EDRi-gram newsletter - Number 9.24, 14 December 2011
============================================================

EDRi-gram

biweekly newsletter about digital civil rights in Europe

Number 9.24, 14 December 2011

============================================================
Contents
============================================================

Support EDRi!

1. Council of Europe and European Commission initiatives on Internet freedom
2. Brief overview of the leaked EU Data Protection Regulation
3. Russian Government's new attempts to censor the Internet
4. European Parliament: raising awareness on "self"-regulation
5. Austria: Petition against Data Retention Directive
6. German web blocking law repealed
7. A fair Internet for all?
8. Transatlantic data privacy in debate at Privacy Conference
9. UK: Medical records in the open data programme?
10. Recommended Action
11. Recommended Reading
12. Agenda
13. About

============================================================
Support EDRi!
============================================================

Increasingly, your digital freedom is under threat. And unfortunately, mostly as a result of European rules. Europe agreed to transfer your travel data wholesale to the US. Europe obliged your telephone provider to store your location, sometimes for up to two years. And Europe is considering blocking websites and domain names. The list goes on. This needs to stop.

European Digital Rights (EDRi) defends your digital freedom in Europe and needs your help. With a continuous stream of proposals that risk eroding digital civil rights in Europe, your donation could make a huge difference. The main goal at the moment is to keep funding the Brussels office. This would allow us to continue to fight on all fronts mentioned below.

If you didn't know yet, EDRi is a European non-governmental digital rights organisation. We defend rights such as the freedom of expression, privacy, data protection and access to knowledge. EDRi was founded in 2002 by 10 organisations from 7 European countries.
Since then, EDRi membership has grown consistently. Currently, EDRi represents 28 organisations from 18 countries in Europe. To find out more about our activities, you can read our Annual Reports 2009 and 2010 or continue reading EDRi-gram to be updated on a regular basis.

If you wish to help EDRi promote privacy and fundamental rights by supporting our specialised office in Brussels, you may donate now to:

European Digital Rights Aisbl
Bank account nr.: 733-0215021-02
IBAN: BE32 7330 2150 2102
BIC: KREDBEBB

Beyond donations, you can always support EDRi!

Read and Share our Annual reports
http://www.edri.org/files/EDRi-yearly-reports-2009-2010.pdf

Flattr Us!
http://flattr.com/thing/417077/edri-on-Flattr

Promote the subscription to EDRi-gram, our free bi-weekly newsletter on digital civil rights in Europe
http://www.edri.org/edrigram/subscribe

Add a link or image to your website. Here are some images you might use:
http://edri.org/images/EDRi-animated-gif.gif
http://edri.org/images/EDRi_donate-300_250.png
http://edri.org/images/edri_Rebuilding.jpg

Volunteer! If you have some time and effort to spare we are always looking for volunteers to help us in our work. Let us know what you're good at and how you may help and we'll find a way to collaborate together.
http://www.edri.org/about/contact

Follow us on Twitter!
http://twitter.com/#!/edri_org

Check out EDRi on YouTube and Vimeo
http://www.youtube.com/user/EDRiorg
http://vimeo.com/edri

This is the last issue of EDRi-gram for this year, so we would like to thank our loyal readers for their time, hints and feedback!! Stay tuned for the next EDRi-gram, which will be published on 18 January 2012.

============================================================
1. Council of Europe and European Commission initiatives on Internet freedom
============================================================

On 8 December, the Council of Europe launched a very important Declaration on "the protection of freedom of expression and freedom of assembly and association with regard to privately operated Internet platforms and online service providers." The text picks up many of the themes and priorities of EDRi's study, published in January of this year, on the "Slide from Self-Regulation to Corporate Censorship".

The text explains that "although privately operated, they are a significant part of the public sphere through facilitating debate on issues of public interest; in some cases, they can fulfil, similar to traditional media, the role of a social "watchdog" and have demonstrated their usefulness in bringing positive real-life change".

In the context of the positive obligations of states party to the Convention on Human Rights to defend the rights in that instrument, the Declaration explains that "direct or indirect political influence or pressure on new media actors may lead to interference with the exercise of freedom of expression, access to information and transparency, not only at a national level but, given their global reach, also in a broader international context."

The resolution explains that "the companies concerned are not immune to undue interference; their decisions sometimes stem from direct political pressure or from politically motivated economic compulsion, invoking justification on the basis of compliance with their terms of service".
The text concludes by alerting "member States to the gravity of violations of Articles 10 and 11 of the European Convention on Human Rights which might result from politically motivated pressure exerted on privately operated Internet platforms and online service providers, and of other attacks against websites of independent media, human rights defenders, dissidents, whistleblowers and new media actors."

Four days after the Council of Europe Ministerial Declaration was launched, European Commissioner Vice President Neelie Kroes launched a "no disconnect strategy" to "uphold the EU's commitment to ensure human rights and fundamental freedoms are respected both online and off-line, and that internet and other information and communication technology (ICT) can remain a driver of political freedom, democratic development and economic growth."

The ambition of the announcement is quite limited in the first instance - only addressing breaches of freedom of communication where "Europe perceives that a vibrant and open Internet is not the norm or where grave human rights abuses take place." While this lack of ambition is likely to come in for a degree of criticism, it is nonetheless a step forward and should be recognized and applauded as such.

One reason for the lack of ambition is the large range of restrictive measures imposed by European countries in generally unsuccessful attempts to enforce copyright. Currently, these include policies such as Internet blocking, abuses of personal data and legal coercion of unconvicted citizens.

As if to underline the self-consciously contradictory nature of the EU's policies in this area, Commissioner Kroes asked the unrepentant German (alleged) plagiarist Mr Karl-Theodor zu Guttenberg (originally described as representing US pressure group CSIS.org, which is not on the EU transparency register) to work on the project with her.
Mr zu Guttenberg is best known for being shown to have copied his PhD thesis and, as a result, having to resign from his former post as German Defence Minister. He is also infamous for, together with his wife, launching a proposal for mandatory web blocking in Germany.

Commissioner Kroes' obviously refined sense of irony failed to impress a large number of online commentators, with a flurry of criticism appearing on social media and on the Commissioner's blog.

Commissioner Kroes' response to criticism (13.12.2011)
http://blogs.ec.europa.eu/neelie-kroes/no-disconnect-response-issue/

EDRi study - "Slide from Self-Regulation to Corporate Censorship" (24.01.2011)
http://www.edri.org/files/EDRI_selfreg_final_20110124.pdf

Council of Europe Committee of Ministers Declaration on the protection of freedom of expression and freedom of assembly and association with regard to privately operated Internet platforms and online service providers (7.12.2011)
https://wcd.coe.int/ViewDoc.jsp?Ref=Decl%2807.12.2011%29&Language=lanEnglish&Ver=original&BackColorInternet=C3C3C3&BackColorIntranet=EDB021&BackColorLogged=F5D383

European Commission press release - Digital Agenda: Karl-Theodor zu Guttenberg invited by Kroes to promote internet freedom globally (12.12.2011)
http://europa.eu/rapid/pressReleasesAction.do?reference=IP/11/1525&format=HTML&aged=0&language=EN&guiLanguage=en

Mr zu Guttenberg's PhD scandal (1.03.2011)
http://www.guardian.co.uk/world/2011/mar/01/german-defence-minister-resigns-...

Mrs zu Guttenberg's child protection activities (19.10.2011)
http://www.guardian.co.uk/world/2010/oct/19/paedophile-entrapment-tv-show-ge...

Legal coercion of EU citizens for copyright enforcement
http://en.wikipedia.org/wiki/ACS:Law

(Contribution by Joe McNamee - EDRi)

============================================================
2. Brief overview of the leaked EU Data Protection Regulation
============================================================

Last week, Europe was able to get a first glance at the "General Data Protection Regulation" thanks to a leak by Statewatch. It is due to be officially published on 25 January 2012 and will repeal the outdated Data Protection Directive from 1995. It keeps the Directive's key principles but also aims at taking into account the technological developments. It aims at greater harmonisation and more "coherent" rules: "Differences in the level of protection of the rights and freedoms of individuals may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law."

The draft regulation introduces new rights and new definitions. Sensitive data are now redefined to cover genetic and biometric data. The definition of a data subject is mildly extended to a person who can be identified directly or indirectly by the controller or "any natural or legal person". New rights include clearer rights on data portability. It also introduces mandatory reporting of data breaches as well as new competences and powers for supervisory authorities in terms of independence and capacity. Moreover, the regulation (article 63) establishes a European Data Protection Board which is going to replace the existing Article 29 Working Party.

Article 2 of the Regulation defines the scope and states that it also "applies to the processing of personal data of data subjects residing in the Union not carried out in the context of the activities of an establishment of a controller in the Union, where the processing activities are directed to such data subjects, or serve to monitor the behaviour of such data subjects."
It will thus apply to businesses that have entities in Europe, use equipment in the EU to process data or have data processing activities that are directed to EU data subjects or serve to monitor their behaviour.

Users can still make requests to access their data and ask for erasure. This "right to be forgotten" (Art. 15) is basically a re-packaging of the already existing right to deletion after the purpose has been fulfilled (Art. 12 of Directive 95/46/EC). The current draft proposal goes further than the 1995 Directive, proposing the right to erasure if the data are no longer necessary or if the data subject withdraws his/her consent, including the right to erasure of any public Internet link to, copy or replication of personal data relating to the data subject in any public communication service. This especially applies "in relation to personal data which are made available by the data subject while he or she was a child".

It has already been argued that the article on the right to be forgotten was not particularly well drafted and could therefore have serious and obviously unintended implications for freedom of speech. Even though one of the aims of this article is to counter the loss of purpose limitations in social media, it must be carefully drafted to avoid its potential misuse as a tool for censorship. It has also been criticised because data controllers, for instance blogs or other independent media, that do not comply with the 'right to be forgotten' could be fined between 500 and 600 000 Euros.

One of the elements of the draft regulation that can be applauded is represented by articles 37 and 42, which regulate data processing by third countries. Data can be transferred to a third country only if certain criteria are met to ensure the level of protection of individuals for the protection of personal data.
Article 42 addresses extra-territorial actions by third countries such as the USA Patriot Act and the USA Foreign Intelligence Surveillance Act and imposes barriers for foreign judicial authorities to access European data. This article is particularly interesting with regard to the US requests for European data such as the request for Twitter account details of European citizens that might be related to WikiLeaks.

Proposal for a Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)
http://www.statewatch.org/news/2011/dec/eu-com-draft-dp-reg-inter-service-co...

9 Reasons Why a 'Right to be Forgotten' is Really Wrong (8.12.2011)
http://www.jorisvanhoboken.nl/?m=201112

A quick review of the draft EU Data Protection Regulation - Privacy International (8.12.2011)
https://www.privacyinternational.org/article/quick-review-draft-eu-data-prot...

(Contribution by Kirsten Fiedler - EDRi)

============================================================
3. Russian Government's new attempts to censor the Internet
============================================================

Especially during the period before and immediately after the Russian parliamentary elections of 4 December 2011, government censorship attacked not only traditional media, but also the Internet, which now plays a very important role in the political debate in Russia with more than 51 million users.

An order from the Federal Security Service (FSB) asked social network Vkontakte, with more than 5 million Russian users, to block the websites of seven groups calling for demonstrations during the election days. As the network refused to obey, Pavel Durov, its founder and director general, was summoned to the Saint Petersburg prosecutor's office.

"This unreasonable order aims to deprive Internet users of the freedom of expression, opinion and assembly.
The authorities are using prevention of violence as a pretext for reinforcing control of the Internet," Reporters Without Borders said.

The Ria Novosti news agency was also allegedly ordered to clear its website of any foreign news reports critical of Putin. Grigory Okhotin, who recently resigned from Inosmi, a Ria Novosti offshoot translating foreign media articles into Russian and posting them on its website, stated on 26 November that he had received an internal email from the head of the Internet department asking all employees "not to post any article hostile to Putin and United Russia on the site" during the week prior to the elections.

Also, reporters, photographers and bloggers who are critical of the government were arrested either in the days prior to the elections or while peacefully protesting in Moscow against the results of the parliamentary elections and the irregularities that accompanied the polling.

Even regional forums were targeted. On 15 November, the police went to the web-hosting company Agava Hosting and seized the server of Kostroma Jedis, the region's most popular forum with 12 000 daily visitors, for having posted two satirical videos criticizing governor Igor Slyunyayev.

Besides these attempts to stop protests directly, the Government also used cyber attacks against blogs and Twitter accounts which have been flooded with pro-government messages. Furthermore, several websites that are critical of the government were blocked by Distributed Denial of Service attacks before and during the elections. For instance, LiveJournal, a blog platform hosting many anti-government blogs, was made inaccessible for three days starting with 1 December.

Russia is classified as a "country under surveillance" in the latest Reporters Without Borders press freedom index, and is part of the "Enemies of the Internet" list in its latest report.
Vkontakte social network targeted by security services (9.12.2011)
http://en.rsf.org/russia-journalists-and-bloggers-arrested-06-12-2011,41519....

Political debate disrupted by cyber-attacks and arrests (5.12.2011)
http://en.rsf.org/russie-government-tightens-control-of-all-01-12-2011,41489...

Russia: Election Day DDoS-alypse (5.12.2011)
http://globalvoicesonline.org/2011/12/05/russia-election-day-ddos-alypse/

Russia: The Revolt of "Net Hamsters" (5.12.2011)
http://globalvoicesonline.org/2011/12/05/russia-the-revolt-of-net-hamsters/

============================================================
4. European Parliament: raising awareness on "self"-regulation
============================================================

What better way to raise awareness on private policing on the Internet than to organise a workshop in the European Parliament and let the stakeholders answer the question: "Self-regulation: Should online companies police the internet?" On 7 December 2011 MEP Marietje Schaake organized, with support from EDRi, an event on this issue. Among the speakers were representatives from the European Commission, the content and internet industries and civil society.

Representatives from the European Commission constituted the first panel. Werner Stengg, from Directorate General Internal Market and Services, Head of Unit Online Services, said, with regard to the E-commerce Directive, there was no need for revision but a need for clarification on the "Notice and Takedown" (now significantly broadened to "Notice and Action" - which would cover any action by any intermediary rather than just hosting and mere conduit providers).
However, three major, partially contradictory, issues were raised in the consultation that need to be further discussed: 1) takedowns are slow or not happening; 2) fragmentation of the rules; 3) there are civil rights at stake (particularly due to incentives to take down content leading to excessive takedowns; no fair appeal procedure; lack of transparency).

On 11 January 2012, there will be a communication on the E-commerce Directive. He agreed that the important issue was the liability regime; however, he had no idea of the outcome of his ongoing work on "Notice and Action". He said that the Commission did not reject the idea of "Notice and Notice". They are going to take every solution proposed into account and analyse the pros and cons, before making any decision. Detailed analysis on this point will not be in the Communication but will follow in the second half of 2012.

Nicole Dewandre, special advisor to the Director General for Directorate General Information Society, talked about the Corporate Social Responsibility (CSR) communication, which puts into place 2 actions: firstly, a multistakeholder approach to Corporate Social Responsibility and secondly, the improvement of self- and co-regulation processes. The DG focuses on the Internet and the digital transition.

In the first round of questions, the audience raised the question of how the right to fair trial/due process is going to be guaranteed, especially as there are already examples of monitoring uploaded content operated via the content ID platform. The 2003 inter-institutional agreement between the Commission, Council and Parliament, which excludes self-regulation in cases where fundamental rights are involved, was also evoked. However, no conclusive response was given by DG InfSo on that concern. Finally, the issue of how the concept of "do not track" would be implemented was raised, due to doubts of some participants that this was working as a self-regulation initiative.
Wouldn't more regulation be a better solution than self-regulation?

In the second panel, Chris Ancliff, General Counsel of Warner Music Group, and member of the board of directors of IFPI (International Federation of Phonographic Industry) stated that ISPs help illegal content and businesses to flourish. According to him, ISPs, search engines, credit card companies and advertisers have their role to play in the enforcement of copyright law. In his mind, asking ISPs to block access was not unreasonable. He also said that ISPs have much to gain in the process and that the only losers would be the pirates.

Joe McNamee of EDRi briefly described ten of the main misunderstandings that led to self-regulation proposed by some policy-makers and industry representatives. For example, he underlined that "self"-regulation is not an isolated issue, that ISPs were not the right entities to enforce criminal sanctions and that it often had unintended negative consequences on copyright.

Chris Smith, representing composers and songwriters, focused on the question of "who feeds the artist?" He also said that the ISPs must take responsibility for the environment they created and are benefitting from.

According to the President of EuroISPA, Malcolm Hutty, Internet intermediaries find themselves in the middle of an argument with EDRi on one side and IFPI on the other. The issue however is far broader than copyright since many different parties are interested in having ISPs police the internet. ISPs face an important problem: how to deal with potentially illegal content without causing harm to other interests? Transparency on network management and removed material is important, but are ISPs the competent and adequate bodies to deal with illegal/potentially illegal content?
Since blocking measures must be regulated, transparent and proportionate, adequate safeguards must be put into place and he welcomed the Directive on sexual exploitation of children on this point (which rejected mandatory EU-wide blocking). Safeguards in that Directive mean new rights granted to the citizens. Technical measures are sometimes not possible and have consequences on reliability and effectiveness.

Jermyn Brooks gave a brief introduction to the Global Network Initiative (GNI) which was created as a multi-stakeholder initiative in order to provide maximum transparency for users and set global standards for industry in a self-regulatory model. In his opinion, self-regulation would be a good solution to keep up with a quickly changing environment. However it should not replace due process. GNI is looking for the right balance between the principles of freedom of expression and privacy and security.

Marietje Schaake underlined the fact that there was a hierarchy between fundamental rights. She asked if the cost of enforcement was not disproportionate to the benefits.

To perfectly end the workshop, Malcolm Hutty stressed the necessity of applying the rule of law to the online environment.

"Self"-regulation: Should online companies police the internet?
http://selfregulation.tumblr.com/post/13295080515/self-regulation-should-onl...

Joe McNamee's speech (7.12.2011)
http://www.edri.org/files/presentation_7_Dec_2011.pdf

Video of the event - summary (14.12.2011)
https://www.youtube.com/watch?v=t9LR31m2yTA

(Contribution by Marie Humeau - EDRi)

============================================================
5. Austria: Petition against Data Retention Directive
============================================================

Today, 14 December 2011, the Austrian Arbeitskreis Vorratsdaten (Working Group against Data Retention Austria - AKVorrat.at) handed over a petition to the Austrian Parliament, asking for the government to be obliged to engage against the Data Retention Directive at the EU level and to evaluate the whole set of existing anti-terror legislation.

Six years after the Data Retention Directive passed the European Parliament, but only a few months after it was transposed into the national law, the activists of AKVorrat presented the petition together with 4.471 signatures to the vice-director of the Austrian Parliament, Susanne Janistyn.

The Austrian Parliament has only recently introduced the possibility to sign petitions online on its website, after they have been successfully submitted on paper. Therefore, today's event in the Parliament only marks a mid-term goal for AKVorrat. Starting from Monday next week, a broad online campaign will be launched to reach the goal of 10 000 signatures online. Austrian citizens starting from the age of 16 are entitled to sign petitions on the Parliament's website.

While data retention is the most prominent issue of the campaign, the petition also targets the countless number of laws implemented with the argument of fighting terrorism. Therefore, the Austrian Parliament is asked to evaluate all of these laws and to abolish them, if they are found not to be proportionate or necessary in a democratic society.

Only in April this year the Data Retention Directive was transposed into the national Austrian law, which will come into force on 1 April 2012. From this date on, Austrian citizens will have the opportunity to file complaints against this law with the Constitutional Court of Austria. AKVorrat is committed to using this opportunity extensively.
The Austrian Working Group to abolish the EU data retention directive visits the vice-director of the Parliament Susanne Janistyn (14.12.2011)
https://www.vibe.at/node/52

Online-Campaign "Stoppt die Vorratsdatenspeicherung!" (only in German)
http://www.zeichnemit.at/

Arbeitskreis Vorratsdaten Österreich (AKVorrat.at) (only in German)
http://www.akvorrat.at

EDRi-gram 9.9: Data Retention has arrived in Austria (4.05.2011)
http://www.edri.org/edrigram/number9.9/austrian-data-retention-law

(Contribution by Andreas Krisch - EDRi-member VIBE!AT - Austria)

============================================================
6. German web blocking law repealed
============================================================

After more than two years of discussions and opposition, on 1 December 2011, the German Parliament finally took the decision to drop the Access Impediment Act, the law that proposed blocking access to websites deemed to have child pornographic content.

The decision was already considered by the German Government in April 2011 after the law had proven inefficient for its initial purpose of fighting child pornography and after being largely opposed by freedom activists. An online petition to have the law overturned was signed by 130 000 people.

The decision to have such sites blocked was "ineffective, counterproductive and represented the beginning of internet censorship," said EDRi-member Chaos Computer Club.

The law was asking ISPs to ban a list of websites compiled and considered as "dubious" by the Federal Criminal Police Office. As in other cases, the blocking measures proved to be easy to circumvent and therefore inefficient. "Internet blockings are pointless. I need around five minutes to reconfigure my browser if I want to view that material," said programmer and Pirate Party member Stephan Urbach.

According to many experts, the only efficient method is deleting content. "For years, the Internet industry has been working on the continued improvement of successful deletion. This includes securing any evidence to the end of criminal prosecution as well as international cooperation. Now, it only takes us a few days to take illegal content off the net," stated Oliver Süme, Vice-President of German Internet Industry Association.

According to Justice Minister Leutheusser-Schnarrenberger, the German decision to abolish the Access Impediment Act will influence the decisions taken at the European level.

The next steps now lie with the Federal Council, which needs to accept the law, and the President, who needs to sign it, before it is published in the German Federal Law Gazette.

Bundestag looks to delete child pornography websites (2.12.2011)
http://www.dw-world.de/dw/article/0,,15575254,00.html

Access Impediment Act repealed (only in German, 1.12.2011)
http://mogis-verein.de/2011/12/01/zugangserschwerungsgesetz-aufgehoben/

Access Impediment Act repealed (only in German, 1.12.2011)
http://www.internet-law.de/2011/12/zugangserschwerungsgesetz-aufgehoben.html

EDRi-gram: German Internet blocking law to be withdrawn (6.04.2011)
http://www.edri.org/edrigram/number9.7/germany-internet-blocking-law

============================================================
7. A fair Internet for all?
============================================================

On 1 December 2011, the European Parliament's European People's Party (EPP) group presented their strategy paper "A fair Internet for all - Strengthening Our Citizens' Rights and Securing a Fair Business Environment in the Internet". In this webstreamed hearing, the MEPs discussed the main issues of the paper such as net and "search" neutrality, social networks, online behavioural advertising, anonymity of users, cloud computing and intellectual property rights.
This was followed by an exchange of views with Google, Facebook and Microsoft and the German Federal data protection commission - who are, ostensibly, "the" stakeholders in European Internet regulation. Unfortunately, the EPP did not invite any civil society representatives.

The strategy paper acknowledges that the Internet has created a new world of possibilities and is an essential tool for communication, innovation, and economic growth. It contains many positive elements such as a very strong chapter on Net neutrality. The EPP group recognises that a neutral and open free Internet represents a guiding principle which must be preserved as a policy objective. The group therefore urges the Commission to adopt further measures to guarantee Net neutrality.

Furthermore, the text defends privacy by design, strong data protection rules in general and the need for better harmonisation in order to avoid forum shopping. European standards should be applied by companies where data is collected within the EU and transferred to third countries.

While being a solid document overall, there is also some lack of coherence on certain points. In section 3.a of its strategy paper, the EPP suggests further exploring a "modification of the liability regime for intermediaries". However, the EPP (and the European Parliament as a whole) has already given its consent to the Free Trade Agreement with South Korea in 2010, which basically copies the articles on intermediary liability of the E-Commerce Directive into the Agreement and binds the European Union with regard to the intermediary liability regime. Furthermore, this proposal contradicts the EPP's principled position on net neutrality, which strongly speaks in favour of the defence of the neutral role of Internet intermediaries.
The EPP also adopts a very good position on profiling, stating that such practices should be prohibited, but unfortunately has also given its consent to agreements that allow profiling and data mining, such as the passenger name record (PNR) agreements with third countries, such as Australia.

Hidden in its very last section on quality journalism online, the EPP's paper introduces ancillary copyright provisions. It should be noted that in September 2011, the German government announced that it was in the process of preparing a draft legislative proposal for ancillary copyright provisions. This push for ancillary copyright provisions on a European level has already been demanded by German chancellor Angela Merkel.

However, ancillary copyright provisions have already been harshly criticised by civil rights groups, such as the initiative IGEL, stating that such provisions would limit the freedom of communication. The introduction of new copyright provisions seems indeed unnecessary since publishers are already protected by copyright provisions and usually get extensive rights from journalists through contracts or general terms and conditions.

Overall, the EPP's strategy paper contains many good points and its adoption should help facilitate discussions on the contradictions between principles and practice that it has brought to light.

EPP Strategy Paper "Fair, Open and Secure Internet" (1.12.2011)
http://eppgroup.mobi/press/peve11/docs/111201wg-internet-strategy-paper_enII...

Video - EPP presents its strategy paper (1.12.2011)
http://www.dailymotion.com/video/xmo39f_a-fair-internet-for-all-epp-group-pr...

Initiative IGEL against ancillary copyright provisions (only in German)
http://leistungsschutzrecht.info/unterstuetzer

(Contribution by Kirsten Fiedler - EDRi)

============================================================
8. Transatlantic data privacy in debate at Privacy Conference
============================================================

The 2nd edition of the Annual European Data Protection and Privacy Conference took place on 6 December 2011, mostly featuring speakers pulled from its corporate sponsors, although it also included a few key European institutions' representatives and data protection officials. There was no place here for the civil society's voices apart from a representative from BEUC, the European Consumers' Organisation.

The most interesting part of the conference was the prepared speeches about the "Transatlantic solutions for data privacy" by Viviane Reding, Vice President and Commissioner for Justice, Fundamental Rights and Citizenship of the European Commission, and Cameron Kerry, General Counsel at the US Department of Commerce.

Ms. Reding announced that her office wants to "create a level playing field for companies" and is "against inconsistent rules because they are against business". She also recommended the adoption and use of binding corporate rules in that regard, and explained that she is in favour of the rule of "main establishment" to decide when the EU data protection rules apply to companies. She announced the following four rules as being the most important ones of the upcoming European Commission's data protection regulatory framework: an easier access to one's own personal data, a right to data portability, the acknowledgement of the right to forget, and clearer rules for international data transfers. She also made the point that, although she favours cloud computing in Europe, strong data protection rules are good for business because they enhance consumers' confidence.

Worth noting is the point she made about the US government agency's proposal for a Commercial Privacy Bill of Rights. Although in principle in its favour, she did not agree with the use of only voluntary codes of conduct.

Cameron Kerry announced that his department would soon release a White Paper promoting consumer privacy that would provide a roadmap for the US Government and consist of four pillars: 1) a consumer privacy Bill of Rights to provide protections for consumers and greater certainty for businesses, and provide a uniform set of standards that expands on the notice and choice principles; 2) it will convene multi-stakeholder processes including EU entities to develop legally enforceable codes of conduct that expand on the Bill of Rights, based on a voluntary participation by both consumers and businesses, and enforceable by the Federal Trade Commission (FTC) once participants would agree to abide by them; 3) "effective, fair and consistent" enforcement by the FTC; 4) a global interoperability in which "the Bill of Rights is a strong step towards an international consensus on international privacy principles".

Although his speech sounded more like the usual Department of Commerce's discourse considering privacy as an impediment to the benefits of free trade, and unrestricted flows of information as enabling economic growth, Mr. Kerry had a point when he alluded to the misconception some Europeans have when they consider Americans as careless about privacy, and pinpointed the deployment of data breach notification rules in the US as having been a powerful incentive for companies' compliance with privacy rules.

During the next session about "Ensuring co-ordinated and harmonised data protection laws across the EU", Jacob Kohnstamm, Chairman of the Article 29 Data Protection Working Party, emphasized that enforcing the rule of establishment of the new data protection framework would only work if data protection authorities are given much stronger enforcement powers and their level of coordination is increased, without which "a level playing field in the EU is impossible".

Industry representatives all concurred on the need to implement the "main establishment" rule, some saying that binding corporate rules would limit the risk of forum shopping. Stephen Deadman from Vodafone argued that the EU data protection regime is too legalistic ("we need less rules, not more") while it should focus more on operational privacy. John Vassallo of Microsoft, also in favour of the "main establishment" rule, insisted that in order to avoid forum shopping, the criterion should be the "primary physical infrastructure for processing data, the actual servers" and that a clearer and more harmonized legal framework must be promoted. Joan Antokol from Park Legal showed, through various examples based on her health privacy practitioner's experience, the ways some European rules are incoherent and should be harmonized across all EU Member States, while the focus should be to eliminate rules and expenses that do bring added value to protect individuals' privacy.

In a second session entitled "What will the effect of the new privacy rules be on the online lives of EU citizens?", Marie-Helene Boulanger from the Data Protection Unit of the European Commission stated that a recent survey of European consumers shows that the expectation of individuals with regard to the protection of their personal data is decreasing, pointing to the fact that 70% of Europeans are concerned about the secondary use of their data without consent, and the increasing demand of individuals for the notification of data breaches by companies.

Richard Allan of Facebook, asked how his company complied in practice with the subject access right of the Data Protection Directive and how it reacted to the string of complaints by an Austrian law student before the Irish Data Protection Commissioner, argued that his company had started discussions with the Irish authority to try to iron out the scope of subject access requests in practice, although he avoided answering the more specific question as to whether that right to access also included the meta-data associated with each Facebook user's profile.

In the session about "Rebuilding consumer confidence in data protection laws", Kostas Rossoglou of BEUC argued about the need for stronger redress and compensation rules, including a right to collective redress; also that self-regulation is only a solution if it fully complies with the law, benefits consumers, and is effectively enforced, which has, according to him, never been the case thus far. David Smith of the UK Data Protection Authority said that his office was interested in seeing trustmarks and seals developed in a simple and effective way; that fines drive compliance; and that individuals' access rights should be simple to use, whereas they are generally hard to exercise in practice.

On the last panel entitled "What shape for globalised data protection and privacy laws in the 21st century?", Peter Hustinx, the European Data Protection Supervisor, stated about the prospective European data protection legal framework that the criterion of application would be enhanced with a "targeting" rule: whether the data protection rules apply will depend on whether the data controllers are considered to target EU-based individuals when processing their personal data, or monitor them online. He also added that the meaning and scope of the concept of "adequate protection" would likely be clarified by the European Commission.

Event webpage
http://www.eu-ems.com/summary.asp?event_id=97&page_id=681

(Contribution by Cedric Laurant - EDRi observer)

============================================================
9. UK: Medical records in the open data programme?
============================================================

British Prime Minister David Cameron announced that, under his "open data" programme, all UK medical records will in future be made available to researchers in both academia and the pharmaceutical industry, unless patients opt out. They will be "anonymised"; at present this process consists of replacing patients' names with the combination of postcode plus date of birth, by which most citizens can easily be re-identified.

Everyone 'to be research patient', says David Cameron (5.12.2011)
http://www.bbc.co.uk/news/uk-16026827

NHS open data plans 'death of privacy' (5.12.2011)
http://www.ehi.co.uk/news/acute-care/7376/nhs-open-data-plans-%27death-of-pr...

Further Detail on Open Data Measures in the Autumn Statement 2011 (29.11.2011)
http://www.cabinetoffice.gov.uk/resource-library/open-data-measures-autumn-s...

How anonymous is NHS patient data? (12.12.2011)
http://www.guardian.co.uk/healthcare-network/2011/dec/12/nhs-patient-data-an...

Here we go again (4.12.2011)
http://www.lightbluetouchpaper.org/2011/12/04/here-we-go-again/

Anonymity is hard to do well - scientific papers
http://www.cl.cam.ac.uk/~rja14/Papers/SEv2-c09.pdf
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1450006

(Contribution by Ross Anderson - EDRi-member FIPR -UK)

============================================================
10. Recommended Action
============================================================

CSISAC, the Civil Society Information Society Advisory Council to the OECD, of which EDRI is a founding and steering committee member, is looking for its Community Manager and Liaison to OECD.
If you are a brilliant and experienced community manager, people-motivator, public-interest advocate, while being a diplomat, knowledgeable and showing strong interest in policy related to the internet, telecommunications and information society, check the job offer and full job description at
http://csisac.org/2011/12/csisac_job_opening_community_m.php

Deadline for applications by email: 31 December 2011

============================================================
11. Recommended Reading
============================================================

Digital Agenda: Turning government data into gold (12.12.2011)
http://europa.eu/rapid/pressReleasesAction.do?reference=IP/11/1524&format=HTML&aged=0&language=EN&guiLanguage=en
http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/11/891&format=HTML&aged=0&language=EN&guiLanguage=en

EDPS opinion on EU-US Passenger Name Record agreement (13.12.2011)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consul...
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/P...

The State of Surveillance: The Data (1.12.2011)
http://www.bigbrotherinc.org/

Global Information Society Watch report 2011 - Internet rights and democratisation
http://giswatch.org/en/2011

Internet censorship against streaming in France? (1.12.2011)
https://www.laquadrature.net/en/internet-censorship-against-streaming-in-fra...

============================================================
12. Agenda
============================================================

27-30 December 2011, Berlin, Germany
28C3 - 28th Chaos Communication Congress
http://events.ccc.de/category/28c3/
http://events.ccc.de/congress/2011/

25-27 January 2012, Brussels, Belgium
Computers, Privacy and Data Protection 2012
http://www.cpdpconferences.org/

26 January 2012, Schaarbeek, Belgium
Big Brother Awards Belgium
http://www.bigbrotherawards.be/

25 February 2012, Szeged, Hungary
Copyright and Human Rights in the Information Age: Conflict or Harmonious Coexistence
CfP by 16 January 2012
http://www.juris.u-szeged.hu/english/news/conference-on-copyright

16-18 April 2012, Cambridge, UK
Cambridge 2012: Innovation and Impact - Openly Collaborating to Enhance Education
OER12 and the OCW Consortium's Global Conference
http://conference.ocwconsortium.org/index.php/2012/uk

14-15 June 2012, Stockholm, Sweden
EuroDIG 2012
Submissions open by 31 December 2011
http://www.eurodig.org/

9-10 July 2012, Barcelona, Spain
8th International Conference on Internet Law & Politics: Challenges and Opportunities of Online Entertainment
Abstracts deadline: 20 December 2011
http://edcp.uoc.edu/symposia/idp2012/cfp/?lang=en

12-14 September 2012, Louvain-la-Neuve, Belgium
Building Institutions for Sustainable Scientific, Cultural and genetic Resources Commons.
Call for abstracts deadline: 15 January 2012
http://biogov.uclouvain.be/iasc/index.php

============================================================
13. About
============================================================

The next EDRi-gram will be published on 18 January 2012.

EDRi-gram is a biweekly newsletter about digital civil rights in Europe. Currently EDRi has 28 members based or with offices in 18 different countries in Europe. European Digital Rights takes an active interest in developments in the EU accession countries and wants to share knowledge and awareness through the EDRi-grams.

All contributions, suggestions for content, corrections or agenda-tips are most welcome. Errors are corrected as soon as possible and are visible on the EDRi website.

This EDRi-gram has been published with financial support from the EU's Fundamental Rights and Citizenship Programme.

Except where otherwise noted, this newsletter is licensed under the Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/

Newsletter editor: Bogdan Manolea <edrigram@edri.org>

Information about EDRI and its members:
http://www.edri.org/

European Digital Rights needs your help in upholding digital rights in the EU. If you wish to help us promote digital rights, please consider making a private donation.
http://www.edri.org/about/sponsoring
http://flattr.com/thing/417077/edri-on-Flattr

- EDRI-gram subscription information

subscribe by e-mail
To: edri-news-request@edri.org
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.

Unsubscribe by e-mail
To: edri-news-request@edri.org
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay. Translations are provided by Metamorphosis
http://www.metamorphosis.org.mk/edri/2.html

- EDRI-gram in German

EDRI-gram is also available in German, with delay. Translations are provided by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for Internet Users
http://www.unwatched.org/

- Newsletter archive

Back issues are available at:
http://www.edri.org/edrigram

- Help

Please ask <edrigram@edri.org> if you have any problems with subscribing or unsubscribing.

----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE