law (24.10.2007)
http://www.edri.org/edrigram/number4.20/dna-french-immigration-law

EDRi-gram: ELOI - a French database to manage the expulsion of illegal migrants (16.01.2008)
http://www.edri.org/edrigram/number6.1/eloi-french-database

More details on "Base-élèves" and the protest actions (only in French)
http://www.ldh-toulon.net/spip.php?rubrique141
http://www.ldh-toulon.net/spip.php?rubrique106

EDRi-gram: French State Council allows tracing P2P users (6.06.2007)
http://www.edri.org/edrigram/number5.11/france-tracing-p2p

EDRi-gram: Is the IP address still a personal data in France? (12.09.2007)
http://www.edri.org/edrigram/number5.17/ip-personal-data-fr

EDRi-gram: French ISPs agree to spy on Internet users to stop online piracy (10.10.2007)
http://www.edri.org/edrigram/number5.19/french-isp-piracy

EDRi-gram: New agreement between the French ISPs and record industries (5.12.2007)
http://www.edri.org/edrigram/number5.23/french-agreement-piracy

(Contribution by Meryem Marzouki, EDRI member IRIS - France)

============================================================
11. Key privacy concerns in Romania 2007
============================================================

Privacy and data protection seem not to be a hot topic for Romanian society.
The media generally ignores the topic, unless something related to an important public figure makes the subject out of the ordinary. The Romanian Data Protection Authority has failed to become a public supporter of privacy and has instead emerged as a register of data controllers. Under these general circumstances, 2007 was rather a calm year, where the main success of the government in the field of privacy - the non-adoption of the data retention law - was obtained by mistake, only due to bureaucratic reasons.

a. Data retention

The first draft of the data retention law that needs to implement the EU directive was presented for public consultations in May 2007 by the Ministry of IT&C, but after receiving some comments and organizing a public meeting to discuss the draft law, the subject seems to have disappeared in the folders of the ministries, probably also because no one, except the European Commission, seems to care too much about the law. Therefore, the official deadline for the implementation of the EU directive passed without the draft being adopted by the Government.

Suddenly, and without any public notice, the project re-appeared in December 2007 on the Ministry of IT&C list of documents in public consultation. The new draft seems similar to the old one, but it is clear that the Government is on the verge of adopting the act through an Emergency Ordinance. That means, in accordance with the previous year's experience and a Balkan style of twisting the meaning of constitutional wording, that the fact that the official EC deadline has passed transforms the matter into a national emergency that requires the approval of the law directly by the Government, relegating the parliamentary debates on the subject to a secondary role. For now, there are no indications whether this will happen, or exactly when.

b. Romanian DPA

The Romanian Data Protection Authority, created only in the late part of 2006, has been trying to get data protection issues into the public debate and, so far, has succeeded in organizing several information sessions - especially with the public institutions and the banking sector. This has been so far a much more positive approach than we've seen in any year since the adoption of the data protection laws in 2002, but the activity of the Romanian DPA is far from being satisfactory, especially if we take into consideration the lack of a strong public position on any privacy issues present in the Romanian state or European activities.

However, the Romanian DPA took two important decisions to reduce its bureaucratic work and make it more attractive for data controllers to register with it: to eliminate the registration taxes and the fees for data transfer to other countries, and to allow the electronic registration of data controllers.

c. CCTV

Many public and private institutions install CCTV systems as a "perfect way" to increase the security of their activities, and the regulation of these systems seems to be non-existent, as the cameras appear everywhere overnight, without any kind of notification to the DPA. The authority has presented a draft decision on its website to limit CCTV usage and better explain the rights and obligations, but since 2006 this has been just a project.

d. Illegal wiretapping

One of the first court decisions in the matter of illegal wiretapping is also worth mentioning. The decision taken in May 2007 by the Bucharest Tribunal was published only in July and, as far as we know for the first time in Romanian history, the court declared that the wiretapping carried out by the Romanian Secret Service was illegal and awarded moral damages of 50 000 RON (approx. 14 000 Euros) for privacy infringement. The court, citing the European Court of Human Rights cases of Rotaru vs.
Romania and Klass vs. Germany, notes that in this specific case there was "no subsequent control of the wiretapping basis by an independent and impartial authority."

Romanian Data Protection Authority
http://www.dataprotection.ro

Romanian Secret Service illegal wiretapping (only in Romanian, 11.07.2007)
http://legi-internet.ro/blogs/index.php?title=sri_ul_asculta_ilegal_telefoan...

Draft Romanian DPA decision on CCTV (only in Romanian)
http://www.dataprotection.ro/images/PDF/decizie_videosupraveghere.pdf

EDRi-gram: Romanian Prosecutors want easy access to communication data (31.01.2007)
http://www.edri.org/edrigram/number5.2/romania-diicot

EDRi-gram: First draft on data retention law in Romania (9.05.2007)
http://www.edri.org/edrigram/number5.9/data-retention-romania

(contribution by Bogdan Manolea - EDRi-member APTI Romania)

============================================================
12. Key privacy concerns in Netherlands 2007
============================================================

The nominees and winners of the Dutch Big Brother Awards 2007 showed it clearly: a proper level of data protection in The Netherlands cannot be taken for granted. A number of big projects and ongoing legislative efforts threaten the state of data protection in the Netherlands. The government shows no signs of taking critics seriously. The disinterest of the public and the ease with which a majority of Dutch citizens are willing to hand over their privacy for a promise of security led the jury of the Big Brother Awards to declare the Dutch citizen the winner. Other winners were the plans for an Electronic Child Dossier, the National Railways for the RFID transit card system and De Nederlandsche Bank for its reaction to the SWIFT scandal.

The Electronic Child Dossier is exemplary of data protection in the Netherlands. The Child Dossier aims to improve child care by building an extensive digital dossier of each young individual.
Apart from reasonable doubt that the project will result in significant improvements in child care, the dossier seriously infringes the privacy of children, their parents and young adults as well. The file will be updated for every child until they reach the age of nineteen, after which it will be kept for another 15 years. The dataset is very broadly defined and will contain a wide variety of medical and psychosocial data, including all sorts of subjective opinions about children and their parents. Access restrictions are already insufficient and there is ongoing pressure to relax them.

The RFID Transit card is another project that is problematic from the perspective of data protection. Very recently, the Dutch Data Protection Authority concluded that the current design of the system does not respect data protection legislation. The system would entail the lengthy storage of all travel movements in identifiable form. The system, which is being tested in a number of Dutch cities, has other serious flaws that make its future uncertain. Some critical parts of it have recently been hacked, creating a serious political issue.

On the legislative front, the implementation of the data retention directive is presently being debated in the Dutch Parliament. Although in early 2006 a majority of the Parliament seemed to agree that retention periods in the Netherlands would be limited, the government has now opted for the almost maximum retention term of 18 months for both phone and internet records.

The Parliament is also passing legislation that gives the Dutch Intelligence and Security Agency (AIVD) the power to claim complete data files from the private and public sector. The new powers are specifically directed at the transit, the electronic communications and the financial sector, but others could also be targeted.
The legislation will allow the agency to profit maximally from the increased storage of personal data in these sectors, resulting from data retention legislation and the RFID public transport system discussed above.

A recent report, "Data voor Daadkracht", on personal data processing in the law enforcement and security sector contained some serious criticism with regard to the ongoing erosion of data protection in this sector. It critically examined current data collection by law enforcement and security agencies and warned the government that an administration that is increasingly reproached for risking losing sight of the value of privacy has reason to worry. The government reacted by rejecting the main conclusions of the report and installing a new commission which will take another look at "security and the personal sphere". More specifically, the government wants the commission to consider that "law enforcement officials and social workers sometimes feel restricted by norms and practices protecting privacy, personal data in particular. Therefore, the commission will analyse how possible obstacles can be removed that law enforcement officials and care takers experience in their work."

Finally, of special interest for data protection in the digital age are the Dutch Data Protection Authority's guidelines for publications of personal data on the Web. The guidelines address a variety of issues, ranging from the question of the responsibility of intermediaries, the status of IP addresses and the special care expected from online services to children, to the exception for the media. The guidelines have been translated into English.
Winner Dutch Big Brother Awards 2007: 'You' (26.09.2007)
http://www.bigbrotherawards.nl/index_uk.html

Dutch RFID Transit Card Hacked (21.01.2008)
http://www.schneier.com/blog/archives/2008/01/dutch_rfid_tran.html

Commission Security and Personal Sphere installed (in Dutch only, 17.01.2008)
http://www.justitie.nl/actueel/persberichten/archief-2008/80117commissie-vei...

Privacy legislation also applies on the Internet - Guidelines finalised on the publication of personal data on the Internet (11.12.2007)
http://www.dutchdpa.nl/documenten/en_pb_2007_privacy_legislation_internet.sh...

(Contribution by Joris van Hoboken - EDRi-member Bits of Freedom - Netherlands)

============================================================
13. Main data protection concerns with the EU policy developments in 2007
============================================================

The Lisbon Treaty was signed in December 2007. Notwithstanding the many criticisms raised by this Treaty, the text, when ratified by all member States, will bring two major improvements to the EU and its citizens. First, the Charter of Fundamental Rights of the European Union will become part of the Community acquis, including its articles 7 (Respect for private and family life) and 8 (Protection of personal data). Secondly, the Treaty will allow the accession of the EU to the European Convention on Human Rights and, hence, will give EU citizens the possibility of being protected against abuses of their human rights by EU institutions. This improvement would be very welcome, especially - though not exclusively - considering the current inadequacy of data protection under the third pillar (justice and home affairs).

But 2007 has also brought its share of concerns regarding privacy and personal data protection developments at the EU level.
Besides the SWIFT scandal allowing the USA access to European financial transactions, the case of the Google-Doubleclick merger currently under investigation by the European Commission (although mainly regarding competition issues), the continuous concerns related to data retention by search engines, most notably Google, even though the company announced a slight reduction of the data retention duration, and the development of RFID chips, the main concerns with European Union policy in 2007 are related to PNR data, biometric and genetic data sharing and the still inadequate level of data protection under the third pillar.

"All governments have the duty to protect their citizens from the terrorist threat, but the response should be lawful, intelligent and effective", the Secretary General of the Council of Europe stated, on the occasion of the Data Protection Day. "I am concerned that some of the recent arrangements for data exchange, which were introduced at the insistence of the US Government, fail to meet these criteria", he opportunely added.

a. Passengers name records (PNR)

In June 2007, a final agreement was reached between the EU and the USA on European PNR (Passengers Name Records) data, 4 years after the USA and the EC - illegally - agreed to give US customs officials direct access to the personal data of passengers flying to, from and through the United States. It took a lot of protest campaigns, like the one initiated by EDRI in May 2003, fierce criticism from the European Parliament and the Article 29 Group, and an annulment by the European Court of Justice, to finally get to this point.

The agreement reduced the dataset from 34 to 19 pieces including name, contact information, payment details, travel agency, itinerary and baggage information, but excluding sensitive data such as ethnicity. The data may be kept for a total period of 15 years.
It was claimed that for the first time, EU citizens will also be covered by the US Privacy Act, which means they can enforce their rights in US courts. However, only 3 months after this agreement, the US government announced some changes in its Privacy Act that exempt DHS (Department of Homeland Security) and ATS (Automated Targeting System) from responding to requests for the personal information they hold. The agreement received harsh criticism from the EU Parliament, the Article 29 Working Group, and the European data protection supervisor (EDPS).

Later in the year, the EU announced its project of creating its own European PNR system. The plan, put forward in November by the EC, is similar to the EU-US agreement. The EU will have to collect 19 pieces of personal data on air passengers coming into and leaving the EU space, including phone number, e-mail address, travel agent, full itinerary, billing data and baggage information. The information will be collected in analysis units that will make a "risk assessment" of the traveller, which could lead to questioning or even refusal of entry. The data is to be kept for five years and then another eight years in a "dormant" database. This plan has already been criticized by the Parliament, the Article 29 Group and the EDPS, but will certainly see major developments in 2008. Some member States have already adopted such measures at national level.

b. Biometric and genetic data sharing

The European Visa Information System (VIS) will probably be the biggest biometric database in the world. VIS will store data on up to 70 million people concerning visas for visits to or transit through the Schengen area. This data will include biometrics (photographs and fingerprints) and written information such as the name, address and occupation of the applicant, date and place of the application, and any decision taken by the Member State responsible to issue, refuse, annul, revoke or extend the visa.
Citizens of more than 100 countries need a visa to enter the EU. The latest discussions, at the end of 2007, only debated issues related to the maximum age at which children should be exempted from having their 10 fingerprints taken: the Parliament says 12, the Council wants 5.

But the EU also wants to store and share biometric data of EU citizens and residents, beyond the data to be gathered through biometric passports and ID cards. In June 2007, it was agreed that the Prüm Treaty, originally signed by 7 EU countries in May 2005, will be included in EU legislation with very few modifications. The decision creates the largest pan-European network of police databases, sharing DNA profiles, fingerprints and other personal and non-personal data. The agreement has not taken into account the advice from the EDPS, who published in December 2007 an opinion on the implementation of this agreement.

c. Inadequate data protection under third pillar

As the data processed and shared by police and judicial authorities increase, the need for adequate personal data protection rules under the third pillar becomes more and more urgent. A draft Council Framework Decision on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters was proposed by the EC in October 2005, but is still pending, despite the numerous EDPS opinions in this regard. According to the EDPS, the current draft of December 2007 provides only minimal harmonization and guarantees, and would only be applicable to personal data exchanged with other Member States and not to domestic data processing.
EDRI page on biometrics http://www.edri.org/issues/technology/biometrics EDRI page on PNR http://www.edri.org/issues/privacy/pnr EDRI page on privacy http://www.edri.org/issues/privacy EDPS Opinions http://www.edps.europa.eu/EDPSWEB/edps/lang/en/pid/25 Article 29 Working Group http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/index_en.htm (Contribution by Meryem Marzouki, EDRI member IRIS - France) ============================================================ 14. Agenda ============================================================ 11 February 2008, Aachen, Germany PET Convention 2008.1 - informal workshop on Privacy Enhancing Techniques http://www.pet-con.org/index.php/PET_Convention_2008.1 12 February 2008, Brussels, Belgium European ICT standardisation policy at a crossroad: A new direction for global success http://ec.europa.eu/enterprise/ict/policy/standards/cf2008_en.htm 14 February 2008, Brussels, Belgium eIdentity workshop http://www.epractice.eu/workshop/eidentity 23-24 February 2008, Brussels, Belgium Research Room @ FOSDEM: Libre software communities meet research community - Introducing Research Friendly http://libresoft.es/Activities/Research_activities/fosdem2008 10-12 March 2008, Geneva, Switzerland WIPO Standing Committee on Copyright and Related Rights: Sixteenth Session http://www.wipo.int/meetings/en/details.jsp?meeting_id=14502 15 March 2008, London, UK OKCon 2008 - Open Knowledge: Applications, Tools and Services http://www.okfn.org/okcon/ 2-4 April 2008, Berlin, Germany re:publica - The Critical Mass http://www.re-publica.de 28-29 April 2008, Vienna, Austria PRISE Final Conference - Towards privacy enhancing security technologies - the next steps Call for papers until 1 February 2008 http://www.prise.oeaw.ac.at/conference.htm 15-17 May 2008, Ljubljana, Slovenia EURAM Conference 2008 - Track "Creating Value Through Digital Commons" How collective management of IPRs, open innovation models, and digital communities shape the industrial 
dynamics in the XXI century. http://www.euram2008.org 30-31 May 2008, Bucharest, Romania eLiberatica 2008 - The benefits of Open and Free Technologies http://www.eliberatica.ro/2008/ 17-18 June 2008, Seoul, Korea The Future of the Internet Economy - OECD Ministerial Meeting http://www.oecd.org/FutureInternet 23-25 July 2008, Leuven, Belgium The 8th Privacy Enhancing Technologies Symposium (PETS 2008) http://petsymposium.org/2008/ ============================================================ 15. About ============================================================ EDRI-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRI has 28 members based or with offices in 17 different countries in Europe. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRI-grams. All contributions, suggestions for content, corrections or agenda-tips are most welcome. Errors are corrected as soon as possible and visibly on the EDRI website. Except where otherwise noted, this newsletter is licensed under the Creative Commons Attribution 2.0 License. See the full text at http://creativecommons.org/licenses/by/2.0/ Newsletter editor: Bogdan Manolea <edrigram@edri.org> Information about EDRI and its members: http://www.edri.org/ European Digital Rights needs your help in upholding digital rights in the EU. If you wish to help us promote digital rights, please consider making a private donation. http://www.edri.org/about/sponsoring - EDRI-gram subscription information subscribe by e-mail To: edri-news-request@edri.org Subject: subscribe You will receive an automated e-mail asking to confirm your request. unsubscribe by e-mail To: edri-news-request@edri.org Subject: unsubscribe - EDRI-gram in Macedonian EDRI-gram is also available partly in Macedonian, with delay. 
Translations are provided by Metamorphosis http://www.metamorphosis.org.mk/edrigram-mk.php - EDRI-gram in German EDRI-gram is also available in German, with delay. Translations are provided by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for Internet Users http://www.unwatched.org/ - Newsletter archive Back issues are available at: http://www.edri.org/edrigram - Help Please ask <edrigram@edri.org> if you have any problems with subscribing or unsubscribing ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE