EDRi-gram newsletter - Number 8.13, 30 June 2010

EDRI-gram newsletter edrigram at edri.org
Wed Jun 30 07:55:45 PDT 2010



biweekly newsletter about digital civil rights in Europe

    Number 8.13, 30 June 2010


1. Data retention - time for evidence-based decision making
2. Same privacy concerns for the new SWIFT treaty
3. ACTA - new criminal sanctions for non-commercial copyright uses?
4. EP calls for a clear legal framework for the Internet of Things
5. Article 29 WP issues opinion on cookies in the new ePrivacy Directive
6. Increased pressure on Turkey to stop Internet blocking
7. Iceland - first steps for a new media haven
8. ENDitorial: Council of Europe draft Recommendation on Profiling
9. Recommended Action
10. Recommended Reading
11. Agenda
12. About

1. Data retention - time for evidence-based decision making

In June 2010 the European Parliament adopted a farcical "written
declaration" ostensibly on the creation of an "early warning system" to
fight pedophiles. Funded by unknown sources, the MEPs in charge (Zaborska
from the Czech Republic and Motti from Italy) put together the Declaration
in order to promote the retention of communications data and the extension
of this practice to "search engines".

After tabling the declaration, a highly polished, American-style lobby
campaign went into operation. The lobbying neatly avoided mentioning data
retention in any of the associated printed materials, in any of the e-mails
sent to MEPs and on the campaign's website.

The MEPs involved and their staff harangued and harassed parliamentarians,
even to the point of putting lobbying material on their desks in the
Parliament's hemicycle itself - with the simple message of "sign to fight
sexual harassment" using a picture of a vulnerable-looking child. Mainly as
a result of the large number of parliamentarians that signed due to
mistakenly trusting what they were told about the content of the
declaration, it was adopted.

The Declaration has now been sent to the European Commission, where Cecillia
Malmstrvm, who vehemently opposed the Data Retention Directive in her
previous job as a Member of the European Parliament, needs to decide how to
respond. Having indicated in the Swedish press that such an approach would
be disproportionate, there are reasons to be hopeful that her position will
be firm and favourable to citizens' rights. To make Commissioner Malmstrom's
task even easier, she took an oath in May of this year to respect the
Charter of Fundamental Rights of the European Union.

Unequivocal opposition to such extreme proposals is important, particularly
at the moment. By the end of this week, the relevant Directorate-General of
the Commission will have completed its first draft assessment of the Data
Retention Directive, which will then be reviewed by the Commissioner. This
will then be followed by a second round of drafting, consultation with the
other parts of the Commission and adoption of the final report, probably in
the second half of September. In the absence of evidence to suggest that
data retention has served any useful purpose, it is to be hoped that the
Commissioner will maintain her opposition to the Directive and propose
appropriate and ambitious amendments, removing obligations on all Member
States to impose long-term blanket data retention on all citizens.

This process is all the more important as a result of developments in the
Council of Europe, which will soon adopt its Recommendation on Profiling.
The current and almost final version of that text lends credibility to
Member States that wish to exploit retained data to assign "profiles" to
innocent citizens. The Recommendation exempts Member States from having to
apply three important chapters: on lawfulness, data quality and sensitive
data. In 2008, a report prepared for the Council of Europe pointed out that
registration of internet users is "likely to have a chilling effect not just
on journalists but on any users that wish to access public or legal, but
controversial materials." The implementation of profiling would make this
serious chilling effect seem minor in comparison.

Campaigning against the Data Retention Directive is already in full swing.
More than 100 organisations (including EDRi) from 23 European countries
asked last week EU Commissioners Malmstrvm, Reding and Kroes in a joint
letter to "propose the repeal of the EU requirements regarding data
retention in favour of a system of expedited preservation and targeted
collection of traffic data". Among the signatories are civil liberties, data
protection and human rights associations as well as crisis line and
emergency call operators, professional associations of journalists, jurists
and doctors, trade unions, consumer organisations and industry associations.

Study undertaken for the Council of Europe on the effects of anti-terror
legislation (11.2008)

Written declaration 29 website

Oath sworn by Commissioners (3.05.2010)

Draft Council of Europe Recommendation on profiling (3.06.2010)

Data retention Directive

Malmstrom says no to Google Storage (only in Swedish, 28.06.2010)

Letter to Commissioner (22.06.2010)

Civil society calls for an end to compulsory telecommunications data
retention (28.06.2010)

(Contribution by Joe McNamee - EDRi)

2. Same privacy concerns for the new SWIFT treaty

The agreement between the EU and USA on the transfer of bank data through
SWIFT was signed on 28 June 2010 after the Spanish Presidency of the Council
of Ministers has accepted some of the changes on the text proposed by MEPs,
but with no significant improvements from the Agreement rejected by the
European Parliament in February 2010.

The text of the new SWIFT Agreement will now probably be rushed through the
next European Parliament plenary session in Strasbourg (5-8 July).

After the draft agreement was initiated by Commissioner Cecilia Malmstrvm on
10 June, MEPs asked for changes to the text concerning the bulk transfer of
data, the creation of an EU counterpart to the US Terrorist Finance Tracking
Programme (TFTP), and EU oversight of TFTP data-processing in the US.

Unfortunately, the new adopted text still allows for bulk data transfers.
The Parliament would have liked to replace bulk data with targeted searches
carried out by an EU-based authority but according to MEP Birgit Sippel, "We
cannot reduce the problem of bulk data for the moment as we do not have the
technical capability."

The retention period is still 5 years and there is no real system in
place from the US on a binding legal redress. The US Privacy Act court
clauses only apply to US citizens and legal residents. Therefore there is
currently no right of judicial review for foreign citizens and residents
(including EU) under the US law.

Another key critique to the current text is the role of Europol that should
authorize the data transfer requests from the US. Besides the fact that
Europol is not a judicial authority, as requested by the European Parliament
in May 2010 Resolution, the incentive from this agency to limit the amount
of data being transferred is extremely reduced due to the fact that they can
actually request data searches from the US.

On 25 June, EDPS Peter Hustinx expressed his concerns related to the
transfer of bulk amounts of bank data to the U.S. authorities and pointed
out the key elements to be improved for data protection, especially as
regarding data retention periods, enforceability of the citizens' data
protection rights, judicial oversight and independent supervision. "I am
fully aware that the fight against terrorism and terrorism financing may
require restrictions to the right to the protection of personal data.
However, in view of the intrusive nature of the draft agreement, which
allows transfers of data in bulk to the US, the necessity of such scheme
should first be unambiguously established, especially in relation to already
existing instruments. Would this be the case, other key elements should
however be improved in order to meet the conditions of the EU legal
framework for data protection."

As MEP Alexander Alvaro told EurActiv, in terms of the agreement, the
European Commission will write a framework for the extraction of data on US
soil in order to set up an EU equivalent to TFTP and in case after five
years this is not in place, the Commission will have to renegotiate or
terminate the present agreement. But the present text automatically extends
for one more year if nothing happens. It does not have to be renewed, it
just has to be actively terminated.

EU, US sign SWIFT agreement (28.06.2010)

EU wins concessions on US bank data-sharing deal (25.06.2010)

EU-US new draft agreement on financial data transfers: EDPS calls for
further data protection improvements (22.06.2010)

EDRi-gram: New SWIFT agreement as bad as the rejected one (16.06.2010)

3. ACTA - new criminal sanctions for non-commercial copyright uses?

A new round of negotiations on the Anti-Counterfeiting Trade Agreement
(ACTA) is in progress until 1 July 2010 at Luzern, Switzerland between 11
parties including the EU.

A document leaked from the EU Presidency dated 7 April 2010 shows that EU
member states intended to introduce under ACTA more criminal sanctions for
copyright infringements even for non-commercial reasons.

The EU Presidency document stated that the position of the EU Member States
is still under examination with regard to article 2.14.1 covering copyright
or related rights infringements. Some proposals of this article explicitly
plan to apply criminal sanctions to "infringements that have no direct or
indirect motivation of financial gain".

"The ACTA agreement, by its opacity and undemocratic nature, allows criminal
sanctions to be simply negotiated. The leaked document shows that the EU
Member States are willing to impose prison sanctions for non-commercial
usages of copyrighted works on the Internet as well as for 'inciting and
aiding', a notion so broad that it could cover any Internet service or
speech questioning copyright policies. EU citizens should interrogate their
governments about their support to policies that obviously attack freedom of
speech, privacy and innovation" says Jirimie Zimmermann, spokesperson for
La Quadrature du Net.

ACTA will also hinder access to medicine by preventing the production and
the exportation of generic molecules. "ACTA would affect the access to
treatments worldwide, because it will hinder the access to cheap generic
drugs. Without generic drugs, it would have never been possible for 4
millions people to have access to antiretroviral drugs. If concluded, ACTA
would be a terrible stepback for millions of people living with HIV
worldwide," stated Pauline Londeix, spokesperson for Act Up-Paris.

Some countries, such as India, threatened to establish a coalition of
countries against the treaty as they believe ACTA is in conflict with
international trade law, and it undermines the balance of rights,
obligations and flexibilities that already exists within international law.

The Swiss Pirate Party together with their Pirate colleagues from Germany
and Switzerland organised a rally at the Lucerne train station. The Pirate
parties and a group of 12 non-governmental organisations are also having
short meetings with the Swiss and other delegations.

The Berne Declaration, Midecins Sans Frontihres , ACT UP Paris, Knowledge
Ecology International, Oxfam, La Quadrature du Net, Third World Network, and
representatives of the Washington College of Law issued on 23 June an urgent
ACTA Communique, which attracted a huge number of signatories from MEPs,
academics and NGOs. The document states that the new treaty will encourage
internet service providers to police the activities of internet users by
holding internet providers responsible for the actions of subscribers,
conditioning safe harbours on adopting policing policies, and by requiring
parties to encourage cooperation between service providers and rights
holders. It will also encourage this surveillance, and the potential for
punitive disconnections by private actors, without adequate court oversight
or due process.

In a joint statement of the European associations of fixed and mobile
telecoms operators, European internet service providers, cable companies and
digital media organisations have also warned that the "proposed obligation
on online providers to reveal the identity of their subscribers directly to
right holders violates the existing EU data protection obligations."

Also, the International Trademark Association and the International Chamber
of Commerce's Business Action to Stop Counterfeiting and Piracy submitted
joint recommendations and comments on the ACTA text and recommended
maintaining the "original, narrow scope of ACTA to trademark counterfeiting
and copyright piracy for ACTA's effective implementation in different
countries." According to them, "the scope of draft text of the agreement
includes a wide range of intellectual property rights, which risks diluting
the focus and overall strength of the trade agreement."

International Experts Find that Pending Anti-Counterfeiting Trade Agreement
Threatens Public Interests (23.06.2010)

Leak: EU pushes for criminalizing non-commercial usages in ACTA (24.06.2010)

ACTA: International 'three strikes', surveillance and worse (23.06.2010)

The ACTA casino must be closed (28.06.2010)

Geist: Developing world opposition mounts to anti-counterfeiting agreement

Scope Of Anti-Counterfeiting Agreement Again A Big Issue In Round Nine

EDRi-gram: ACTA: European Commission transparently ignores European
Parliament (21.04.2010)

4. EP calls for a clear legal framework for the Internet of Things

In a resolution on the Internet of Things, adopted on 15 June 2010, the
European Parliament (EP) welcomes the communication of the Commission on
the topic and in principle endorses the broad outlines of the action plan to
promote the Internet of Things.

The Parliament however takes the view that the development of new
applications and the actual functioning and business potential of the
Internet of Things will be intrinsically linked to the trust European
consumers have in the system, and points out that trust exists when doubts
about potential threats to privacy and health are clarified. It stresses
that this trust must be based on a clear legal framework, including rules
governing the control, collection, processing and use of the data collected
and transmitted by the Internet of Things and the types of consent needed
from consumers.

The Parliament further notes that the Internet of Things will lead to the
collection of truly massive amounts of data and calls on the Commission, in
this connection, to submit a proposal for the adaptation of the European
Data Protection Directive with a view to address the data collected and
transmitted by the Internet of Things.

In the view of the Parliament, respect for privacy and the protection of
personal data together with openness and interoperability are the only ways
the Internet of Things will gain wider social acceptance. The EP firmly
believes that all users should have control over their personal data and
stresses that a precondition for promoting technology is the introduction of
legal provisions to reinforce respect for the fundamental values and for the
protection of personal data and privacy.

In the context of privacy by design, the European Parliament also notes the
opinion of the European Data Protection Supervisor (EDPS) on this topic, who
stressed the importance of Privacy by Design as the guiding
principle and highlighted that in the context of RFID, the existing data
protection rules need to be complemented with additional rules imposing
specific safeguards, particularly making it mandatory to embed technical
solutions (Privacy by Design) in RFID technology. He furthermore expressed
his concern that RFID operators in the retail sector may overlook the
possibility for RFID tags to be monitored by unwanted third parties and
thinks it is conceivable that self-regulation will not deliver the expected
results. He therefore called upon the Commission to be ready to propose
legislative instruments regulating the main issues of RFID usage in case the
effective implementation of the existing legal framework fails.

This call for a regulation of the main issues of RFID usage now obviously
gained support from the European Parliament which, in addition, underlines
that RFID applications must be operated in accordance with the rules on
privacy and data protection enshrined in Articles 7 and 8 of the Charter of
Fundamental Rights of the European Union.

The resolution of the Parliament not only addresses the European Commission
but also calls on manufacturers to secure the right to "chip silence" and
calls for RFID application operators to take all reasonable steps to ensure
that data does not relate to an identified or identifiable natural person
unless such data is processed in compliance with the applicable principles
and legal rules on data protection.

It is the believe of the Parliament that a general principle should be
adopted whereby Internet of Things technologies should be designed to
collect and use only the absolute minimum amount of data needed to perform
their function, and should prevent from collecting any supplementary data.
It calls for a significant amount of the data shared by the Internet of
Things to be made anonymous before being transmitted, in order to secure

The European Parliament believes in the importance of ensuring that all
fundamental rights - not only privacy - are protected in the process of
developing the Internet of Things and calls on the Commission to monitor
closely the implementation of the European regulations already adopted in
this area and to present, by the end of the year, a timetable for the
guidelines it intends to propose at the EU level for improving the safety of
the Internet of Things and of RFID applications.

As EDRi-gram reported earlier this year the resolution was drafted by MEP
Maria Badia i Cutchet, rapporteur to the European Parliament's Committee on
Industry, Research and Energy (ITRE) including opinions of the Committees on
International Trade, Internal Market and Consumer Protection and Legal

The EP Resolution has to be seen not only in the context of the European
Commission's communication on the Internet of Things and the EDPS opinion on
Privacy by Design, but also of the European Commission's RFID recommendation
and the Industry proposal for an RFID Privacy Impact Assessment, which
unfortunately fails to identify a single specific risk.

In this context, the resolution of the European Parliament can be seen as
another strong signal towards the European Commission to act without undue
delay to effectively protect the fundamental rights of individuals affected
by RFID and other technologies related to the Internet of Things and towards
manufacturers and RFID application operators to take their obligations
serious and effectively secure privacy and data protection rights of all
persons affected by their products and applications.

European Parliament resolution of 15 June 2010 on the Internet of Things
(2009/2224(INI)) (15.06.2010)

Communication to the European Parliament, the Council, the EESC and the
committee of the Regions: Internet of Things - An action plan for Europe

EDRi-gram: EP, EDPS and EDRi on RFID and the Internet of Things (24.03.2010)

EDRi-gram: Industry proposed RFID Privacy Impact Assessment Framework

Commission Recommendation on the implementation of privacy and data
protection principles in applications supported by radio-frequency
identification (12.05.2009)

(Contribution by Andreas Krisch - EDRi)

5. Article 29 WP issues opinion on cookies in the new ePrivacy Directive

The Article 29 Data Protection Working Party (WP) representing the European
data protection authorities published on 24 June an opinion clarifying the
application of the data protection rules in online behavioural advertising,
with a focus on the new text of the ePrivacy Directive.

Article 29 Working Party believes that while online behavioural advertising
may be beneficial for businesses and users alike, it still raises personal
data protection and privacy issues. The opinion states that the advertising
providers using tracking cookies are bound, through the revised ePrivacy
Directive, to obtain the informed consent of their users before the
installation of tracking devices such as cookies. According to the
Directive, storing and accessing information on users' computers is lawful
only "on condition that the subscriber or user concerned has given his or
her consent, having been provided with clear and comprehensive information
about the purposes of the processing". The only except is in the case a
cookie is absolutely necessary for the provision of a certain service
required explicitly by a user.

In its Opinion, the Working Party asks for simple and effective mechanisms
by means of which users can give their consent for online behavioural
advertising but also simple and effective mechanisms by means of which they
can withdraw their consent. Presently, allowing cookies is a default setting
with three out of the four major used browsers and Article 29 WP believes
that the users not changing a default setting does not necessarily means
consent. The users should be clearly informed, in an understandable manner,
on the purposes of tracking and given the choice of having their behaviour
browsed or not.

"Average data subjects are not aware of the tracking of their online
behaviour, the purposes of the tracking, etc. They are not always aware of
how to use browser settings to reject cookies, even if this is included in
privacy policies," says the opinion.

However, the Working Party considered the consent may be given to an
advertising network and not to every single website. "....the consent
obtained to place the cookie and use the information to send targeting
advertising would cover subsequent 'readings' of the cookie that take place
every time the user visits a website partner of the ad network provider
which initially placed the cookie." Article 29 WP also said that this
consent should expire after a year, and that each advertising network should
request consent again after that period. It also said that the consent could
be withdrawn at any time.

The Internet Advertising Bureau Europe, the European Publishers Council and
other advertising and publishers' trade bodies reacted to this opinion by
issuing a statement saying: "The industry believes this is a gross
misinterpretation of the intention of the Directive and a misrepresentation
of the type of data typically collected and processed for the purposes of
serving interest-based advertising to consumers on our websites."

The Article 29 WG's opinion is based on the opinion presented on 23 June
2010 during EP Privacy Platform Meeting by Belgian Data Protection
Supervisor Mr. Debeuckelaere which focused on "Transparency, Information,
Consent". During  the meeting, aspects of behavioural advertising were
discussed by more than 100 representatives from industry, privacy activists,
EU institutions, governments and European data protection supervisors.

The representatives of Privacy International and the Electronic Frontier
Foundation argued that the user control tools do not allow for the complete
erasure of profiles, and some data collection, for example by flash cookies,
remains invisible and outside the control of the user.

During the meeting, Mrs Sophia In 't Veld, rapporteur for competition issues
in the Economic Affairs committee, suggested that besides consent and
transparency, a key word should be "choice". "Often internet users are more
or less obliged to give their consent, as there is no alternative. Users
must have a real choice, otherwise it is just token consent", said In 't
Veld who also pointed out the necessity of having a single set of data
protection rules that would apply to the private as well as the public
sectors. "We must regulate the use of personal data for commercial purposes,
but the same standards of data protection should apply to the use of those
same data by public authorities for law enforcement purposes. We often do
not realise how government agencies are using data collected by companies
for commercial purposes. But different rules apply to the private and public
sectors. That must be corrected".

Article 29 Data Protection Working Party Opt-out is not sufficient

Opt-out is not sufficient - European Data Protection Authorities clarify EU
rules on online behavioural Advertising (22.06.2010)

Cookie consent can't be implied from browser settings, say privacy watchdogs

Transparency, Choice and Consent key words for cookies (24.06.2010)

6. Increased pressure on Turkey to stop Internet blocking

As Turkey continues its ban on Google's YouTube and other services, it
attracts more and more criticism. After Turkey's President Abdullah Gul
himself has taken position against its own government in this matter, it is
now OSCE turn to react.

On 22 June 2010, Dunja Mijatovic, the OSCE Representative on Freedom of the
Media, asked the Turkish authorities to restore access to Google's YouTube
and other services and change the much-criticized Law No. 5651 (so-called
Internet Law) in order to be in line with international standards on free
expression. "I ask the Turkish authorities to revoke the blocking provisions
that prevent citizens from being part of today's global information society.
I also ask them to carry out a very much needed reform of Law No. 5651,"
said Mijatovic.

OSCE representative has sent a letter to Turkish Foreign Minister Ahmet
Davutoglu, showing concern about the new blocking decisions taken at the
beginning of June when the ban was extended to other Google services such as
Google Translate or Google Docs.

The Turkish Communication Minister Binali Yildirim has lately argued that
the reason of banning Google services is related to tax disputes and has
accused Google of infringing the Turkish law and of failing to cooperate
with the Turkish authorities. "This site is waging a battle against the
Turkish." But not even the flawed Internet Law includes tax disputes among
the reasons for blocking websites, as was pointed out by Mijatovic who
added: "My office has been promoting the urgent reform of Law No. 5651,
because it considerably limits freedom of expression and severely restricts
citizens' right to access information."

Google, in its turn, is confident it complies with tax laws in every country
where it operates. "We are currently in discussion with the Turkish
authorities about this, and are confident we comply with Turkish law. We
report profits in Turkey which are appropriate for the activities of our
Turkish operations," was Google's statement.

A petition has been signed by hundreds of Internet users denouncing the ban
as an affront to "free speech and rights to access information" and calling
for Binali Yildirim's resignation. Three information technology groups are
challenging the ban in courts.

Richard Howitt, a British member of the European Parliament and advocate of
Turkey's European Union membership, has warned Turkey that the ban puts "the
country alongside Iran, North Korea and Vietnam as one of the world's worst
offenders for cyber censorship" and the country cannot expect to be
considered as a serious candidate for the EU as long as it continues to
censor the Internet.

On 18 June 2010, as a protest against the decision taken by the Turkish
Government, a group of hackers co-ordinated a DoS attack that
lasted 10 hours against the websites of the Ministry of Transportation,
Information and Communication Technologies Authority and the
Telecommunications Communication Presidency, the authorities that have been
directly involved in the banning.

OSCE media freedom representative asks Turkey to withdraw recent Internet
blocking provisions, calls for urgent reform of law (22.06.2010)

Turkey tightens Internet control in YouTube feud (26.06.2010)

OSCE calls on Turkey to stop blocking YouTube (22.06.2010)

Access Denied to Turkish Censorship Authorities' websites (18.06.2010)

EDRi-gram: Turkey extends the censorship of YouTube (16.06.2010)

7. Iceland - first steps for a new media haven

Iceland's Parliament has recently accepted a proposal by Icelandic Modern
Media Initiative (IMMI) asking the Icelandic Government to find "ways to
strengthen freedoms of expression and information freedom in Iceland, (and
provide) strong protections for sources and whistleblowers."

The proposal from IMMI came after secret dealings by a few banks in Iceland
in 2009 leading to enormous debts and the lack of regulation and control,
almost bankrupted the entire country. The initiative comes also in relation
to website Wikileaks, who made those Icelandese dealings public and which
has a policy to make public secretly-submitted documents and materials.

Its approval by the Parliament may turn Iceland into a haven for media, with
one of the strongest freedom of expression and whistleblowing protection
laws. "We can create a comprehensive policy and legal framework to protect
the free expression needed for investigative journalism and other
politically important publishing," says IMMI.

The IMMI has proposed several legal reforms including the limitation of the
scope of an exception to existing source protection laws, the increase of
protections for whistleblowers employed by the state and the creation of a
law similar to the free speech-protecting anti-SLAPP (Strategic Litigation
against Public Participation) law of California.

The plan intends to take advantage of protections in Iceland for material
published from web servers based there. "Iceland could become an ideal
environment for Internet-based international media and publishers to
register their services, start-ups, data centers and human rights
organizations. It could be a lever for the economy and create new work
employment opportunities," says the initiative.

Speaking at a meeting of the European Parliament on 21 June, MP Birgitta
Jsnsdsttir said the Icelandic initiative "pulls together the best
legislation from around the world to promote transparency" and suggested
that such measures for the protection of sources may also be brought in
Europe. "The right and ability to communicate knowledge is above most other
rights. We must take care when regulating freedom of speech, because that
speech is what all other rights are founded upon," said Jsnsdsttir.

For those who suffer from breaches of confidence, according to Struan
Robertson, a technology lawyer with Pinsent Masons, there will be some
safeguards. "If Iceland is granting immunity to websites that host leaked
documents, and if it's prepared to reject take-down orders from foreign
courts, that gives the overseas content owner a real problem when the threat
of domestic sanctions fails to deter a leak. The proposal does not affect
copyright law, though. So it may be that take-down demands based on
copyright infringement will be more effective than those based on breach of

Icelandic parliament backs 'free speech haven' plan (21.06.2010)

Videos of proposal's vote (only in Icelandic)

Icelandic Modern Media Initiative (IMMI)

A Vision of Iceland as a Haven for Journalists (21.02.2010)

EU 'must act as role model' in promoting free speech (23.06.2010)

8. ENDitorial: Council of Europe draft Recommendation on Profiling

Approximately in parallel to the work of the EU's Article 29 Committee on
cookies, the Council of Europe has been preparing a wider Recommendation on
profiling. The document has been discussed for over a year, with a
consultation on an earlier draft having been organised at the end of 2009.

While obviously responding to the increasing options offered by the digital
environment with regard to public and private sector profiling, the text
attempts to cover the online and offline environments. The document makes
some pertinent statements - in addition to acknowledging the positive
benefits of more targeted services, it points out that "the lack of
transparency or even "invisibility" of profiling and the lack of accuracy
that may derive from the automatic application of pre-established rules of
inference can pose significant risks for the individual's rights and
freedoms," that "violate the principle of non-discrimination" and that
profiling could expose individuals to particularly high risks of
discrimination and attacks on their personal rights and dignity. However, it
then does little to mitigate these risk and, worse still, appears to
increase the chances of such risks being taken with personal data by public

The text copies and pastes definitions from the Convention on Data
Protection which seem rather incongruous in this context in the absence of
more detailed analysis and practical analysis. From the profiling
organisation's perspective, it seems obvious that data should and will be
"adequate, relevant and not excessive in relation to the purposes for which
they are collected or for which they will be processed". Generally, however,
a lot of questions are left open, such as what could be understood by
"informed consent", procedures for providing access to and correction of
data which is indirectly personally identifiable.

Overall, the current draft text does little to clarify the core issues of
effective communication to consumers, informed consent, access to and
correction of data and the "right to be forgotten". Earlier drafts of the
proposal were neutral on the use of profiling by states, indicating that the
Recommendation was aimed at the private sector, leaving the choice to
Member States to extend it to the public sector if they so wished. This was
replaced in the most recent version, which seems to assume the use of
profiling by state authorities and implicitly accepts that, when

Member States can both use profiling and avoid implementation of a large
swathe of the Recommendation covering lawfulness, information
and the rights of data subjects. Bearing in mind the dangers to fundamental
rights identified and enumerated in the text and previous positions taken by
the Council of Europe, it appears unlikely that implicit and uncritical
support for profiling is the intention of the Recommendation.

Draft Recommendation on the Protection of Individuals with regard to
automatic processing of personal data in the framework of profiling June
2010 (3.06.2010)

Draft Recommendation on the Protection of Individuals with regard to
automatic processing of personal data in the framework of profiling

EDRi Consultation Response (3.11.2009)

(Contribution by Joe McNamee - EDRi)

9. Recommended Action

Public consultation on the open internet and net neutrality. DG Information
Society and Media has launched a public consultation on key questions
arising from the issue of net neutrality.
The consultation covers such issues as whether internet providers should be
allowed to adopt certain traffic management practices, prioritising one kind
of internet traffic over another; whether such traffic management practices
may create problems and have unfair effects for users; whether the level of
competition between different internet service providers and the
transparency requirements of the new telecom framework may be sufficient to
avoid potential problems by allowing consumers' choice; and whether the EU
needs to act further to ensure fairness in the internet market, or whether
industry should take the lead.

European Commissions4 public consultation on the future direction of EU
trade policy
Call open until 28 July 2010

10. Recommended Reading

The European Court of Justice defines the scope of the protection of
personal data in the context of access to documents of the Union
institutions. Judgment of the Court of Justice in Case C-28/08: Commission v
Bavarian Lager

OFCOM: No need for net neutrality

11. Agenda

9-11 July 2010, Gdansk, Poland
Wikimedia 2010 - the 6th annual Wikimedia Conference

25-31 July 2010, Meissen, Germany
European Summer School on Internet Governance

29-31 July 2010, Freiburg, Germany
IADIS - International Conference ICT, Society and Human Beings 2010

2-6 August 2010, Helsingborg, Sweden
Privacy and Identity Management for Life (PrimeLife/IFIP Summer School 2010)

31 August - 3 September 2010, Budapest, Hungary
OpenOffice 2010 Conference

13-17 September 2010, Crete, Greece
Privacy and Security in the Future Internet
3rd Network and Information Security (NIS'10) Summer School

14-16 September 2010, Vilnius, Lithuania
Internet Governance Forum 2010

8-9 October 2010, Berlin, Germany
The 3rd Free Culture Research Conference

25-26 October 2010, Jerusalem, Israel
OECD Conference on "Privacy, Technology and Global Data Flows", celebrating
the 30th anniversary of the OECD Guidelines on the Protection of Privacy and
Transborder Flows of Personal Data

27-29 October 2010, Jerusalem, Israel
The 32nd Annual International Conference of Data Protection and Privacy

28-31 October 2010, Barcelona, Spain
oXcars and Free Culture Forum 2010, the biggest free culture event of all

3-5 November 2010, Barcelona, Spain
The Fifth International Conference on Legal, Security and Privacy Issues in
IT Law. Call for papers deadline: 10 September 2010

17 November 2010, Gent, Belgium
Big Brother Awards 2010 Belgium

12. About

EDRI-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRI has 27 members based or with offices in 17 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRI-grams.

All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and visibly on the
EDRI website.

Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at

Newsletter editor: Bogdan Manolea <edrigram at edri.org>

Information about EDRI and its members:

European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.

- EDRI-gram subscription information

subscribe by e-mail
To: edri-news-request at edri.org
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.
unsubscribe by e-mail
To: edri-news-request at edri.org
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis

- EDRI-gram in German

EDRI-gram is also available in German, with delay. Translations are provided
Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users

- Newsletter archive

Back issues are available at:

- Help
Please ask <edrigram at edri.org> if you have any problems with subscribing or

----- End forwarded message -----
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

More information about the cypherpunks-legacy mailing list