EDRi-gram newsletter - Number 7.13, 1 July 2009

EDRI-gram newsletter edrigram at edri.org
Wed Jul 1 11:17:13 PDT 2009


============================================================

           EDRi-gram

biweekly newsletter about digital civil rights in Europe

    Number 7.13, 1 July 2009


============================================================
Contents
============================================================

1. Article 29 Working Party on online social networking
2. Rapidshare forced by the court to filter more than 5000 tracks
3. Judge unbiased, no retrial for The Pirate Bay
4. 'Right to the silence of the chips' in the new EC Communication
5. Norway will not chase file-sharers
6. France: No to new EDVIGE!
7. Swedish court: IP addresses are personal data
8. The French Government acts like a bulldog with its three strikes law
9. ENDitorial: EU DP - state of the play, potential for enhancements
10. Recommended Reading
11. Agenda
12. About

============================================================
1. Article 29 Working Party on online social networking
============================================================

Article 29 Working Party issued on 22 June 2009 an opinion on how European
privacy laws affect social networking sites such as Facebook or Myspace.

The opinion states that social networking sites should be responsible for
compliance with European privacy laws and, on the other hand, that users of
such sites should upload pictures or information about other individuals
only with the consent of the respective individuals.

Presently, social networking users share pictures and tag friends' images
without requiring a prior consent and generally, communicate publicly,
placing their own and others' private information on shared "walls".

The Data Protection Authorities recommend that users be given an opt-out
choice and be warned of the privacy risks and of the personal data that is
being made available to others. The opinion says that "the homepage should
contain a link to a complaint facility covering data protection issues for
both members and non-members".

The group also draws attention to the processing of personal data on the
Internet for commercial purposes, recommending that before using the
collected data for personalised advertisements, the sites should
obtain the prior consent of the respective users. Data on sensitive
topics such as race, religion or sexual orientation should not be processed
or passed on to advertisers and individuals should be allowed to adopt a
pseudonym. Special attention should be given to the processing of the
minors' personal data. This is an opinion that has been lately supported by
the European Commission which has announced future strong measures to
regulate online tailored ads.

The opinion also advises imposing limits on retaining the data of inactive
users believing that abandoned accounts, together with their accompanying
data, should be deleted.

The Article 29 Working Party's opinion is based on the principle that social
networking websites must be subject to the EU Data Protection Directive even
when their headquarters are outside the European Union space.

The group interprets the definition of "data controller" as covering the
service providers who, therefore, must adhere to
privacy laws. Although an exception is made for personal or "household"
users, when users broadcast or gather information very widely via such
sites, they become data controllers themselves which could affect users who
organise concerts, human rights letter-writing campaigns or try to sell a
homemade product online.

The recommendations are not binding but show the trend in the legislative
measures that might be taken in the future at the national as well as EU
level. The group has focused lately on privacy issues related to search
engines and its initiatives have led to actions in this direction. The big
search engines such as Google, Microsoft and Yahoo!, have been pressed to
reduce the retention period of data collected from their users.

The opinion has implications for how the responsibility of social
networks themselves is seen when they carry images and information that could
breach privacy and security rules.

The European Commission has lately focused more on protecting citizens and
consumers' privacy and social networking websites are considered potentially
dangerous for inexpert users.

Information Society Commissioner Viviane Reding has shown her support for
this line of action and has kept pushing the major players in this field to
adopt a code of conduct meant to protect young users, threatening to
otherwise take further action to protect privacy.

Article 29 Data Protection Working Party - Opinion 5/2009 on online social
networking (12.06.2009)
English
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2009/wp163_en.pdf
German version
http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2009_de.htm
French version
http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2009_fr.htm

EU data monitors outline Facebook ground rules (25.06.2009)
http://euobserver.com/9/28370/?rk=1

EU privacy regulators eye online social networks (25.06.2009)
http://www.euractiv.com/en/infosociety/eu-privacy-regulators-eye-online-social-networks/article-183486

Citizens' privacy must become priority in digital age, says EU Commissioner
Reding (14.04.2009)
http://europa.eu/rapid/pressReleasesAction.do?reference=IP/09/571&format=HTML&aged=0&language=EN&guiLanguage=en

EDRI-gram: Behavioural targeting at the European Consumer Summit (8.04.2009)
http://www.edri.org/edri-gram/number7.7/behavoural-target-eu-consumers

============================================================
2. Rapidshare forced by the court to filter more than 5000 tracks
============================================================

The file-sharing site Rapidshare.de has recently lost another case to the
German copyright society GEMA, being ordered by the Regional Court in
Hamburg to "proactively filter" more than 5000 tracks from GEMA's catalogue.

In January 2008, another regional court in Düsseldorf had already found that
RapidShare was responsible for what its users uploaded to the service.
Hence, RapidShare implemented a screening process and maintained hashes of
files that were pulled down for infringement, but GEMA was not satisfied with
this and went back to court.

GEMA created software that can search web forums and extract links to
content that seems to infringe GEMA's copyrights, but Rapidshare complained
that the software did not work. "It's questionable whether the application
can deal with mechanisms to prevent the scraping of links, open encrypted
files, accurately identify audio files or find links in forums that can't be
accessed by search engines," said Rapidshare CEO Bobby Chang.

In October 2008, the court decided the systems implemented by Rapidshare
were not efficient enough considering that "a business model that doesn't
use common methods of prevention cannot claim the protection of the law."

"The judgment states that the hosting service itself is now responsible for
making sure that none of the music tracks concerned are distributed via its
platform in the future. (...) This means that the copyright holder is no
longer required to perform the ongoing and complex checks," was GEMA's
statement.

The decision may imply that, in the future, user-generated content sites
located in Germany will need to take proactive, efficient measures to screen
copyrighted material.

"We do not consider the court's decision to be a breakthrough," said Chang,
who added:
"As other proceedings in similar disputes with GEMA have shown, there is
considerable disparity amongst the individual courts in some cases. Our
experience is that the courts of appeal tend to restrict the scope of the
decisions made by the lower courts."

Rapidshare has announced that they would appeal the verdict.

Rapidshare to appeal German court decision (29.06.2009)
http://www.afterdawn.com/news/archive/18325.cfm

Rapidshare stung with 24m fine (24.06.2009)
http://www.theregister.co.uk/2009/06/24/rapidshare_gema/

German Court Orders RapidShare to Proactively Filter Songs (23.06.2009)
http://www.dmwmedia.com/news/2009/06/23/german-court-orders-rapidshare-proactively-filter-songs

Achtung! RapidShare ordered to filter all user uploads (24.06.2009)
http://arstechnica.com/tech-policy/news/2009/06/achtung-rapidshare-hit-with-24m-fine-content-filter-rules.ars

EDRI-gram: RapidShare needs to check every file for copyright infringement
(8.10.2008)
http://www.edri.org/edrigram/number6.19/rapidshare-hamburg-decision

============================================================
3. Judge unbiased, no retrial for The Pirate Bay
============================================================

On 25 June 2009, Sweden's Court of Appeal ruled that judge Norström in The
Pirate Bay (TPB) case was not biased as the lawyers representing TPB
founders had claimed. Therefore there will be no retrial for TPB in
Stockholm District Court.

The TPB lawyers had accused Norström of having a conflict of interest as
he was a member of several organizations funded by the recording industry
organization IFPI. The Court of Appeal acknowledged that the judge was a
member of organisations acting in the interests of rights holders, but
emphasized that copyright holders benefited from constitutional protection
under the Swedish law. "We have reached the conclusion that we do not agree
with the conflict of interest claim," said appeals court judge Anders Eka to
news agency TT. "For a judge to back the principles on which this
legislation rests cannot be considered bias," said the court ruling.

The court criticised Norström for not having stated, before the trial, that
he was a member of those organizations but considered this was not
sufficient reason to declare the district court verdict null and void.

"This is part of a pattern. It shows that the Swedish legal system is no
longer to be trusted when it comes to copyright cases. It's a travesty of
justice quite simply", commented newly elected European Parliament member
Christian Engström of the Swedish Pirate Party who added: "There are
certainly problems with the laws too but this also shows that the courts are
not capable of applying the laws in a correct manner. I've been a lay judge
for seven years and I've never seen an indictment as bad as the Pirate Bay
verdict. But that didn't stop the court from setting ridiculous sentences."

The Pirate Bay defendants can still appeal the results of the first trial.
One of them, Peter Sunde has stated: "The Pirate Bay will now file charges
against Sweden for violation for Human Rights. ... (The bias-judge is
himself biased...)".

The Pirate Bay now faces another legal case brought to court by the Dutch
anti-piracy organization BREIN, which wants to close the file-sharing site in
the Netherlands and see three of the TPB founders in court on 21 July. As the
organization was unable to find the exact whereabouts of the three men, it
used Twitter and Facebook social networking websites to deliver the court
summons.

"The internet works both for those who respect copyrights and those who
violate them. Now they know that the hearing will take place on July 21st in
Amsterdam," said BREIN CEO Tim Kuik.

However, it remains to be seen whether the summoned founders will show up.
Neij who is living in Bangkok, Thailand, claimed he had seen no summons on
the respective sites. "I have Twitter and Facebook accounts, but I haven't
seen anything about it," he told the TT news agency.

A recent announcement posted by Thelocal.se on 30 June 2009 said that
The Pirate Bay "is set to be purchased for 60 million crowns (approx. $5.55
million euros) by Global Gaming Factory X (GGF), a company specializing in
internet café management software." GGF said in its statement that it wanted
content providers and copyright owners to get paid for content downloaded.
TPB has confirmed on their blog that they might get acquired by the
above-mentioned company.

No retrial in Pirate Bay case (25.06.2009)
http://www.thelocal.se/20280/20090625/

Dutch Antipiracy Organization Takes Aim at Pirate Bay (24.06.2009)
http://www.pcworld.com/article/167273/dutch_antipiracy_organization_takes_aim_at_pirate_bay.html

Pirate Bay served with Dutch lawsuit via Twitter and Facebook (24.06.2009)
http://www.thelocal.se/20244/20090624/

Pirate Bay retrial denied; judge declared "unbiased"(25.06.2009)
http://arstechnica.com/tech-policy/news/2009/06/pirate-bay-retrial-denied-judge-declared-unbiased.ars

Swedish IT company to buy Pirate Bay (30.06.2009)
http://www.thelocal.se/20364/20090630/

============================================================
4. 'Right to the silence of the chips' in the new EC Communication
============================================================

A new communication from the European Commission to the other European
bodies on the RFID (radio-frequency identification) titled "Internet of
Things - An action plan for Europe" was made public on 18 June 2009.

The communication builds on the work of the Recommendation on the use of
RFID published on 12 May 2009 after a fifteen-month period of consultations.
The communication includes a 14-point action plan to address the main issues
raised from the RFID usage as discussed in the working group and in the
consultation period.

One of the most important action points is the launch of "a debate on the
technical and legal aspects of the 'right to silence of the chips', which
has been referred to under different names by different authors and
expresses the idea that individuals should be able to disconnect from their
networked environment at any time."

This is one of the main actions of the plan in order to allow the usage of
the RFID while respecting privacy and the protection of personal data, two
fundamental rights of the EU.

The communication underlines that these rights will have an influence on how
the Internet of Things is conceived but, at the same time, its development
will affect the way we understand privacy.

The European Commission also announced that in 2010 it intends to publish a
broader Communication on privacy and trust in the ubiquitous information
society.

The Communication makes it clear that "simply leaving the development of
Internet of Things to the private sector, and possibly to other world
regions is not a sensible option." Thus, the concept of governance of the
RFID usage will be initiated and promoted by the Commission in international
fora in order to establish a set of principles and to set up an
"architecture" with a sufficient level of decentralised management.

Communication from the Commission to the European Parliament:
Internet of Things - An action plan for Europe (18.06.2009)
http://ec.europa.eu/information_society/policy/rfid/documents/commiot2009.pdf

EU lays out plans for the "internet of things" (18.06.2009)
http://www.v3.co.uk/computing/news/2244448/eu-prepares-mass-rfid

EDRi-gram: RFID and Informed Consent - Using and removing of RFID
functionality (5.12.2007)
http://www.edri.org/edrigram/number5.23/rfid-informed-consent

EDRi-gram: EU supports RFID with proper protection of consumers' privacy
(20.05.2009)
http://www.edri.org/edri-gram/number7.10/rfid-european-commission-recommandation

============================================================
5. Norway will not chase file-sharers
============================================================

The Norwegian data protection authority has decided that ISPs have to delete
all IP address-related data just 3 weeks after collection, a decision that
will make it difficult to chase file-sharers.

The regulator started with two ISPs, Tele2 and Lyse Tele, but the decision,
issued under the Personal Data Act, will apply to all ISPs in Norway. As
Norway is not a member of the European Union, it is not bound to comply with
the European data retention directive which says that this type of data must
be held for at least 6 months. In Norway, now, data retention can go from a
few days to five months.

The Norwegian telecom regulator has also recently ruled that the identity of
file-sharers can be disclosed to copyright holders only by court order. And
to make things even tougher for copyright holders, Simonsen law firm, the
only legal company having had a licence to track file-sharers, has seen it
expire with no renewal provided.

Simonsen has had the licence since 2006 having been enabled to monitor
alleged pirates and collect their IP addresses. The licence was however
temporary and it won't be renewed due to the very little debate on the
matter. Data protection authorities have requested legislative clarification
on what the license can and cannot do, but have not received the requested
information from the competent authorities.

Simonsen lawyer Espen Tøndel said that his law firm would object to the
non-renewal of their license. "One can not deny (the copyright holders)
their right to protect their interests in this way," he said.

Anti-Piracy Lawyers Lose License To Chase Pirates (22.06.2009)
http://torrentfreak.com/anti-piracy-lawyers-loses-license-to-chase-pirates-090622/

Data Protection Makes Identifying Online Pirates a Nightmare (10.06.2009)
http://torrentfreak.com/data-protection-makes-identifying-online-pirates-a-nightmare-090610/

Norway organises the immunity of P2Ps (only in French, 25.06.2009)
http://www.numerama.com/magazine/13272-La-Norvege-organise-l-immunite-de-ses-P2Pistes.html

Anti-Piracy Lawyers Thwarted in Norway (23.06.2009)
http://www.tomsguide.com/us/Anti-Piracy-Twarted-Lawyers-License,news-4114.html

============================================================
6. France: No to new EDVIGE!
============================================================

A text of a draft law on Police Files initiated by the two French deputies
Delphine Batho and Jacques-Alain Bénisti has been approved by the Laws
Commission of the National Assembly. The draft law contains a new form of
the EDVIGE file, nicknamed now EDVIGE 3.0.

EDVIGE was a new database created in June 2008 with the purpose of filing
"individuals, groups, organisations and moral persons which, due to their
individual or collective activity, are likely to attempt to public order".
Not only will these persons be filed (without any offence committed), but
also "those who undertake or have undertaken direct and non fortuitous
relations with them." Filing was supposed to start at age 13 and the
database would be used by French intelligence services and the
administrative police. Following a massive civil society protest, the
database was initially revised into EDVIRSP (or so-called EDVIGE 2.0) and
then withdrawn in December 2008.

Although it makes some significant progress, the text of the new law is
still not good enough in respecting the human rights, as underlined by a
common press release of several unions and civil society groups, among which
the EDRi-member IRIS.

One of the major concerns that the press release highlights is the generic
global tendency that wants to extend the methods and tools used for serious
crimes and terrorism acts to the "small delinquency".

The main step forward is that according to the new text every new Police
file needs to be stipulated by law. At the same time the "No to
EDVIGE" group considers that the law should go much further, including a
better democratic character of the CNIL (French Data Protection) by the
inclusion of some members proposed by the human rights activists. Also, the
new draft laws which receive a negative opinion from the CNIL should get an
opinion from the State Council (Conseil d'État) and all these opinions
need to be made public.

The new law proposal also includes new provisions for EDVIGE 3.0, which
still covers all children above 13 years old. But this proposal goes even
further than the two earlier versions.

The definitions suggested in the new draft proposal introduce dangerous
provisions. Thus, the very large definitions of the attacks on the people's
security or goods cover activities of the police which are already supported
by other existing databases. The "No to EDVIGE" group asks for a limitation
of the acts of attacks to the State security and public security committed
with violence. Also the new file should not include minors.

The French organisations also criticized the qualification given to other
files, such as STIC (Système de traitement des infractions constatées -
Recorded offences treatment system), a huge police database, which records
also data on minors, without any age limitation.

Law proposal on Police Files: EDVIGE 3.0, still NO (only in French,
19.06.2009)
http://www.iris.sgdg.org/info-debat/comm-fichierspolice0609.html

Law proposal on Police Files (only in French, 7.05.2009)
http://www.assemblee-nationale.fr/13/propositions/pion1659.asp

The deputies want to frame the creation of police files (only in French,
18.06.2009)
http://www.lesechos.fr/info/france/4876857-les-deputes-veulent-encadrer-la-creation-de-fichiers-de-police.htm

EDRi-gram: ENDitorial: Massive mobilization against EDVIGE, the new French
database (16.07.2008)
http://www.edri.org/edrigram/number6.14/edvige-french-database

EDRi-gram: French EDVIGE decree withdrawn (4.12.2008)
http://www.edri.org/edri-gram/number6.23/edvige-retired

============================================================
7. Swedish court: IP addresses are personal data
============================================================

The Swedish Supreme Administrative Court ruled on 18 June that the IP
addresses are personal data in a case regarding APB (the Swedish Anti-Piracy
Bureau, Antipiratbyrån), a lobby group representing copyright owners.

However, from the comments following the judgement, it became clear that
this ruling will not stop the implementation of the Swedish IPRED Directive
or the way the copyright holder representatives record and keep IP addresses
in order to identify alleged file-sharers. Although the ruling means that
APB's methods for chasing file-sharers by logging their IP addresses were in
violation of the Personal Data Act, the new IPRED law changed the situation.

A policy adviser at the Swedish Ministry of Justice explained to The
Register: "The rumours that this decision will kill off IPRED are wrong,
because the bill creating the law includes an exemption for rights holders -
they may request and keep IP numbers for this purpose."

Jonas Agnvall, a legal adviser with the Swedish Data Inspection Board,
says that the new IPRED law specifically allows the activities of IP logging
of the APB:
"I have not scrutinised the directive in detail, but as I understand, they
no longer need the legal exception with the implementation of the
IPRED-law", Jonas Agnvall says to Computer Sweden.

He also added: "During the autumn we will inquire into this and how these lobby
groups of copyright holders use the personal records. This we can do now
when it stands clear that IP addresses really are personal records".

A week later, on 25 June 2009, a first ruling on the new IPRED law was
given by the Solna District Court, which decided that an ISP must hand over
information identifying its customers based on the IP addresses given by five
publishers of audiobooks who were trying to identify some alleged copyright
offenders.

In this case, the Swedish broadband service provider Ephone was asked by the
five publishers to reveal who owned a server suspected of containing
several hundred audio book titles. The ISP refused to say who was behind
the IP address, questioning if the matter was indeed a copyright
infringement since the FTP server was not publicly available and the access
to it was possible only to the persons that knew the password to access it.

In the decision of the Solna District Court, the judges ordered Ephone to
reveal the information regarding the customers that are using several IP
addresses under a penalty of 750 000 Swedish crowns fine (approx. 70 000
euros). The company also needed to pay the publishers' court costs.

Collecting IP Addresses Illegal in Sweden (18.06.2009)
http://torrentfreak.com/collecting-ip-addresses-illegal-sweden-090618/

Favorable court ruling do not save file-sharing (18.06.2009)
http://www.stockholmnews.com/more.aspx?NID=3440

Sweden: IP numbers are personal...unless you're a pirate (18.06.2009)
http://www.theregister.co.uk/2009/06/18/sweden_ip_law/

Publishers win anti-piracy law test case (25.06.2009)
http://www.thelocal.se/20274/20090625/

First IPRED case settled (only in Swedish, 25.06.2009)
http://www.svd.se/naringsliv/it/artikel_3115633.svd

============================================================
8. The French Government acts like a bulldog with its three strikes law
============================================================

Nicolas Sarkozy and the French Government want to go on with the new three
strikes draft law (called also Hadopi 2) which was presented to the Council
of Ministers on 24 June 2009.

The emergency procedure has been initiated and therefore the two chambers
will have only one reading for the text. The new text will be first
presented to the Senate on 8 and 9 July and then examined by the
deputies, presumably starting on 22 July.

The draft law, which now includes five articles, stipulates, besides the
disconnection of the alleged infringer which has to be decided by the court,
fines that can amount to 1 500 euros or 3 000 euros in case of repeated
offences.

The new version has reintroduced an extension previously rejected by the
deputies in the first text: a user can be condemned not only for "piracy"
through an online public communication service, but also for "piracy" by any
electronic communication means. This means that the judges will be able to
sanction "piracy" that was performed also by instant messaging services or
e-mails.

And, in order to soften the censure imposed by the Constitutional Council,
the new text introduces a legal instrument that would allow the justice
system to use simplified procedures in applying sanctions "against the
authors of illegal downloading. A fast and efficient treatment of the cases
will thus be ensured by means of penal ordinances".

So, the court can decide, by penal ordinance, to condemn an alleged
infringer to pay a fine in his absence. The text thus includes "Internet
piracy" on the same list of infringements with the use of hallucinogenic
drugs or violations of the traffic code.

The infringement is established by Hadopi authority officers who then notify
the police. Their reports are considered "truthful until proven otherwise"
which actually implies there is no presumption of innocence. Unfortunately,
the Constitutional Court seems to have left an open door for the culpability
presumption by saying that the legislator can exceptionally establish such
presumptions under certain conditions such as the respect of the defense
right.

The file is then sent to the public ministry which can choose the simplified
procedure and sends it to the president of the court who establishes without
prior debate a penal ordinance applying or not a fine. The subject of the
fine is never heard. The procedure gives the court president the possibility
to ask for a contradictory debate in which case the file is sent back to the
public ministry.

The penal ordinance is given by a sole judge, who is the president of the
court and includes the names and coordinates of the alleged infringer, the
date and place of the alleged infringement and the sanctions. The sanctions
are then carried out by the public ministry within a period of 10 days.

The user can make an appeal within 45 days and present himself in front
of a magistrate for a new judgment but the risk is that, in case the user is
found guilty, the sanction can be aggravated up to a maximum of 3 years in
prison and 300 000 euros of fine.

Actually, the new text introduces the three-strikes in an even harder
version: warning, fine and then disconnection. The only improvement is that
the disconnection can be decided only by the court and that is also shadowed
by the simplified procedure allowing for the penal ordinance.

Hadopi 2 starting on 8 July in the Senate (only in French, 26.06.2009)
http://www.numerama.com/magazine/13283-Hadopi-2-des-le-8-juillet-au-Senat.html

Hadopi 2: the surveillance of e-mails is back (only in French, 25.06.2009)
http://www.numerama.com/magazine/13273-Hadopi-2-la-surveillance-des-e-mails-fait-son-retour.html

Fine for illegal downloading, how does it work ? (only in French,
25.06.2009)
http://www.01net.com/editorial/503828/amende-pour-telechargement-illegal-comment-ca-marche/

Hadopi: and now, the fines... (MAJ) (only in French, 24.06.2009)
http://www.01net.com/editorial/503668/hadopi-et-maintenant-les-amendes-(maj)/

Draft law on the legal protection of literary and artistic copyright on the
Internet (only in French, 29.06.2009)
http://www.legifrance.gouv.fr/html/actualite/actualite_legislative/pl_protection_propriete_artist.html

The French Constitutional Council censures the 3 strikes law (17.06.2009)
http://www.edri.org/edri-gram/number7.12/3-strikes-censured-council-constitutional

============================================================
9. ENDitorial: EU DP - state of the play, potential for enhancements
============================================================

With the title "Personal data - more use, more protection?" the European
Commission organised on 19 and 20 May 2009 a data protection (DP) conference
in Brussels. The purpose of the conference was to look for new challenges
for privacy and to kick off a process towards a new quality of data
protection for the European Union. On invitation of the European Commission,
Andreas Krisch participated on behalf of EDRi.

The topics of the one and a half day conference included a wide range of
areas related to data protection. Amongst them: data protection in the area
of law enforcement, data retention, the role of businesses as well as
supervisory authorities and consumer protection.

Following the presentations on data retention by Kurt Alavaara (National
Police Board, Sweden) and Francis Stoliaroff (Ministry of Justice, France) a
long debate on the legitimacy of the data retention directive took place.
Spiros Simitis (Goethe-University Frankfurt am Main) argued that data
retention not only is in violation of fundamental rights and against the
German constitution but also violates the fundamental principles of data
protection, especially the principle of purpose limitation.

Panellist Douwe Korff (London Metropolitan University) concurred by saying
that for vague purpose specifications the interpretation is different
in the member states. While some countries differentiate between the
purposes of prevention and prosecution of crimes others simply subsume these
with the term "police purposes" with huge implications regarding the
access to retained data. Furthermore, he made clear that communication
traffic data is personal data.

Finally Waltraud Kotschy (Austrian Data Protection Commission) joined the
discussion and stated that, in her view, it will be impossible to keep the
access to retained data restricted to cases of terrorism and organised
crime. Already now there are discussions in Austria on access to data for
purposes of copyright enforcement. These and similar discussions will gain
momentum once data retention is in place.

For all presentations and discussions of the first day of the conference a
webcast of 15 minutes of discussion with English, German and French
translations is available on the EC website and definitely worth viewing.

The role of business and personal data protection was the title of my
presentation. Starting with a general overview of commercial data collection
on shopping and communication habits, financial, location and movement
information, I argued that in many cases commercial data collection leads to
the use of these data by the state. Examples for this include but are not
limited to the SWIFT case where US authorities accessed data on EU
financial transactions, PNR data where the EU grants the US access to
passenger information and plans to access these data as well, and the
mandatory data retention where EU member states retain and access data on
communications of 490 million people.

Given these practices, the significance of commercial data collection cannot
be overestimated and the 1983 ruling of the German Constitutional Court
reasoning that "... an as such inconsequential date can get a new
significance;" and that "insofar there is no 'inconsequential' date anymore
under the conditions of modern data processing", has more relevance today
than ever before.

At the same time, we see significant weaknesses at the counterparts of these
data controllers, the data protection authorities. On the one hand, they are
often confronted with very limited financial and personnel resources and
therefore are also limited in their possibilities to enforce data protection
legislation. On the other hand, we also see problematic decisions - or at
least problematic reasoning - of data protection authorities (see Privacy
International on the UK Information Commissioner). In addition, it is also
clear that traditional means of oversight will be unable to cope with the
immense increase of the amount of data being processed. Present means for
individual data protection are also limited and often impose relatively high
financial risks for legal procedures in combination with relatively little
potential gains in individual cases.

Improvements of data protection and data protection legislation can
therefore be achieved by expanding the possibilities for individual data
(self-)protection (e.g. easier and less risky legal procedures; evaluation
of current practices regarding "informed consent" of data subjects), the
introduction of mandatory data breach notifications and punitive damages on
a per data basis in cases of data leaks. With regard to the area of
Radio Frequency Identification and the Internet of Things it will be
necessary to follow the developments carefully and to evaluate if current
data protection concepts still provide sufficient means to address the data
protection challenges introduced by these technologies.

Additionally, positive measures also need to be taken. Tools and mechanisms
that help businesses to prove and publicly communicate their compliance with
data protection legislation, like the European Privacy Seal (EuroPriSe),
should get a strong foundation in the European data protection legislation.
The introduction of mandatory data protection officers for companies would
not only help companies to establish data protection mechanisms in their
organisations and to work internally on improvements but would also bring
positive effects for the relationship between companies and their customers
by providing a competent contact person for questions related to data
protection.

Finally, better educational information on data protection is needed to
ensure that young people have access to relevant first hand information on
data protection and their possibilities to protect their privacy.

The future will show what this process towards a new quality of data
protection for the European Union brings. For the time being, it can be said
that the European Union has at least two faces when it comes to data
protection. On the one hand, important steps towards data protection in the
area of RFID and the Internet of Things are taken, but on the other hand,
the planned Stockholm Programme on Justice and Home Affairs policy for the
next five years describes the way towards a surveillance society in which
the floods of the digital tsunami threaten to overwhelm the data protection
rights of individuals in Europe.

Conference "Personal data - more use, more protection?" (19-20.05.2009)
http://ec.europa.eu/justice_home/news/events/news_events_en.htm#dp_conference_2009

Conference Programme "Personal data - more use, more
protection?" (19-20.05.2009)
http://ec.europa.eu/justice_home/news/events/conference_dp_2009/programme_en.pdf

Webcast of the discussion on data retention (Simitis, Korff, Kotschy and
others) at the conference
http://webcast.ec.europa.eu/eutv/portal/jsf/_vi_fl_300_en/player/index_player.html?id=7249&pId=7239&startTime=0&locale=en#

Webcast of the presentation by Andreas Krisch "The Role of Business and
Personal Data Protection"
http://webcast.ec.europa.eu/eutv/portal/jsf/_vi_fl_300_en/player/index_player.html?id=7254&pId=7239&startTime=0&locale=en

PI calls for review of UK privacy regulator following series of failed
judgements (23.04.2009)
http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-564402

European Privacy Seal (EuroPriSe)
https://www.european-privacy-seal.eu/

EDRi-gram: Stockholm programme - the new EU dangerous surveillance system
(17.06.2009)
http://www.edri.org/edri-gram/number7.12/stockholm-programme-eu-surveillance

EDRi-gram: EU supports RFID with proper protection of consumers' privacy
(20.05.2009)
http://www.edri.org/edri-gram/number7.10/rfid-european-commission-recommandation

EDRi-gram: 'Right to the silence of the chips' in the new EC Communication 
(1.07.2009)
http://www.edri.org/edri-gram/number7.13/right-silence-of-the-chips

(Contribution by Andreas Krisch - EDRi)

============================================================
10. Recommended Reading
============================================================

Briefing on the Interception Modernisation Programme by the LSE Policy
Engagement Network
http://www.lse.ac.uk/collections/informationSystems/research/policyEngagement/IMP_Briefing.pdf

Deep Packet Inspection and Internet Censorship: International
Convergence on an 'Integrated Technology of Control'
http://advocacy.globalvoicesonline.org/wp-content/plugins/download-monitor/download.php?id=14
http://advocacy.globalvoicesonline.org/2009/06/25/study-deep-packet-inspection-and-internet-censorship/

Final Report on the Content Online Platform
http://ec.europa.eu/avpolicy/docs/other_actions/col_platform_report.pdf
http://ec.europa.eu/avpolicy/other_actions/content_online/index_en.htm

============================================================
11. Agenda
============================================================

2-3 July 2009, Padova, Italy
3rd FLOSS International Workshop on Free/Libre Open Source Software
http://www.decon.unipd.it/personale/curri/manenti/floss/floss09.html

6-7 July 2009, Barcelona, Spain
Fifth Internet Law & Politics Conference organized by the Law and Political
Science Department of the Universitat Oberta de Catalunya
The Pros and Cons of Social Networking Sites.
http://www.uoc.edu/symposia/idp2009/engl/index.html

13-16 August 2009, Vierhouten, The Netherlands
Hacking at Random
http://www.har2009.org/

23-27 August 2009, Milan, Italy
World Library and Information Congress: 75th IFLA General Conference and
Council: "Libraries create futures: Building on cultural heritage"
http://www.ifla.org/IV/ifla75/index.htm

10-12 September 2009, Potsdam, Germany
5th ECPR General Conference, Potsdam
Section: Protest Politics
Panel: The Contentious Politics of Intellectual Property
http://www.ecpr.org.uk/potsdam/default.asp

16-18 September 2009, Crete, Greece
World Summit on the Knowledge Society WSKS 2009
http://www.open-knowledge-society.org/

17-18 September 2009, Amsterdam, Netherlands
Gikii, A Workshop on Law, Technology and Popular Culture
Institute for Information Law (IViR) - University of Amsterdam
http://www.law.ed.ac.uk/ahrc/gikii/2009.asp

21-23 October 2009, Istanbul, Turkey
eChallenges 2009
http://www.echallenges.org/e2009/default.asp

24-25 October 2009, Vienna, Austria
3rd European Privacy Open Space
http://www.privacyos.eu

25 October 2009, Vienna, Austria
Austrian Big Brother Awards
Deadline for nominations: 21 September 2009
http://www.bigbrotherawards.at/

16 October 2009, Bielefeld, Germany
10th German Big Brother Awards
Deadline for nominations: 15 July 2009
http://www.bigbrotherawards.de/

13-15 November 2009, Gothenburg, Sweden
Free Society Conference and Nordic Summit
http://www.fscons.org/

15-18 November 2009, Sharm El Sheikh, Egypt
UN Internet Governance Forum
http://www.intgovforum.org/

============================================================
12. About
============================================================

EDRI-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRI has 29 members based or with offices in 18 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRI-grams.

All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and visibly on the
EDRI website.

Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/

Newsletter editor: Bogdan Manolea <edrigram at edri.org>

Information about EDRI and its members:
http://www.edri.org/

European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.
http://www.edri.org/about/sponsoring

- EDRI-gram subscription information

subscribe by e-mail
To: edri-news-request at edri.org
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.

unsubscribe by e-mail
To: edri-news-request at edri.org
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edrigram-mk.php

- EDRI-gram in German

EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/

- Newsletter archive

Back issues are available at:
http://www.edri.org/edrigram

- Help
Please ask <edrigram at edri.org> if you have any problems with subscribing or
unsubscribing.

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE