EDRi-gram newsletter - Number 9.22, 16 November 2011

EDRI-gram newsletter edrigram at edri.org
Wed Nov 16 09:06:17 PST 2011



biweekly newsletter about digital civil rights in Europe

Number 9.22, 16 November 2011


1. EDRi letter: EC proposes reduced retention periods for retained data
2. US court allows access to world-wide Twitter accounts data
3. Online Distribution of Audiovisual Works: EDRi's answer to the EC
4. Unlocking education in the Netherlands
5. EDRi Responds to BEREC's Consultation on Net Neutrality and Transparency
6. 2011 Public Voice Civil Society Conference: "Privacy is Freedom"
7. 33rd International DPA Conference in Mexico City
8. Will the new flawed EU-US PNR agreement be approved by the EP?
9. ENDitorial: Copyright combinatronics
10. Recommended Action
11. Recommended Reading
12. Agenda
13. About

1. EDRi letter: EC proposes reduced retention periods for retained data

In September 2011, European Digital Rights and 37 other NGOs sent a
detailed letter to the European Commission with regard to the current stage
of the review of the Data retention Directive - the impact assessment. The
purpose of the letter was to provide early input to the Commission, in order
to give maximum opportunity to take our concerns into account.
The response from the Commission acknowledges the problems with the
Directive. Without being specific, Commissioner Malmström responded that the
maximum retention periods need to be reduced and also pointed out that the
text must be improved with regard to its clarity. She also recognised and
accepted the need for a followup of the methodology detailed in the
Fundamental Rights Checklist and that cost-reimbursement for Internet
providers is a way of minimising access to retained traffic data.

The Commissioner promises improvements to resolve two problems in the
Directive: the length of the maximum retention periods and the lack of
clarity (and therefore predictability) of the Directive. However, the
recognition of these two problems implies an acceptance of doubts regarding
the compliance of the current Directive with the Charter of Fundamental
Rights and the European Convention on Human Rights.

This raises an important question: in such circumstances, how can it be
appropriate to recognise the questionable legality of the Directive, on the
one hand, and undertake legal proceedings against Germany, Romania and
Sweden for failing to implement the Directive, on the other?

Rather disappointingly, the Commissioner decided to answer a question which
was not asked, namely how difficult it would be to get major improvements
past the Council of Ministers. While the political obstacles to an adequate
resolution of the data retention Directive's problems are certainly massive,
the current College of Commissioners took an oath, as individual citizens,
to defend the Charter on Fundamental Rights. This oath contained no
exceptions for challenging political environments. However, the
subtext of the Commissioner's response to civil society is clear - without a
shift in the positions of Member States, the Commission does not feel able
to resolve the deep problems with data retention.

Nonetheless, the tone of the letter is very positive and the constructive
engagement of civil society is clearly welcomed. EDRi and the co-signatories
of the letter will continue to engage constructively with the Commission.

Joint letter on data retention (26.09.2011)

Commissioner Malmström's response (dated 31.10.2011)

Fundamental rights checklist

Oath to respect the EU Treaties and Charter:

(Contribution by Joe McNamee - EDRi)

2. US court allows access to world-wide Twitter accounts data

A US judge decided on 10 November 2011 that Twitter had to release to the US
authorities data on the Twitter accounts of people involved in the case of
WikiLeaks founder Julian Assange investigated by the US Justice Department.
The Twitter accounts in question belong to Icelandic MP and former WikiLeaks
volunteer Birgitta Jónsdóttir, Seattle-based WikiLeaks volunteer Jacob
Appelbaum and Dutch XS4ALL Internet provider co-founder Rop Gonggrijp.
The judge's ruling is a response to the appeal made by the three Twitter
account holders, thus backing up the previous decision in March of another

Even more worrying is the fact that the investigated people found out
about the first US court's decision only because Twitter notified the
subscribers that prosecutors had obtained a court order for their account
information. Furthermore, the judge blocked the users' attempt to discover
whether other Internet companies had been ordered to release their data to
the US government.

"With this decision, the court is telling all users of online tools hosted
in the U.S. that the U.S. government will have secret access to their data,"
said Jónsdóttir, who expressed her intention to take the case to the Council
of Europe.

The court order on the appeal was criticised by the IPU (Inter-Parliamentary
Union, the international organization of Parliaments with MPs from 157
countries), which adopted a resolution condemning the move which, in their
opinion, threatens free speech and may be in violation of Article 19 of the
Universal Declaration of Human Rights which gives everyone the right to
freedom of opinion and expression.

In seeking the respective information, US authorities used the Stored
Communications Act to demand that Twitter provide the internet protocol
addresses of users as well as bank account details, user names, screen names
or other identities, mailing and other addresses.

In the judge's opinion, "the information sought was clearly material to
establishing key facts related to an ongoing investigation and would have
assisted a grand jury in conducting an inquiry into the particular matters
under investigation."

Also extremely worrying is that he considered that the Twitter users
had implicitly given their agreement to hand over their IP addresses the
moment they signed up for an account and relinquished an expectation of

"Petitioners knew or should have known that their IP information was subject
to examination by Twitter, so they had a lessened expectation of privacy in
that information, particularly in light of their apparent consent to the
Twitter terms of service and privacy policy," wrote the judge in his

Basically, what this decision says is that US authorities can require
account information on any users of US-based online social networks,
irrespective of their location and citizenship. This brings forth very
serious concerns related to online privacy.

EFF Legal Director Cindy Cohn also expressed her concern that in a world
where Internet users place online more and more of their conversations,
experiences, pictures, locations and many other types of personal
information, the court's conclusion is that "records about you that are
collected by Internet services like Twitter, Facebook, Skype and Google are
fair game for warrantless searches by the government."

US court verdict 'huge blow' to privacy, says former WikiLeaks aide

Second judge gives DOJ access to WikiLeaks-related Twitter accounts

Privacy Loses in Twitter/Wikileaks Records Battle (10.11.2011)

3. Online Distribution of Audiovisual Works: EDRi's answer to the EC

Adapting the European policy to the digital environment would offer the
audiovisual industry access to an even broader audience and would give
the consumer greater access to cultural works. It is the opportunity to
redefine a simple and harmonised framework. It is a chance to achieve a
digital single market.

What creates obstacles to achieving this goal? Which interests should be
taken into account? What should the EU policy-maker do to offer a
satisfactory environment to both rightsholders and consumers?

EU policy must be user-friendly, innovation-friendly and creation-friendly.
The current framework somehow fails to take into account all those aspects
and to find the right balance between the interests at stake.

One of the essential aspects is access to culture. The current divided
market, particularly on the copyright aspects, creates barriers that prevent
EU citizens from accessing, using and enjoying cultural content such as
audiovisual works. Nowadays, consumers consider the current copyright law
system as illegitimate, which explains the level of infringements. The
current system is not only consumer-unfriendly but also has an
economic downside: it stifles the development of new technology. Its
overly strict application of copyright and its indefensible and ineffective
repressive enforcement measures are counterproductive.

There are numerous ways to improve the current ecosystem without
putting aside any interests: harmonising the current framework, minimising
the complexity and waste generated by intermediaries, micro-payments,
enabling the development of legal platforms to access, share and stream
audiovisual content, cross-border licensing, pan-European offers.

The achievement of a digital single market should not be undermined by efforts
to create more restrictions over the use of content, such as limiting
exceptions and limitations to copyright. Equal access to culture should also
be recognised for people with disabilities and the copyright exception
should be made mandatory for that purpose.

The digital environment offers new perspectives, new possibilities and new
opportunities for the industries and for citizens and those opportunities
must be embraced by the EU. The right balance between economic and social
goals, the interests of creators and consumers can be found without putting
the interests of one above the others. More repressive enforcement will risk
making the legal framework even more illegitimate. What the EU needs is a
clear, simple and harmonised framework.

EC Green Paper on the Online Distribution of Audiovisual Works:

EDRi's answer to the consultation (11.2011)

(Contribution by Marie Humeau - EDRi)

4. Unlocking education in the Netherlands

Dutch schools are progressively locking out students from online
environments due to the use of proprietary web-technology
(Silverlight) and closed standards. This contravenes the 2007
Netherlands Open in Connection policy framework that mandates the use
of open standards for all public sector organizations, including
educational institutions. In responding to questions by the Parliament
about this situation, the minister of Education, Marja van
Bijsterveldt, stated she was unwilling to force educational
institutions to comply with the official open standards policy.

The Dutch open standards policy framework calls for a mandatory use of
open standards in all public sector organizations (via comply or
explain). The ministry of education should have begun taking steps to
implement it four years ago. However, open standards have not become
an integral part of educational IT-procurement and thus are not
considered when purchasing, renewing or upgrading (educational)
IT-services, software and digital learning materials. The negligent
attitude of the ministry of education resulted in an increasing
vendor lock-in, effectively locking out substantial and growing numbers
of students.

Through the "Unlocking education, for growth without limits" campaign,
Dutch activists are pushing for a more robust implementation of
the open standards policy, by making the use of open standards
mandatory for all publicly-funded institutions. The campaign is
supported by a wide range of Dutch organizations (NLLGG, NLUUG, LPI
Netherlands, HCC!, ISOC.nl, Free Knowledge Institute and the Dutch
Pirate Party), the Free Software Foundation Europe and over 900
individuals who signed the petition. Arjan el Fassed, MP for the
Green party (GroenLinks), expressed dissatisfaction with the minister
of Education's answers. The next round of parliamentary questions is
being prepared in collaboration with the activists.

FSFE campaign page - Unlocking education, for growth without limits

The lack of open standards in secondary education (only in Dutch, 5.10.2011)

Answer to Parliamentary questions about the lack of open standards in
secondary education (only in Dutch, 28.10.2011)

Dutch government hands over education's keys to Microsoft (7.11.2011)

Dutch petition (only in Dutch, 27.09.2011)

International petition (28.09.2011)

(contribution from Jan Stedehouder - EDRi-member Vrijschrift - Netherlands)

5. EDRi Responds to BEREC's Consultation on Net Neutrality and Transparency

Net Neutrality is at the centre of the debate in almost every European
institution. The European Commission has been looking at this topic for more
than a year now and is moving more and more away from its initial position
to uphold net neutrality in Europe. In contrast to her own statements in
January 2010, Vice-President Neelie Kroes is now advocating a
wait-and-see-approach stressing the importance of transparency and the
ability to switch operators. In a speech during the EUHackathon on 9
November 2011, Kroes said she heard "allegations that some internet
providers throttle, degrade the quality of services". Earlier this year she
therefore asked the EU telecoms regulator BEREC to go on a fact-finding
mission in order to prove these "allegations".

Net neutrality was also recently discussed in the European Parliament. The
Industry Committee just adopted a resolution which called on the BEREC to
swiftly publish the evidence emerging from its investigations. The
resolution emphasised that net neutrality is crucial for fundamental
freedoms, innovation and competition. Indeed, there is a growing number of
threats to it, such as blocking of applications and degradation of services.
These experiments with the essence of the Internet have sometimes been
transparently declared by operators themselves and reported by end users and
content providers, while at other times consumers' services have simply been
restricted, without notification or explanation. Not only do operators have
incentives to seize more control over internet traffic, they are also
increasingly under pressure from vested interests to take measures which run
counter to their role as a mere conduit.

On 2 November 2011, EDRi responded to BEREC's consultation on
"transparency and net neutrality", which will be followed by a paper on
Quality of Service and a report on competition and discrimination issues
next year. BEREC's draft guidelines on transparency, however, are in line
with the Commission's wait-and-see approach and argue that transparency is
an effective tool to achieve the regulatory objective of maintaining an open
and competitive Internet.

In its response, EDRi explains that transparency on service restrictions
will lead neither to sufficient protection nor to empowerment of end users.
In the light of numerous transparent and non-transparent violations of the
principle of net neutrality, EDRi expresses its deep concerns about the
Guidelines' apparent acceptance of restricted offers that provide limited
access to the Internet. EDRi fears that relying solely on transparency
requirements and on market forces will lead to the development of a
multiple-tier Internet, to the detriment of citizens' rights and the
competitive online marketplace. Few would be able to access premium managed
services and many would be left in the slow lane with a low quality and
restricted access to the Internet.

EDRi asks the BEREC to design regulatory tools for national regulatory
bodies to ensure that traffic management practices do not unsettle the
Internet ecosystem. The BEREC should promote narrowly-tailored measures to
protect net neutrality and the open Internet's core characteristic as a
unique platform for innovation and freedom of expression defined by end user

EDRi's response to the net neutrality consultation (2.11.2011)

BEREC guidelines on transparency and net neutrality (10.2011)

Speech given by Neelie Kroes on 9 November 2011 during the EUHackathon

Net Neutrality Resolution as adopted by ITRE (7.11.2011)

EDRi-gram: Neelie Kroes on Net Neutrality (27.01.2010)

(Contribution by Kirsten Fiedler - EDRi)

6. 2011 Public Voice Civil Society Conference: "Privacy is Freedom"

The Public Voice meeting that took place on 31 October 2011 in Mexico City
began with a discussion of the 2009 Madrid declarations (both those from
DPAs and civil society). Most participants felt there had been little
progress towards implementation or acceptance by governments. Peter Schaar
(Federal DPC Germany) stressed that upholding the rights of data subjects
required independent oversight, and that CoE Convention 108 was still
available for regulating transborder data flows, and was open to
third-countries. Discussions about multilateral vs. single global
instruments were becoming repetitive.

In the panel on Cultures of Privacy, Jacob Kohnstamm (Netherlands DPC &
Art.29 WP Chair) noted that databases were implicated in extensive human
rights violations during WW2, and the families of many Europeans had cause
to remember such risks. David Vladeck (FTC) saw his role not as "referee"
over different and clashing cultures, but to preserve consumer choice;
clicking through EULA "wordbarf" is not "meaningful" consent. He stated the US
could not be more different from EU culture, but "we get to the same
result", citing FTC support for "Do Not Track".

Lara Ballard (US State Department) described an Egyptian activist creating a
database identifying members of the secret police (to name and shame them).
Flickr took down the pictures on copyright (not privacy) grounds. The
activist's view was that the secret police had invalidated their own right
to privacy, because their conduct undermined the rule of law itself. Ballard
was sceptical of nostrums about a lack of an Asian sense of privacy (e.g.,
non-legal concepts of Japanese politeness are similar), and cited
sociologist Irwin Altman on privacy as dynamically negotiated social
boundaries. She asserted EU DPCs were mistrustful of major US Internet
companies, but trusted their own governments. She praised the concept of
"accountability agents" and the APEC privacy process. Moderator Alberto
Cerda (Derechos Digitales - Chile) remarked that global agreements for the
enforcement of "intellectual property" already existed, but there seemed to
be little prospect of comparable treaties for privacy.

Zhou Hanhua (China - Social Science Academy) said although China had no
history of privacy, the real concerns of people were similar. China today
may have the worst of both worlds. People felt resigned to marketing privacy
invasions such as endemic mobile voice spam. China has still not enacted a
DP law (and the choice between US and EU systems was most difficult), but on
paper, Constitutional protections were similar to developed countries, and
culture is changing rapidly. Moez Chakchouk (Tunisia) spoke of their first
free election, and new constitution next year. Their main priority was to
transform the former censorship agency into a human rights and privacy
agency (sic). Cerda asked whether EU standards were too high (so few
countries attained adequacy), and Kohnstamm replied national authorities
couldn't do much without co-operation from the rest of the world. Schaar
said the EU should not lower standards, given European history; data
protection will stay a fundamental right in Europe.

Vladeck contrasted common-law vs. civil law cultures; in the EU privacy law
is very specific, in the US not. There was a vocabulary problem. To US ears,
rights mean what is in the US Constitution, "and why do I have to fill in a
form for the police when I check into a hotel in Europe?" - a right not
enforced isn't much of a right. US goals were similar to the EU. "There is
no difference between opt-in and opt-out given current technology" (sic).
Ballard re-iterated support for "accountability agents" ("a new legal regime
accountable to e.g. TRUSTe").

The panel on Raising Public Awareness on Privacy vs. Technology was
moderated by Pablo Molina (US), and began with a description of the new
Brazilian law from Danilo Doneda. Michael Donohue (OECD) stated that
transborder flows of data can be blocked only if there was no adequate
protection of sensitive data. Omer Tene said face recognition was not a new
issue (e.g. police line-ups). His view of consent was that an opt-out should
be sufficient if good information was provided. Thomas Nortvedt (TACD)
emphasized that consumers needed to be able to enforce rights.

Korina Velazquez (MEX) moderated the panel on Children's Privacy Online,
with contributions from Adriana Labardini (Mexico - Alconsumidor), Kristina
Irion (CEU Hungary), and Conchy Martin Rey (TACD). Neuro-marketing
techniques were discussed, and Jeff Chester remarked that the COPPA
legislation was unique in the US, in that it gave opt-in protection (to
minors). There were few answers to a question on when children should attain
legal independence from their parents for the exercise of privacy rights,
given the wide differences between individual children.

Dave Banisar (Article 19) led a conversation with Marc Rotenberg (EPIC) on
the relationship (both deprecated the word "balance") between Privacy and
Freedom of Expression. There were strong analogies between the right to
withhold identity and freedom of expression rights. Business obviously
prefers to conduct their activities unregulated. Banisar remarked that in
the UK, some attempted to justify "phone-hacking" in the name of free
expression, and Rotenberg recalled that Warren & Brandeis stipulated a
public interest exemption in their seminal article. Caspar Bowden asked if a
right of subject access to data in the private sector was feasible in the
US, and Rotenberg replied that the Federal Constitution normally doesn't
coerce private parties, but some state constitutions do. Probably "compelled
speech" cases can be distinguished (to allow a subject access right). EPIC
has pursued information self-determination rights, and this one is on their
"to do" list. The office of the EDPS pointed to the ECJ "Bavarian beer"
case, and their intervention to ensure FOI rights aren't subordinated to
privacy rights, in cases of public interest. Lara Ballard (US State
Department) asked whether government officials had privacy rights when
offering confidential advice. Dave Banisar said no, and deprecated the use
of the word privacy to mean "organizational secrecy".

Simon Davies (PI) moderated the panel on a Right to Forget. Marie-Helen
Boulanger (EU Commission) said the data subjects' existing rights needed to
be clarified, and that the impact of cheap data storage was that many traces
were left in online services. Data must be fully deleted when its processing
would be unlawful, e.g. when the retention period is not in line with the
purpose. However there is no "right to hide" in EU law. Regarding a right to
erasure of public records, it was preferable that unnecessary data was not
collected at all - data minimization remains a sound principle, in
conjunction with privacy-by-design. Peter Fleischer said Google merely
reflected the web, and should be allowed to index whatever is lawful on the
web, and mentioned a possible ECJ referral of the current Spanish case.
Alejandro Pisanty (Mexico) stressed the end-to-end principle of the Internet
(network flows should not depend on the content), and that
Mayer-Schönberger's idea for self-deleting data would still leave metadata
traces behind, even after content was deleted. Banisar recalled that the
possibility for rehabilitation was an internationally accepted principle in
Freedom of Expression.

Chris Soghoian rounded on Fleischer's assertion that Google "deleted" search
data after nine months, pointing out that their actual practice
(IP-last-byte-deletion) did not even properly anonymize the data. The
important "right to be forgotten" is over the behavioural data we are
scarcely conscious is being collected, but the public debate mostly avoids
this issue, focussing on e.g. tagged photos. The major Internet companies
don't let the user delete behavioural data. Moreover there is the further
issue of aggregate data used to sort users automatically into marketing
buckets. Caspar Bowden asked why Google didn't permit users to delete web
history from a "parallel" logging system, only disclosed by an elliptical
reference in an FAQ outside the privacy statement.

Gus Hosein (PI) moderated the final panel on Government Databases. Caspar
Bowden (EDRi) summarised the effect of the US law FISAA 2008 1881a; that
Cloud providers within US jurisdiction may be coerced into wiretapping their
own datacentres (inside or outside the US) to conduct purely political
surveillance on non-US persons outside the US.

Meryem Marzouki (France - CNRS) made a plea for a data confinement doctrine
and its strict application by law, in response to the vulnerability of
mega-databases to malicious intrusions, technical breaches and unlawful use.
Katitza Rodriguez (EFF), Cedric Laurent (Access) and Jessica Matus Arenas
(Chile) provided analysis on national legislations on data protection and
access to information, respectively in Mexico, Colombia and Chile, and
commented on the current situation in these countries.

Public Voice conference

Caspar Bowden's presentation at Public Voice event (31.10.2011)

(Contribution by Caspar Bowden - EDRi Observer)

7. 33rd International DPA Conference in Mexico City

The 33rd International Conference of Data Protection and Privacy
Commissioners was held in Mexico City, on 2-3 November 2011, hosted by IFAI
(The Mexican Federal Institute for Access to Information and Data
Protection). This year's theme, "Privacy, the Global Age", showed the clear
will of the organizers to make it a direct follow-up to the 31st
Conference held in Madrid and its adopted resolution on global standards. As
a matter of fact, Jacqueline Peschard, IFAI President, called in her opening
remarks for a plan of action to be proposed by this conference. This
commitment to take further steps was shared by most, though not all, of the
DPA (Data Protection Authorities) at the conference.

The two-day conference included four plenary sessions and four sets of four
parallel sessions. A useful innovation consisted in the presentation of
highlights from parallel sessions, to keep the audience updated on all
discussions. While the parallel sessions addressed a broad range of current
hot data protection issues, the plenary sessions focused on various aspects
of the "big and distributed data" challenge: "Observation, Analytics,
Innovation and Privacy", "The Drivers for Data Protection Law in Latin
America, Asia, and Africa", "Security in an Insecure World" and "One Data
Protection Community. Many Cultures, Threats and Risks".

The "big data challenge" was rather overstressed in the first plenary
session, especially through the keynote presentation by Ken Cukier (The
Economist), followed by two panel sessions.

In the first panel session, Jacob Kohnstamm, Peter Schaar and Marie Shroff
(DP Commissioners of The Netherlands, Germany and New Zealand, respectively)
and David Vladeck (FTC, USA) were asked whether the growth of data, its
mining and application challenge the way privacy enforcement agencies
protect individuals. The two European DP Commissioners insisted on the need
for a strict application of the legislation and more independent control
powers given to DPA, while the New Zealand Commissioner rather took the view
that there is a need to move from a focus on compliance with rules towards
being more strategic, identifying the big risks, strategizing, and moving to a
leadership mode or, as she said, "move from a negative mode to a positive
mode". The FTC representative insisted on the changing nature of big data
(collected from smartphones, sensors, social networks...), leading to the
importance of privacy by design. He acknowledged that "the burden has to be
on the company, not on the consumer, to protect the data".

In the second part of this session, gathering a panel of other stakeholders,
Gus Hosein (Privacy International) and Joel Reidenberg (Fordham Law School)
reminded the audience that the basic DP principles still apply. The former
warned that it would be a mistake to only focus on the use of big data while
forgetting about their collection process. The latter insisted on the need
to consider the broader systemic risks arising with big data, as they create
an unprecedented level of transparency of the citizen, who loses any
anonymity and choice capabilities, with the consent model breaking down.

One very informative session on new legal developments was the one dealing
with "changing laws in the US and the States".

Françoise Lebail (EC DG Justice) presented the main features of the deep
reform the EU has undertaken in terms of privacy legislation. She made clear
that the revised legislation, to be adopted at the beginning of next year,
will leave less room for interpretation for Member States, as the
disparities are currently huge: "no longer legal fragmentation", she said,
mentioning both the national legislations and the two sectors, public and
private, including sectors formerly falling under the 3rd pillar. Other
important new features include: data breach notification, better enforcement
of rights, harmonization and increase of DPAs resources and powers, stronger
cooperation between DPAs (a reflection on a cooperation mechanism is
ongoing). On International aspects, she mentioned the need for a
continuation of EU citizen protection, not only through the adequacy but
also through the interoperability of the different DP schemes.

Lawrence Strickling (NTIA, USA) also introduced the big changes undertaken
in the USA to strengthen the privacy regime towards a general regime of
consumer data privacy, with a large focus on the international
interoperability of DP systems. A white paper will be issued in the weeks to
come, valid for the entire Obama administration, developing a four-pillar
framework: (1) A consumer bill of rights, that should be enacted in
legislation; (2) Codes of conduct developed by stakeholders; (3) Enforcement
of these codes of conduct by the FTC; and (4) International interoperability.
One probably needs to wait until this white paper is made available to
understand the exact share of enforced legislation and of self-regulation
this framework will actually encompass, as well as to what extent industry
lobbies will impose their views in the so-called multi-stakeholder process
of codes of conduct development.

"International interoperability" seems thus to be the new buzzword, and the
most that would be conceded in international discussions on a global privacy
and data protection framework. Civil society, as well as many DPAs, expect
more, though. They expect global privacy and data protection standards, and
this was precisely the topic addressed at the session on "Global Standards
Linked to Global Value", organized and moderated by Lillie Coney (Electronic
Privacy Information Center).

During this session, Jörg Polakiewicz (Council of Europe) introduced the
major features of the current revision of Convention 108 that will soon
be submitted to consultation, and insisted on the fact that this
Convention is and will still be open to signatures and ratifications by
third countries, being the ideal vehicle towards a global privacy and data
protection standard.

Rafel Garcia (Spanish DPA) recalled the main advances of the Madrid
Resolution on global standards, adopted at the 31st DPA two years ago, and
mentioned the progress, though slow, made since then.

Meryem Marzouki (EDRi) took as a starting point the Madrid Civil Society
Declaration on "Global Privacy Standards in a Global World" adopted at the
2009 Public Voice Civil Society Conference organized in Madrid, in liaison
with the DPA Conference. She identified 6 main steps for an urgent action
plan to implement the provisions of this Declaration. The EDRi representative
also reacted to the way the "big data" issue (or rather propaganda, in view
of radical deregulation of privacy forced by technological determinism, as
many civil society representatives analysed) was addressed during the
conference. Meryem Marzouki recalled that "privacy is a fundamental human
right, that shouldn't be adapted to new technical developments or economic
models". Asking to put this dialectic back on its feet, she added that "it
is rather the technical, economic and behavioral norms that should comply to
international human rights standards."

The next International Conference of Data Protection and Privacy
Commissioners will certainly bring interesting follow-up to this year's
conference, especially with the new EU and US legislative frameworks, as
well as the revised Council of Europe Convention 108 being discussed. The
34th Conference will be held again in Latin America (Uruguay).

33rd DPA Conference, Mexico City (2-3.11.2011)

31st DPA Conference, Madrid (4-6.11. 2009)

The Madrid Civil Society Declaration (3.11.2009)

Meryem Marzouki (EDRi) Presentation (3.11.2011)

"Big data and Small Agencies" - Colin Bennet's Reflections on the 33rd DPA
Conference (7.11.2011)

(Contribution by Meryem Marzouki - EDRI member IRIS - France)

8. Will the new flawed EU-US PNR agreement be approved by the EP?

In May 2011, the European Commission's Legal Service said the EU-USA PNR
agreement on the transfer of personal data of travellers flying from Europe
to the US was not compatible with fundamental rights. Five months later a
new, but similarly flawed version, is now presented to the European

With the US side having kept pressing the EU on finalising the PNR
agreement, a new slightly changed version is now under discussion. Although
the new text still raises privacy concerns, it seems unlikely that the
European Parliament will reject this version.

Commissioner Malmström presented details of the new EU-US agreement to the
German newspaper FAZ on 9 November 2011. While Parliamentarians
currently do not have the right to talk about details of the negotiations,
the Commission has apparently every right to go on a promotion campaign. The
text of the Agreement is available for Parliamentarians in a secret reading
room of the EU-Parliament where they can only read it, but do not have the
right to take photos or notes. It is bizarre that there has been no reaction
so far by MEPs on the fact that the German newspaper got briefed before the
official briefing for the rapporteur and shadow rapporteurs which took place
only on 15 November. This is clearly in breach of art.
218(10) TFEU, which reads "The European Parliament shall be immediately and
fully informed at all stages of the procedure."

The retention period for all the data remains 15 years but now there are
restrictions for accessing that data after 10 years for serious crimes, such
as drug and human trafficking.

Also, under the draft deal, the data sent to US authorities would become
"pseudonymous" after six months which means that some data would be masked
out although still available in case of an event. Other data, including
frequent flier info and payment/billing info will still be unmasked.

The data would remain in an "active" database easily accessible to US
officials for five years, and then would be transferred to a "dormant"
database which will require stricter conditions to be accessed. The US
police or intelligence officers can retrieve or black out the data only with
special permission from a superior.

"Whatever they did are just cosmetic changes, the substance of blanket data
retention has remained. And even if they say personal data will be
'anonymised' after six months, the US still keeps all the records for 15
years," said German Green MEP Jan Philipp Albrecht.

In his opinion, the agreement still violates EU data privacy rules as the US
will still access and store all private data, (including telephone numbers,
email addresses and even credit card data).

MEP Sophie in't Veld (LIBE / Netherlands), said that her group would wait
for legal advice before deciding on the vote but also expressed concern
regarding the fact that the text still allows the use of data for broader
purposes than the fight against terrorism and organised crime. She also
showed her disappointment that after a long negotiation period, the final
version of the text is still only very little better than what MEPs have
continuously been asking for some years now.

"If this is what we are able to get out of our closest allies, what will
come out of negotiations with other countries? South Korea and Qatar are
also interested in PNR agreements, South Africa, Malaysia and Cuba are
preparing demands and it will be only a matter of time until Russia and
China will want this, too," stated Sophie in't Veld.

Michele Cercone, spokesman for EU Home Affairs Commissioner Cecilia
Malmstroem, stated however that, in their opinion, the new draft was a big
improvement to the last text: "The new agreement will guarantee that PNR
data will be used for restricted and well defined purposes, which are
fighting transnational crime and terrorism."

According to the proponents of the new treaty, the EU is not in the best
position to negotiate considering that European airlines will have to pass
travellers' information to the US authorities in order to be able to fly to
the US. By rejecting the agreement, the EU may put airlines in the position
of facing potential court cases for infringing privacy regulations.

In October 2011, a PNR agreement with Australia was approved by MEPs but in
that case the retention period is only five and a half years and the data
transfer is limited to terrorism and organised crime.

Unhappy MEPs to approve passenger data deal (11.11.2011)

FAZ article with Commissioner Malmström (only in German, 10.11.2011)

EU, US pen new passenger data deal to ease privacy fears (11.11.2011)

EDRi-gram: EU-US PNR agreement found incompatible with human rights

9. ENDitorial: Copyright combinatronics

Although the creation of the single market has been the primary focus of
the European Union for decades, it often seems that for every step
forward it takes two back. In that respect it's often rather interesting
to look at the mathematics as they play out in the different directives
that come out of Brussels.

The EU Copyright Directive outlines 21 different optional exceptions or
limitations to the right of reproduction of copyrighted works. Each
country implementing the directive can choose to either include or leave
out the exception clause.

If we imagine this as a set of 21 switches where each has two positions,
then to calculate the number of total possible configurations for these
switches we multiply together the number of options for each one:
2*2*2*2*2*2*2*2*2*2*2*2*2*2*2*2*2*2*2*2*2, or written more concisely,
2^21 (two to the power of twenty-one).

This gives us 2.097.152 different ways to implement the directive.

But it gets better. After the 21 exception clauses for reproduction
rights, there comes a paragraph stating that where the Member States may
provide exceptions or limitations for reproduction, they may provide
similarly an exception or limitation to the right of distribution.

This can be understood in at least two different ways, with radically
different results. On the one hand, if you have an exception on
reproduction then you may also have the same exception for distribution
(meaning we'd have 21 switches with 3 settings each), or on the other
hand, you may apply the same exception independently of each other
(meaning we'd have 42 switches with 2 settings each, or 21 switches with
4 settings - doesn't matter). The wording suggests the latter, but at
the same time it seems slightly absurd to have an "oh by the way you may
also" in a directive; there are other cleaner ways to approach this.
There is probably some literature that I'm unaware of about which one
they mean, but it's easier to do the math on both cases than it is to
navigate through commission and parliament documentation.

The first case is a three step process where each exception can be
either "off", "on for reproduction" or "on for reproduction and
distribution". This means we get three to the power of twenty-one
options, totalling 10.460.353.203.

The second case is a four step process where each exception can be
"off", "on for reproduction", "on for distribution", or "on for
reproduction and distribution". This gives us four to the power of
twenty-one options, totalling 4.398.046.511.104.

That's either ten billion or four trillion ways to implement the
copyright directive, depending on how you read article 5, paragraph 4.
It's very hard to visualize numbers of this size, but the larger number
is about fifteen times larger than the number of stars in our galaxy.

This back-of-envelope analysis doesn't even touch on the combinatorial
implications of different understandings of the details of articles 5.5,
6 and 7 in particular, and in general the rest of the directive, mostly
because they're less directly quantifiable. Let alone the distinction
between "exception" and "limitation", which could easily
bring the number up significantly.

This basically means that, a priori, there is a one in three hundred and
eighty million chance that any two member states come up with the same
implementation, taking the slightly better case. How does that serve the
ideal of a single market? It looks like internal dissolution about the
specifics of the exception clauses, with each country being difficult in
its own little way and no political hardheadedness forcing a tenable
solution, has yielded a completely useless directive in terms of

While it is true that all the member states could in theory decide on
the same exceptions, making this headache go away, the fact that they're
all optional suggests that, in each case, there was at least some strongly
for and some strongly against. At some point somebody must have gotten
so tired of debating the exceptions that they just lumped all of them
together under optional and decided to let the Member States figure it out.

What this shows is that the EU is not effectively managing to create a
single market, and through its policy on intellectual monopolies may
even be pushing the markets further apart. The question of who stands to
gain from this state of affairs is left as an exercise to the reader.

(Contribution by Smari McCarthy  -  International Modern Media Institute)

10. Recommended Action

Stop ACTA !

Beat the censor - online game

11. Recommended Reading

Civil society letter against the US SOPA law - Stop Online Piracy Act

EU charter creating "confusion" on human rights (11.11.2011)

Want to create a really strong password? Don't ask Google (8.11.2011)

INTA chairman defends secrecy (12.11.2011)

12. Agenda

24-25 November 2011, Vienna, Austria
"Our Internet - Our Rights, Our Freedoms"
Towards the Council of Europe Strategy on Internet Governance 2012 - 2015

30 November 2011, Brussels, Belgium
Horizon 2020: investing in the common good
Treating knowledge as a public good in EU research and innovation

27-30 December 2011, Berlin, Germany
28C3 - 28th Chaos Communication Congress

25-27 January 2012, Brussels, Belgium
Computers, Privacy and Data Protection 2012

14-15 June 2012, Stockholm, Sweden
EuroDIG 2012

9-10 July 2012, Barcelona, Spain
8th International Conference on Internet Law & Politics: Challenges and
Opportunities of Online Entertainment
Abstracts deadline: 20 December 2011

13. About

EDRi-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRi has 28 members based or with offices in 18 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRi-grams.

All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and are visible on
the EDRi website.

This EDRi-gram has been published with financial support from the EU's
Fundamental Rights and Citizenship Programme.

Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at

Newsletter editor: Bogdan Manolea <edrigram at edri.org>

Information about EDRI and its members:

European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.

- EDRI-gram subscription information

subscribe by e-mail
To: edri-news-request at edri.org
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.
Unsubscribe by e-mail
To: edri-news-request at edri.org
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis

- EDRI-gram in German

EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users

- Newsletter archive

Back issues are available at:

- Help
Please ask <edrigram at edri.org> if you have any problems with subscribing or

----- End forwarded message -----
Eugen* Leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
