EDRi-gram newsletter - Number 8.20, 20 October 2010

Wed Oct 20 11:49:24 PDT 2010

============================================================

           EDRi-gram

biweekly newsletter about digital civil rights in Europe

    Number 8.20, 20 October 2010

============================================================
Contents
============================================================

1. Guidelines for more rigorous respect of the Fundamental Rights Charter
2. Facebook applications raise new privacy concerns again
3. French DNS management must respect constitutional freedoms
4. Danish tax authorities want to mirror hard disks of private companies
5. Informal discussion in European Parliament on net neutrality
6. Lives put at risk by communications data retention
7. European Commission high-level discussions on data protection
8. UK Government will introduce an open data licence
9. Spanish DPA opens infringement procedures for Google Streetview
10. ENDitorial: Irish court rejects music industry demands for three strikes
11. Recommended Action
12. Recommended Reading
13. Agenda
14. About

============================================================
1. Guidelines for more rigorous respect of the Fundamental Rights Charter
============================================================

The European Commission has adopted a strategy which is aimed at ensuring
that the EU Charter of Fundamental Rights is respected at every stage of the
EU legislative process. At the initiative of Commissioner Reding, the
intention is to create a template to make it easier for the Commission to
measure its own respect for the Charter and, by extension, to give the
public a clearer yardstick by which to measure the actions of the
Commission.

As is Commissioner Reding's trademark, the Communication is very ambitious,
arguing that the "Union must be exemplary" in matters of fundamental rights
and demands that "the Charter must serve as compass for the Union's
policies and their implementation by the Member States."

Since the adoption of the Lisbon Treaty, which made the Charter legally
binding, all Commissioners took a personal oath to respect the Charter.
However, in the absence of a methodology to incorporate this into policy
development, the Commission has struggled to "mainstream" this new element
of legislative development into all of its activities. For example, when the
Commission re-tabled the draft Framework Decision on Child Exploitation, it
changed the proposal in a way which, according to its own impact assessment,
was contrary to the European Convention on Fundamental Rights (the
"meaning and rights" of which are incorporated into the Charter).

One of the clearest pedagogical elements of the Communication is a
"Fundamental Rights 'Check List'", listing the questions that the Commission
must ask at each stage of the legislative process when assessing the
possible impact of the proposed legislation. This is to be repeated at each
step of all legislative processes, from preparatory consultations thorough
the impact assessment process and the legislative process. This includes,
"using all means at its disposal" to fight noncompliant amendments tabled by
other institutions.

It is, unfortunately, very obvious that the Communication will not solve all
or even most of the failures of the Commission with regard to respect for
fundamental rights protected by the Charter and Convention of Fundamental
Rights. However, it is also clear that the Communication establishes a new
and very clear set of standards and guidelines against which the Commission
can now be measured. This is an important step in the right direction and a
significant achievement by Commissioner Reding.

European Commission adopts strategy to ensure respect for EU Charter of
Fundamental Rights (19.10.2010)
http://europa.eu/rapid/pressReleasesAction.do?reference=IP/10/1348&format=HTML&aged=0&language=EN&guiLanguage=en

European Commission Communication - Strategy for the effective
implementation of the Charter of Fundamental Rights by the European Union
(19.10.2010)
http://ec.europa.eu/justice/news/intro/doc/com_2010_573_4_en.pdf

(Contribution by Joe McNamee - EDRi)

============================================================
2. Facebook applications raise new privacy concerns again
============================================================

Facebook continues to raise concerns related to the privacy of its users'
personal data. According to an investigation made by Wall Street Journal
(WSJ), Facebook applications such as FarmVille have been supplying
identifying information of its users to several online advertising and
tracking companies.

Already in May 2010 it was revealed that under certain circumstances, when a
user was clicking on an ad, Facebook was transmitting its ID codes that were
used to look up individual profiles, including the user's real name, age,
hometown and other data. Although Facebook has interrupted the practice, it
has now come Facebook applications were doing the same practice.

The practice affects millions of users including those who have placed their
data under the strictest privacy settings. According to WSJ, at least ten of
the most popular Facebook applications also transmitted personal information
about the user's friends to external companies.

Two Facebook users from California, David Gould and Mike Robertson, have
filed a federal lawsuit against the social network for allegedly sharing
their real names and other private information with some advertisers,
considering Facebook was thus in direct violation of the federal law that
protects the privacy of electronic communications, the California
computer-crime law as well as the company's own privacy policy.

"A Facebook user ID may be inadvertently shared by a user's Internet browser
or by an application," stated a spokesman from Facebook on 16 October 2010,
who added that the company would introduce new technology to address the
problem.

According to the company, there is no basis for the law suit. As a Facebook
user's ID is a public part of any Facebook profile, anyone can use this
number to look up a person's name, by using a standard Web browser, even if
that person has posted Facebook information as private. Facebook IDs reveal
information that the users have set to share with everyone.

Most applications on Facebook are created by independent software developers
and it is not yet clear whether their developers knew that their
applications were transmitting Facebook ID numbers. The applications use a
common Web standard, known as a "referer" which passes on the address of the
last page viewed when a user clicks on a link. On Facebook and other
social-networking sites, referers can expose a user's identity.

While the supporters of online tracking argue that this kind of surveillance
is benign when being carried out anonymously, WSJ has found out that
RapLeaf, a data-collection firm, had linked Facebook users' ID information
obtained from applications to its own database of Internet users. The
company is selling its database and has transmitted Facebook IDs to several
other firms.

"We didn't do it on purpose," stated Joel Jewitt, vice president of business
development for RapLeaf.

After being contacted by the WSJ, Facebook has changed its system so that
the ID codes are no longer sent to other websites and has apparently also
shut down some applications transmitting user IDs. Since 15 October, the
users having tried to access certain applications have received an error
message being reverted to Facebook's home screen.
"We have taken immediate action to disable all applications that violate our
terms," a Facebook spokesman said.

Facebook in Privacy Breach (18.10.2010)
http://online.wsj.com/article/SB10001424052702304772804575558484075236968.html

Facebook apps 'leaking details to advertisers' (18.10.2010)
http://www.guardian.co.uk/technology/2010/oct/18/facebook-apps-data-privacy

Facebook Faces Suit Over Earlier Breach (17.10.2010)
http://blogs.wsj.com/digits/2010/10/17/facebook-faces-suit-over-earlier-breach/

EDRi-gram: Facebook under pressure for not observing its privacy principles
(19.05.2010)
http://www.edri.org/edrigram/number8.10/privacy-google-article-29

============================================================
3. French DNS management must respect constitutional freedoms
============================================================

In a ruling issued on 6 October 2010, the French Constitutional Council
affirmed the constitutional value of domain names. According to this
decision, which applies to the whole French DNS, a domain name attribution,
renewal, transfer or cancellation process must not only respect intellectual
property rights, but also freedom of expression and freedom of
entrepreneurship.

The ruling was issued in the framework of a new procedure, that allows
questioning the constitutionality of an existing law in the course of legal
proceedings related to the application of the given law. In this case, the
plaintiff was questioning the constitutionality of article L.45 of the
French Posts and Electronic Communication Code, adopted in 2004 as part of
the French law on trust in the digital economy ('Loi pour la confiance dans
l'iconomie numirique' or LCEN). This article provides that the French Domain
Name System (DNS) registries are appointed by the government; that each
French ccTLD is managed by a unique registry; and that the government
ensures that domain names are attributed by these registries "in view of the
general interest, according to non discriminatory rules made publicly
available and ensuring the respect, by the domain name holder, of
intellectual property rights".

The ruling follows the plaintiff argument that the article in question
was infringing Article 34 of the Constitution which provides, inter alia,
that "law shall lay down the basic principles of (...) systems of ownership,
property rights and civil and commercial obligations". Therefore, due to the
absence of precise enough safeguards, Article L.45 of the French Posts and
Electronic Communication Code gives the Administration and the designed
registries too much latitude regarding the management of the French DNS. In
particular, the Constitutional Council found that, as currently defined, the
law indeed protects intellectual property rights but neither freedom of
expression nor freedom of entrepreneurship, since the last two may be
restricted by the registry through denial of a domain name registration or
renewal, or through its transfer or cancellation.

AFNIC, the main French registry, manages the .fr as well as .re (Riunion
Island), .pm (Saint-Pierre and Miquelon), .tf (French Southern and Antarctic
Territories), .wf (Wallis and Futuna) and .yt (Mayotte). Other French ccTLDs
are managed by different registries; .mq (Martinique), .gp (Guadeloupe) and
.gf (French Guiana) are delegated to registrars; while.nc (New Caledonia)
and .pf (French Polynesia) are administrated by the respective territories.
The ccTLDs of the two other French territories (Saint Barthelemy and Saint
Martin) have no assigned registries yet, and the corresponding domains (.bl
and .mf) are not yet present in the root zone. All these registries have to
comply with the provision of Article L.45 of the French Posts and Electronic
Communication Code.

As a result of this decision, the law should now be amended by 1 July
2011. The Constitutional Council gave this delay in order to avoid a major
disruption that would otherwise threaten the legal continuity and security
of the French domain name space. After this deadline, any decision from the
government and/or from the registries designed pursuant to current Article
L.45 of the French Posts and Electronic Communication Code would be deemed
illegal.

It must be noted that this ruling only concerns registries designated by the
French government, according to the provisions having been found
unconstitutional. It does not extend to any other ccTLD than that of the
French national territory, nor to any gTLD. Furthermore, the Constitutional
Council decision has no impact on the question of whether the registration
of a domain name implies any property rights over this name or only the
right to use this name for the registration period.

However, and this is the major outcome of this decision, such a ruling may
be seen as a breakthrough from a political point of view for all those who
consider domain names as one of the means of freedom of expression and
communication in the digital environment.

French Constitutional Council decision and related dossier (only in French,
06.10.2010)
http://www.conseil-constitutionnel.fr/conseil-constitutionnel/francais/les-decisions/acces-par-date/decisions-depuis-1959/2010/2010-45-qpc/decision-n-2010-45-qpc-du-06-octobre-2010.49663.html

AFNIC (.fr registry) webiste
http://www.afnic.fr

(Contribution by Meryem Marzouki, French EDRI-member IRIS)

============================================================
4. Danish tax authorities want to mirror hard disks of private companies
============================================================

A new proposed law would allow the Danish tax authorities to simply mirror
entire hard disks of companies without a court order and before they have a
reason to suspect the company  has engaged in unlawful activities.

The proposal adds the following two paragraphs to the law of tax auditing
(unofficial translation):

"Paragraph. 6. Customs and tax administration can make identical
electronic copies (mirrors) of the content of electronic media that
falls under the control of the customs and tax administrations, and can
take the copied material away for subsequent review. The copied material
must be deleted, if the customs and tax administration determines
that the material does not contain information that is relevant for the
control exercised by the customs and tax administration. However, if the
customs and tax agency decides to proceed with the case, the copied
material must be deleted only after the case is finally decided.

Paragraph. 7. The minister of taxation determines, after submission to
the National Board of Taxation, further rules regarding the customs and
tax administration's right to make identical electronic copies (mirrors)
of the data content of electronic media, that are part of an inspection,
including rules on the retention and deletion of the copied material. "

In the comments to the proposal, the issue of proportionality in relation
to the Human Rights Convention article 8.2 is discussed. It was concluded
that since the tax authorities will only use mirroring in cases where
they would otherwise not get the necessary information, and only after
they have determined in each case that less drastic measures would not
be sufficient, then the impact on the individuals subject to the control
is limited.

The tax authorities argue the law will make their job easier, they
promise not to abuse their new powers, and are willing to make
adjustments if the consultation should point out minor problems.

The proposal from the liberal/conservative government is supported by
the largest opposition party, the Social Democrats, as Nick Hfkkerup said to
Berlingske newspaper. He wants to ensure that the mirrors are only used
for taxation, with the exception that if the tax authorities happen to
discover child abuse images, it should be reported to the police.

Conversely, the proposal has met hard criticism from the Danish Data
Protection Agency, major medias, think tank CEPOS, blogs, etc.

Draft law (only in Danish, 1.09.2010)
https://www.borger.dk/Lovgivning/Hoeringsportalen/dl.aspx?hpid=24994

Civil liberty under pressure (only in Danish, 4.10.2010)
http://www.berlingske.dk/ledere/borgerlig-frihed-under-pres

Tax authorities requires free access to the hard disk (only in Danish,
4.10.2010)
http://www.business.dk/oekonomi/skat-kraever-fri-adgang-til-harddisken

Politicians welcomed the mirroring (only in Danish, 4.10.2010)
http://www.business.dk/oekonomi/politikere-ser-positivt-paa-spejling

(Contribution by Niels Elgaard Larsen, EDRI-member IT-POL Denmark)

============================================================
5. Informal discussion in European Parliament on net neutrality
============================================================

For possibly the first time since the adoption of the "telecoms package", an
informal discussion on the issue of "net neutrality" took place at a
breakfast meeting hosted by Catherine Trautmann MEP. This happened ahead of
upcoming the net neutrality "summit" planned to take place in the European
Parliament.

None of the positions defended by the industry or consumer representatives
were particularly surprising, with Telefonica arguing that the "nightmare"
of increased demands of their services had to be responded to by increased
"management". In the same way as roads are not built to cope with maximum
possible demands, it would be wasteful to build networks to have enough
capacity to cope with maximum demand. Skype argued that the virtuous circle
created by the open Internet, whereby openness fosters innovation which
attracts more users, which increases the incentives to innovate, must be
protected. Skype and the European Consumers Bureau (BEUC) argued that
research shows clearly that transparency is insufficient to protect
consumers from non-neutral access providers because of the difficulties
involved in changing broadband providers.

The Commission said that there were over 300 responses to the recently
closed net neutrality consultation and that the priority was to ensure a
level playing field and to avoid fragmentation. The issue of deep packet
inspection, which BEUC said should be banned, was avoided by the Commission,
which argued that other technologies "must be possible".

During the debate, both Ivailo Kalfin (S+D, Bulgaria) and Edit Herczog (S+D,
Hungary) briefly raised the thorny issue of content regulation, presumably
because increased interference with citizens' communications for business
purposes will make it harder for access providers to avoid caving in to
demands to restrict or monitor access to data on the basis of government
requests or media pressure. Telefonica (whose subsidiary O2 accidentally
blocked the entirely innocent Imgur website because the "technology behind
the service is more far reaching than anticipated and on occasion a site
which should not be blocked may be") said that it was not interested in
censoring online material.

EDRi response to Commission consultation on net neutrality (30.09.2010)
http://www.edri.org/docs/netneutralityreaction300910.pdf

(Contribution by Joe McNamee - EDRi)

============================================================
6. Lives put at risk by communications data retention
============================================================

A report published on 8 October 2010 by German civil liberties activists
reveals that human lives are put at risk by the retention of all
telecommunication data.

According to the report, the data retention policy has endangered scientific
research, caused unemployment, encouraged corruption, promoted the abuse of
personal data and hindered the prosecution of crime.

The report gives examples of cases when the registration of communication
data failed to help the police in stopping criminals and how criminals might
have used more discreet ways of communicating and internet cafes to disguise
the origin and destination of messages.

Crisis lines have also been hindered in their work to persuade potential
perpetrators not to commit violent crimes by the traceability of anonymous
calls.

Already a 2009 study showed that the communications data retention law had
resulted in 12.8% of those surveyed already using an anonymisation
service, 6.4% moving to a service provider that didn't store data and
5.1% using internet cafis, The report also revealed that journalists had
lost their sources for fear of being traced.

The legislation also opened the door to abuse. In 2006, a T-Mobile co-worker
sold a database containing the personal data of 17 million customers,
including private addresses and secret numbers of politicians, ministers, an
ex-federal president, industrial leaders, billionaires and religious
leaders.

"Even if one investigation was facilitated by collecting all call details,
the policy has frustrated many other investigations and put human lives at
risk," stated the Working Group on Data Retention adding: "Blanket and
indiscriminate recording of details on every phone call, e-mail and internet
connection was useless for the prosecution of crime and totally
disproportionate."

In June 2010, more than 100 organisations (including EDRi) from 23
European countries sent a letter to EU Commissioners Malmstrvm, Reding and
Kroes asking for the data retention law to be repealed and be replaced by "a
system of expedited preservation and targeted collection of traffic data".

Communications data retention puts human lives at risk! (8.10.2010)
http://www.vorratsdatenspeicherung.de/content/view/390/55/lang,en/

Data retention boosts crime, says civil liberties group (8.10.2010)
http://www.computerweekly.com/Articles/2010/10/08/243246/Data-retention-boosts-crime-says-civil-liberties-group.htm

Liberties Groups' Report (only in German, 13.10.2010)
http://wiki.vorratsdatenspeicherung.de/images/Bericht_Sicherheit-vor-Sammelwut.pdf

Civil society calls for an end to compulsory telecommunications data
retention (28.06.2010)
http://www.vorratsdatenspeicherung.de/content/view/370/79/lang,en/

EDRi-gram: German civil society calls for a definitive end to telecom data
retention (21.04.2010)
http://www.edri.org/edrigram/number8.8/german-ngos-repeal-data-retention

============================================================
7. European Commission high-level discussions on data protection
============================================================

Commissioner Reding recently invited a wide variety of representatives from
industry, civil society, academia and law enforcement bodies to a high-level
meeting in the European Commission headquarters in Brussels. The dossier is
clearly a major priority for Ms Reding, who was very keen to discuss the
minutiae of the legislation with experts.

One of the most interesting elements of the discussions was the apparently
unanimous agreement across all stakeholders that the current data protection
regime is fragmented, ineffective and out of date. This environment
unfortunately leads to civil society groups and industry representatives
argue about jurisdiction rules when a key reason that jurisdiction is a
major issue is not jurisdiction itself, it is incoherence in implementation
of the Directive that makes both citizens and business afraid of having to
interact with foreign authorities with varying and sometimes unpredictable
interpretations of the Directive.

Industry speakers were also keen to reduce bureaucracy - one representative
said that the move of a data centre from Germany to the Switzerland costs
half a million euro in data protection-related legal fees. A number of
industry speakers were in favour of more detailed ex post checks and a
reduction in ex ante obligations. The Commission is clearly open to finding
ways of reducing the bureaucracy involved in data protection, although no
public statement has been made yet on what that could mean in practice.

The next stage in this process will be the publication next week of a
Communication by the European Commission establishing the broad direction
that the Commission intends to take with regard to updating existing
elements of the Directive and broadening the scope to a take account of the
Lisbon Treaty, which brings the former "third pillar" (police and judicial
cooperation) within the scope of the Treaty. One interesting question is
whether the Commission will seriously consider proposing a Regulation
(directly applicable on all Member States) as a way of overcoming the
current fragmentation in the implementation of the Directive.

European Commission Data Protection:
http://ec.europa.eu/justice/policies/privacy/index_en.htm

EDRi response to the first round of consultations (23.12.2009)
http://www.edri.org/files/Response%20EDRi%20on%20personal%20data%20consultation.pdf

(Contribution by Joe McNamee - EDRi)

============================================================
8. UK Government will introduce an open data licence
============================================================

A perpetual, royalty-free licence called Open Government Licence (OGL)
allowing the re-use of Governmental and public information will be
introduced by the UK Government.

"The Government grants a worldwide, royalty-free, perpetual and
non-exclusive licence under the conditions laid out in the OGL. The OGL
governs the re-use of public sector information, including material produced
by government departments, Parliaments, agencies, local authorities and
Trading Funds, but excludes personal data," is the government's statement.

According to the National Archives the licence will replace the present
Click-Use Licence and will also cover Crown Copyright, databases and source
codes. Moreover, OGL will not require the registration of users or a formal
application to get permission to re-use data.

The licence is meant to make governmental activities more transparent and to
enable and encourage the civil society and private sector to re-use this
information, assisting them in promoting creative and innovative activities.
It will be machine readable and therefore flexible, being able to work in
parallel with other licensing models recognised internationally such as
Creative Commons.

"We believe (transparency) is the best way for the public to hold
politicians and public bodies to account, encourage innovation and deliver
better value for money in public spending," said Francis Maude, Minister for
the Cabinet Office.

The types of information to be used and re-used will cover "non-personal
information collected and produced by government and the public sector,
including works subject to copyright and database right (much of this
information will be accessible on public sector web sites or already
published by the public sector), previously unpublished datasets released by
the public sector on portals, such as data.gov.uk and original and open
source software and source code."

The Government has also issued a framework governing the use of the licence
by Government departments and other public bodies.

"The UK Government Licensing Framework (UKGLF) provides a policy and legal
overview for licensing the re-use of public sector information both in
central government and the wider public sector. It sets out best practice,
standardises the licensing principles for government information and
recommends the use of the UK Open Government Licence (OGL) for public sector
information."

The framework makes it compulsory for central Government departments and
agencies to use the OGL for their freely available public information and is
intended to meet the needs and interests of community groups and social
organisations, the information re-user community in the private sector and
civil society and the public data developer community.

Government publishes open data license (7.10.2010)
http://www.out-law.com//default.aspx?page=11426

UK Government Licensing Framework for public sector information
http://www.nationalarchives.gov.uk/documents/uk-government-licensing-framework.pdf

EDRi-gram: New governmental usage of open licenses in the Netherlands and UK
(7.04.2010)
http://www.edri.org/edrigram/number8.7/open-content-government-uk-netherlands

============================================================
9. Spanish DPA opens infringement procedures for Google Streetview
============================================================

The Spanish Data Protection Agency (AEPD) has opened an infringement
proceeding against Google after completing the preliminary inspection
activities which started in May on the collection and storage without
consent of Wi-Fi networks location data and traffic data associated with
them (payload) by the vehicles used to photograph streets of several Spanish
cities, for the company's Street View application.

Moreover, once the infringement proceeding has been initiated, the AEPD has
forwarded to the court the final inspection report, and according to the
Administrative Procedure law, has adjourned the proceedings, pending the
outcome of criminal proceedings in which the company is involved in the
Court of Instruction No. 45 of Madrid.

The opening of an infringement proceeding by the Spanish Data Protection
Agency follows the conclusion of the investigations carried out by the
AEPD's inspection, which have revealed the presence of signs of a total of
five violations -two serious and three very serious- of the Spanish Data
Protection Act. Two of them are attributable to Google in its capacity as
responsible for providing the service and designing the software that
collects data for the Street View service. The other three are attributable
to Google Spain, as Google representatives in Spain are responsible for
collecting and storing the data in Spain and for transferring
it to the United States.

Specifically, the investigations carried out by the Spanish
DPA have verified the collection and storage by Google vehicles of
personal data of various types transmitted through open Wi-Fi networks.
Between the typology of personal data transmitted through these Wi- Fi
networks, the AEPD has established the collection and storage by Google of
email addresses, with names and surnames, addresses associated with email
messages or instant messaging, access to social network accounts and
websites or user names and passwords with personal data identifying its
owners and, in some cases, allowing access to special sensitive data, among
others.

Furthermore, the investigation established the collection by Google of
location and identification data of wireless networks, such as SSID,
identifiers or names of the Wi-Fi network, that in some cases, contains the
real name of the subscriber, and the MAC addresses- that identify the
router, connected devices and the geographic position in which they were
collected.

In addition, it has been established the international transfer of personal
data by Google to United States, without demonstrating the compliance of the
guarantees provided by the Data Protection Act that authorizes the
international transfers.

In this regard, the decision starting the infringement proceedings charges
both Google Spain and Google Inc with the commission of serious violations
of the Organic Act 15/1999 - subject to fines from 60 000 euro to 300 000
euro each - due to the processing of personal data without the consent of
the data subject, as well as very serious violations of collecting
and processing of personal data with special protection or without the
explicit consent of the data subject, as stated by the Data Protection Act.

Also, Google Spain is charged with another very serious violation of the
Organic Law because of the international transfer of data to the United
States of America without the guarantees foreseen by the Data Protection
Act.

By virtue of section 7 of the Royal Decree 1398/1993, the Spanish Data
Protection Agency had to adjourn the administrative proceedings because of
the criminal proceedings started by the First-instance Court number 45 of
Madrid.

Once the criminal proceedings are finalised, the Spanish Data Protection
Agency will resume the administrative proceedings in accordance with the
legal procedural rules, In that sense, the affected entities will have a
term for bringing pleadings or evidence, before the final resolution of the
Authority deciding on the infringements and on their legal categorisation is
determined.

Press release in Spanish (18.10.2010)
https://www.agpd.es/portalwebAGPD/revista_prensa/revista_prensa/2010/notas_prensa/common/octubre/101018_np_google.pdf

(Thanks to Spanish DPA Press Release)

============================================================
10. ENDitorial: Irish court rejects music industry demands for three strikes
============================================================

On 11 October 2010, Mr. Justice Peter Charleton of the Irish High Court gave
judgment in EMI and Others v. UPC , rejecting music industry claims that
broadband provider UPC was responsible under Irish law for policing their
users and preventing copyright infringement by them.

In this case, EMI, Sony, Universal, Warner and WEA sought an injunction
which would require UPC to introduce a three strikes system and to block
users' access to The Pirate Bay. This followed the music industry's success
in an earlier case against Eircom (Ireland's largest ISP). In that case,
Eircom settled and agreed to establish a three strikes system and not to
oppose the application to court to block access to The Pirate Bay. In two
subsequent decisions arising from that settlement, Charleton J. held that
(a) the court had the power to order Eircom to block access to particular
sites and (b) that the three strikes system which was agreed between Eircom
and the music industry did not conflict with data protection law.

Unlike Eircom, however, UPC fought the music industry action, leading for
the first time in the Irish courts to a full, contested hearing on the
obligations of internet service providers in relation to filesharing.

In a lengthy judgment, Charleton J. found that UPC users were engaged in
extensive illegal downloading and uploading. He found that it would be
possible for UPC to effectively reduce this by making use of systems such as
CopySense peer to peer filtering or the detection and disconnection of users
who are making available infringing copies, and made a specific finding that
such systems would be accurate, practicable and not disproportionately
expensive or burdensome. He found that other remedies available to the music
industry, in particular identifying infringing users and bringing action
against them, were inadequate. He also found that no privacy interest was
implicated by the monitoring which these systems would entail.

Charleton J. also held that the blocking of The Pirate Bay would be "both
educative and helpful", rejecting expert testimony that blocking would be
easily evaded and futile.

Notwithstanding these findings, however, Charleton J. held that, under the
Irish law, the court did not have the authority to grant an injunction
requiring an ISP to introduce such systems or to block access to particular
sites. The relevant Irish law was identified as section 40(4) of the
Copyright and Related Rights Act 2000, which provides that:

"where a person who provides facilities [to make a work available to the
public] is notified by the owner of the copyright in the work concerned that
those facilities are being used to infringe the copyright in that work and
that person fails to remove that infringing material as soon as practicable
thereafter that person shall also be liable for the infringement."

The court found that this section, referring to the removal of infringing
material, primarily envisaged situations where a defendant hosted material
rather than simply permitted transit of material. Consequently, it could not
be used to justify the grant of an injunction in relation to transit, and
Charleton J. acknowledged that his earlier decision ordering Eircom to block
access to The Pirate Bay was incorrect.

Charleton J. went on to consider the effect of the European law and in
particular the E-Commerce Directive and the Copyright Directive. He found
that Article 15 of the E-Commerce Directive (prohibiting a general
obligation to monitor) was irrelevant, holding that the use of deep packet
inspection:

"is not the seeking of information which is in the course of transmission.
Instead, it identifies the nature of transmissions, whether encrypted or
otherwise, by reference to the ports which they use, and the protocol
employed, so as to identify peer-to-peer communication. UPC does this
already for legitimate commercial purposes related to the management of
transmissions. If it suited, they could also easily identify the file # of
copyright works and block them or divert the search in aid of theft to a
legal site. This is not a general search for information."

He also held that UPC was a mere conduit for the purposes of the E-Commerce
Directive, but that this, nevertheless, left open the possibility for a
court to require an internet provider to terminate or prevent an
infringement, and went on to hold that the Copyright Directive required
Member States to introduce laws which would provide for these remedies.
Consequently, as the Irish law did not provide for these remedies Charleton
J. found that Ireland "is not yet fully in compliance with its obligations
under European law".

Following this judgment, and in particular its finding that Irish law has
failed to correctly implement the Copyright Directive, it is likely that the
issue of filesharing will be high on the political agenda in Ireland.
Representatives of the music industry have already called for legislative
intervention, and have also threatened to sue the Irish state for losses
caused by failure to tackle filesharing.

Against this, however, the judgment can be criticised on a number of fronts.
Concern has been expressed about the figures relied on by the judge for the
extent of piracy, which have been described as inflated. The confident
description of deep packet inspection as not involving a "general duty to
monitor" is also unusual in light of the preliminary reference to the
European Court of Justice in SABAM v. Scarlet (Tiscali) in which this would
seem to be a live issue. Similarly, the claim that no privacy issues are
involved in three strikes and blocking systems seems to be undermined by the
fact that the Data Protection Commissioner took no part in these proceedings
so that an important viewpoint went unrepresented, and also fails to take
account of developments elsewhere (such as Switzerland) where opposite
conclusions have been reached.

It is also unclear where this leaves the three strikes and blocking systems
which Eircom has already introduced. To date there has been no indication
from Eircom as to whether it intends to continue with these systems despite
the ruling, and despite the competitive disadvantage which it would appear
to impose on it.

EMI v. UPC (Unreported, High Court, 11.10.2010)
http://www.scribd.com/doc/39104491/EMI-v-UPC

John Collins and Ronan McGreevy, "Music labels to rethink fight against
piracy" (12.10.2010)
http://www.irishtimes.com/newspaper/frontpage/2010/1012/1224280879811.html

Ronan McGreevy, "U2 manager criticises UPC defence", Irish Times
(14.10.2010)
http://www.irishtimes.com/newspaper/breaking/2010/1014/breaking52.html

Justin Mason, "Aslan's hard times, from the UPC judgment", taint.org
(11.10.2010)
http://taint.org/2010/10/11/231501a.html

Rossa McMahon, "Strike 1?", A Clatter of the Law (13.10.2010)
http://aclatterofthelaw.com/2010/10/13/strike-one/

(Contribution by TJ McIntyre - EDRi-member Digital Rights Ireland)

============================================================
11. Recommended Action
============================================================

An on-line survey on the PSI Directive
The Digital Agenda for Europe lists the revision of the Directive 2003/98/EC
on the re-use of public sector information (PSI Directive) among its first
key actions. It highlights that governments can stimulate content markets by
making PSI available on transparent, effective and non-discriminatory terms.
Deadline: 30 November 2010
http://ec.europa.eu/yourvoice/ipm/forms/dispatch?form=psidirective2010

Technolife debate: social and ethical implications of biometrics and
mobility
http://biometrics.kertechno.net/

============================================================
12. Recommended Reading
============================================================

Opinion of the European Data Protection Supervisor on the Communication from
the Commission on the global approach to transfers
of Passenger Name Record (PNR) data to third countries (19.10.2010)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2010/10-10-18_PNR_EN.pdf

New microshort film on the Public Domain Calculators (12.10.2010)
http://blog.okfn.org/2010/10/12/new-microshort-film-on-the-public-domain-calculators/

Brussels: There are no guarantees in terms of controlling the secret
police in Macedonia (14.10.2010)
http://metamorphosis.org.mk/macedonia/brisel-nema-garancii-kako-da-se-kontrolira-tajnata-policija.html

============================================================
13. Agenda
============================================================

25 October 2010, Brussels, Belgium
Hearing by the European Parliament's Committee on Civil Liberties,
Justice, and Home Affairs (LIBE): "Data Protection in a Transatlantic
Perspective. Future EU-US data protection agreement in the framework of
police and judicial cooperation in criminal matters", 15.00-18.30, Room
ASP 3E002.
Programme
http://www.europarl.europa.eu/document/activities/cont/201010/20101013ATT86832/20101013ATT86832EN.pdf
Live-Stream
http://www.europarl.europa.eu/wps-europarl-internet/frd/live/live-video?language=en

25-26 October 2010, Jerusalem, Israel
OECD Conference on "Privacy, Technology and Global Data Flows", celebrating
the 30th anniversary of the OECD Guidelines on the Protection of Privacy and
Transborder Flows of Personal Data
http://www.oecd.org/sti/privacyanniversary

26 October 2010, Brussels, Belgium
Future Internet Architecture (FIArch)
Open Workshop on the Future Internet Architecture Limitations
http://ec.europa.eu/information_society/activities/foi/research/fiarch/index_en.htm

27-29 October 2010, Jerusalem, Israel
The 32nd Annual International Conference of Data Protection and Privacy
Commissioners
http://www.privacyconference2010.org/

28-31 October 2010, Barcelona, Spain
oXcars and Free Culture Forum 2010, the biggest free culture event of all
time
http://exgae.net/oxcars10
http://fcforum.net/10

3-5 November 2010, Barcelona, Spain
The Fifth International Conference on Legal, Security and Privacy Issues in
IT Law.
http://www.lspi.net/

5-7 November 2010, Cologne, Germany
Transparency, Work, Surveillance
Joint Annual Meeting of FIfF and DVD
http://fiff.de/veranstaltungen/fiff-jahrestagungen/JT2010/jt2010_uebersicht

5-7 November 2010, Gothenburg, Sweden
Free Society Conference and Nordic Summit
http://www.fscons.org/

17 November 2010, Gent, Belgium
Big Brother Awards 2010 Belgium
http://www.winuwprivacy.be/kandidaten

27-30 December 2010, Berlin, Germany
27th Chaos Communication Congress (27C3)
http://events.ccc.de/congress/2010

25-28 January 2011, Brussels, Belgium
The annual Conference Computers, Privacy & Data Protection CPDP 2011
European Data Protection: In Good Health?
Submission deadline for Full Papers and Position Papers: 16 November 2010
http://www.cpdpconferences.org/

============================================================
14. About
============================================================

EDRI-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRI has 27 members based or with offices in 17 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRI-grams.

All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and are visible on
the
EDRI website.

Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/

Newsletter editor: Bogdan Manolea <edrigram at edri.org>

Information about EDRI and its members:
http://www.edri.org/

European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.
http://www.edri.org/about/sponsoring

- EDRI-gram subscription information

subscribe by e-mail
To: edri-news-request at edri.org
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.
unsubscribe by e-mail
To: edri-news-request at edri.org
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edri/2.html

- EDRI-gram in German

EDRI-gram is also available in German, with delay. Translations are provided
Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/

- Newsletter archive

Back issues are available at:
http://www.edri.org/edrigram

- Help
Please ask <edrigram at edri.org> if you have any problems with subscribing or
unsubscribing.

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE