EDRi-gram newsletter - Number 9.7, 6 April 2011

EDRI-gram newsletter edrigram at edri.org
Wed Apr 6 11:35:10 PDT 2011


============================================================

       EDRi-gram

biweekly newsletter about digital civil rights in Europe

Number 9.7, 7 April 2011

============================================================
Contents
============================================================

1. Czech Constitutional Court rejects data retention legislation
2. EDRi responds to IPR Enforcement consultation
3. EDPS criticizes the EU PNR scheme
4. Ten Internet Rights & Principles for Human Rights and Social Justice
5. Judicial Review of the Digital Economy Act
6. German Internet blocking law to be withdrawn
7. 80 NGOs ask CoE to investigate government collection of biometrics
8. RFID Privacy Impact Assessment Framework formally adopted
9. Website blocking and suspension discussions in the UK
10. Big Brother Awards Germany 2011
11. Privatised online enforcement series: B. Is "self-regulation" worse than
useless?
12. ENDitorial Data Retention: Is the EC trying to dig itself out of a hole?
13. Recommended Action
14. Recommended Reading
15. Agenda
16. About

============================================================
1. Czech Constitutional Court rejects data retention legislation
============================================================

The Czech Constitutional Court declared national data retention legislation
unconstitutional on 31 March 2011. This is part of the Electronic
Communications Act and its implementing legislation according to which
records of e-mails, phone calls, and SMS as well as website accesses of
every citizen should be retained by telecommunications companies for a time
period of six months, as an implementation of the Data Retention Directive.
This court decision followed previous decisions of the constitutional courts
of Germany and Romania.

The complaint filed with the Constitutional Court was prepared by activists
from EDRi-member Czech civic rights organisation Iuridicum Remedium and 51
MPs from the Civic Democratic Party (ODS) and the Green Party (SZ) who
signed it in March 2010.

The Constitutional Court decision criticizes the Czech transposition of the
Data Retention Directive. The Czech legislation requires the retaining of a
larger number of data than the directive demands, where the use of data is
not limited to investigating terrorism and serious organised crime. There
was a lack of the principle of subsidiarity in the legislation related to
eavesdropping, although these data are equally sensitive. This has led to a
large number of requests for such data by the police. The national
legislation lacked, according to the constitutional court, clear and
detailed rules for the protection of personal data as well as the obligation
to inform the person whose data has been requested.

The court said that EU law was not part of the constitution of the Czech
Republic and that the directive could therefore not be reviewed by the
Constitutional Court. According to the court decision, the content of the
Data Retention Directive gives the Czech Republic sufficient space for
its constitutionally conformal transposition. However, the Constitutional
Court has doubts about the necessity and proportionality of the data
retention principle in the obiter dictum paragraphs (p. 55-57). The court
doubted whether the blanket monitoring of the communications of all citizens
in terms of intensity of intervention into the private sphere is necessary
and appropriate. The court also doubted the effectiveness of the use of the
retained data in combating crime, particularly with reference to the
possibility of anonymising communications. The police statistics show that
despite a significant increase in the number of requests for traffic and
location data, this did not translate into a proportional number of
committed and solved crimes.

The Constitutional Court also regards certain provisions of the
Criminal Act concerning the use of such data by authorities engaged in
criminal proceedings as highly questionable and it called on MPs to consider
their modification. According to the Court, it will be necessary to consider
each individual case in which data have already been requested in order to
be used in criminal proceedings, with respect to the principle of
proportionality regarding privacy rights infringement.

Text of the complaint (only in Czech)
http://www.slidilove.cz/content/plne-zneni-stiznosti-us-kvuli-ceskemu-data-retention

Text of the court decision (only in Czech) - to be translated in English in
the next 2 weeks
http://www.concourt.cz/clanek/GetFile?id=5075

Constitutional Court: Spying on Communication Declared Unconstitutional
(31.03.2011)
http://www.slidilove.cz/en/english/constitutional-court-spying-communication-declared-unconstitutional

Constitutional Court invalidates telecommunications data retention
law (1.04.2011)
http://www.radio.cz/en/section/curraffrs/constitutional-court-invalidates-telecommunications-data-retention-law

Czech Republic: Constitutional Court Overturns Parts of Data Retention Law
(01.04.2011)
http://www.loc.gov/lawweb/servlet/lloc_news?disp3_2601_text

(Contribution by Jan Voboril - EDRi-member IuRe - Czech Republic)

============================================================
2. EDRi responds to IPR Enforcement consultation
============================================================

European Digital Rights has submitted on 31 March 2011 its response to the
European Commission's consultation on the implementation of the IPR
Enforcement Directive.

The response examines the claims made by the Commission, the evidence (or
lack thereof) for its assumptions and the lessons that it draws and fails to
draw from the experience of European citizens with the implementation of the
Directive. The first section of the response deals with the overall approach
of the Commission and its reaction to what it calls "ubiquitous"
unauthorised filesharing online. EDRi questions whether many of the
assumptions regarding the "cost" of such filesharing are correct,
particularly with a growing body of research indicating that the impact is
either zero or close to zero.

This leads on to a more fundamental question of the legitimacy of current
copyright legislation. If breaches really are "ubiquitous," is a response
which is mainly or wholly based on repression either proportionate or
effective? With equally ubiquitous problems concerning the cost, the format
and the availability of audiovisual material, would it not be better to
properly service the market rather than enforce respect for a broken market?

With regard to criminal law and unauthorised access to audiovisual content,
EDRi argues that the Commission's current approach of treating
"counterfeiting and piracy" as one phenomenon, as if the causes and
solutions for counterfeit medication are the same as for private music
downloading, is simply wrong. Indeed, worse than that, treating both as the
same can only result in either counterfeit drugs being subject to unduly
weak countermeasures or unauthorised access to audiovisual material being
treated disproportionately harshly.

The response pays particular attention to the vague and dangerous assertion
that the fundamental right to privacy can somehow be re-balanced against the
right, included in the Charter of Fundamental Rights, to property. The
response points out that a balance between rights can never be done in the
abstract, rendering the whole approach by the Commission meaningless. It
goes on to point to the UNESCO Convention on Protection and Promotion of the
Diversity of Cultural Expressions (which the EU collectively and almost all
Member States individually have signed up to), which, in article 2, explains
that "cultural diversity can be protected and promoted only if human rights
and fundamental freedoms, such as freedom of expression, information and
communication, as well as the ability of individuals to choose cultural
expressions, are guaranteed."

In its report, the Commission also subtly mentions that "it could be useful
to clarify that injunctions should not depend on the liability of the
intermediary". What this means in practice is that courts could ignore the
provisions of the E-Commerce Directive on "mere conduit" (regarding access
to illegal material) and on the imposition of a "general obligation to
monitor". The Commission's view - and the view that it has given to the
European Court of Justice in the Scarlet/Sabam case - is that national
courts may (and should) impose monitoring, blocking and filtering
obligations on Internet service providers and that the E-Commerce Directive
should not prevent them from doing this. The Commission's analysis fails to
acknowledge, let alone address, how this would be compatible with the
European Charter of Fundamental Rights - the same Charter that it so eagerly
uses to defend the weakening of the fundamental right to privacy.

The EDRi response concludes by listing a set of issues to be addressed in
any impact assessment used to justify a re-opening and extension of the IPR
Enforcement Directive.

EDRi response to IPRED Consultation (31.03.2011)
http://www.edri.org/files/edri_ipred_110331.pdf

Report on the enforcement of intellectual property rights (COM(2010) 779)
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52010DC0779:EN:NOT

Analysis of the application of Directive 2004/48/EC on the enforcement of
intellectual property rights in the Member States (SEC(2010) 1589)
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=SEC:2010:1589:FIN:EN:PDF

(Contribution by Joe McNamee - EDRi)

============================================================
3. EDPS criticizes the EU PNR scheme
============================================================

Peter Hustinx, the European Data Protection Supervisor (EDPS), issued on 25
March 2011 his opinion on the European Commission's proposal to oblige
airline carriers to provide EU Member States with personal data (PNR) on
passengers entering or leaving the EU space, with the declared purpose to
fight serious crime and terrorism.

On 2 February 2011, the European Commission made a new proposal for a PNR
Directive, to extend the passenger-tracking systems already in use in the UK
and US to all flights to and from the EU. PNR data may include personal
information such as home addresses, email addresses, mobile phone numbers,
frequent flyer information, and even credit card information.

In the EDPS' opinion, although the new proposal is an improved version as
compared to the previous document released in 2007, particularly due to the
addition of data protection safeguards, the restriction of the proposal's
scope and the conditions for PNR data processing under EU data protection
law, it is still unjustified.

The EDPS draws attention to the fact that the Proposal does not meet
"the essential prerequisite to any development of a PNR scheme - i.e.
compliance with necessity and proportionality principles".

The EDPS emphasizes that the need to collect or store massive amounts of
personal data must be substantiated by a clear demonstration of the
relationship between use and result (necessity principle). Hustinx believes
the proposal and the accompanying Impact Assessment fail to demonstrate the
necessity and the proportionality of a large collection of PNR data for the
purpose of the systematic assessment of all passengers.

The EDPS raises concerns related to the use of PNR data "in a systematic
and indiscriminate way" and believes that the only measure compliant with
data protection requirements would be the use of PNR data in cases where
there is a serious threat established by concrete indicators on a
case-by-case basis.

Hustinx makes a series of recommendations, among which a further limitation
of the proposal's scope that would exclude minor crimes and the possibility
for Member States to extend its reach. He also questions the
inclusion of serious crimes which have no relation to terrorism.

One recommendation is the limitation of the data retention period to 30
days, except for cases which require further investigation. The data
should be retained in an identifiable form.

The EDPS recommends a higher standard of safeguards, especially in relation
to the data subjects' rights and transfers to third countries.

While welcoming the fact that sensitive data were not included in the list
of data to be collected, the EDPS still considers the list to be too
extensive and recommends its further reduction in agreement with
the recommendations of the Article 29 Working Party and the EDPS.

Hustinx says that an assessment of the EU PNR system "should be based on
comprehensive data, including the number of persons effectively convicted -
and not only prosecuted - on the basis of the processing of their data." He
also recommends the assessment of the system "in a broader perspective
including the ongoing general evaluation of all EU instruments in the field
of information exchange management launched by the Commission in January
2010. In particular, the results of the current work on the European
Information Exchange Model expected for 2012 should be taken into
consideration in the assessment of the need for an EU PNR scheme."

Meanwhile, the UK Home Office has expressed concern over the delay of the
draft PNR Directive and has shown its support for the extension of any
passenger-tracking system to flights between EU countries as well as those
outside EU territory. The House of Lords has recently urged the
Government to opt in to the proposal, ensuring its change to include all
international flights.

EU Passenger Name Record: proposed system fails to meet necessity
requirement, says EDPS (28.03.2011)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/PressNews/Press/2011/EDPS-2011-03_EU_PNR_EN.pdf

Opinion of the European Data Protection Supervisor on the Proposal for a
Directive of the European Parliament and of the Council on the use of
Passenger Name Record data for the prevention, detection, investigation and
prosecution of terrorist offences and serious crime (25.03.2011)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2011/11-03-25_PNR_EN.pdfm

PNR should be deleted after 30 days, says EU privacy watchdog (1.04.2011)
http://www.out-law.com//default.aspx?page=11847

EDRi-gram: Commission's proposal for PNR Directive fails to impress MEPs
(9.02.2011)
http://www.edri.org/edrigram/number9.3/commission-pnr-directive

============================================================
4. Ten Internet Rights & Principles for Human Rights and Social Justice
============================================================

The Internet Rights and Principles Dynamic Coalition (DC-IRP) launched on 31
March 2011 its "10 Internet Rights and Principles" for an Internet
governance rooted in human rights and social justice.

These 10 Internet Rights and Principles are part of a global initiative
undertaken in the framework of the UN Internet Governance Forum (IGF), by
the DC-IRP to develop a comprehensive Charter of Human Rights and Principles
for the Internet. In addition to the 10 Internet Rights and Principles, the
Charter is built into two sections. The first interprets human rights and
defines principles that stem from these rights for the purposes and concerns
of the information society. The second section addresses the roles that
different actors and stakeholders should play in order to uphold these
rights and principles.

This Charter is not an attempt to create new rights, but to reinterpret and
explain universal human rights standards in a new context - the Internet.
The Charter re-emphasizes that human rights apply online as they do offline:
human rights standards, as defined in international law, are non-negotiable.
The Charter also identifies principles, deriving from human rights, which
are necessary to preserve the Internet as a medium for civil, political,
economic, social and cultural development. It describes the responsibilities
that states have in relation to the Internet as well as the part that all
individuals and society organs have to play, considering that the Internet
is, through its design, a trans-boundary multi-stakeholder environment where
no single entity has control.

In this context, the 10 Internet Rights and Principles outline the core
demands in order to defend and expand the Internet as a space which is
empowering, open and accessible to all. To this end, they identify the main
requirements that should be met in the online environment, with regard to:
universality and equality; rights and social justice; accessibility;
expression and association; privacy and data protection; life, liberty and
security; diversity; network equality; standards and regulation; and
governance. Such guidelines for policy and practice are much needed at a
time when human rights and social justice are under a double threat on the
Internet, from governments (both authoritarian and democratic) who seek to
control it, and from businesses who seek to monetise it.

The 10 Internet Rights and Principles were launched at the second expert
meeting on "Freedom of Expression and the Internet" in Stockholm, convened
on 30-31 March 2011 by the Swedish Ministry for Foreign Affairs. The UN
Special Rapporteur for Freedom of Opinion and Expression and the OSCE
Representative on Freedom of the Media, who attended this launching event,
welcomed this initiative.

The DC-IRP is an international multi-stakeholder network of people and
organisations - among them a number of EDRi members and observers - who are
working to uphold human rights on and through the Internet. Its Charter is
currently released as a beta version, and the Coalition welcomes comments
and contributions on its website. The 10 Internet Rights and Principles
derive from the Charter, distilling it down into 10 core demands. They are
already available in more than 15 languages, with further translations still
expected.

DC-IRP main website with the 10 Internet Rights and Principles
http://internetrightsandprinciples.org/

DC-IRP website dedicated to its Charter
http://www.irpcharter.org

Second Expert Meeting on Human Rights and the Internet Stockholm
(30-31.03.2011)
http://www.regeringen.se/sb/d/14187/a/165534

(Contribution by Meryem Marzouki, EDRi-member IRIS - France)

============================================================
5. Judicial Review of the Digital Economy Act
============================================================

In July 2010 UK ISPs TalkTalk and BT filed papers seeking a Judicial Review
(JR) of the Digital Economy Act, and were then granted a hearing. In the UK,
JRs are rare. They can be brought when there is concern that a UK law
contradicts over-riding legislation (e.g. European law). They sought the
Review on four grounds: that the UK government didn't notify the EU as
required under the Technical Standards Directive; that the Act does not
comply with e-privacy laws; that the Act does not comply with e-commerce
legislation; and that the Act has a "disproportionate" effect on ISPs,
businesses and the public. More recently a fifth ground was added, related
to the Costs Sharing Order and its consistency with the "Authorisation
Directive."

The hearing began on 23 March and finished on 28 March 2011.

The Claimants BT and TalkTalk were joined by Consumer Focus
and Article 19, who submitted evidence of the "chilling effect" of the
DEAct. EDRi-member Open Rights Group submitted evidence as a "friend of the
court", covering primarily the effect on public Wi-Fi provision, the privacy
questions, and the weaknesses of IP evidence. As well as legal submissions
from Francis Davey, we submitted a witness statement from Jim Killock and an
expert report on the technical questions behind a reliance on IP address
evidence from Richard Clayton.

The primary Defendant is the Secretary of State for Business, Skills and
Industry (i.e. the Minister in charge of the department that was responsible
for the Bill / Act at the time of passing). They were joined by the BPI, the
British Video Association Limited, Broadcasting Entertainment Cinematograph
and Theatre Union, Equity, Film Distributors' Association, the Premier
League, the MPA, The Musicians Union, Producers Alliance for Cinema and
Television, and Unit.

A full daily summary of the JR hearing is up on our blog. There seemed (to
this not-legally-trained observer) to be two key points and one interesting
observation. First, that the Defence spent a long time arguing that the
substantive powers to which the grounds of the JR should apply are not
contained in the Act and will be in the yet-to-be-published final 'Initial
Obligations Code'. A key question for the Judge is the extent to which
the Act determines the important substantive details concerning the
obligations on ISPs and consumers, which would make it possible for the
Judge to decide on whether the Act as it stands with or without the IOC is
in breach of EU law - or whether in fact it is the IOC that will in effect
enact substantive powers.

Second, the judge was very careful in his assessment of the nature of the
"proportionality" test he was being asked to consider, and the extent to
which he was being asked to make a judgement on the policy judgements that
Parliament have made. He seemed to be reluctant to be drawn into a judgement
on the accuracy or wisdom of a public policy assessment.

One interesting point is that many of the arguments that policy wonks
might think are most important, for example concerning how robust the
evidence used to justify the Act is, or the likely benefits of the Act, were
seemingly some of the least important in legal terms.

It is very hard indeed to guess which way the Judge will fall. He listened
carefully to all arguments. The Judge said that he'll take his time to
consider the submissions; we expect (speculation) that this means 6 to 8
weeks from the end of the hearing.

Judicial review of the Digital Economy Act (8.07.2010)
http://www.talktalkblog.co.uk/2010/07/08/judicial-review-of-the-digital-economy-act/

Digital Economy Act 2010 to Face Judicial Review (9.12.2010)
http://www.olswang.com/newsarticle.asp?sid=558&aid=3224

Submission to the Judicial Review of the Digital Economy Act (1.02.2011)
http://www.openrightsgroup.org/ourwork/reports/submission-to-the-judicial-review-of-the-digital-economy-act

DEA Judicial Review - Day 1 (23.03.2011)
http://www.openrightsgroup.org/blog/2011/dea-judicial-review-day-1

(Contribution by Peter Bradwell - EDRi-member Open Rights Group - UK)

============================================================
6. German Internet blocking law to be withdrawn
============================================================

On 5 April 2011, Germany's governing conservative and liberal
parties agreed in a coalition committee meeting that the disputed law on
Internet blocking of child abuse material (Zugangserschwerungsgesetz,
ZugErschwG, "Access Impediment Act") will be dropped.

The law had been enacted by the previous parliament in June 2009, but it had
never been fully implemented after the newly elected coalition decided to
only use the law's provisions for take-down, not those for blocking. After a
one-year "trial period", the new consensus seems to be that the law will be
withdrawn through a new act of the Parliament.

There is speculation that the decision could be part of a wider "package
deal" that might see Germany's data retention revived after the German
Constitutional Court had declared the previous data retention law partly
unconstitutional, but this was denied by speakers for Germany's liberal
party, FDP. German digital rights groups welcomed the decision on the
blocking law, but they will be watching how it is implemented in detail.

Last EDRi-gram article on Germany's Internet blocking law, reporting on
the law's history and a pending constitutional challenge that would be
rendered obsolete if the law is now withdrawn (23.02.2011)
http://www.edri.org/edrigram/number9.4/germany-constitutional-case-web-blocking

EDRi-gram on the ruling against Germany's data retention law (10.03.2010)
http://www.edri.org/edrigram/number8.5/german-decision-data-retention-unconstitutional

(Contribution by Sebastian Lisken - EDRi-member FoeBuD)

============================================================
7. 80 NGOs ask CoE to investigate government collection of biometrics
============================================================

An international alliance of organisations, including EDRi and several
EDRi-members, and individuals from 27 countries has lodged a petition
calling on the Council of Europe to start an in-depth survey on the
collection and storage of biometric data by member states.

European governments are increasingly demanding the storage of biometric
data (fingerprints and facial scans) from individuals. These include storage
on contactless "RFID" chips in passports and/or ID cards. Some are going
even further by implementing database storage, e.g. France, Lithuania and the
Netherlands.

The alliance of more than 80 signatories has asked Secretary General
Thorbjørn Jagland of the Council of Europe to urgently request the countries
involved to explain under Article 52 ECHR whether their national law on this
subject is in line with the European Convention on Human Rights (ECHR) and
rulings of the European Court of Human Rights.

In the petition to Strasbourg the alliance states: "It is vital to obtain an
overview of the current 'patchwork' of different national laws that regulate
this sensitive and important subject. An in-depth survey has to be conducted
on whether the human rights guarantees and conditions of necessity
(proportionality, subsidiarity and safety guarantees) set by the Convention
are indeed upheld."

These rights include the protection of human treatment (Article 3 ECHR),
safety (Article 5), a fair trial (the privilege against self-incrimination
and presumption of innocence) (Article 6), physical integrity and family and
private life (Article 8), effective national legal remedies (Article 13),
non-discrimination (Article 14) and the right to leave your country (Article
2 Protocol 4).

"Article 52 clearly designates the Secretary General of the Council of
Europe as the guardian of the fundamental rights placed at risk by this
practice. We would like to emphasize that national biometric registration
legislation (often in combination with other laws) should not 'lead to
destroying democracy on the ground of defending it'", the alliance warns.

"In a democratic society the collection of the biometrics of an entire
population is a disproportionate and for other reasons unnecessary
interference with the right to privacy and other rights like the presumption
of innocence, protected by the Convention. Because of these concerns the
United Kingdom Government recently abandoned the policy of collecting
fingerprints of citizens. Yet most countries are keen to fingerprint groups
and populations of people who have committed no crime, thus increasing the
chances of identity fraud", says Simon Davies of Privacy International,
which co-ordinated the online petition initiative.

The signatories include, amongst others, digital, civil and human rights
defenders, media, legal and medical organisations, academia, politicians and
personal victims without a passport because of objections involving the
biometric storage.

The press release in other languages: Dutch, French, German, Spanish,
Lithuanian and Slovak - for immediate publication (see bottom of the page)
https://www.privacyinternational.org/article/alliance-raises-concerns-about-spread-biometrics

Text of petition (with the list of signatories) (31.03.2011)
https://www.privacyinternational.org/article/petition-council-europe-government-use-citizens-biometrics

EDRi-gram: Final call for petition on government use of citizens' biometrics
(9.03.2011)
http://www.edri.org/edrigram/number9.5/petition-coe-privacy-biometrics

Highlights of the petition (6.03.2011)
http://www.pogowasright.org/?p=22180&cpage=1#comment-334

(Thanks to Robin Caron from the Alliance)

============================================================
8. RFID Privacy Impact Assessment Framework formally adopted
============================================================

The Privacy Impact Assessment Framework for RFID applications (RFID PIA) was
officially signed by European Commission Vice President Neelie Kroes,
representatives of the RFID industry, the chairman of the Article 29 Working
Party, Jacob Kohnstamm, and the Executive Director of the European Network
and Information Security Agency (ENISA), Udo Helmbrecht. The ceremony took
place today, 6 April 2011, in the European Commission's Berlaymont building
in Brussels.

In its 2009 recommendation on the implementation of privacy and data
protection principles in RFID applications, the European Commission
suggested that the RFID industry should develop a framework for RFID privacy
and data protection impact assessments. In the months following this
recommendation a first draft PIA framework was developed by an informal
working group of industry representatives to which EDRi and other
stakeholders were also invited to contribute their views.

This first draft RFID PIA framework was submitted for endorsement to the
Article 29 Working Party, which did not endorse the framework but published
on 13 July 2010 in its working paper no. 175 a request for improvements.
Further improvements were suggested by ENISA in July 2010.

In January 2011 a revised PIA Framework was submitted to the Article 29
Working Party, which formally endorsed it by publishing the framework as
an annex to its working paper no. 180 on 11.02.2011.

In EDRi's opinion the RFID PIA Framework, which was formally signed today,
properly follows a risk assessment methodology, which addresses the data
protection targets defined in the European data protection legal framework
and provides therefore a sound basis for a meaningful assessment of data
protection risks for RFID applications.

The RFID PIA Framework is an important milestone on the way to the
implementation of privacy friendly RFID applications. Now it is important
that industry quickly but thoroughly implements the PIA in practice.

Today's formal signing ceremony took place against the background of the
German Big Brother Awards, which were presented in Bielefeld only a few days
earlier. One of the unpopular awards was given to the European Fashion Label
Peuterey for violating the data protection rights of their customers by
secretly tagging their fashion products with RFID chips.

The next twelve months will show how the new RFID PIA Framework is
received by industry, as the European Commission is expected to present its
report on the implementation of the RFID recommendation, its effectiveness
and its impact on operators and consumers in May 2012.

EDRi sincerely hopes that today's important milestone will be followed by a
number of serious implementation efforts and that last week's German Big
Brother Award was the last one in Europe that will be awarded to an RFID
operator.

Commission Recommendation on the implementation of privacy and
data protection principles in applications supported by radio-frequency
identification (12.05.2009)
http://ec.europa.eu/information_society/policy/rfid/documents/recommendationonrfid2009.pdf

EDRi-gram 7.10: EU supports RFID with proper protection of consumers'
privacy (20.05.2009)
http://www.edri.org/edri-gram/number7.10/rfid-european-commission-recommandation

Article 29 Working Party: Opinion 5/2010 on the Industry Proposal for a
Privacy and Data Protection Impact Assessment Framework for RFID
Applications
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp175_en.pdf

ENISA Opinion on the Industry Proposal for a Privacy and Data Protection
Impact Assessment Framework for RFID Applications (31.03.2010)
http://www.enisa.europa.eu/media/news-items/enisa-opinion-on-pia

EDRi-gram 8.15: ENDitorial: Industry RFID PIA: not endorsed in its current
form (28.07.2010)
http://www.edri.org/edrigram/number8.15/article-29-no-to-rfid-pia

Article 29 Working Party: Opinion 9/2011 on the revised Industry Proposal
for a Privacy and Data Protection Impact Assessment Framework for RFID
Applications
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp180_en.pdf

Annex: Privacy and Data Protection Impact Assessment Framework for RFID
Applications
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp180_annex_en.pdf

(contribution by Andreas Krisch - EDRi)

============================================================
9. Website blocking and suspension discussions in the UK
============================================================

UK Minister Ed Vaizey is involved in discussions for private blocking
schemes to prevent access to copyright infringing websites. This follows the
delays in implementing the Digital Economy Act. It is believed by the
EDRi-member Open Rights Group and others that music and film lobby groups
are pushing for private measures that would avoid the need for legislation
and potentially human rights considerations such as due process and freedom
of expression.

Nominet, the .uk registry, is also engaging a wide range of bodies to create
procedures for suspension of domains believed to be involved in criminal
activity. Over the last two years, they have been suspending domains on
request from the police, with an appeals procedure but no examination of the
legal and human rights implications. The consultation therefore presents a
step forward in creating transparency but also a longer term danger, as
registry suspensions could be abused as a short cut for law enforcement
agencies.

Silence from the website blocking Working Group (5.04.2011)
http://www.openrightsgroup.org/blog/2011/silence-from-the-website-blocking-working-group

Nominet talks about domain suspensions (5.04.2011)
http://www.openrightsgroup.org/blog/2011/nominet-talks-about-domain-suspensions

(Contribution by Jim Killock - EDRi-member Open Rights Group - UK)

============================================================
10. Big Brother Awards Germany 2011
============================================================

The eleventh German Big Brother Awards were bestowed on Friday 1 April
2011 in Bielefeld, Germany. Organized by EDRi member FoeBuD, the
ceremony featured eight negative awards in various categories.

In the "Communication" category, Facebook was one winner for
"systematically poking its nose into people and their relationships,
behind the friendly façade of an ostensibly free service". In the awards
speech, Facebook was described as a "gated community" on the Internet,
comparing it, in several aspects, to the closed housing estates found in
an increasing number of places across the world.

Another "Communication" award went to Apple for virtually "blackmailing"
its customers into accepting a dubious privacy policy as part of a terms
and conditions document that, when displayed on the iPhone, takes up 117
pages. Consent to the privacy conditions should be voluntary, according
to Germany's data protection law, but without consent, the iPhone's
functions are reduced to telephony. With consent, Apple and partners
receive excessive amounts of data, including the device's location.

One winner in the "Workplace" category was German car maker Daimler, one
of several employers that demand blood tests from their employees, which,
in most cases, was not required by industrial law - in the words of the
award speech, a form of modern-day vampirism.

Another "Workplace" award went to the German Customs authority, for
promoting a certification named "Authorized Economic Operator" (AEO) to
companies with international business relationships. The certification
involves checking each employee against EU or US anti-terror lists. This
use of personal data has no legal foundation, meaning that German
Customs encourage companies to use their employees' personal data in an
illegal way.

In the "Technology" category, the fashion brand Peuterey was cited for
introducing RFID in clothing, not as theft-prevention attachments but
sewn into jackets under a label saying "do not remove this label".

The "Consumer Protection" award went to a publishing house called
"Knowledge and Information" (Verlag für Wissen und Information) that
doesn't actually produce and trade its own books but asks schools to
distribute book coupons which can only be redeemed if names and
addresses of the pupil and at least one parent are supplied. A blogger's
investigation uncovered that the "publisher's" business model was mainly
a partnership with financial investment advisers and with a manufacturer
of vitamin pills. Those that accepted and used the coupons were offered a
telephone "interview" on the subject of "learning, health, and future".

One award was actually collected by its winner (only the third time that
this has happened in eleven years): Gert Wagner, head of the "census
commission" that promotes this year's German census, defended the
project against the accusation that it collects excessive and dangerous
amounts of data, with too little information and without legal recourse.
Mr Wagner's courage was appreciated, but when he attempted to put down
his critics as "living in a parallel universe" and stressed that the
census was justified by the mere fact that it had proper legal
foundation, it did not win him many friends in the audience.

The winner in the "Politics" category was the Interior Minister in the
state of Lower Saxony, Uwe Schünemann, for the first known use of a
police drone for clandestine monitoring of a public gathering during
protests against a nuclear waste transport to Germany's main storage
facility at Gorleben in the Wendland region.

The audience award for the most "impressive, surprising, shocking, or
outrageous" winner went to Facebook, on just over a third of the votes.
Nominations for the next Big Brother Awards are open until the end of
this year.

BigBrotherAwards Germany 2011 (1.04.2011)
http://www.bigbrotherawards.de/2011-en?set_language=en

(Contribution by Sebastian Lisken - EDRi-member FoeBuD)

============================================================
11. Privatised online enforcement series:
B. Is "self-regulation" worse than useless?
============================================================

Much of the policy with regard to "self-regulation" in the context of
illegal online content is developed on the basis that anything that industry
can do to help fight crime is automatically a good thing. The assumption is
that, however distasteful it is that private companies should be regulating
and enforcing the law in the online world, it is better that "somebody" is
doing "something". The reality is, however, very different.

The first area where Internet intermediaries started enforcing the law is in
relation to child abuse images. The European Commission funds "hotlines" to
receive reports of child abuse images and these send reports to law
enforcement authorities and Internet hosting providers and, sometimes,
Internet access providers. Law enforcement authorities are supposed to play
their role in investigation and prosecution, while Internet providers are
supposed to play their role in diligently, and within the rule of law,
removing content that has been shown to be illegal and supporting collection
of evidence by law enforcement authorities.

At a recent meeting of the European Commission "dialogue on dissemination
of illegal content within the European Union", the Safer Internet Unit of
the Commission gave a different and more worrying analysis. A representative
explained that many EU police forces did not prioritise online child abuse
and even if it was on the priority list in some countries, it was at the
bottom. The proposal was made, therefore, that hotlines should send reports
directly to Internet hosting providers to delete the websites. The fact that
this would facilitate and propagate the alleged inaction of the police
appears not to be a consideration.

This approach is confirmed by the European Commission's guidelines for
co-funded hotlines on notice and takedown (that are, unsurprisingly, not
publicly available), which suggest that agreements should be signed between
the hotlines and the police. These guidelines suggest that "the agreement
should preferably stipulate a deadline for the police to react after which
the hotline would proceed with giving notice". In other words, law
enforcement authorities would be assured that, if they remained wholly
inactive for an agreed period, the evidence of their failure to address
serious crimes would be diligently hidden by the hotlines, in cooperation
with well-meaning "industry self-regulation".

This is, unfortunately, far from the only example. As mentioned above,
hotlines also contact Internet access providers. In some countries, these
take it upon themselves to undertake technically limited "blocking" against
sites identified as being illegal. In Sweden, for example, ISPs "block"
sites and receive an updated list from the police every two weeks. The
pointlessness of this whole process is shown by the fact that, while the
lists are updated every 14 days, the British hotline, the IWF, has produced
statistics showing that the average length of time the sites remain online
is only twelve days. In other words, on average, there are no functioning
sites at all on the "blocking" list one day out of every seven.

Unfortunately, this activity is not just useless, it is worse than useless.
In a speech given to the German Parliament, a Danish police official
explained that, having "blocked" the websites domestically, the police in
that country do not see any point in communicating evidence of serious
crimes against children to the police forces in the United States and
Russia, because they probably wouldn't be interested. It is difficult to
imagine another crime which would be treated in such a trivial way.

Reports from the European Commission are that there will be a major push to
increase the "safer internet" budget, which is currently being reviewed. As
yet, there are no signs that any lessons are being learned regarding the
failures of "self-regulation" under the current programme.

Internet Watch Foundation Annual Report 2010
http://www.iwf.org.uk/assets/media/annual-reports/Internet%20Watch%20Foundation%20Annual%20Report%202010%20web.pdf

EDRi-gram: Dialogue on illegal online content (28.06.2010)
http://www.edri.org/edrigram/number8.15/edri-euroispa-notice-takedown-comission

Child abuse is difficult to stop on the web (only in Swedish, 29.09.2010)
http://www.dn.se/nyheter/sverige/overgrepp-pa-barn-svart-stoppa-pa-natet

Danish police statement
http://www.edri.org/files/Written_Statement_Underbjerg.pdf

Privatised Online Enforcement Series
A. Abandonment of the rule of law (23.03.2011)
http://www.edri.org/edrigram/number9.6/abandonment-rule-of-law

(Contribution by Joe McNamee - EDRi)

============================================================
12. ENDitorial: Data retention: Is the EC trying to dig itself out of a hole?
============================================================

The Data Retention Directive was adopted in 2006 in very controversial
circumstances. Article 15 of the Directive placed a clear obligation on the
European Commission (EC) to submit "no later than 15 September 2010" a
report on the evaluation of the Directive and its impact on economic
operators and consumers. Today is the 203rd day since that evaluation
report was due to be published. This raises the obvious question - why has
the Commission, as "guardian of the treaties", failed to respect its legal
obligation and when will it finally comply?

The main reason for the delay is that some crucial mistakes were made at the
beginning of the review process. Firstly, the Commission failed to recognise
that, under the Charter on Fundamental Rights, the Directive is only legal
if it is both "necessary and genuinely meet(s) objectives of general
interest." Its second mistake was to reach its conclusion ("data retention
is here to stay") before starting the research, thereby limiting its scope
and assuming that the Member States would have answers to its questions
about the assumed value of data retention. The Commission then limited
itself further by not seeking any information from Member States that had
not implemented the Directive. This definitively prevented the Commission
from being able to compare how much essential extra data is stored as a
result of the Directive, thereby making the legislation "necessary".

As a result, when the Commission asked for data in the second quarter of
2010, it received little useable information from the Member States. As a
result, Commissioner Malmström made a personal plea to Member States during
the July 15 Justice and Home Affairs Council, followed by a letter (linked
below) from the Commission to Member States. The letter betrays the
Commission's disregard for the Charter (which each Commissioner swore a
legally binding oath to support) by showing that it is not seeking to
demonstrate "necessity" - "without this information it will be difficult for
the Commission to adequately demonstrate that the Directive is useful". It
further lowered the level of evidence it was requesting by asking for
examples of where data retained under the Directive "played a determining
role", rather than asking for examples of where data that would not
otherwise have been retained played a determining role.

Having created this untenable situation, the Commission managed to dig
itself even deeper during the "Taking on the Data Retention Directive"
conference in December 2010. For reasons that are far from obvious,
Commissioner Malmström made a speech arguing that "data retention is here to
stay", despite the fact that inadequate information had been received from
the Member States (who mostly ignored her personal plea at the July Council
meeting) and despite the fact that her services were still months away from
being able to provide a useable summary of the paltry information that was
provided by the Member States.

So, where are we now? The Home Affairs Directorate General (DG HOME) of the
European Commission submitted a draft evaluation report at the end of
February, resplendent in blank spaces where the Member State information
should have been put, for review by colleagues from the rest of the
Commission. These have now provided their feedback which, by all accounts,
did not lavish praise on the work done so far. When and how the DG HOME will
update the document based on this feedback is not yet clear - what is clear
is the disastrous position their prejudging of the outcome of this process
has created.

The Commission has simply no basis, on the weak evidence presented by the
Member States, to argue that the value added to law enforcement by the
Directive shows that it is "necessary" (and therefore legal). It therefore
cannot move forward with a revision of the Directive. For the same reason,
it cannot opt simply to do nothing. It also cannot refine the Directive by
learning from the experience of Member States, like Germany and Romania,
that have not implemented the Directive, for the simple reason that it did
not request any information from those countries. And, having pandered to
the wishes of certain large Member States by proclaiming that "data
retention is here to stay," even a tactical retreat seems politically
difficult, even if it is legally and practically the only reasonable step
left.

Perhaps the Commission should stop digging and start listening, learning
from the insightful words of a Swedish Liberal MEP on the day that the
Directive was adopted in the European Parliament. "This is a difficult issue
on which to adopt a position. Reflection is required, together with a solid
factual basis in relation to the privacy aspect, the technical consequences
and the actual costs for telecommunications operators and thus consumers."

Data retention Directive
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:0063:EN:PDF

Letter from the Commission to Member States (27.06.2011)
http://www.edri.org/files/drd_letter.pdf

Czech Constitutional Court rejects Data Retention Law (31.03.2011)
http://www.edri.org/czech-decision-data-retention

EDRi-gram: Romanian Constitutional Court Decision against Data Retention
(2.12.2009)
http://www.edri.org/edrigram/number7.23/romania-decision-data-retention

EDRi-gram: German Federal Constitutional Court Rejects Data Retention Law
(10.03.2010)
http://www.edri.org/edrigram/number8.5/german-decision-data-retention-unconstitutional

Commissioner Malmström's "data retention is here to stay" speech (3.12.2010)
http://europa.eu/rapid/pressReleasesAction.do?reference=SPEECH/10/723

Explanations of vote in the European Parliament on the Data Retention
Directive
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+CRE+20051214+ITEM-011+DOC+XML+V0//EN

(Contribution by Joe McNamee - EDRi)

============================================================
13. Recommended Action
============================================================

Public consultation on on-line gambling in the Single Market. The final
questions in the Green Paper ask about the value of, and options for,
blocking of gambling websites.
Deadline: 31 July 2011
http://ec.europa.eu/internal_market/services/gambling_en.htm

============================================================
14. Recommended Reading
============================================================

Paul de Hert / Rocco Bellanova: Transatlantic Cooperation on Travelers'
Data Processing: From Sorting Countries to Sorting Individuals
(Migration Policy Institute, 2011)
http://www.migrationpolicy.org/pubs/dataprocessing-2011.pdf

European Data Protection Commissioners insist on the need for a
comprehensive EU approach to data protection (6.04.2011)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/PressNews/Press/2011/EDPS-2011-04_Spring%20Conference_EN.pdf

EU survey: 72% of Europeans not informed about their fundamental rights  
(18.03.2011)
http://europa.eu/rapid/pressReleasesAction.do?reference=EO/11/6&format=HTML&aged=0&language=EN&guiLanguage=en

============================================================
15. Agenda
============================================================

7-8 April 2011, Amsterdam, Netherlands
European Legal Network Conference "Free Software law for the next ten years"
http://fsfe.org/projects/ftf/legal-conference.en.html

13-15 April 2011, Berlin, Germany
Re:publica XI: Conference about blogs, social media and the digital society
http://re-publica.de/11/en/

5-6 May 2011, Milano, Italy
The European Thematic Network on Legal Aspects of Public Sector
Information - public conference
http://www.lapsi-project.eu/milan

17-18 May 2011, Berlin, Germany
European Data Protection Reform & International Data Protection Compliance
http://www.edpd-conference.com

30-31 May 2011, Belgrade, Serbia
Pan-European dialogue on Internet governance (EuroDIG)
http://www.eurodig.org/

2-3 June 2011, Krakow, Poland
4th International Conference on Multimedia, Communication, Services and
Security organized by AGH in the scope of and under the auspices of INDECT
project
http://mcss2011.indect-project.eu/

12-15 June 2011, Bled, Slovenia
24th Bled eConference, eFuture: Creating Solutions for the Individual,
Organisations and Society
http://www.bledconference.org/index.php/eConference/2011

14-16 June 2011, Washington DC, USA
CFP 2011 - Computers, Freedom & Privacy
"The Future is Now"
http://www.cfp.org/2011/wiki/index.php/Main_Page

11-12 July 2011, Barcelona, Spain
7th International Conference on Internet, Law & Politics (IDP 2011): Net
Neutrality and other challenges for the future of the Internet
http://edcp.uoc.edu/symposia/lang/en/idp2011/?lang=en

============================================================
16. About
============================================================

EDRi-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRi has 29 members based or with offices in 18 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRi-grams.

All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and are visible on
the EDRi website.

Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/

Newsletter editor: Bogdan Manolea <edrigram at edri.org>

Information about EDRI and its members:
http://www.edri.org/

European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.
http://www.edri.org/about/sponsoring

- EDRI-gram subscription information

Subscribe by e-mail
To: edri-news-request at edri.org
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.
Unsubscribe by e-mail
To: edri-news-request at edri.org
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edri/2.html

- EDRI-gram in German

EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/

- Newsletter archive

Back issues are available at:
http://www.edri.org/edrigram

- Help
Please ask <edrigram at edri.org> if you have any problems with subscribing or
unsubscribing. 

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE




