EDRI-gram newsletter - Number 6.2, 30 January 2008

EDRI-gram newsletter edrigram at edri.org
Wed Jan 30 12:35:24 PST 2008


============================================================

           EDRI-gram

biweekly newsletter about digital civil rights in Europe

    Number 6.2, 30 January 2008


============================================================
Contents
============================================================

1. ECJ decision on handing traffic information in civil cases
2. European Parliament hearing on Internet privacy issues
3. Personal sensitive data keep on being lost in UK
4. New spying tools patented by Microsoft
5. YouTube blocked once more in Turkey
6. Bulgarian Big Brother Awards
***European Data Protection Day - 28.01.2008 - special section***
7. Key privacy concerns in Denmark 2007
8. Key privacy concerns in Czech Republic 2007
9. Key privacy concerns in Ireland 2007
10. Key privacy concerns in France 2007
11. Key privacy concerns in Romania 2007
12. Key privacy concerns in Netherlands 2007
13. Main data protection concerns with the EU policy developments in 2007
14. Agenda
15. About

============================================================
1. ECJ decision on handing traffic information in civil cases
============================================================

The European Court of Justice (ECJ) decided on 29 January 2008, in the
case of Productores de Música de España Promusicae vs. Telefónica de
España, that European law "does not require member states to lay
down an obligation to disclose personal data in the context of civil
proceedings". However, the decision allows the national courts to do that
if the national interpretation requires so: "As to those directives, their
provisions are relatively general, since they have to be applied to a large
number of different situations which may arise in any of the Member States."

The decision came in the case where the Spanish music Association Promusicae
asked the ISP Telefonica to hand over the names and addresses of the
subscribers that allegedly distributed copyrighted songs via the p2p
software Kazaa. Telefonica refused, considering that it could do that only
in a criminal investigation or in matters of public security and national
defence. The company based its position on the Spanish implementation of the
E-commerce directive. A Spanish court in Madrid asked the ECJ to decide on
the conformity of the Spanish act with EU law on this matter.

The opinion of Advocate General Juliane Kokott, published on 18 July 2007,
was positive for the ISPs, suggesting that member states' exclusion of
the disclosure of personal data from Internet traffic in civil copyright
infringement cases was compatible with EU law.

However, the ECJ final decision was limited to claiming that the
European Directives invoked in this case "do not require the Member States
to lay down (...) an obligation to communicate personal data in order to
ensure effective protection of copyright in the context of civil
proceedings." This confirms that the EU law does not directly require the
national courts to disclose the personal data in civil cases of copyright
infringement.

At the same time, the decision considers it acceptable for national
laws to allow disclosure to be compelled in civil proceedings, taking
into consideration their balance of fundamental rights: "(...) when
implementing the measures transposing those directives, the authorities and
courts of the Member States must not only interpret their national law in a
manner consistent with those directives but also make sure that they do not
rely on an interpretation of them which would be in conflict with those
fundamental rights or with the other general principles of Community law,
such as the principle of proportionality."

Intellectual property lawyer Iain Connor, a partner with Pinsent Masons,
considered the ruling could be bad news for ISPs in the UK: "You could
potentially get people who want to host material effectively forum shopping
and going to ISPs in places where disclosure would not be ordered."

Meryem Marzouki, president of the EDRi-member IRIS France, considers the
decision to be more in favour of the copyright holders' demands and insists
that the ruling is a step backward compared with the Advocate General's
opinion in this case that the EU legislation on personal data protection
should prevail over the Community law on e-commerce, copyright protection
and IP enforcement.

C-275/06 - Promusicae vs Telefonica - ECJ decision (29.01.2008)
http://www.bailii.org/eu/cases/EUECJ/2008/C27506.html

Countries can choose whether or not to force disclosure of file-sharers
(29.01.2008)
http://www.out-law.com/page-8836

Court delivers a blow to record companies on internet piracy (30.01.2008)
http://business.timesonline.co.uk/tol/business/law/article3273960.ece

EU supremes: ISPs don't always have to finger filesharers (29.01.2008)
http://www.theregister.co.uk/2008/01/29/eu_supreme_civil_isp_filesharing_case_law/

EDRi-gram: ECJ's Advocate General says no handing traffic information in
civil cases (1.08.2007)
http://www.edri.org/edrigram/number5.15/traffic-data-civil-cases

============================================================
2. European Parliament hearing on Internet privacy issues
============================================================

During a hearing of the European Parliament (EP)'s Civil Liberties
Committee, on 21 January 2008, serious data protection concerns were raised
by the practice of large Internet companies that monitor the online
behaviour of their users in order to provide online advertisers with the
necessary information to better target their ads.

The main debate centred on the Google-DoubleClick deal that is now being
examined by the European Commission and that was already approved in the US
in December 2007 by the Federal Trade Commission.

Google accused MEPs and rights advocates of trying "to take a privacy
case and shoehorn it into a competition law review" but Sophie In 't Veld
replied to these accusations: "The reason you want to have the data is
because it gives you a competitive advantage. It is business. I don't think
they can be completely disconnected."

Representatives of the industry and consumer protection bodies addressed the
EP Civil Liberties Committee, claiming that the tracking of online
behaviour threatens personal privacy and that there is no guarantee
these data are used only for advertisement targeting. MEP Stavros
Lambrinidis of Greece expressed concern about the lack of
Community legislation ensuring that personal data are used only for
advertising purposes, saying that "there is no EU legislation per se to
ensure that information targeting behaviour for marketing purposes will not
be used for other activities that far exceed the initial purpose."

In his turn, EDPS Peter Hustinx said: "Community law on data protection
does apply on the Internet, it applies to both online and offline realities
(...) existing rules do apply and do provide safeguards".

Google's Global Privacy Counsel Peter Fleischer stated that the merger
between Google and DoubleClick would not lead to the creation of a single
database with consumer-related information, as "DoubleClick does not own its
customers' data". He also added that the online ad company "can only use the
data it processes from serving ads to provide aggregate reporting. The data
is owned by the publishers or advertisers that DoubleClick works for (...)
DoubleClick customers would be very displeased if one tried to undo their
contractual relationships by sharing information between advertisers".

The merger case is now with DG Competition being examined for potential
violations of antitrust rules in the online advertising intermediary market.
The European Commission is to decide whether or not to authorise the merger
on 2 April 2008.

One issue that was also strongly debated was that of the IP address being
considered personal data or not. In the opinion of the EU group of data
privacy regulators, the IP address should generally be considered as
personal information.

Google's view has been expressed by Fleischer who stated: "There is no black
or white answer: sometimes an IP address can be considered as personal data
and sometimes not, it depends on the context, and which personal information
it reveals." But Marc Rotenberg, the Executive Director of the Electronic
Privacy Information Center, contradicted this statement: "I wish this was the
case, but we are moving towards the IP6 model, for which it will be even
more the case that IP addresses will be personably identifiable".

Peter Schaar, Germany's data protection commissioner who leads the EU
Article 29 Data Protection Working Group which is preparing a report on the
compliance with EU data protection acts of the privacy policies of Internet
search engines operated by Google, Yahoo, Microsoft and others, said that if
someone could be identified by an IP address "then it has to be regarded as
personal data."

Do Internet companies protect personal data well enough? (26.01.2008)
http://www.neurope.eu/articles/82144.php

Google-DoubleClick deal likely to win EU go-ahead (25.01.2008)
http://www.reuters.com/article/reutersEdge/idUSL2589361220080125

Internet privacy concerns cause very public row in Brussels (23.01.2008)
http://afp.google.com/article/ALeqM5hQ47Tl9N_w06bGdc5UBcXzg1lPRA

EU data regulator says Internet addresses are personal information
(21.01.2008)
http://www.siliconvalley.com/news/ci_8035260?nclick_check=1

Google seeks to allay privacy fears over DoubleClick merger (22.01.2008)
http://www.euractiv.com/en/infosociety/google-seeks-allay-privacy-fears-doubleclick-merger/article-169785

EDRi-gram: EC announces a larger investigation of the Google-DoubleClick
deal (26.11.2007)
http://www.edri.org/edrigram/number5.22/in-depth-google

============================================================
3. Personal sensitive data keep on being lost in UK
============================================================

Many documents with confidential data, including benefit claims, passport
photocopies and mortgage payments, were found on 17 January 2008, lost on a
roundabout near Exeter Airport in Devon, UK.

Mr Karl-Heinz Korzenietz, the finder of the documents, told BBC News: "I
thought first of all it was rubbish. But when I looked at the papers I
discovered they were highly sensitive. I was shocked and surprised that
sensitive papers like this would just be lost like that." Mr Korzenietz has
also said that this was the second time he had found documents of this kind.
On 6 November he found another set of similar documents that he handed over
to the Royal Mail depot in Exeter which returned the documents to TNT
carrier. However, TNT said they were unaware of any missing data and
stated they were not the only company providing services to the government.

The Ministry of Defence (MoD) has also disclosed the theft on 9 January
2008, from a Royal Navy officer, of a laptop containing details on more than
600 000 people including Royal Navy, Royal Marine and RAF recruits, as well
as other people wanting to join the services. The MoD has approached the
security and intelligence agencies and, although the Joint
Terrorism Analysis Centre considered the threat to be low, the ministry
approached the banks and individuals whose data were in the missing
database. The respective data included passport information, family details,
national insurance numbers, driving licence details and even medical
information.

According to Conservatives and Liberal Democrats the theft raises further
concerns related to the government's plans for identity cards considering
that the government would have to convince the public that it could safely
manage the identity card system.

These two incidents continue the series of personal data losses that have
lately occurred in the UK. In October 2007, two discs containing an unencrypted
copy of the entire child benefit database were lost in transit between HM
Revenue and Customs and the National Audit Office. In December 2007, a hard
drive with a driving theory test database containing details on 3 million
candidates was lost in the US and at the beginning of 2008 personal details
of hospital patients were lost by the NHS.

Conservative MP Chris Grayling said: "You would have thought after the child
benefits fiasco every department would have doubled and trebled their
efforts. The fact that this hasn't happened is incompetence of the highest
degree."

On 10 August 2007, the House of Lords Committee on Science and
Technology published a report on "Personal Internet Security" recommending a
Security Breach Notification law that would require companies that leaked
personal data to notify the people concerned of the event. Unfortunately,
in October 2007, the Government turned down the Committee's recommendation.

Richard Clayton, specialist adviser for the Committee and an EDRi-member of
the Foundation for Information Policy Research, commented: "What's needed of
course is a security breach notification law, so that everyone (not just
Government departments as here) is forced to notify people when they lose
personal data AND forced to notify a central clearing house, so that
researchers can start to build up patterns and observe commonalities, so as
to better advise the holders of personal data what they -- as a group -- are
doing wrong."

The Defence Secretary, Des Browne, gave a statement to the House of
Commons on 21 January 2008 saying that in fact three laptops had been
stolen over the previous two years. The head of the Civil Service has
now issued instructions that laptops holding sensitive personal data
must not be removed from offices.

Personal data found on roundabout (18.01.2008)
http://news.bbc.co.uk/1/hi/england/devon/7197048.stm

Recruits' banks alerted after theft of laptop (21.01.2008)
http://www.guardian.co.uk/idcards/story/0,,2244251,00.html

EDRi-gram: UK government loses personal data on 25 million citizens
(21.11.2007)
http://www.edri.org/edrigram/number5.22/personal-data-lost-uk

Personal Internet Security - House of Lords Science and Technology Committee
5th Report of Session 2006-7 (10.08.2007)
http://www.publications.parliament.uk/pa/ld200607/ldselect/ldsctech/165/165i.pdf

House of Lords Inquiry: Personal Internet Security (10.08.2007)
http://www.lightbluetouchpaper.org/2007/08/10/house-of-lords-inquiry-personal-internet-security

Government ignores Personal Internet Security (29.10.2007)
http://www.lightbluetouchpaper.org/2007/10/29/government-ignores-personal-internet-security/

============================================================
4. New spying tools patented by Microsoft
============================================================

According to The Times, a patent application has been filed by Microsoft for
computer software that can monitor employees' performance and state
by means of wireless sensors linking workers to their computers.

The system, considered by Microsoft a "unique monitoring system", is capable
of measuring employees' movements, heart rate, blood pressure, brain
signals, body temperature or facial expression and can even "automatically
detect frustration or stress in the user" and "offer and provide assistance
accordingly". This can lead to the creation of psychological profiles, and
unions fear that employees could be dismissed on the basis of such
profiles.

The Information Commissioner, privacy advocates and civil liberties groups
strongly criticise the application. "This system involves intrusion into every
single aspect of the lives of the employees. It raises very serious privacy
issues" stated Hugh Tomlinson, QC, an expert on data protection law at
Matrix Chambers, while the Information Commissioner's Office said: "Imposing
this level of intrusion on employees could only be justified in exceptional
circumstances."

According to legal experts from law firm Eversheds, Microsoft will face
major legal problems if they want to implement the system all around the
world. Jonathan Armstrong, a partner in the company, told vnunet.com that
the situation was especially complicated due to the international nature of
Microsoft business.

The application was confirmed by the US Patent Office and could be granted
within a year.

Another patent application by the company covers a method of collecting
information about users of cell phones, the Internet, credit cards and
geolocation systems in order to target advertising. Microsoft, like other
large companies such as Google that earn money from clicks on ads, has
thought of gathering personal information on Internet users in order to
provide more tailored advertisements that may better catch the users' eye.

According to the Microsoft application, "an advertising component employs
the user profile in connection with the delivery of an advertisement."
Credit card information may be used to create a "payment history," and data
relayed by cell-phone towers can also be used to locate users, and to
"tailor search and advertising during online experiences so as to better
interpret queries to search engines, to better target advertisements."

Brendon Lynch, Microsoft director of privacy strategy, stated that the
application "will first be reviewed against our privacy standards to ensure
that privacy is protected."

Microsoft seeks patent for office 'spy' software (16.01.2008)
http://technology.timesonline.co.uk/tol/news/tech_and_web/article3193480.ece

Microsoft ponders offline profiling of Web users (23.01.2008)
http://www.marketwatch.com/news/story/microsoft-ponders-offline-profiling-web/story.aspx?guid=%7BF0D7FACF-0072-43C6-B341-B934D7E84635%7D&dist=hplatest

Microsoft faces legal challenge to 'spy' software (18.01.2008)
http://www.vnunet.com/vnunet/news/2207545/microsoft-faces-legal

============================================================
5. YouTube blocked once more in Turkey
============================================================

An order issued by a Turkish court on 17 January 2008 blocked once again the
access to Google's YouTube Web site on account of allegedly insulting clips
referring to the country's founding father, Mustafa Kemal Ataturk.

The ban lasted for 6 days and as no statements have been made by Turk
Telekom which has implemented the ban or by YouTube representatives, it is
not yet known whether the ban was lifted because the clips under question
were removed.

The situation seems to be a repeated pattern, as YouTube was first banned in
March 2007 for similar allegations until the videos considered disrespectful
were removed by the site. A second time, in September, a Turkish court in
the eastern city of Sivas ordered the ISPs to block access to
YouTube over a video considered offensive to Ataturk, President Abdullah Gul,
Prime Minister Recep Tayyip Erdogan and the Turkish army, but the ban was not
implemented.

The bans on YouTube are an expression of the problems Turkey has with
freedom of expression. Turkish writers and journalists have been on trial
for having allegedly brought insults to "Turkishness" and the country, which
is seeking European Union membership, is already under EU pressure to
improve the situation. The EU also asks Turkey to abolish an article in its
penal code considered to violate free speech.

This situation is highly criticized in the country as well. Journalist Emre
Aköz from Sabah considers that this ban places Turkey in the ranks of
undemocratic regimes and gives those who oppose Turkey's accession to
the EU the occasion to say: "We told you these guys are pro-ban. They lack
tolerance. They cannot bear hearing criticism. Here is the evidence." Posta
journalist Mehmet Barlas asked: "Can we now say that we have taken
the virtual world under our control by banning YouTube? No. The virtual
world is incredibly large, it is both close and far away and a digital
world," and also added: "Blocking full access to a Web site, although
possible to block only those controversial videos in this information era,
is like blocking access to a school due to an unruly student or banning
civil aviation due to an accident".

Turkey is not the only country to have blocked YouTube. In 2007, the Thai
government banned the site for almost four months over some clips considered
offensive to King Bhumibol Adulyadej, Thailand's monarch, and in Morocco the
site could not be accessed after some users posted videos
criticising the way in which Morocco was treating people of Western Sahara.
The government did not admit to having blocked the site, blaming a
technical fault, but was unable to explain why the fault affected only the
YouTube site.

Turkey Bans YouTube for Second Time (20.01.2008)
http://ap.google.com/article/ALeqM5iKUx9hP8rzGIKGJC5_Ml7OViYraQD8U9PRM00

Access to YouTube Resumes in Turkey (24.01.2008)
http://ap.google.com/article/ALeqM5iKUx9hP8rzGIKGJC5_Ml7OViYraQD8UCF7L80

YouTube ban reduces Turkey to the ranks of backward states (23.01.2008)
http://www.todayszaman.com/tz-web/yazarDetay.do?haberno=132231

Turkey once again blocks access to YouTube (22.01.2008)
http://www.todayszaman.com/tz-web/detaylar.do?load=detay&link=132195

EDRi-gram: Turkey blocks again YouTube (26.09.2007)
http://www.edri.org/edrigram/number5.18/turkey-youtube

============================================================
6. Bulgarian Big Brother Awards
============================================================

On 28 January 2008, the Access to Information Programme and EDRi-member
Internet Society Bulgaria presented the Big Brother negative awards.

The Big Brother award was presented to the Ministry of Interior for
publishing data from the passports and criminal conviction records of two
BBC journalists who were shooting a documentary in Bulgaria.

The Sramota (or Shame diploma) was presented to the Bulgarian Council of
Ministers for their decision to publish in the State Gazette of October
2007 the names, permanent addresses and the personal numbers of the owners
of land, which were expropriated for the construction of the south road
circle in Sofia.

Among the nominees for the anti-award this year were also the Traffic
Police, the Registry Agency at the Ministry of Justice, as well as the
Commission for Data Protection itself.

28 January, the date on which the Big Brother Awards Ceremony was held in
Bulgaria, coincides with the European Data Protection Day. The date marks the adoption
of Convention 108 of the Council of Europe for the protection of individuals
with regard to automatic processing of personal data.

The Big Brother Awards ceremony was held in Bulgaria for the fourth time.
The last ceremony was held in 2005.

Big Brother Awards Bulgaria (only in Bulgarian, 28.01.2008)
http://bg.bigbrotherawards.org/

The "Big Brother" Awards Ceremony Held in Bulgaria (28.01.2008)
http://www.aip-bg.org/documents/bb_eng_2008.htm

Bulgarian Big Brother Awards - 2007 (28.01.2008)
http://blog.veni.com/?p=439

(contribution by Veni Markovski - EDRi-member ISOC Bulgaria)

============================================================
***European Data Protection Day - 28.01.2008 - special EDRI-gram section***
============================================================

28 January is the European Data Protection Day. For the second time, in
2008, this date marks the anniversary of the Council of Europe's Convention
108, the first legally binding international instrument related to data
protection.

This section of the EDRi-gram is dedicated to the European Data Protection
Day and marks the main privacy developments from some European countries, as
reported by EDRi members.

European data protection day activities - 28.01.2008
http://www.coe.int/t/e/legal_affairs/legal_co-operation/data_protection/Data_Protection_Day_default.asp

============================================================
7. Key privacy concerns in Denmark 2007
============================================================

a. Data Retention - a reality

15 September 2007 - data retention became a reality in Denmark. The
administrative order, which sets the scope and conditions for data
retention, was approved on 28 September 2006 with an implementation deadline
of one year. The order, which was drafted by the Ministry of Justice, had
been underway for more than four years. The Act providing for data retention
was approved by the Danish Parliament already in June 2002 as part of the
Danish "anti-terrorism package," which extended the scope of Section 786 of
the Administration of Justice Act (Act No. 378 of 6 June 2002).

The administrative order regulates in more detail the obligations of the
telecommunications providers and further implements the recently adopted EU
Directive on Data Retention. On some issues the order goes further than the
EU Directive, e.g. session logging. The order applies only to commercial
ISPs, excluding non-commercial ISPs, libraries, universities and smaller
housing associations. There is no obligation on ISPs to invest in new
systems, but the law demands a 24/7 point of contact at ISPs and security
clearance of relevant ISP personnel.

For fixed lines and mobile phones (including voice, voicemail, call
forwarding, conference calls, SMS, MMS) the retained data are: phone number,
user ID (e.g. customer number), name and address of customer, IMSI / IMEI
number, unsuccessful call attempts, first and last cell ID and physical
location (mobile communication), and date and time for start and end of
communication.

For Internet use, the retained data are session logging (first and last
or every 500th packet), IP address, port number and transport protocol, user
ID, phone number for dialup access, location and ID of hot spots, date and
time for start and end of communication.

For email and VoIP the order covers the ISPs' own email services (and not
hotmail, gmail, etc) and all VoIP services. The retained data are sender and
receiver, user ID, email address, date, time and duration of communication.

During the 4-year drafting period, the proposed scheme for mandatory data
retention was heavily criticized by the Telecom and IT industry, the Data
Protection Agency, the Human Rights Institute, and non-governmental
organizations for being privacy invasive, disproportionate and inconsistent,
i.e. letting private companies store large amounts of personal information,
while at the same time being easy to evade, because of the many exemptions,
such as libraries and universities.

b. Extended means of surveillance

On 1 June 2007 an Act on TV Surveillance, which replaced the previous Act
Prohibiting Video Surveillance, was adopted in the Parliament (Act no. 162
of 1 June 2007). The bill gives private enterprises such as banks, gas
stations, hotels, shops etc. extended powers to perform surveillance on
areas related to their property. The police may set quality standards for the
recordings. General surveillance of public areas such as public streets and
squares is not allowed for private parties; however, the police may perform
surveillance in any public area if it is found necessary to prevent or
investigate crime. Both public and private surveillance must comply with the
Danish Data Protection Act, i.e. requirements of deletion of data after max.
30 days. However, there is no longer a duty to notify the Data Protection
Agency prior to installing surveillance equipment.

c. Extended access to personal information

On 8 June 2006, an Act amending the Administration of Justice Act, Act
Prohibiting Video Surveillance etc., and Act on Air Traffic (Strengthening
of the efforts to fight terrorism etc.) was adopted in Parliament (Act No.
542 of 8 June 2006). The bill was presented as the second "anti-terrorism
package" in Denmark. The amendment to the Administration of Justice Act
gives the Police Intelligence Service increased powers to exchange
information with the Defense Intelligence Service and to collect information
from other public authorities, e.g. hospitals, schools, libraries, social
services etc. without a warrant. Concerning phone tapping in relation to
criminal investigations, this is now targeted to individuals rather than
means of communication, for instance a specific landline. This implies that
all the phones a person may use may be tapped. Also, the notification of the
individual may be omitted or postponed for a fixed period of time if the
notification is considered to be detrimental to the investigation. The
amendment of the Act Prohibiting Video Surveillance gives the police
increased powers to demand of public offices and private parties that they
install and conduct video surveillance. The amendment of the Air Traffic Act
obliges airline companies to register and keep data on passengers and crews
for one year and to provide the Police Intelligence Service with electronic
access to the data, without a warrant.

Draft Administrative Order on data retention in Denmark (19.07.2006)
http://www.edri.org/edrigram/number4.14/denmark

EU Data retention directive and its implementation in Denmark (in Danish
only)
http://logningsdirektivet.dk/

CCTV (in Danish only)
http://www.update.dk/cfje/Lovbasen.nsf/ID/LB04720872

Privacyforum.dk - about CCTV (in Danish only, 21.11.2006)
http://www.privacyforum.dk/?p=25

Act No. 542 of 8 June 2006 (in Danish only, 8.06.2006)
http://www.ft.dk/doc.aspx?/Samling/20051/lovforslag/L217/index.htm

(contribution by Rikke Frank Joergensen - Digital Rights Denmark)

============================================================
8. Key privacy concerns in Czech Republic 2007
============================================================

Last year saw an increased number of attempts by government bodies to
extend their powers and make it easier to access people's private
information. To name a few, there were legal proposals to increase the
number of agencies authorized to access and process electronic
communication data collected by telecommunication companies under the
Data Retention law, national DNA database enlargement, plans for various
administrative database sharing, introduction of even more CCTV systems
and pressure on air travel operators to share records about their
passengers. The introduction of biometric data into travel documents as a
means of identification and the use of contactless chip technologies
still suffer from a lack of respect for people's privacy. Citizens continue
to lose control over their personal data at the same speed, with no
visible slowdown.

a. National DNA database

There was a substantial expansion of the number of DNA samples and
profiles in 2007 - up to 40 000 records. The new legislation, which entered
into force in 2006, allows the police to take samples not only from the
accused, but also from uncharged suspects or from any other person related
to the investigation in any unspecified way, which practically means from
anybody.
Moreover, the new law made it possible to take DNA samples from all
prisoners found guilty of intentional crimes as well as people under
protected health treatment. There has been a murder related investigation in
the city of Sternberk, where DNA samples were taken from all men of a
certain age, whilst no information was given about the process of
destruction of those samples belonging to innocent people after the
investigation.

b. Data Retention

EU directive 2006/24/EC on the retention of data generated or
processed in connection with the provision of publicly available
electronic communications services has been implemented in national
legislation since the beginning of 2006. In 2007 the Police routinely used
the data for investigation. However, there are no official statistics on the
number of accesses or on the efficiency of the measure. In November 2007 a
proposal was made by the Minister of Industry and Trade, Mr. Říman, to allow
the secret service and the military intelligence direct access to those
data. He abandoned the idea, only temporarily, after a strong negative
reaction from the media and politicians.

c. PNR

The provisional agreement on the transfer of Passenger Name Records
expired in the middle of 2007. The new agreement was accepted
by the Czech government outside the ordinary legislative process due
to the lack of time. Only the Czech Data Protection Agency was
consulted. In its official opinion, the new agreement is worse with
respect to privacy than the previous one, namely because the agreement
doesn't contain any safeguards against the US interlinking the data with
other databases, using it for other purposes or exporting the data to
third countries with different regimes of privacy protection. The Czech
government has accepted the agreement with reservation.

d. CCTV surveillance

Both the Ministry of Interior and various city magistrates continue to
invest in CCTV systems. The current number of CCTVs in Prague is 400
and keeps increasing. The Prague City Hall has announced its plans to
enclose the whole city in a circular system of interlinked cameras
with license plate number recognition capabilities combined with speed
cameras in order to register all vehicles entering or leaving the city.
There was a case, well covered by the media, of misuse of the CCTV
system to peek into a private flat at a crossroads in Pilsen in summer 2007.
The images appeared on the Internet.

e. Contactless chip cards

In Summer 2007, the Prague City Hall introduced a universal service card
for all citizens of Prague. It's supposed to be used for parking
payments, access to libraries, as a travel card, electronic wallet and a key
for online communication.
As demonstrated publicly by EDRi-member Iuridicum Remedium, anybody with a
standard RFID reader was able to obtain the personal data (name, date of
birth, sex) from the card, from a distance, without the cardholder's
consent. Despite the producer's claims on the enhanced security of the chip,
the actual implementation of the system did not put any focus on the
cardholders' security and left the card at factory defaults. Neither has it
ever been explained why the personal data should be on the contactless chip
in the first place.
After the campaign, the City Hall decided to stop putting the data
on the chip and to fix the cards already issued. But the fact that many
services which used to be available anonymously are no longer anonymous
(e.g. parking) remains a major unresolved problem.

f. eGovernment

The recent developments on the eGovernment front give further reasons to
worry. There is almost no discussion about the privacy safeguards and
how they are going to be implemented. The available documentation
contains many plans for processing and interlinking people's personal
data, including a broad specification of to whom this data will be made
available and how the data is going to be shared. The privacy aspects of
the system, which will potentially concern the majority of the
population, have been left out completely. The proposal made by an
independent working group for time-limited ad-hoc identifiers has not
been taken into consideration.

EDRi-gram: Prague will anonymise RFID city cards (1.08.2007)
http://www.edri.org/edrigram/number5.15/rfid-prague-cards

EDRi-gram: Government attempts of increased level of surveillance in Czech
Republic (7.11.2007)
http://www.edri.org/edrigram/number5.21/terrorism-act-czech

More information (in Czech only)
http://www.iure.cz

(contribution by Filip Pospíšil and Marek Tichý, EDRi-member Iuridicum
Remedium - Czech Republic)

============================================================
9. Key privacy concerns in Ireland 2007
============================================================

a. Data Retention Litigation

The Digital Rights Ireland litigation against data retention, which was
started in September 2006, continues before the High Court. This action
challenges both the Directive and also Ireland's domestic data retention
laws. It alleges that those laws are procedurally flawed and are also in
breach of the right to privacy guaranteed under the Irish Constitution and
Article 8 of the European Convention on Human Rights.  It also argues that
data retention will have a chilling effect on the Constitutional and ECHR
rights to freedom of expression and association.  In addition, the action
argues that the tracking of the movements of any person carrying a mobile
telephone interferes with the right to travel under the Constitution. The
action alleges that these infringements of personal rights are neither
proportionate nor necessary in a democratic society.

At the time of writing the action is at the interlocutory stages and awaits
a full hearing. Two preliminary matters are currently before the court. The
Irish Human Rights Commission (a statutory body) has made an application for
permission to intervene in the case as an amicus curiae. The defendants have
also indicated their intention to challenge the locus standi of Digital
Rights Ireland to bring the case. Both applications have yet to be ruled on
by the court.

b. Implementation of the Data Retention Directive

The Irish Government has confirmed reports that it intends to implement the
Data Retention Directive by an order of a Minister rather than legislation
passed by Parliament. Ireland did not avail of the derogation under the
Directive to delay implementation in respect of internet traffic data.
Consequently Ireland is now late in implementation and has received a
warning letter from the Commission. The Government has decided to implement
the Directive notwithstanding its own challenge to the legal basis of the
Directive, which is before the European Court of Justice and awaits a
hearing.

The decision to implement the Directive by Ministerial order has been
criticised for excluding democratic oversight by legislators and as being
taken without proper consultation. Paul Durrant, director of the Internet
Service Providers Association of Ireland (ISPAI) has said that:
"The ISPAI is disappointed that such an all pervasive measure . . . should
be enacted without being subjected to the full rigours of (parliamentary)
debate and the public exposure that brings."

Digital Rights Ireland said that:
"It is incredible that the Government proposes to introduce a law which
would require every Internet user to be monitored without any warrant or
prior judicial approval, without any public consultation and without any
debate or vote in Parliament. A law of this gravity should not be made by
stealth.
The Department of Justice appears to be relying on the "urgency" of the
matter to justify bypassing Parliament. But the European law being
implemented was passed in February 2006. The Department has had two years to
introduce a law and it cannot rely on its own delay to justify sidelining
democratic scrutiny.
In any case, it is inappropriate to implement this law whilst it is under
court challenge. The Irish government itself has challenged the validity of
the law before the European Court of Justice. Digital Rights Ireland has
also brought a High Court action challenging the European law. These
proposals will effectively pre-empt the judgment of the courts."

Alarm bells ring over data retention (7.12.2007)
http://www.techno-culture.com/?p=131

E-Mail and chat data to be stored 'within a month' (19.01.2008)
http://www.ireland.com/newspaper/frontpage/2008/0119/1200605160420.html

DRI condemns backdoor implementation of surveillance laws (19.01.2008)
http://www.digitalrights.ie/2008/01/19/dri-condemns-backdoor-implementation-of-surveillance-laws/

(contribution by TJ McIntyre - EDRi-member Digital Rights Ireland)

============================================================
10. Key privacy concerns in France 2007
============================================================

6 January 2008 was the 30th anniversary of the French Data Protection Act.
But no one really cared. The only French contribution to this 2nd European
DP day has been the publication by the CNIL (French DP Authority) of the
results of a poll that it commissioned in November 2007. The poll indicates
that 50% of those asked know of the CNIL. However, only 26% of them feel
they are informed well enough on their rights in terms of personal data
protection, and 61% consider that the constitution of databases is breaching
their right to privacy. Moreover, an earlier study on Internet usage
conducted in June 2007 reveals that the most cited barrier to Internet use
is the fear that personal data are not protected enough (cited by 29% of
Internet users and 23% of non-Internet users). In summary, French people
seem better aware of and more concerned by the possible violations of their
privacy rights. Unfortunately, the CNIL has not published the entire poll
result. Otherwise, we might have had some explanation for the apparent
paradox between this increasing awareness and the growing development of
privacy and data protection violations by French legislation and regulation
without much opposition. 2007, a year of presidential and legislative
elections, has seen further extensions of police powers, major provisions
for the control of migrants, most notably using biometrics and genetic data,
massive extension of children databases and the confirmation that
intellectual property rights prevail over privacy rights in France.

a. Further extensions of police powers

Since the data retention law is already in place, with access to data
granted to police and intelligence services, new developments relate rather
to the implementation and use of the system. To ease the collection and
processing of traffic data directly by the police intelligence forces, a new
technical platform for the interception of traffic data in all types of
communication systems was put into operation in May by the French Ministry
of Interior, covering communication data related to text messages, mobile or
Internet. It is expected that this platform will process 20 000 requests
yearly. In terms of legislative developments, the French law for the
prevention of delinquency of March 2007 introduced a new provision granting
dedicated law enforcement authorities new powers to fight child sexual
abuse: they can now use pseudonyms when they participate in electronic
exchanges for the purpose of investigations, and they can also hold and
provide illegal content for the same purpose. However, they cannot use these
possibilities for crime incitement.

b. Migrants under total control

Whether they ask for a short or long stay visa in French consulates abroad
or they cross any frontier to enter the country (and in the near future to
leave it), migrants are traced and filed. If they are caught in illegal stay
status, they're filed. If, even as legal residents, they choose to return to
their country of origin and benefit from an assistance mechanism for this,
they're filed. If they're legal residents, they're filed too, and they're
filed again if they want to bring their families. Files contain their
personal data, their biometric data, their genetic data, as well as data on
their families, including young children. 2007 has seen major developments
to achieve this total control of foreigners, resulting in their assimilation
to criminals. The immigration law of March 2007 introduced DNA testing
to prove family links for foreign candidates applying for a visa of more
than 3 months on family regrouping grounds. It also introduced the
requirement that the beneficiaries of financial support (foreigners
voluntarily returning home) have their photograph and digital fingerprints
taken and stored in yet another biometric database. An administrative decree
of December 2007 created the ELOI database, aimed at facilitating the
expulsion of illegal migrants. A previous version of the text was cancelled
in March 2007 by the highest French administrative court, after 4 French
NGOs filed a case against the Interior ministry. While the new version of
the decree requires fewer data to be kept on French citizens and
associations in contact with these illegal migrants, personal data of the
migrants and their families remain filed, and are kept for 3 years after
their expulsion.
Finally, another decree published in November 2007 created the VISABIO
biometric database, containing the photograph and the 10 fingerprints of all
foreigners requesting visas, including children over 6. Other data in
VISABIO are related to the foreigner's entry and exit from the territory.
These data are kept for 5 years.

c. Children under surveillance

Children start to be filed at age 3, as soon as they enter elementary
school. This is the result of "Base-élèves", a database set up by the
ministry of Education. "Base-élèves" has been run as an "experiment"
since 2004, and is currently being generalized. It contains personal data on
the children and their families, including psychosocial data, and a huge
amount of information on their competence, skills and problems. Most of the
data are to be kept for 15 years. Such data were supposed to be accessed
only by educators and social actors. However, the French law for the
prevention of delinquency of March 2007 granted new powers to Mayors (as
elementary and primary schools are within their managerial jurisdiction).
Mayors may now "share the professional secret" with many social actors and
thus they are granted access to "Base-élèves", for the purpose of
preventing delinquency. After significant protests from NGOs, parents'
associations and some school directors, the ministry of Education agreed
in October 2007 to remove from "Base-élèves" data related to citizenship,
date of arrival in France and "language and culture of origin" of the child.
However, protests are increasing and national petitions have been launched
to demand the suppression of this file.

d. IPR holders granted private police powers

The French Data Protection Act allows, since its August 2004 revision,
intellectual property rights societies to create private records of rights
infringers through the collection of their IP addresses in P2P networks, the
use of automatic software for such a collection being subject to CNIL
approval. Accordingly, the CNIL decided in October 2005 to reject the
introduction of surveillance devices proposed by Sacem and 3 other author
and producer associations asking for the automatic tracing of infringements
of the intellectual property code. In May 2007, the highest administrative
court cancelled this decision. The court found that the proposed devices are
not disproportionate, and are acceptable considering the extent of the
piracy phenomenon in France. The author and producer associations have thus
resubmitted their request to the CNIL and obtained its agreement in
November 2007. Also in November 2007, an agreement was signed between some
French ISPs and the music and movie representatives in order to act directly
against the big illegal file-sharers. French ISPs would then spy on their
users to see if they are big file-sharers. Those identified could first get
a formal warning, but could then even be cut off or suspended. The agreement
also foresees the possibility of a national register of the subscribers who
were suspended. But the agreement is not applicable yet, since no authority
has yet been created to apply it.

EDRi-gram: ENDitorial: French law on delinquency: the threat to FoE is
elsewhere (14.03.2007)
http://www.edri.org/edrigram/number5.5/enditorial-french-law-delinquency

EDRi-gram: The French Ministry of Interior has a new interception platform
(6.06.2007)
http://www.edri.org/edrigram/number5.11/french-interior-interceptation

EDRi-gram: French High Court cancels the creation of illegal migrants
database (13.03.2007)
http://www.edri.org/edrigram/number5.5/france-cancels-database

EDRi-gram: DNA tests proposed in France for family visa
applicants (26.09.2007)
http://www.edri.org/edrigram/number5.18/dna-test-france-visa

EDRi-gram: Update on DNA and biometrics in French immigration
law (24.10.2007)
http://www.edri.org/edrigram/number4.20/dna-french-immigration-law

EDRi-gram: ELOI - a French database to manage the expulsion of illegal
migrants (16.01.2008)
http://www.edri.org/edrigram/number6.1/eloi-french-database

More details on "Base-élèves" and the protest actions (only in French)
http://www.ldh-toulon.net/spip.php?rubrique141
http://www.ldh-toulon.net/spip.php?rubrique106

EDRi-gram: French State Council allows tracing P2P users (6.06.2007)
http://www.edri.org/edrigram/number5.11/france-tracing-p2p

EDRi-gram: Is the IP address still a personal data in France? (12.09.2007)
http://www.edri.org/edrigram/number5.17/ip-personal-data-fr

EDRi-gram: French ISPs agree to spy on Internet users to stop online piracy
(10.10.2007)
http://www.edri.org/edrigram/number5.19/french-isp-piracy

EDRi-gram: New agreement between the French ISPs and record industries
(5.12.2007)
http://www.edri.org/edrigram/number5.23/french-agreement-piracy

(Contribution by Meryem Marzouki, EDRI member IRIS - France)

============================================================
11. Key privacy concerns in Romania 2007
============================================================

Privacy and data protection do not seem to be a hot topic for Romanian
society. The media generally ignores the topic, unless something related
to an important public figure makes the subject out of the ordinary. The
Romanian Data Protection Authority has failed to become a public supporter
of privacy and has instead emerged as a register of data controllers.
Under these general circumstances, 2007 was a rather calm year, in which the
main success of the government in the field of privacy - the non-adoption of
the data retention law - was obtained by mistake, only due to bureaucratic
reasons.

a. Data retention

The first draft of the data retention law needed to implement the EU
directive was presented for public consultation in May 2007 by the Ministry
of IT&C, but after receiving some comments and organizing a public meeting
to discuss the draft law, the subject seems to have disappeared in the
folders of the ministries, probably also because no one, except the European
Commission, seems to care too much about the law. Therefore, the official
deadline for the implementation of the EU directive passed without the
draft being adopted by the Government. Then, suddenly and without any public
notice, the project re-appeared in December 2007 on the Ministry of IT&C list
of documents in public consultation. The new draft seems similar to the old
one, but it is clear that the Government is on the verge of adopting the act
through an Emergency Ordinance. That means, in accordance with the previous
year's experience and a Balkan style of twisting the meaning of
constitutional wording, that the fact that the official EC deadline has
passed transforms the matter into a national emergency that requires the
approval of the law directly by the Government, leaving the parliamentary
debates on the subject in second place. For now, there are no indications
whether this will happen or exactly when.

b. Romanian DPA

The Romanian Data Protection Authority, created only in the late part of
2006, has been trying to get data protection issues into the public
debate and, so far, has succeeded in organizing several information
sessions - especially with public institutions and the banking sector. This
has been so far a much more positive approach than we've seen in any year
since the adoption of the data protection laws in 2002, but the activity of
the Romanian DPA is far from being satisfactory, especially if we take into
consideration the lack of a strong public position on any privacy issues
present in Romanian state or European activities.

However, the Romanian DPA took two important decisions to reduce its
bureaucratic work and make it more attractive for data controllers to
register with it: to eliminate the registration taxes and the fees for
data transfer to other countries, and to allow the electronic registration
of data controllers.

c. CCTV

Many public and private institutions install CCTV systems as a "perfect
way" to increase the security of their activities, and regulation of these
systems seems to be non-existent, as the cameras appear everywhere
overnight, without any kind of notification to the DPA. The authority has
presented a draft decision on its website to limit CCTV usage and better
explain the rights and obligations, but since 2006 this has remained just a
project.

d. Illegal wiretapping

One of the first court decisions in the matter of illegal wiretapping is
also worth mentioning. The decision taken in May 2007 by the Bucharest
Tribunal was published only in July and, as far as we know for the first
time in Romanian history, the court declared that the wiretapping carried
out by the Romanian Secret Service was illegal and awarded moral damages of
50 000 RON (approx. 14 000 Euros) for privacy infringement. The court,
relying on the European Court of Human Rights cases of Rotaru vs. Romania
and Klass vs. Germany, notes that in this specific case there was "no
subsequent control of the wiretapping basis by an independent and impartial
authority."

Romanian Data Protection Authority
http://www.dataprotection.ro

Romanian Secret Service illegal wiretapping (only in Romanian, 11.07.2007)
http://legi-internet.ro/blogs/index.php?title=sri_ul_asculta_ilegal_telefoanele

Draft Romanian DPA decision on CCTV (only in Romanian)
http://www.dataprotection.ro/images/PDF/decizie_videosupraveghere.pdf

EDRi-gram: Romanian Prosecutors want easy access to communication data
(31.01.2007)
http://www.edri.org/edrigram/number5.2/romania-diicot

EDRi-gram: First draft on data retention law in Romania (9.05.2007)
http://www.edri.org/edrigram/number5.9/data-retention-romania

(contribution by Bogdan Manolea - EDRi-member APTI Romania)

============================================================
12. Key privacy concerns in Netherlands 2007
============================================================

The nominees and winners of the Dutch Big Brother Awards 2007 showed it
clearly: a proper level of data protection in The Netherlands cannot be
taken for granted. A number of big projects and ongoing legislative
efforts threaten the state of data protection in the Netherlands. The
government shows no signs of taking critics seriously. The disinterest
of the public and the ease with which a majority of Dutch citizens are
willing to hand over their privacy for a promise of security led the
jury of the Big Brother Awards to declare the Dutch citizen the winner.
Other winners were the plans for an Electronic Child Dossier, the
National Railways for the RFID transit card system and De Nederlandsche
Bank for its reaction to the SWIFT scandal.

The Electronic Child Dossier is exemplary for data protection in the
Netherlands. The Child Dossier aims to improve child care by building an
extensive digital dossier of each young individual. Apart from
reasonable doubt that the project will result in significant
improvements in child care, the dossier seriously infringes the privacy
of children, their parents and young adults as well. The file will be
updated for every child until they reach the age of nineteen, after
which it will be kept for another 15 years. The dataset is very broadly
defined and will contain a wide variety of medical and psychosocial
data, including all sorts of subjective opinions about children and
their parents. Access restrictions are already insufficient and there is
ongoing pressure to relax them.

The RFID Transit card is another project that is problematic from the
perspective of data protection. Very recently, the Dutch Data Protection
Authority concluded that the current design of the system does not
respect data protection legislation. The system would entail the lengthy
storage of all travel movements in identifiable form. The system, which
is being tested in a number of Dutch cities, has other serious flaws
that make its future uncertain. Some critical parts of it have recently
been hacked, creating a serious political issue.

On the legislative front, the implementation of the data retention
directive is presently being debated in the Dutch Parliament. Although in
early 2006 a majority of the Parliament seemed to agree that retention
periods in the Netherlands would be limited, the government has now opted
for the almost maximum retention term of 18 months both for phone and
internet records. The Parliament is also passing legislation that gives
the Dutch Intelligence and Security Agency (AIVD) the power to claim
complete data files from the private and public sector. The new powers
are specifically directed at the transit, the electronic communications
and the financial sector, but others could also be targeted. The
legislation will allow the agency to profit maximally from the increased
storage of personal data in these sectors, resulting from data retention
legislation and the RFID public transport system discussed above.

A recent report, "Data voor Daadkracht", on personal data processing in
the law enforcement and security sector contained some serious
criticism with regard to the ongoing erosion of data protection in this
sector. It critically examined current data collection by law
enforcement and security agencies and warned the government that an
administration that is increasingly reproached for risking losing sight
of the value of privacy has reason to worry. The government reacted by
rejecting the main conclusions of the report and installing a new
commission which will take another look at "security and the personal
sphere". More specifically the government wants the commission to
consider that "law enforcement officials and social workers sometimes
feel restricted by norms and practices protecting privacy, personal data
in particular. Therefore, the commission will analyse how possible
obstacles can be removed that law enforcement officials and care takers
experience in their work."

Finally, of special interest for data protection in the digital age are
the guidelines for publications of personal data on the Web of the Dutch
Data Protection Authority. The guidelines address a variety of issues,
ranging from the question about the responsibility of intermediaries,
the status of IP addresses, the special care expected from online
services to children and the exception for the media. The guidelines
have been translated into English.

Winner Dutch Big Brother Awards 2007: 'You' (26.09.2007)
http://www.bigbrotherawards.nl/index_uk.html

Dutch RFID Transit Card Hacked (21.01.2008)
http://www.schneier.com/blog/archives/2008/01/dutch_rfid_tran.html

Commission Security and Personal Sphere installed (in Dutch only,
17.01.2008)
http://www.justitie.nl/actueel/persberichten/archief-2008/80117commissie-veiligheid-en-persoonlijke-levenssfeer-geinstalleerd.aspx

Privacy legislation also applies on the Internet - Guidelines finalised
on the publication of personal data on the Internet (11.12.2007)
http://www.dutchdpa.nl/documenten/en_pb_2007_privacy_legislation_internet.shtml

(Contribution by Joris van Hoboken - EDRi-member Bits of Freedom -
Netherlands)

============================================================
13. Main data protection concerns with the EU policy developments in 2007
============================================================

The Lisbon Treaty was signed in December 2007. Notwithstanding the
many criticisms raised by this Treaty, the text, when ratified by all
member States, will bring two major improvements to the EU and its
citizens. First, the Charter of Fundamental Rights of the European
Union will become part of the Community acquis, including its
articles 7 (Respect for private and family life) and 8 (Protection of
personal data). Secondly, the Treaty will allow the accession of the EU
to the European Convention on Human Rights and, hence, will give EU
citizens the possibility of being protected against abuses of their
human rights by EU institutions. This improvement would be very
welcome, especially - though not exclusively - considering the
current inadequacy of data protection under the third pillar (justice
and home affairs). But 2007 has also brought its share of concerns
regarding privacy and personal data protection developments at the EU
level. Besides the SWIFT scandal allowing access by the USA to
European financial transactions, the case of the Google-Doubleclick
merger currently under investigation by the European
Commission (although mainly regarding competition issues), the
continuous concerns related to data retention by search engines, most
notably Google, even though the company announced a slight reduction
of the data retention duration, and the development of RFID chips,
the main concerns with European Union policy in 2007 are related to
PNR data, biometric and genetic data sharing and the still inadequate
level of data protection under the third pillar.

"All governments have the duty to protect their citizens from the
terrorist threat, but the response should be lawful, intelligent and
effective", the Secretary General of the Council of Europe stated, on
the occasion of the Data Protection Day. "I am concerned that some of
the recent arrangements for data exchange, which were introduced at
the insistence of the US Government, fail to meet these criteria", he
opportunely added.

a. Passengers name records (PNR)

In June 2007, a final agreement was reached between the EU and the USA
on European PNR (Passengers Name Records) data, 4 years after the USA
and the EC - illegally - agreed to give US customs officials
direct access to the personal data of passengers flying to, from and
through the United States. It took a lot of protest campaigns, like
the one initiated by EDRI in May 2003, fierce criticism from the
European Parliament and the Article 29 Group, and an annulment by the
European Court of Justice, to finally get to this point. The
agreement reduced the dataset from 34 to 19 pieces including name,
contact information, payment details, travel agency, itinerary and
baggage information, but excluding sensitive data such as ethnicity.
The data may be kept for a total period of 15 years. It was
claimed that for the first time, EU citizens will also be covered by
the US Privacy Act which means they can enforce their rights in US
courts. However, only 3 months after this agreement, the US
government announced some changes in its Privacy Act that give
exemptions from responding to requests for personal information held
to DHS (Department of Homeland Security) and ATS (Automated Targeting
System). The agreement received harsh criticism from the EU Parliament,
Article 29 Working Group, and the European data protection supervisor
(EDPS).

Later in the year, the EU announced its project of creating its own
European PNR system. The plan, put forward in November by the EC, is
similar to the EU-US agreement. The EU will have to collect 19 pieces
of personal data on air passengers coming into and leaving the EU
space, including phone number, e-mail address, travel agent, full
itinerary, billing data and baggage information. The information will
be collected in analysis units that will make a "risk assessment" of
the traveller, which could lead to questioning or even refusal of
entry. The data is to be kept for five years and then another
eight years in a "dormant" database. This plan has already been
criticized by the Parliament, the Article 29 Group and the EDPS, but
will certainly see major developments in 2008. Some member States
have already adopted such measures at national level.

b. Biometric and genetic data sharing

The European Visa Information System (VIS) will probably be the
biggest biometric database in the world. VIS will store data on up to
70 million people concerning visas for visits to or transit through
the Schengen area. This data will include biometrics (photographs and
fingerprints) and written information such as the name, address and
occupation of the applicant, date and place of the application, and
any decision taken by the Member State responsible to issue, refuse,
annul, revoke or extend the visa. Citizens of more than 100 countries
need a visa to enter the EU. The latest discussions, at the end of 2007,
only debated the maximum age at which children should be exempted
from having their 10 fingerprints taken: the Parliament says 12, the Council
wants 5.

But the EU also wants to store and share biometric data of EU
citizens and residents, beyond the data to be gathered through
biometric passports and ID cards. In June 2007, it was agreed
that the Prüm Treaty, originally signed by 7 EU countries in May
2005, will be included in EU legislation with very few
modifications. The decision creates the largest pan-European network
of police databases, sharing DNA profiles, fingerprints and other
personal and non-personal data. The agreement has not taken into
account the advice from the EDPS, who published in December 2007 an
opinion on the implementation of this agreement.

c. Inadequate data protection under third pillar

As the data processed and shared by police and judicial authorities
increase, the need for adequate personal data protection rules under
the third pillar becomes more and more urgent. A draft Council Framework
Decision on the protection of personal data processed in the
framework of police and judicial co-operation in criminal matters was
proposed by the EC in October 2005, but is still pending,
despite the numerous EDPS opinions in this regard. According to the
EDPS, the current draft of December 2007 provides only minimal
harmonization and guarantees, and would only be applicable to
personal data exchanged with other Member States and not to
domestic data processing.

EDRI page on biometrics
http://www.edri.org/issues/technology/biometrics

EDRI page on PNR
http://www.edri.org/issues/privacy/pnr

EDRI page on privacy
http://www.edri.org/issues/privacy

EDPS Opinions
http://www.edps.europa.eu/EDPSWEB/edps/lang/en/pid/25

Article 29 Working Group
http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/index_en.htm

(Contribution by Meryem Marzouki, EDRI member IRIS - France)

============================================================
14. Agenda
============================================================

11 February 2008, Aachen, Germany
PET Convention 2008.1 - informal workshop on Privacy Enhancing Techniques
http://www.pet-con.org/index.php/PET_Convention_2008.1

12 February 2008, Brussels, Belgium
European ICT standardisation policy at a crossroad: A new direction for
global success
http://ec.europa.eu/enterprise/ict/policy/standards/cf2008_en.htm

14 February 2008, Brussels, Belgium
eIdentity workshop
http://www.epractice.eu/workshop/eidentity

23-24 February 2008, Brussels, Belgium
Research Room @ FOSDEM: Libre software communities meet research community -
Introducing Research Friendly
http://libresoft.es/Activities/Research_activities/fosdem2008

10-12 March 2008, Geneva, Switzerland
WIPO Standing Committee on Copyright and Related Rights: Sixteenth Session
http://www.wipo.int/meetings/en/details.jsp?meeting_id=14502

15 March 2008, London, UK
OKCon 2008 - Open Knowledge: Applications, Tools and Services
http://www.okfn.org/okcon/

2-4 April 2008, Berlin, Germany
re:publica - The Critical Mass
http://www.re-publica.de

28-29 April 2008, Vienna, Austria
PRISE Final Conference - Towards privacy enhancing security technologies -
the next steps
Call for papers until 1 February 2008
http://www.prise.oeaw.ac.at/conference.htm

15-17 May 2008, Ljubljana, Slovenia
EURAM Conference 2008 - Track "Creating Value Through Digital Commons"
How collective management of IPRs, open innovation models, and digital
communities shape the industrial dynamics in the XXI century.
http://www.euram2008.org

30-31 May 2008, Bucharest, Romania
eLiberatica 2008 - The benefits of Open and Free Technologies
http://www.eliberatica.ro/2008/

17-18 June 2008, Seoul, Korea
The Future of the Internet Economy - OECD Ministerial Meeting
http://www.oecd.org/FutureInternet

23-25 July 2008, Leuven, Belgium
The 8th Privacy Enhancing Technologies Symposium (PETS 2008)
http://petsymposium.org/2008/

============================================================
15. About
============================================================

EDRI-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRI has 28 members based or with offices in 17 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRI-grams.

All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and visibly on the
EDRI website.

Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 2.0 License. See the full text at
http://creativecommons.org/licenses/by/2.0/

Newsletter editor: Bogdan Manolea <edrigram at edri.org>

Information about EDRI and its members:
http://www.edri.org/

European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.
http://www.edri.org/about/sponsoring

- EDRI-gram subscription information

subscribe by e-mail
To: edri-news-request at edri.org
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.
unsubscribe by e-mail
To: edri-news-request at edri.org
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edrigram-mk.php

- EDRI-gram in German

EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/

- Newsletter archive

Back issues are available at:
http://www.edri.org/edrigram

- Help
Please ask <edrigram at edri.org> if you have any problems with subscribing or
unsubscribing

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
