EDRI-gram newsletter - Number 5.9, 9 May 2007

EDRI-gram newsletter edrigram at edri.org
Wed May 9 10:27:16 PDT 2007



biweekly newsletter about digital civil rights in Europe

    Number 5.9, 9 May 2007


1. European Commission supports Privacy Enhancing Technologies
2. EDPS advises against new data protection framework decision
3. PNR deal ratification postponed by the Czech Senate
4. RapidShare sues German rights holder association
5. The EDPS Annual Report for 2006 shows more concern for data protection
6. Failure of the Scottish e-voting system
7. First draft on data retention law in Romania
8. New calls for computer online searches by German authorities
9. Recommended Action
10. Agenda
11. About

1. European Commission supports Privacy Enhancing Technologies

Commissioner Franco Frattini, who is responsible for the legislation
concerning co-operation between European police as well as data protection
of European police, has shown public support for privacy enhancing
technologies (PETs). Frattini's position is surprising taking into
consideration its open support for other privacy-invasive projects such as
the data retention directive, EU-US PNR agreement or the planned EU
fingerprint database.

A public statement published by the European Commission (EC) on 2 May 2007
directly supports PETs, expecting them to improve the protection of privacy
as well as help fulfil the data protection rules.

"The use of PETs would be complementary to the existing legal framework and
enforcement mechanisms. In fact the intervention of different actors in the
data processing and the existence of the different national jurisdictions
involved could make enforcement of the legal framework difficult."

The PETs mentioned in the Commission's communication are: the automatic
anonymisation after a certain lapse of time, encryption tools,
cookie-cutters or the Platform for Privacy Preferences (P3P). These PETs
could ensure that "breaches of the data protection rules and violations of
individual's rights are not only something forbidden...but also technically
more difficult".

The communication shows the plans of the EC in this field through activities
such as identifying the need and technological requirements of PETs,
promoting use of PETs by the industry, ensuring respect for appropriate
standards in the protection of personal data through PETs and promoting the
use of PETs by public authorities. It also aims at direct support by
funding research on PETs: Europe contributed over 18 million Euro to PET
research as part of its 6th Framework Programme (2002-06), and this is
expected to increase significantly in the coming years.

Frattini also advanced the idea of a pan-European system of "privacy seals"
that will help the consumers.

Privacy Enhancing Technologies (PETs) (2.05.2007)

Euro Data watchdog warns of database creep (3.05.2007)

2. EDPS advises against new data protection framework decision

The European Data Protection Supervisor (EDPS) has shown serious concerns in
his opinion on the Commission's new Council Framework Decision proposal
regarding the protection of personal data processed in the framework of
police and judicial co-operation in criminal matters.

Although appreciative of the German presidency's efforts, Peter Hustinx
advised the Council against adopting the proposal considering it failed to
provide appropriate data protection. EDPS believes that a Framework Decision
on the protection of personal data in the third pillar is essential in the
development of an area of freedom, security and justice and that "the
growing importance of the police and judicial cooperation in criminal
matters as well as the actions stemming from the Hague Programme have
highlighted the necessity of common standards in the protection of personal
data in the third pillar". At the same time, Hustinx underlines that some of
the aspects of the proposal are not in agreement with the EU Treaty and some
are even below the standards of the Council of Europe Convention 108 of

"We need to ensure high standards to guarantee both the citizens rights and
the efficiency in police and judicial cooperation. Unfortunately, this
proposal does not meet the expectations" stated the EDPS.

Two important issues Hustinx opposes to are the extension of the proposal
scope to third pillar data processing by Europol and Eurojust and the
creation of a new joint supervisory authority before including adequate
protection measures for the citizens' data when such data are exchanged
between member states and third parties.

In his opinion, the lack of proper and broad level of data protection will
make information exchanges "subject to different national "rules of origin"
and "double standards" that strongly affect efficiency in law enforcement
cooperation while not improving the protection of personal data".

The EDPS considers some essential data protection provisions have been taken
out from the previous text thus weakening the level of protection of
citizens and also finds the legislative quality of the text as
unsatisfactory. "Apart from the choice of legal instrument, several
provisions do not fulfil the requirements of the common guidelines for the
quality of drafting of Community legislation. In particular, the text is
not drafted clearly, simply and precisely, which makes it difficult for the
citizens to identify their rights and obligations unambiguously".

Two of the aspects that are not properly covered by the proposal are the
limitation of the further purposes for which personal
data may be processed, and the lack of specific and strict conditions for
the data exchanges with non-law enforcement authorities.

The opinion shows there are no adequate provisions related to the quality of
data. There are no provisions regarding the differentiation of data
categories based on the accuracy degree and reliability, no distinction
between data based on facts and data based on personal opinions or
assessment. "The lack of such a common requirement could actually undermine
the data being exchanged between police authorities as they will not be able
to ascertain whether the data can be construed as "evidence", "fact", "hard
intelligence" or "soft intelligence". This could have the consequence of not
only hampering security operations and intelligence."

The privacy watchdog especially objects to the way of handling the exchange
of DNA data and urges on caution regarding the introduction of biometric
data in passports. He remarked that, in the fight against crime, data
protection adequate measures had very often been disregarded for the sake of

Third pillar data protection: EDPS strongly advises Council not to adopt
current proposal without significant improvements (30.04.07)

Third opinion of the European Data Protection Supervisor on the Proposal for
a Council Framework Decision on the protection of personal data processed in
the framework of police and judicial co-operation in criminal matters

EU Data Protection Supervisor warns against networking police databases

3. PNR deal ratification postponed by the Czech Senate

The ratification by the Czech Parliament of the proposed agreement between
the European Union and the Unites States of America on the processing and
transfer of passenger name record (PNR) data has been taken off the agenda
based on the position of the Green Party MPs.

On 23 April 2007, EDRI-member Iuridicum Remedium - Czech Republic sent a
written appeal to the members of the Green Party parliamentary club,
recommending them to vote against the ratification of the proposed agreement
between the European Union and the Unites States of America on the
processing and transfer of passenger name record (PNR) data for the
following reasons:

The scope of the agreement submitted for approval as parliamentary paper
no. 162 by the Ministry of Foreign Affairs and the Ministry of Transport has
been (in comparison with the former agreement repealed by the European
Court of Justice) "widened substantially (more data requested, considerable
weakening if not complete elimination of the purpose limitation, sharing
with more and unspecified agencies and countries, undefined retention
periods, allowing for more frequent and earlier pushing of data, no
guarantees for a definitive switch to the PUSH system, the virtual abolition
of the joint evaluation) whereas the protection of personal data of EU
citizens and means of legal redress are at best unclear, and probably weaker
than under the previous agreement."

Further concerns were raised about the "precedent this agreement may set for
future agreements with the US on PNR, or on other categories of data (such
as bank account details as in the case of SWIFT, or records of
telecommunications). The lack of democratic legitimacy regarding rules on
the transfer of data must be remedied as a matter of urgency."

Moreover, the Department of Homeland Security has been using PNR data in
the system called the Automated Targeting System, which violates both EU and
US data protection laws. It uses passenger personal data for "risk
assessment scoring" and retains the data for up to 40 years.

In January 2007, Privacy International and ACLU called for repeal of the
EU-US agreement on data transfers on this basis.

Decision on the Agreement between the EU and USA passenger name record
postponed by the Czech Senate (only in Czech, 25.04.2007)

EU original text of the PNR Agreement -submitted as parliamentary paper
n.162 (27.10.2006)

EDRI-gram: Travellers privacy and European Union (30.07.2006)

(Thanks to Marek Tichy - EDRI-member Iuridicum Remedium, Czech Republic)

4. RapidShare sues German rights holder association

Rapidshare AG sued the German society for musical performing and mechanical
reproduction rights (GEMA) in order to clarify the legal situation regarding
free file hosting in Germany.

The counter-attack from Rapidshare, a well-known free file hosting provider
based in Switzerland, comes after the suit initiated in Germany by GEMA in
January 2007 for distributing MP3 files on Rapidshare.com. GEMA won a
preliminary injunction in the first lawsuit that was upheld by the appeal in
March of  the District Court of Cologne.

The District Court in Cologne had considered that Rapidshare was liable for
copyright infringements even if the works were uploaded by the users and not
by the provider.

As a result of the GEMA action, Rapidshare was forced to stop the
distribution of works from the GEMA catalogue and to actively monitor
uploads of these works.

Rapidshare argues that this activity is close to impossible and is not
covered by the German copyright law either. Rapidshare CEO Bobby Chang
considers that people have the right to make backup copies of their music
and that it is practically impossible to distinguish between legal and
unauthorized uses of MP3s.

"We are confident that it is possible to solve the conflict with GEMA while
at the same time paying tribute to innovation" said Chang.

Rapidshare sues rights holders (19.04.2007)

RapidShare AG press release (only in German, 18.04.2007)

EDRI-gram: Temporary injunction against RapidShare.de (31.01.2007)

5. The EDPS Annual Report for 2006 shows more concern for data protection

The European Data Protection Supervisor (EDPS) has issued its report for
2006 that includes activities and events as well as the main trends of the
past year and draws conclusions related to complaints, developments in
security, justice, freedom and new technologies with possible impact on
personal data protection.

One of the conclusions of the report is that while the number of complaints
has increased, it is still low and only 20% of the complaints made in 2006
were valid.

"A large majority of the complaints received continued to fall outside of
the supervisory competences of the EDPS, for instance because they dealt
exclusively with processing of personal data on the level of the member
states, where national Data Protection Authorities are competent," said the

The report shows that data protection continues to be a significant
challenge and more work is needed to make data protection rules and
practices be implemented in the European laws and "to develop a data
protection culture as part of good governance".

It also states concern regarding the increasing tendency of authorities to
establish central databases and large scale IT systems. According to EDPS,
state databases continuously exceed their function, not always to the
benefit of people and there is "the risk of illegitimate use" of these
databases. "The EDPS has observed a trend in that once a database has been
established, access to it is extended to more authorities, for other
purposes than those for which it was set up."

He believes that the cooperation between the police forces and the judiciary
systems have been developed without a proper protection for the citizens'
data protection rights.

European Data Protection Supervisor - Annual Report 2006 - Executive Summary

European Data Protection Supervisor- Annual Report 2006

Most complaints to EU privacy watchdog are misdirected (2.05.2007)

6. Failure of the Scottish e-voting system

The electronic voting system used in the Scottish Parliamentary Elections on
3 May 2007 went on as the security experts had worned and the Scotland
Office announced an urgent investigation on the "serious technical failures"
having delayed the announcement of results in several areas.

Several counts were delayed and about 140 000 votes (approx. 7% of the total
votes cast) may be discounted because of the problems that occurred with the
new electronic counting system, used for the first time in Scotland.

The independent Electoral Commission, set up by the Parliament to monitor
elections, had previously advised against the system with different types of
election used by the UK Department for Constitutional Affairs (DCA) in the
elections for the local councils, the Scottish Parliament and the Welsh

The experimental system included early voting in person up to two
weeks in advance, internet voting, touch-phone telephone voting or
e-counting as was the case for the Scottish Parliament.

In spite of the testing in advance, problems with the automatic counting
system occurred causing the suspension of the counting for some time.

DRS Data Services, which supplied the electronic counting machines, stated
to BBC that the delays had been caused by a "small issue" that their
technical staff was doing efforts to solve. "The e-counting system has not
crashed. This is a temporary interruption to one small aspect of the overall
process," said the company spokeswomen.

However, the system was described as a fiasco by the thirty experts from
North America invited to witness the new electronic voting system.

Robert Richie, executive director of US-based organisation Fair Vote,
considered as "totally unacceptable to have so many votes spoiled" and
stated: "We were also very concerned about the lack of uniform standards in
judging what votes were rejected and which were deemed to be valid".

The Electoral Commission will perform an extended statutory review into the
election. The Scotland Office spokesman said: "It is important that they
look as a matter of urgency into delays in postal ballots, the high number
of spoiled ballot papers, and the performance of the electronic counting

E-voting policy review after Scottish ballot chaos (4.05.2007)

Inquiry launched into Scottish voting confusion (4.05.2007)

International experts slam ballot fiasco (6.05.2007)

Security fear over internet voting (2.05.2007)

Vote early, vote often (1.05.2007)

7. First draft on data retention law in Romania

A first draft law for the implementation of the data retention directive was
presented at the end of April 2007 by the Romanian Ministry of
Communications and Information Technology for public consultation. The
ministry also organized on 26 April a public debate on the draft law.

The first draft was achieved in cooperation with a number of public bodies
including the Ministry of Justice, Ministry of Internal Affairs or the
Romanian Data Protection Authority.

The text proposing a 12-month period of traffic data retention, without any
explanatory reports, has received criticism from ISPs and other telecom
operators that believe it puts a high financial burden on them. The draft
clearly specifies that the content of the communications cannot be retained
by the operators, considering the retention of the content as well as any
retained data transfer without a proper judicial authorization as crimes.
The retained data should be deleted at the end of the 12 month period.

Only the electronic communication providers that have notified the
Regulatory Authority are subject to data retention obligations and there are
no provisions for the hosting or other online service providers.

The retained data can be accessed by prosecutors only in the penal cases
related to organized crime and terrorism crimes and with a proper specific
judged-approved access authorization. The prosecutor can ask, through a
specific ordinance, for access to the data as a provisional measure, if this
is necessary due to specific circumstances that could otherwise put in
danger the penal investigation. But in this case, the prosecutor's decision
together with the data needs to be confirmed by a judge in 48 hours. If a
judge does not confirm the prosecutor's ordinance, all the accessed data
will be destroyed.

The very detailed procedure regarding access by prosecutors to the retained
data is in opposition with Article 16 of the draft text that allows,  "in
case of a threat to the national security", the request of the retained data
by "the specific bodies, as explained in the laws on national security".
The vagueness of this article was criticized in the public debate, the
participants considering that this could leave room for discriminatory
access by the Romanian secret services.

As regards the type of data retained, the Romanian draft is only a
translation of the European Directive on data retention. The public
consultation will end on 10 May 2007 and the text could be approved by the
Government and then sent to the Parliament for consideration.

Draft law on data retention by public electronic communication providers
(only in Romanian, 04.2007)

MCIT Publicly Debates the Retention of Data Generated or Processed in
Connection with the Provision of Publicly available electronic 
communications services or of public communications networks (26.04.2007)

EDRI - Member APTI - Romania - Opinion of the draft data retention law (only
in Romanian, 9.05.2007)

8. New calls for computer online searches by German authorities

The German authorities seem to have a higher desire to push for a legal
basis of the online searches of personal computers in Germany, despite the
Federal Supreme Court decision in February 2007 that, according to the
German Code of Criminal Procedure, decided that online police snooping was

Wolfgang Schduble, The German Federal Minister of the Interior, has asked
again to adopt stricter security rules that are essential in the fight
against terror. Schduble said that terrorists were beginning to set their
sights on Germany and "These days the Internet is the place where terrorists
from all over the world arrange to meet". This is why it is essential to
make the online searches of computers a legal possibility for the German law

The online searches of computers by the secret services have been a reality
in Germany since 2005, following an order to do so by then-Interior Minister
Otto Schily. The statement was admitted by the Chancellor's Office that did
not reveal the number of searches. The German Government stated that it did
not see any breach of the privacy of telecommunications in these actions.

Gisela Piltz, spokesperson for home affairs from the FDP in the Bundestag,
who forced the government to admit the searches, said that "the cat is out
of the bag".

The Social Democratic Party has accused Mr. Schduble of engaging in a
"hypocritical debate" and the new approach is like "a recipe for asking for

The German Supreme Court president, Hans-J|rgen Papier, told the Frankfurt
Press Club that the politicians were going too far in asking for greater
security and they were forgetting that the state is also obliged of ensuring
civil rights.

Minister of the Interior renews call for legal online PC search option

German government admits it is already conducting online searches

EDRI-gram: Online police searches found illegal in Germany (14.02.2007)

EDRI-gram: Proposal of computers online searching in Germany (20.12.2006)

9. Recommended Action

Public consultation on the Regulation regarding public access to European
Parliament, Council and Commission documents (Regulation 1049/2001).

For Dutch readers - Petition for more flexible contracts for members of
the rights collecting society which allow them to choose the conditions
under which to release their own music and use CC licenses.

10. Agenda

15-16 May 2007, Brussels, Belgium
The European Patent Conference - EUROPACO-2

18 May 2007, Oxford, UK
Global Internet Filtering Conference 2007
The OpenNet Initiative is holding its first public conference to discuss the
current state of play of Internet filtering worldwide.

18-19 May 2007, Brasov, Romania
eLiberatica - The Benefits of Open and Free Technologies - Romanian IT Open
Source and Free Software Conference

26 May 2007, Zurich, Switzerland
Creative Commons Switzerland - Launch Event

11-15 June 2007, Geneva, Switzerland
Provisional Committee on Proposals Related to a WIPO Development Agenda:
Fourth Session

11-12 June 2007, Strasbourg, France
Council of Europe - Octopus Interface 2007 - Cooperation against Cybercrime

12 June 2007, Berlin, Germany
German Federal Commissioner for Data Protection and Freedom of Information -
Symposium "Data Protection in Europe"

14 June 2007, Paris, France
ENISA/EEMA European eIdentity conference - Next Generation Electronic
Identity - eID beyond PKI

15-17 June 2007, Dubrovnik, Croatia
Creative Commons iSummit 2007

17-22 June 2007 Seville, Spain
19th Annual FIRST Conference, "Private Lives and Corporate Risk"

18-22 June 2007, Geneva, Switzerland
Second Special Session of the Standing Committee on Copyright and Related
Rights (SCCR)

11. About

EDRI-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRI has 25 members from 16 European countries.
European Digital Rights takes an active interest in developments in the EU
accession countries and wants to share knowledge and awareness through the
EDRI-grams. All contributions, suggestions for content, corrections or
agenda-tips are most welcome. Errors are corrected as soon as possible and
visibly on the EDRI website.

Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 2.0 License. See the full text at

Newsletter editor: Bogdan Manolea <edrigram at edri.org>

Information about EDRI and its members:

- EDRI-gram subscription information

subscribe by e-mail
To: edri-news-request at edri.org
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.

unsubscribe by e-mail
To: edri-news-request at edri.org
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis

- EDRI-gram in German

EDRI-gram is also available in German, with delay. Translations are provided
Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users

- Newsletter archive

Back issues are available at:

- Help
Please ask <edrigram at edri.org> if you have any problems with subscribing or

----- End forwarded message -----
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

More information about the cypherpunks-legacy mailing list