EDRi-gram newsletter - Number 7.2, 28 January 2009

EDRI-gram newsletter edrigram at edri.org
Wed Jan 28 13:33:30 PST 2009


============================================================

           EDRi-gram

biweekly newsletter about digital civil rights in Europe

    Number 7.2, 28 January 2009
    Special issue - Data protection day

============================================================
Contents
============================================================

Data Protection Day
1. EU proposal puts confidential communications data at risk
2. Privacy and data protection in the Netherlands in 2008
3. Data protection in Italy: Loudly more of the same
4. Romania: Is really privacy a topic in the public debate?
5. UK: Phorm threat
6. Macedonia: Privacy Developments in 2008
7. Austria: Some EU data protection policy developments in 2008
8. France: Who have they forgotten to control today?
9. Germany: A new fundamental right, a privacy mass movement + surveillance
10. Some EU data protection policy developments in 2008
11. Towards International Data Protection Standards
12. Recommended Action
13. Recommended Reading
14. Agenda
15. About

============================================================
Data Protection Day
============================================================

28 January is the European Data Protection Day. For the third time, in 2009,
this date marks the anniversary of the Council of Europe's Convention 108,
the first legally binding international instrument related to data
protection.

This issue of the EDRi-gram is dedicated to the European Data Protection Day
and marks the privacy developments in some European countries in the
past year, as reported by EDRi members. It also includes a warning from
major civil society groups and the EDPS on the adoption of the "voluntary
data retention" in the telecom package.

European data protection day activities - 28.01.2009
http://www.coe.int/t/e/legal_affairs/legal_co-operation/data_protection/Default_DP_Day_en.asp

============================================================
1. EU proposal puts confidential communications data at risk
============================================================

Civil liberties groups La Quadrature du Net, European Digital Rights (EDRi),
AK Vorrat, and Netzpolitik.org are urging the European Parliament to heed
advice given by the European Data Protection Supervisor Peter Hustinx and
scrap plans dubbed "voluntary data retention".

"A proposal currently discussed in the European Parliament as part of the
'telecom package' would allow providers to collect a potentially unlimited
amount of sensitive, confidential communications data including our
telephone and e-mail contacts, the geographic position of our mobile phones
and the websites we visit on the Internet", warns Patrick Breyer of German
privacy watchdog AK Vorrat. "Apart from the creation of vast data pools that
could go far beyond what is being collected under the directive on data
retention, the proposal would also permit the passing on of traffic data to
other companies for 'security purposes'. We must not let a potentially
unlimited amount of confidential data be exposed to risks of disclosure or
abuse in this way", he also said.

"This proposal is lobbied for under the guise of 'security', but what it
really means is that users and citizens would have no expectation of privacy
on the Internet anymore," adds Ralf Bendrath from EDRi. "This is a clear
breach of the European tradition of considering privacy a fundamental human
right."

In a paper published earlier this month, European Data Protection Supervisor
Peter Hustinx joined the critics, warning the proposal would constitute a
"risk of abuse" and "may be interpreted as enabling the collection and
processing of traffic data for security purposes for an unspecified period
of time." Hustinx reached "the conclusion that the best outcome would be for
the proposed Article 6.6(a) to be deleted altogether" - a view firmly shared
by La Quadrature du Net, EDRi, netzpolitik.org and AK Vorrat.

"A few months before the elections, citizens will have the opportunity to
see if the Members of European Parliament are willing to protect their
privacy", declares Jérémie Zimmermann, co-founder of the citizen's
initiative La Quadrature du Net. "Every citizen should inform their MEPs and
ask them to massively reject this article 6 (6a) of the ePrivacy directive.
Other crucial issues about content and network neutrality are at stake as
well. We must remind MEPs that they were elected to protect Europeans'
fundamental rights and freedom rather than abolishing them in favour of
particular interests."

In a letter of September last year, 11 German civil liberties, journalists,
lawyers and consumer protection organisations "urgently" asked the
Commission, the Council and Parliament to scrap the proposed article 6 (6a)
and "maintain the successful regulation of traffic data" which they say has
"proven to constitute the best guarantee for our safety in information
society."

Second opinion of the European Data Protection Supervisor on the review of
Directive 2002/58/EC concerning the processing of personal data and the
protection of privacy in the electronic communications sector (Directive on
privacy and electronic communications) (9.01.2009)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2009/09-01-09_ePricacy_2_EN.pdf

Open letter to MEP rapporteurs (8.12.2008)
http://www.laquadrature.net/files/20081208_LaQuadrature_letter-rapporteurs-tp-second-reading_EN.pdf

Resistance against watering down of traffic data protection (29.10.08)
http://www.vorratsdatenspeicherung.de/content/view/271/79/lang,en/

Position on the processing of traffic data for "security purposes"
(27.01.2009)
http://www.vorratsdatenspeicherung.de/images/wg_esecurity_position.pdf

============================================================
2. Privacy and data protection in the Netherlands in 2008
============================================================

The year 2008 did not improve the course of privacy and data protection in
the Netherlands. The public debate focused on data collection systems
related to fundamental aspects of Dutch citizens' lives, such as
communications, health and movement. Unfortunately, there are no signs that
concerns or incidental public outcry over privacy will lead to significant
improvements to the design of the systems or reconsideration of their goals,
merit and impact on society.

After years of negotiations, the Dutch Data Protection Authority (DPA)
approved the data protection guarantees in the smart card system for the
public transport sector. Besides other major implementation problems, the
smart card system introduces a major privacy concern due to the planned
registration of all travel movements of users of the Dutch public transport
system in a central database. At the end of 2008, the DPA approved the
system after receiving guarantees that only derived data would be used for
marketing purposes with an opt-out and that for any processing of personal
travel movements opt-in will be sought. As there are no hard guarantees
that all personal travel data will be deleted or that the system will not
make it possible to access travel movements in identifiable form, many have
expressed their disappointment with the approval. Another transport related
privacy problem that re-entered the public debate in 2008 was the planned
system for road charging. The current design for the system entails the
collection of details about personal travel movements.

The Dutch Parliament considered the data retention implementation law in the
first half of 2008. In this context, a group of prominent academics voiced
their concern that Dutch society is turning into a control society and a
police state. After the Parliament adopted the law, lowering the data
retention term from 18 to 12 months, the Senate has been critically looking
at the proposal ever since. The Senate also has another law under
consideration that would streamline access for the national security agency
to datasets in the public, communications, transport and financial sector.

Probably the most prominent discussion about privacy took place in the
health sector. The Electronic Patient File (EPD), a centralized system for
the collection and exchange of medical data for use by medical
professionals, caused widespread privacy concerns and generated 170 000
objections. Like the public transport smart card, the EPD has major
implementation problems and has recently been postponed. A similar national
dossier system for children, proposed to improve child care by building an
extensive digital dossier of each young individual, is still on the
political agenda. The broadly defined dataset, including medical data,
psychosocial data and subjective opinions about children and their parents,
will be updated for all children until they reach the age of nineteen, after
which it will be kept for another 15 years.

Finally, a government commissioned report on the balance between privacy and
security in the public sector was published. The report, titled "Do it
simply, Simply do it", concludes that government and public agencies should
be pragmatic, but do much more to protect privacy and deal with the possible
tension between privacy and security while doing their work. The report
gives a number of recommendations and a reference framework for dealing with
privacy and security issues. It advises to "keep it simple, facilitate and
ensure that security and privacy are mutually reinforcing as far as
possible." The report has been widely interpreted in the media as a call to
stop addressing fundamental questions related to the widespread processing
of personal data in the public sector.

EDRi-gram: Dutch Parliament lowers data retention term to 12 months
(4.06.2008)
http://www.edri.org/edrigram/number6.11/nl-data-retention-12-months

Report, 'DO IT SIMPLY - SIMPLY DO IT, to protect security and privacy', (in
Dutch, Bijlage 4 = English Summary, 22.01.2009)
http://www.minbzk.nl/aspx/download.aspx?file=/contents/pages/96602/rapportgewoondoenbeschermenvanveiligheidenpersoonlijkelevenssfeer.pdf

OV-Chipkaart roll-out creeps forward (16.01.2009)
http://www.railwaygazette.com/news_view/article/2009/01/9219/ov_chipkaart_roll_out_creeps_forward.html

(Contribution by Joris van Hoboken)

============================================================
3. Data protection in Italy: Loudly more of the same
============================================================

I am sorry to say that I am skeptical about "days" dedicated to this or that
cause or problem. They are often ignored, sometimes briefly celebrated,
rarely leave any relevant trace over time. There are so many that we shall
soon have one a week - and it won't be more relevant than brunch on Sunday.

On the loud and confusing current debate in Italy about data protection, the
situation could be summarised in four words. More of the same. There has
been a lot of wiretapping (sometimes real, sometimes imaginary or
overstated) for over sixty years (actually also long before that, but it's
reasonable to start from when Italy returned to democracy and freedom after
World War Two). And of course it extended to electronic
networks since the very beginning. It's a notorious, though rarely
published, fact that there were legitimate police forces, as well as
"undercover" spies by secret services or private interests, including
scamsters and organised crime, lurking since the days when networking was
based on BBSs or newsgroups and the extended use of the internet was not yet
developed.

Privacy and data protection were practically ignored until a poorly
conceived law was instated in 1996, creating a bureaucratic body called
"Ufficio del Garante" that was supposed to be an "ombudsman" but, de facto,
has rarely done anything in that role, being much more concerned with
complicated and inefficient formalistic ruling and with occasional attention
to the specific cases of politicians or "famous people" being
embarrassed in their "privacy" or spied on in legal or illegal ways.

The currently loud debate is more confusing than it is meaningful. While
everybody is saying that it's about the rights of citizens, the truth is
that it relates to the conflicting interests of politicians and mass media.
There have been, over the years, many episodes (and discussions) about
intercepting private telephone conversations, or online communication -
sometimes legally, sometimes not - including some invasive spying done
secretly by individuals or departments in telecoms - in addition to ISPs
being forced by authorities or police to spy on their customers. Another
source of aggressive debate is the "leaking" to the press of recorded
conversations, including private dialogues unrelated to any criminal
investigation.

At this stage, it's hard to understand what is actually happening and what
may happen in the next few days or weeks - or maybe never. Italy's Prime
Minister has publicly announced that he will make "shattering revelations",
but we don't know if and when he, or some government spokesman, will
actually do so - and what the "scandal" might imply. There is threatening
talk about new legislation, but so far no indication of what, when and how.
Also the issue of data retention is discussed in contradictory and confusing
statements, some proclaiming the need to extend it in size and time and some
saying the opposite (more for the cost and organisation problems of
generating and maintaining vast databases than for the protection of
citizens' privacy).

Is this just more inconclusive noise, as has happened many times, or will it
lead to some action on a national scale or (as has been suggested) as
recommendations to the European Union and/or on a wider international scale,
maybe including the G8 meeting to be hosted in Italy in July 2009?

Quite simply, we don't know. And, as far as we can tell, nobody (so far) has
a clear idea of what those rulings or suggestions might imply. There may be
some news in the next few days, or it could take much longer, or it could
vanish (if only for a while) from the political and media scene as other
priorities prevail. Right now, we can only wait and see.

EDRi-gram: ENDitorial- Seizures and other abuses - from bad to worse
(22.10.2008)
http://www.edri.org/edri-gram/number6.20/seizures-and-other-abuses

ALCEI - Data Retention
http://www.alcei.org/?cat=4

Data retention - not only a privacy issue - Civil rights and ambiguity of
crime "prevention" (24.01.2004)
http://gandalf.it/free/datret.htm

Internet freedom, privacy and culture in Italy (and the activity of NGOs)
(02.2000)
http://gandalf.it/free/ifp.htm

(contribution by Giancarlo Livraghi - EDRi-member ALCEI - Italy)

============================================================
4. Romania: Is really privacy a topic in the public debate?
============================================================

Privacy is a sporadic keyword in the Romanian mass-media, and even less used
in public speech. It becomes an ideal motivation only when talking about some
local stars' private life and their juicy intricacies, while the real debate on
the most important issues is completely lacking. The Human Rights Committees in
the Parliament seem unfamiliar with the topic and the Data Protection
Authority prefers to keep its quiet status. What to discuss anyway?

A law on the Police DNA database was approved by the Parliament in 2008.
The subject did not seem to be appealing for any public debate and the
Chamber of Deputies Human Rights Committee did not see even a minor problem
with that version, so they adopted it unanimously with no amendments. No
reference or report from the data protection authority was considered
useful, but a "simple reference" to law 677/2001 was indicated. The deletion
of the stored data is possible only by decision of the court or prosecutors
that are investigating the case. Therefore, if they forget about that, you
need to start your own case on this. The law provides for 30 crimes
for which collecting DNA is possible.

The April Eurobarometer that investigated perceptions on data protection
among EU citizens shows that 79% of the Romanians have no idea that there is
a law in the field of personal data. I might add to that: if the other 21%
were asked to name it, probably at least 19% would have found that they were
wrong.

The same study reveals that Romania ranks first among EU countries in the
percentage of people (47%) who do not know that there are laws allowing
you to have access to your personal data kept by others. Not surprising with
a Data Protection Authority which is understaffed and has insignificant
powers or will to be an active voice in the public sphere.

But let's be more positive. How can you not be happy when you might find,
after you finish your master courses at the prestigious Academy of Economic
Sciences (ASE) in Bucharest, that you have an account at a Romanian Bank
without signing any act or being informed about it. Isn't it funny to get a
bank statement home from a bank account you had no idea about? The bad part
is that there is no money in it, only the traditional bank commission. The
Representative of ASE must be right: the students are to blame, because they
did not check the ASE web page.

And let's be smart. We may already find a few websites presenting real
databases of Personal Numerical Code (CNP) or just simulated CNP that seem
real. CNP is a 13-digit number on everyone's ID, which should be the
"master identifier". One of the reasons for these databases is that some
telecom operators are asking for the CNP data to activate some extra options
on the pre-paid cards. Should we care?

The Romanian Government decided to start issuing biometric passports
starting with 1 January 2009, after postponing it a couple of times.
Although most of the public comments against the law involved arguments
related to the "corporate conspiracy", "devil's hand" or "666 dangerous
number", a court case has been initiated by a lawyer in order to stop its
application on privacy grounds. It remains to be seen what the judge will
decide.

The data retention law was approved by the Parliament, even though all the
major key-actors involved in the discussion have agreed that it is useless
and it will not work. But they have supported it, because Romania can't make
a stand in front of the EU. Not yet, at least. Funny enough, the law
includes the first crime related to the misuse of personal data (the
intentional access to the data without a proper authorization is a crime
punished with prison from 6 months to 2 years.)

Even funnier, after the draft law had received almost no comments and little
interest from the media and general public, the day it entered into force
someone discovered it in the Official Journal and a public outcry started
with tons of newspaper articles on the new law, stating that the law "will
keep all the content of communications, including phone calls, SMSs and
emails."

Politicians started to appear on TV claiming privacy breach, when only 3
months before they raised their hands to support the same law. Another
brave action - an online petition - gathered a lot of signatures claiming
that the Romanian Government will create an "archive of all emails sent
by Romanians." All this when the new law says - in black and white - that
the content is not kept. But saying that, you are already a protector of the
government intrusion into the private life.

So, I am wrong - privacy is in the public debate. With the totally wrong
subject and no legal arguments, but it is somewhere there. Shouldn't we be
happy?

EDRi-gram: Romanian Govt adopts Data retention law, but calls it inefficient
(27.02.2008)
http://www.edri.org/edrigram/number6.4/romania-data-retention

EDRi-gram: Eurobarometers on data protection in EU (23.04.2008)
http://www.edri.org/edrigram/number6.8/eurobarometer-data-protection

Over 300 master students from ASE accuse the institution of opening bank
accounts without their knowledge (only in Romanian, 24.04.2008)
http://economie.hotnews.ro/stiri-finante_banci-2866018-peste-300-fosti-masteranzi-ase-acuza-institutia-deschis-conturi-bancare-fara-stirea-lor.htm

Law 76/2008 - Police DNA Database (only in Romanian)
http://www.cdep.ro/proiecte/2008/000/10/8/leg_pl018_08.pdf

Some things about biometric passports (only in Romanian, 27.01.2009)
http://legi-internet.ro/blogs/index.php/2009/01/27/citeva-chestii-pasapoartele-biometrice

(contribution by Bogdan Manolea, EDRi-member APTI - Romania)

============================================================
5. UK: Phorm threat
============================================================

One particular commercial threat to internet privacy should be looked at
very closely by our fellow European Digital Rights campaigners.

That threat is Phorm: an invasive and probably illegal web advertising
technology that could soon be coming to you.

Phorm works by looking at the web traffic between you (an ISP client) and
the sites you visit. Phorm examines the content of the web pages you visit,
and logs keyword information derived from it. Phorm can then deliver adverts
to you based on keyword information.

For instance, if you visit car related sites, and make searches for new car
models, you would start seeing car adverts when you visit Phorm's partner's
websites.

UK EDRi-member Open Rights Group (ORG) was alerted last March on the serious
privacy concerns Phorm poses, and has been working hard to establish what is
really being advocated.

We believe the technology is fundamentally invasive and illegal. Permission
to examine data moving from website visitor and owner must be approved in
advance by both parties. Not obtaining permission from both parties is
illegal.

Yet UK ISPs such as BT and Virgin are not seeking to gain permission from
website owners.

Seeing web traffic as belonging to sender and receiver is the right way to
view privacy on the net. The data on websites belongs to many people, and
the data exchanged and the relationship between a client and a website owner
should remain private.

Despite these obvious privacy and legal worries, Phorm could soon be on the
agenda in your country too.

ISPs are interested because it gives them the potential to dominate the
internet advertising sector.

Many 'content creators' and EU governments could be interested in Phorm,
because they perceive ad revenues to be slipping from traditional domestic
outlets.

This is why you need to be interested, as Phorm's invasive technology could
easily be seen to be a panacea for Europe's advertising market troubles.

Foundation for information policy research - Open Letter to the Information
Commissioner (17.03.2008)
http://www.fipr.org/080317icoletter.html

The Phorm storm (12.03.2008)
http://www.openrightsgroup.org/2008/03/12/the-phorm-storm/

4 good reasons not to take part in the BT Webwise trial (30.09.2008)
http://www.openrightsgroup.org/2008/09/30/4-good-reasons-not-to-take-part-in-the-bt-webwise-trial/

What BERR want from Phorm - and what we think they're missing (19.09.2008)
http://www.openrightsgroup.org/2008/09/19/what-berr-want-from-phorm-and-what-we-think-theyre-missing/

The Phorm "Webwise" System (18.05.2008)
http://www.cl.cam.ac.uk/~rnc1/080518-phorm.pdf

(contribution by Jim Killock, EDRi-member Open Rights Group - UK)

============================================================
6. Macedonia: Privacy Developments in 2008
============================================================

Even though the Constitution of the Republic of Macedonia and the Law on
Personal Data Protection (LPDP), the Criminal Code, Law on Organization and
Operation of State Administrative Bodies and other laws recognize and
protect the rights of privacy, data protection and secrecy of
communications, the implementation of these protections has met with major
difficulties during 2008.

A small number of Macedonian NGOs cover the issue of privacy, and during
2008 their main concerns involved the protection of human rights of children
on the Internet - including the privacy of children - and the protection of
privacy by the police and law enforcement agencies.

In July 2008, the Parliament ratified the Additional Protocol of the
Convention for the Protection of Individuals with regard to Automatic
Processing of Personal Data regarding supervisory authorities and
trans-border data flow. This document was signed on 4 January 2008. In July
2008, the Parliament also enacted the Law that amends the LPDP and increased
the fines for spamming. Both pieces of legislation (the Additional Protocol
and the amendments) came into force on August 19, 2008.

The main amendments and modifications were made for the harmonization with
the EU acquis and CoE Convention, adding specific provisions regarding video
surveillance, the independence of the Directorate for Personal Data
Protection and the simplification of the notification and complaint handling
procedures.

For the period of 2007-2008, the Directorate gave priority to public
awareness on the right of personal data protection. In cooperation with the
EDRI-member Metamorphosis Foundation it implemented the Norwegian model on
raising public awareness for youngsters, through creation of educational
content and conducting public events in three secondary schools.

During 2008, Metamorphosis Foundation implemented the Children's Rights on
the Internet - Safe and Protected (CRISP) project, co-funded by the European
Initiative for Democracy and Human Rights (EIDHR) and Metamorphosis. It
included establishment of a network of 12 NGOs working on the promotion and
safeguarding of children's rights online in cooperation with the Directorate
for Personal Data Protection. Project activities included developing a
curriculum and educational resources in Macedonian and Albanian, available
both offline and online, and conducting trainings. The trainings covered 50
primary and 20 secondary schools with participation of 8,482 children, 1,138
parents and 1,170 teachers from 12 cities and 7 villages from all parts of
Macedonia.

A public panel on privacy in Macedonia held on 26 August 2008, as part of a
public consultation to elaborate the Macedonia Report for Privacy and Human
Rights Report 2008, reiterated the assertions from the previous year that
there has been no public knowledge about cases of implementation of privacy
protection provisions of the Law on Electronic Communications, and spamming
remains widespread practice in the Macedonian business sector. Moreover, at
least one company continues to provide spamming services for other
companies, and the number of Macedonian legal entities who have a privacy
policy remains insignificant.

Even though wiretapping is regulated and unauthorized wiretapping is
prohibited, the wiretapping cases initiated in the past have not reached
closure in court. The most notable example is the process against the state
initiated by 17 journalists who have been subject to surveillance in the
"Big Ear" affair of 2001. Over seven years, four different judges have
unsuccessfully presided over this trial, and it was finally resolved at a
retrial in June 2007. The state was found guilty, but the 17 plaintiffs
stated that they remain dissatisfied with the compensation and the whole
process. Their representatives stated that they won't discontinue the trial
already underway at the European Court of Human Rights in Strasbourg, based
on their complaint. In September 2008, the Appellate court confirmed the
verdict of the basic court, but lowered the damages from the initial 6.000
Euros to approximately 4.000 Euros per journalist. The journalists have
stated that "they are not satisfied with the compensation, and the precedent
sets a signal that the violation of human rights is cheap in Macedonia."

After the Parliamentary elections of June 2008, the Government and the
Parliament used an unjustified fast-track procedure, to adopt changes and
amendments to over 164 laws in July and 17 laws in the following month
without any public debate. These changes included amendments of the Criminal
Procedure Code and the Law on Communication Interception that widened the
powers of surveillance for the law enforcement agencies.

Prominent NGOs such as Foundation Open Society Institute - Macedonia,
Association for Criminal Justice and Criminology of Macedonia and Helsinki
Committee for Human Rights of the Republic of Macedonia condemned the
legalization of preventive surveillance and removal of need to justify
special investigative measures with evidence of reasonable doubt before the
judiciary. The NGOs warned that these changes can turn Macedonia from a
state based on a rule of law into a "police state unconcerned with respect
of basic human rights and freedoms."

In practice, even the older, stricter legislation was not enforced. The
Parliamentary Committee for the supervision of the application of
communication interception techniques by the Ministry of the Interior and
the Ministry of Defense was denied access to data and did not issue any
reports during 2008.

Metamorphosis Foundation also provided opportunities for raising awareness
of opinion and decision makers, for instance, by including data protection
sessions within the 2008 agenda of the Fourth International Conference
e-Society.mk focused on ICT in Education.

In order to raise public awareness, Metamorphosis also formed an
ad-hoc coalition of NGOs and other institutions to celebrate the Freedom Not
Fear Day in Macedonia. FNF coincided with the public holiday of 11 October -
the Day of uprising against fascism in World War II, and involved organizing
public debate at the faculty of law and distribution of information on video
surveillance on university campuses and the centre of Skopje, including an
infostand and public survey. Several thousands of people were reached by
these activities, and most citizens expressed concerns about various ways of
"spying" conducted by the Government, corporations and individuals which
threaten their privacy.

During 2008, legal experts and human rights activists raised concerns about
the extensive use of detention and violation of privacy and the presumption
of innocence. The Macedonian Helsinki Committee and the Human Rights Project
continuously condemned spectacular arrests by the police, which included
inviting the media to film the handcuffed suspects escorted by law
enforcement officers. Only one TV station with license for national
coverage, TV Telma, adopted a policy to no longer broadcast such arrests and
police-escorted transports.

Reacting to changes in the legislation, the Helsinki Committee also organized
public debate on the reasonable expectations in regard to privacy protection
versus efficiency in the fight against crime and corruption in a state of
laws on 25 November 2005. However, state representatives failed to appear at
the debate and provide arguments that would alleviate the concerns raised by
the representatives of the civil and academic sector.

Metamorphosis Foundation
http://www.metamorphosis.org.mk

International Conference e-Society.mk
http://www.e-society.mk

Macedonia: Public outcry over new legislation for preventive surveillance
http://www.metamorphosis.org.mk/content/view/1198/4/lang,en/

Freedom Not Fear in Macedonia (10-11.10.2008)
http://wiki.vorratsdatenspeicherung.de/Freedom_Not_Fear_2008/Skopje

Debate on Privacy in Macedonia (26.08.2008)
http://www.metamorphosis.org.mk/content/view/1250/3/lang,en/

Appellate court confirms: The Big Ear Journalists were
wiretapped (only in Macedonian, 2.09.2008)
http://www.vecer.com.mk/?ItemID=C50F895AE5A071478301A8CF24F47A51

Decree for enacting the Law for changing and amending the Law on Personal
Data Protection (only in Macedonian, 19.08.2008)
http://dzlp.mk:8500/FILES/1164/PUBLIC/CONTENT/57980790416419030709141_FILES/ZAKON_ZA_IZMENUVAWE_I_DOPOLNUVAWE_NA_ZAKONOT_ZA_ZA%5BTITA_NA_LI%5ENI_PODATOCI.pdf

Fees ranging from 500 to 2000 Euros for unwanted spam-messages (only in
Macedonian, 29.08.2008)
http://www.dnevnik.com.mk/?itemID=1FD6BF9F94C51940AA425A047194D9B5&arc=1

Debate on Privacy in Macedonia, Metamorphosis Foundation (29.09.2008)
http://www.metamorphosis.org.mk/content/view/1250/3/lang,en/

Directorate of Data Protection in Macedonia - Legal grounds for the
protection of personal data in the national legislation
http://www.ceecprivacy.org/main.php?s=2&k=macedonia

Helsinki Committee for Human Rights of the Republic of Macedonia
http://www.mhc.org.mk

Human Rights Support Project
http://www.hrsp.org.mk

(contribution by EDRi-member Metamorphosis Foundation - Macedonia)

============================================================
7. Austria: Some EU data protection policy developments in 2008
============================================================

In Austria the international data protection day on 28 January will pass by
largely unnoticed. This year, as already in 2008, the Data Protection
Commission (DSK; the Austrian Data Protection Authority) and the Data
Protection Council (DSR; a political advisory board) will together organise
a meeting for a strictly limited number of interested persons (max. 100
participants) where they will present European and international
developments in data protection. In contrast to 2008, when they were
confronted with far more than 100 registrations, this year's event was
promoted very poorly. It is not even mentioned on the homepage of the DSK or
on the 'Data Protection Day' website of the Council of Europe!

This situation is somewhat symptomatic of Austrian data protection. Data
protection here usually is not for the masses, it is an administrative task
that involves formalised decisions rather than public debate and open
discussions. It's a pity that the organisers of this year's event chose to
maintain the access restrictions. Opening the event for a broader audience
would have given the option for further development towards an annual
Austrian Data Protection Conference. For this year the chance is gone but
there is another chance next year. We'll keep you informed.

The following paragraphs provide a summary of major developments in the past
year with regard to legislative initiatives, surveillance trends and
important data breaches. Finally an outlook to the coming years will be
presented.

Legislative Initiatives

On 6 December 2007 the Austrian Parliament adopted a reform of the law on
security police. Ten minutes before midnight of that day (the last
parliamentary session of the year) members of the governing parties (Social
Democrats and Conservatives) tabled an amendment that significantly
increased the surveillance possibilities for security police, while ignoring
the usual parliamentary workflow of discussing amendments in the relevant
committee before voting. The result of this initiative is that mobile
telecommunication and Internet providers have to provide location
information of mobile phones and IP addresses on request of security police.
A court permission is not required! In the first five weeks of 2008 location
data of 82 mobile phone users and the identity of 2.766 subscribers were
requested. According to an article published in the Austrian newspaper "Die
Presse" there are 32 such requests per day. The members of the Parliament
who tabled the mentioned amendment received the Austrian Big Brother Award
2008. Several complaints against the law were filed with the Austrian
Constitutional Court.

In April 2008 an amendment to the Data Protection Act 2000 was published for
comments. Key elements are legal requirements for video surveillance by
private operators, new requirements for private businesses with at least 20
employees to create the position of a data protection supervisor and
harmonisation of responsibilities (the federal government gets all data
protection competences). Currently the Data Protection Commission has to
approve video surveillance installations of private operators. According to
the proposed amendment video surveillance will be allowed in future if
dangerous attacks or criminal offences were committed in that area within
the last 10 years, or if expensive objects worth more than 100.000 EUR or of
exceptional artistic value need to be protected. Video surveillance needs to
be properly announced and will remain prohibited in toilets and changing
rooms. Furthermore the amendment proposes a centralised database of all
private video surveillance installations. If needed the police will be
allowed to access the data of these cameras. In general the retention of
video data will be limited to 48 hours, which can be extended on request to
the DSK. In future it will not be required to file realtime
video-surveillance with the DSK. Police access to highway video surveillance
is envisaged and chance discoveries may be used for penal action. Due to
the premature reelections of the Austrian Parliament in 2008 the amendment
to the Data Protection Act 2000 finally did not make its way through the
legislative process. It is expected to re-appear in 2009.

On the proposal of the European Commission on the use of Passenger Name
Record data, Social Democrat MPs tabled a motion for resolution with the
Austrian Parliament. They proposed to wait for the decision of the European
Court on the structurally similar data retention directive and for the entry
into force of the Lisbon treaty. Furthermore they asked to consider the
opinion of the Article 29 working group on the Commission proposal, since
there are severe data protection concerns.

Data retention - The data retention directive is still not implemented in
Austria. There are no known plans to do so in the near future.

On biometric passports the Council of Ministers decided in June 2008 that
fingerprints of the two index fingers (if existing) will be stored on an
RFID chip on the passport. The data will additionally be stored for up to
four months at the Staatsdruckerei, which produces the passports. Currently
the parliamentary decision-making process is ongoing: On 21.01.2009 the
National Council adopted the respective law with votes of all represented
parties except the Greens. The Federal Council will vote on it on
27.01.2009, one day before the International Data Protection Day. It is
expected that the law will not be rejected there.

In 2007 the Federal Minister of the Interior and the Federal Minister of
Justice agreed on the implementation of hidden uses of remote forensic
software (so called federal trojan horses) and established a working group
to work on the details of the legal and technical issues. In April 2008 the
working group published its final report. The experts claimed that from a
constitutional point of view a number of fundamental rights are affected
which limit the implementation of such online-searches and constitute
warranty deeds for the state.

Surveillance Trends

The major surveillance trends of 2008 all focus on uses of video
surveillance. In traffic control we saw the introduction of systems for
automated checking of road tax vignettes, automated scanning of vehicle
number plates where the collected data is checked against a wanted vehicles
list, and the use of video surveillance for the enforcement of speed limits
(section control). In the case of section control Austria's highest courts
decided that it may only be used on a case-by-case order of the competent
Minister, including a detailed description of the special setup.

Other examples of increased video surveillance are the pilot-use of
video-surveillance in trains of Vienna's underground, where data are stored
for 48 hours, video surveillance in trains of the Austrian Railway and
video surveillance in residential buildings owned by the City of Vienna
where garages, elevators and rooms for dust bin storage will be monitored.
The pilot phase of the so-called dust bin monitoring was approved by the DSK
and will last until the end of 2009. The aim is protection against vandalism.

Important data breaches

In 2008 the case of a teenage asylum seeker and her family received lots of
media coverage in Austria. When the pressure on the Ministry of the Interior
was too intense, personal data on a family member from the police
information system EKIS and from the police file index leaked to the public.
Pictures from these files together with a corresponding press release were
published on the Internet by a senior official of the Ministry. Police
investigations on this data leakage are ongoing.

The administration of the residential buildings of the City of Vienna,
Wiener Wohnen, sent a questionnaire to all 220 000 renters of their flats
asking for their opinion on their flat, their neighbours, the surrounding of
the building, the security situation, their administration and the City of
Vienna. Wiener Wohnen offered that the questionnaire could be returned
anonymously by blacking out the name printed on the form. The responsible
City Council said that the barcode on the second page of the form would only
be used as a reference to the administrative district the answer came from.
This was at best misleading, since the barcode contained the
renter's complete customer number, which allowed for a personalisation of the
answers given on the questionnaire. The director of Wiener Wohnen received
the Austrian Big Brother Award 2008.

Outlook

After the premature reelections in 2008 a new government took office last
year. Their government programme includes the following topics relevant to
data protection: The use of remote forensic software (so called federal
trojan horses) by police will be allowed. It will be clarified that the DSK
is not competent in cases where the Criminal Investigation Department is
active in cases of criminal law. The cooperation with Schengen partners will
be intensified, common Visa- and Biometric-Centers will be established,
possible cooperation with external service providers (outsourcing) will be
analysed. A DNA-Offensive aims for a nationwide collection and analysis of
DNA samples and will serve as a basis for new application areas. Electronic
health records will gain increased importance.

The implementation of the data retention directive is not mentioned in the
government programme. A decision of the Constitutional Court on the
complaints against the law on Security Police is expected in 2009.

At this year's election of the Austrian Students Union in May 2009 the
Federal Government wants to run an e-voting pilot. The Austrian Students
Union strongly opposes these plans due to unresolved legal and technical
questions. The Data Protection Council also advised refraining from these
plans. This pilot election is commonly considered to be a test-case for the
use of e-voting in elections to the Austrian Parliament.

Data Protection Commission
http://www.dsk.gv.at/

Law on Security Police (only in German)
http://www.parlament.gv.at/PG/DE/XXIII/BNR/BNR_00181/pmh.shtml

Die Presse on access to location information and IP addresses by Security
Police (only in German)
http://diepresse.com/home/panorama/oesterreich/370803/index.do

Austrian Big Brother Awards (only in German)
http://www.bigbrotherawards.at/2008

Proposed amendment to the Data Protection Act 2000 (only in German)
http://www.parlament.gv.at/PG/DE/XXIII/ME/ME_00182/pmh.shtml

Motion for a resolution on PNR-data (only in German)
http://www.parlament.gv.at/PG/DE/XXIII/A/A_00651/pmh.shtml

Parliamentary decision on biometric passports (only in German)
http://www.parlament.gv.at/PG/PR/JAHR_2009/PK0023/PK0023.shtml

Final report of the working group on remote forensic software (so called
federal trojan horses) (only in German)
http://www.justiz.gv.at/_cms_upload/_docs/AG_OnlineDurchsuchung_Endbericht.pdf

Government programme of the Austrian Federal Government (only in German)
http://www.oevp.at/Common/Downloads/Regierungsprogramm2008-2013.pdf

Opinion of the Data Protection Council on E-Voting at the elections to the
Austrian Students Union (only in German)
http://www.bundeskanzleramt.at/DocView.axd?CobId=31084

(contribution by Michael Hofer and Andreas Krisch - EDRi member VIBE!AT)

============================================================
8. France: Who have they forgotten to control today?
============================================================

The CNIL, the French Data Protection Authority, published on 20 January
2009 a report on a massive control operation it conducted on the STIC
("Système de traitement des infractions constatées" or "Recorded offences
treatment system"), a huge police database. The report reveals that the STIC
is consulted by each one of the 100.000 authorised policemen 200 times a
year on average. This immediately reminded me of the old British Telecom
slogan: "who have you forgotten to call today?"

Police files have been the main concern in France in 2008, especially after
the creation, by decrees published on 1st July 2008, of two new intelligence
databases, EDVIGE and CRISTINA. CRISTINA aims at "Centralising inland
intelligence for homeland security and national interests", and is covered
by the defence secret, which means that no one knows any detail on this
file. This is not the case of EDVIGE, which has generated such a massive
mobilization in society that the government finally had to withdraw the
EDVIGE decree in November 2008.

EDVIGE would have systematically gathered information on any person having
applied for or exercised a political, union or economic mandate or playing
a significant institutional, economic, social or religious part as well as
information on any person, starting from the age of 13, considered by the
police as a "suspect" potentially capable of disrupting the public order.
After the strong opposition of a large number of associations, political
parties, unions and individuals, with a petition signed by almost 220.000
individuals and 1200 associations, a complaint filed by 12 labour unions and
rights organizations, among them EDRI-member IRIS, before the French highest
administrative court, and a huge national day against EDVIGE on 16 October
where 10.000 persons took part in demonstrations in 60 French cities, the
government finally had to react. It announced a modified project, called
EDVIRSP, not yet published. While the new file would explicitly exclude
information related to people's health or sexual orientation, it would keep
other sensitive personal data such as ethnic origin, as well as political,
philosophical, religious opinions or union affiliation, and would still
allow the police to store data on minors starting at the age of 13 if they
are considered a threat to public safety.

CNIL's President said that "the STIC is more dangerous than EDVIGE", because
of the huge number of errors the CNIL has found in the STIC. But the main
difference is that the CNIL will never be able to establish errors in
EDVIGE, unlike in the STIC, because EDVIGE will never contain any facts,
but simply presumptions of facts that could be committed.

The STIC is dangerous enough, however. The file has existed since 1995, but was
officially created only in 2001. The CNIL report established that the STIC
now concerns half of the French population, without any age limitation. An
individual is registered in the STIC by the police after an offence has been
committed. The point is that one can be registered either as a victim, or as
the suspected author of the offence. Then the file is supposed to be updated
after a court decision, which might find that the suspected author is not
guilty. But the CNIL report findings are that this update very seldom
occurs, and that sometimes a victim is mistakenly registered as a suspect.
All in all, the STIC error rate found by the CNIL is 83%. Not only is this
error rate 'staggering', as CNIL's President commented, but it also has
major social consequences, since in 2003 a law extended the STIC's purposes
to the records checking of people applying for a wide range of jobs,
especially in the security field. The report estimates at 1 million the
number of persons who weren't hired, or were fired from their jobs, simply
because they were wrongly recorded in the STIC, sometimes because they
actually were a victim, sometimes because their situation wasn't updated
after a court decision. STIC opponents warned against these dangers as early
as 10 years ago. Here we are now.

In December 2008, another report commissioned by the French Ministry of
Interior has inventoried some 45 police files, whereas 34 were already in
place in 2006. Some of them contain biometric and genetic data.

Among the biometric files, a centralized population database is currently
being established, with the decree on French biometric passport having been
published on 30 April 2008. A complaint filed against the French government
by EDRI-member IRIS and the French Human Rights League is still pending.
Main arguments of the complaint are: the collection of 8 digital
fingerprints of the passport holder (whereas the European Council regulation
requires only 2), the fact that this also applies to children starting from
age 6, and the creation of a centralized database containing all information
on the passport holder, including biometric data.

Another pending complaint against the French government concerns the ELOI
database, created to manage the expulsion of illegal migrants. The complaint
has been filed by EDRI-member IRIS, with the French Human Rights League and
two other French organizations for the support of migrants. This database
was created by decree on 26 December 2007, after the same organizations
won a previous complaint against a first version of ELOI. For the
plaintiffs, a data retention period of 3 years, as well as the collection of
migrants' children data, still violate the French and European
legislation on data protection.

These files are only examples of a strong and enduring trend in France,
which consists of huge centralized population databases, increased use of
biometric and genetic data, considering migrants as a target, and, last but
not least, specifically targeting children.

Year 2008 has shown however that the concern is growing in the general
public, and this is a good sign. While the French have not really reacted to
data retention issues, they seem to start considering that police databases
and other files created by other administrations, especially when they
concern children, are now going too far. When the government is facing
massive citizen mobilisation, it has to go backwards. This is the lesson
learnt with EDVIGE in 2008.

The year 2009 needs to be watched carefully, though. The law implementing
the "graduated response" or the "three strikes approach" against filesharers
is expected to pass this year. New measures to fight cybercrime have also
been announced. EDVIRSP, the new version of EDVIGE, is expected soon. And
the draft law on biometric ID cards has been ready for months, and will
probably be submitted to the Parliament as soon as things calm down on the
privacy front.

CNIL Report: Conclusions on the control of the STIC (only in
French, 20.01.2009)
http://www.cnil.fr/fileadmin/documents/approfondir/dossier/Controles_Sanctions/CNIL-Conclusions_des_controles_STIC.pdf

IRIS Press Release: 'CNIL's control of the STIC: a healthy exercise, but
timorous conclusions' (only in French, 23.01.2009)
http://www.iris.sgdg.org/info-debat/comm-stic0109.html

EDRI-gram: French EDVIGE decree withdrawn (3.12.2008)
http://www.edri.org/edri-gram/number6.23/edvige-retired

French Interior Ministry Report: 'Better controlling mechanisms
implementation to better protect freedoms' (11.12.2008, only in French)
http://lesrapports.ladocumentationfrancaise.fr/BRP/084000748/0000.pdf

EDRI-gram: Complaint Against The French Govt To Annul The Biometric Passport
Decree (16.07.2008)
http://www.edri.org/edrigram/number6.14/complaint-french-biometric-passport

EDRI-gram: Eloi - A French Database To Manage The Expulsion Of Illegal
Migrants (16.01.2008)
http://www.edri.org/edrigram/number6.1/eloi-french-database

(Contribution by Meryem Marzouki, EDRI member IRIS - France)

============================================================
9.  Privacy in Germany 2008: A new fundamental right, a privacy mass
movement, and the usual surveillance suspects
============================================================

The year of 2008 can be marked as the year where privacy moved high on the
public agenda in Germany. On 1st of January, the law on data retention went
into effect, which made Germany drop from number one to seven in the country
ranking published by Privacy International. On the same day, a
constitutional challenge was submitted at the supreme court. The German
working group on data retention and its allies managed to have more than
34,000 people participate in this case - the largest constitutional
complaint ever seen in German history. The paperwork had to be brought to
the constitutional court in huge moving boxes, which also offered a nice
photo opportunity for everyone wanting to demonstrate how many people oppose
data retention.

In February we saw the constitutional court decision on secret online
searches of people's hard drives (the "federal trojan"). The court limited
the use of this tool to cases where there are "factual indications of a
concrete danger" in a specific case for the life, body and freedom of
persons or for the foundations of the state or the existence of humans.
Government agencies may use these measures after approval by a judge. The
decision was widely considered a landmark ruling, because it also
constituted a new "basic right to the confidentiality and integrity of
information-technological systems" as part of the general personality rights
in the German constitution.

In March, the Chaos Computer Club published the fingerprint of the federal
minister for the interior, Wolfgang Schäuble. This sparked high public
attention and made frontpage news, and proved that biometric authentication
as introduced in the German passport and identity card is not safe at all.
Inspired by the recent successes, the growing number of privacy activists
held a decentralised action day in May. Different kinds of activities, like
demonstrations, flash mobs, information booths, privacy parties, workshops,
and cultural activities took place all over Germany.

Over the summer, some of the biggest German companies helped in raising
public awareness of the risks of large data collections. Almost every week,
there were reports on a big supermarket chain spying on its employees, on
CD-ROMs with tens of thousands of customer data sets from call centers -
including bank account numbers - being sold on the grey market, on the
largest German telecommunications provider using retained traffic data for
spying on its supervisory board and on high-ranking union members, on an
airline using its booking system to spy on critical journalists, on two
large universities accidentally making all student data available online,
or on a big mobile phone provider "losing" 17 million customer data sets.

The Federal Government, under building public pressure, introduced some
small changes for the federal data protection law, but at the same time
continued its push for more surveillance measures in the hands of the
federal criminal agency (Bundeskriminalamt, BKA). These included the secret
online searches the constitutional court had just cut down to very
exceptional circumstances a few months earlier. The German public discussed
these moves very critically, especially since journalists are excluded from
the special protections that are given to priests, criminal defense lawyers,
and doctors.

Because of the public concern and debate about privacy risks, the call to
another mass street protest was more successful than ever before. The
"Freedom not Fear" action day on 11th October was the biggest privacy event
of the year. In Berlin, between 50,000 and 70,000 persons protested
peacefully against data retention and other forms of "surveillance mania",
making it the biggest privacy demonstration in German history. Privacy
activists in many cities all over the world participated with very diverse
and creative kinds of activities and turned this day into the first
international action day "Freedom not Fear".

The anti-surveillance protests finally kicked off some serious discussion
within the Social Democratic Party in a number of the German Länder
(states). This resulted in a loss of the majority for the law on the federal
criminal agency (BKA) in the second chamber (Bundesrat) in the first vote.
It was only passed weeks later, after some changes were introduced, and with
heavy pressure from leading federal Social Democrats. The new law is still
seen as unconstitutional by many legal and privacy experts and in January
2009 a case was submitted to the constitutional court.

Privacy activists in the fall of 2008 also campaigned against the retention
of flight passenger name records, forcing Brigitte Zypries, the German
minister of justice, to freeze her plans on the matter until after the
federal elections in the fall of 2009. More recently, the working group on
data retention attacked the "voluntary data retention" proposed in the EU
telecom package, as well as the renewed data exchange agreements between the
EU and the USA.

EDRi-gram: Germany: New basic right to privacy of computer systems
(27.02.2008)
http://www.edri.org/edrigram/number6.4/germany-constitutional-searches

EDRi-gram: German constitutional challenge on Data Retention (12.03.2008)
http://www.edri.org/edrigram/number6.5/germany-data-retention

EDRi-gram: Fingerprinting the fingerprint proponent (9.04.2008)
http://www.edri.org/edrigram/number6.7/fingerprint-schauble

EDRi-gram: German Protests in over 30 cities against surveillance (2.07.2008)
http://www.edri.org/edrigram/number6.13/german-protests-surveillance

EDRi-gram: International Action Day "Freedom not Fear" (22.10.2008)
http://www.edri.org/edri-gram/number6.20/freedom-not-fear-international-day

(contribution by Annika Kremer, Working Group on Data Retention, and Ralf
Bendrath, EDRi member Netzwerk Neue Medien - Germany)

============================================================
10. Some EU data protection policy developments in 2008
============================================================

Will 2008 be remembered as the Data Retention implementation year or the
first Freedom not Fear day? As always with conclusions, we might answer
this question better in 2009 or 2018. But let's look at some facts from the
last year now.

One of the main hot privacy topics during 2008 was related to the
implementation of the EU data retention Directive 2006/24/EC in several
European countries. Despite the fact that data retention has been resisted
in some countries in Europe, with 15 March 2009 as the final day for
starting to retain Internet-related data, most of the EU member states
adopted data retention laws only in 2008. The reactions have been strong,
but in just a few cases led to the review of the respective laws.

Germany has seen large debates and protests after the adoption of the data
retention law at the end of 2007. In February 2008, the German Working Group
on Data Retention submitted to the German Federal Constitutional Court the
mandates of over 34 000 citizens willing to fight against the storage of
their telecommunications. A preliminary decision taken by the Court on 19
March 2008 supported the case, considering that parts of the German act are
unconstitutional pending review.

In Bulgaria, on 11 December 2008, the Bulgarian Supreme Administrative Court
(SAC) annulled article 5 of the national legislation that implements the
Data retention Directive, following a lawsuit initiated by Access to
Information Program (AIP). Article 5 of the Bulgarian Regulation # 40 that
was issued by the State Agency on Information Technologies and Communication
and the Ministry of Interior provided for a "passive access through a
computer terminal" by the Ministry of Interior, as well as access without
court permission by security services and other law enforcement bodies, to
all retained data by Internet and mobile communication providers.

The European Court of Justice (ECJ) is still considering the action started
on 6 July 2006 by Ireland against the Council of the European Union and
European Parliament on the formal grounds for adopting the Data Retention
Directive.

A first hearing of the action by ECJ took place on 1 June 2008 in
Luxembourg. The legal basis of the data retention directive was supported by
the European Parliament and Council, but also by the Commission, Spain,
the Netherlands and the EDPS, Peter Hustinx. On 14 October 2008, the ECJ Advocate
General gave his opinion on the case considering the data retention
directive was founded on an appropriate legal basis, therefore recommending
the dismissal of the action. The decision of the Court will be made public
on 10 February 2009.

The German Working Group on Data Retention drafted an amicus curiae brief in
this case claiming that the data retention directive was also illegal on
human rights grounds, breaching the right to respect for private life and
correspondence, the freedom of expression and the protection of property.
The German Group was joined by several civil liberties NGOs and professional
associations, including EDRi.

It appears that the ECJ will not look into those aspects, but a future
action is possible in asking the European Court to consider the
compatibility with human rights. This could be initiated by the German
Federal Constitutional Court as an issue related to the action from the
German Working Group of Data Retention and/or by the Irish courts, following
the action initiated by EDRi-member Digital Rights Ireland.

An international day of action against data retention took place on 11
October under the name "Freedom not Fear". During that day, protests took
place in more than 15 countries worldwide against surveillance measures such
as the collection and retention of all telecommunications data. The
surveillance of air travellers and the biometric registration of citizens
was another subject of the "Freedom not Fear" day, as 2008 has seen
developments on the issue.

The PNR US-EU agreement continued to raise questions and worries with many
negotiations between the US government and the European Commission. In
March, the German Working Group on Data Retention published two applications
to the European Court of Justice contesting the transfer of PNR data to the
US arguing that the collection of all PNR data violated the basic right to
privacy and protection of our personal data, that authorities were given an
unforeseeable use of the data for other purposes, and that passengers'
sensitive data were not effectively protected against access. A recent
report from the US Department of Homeland Security (DHS) regarding the
Passenger Name Record (PNR) information from the EU-US flights confirms a
number of major dysfunctions, which prove that the DHS did not comply with
the EU agreement or with the US legislation in its use of PNR.

At the European level, despite the large opposition, the European Council
decided to extend the PNR scheme to the EU space, following the position of
some governments which expressed their intention to even extend the PNR
scheme to all types of travel and even among EU countries.
The text proposed in October 2008 included the choice of individual states
to take the measure at the national level meaning that PNR would be
collected by all Member States on all flights in and out of the EU and the
choice of surveying intra-community flights belonged to the Member States.

The attempt to pile up DNA databases was continued in 2008 with the UK as
leader. However, the European Court of Human Rights (ECHR) decision taken on
4 December in the Marper case could change the way things are working today.
The ECHR confirmed that, under Article 8 of the European Convention
on Human Rights, the retention of cellular samples, fingerprints and DNA
profiles constituted an infringement of the right to private life.

On 24 September 2008, the Telecom Package of rules governing the Internet
and telecoms sectors proposed by the European Commission was approved by the
European Parliament in the first reading. Despite the amendments brought by
the EP, the package is still worrying the civil rights groups, both on data
retention and IP issues. The voluntary data retention issue is one of the
major hot topics contested by the civil society (see also the first article
in this EDRi-gram).

A promising amendment was proposed by the European Parliament to the
ePrivacy Directive that included the obligation of the information society
service providers to notify personal data related security breaches to the
national authorities, which was suggested by the European Data Protection
Supervisor's opinion in April. But the new texts suggested by the Commission
and the Council seem to contradict the Parliament and the final decision
will probably be taken in the second reading, estimated for April 2009.

We cannot wish to have a conclusion that may clear the waters. The
optimists will look at the full part of the glass where we might see the
ECHR Marper case. The pessimists might see the EU PNR scheme or some strange
provisions of the Telecom Package.

EDRI page on data retention
http://www.edri.org/issues/privacy/dataretention

EDRI page on PNR
http://www.edri.org/issues/privacy/pnr

EDRI page on biometrics
http://www.edri.org/issues/technology/biometrics

EDRi page on privacy
http://www.edri.org/issues/privacy

National data retention policies
https://wiki.vorratsdatenspeicherung.de/Transposition

============================================================
11. Towards International Data Protection Standards
============================================================

In October 2008, the 30th International Conference of Privacy and Data
Protection Commissioners in Strasbourg adopted a resolution on the urgent
need for protecting privacy in a borderless world, and for reaching a Joint
Proposal for setting International Standards on Privacy and Personal Data
Protection.

Following this resolution, the Spanish Data Protection Authority (DPA) - as
the organiser of the 31st international DPA Conference to be held in
November 2009 - has set up a working group on drafting this Joint Proposal.
The first meeting of this working group was held on invitation of the
Spanish DPA and the DPA of Catalonia on 12 January in Barcelona.

Participants in this meeting were not only the interested international Data
Protection Authorities but also data protection experts from academia,
businesses and civil society, amongst which EDRi.

EDRi very much welcomes this standardisation initiative of the International
Conference of Privacy and Data Protection Commissioners. Provided that the
defined standards are not set below the requirements of the current European
data protection legislation - which is very unlikely to happen - an
international standard on data protection will not only serve as an
important tool for international data exchange but also as a worldwide
benchmark for data protection legislation. Besides that, it provides the
opportunity to work on issues that are likely to cause difficulties with
emerging technologies (like for example the concept of the data controller
in RFID environments or cloud computing).

As this one-day meeting clearly showed, the creation of an international
standard on Privacy and Personal Data Protection is not an easy task and it
is far from clear whether this task can possibly be completed by the next
International Conference of Privacy and Data Protection Commissioners in
November 2009 in Madrid. But with the draft document provided by the
organisers of the meeting and the inputs provided by the participants in the
meeting, a first step has already been taken. In the following months the
working group will go into the details and present the outcomes at the
Madrid conference.

Resolution on the urgent need for protecting privacy in a borderless world,
and for reaching a Joint Proposal for setting International Standards on
Privacy and Personal Data Protection adopted by the 30th International
Conference of Privacy and Data Protection Commissioners (17.10.2008)
http://www.privacyconference2008.org/adopted_resolutions/STRASBOURG2008/resolution_international_standards_en.pdf

Announcement of the Barcelona Meeting by the DPA of Catalonia (only in
Spanish, 8.01.2009)
http://www.apdcat.net/noticia.php?not_id=93

Intervention of the director of the DPA of Catalonia (only in Spanish,
14.01.2009)
http://www.apdcat.net/noticia.php?not_id=97

Press statement of the Spanish DPA (only in Spanish, 13.01.2009)
https://www.agpd.es/portalweb/revista_prensa/revista_prensa/2009/notas_prensa/common/enero/090113_np_reunion_barcelona_estandares_privacidad.pdf

(contribution by Andreas Krisch - EDRi)

============================================================
12. Recommended Action
============================================================

Declaration to Reject the Copyright Term Extension Directive with
signatories (01.2009)
http://www.edri.org/files/Joint_Statement_Final.pdf

Reject term extension directive (21.01.2009)
http://www.edri.org/reject-term-extention-directive

============================================================
13. Recommended Reading
============================================================

Article 29 Working Party - The 2007 Annual Report
English
http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/annual_reports_en.htm
German
http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/annual_reports_de.htm
French
http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/annual_reports_fr.htm

============================================================
14. Agenda
============================================================

3-4 February 2009, Victoria, British Columbia, Canada
10th Annual Privacy and Security Conference "Life in a Digital Fishbowl: A
Struggle for Survival or a Sea of Opportunity?"
http://www.rebootconference.com/privacy2009/

7-8 February 2009, Brussels, Belgium
Free and Open source Software Developers' European Meeting (FOSDEM)
http://www.fosdem.org/2009/

18-20 March 2009, Athens, Greece
WebSci'09: Society On-Line
http://www.websci09.org/

27-29 March 2009, Manchester, UK
Oekonux Conference: Free Software and Beyond The World of Peer Production
http://www.oekonux-conference.org/

29-31 March 2009, Edinburgh, UK
"Governance Of New Technologies: The Transformation Of Medicine, Information
Technology And Intellectual Property" An International Interdisciplinary
Conference
http://www.law.ed.ac.uk/ahrc/conference09/

1-3 April 2009, Berlin, Germany
re:publica 2009 "Shift happens"
http://www.re-publica.de/09/
Subconference: 2nd European Privacy Open Space
http://www.privacyos.eu/

13-14 May 2009, Uppsala, Sweden
Mashing-up Culture: The Rise of User-generated Content
http://www.counter2010.org/workshop_call

24-28 May 2009, Venice, Italy
ICIMP 2009, The Fourth International Conference on Internet Monitoring
and Protection
http://www.iaria.org/conferences2009/ICIMP09.html

1-4 June 2009, Washington, DC, USA
Computers Freedom and Privacy 2009
http://www.cfp2009.org/

5 June 2009, London, UK
The Second Multidisciplinary Workshop on Identity in the Information
Society (IDIS 09): "Identity and the Impact of Technology"
Call for papers, deadline 13 March 2009
http://is2.lse.ac.uk/idis/2009/

2-3 July 2009, Padova, Italy
3rd FLOSS International Workshop on Free/Libre Open Source Software
Paper submission by 31 March 2009
http://www.decon.unipd.it/personale/curri/manenti/floss/floss09.html

13-16 August 2009, Vierhouten, The Netherlands
Hacking at Random
http://www.har2009.org/

23-27 August 2009, Milan, Italy
World Library and Information Congress: 75th IFLA General Conference and
Council: "Libraries create futures: Building on cultural heritage"
http://www.ifla.org/IV/ifla75/index.htm

10-12 September 2009, Potsdam, Germany
5th ECPR General Conference, Potsdam
Section: Protest Politics
Panel: The Contentious Politics of Intellectual Property
First proposals to be submitted by 1 February 2009
http://www.ecpr.org.uk/potsdam/default.asp

16-18 September 2009, Crete, Greece
World Summit on the Knowledge Society WSKS 2009
http://www.open-knowledge-society.org/

October 2009, Istanbul, Turkey
eChallenges 2009
Call for papers by 27 February 2009
http://www.echallenges.org/e2009/default.asp?page=c4p

15-18 November 2009, Sharm El Sheikh, Egypt
UN Internet Governance Forum
http://www.intgovforum.org/

============================================================
15. About
============================================================

EDRI-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRI has 29 members based or with offices in 18 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRI-grams.

All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and visibly on the
EDRI website.

Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/

Newsletter editor: Bogdan Manolea <edrigram at edri.org>

Information about EDRI and its members:
http://www.edri.org/

European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.
http://www.edri.org/about/sponsoring

- EDRI-gram subscription information

subscribe by e-mail
To: edri-news-request at edri.org
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.
unsubscribe by e-mail
To: edri-news-request at edri.org
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edrigram-mk.php

- EDRI-gram in German

EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/

- Newsletter archive

Back issues are available at:
http://www.edri.org/edrigram

- Help
Please ask <edrigram at edri.org> if you have any problems with subscribing or
unsubscribing.


----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
