EDRi-gram newsletter - Number 9.23, 30 November 2011

EDRI-gram newsletter edrigram at edri.org
Wed Nov 30 09:37:41 PST 2011


============================================================

       EDRi-gram

biweekly newsletter about digital civil rights in Europe

Number 9.23, 30 November 2011

============================================================
Contents
============================================================

1. Scarlet v SABAM: a win for fundamental rights and Internet freedoms
2. Proposed US-EU PNR Agreement made public
3. Dutch Parliament: no discussions on ACTA if negotiations are still secret
4. Turkey launches Internet filtering scheme
5. US crackdown on global domain names and IP addresses continues
6. Italian Police blocks sites that had banners to alleged illegal websites
7. EU-US summit joint statement ignores European civil rights
8. Two years into the Stockholm Programme: on the way to e-Fortress Europe?
9. New Guidelines to RFID Privacy Impact Assessments
10. ENDitorial: Advocate General on Data Retention: Strange answer&question
11. Recommended Action
12. Recommended Reading
13. Agenda
14. About

============================================================
1. Scarlet v SABAM: a win for fundamental rights and Internet freedoms
============================================================

On 24 November 2011, the European Court of Justice decided that an Internet
service provider (ISP) cannot be ordered to install a system of filtering
of all electronic communications and blocking certain content in order to
protect intellectual property rights. The Court largely based its decision
on the Charter of Fundamental Rights.

The ruling is hugely important for the openness of the Internet, and
therefore for the fundamental rights value and the economic value of the
Internet.

SABAM (the Belgian collective society - Société belge des auteurs,
compositeurs et éditeurs) wanted the ISP Scarlet to install a generalised
filtering system for all incoming and outgoing electronic communications
passing through its services and to block potentially unlawful
communications. In First Instance, while refusing the liability of the ISP,
the Brussels Court concluded that the SABAM's claim was legitimate and that
a filtering system had to be deployed. Scarlet appealed and the case was
referred to the Court of Justice of the European Union.

In its decision, the Court of Justice ruled that a filtering and blocking
system for all its customers for an unlimited period, in abstracto and as
a preventive measure, violates fundamental rights, more particularly the right
to privacy, freedom of communication and freedom of information. In
addition, it breaches the freedom of ISPs to conduct business.

The EU ruling underlines the importance of an open and neutral Internet,
respecting fundamental rights. The alternative would have led to a
permanent surveillance and filtering of all European networks. The
consequences would have been catastrophic for democracy, civil rights and
the Internet economy. The role of Internet intermediaries is to provide the
infrastructures and services that allow users to access and use the
Internet, not to police the flows of traffic to privately enforce
intellectual property rights. By protecting ISPs, the ruling is likely to
preserve key elements of the online economy and society. The Court sought
the right balance between the interest of the rightsholders on the one hand
and the interests of the ISPs and of citizens on the other hand.

Internet blocking is not completely banned by the decision, nor does it
deny ISPs' liability in every situation. On the former, the EU Court had to
rule on the liability of the type of blocking/filtering that was proposed.
On that point, it declared that the level of filtering and blocking asked
for in the case was too broad in terms of material and geographic scopes,
that the legitimate interests of society as a whole outweighed the other
interests at stake and that the unlimited and open-ended nature of the
blocking was excessive. As a result, the Court ruled that the proposed
measures were in violation of the European law. The Court could not have
made a ruling on unknown future technologies and developments or answered
questions it was not asked. On ISP liability, the ruling avoids the
circumvention of the existing EU law. In the current framework in the
e-commerce Directive (2000/31/EC), the ISP cannot be held liable for its
customers' behaviour when the ISP is unaware of illegal activity.

Far from creating a law free zone, the ruling sets safeguards to better
protect fundamental rights on the Internet. The decision re-establishes the
importance of the rule of law in the digital environment. Illegal behaviour
remains illegal but the policing stays the responsibility of the state, and
the liability stays on the person responsible for the illegal content.

ECJ Decision Scarlet vs Sabam (24.11.2011)
http://curia.europa.eu/jurisp/cgi-bin/gettext.pl?where=&lang=en&num=79888875C19100070&doc=T&ouvert=T&seance=ARRET

Press release and FAQ from EDRi (24.11.2011)
http://edri.org/scarlet_sabam_win

Press release from ECJ (24.11.2011)
http://curia.europa.eu/jcms/upload/docs/application/pdf/2011-11/cp110126en.pdf

(Contribution by Marie Humeau - EDRi)

============================================================
2. Proposed US-EU PNR Agreement made public
============================================================

On 17 November 2011, U.S. and EU officials initialled a proposed agreement
to authorize airlines to forward passenger name record (PNR) data to the
U.S. Department of Homeland Security (DHS). Although the agreement cannot
take effect without the approval of the European Parliament and the Council,
MEPs could read the proposed agreement only in a sealed room where they
could not take notes or make copies.

This week the complete text on which the European Parliament will vote has
finally been made public, revealing a failure to address the concerns raised
by the Parliament and continued shortfalls in data protection, due process,
and protection of fundamental rights.

In its resolution of 5 May 2010, the Parliament said that the PNR agreement
should take the form of a treaty, recognize the fundamental right to
freedom of movement, prohibit the use of PNR data for data mining or
profiling, and take into consideration "PNR data which may be available
from sources not covered by international agreements, such as computer
reservation systems located outside the EU." The proposed agreement
does not meet these criteria, and does not mention any of these issues.

The agreement would require that DHS copies of PNRs be "depersonalized"
after 6 months. But the "depersonalized" DHS copy of each PNR would still
include a unique record locator. There is no data protection law in the
U.S. for commercial data. So, at any time - secretly, without a court
order, and without violating U.S. law or the U.S.-EU agreement - the DHS
could use the record locator to obtain a copy of the complete PNR from the
computer reservation systems.

The agreement claims that all DHS access to PNR data will be logged. But
when individuals have requested these logs, both the DHS and European
airlines have said that they didn't exist. Without access logs, there can
be no accountability or oversight.

According to the agreement, any individual is entitled to "request" access
or corrections to their PNR data under the Freedom of Information Act
(FOIA). But most PNR data is exempt from FOIA. Under both the agreement
and U.S. law, you are entitled to request your PNR data, and the DHS is
entitled to say "No".

FOIA is not a data protection law. FOIA never requires any accounting of
usage or disclosure of data. FOIA never requires correction of records.
FOIA does not restrict what information is collected or how it is used.
U.S. courts have no authority under FOIA to take any action against misuse
or disclosure of personal information. The agreement says that individuals
may "seek" or "petition" for judicial review in U.S. courts. But such a
petition related to violations of the agreement would be denied.

The proposed agreement would protect travel companies against enforcement
of EU data protection laws, while failing to protect the rights of
travellers. Because the proposed agreement does not provide an adequate
level of protection for the processing of personal data, as required by
the EU Data Protection Directive and Article 8 of the Charter of
Fundamental Rights, EDRi recommends that the Council and the Parliament
should reject the proposed agreement.

Text of the PNR Agreement (23.11.2011)
http://www.ipex.eu/IPEXL-WEB/dossier/dossier.do?code=NLE&year=2011&number=0382

Analysis of the proposed U.S.-EU agreement on PNR transfers to the DHS
(with links to the full text in English, German, and French, 28.11.2011)
http://papersplease.org/wp/2011/11/28/revised-eu-us-agreement-on-pnr-data-still-protects-only-travel-companies-not-travelers/

Analysis of the proposed agreement by NoPNR! (only in German, 28.11.2011)
http://www.nopnr.org/fluggastdaten-an-die-usa-analyse/

EDRi archive of articles about PNR
http://www.edri.org/issues/privacy/pnr

(Contribution by Edward Hasbrouck, PapersPlease.org - EDRi observer)

============================================================
3. Dutch Parliament: no discussions on ACTA if negotiations are still secret
============================================================

ACTA is creating quite some noise, not only internationally but also
domestically. National Parliaments, including the Dutch Parliament, will
have to decide whether they will approve ACTA or not. In order to
correctly assess the implications of ACTA, the Dutch Parliament
requested publication of all preparatory documents on ACTA.

The Dutch Minister of Economic Affairs, Agriculture and Innovation,
Maxime Verhagen, would only hand over these documents if
parliamentarians vowed not to reveal anything about these documents.

Last week, the Dutch Parliament debated the imposed restrictions. A majority
of the Parliament indicated that ACTA could not be discussed in
Parliament before all information on the negotiations is disclosed
without conditions.

In preparation for this debate, EDRi-member Bits of Freedom sent a letter to
the Parliament that underlined the problems associated with ACTA and advised
it not to accept the imposed restrictions, as these would prohibit the
Parliament from discussing the treaty freely in public and consulting experts.

Dutch parliament refuses ACTA secrecy (23.11.2011)
http://acta.ffii.org/?p=924

Absurd obligation of confidentiality on ACTA blocks public debate (only in
Dutch, 21.11.2011)
https://www.bof.nl/2011/11/21/absurde-zwijgplicht-over-acta-blokkeert-publiek-debat/

Parliament demands moratorium on anti-counterfeiting treaty ACTA (only in
Dutch, 23.11.2011)
https://www.bof.nl/2011/11/23/kamer-eist-moratorium-op-anti-namaakverdrag-acta/

(Contribution by Rebecca Roskam EDRi-member Bits of Freedom volunteer -
Netherlands)

============================================================
4. Turkey launches Internet filtering scheme
============================================================

The Turkish Information Technologies and Communications Authority (BTK) launched
the Internet safety scheme on 22 November 2011, as planned, but on a
voluntary basis, following the fierce criticism and opposition to the
original plans to introduce a mandatory filtering system.

Internet users may sign up with their ISPs for the free of charge filtering
system which blocks "objectionable content", being able to choose from three
variants: child, family and domestic. When an Internet user wants to choose
one of the filtering variants, BTK issues a new user name and password
enabling the user's access to the chosen filtering system. The users who
want to stop using the Internet filtering can change back to a standard
no-filter profile.

Although voluntary, the system still raises concerns, one of them being the
supervision of the system by a new committee called Child and Family
Profiles Criteria Working Committee which, in the opinion of law professor
Yaman Akdeniz of Bilgi University in Istanbul "... does not look independent
nor impartial." The professor also believes that the state authorities may
be in the position to impose moral values.

More worrying is the fact that the filter blocks not only adult content, but
some 130 search terms, including "separatist" content from the PKK and
Kurdish rights groups.  "I also believe that the Turkish authorities are not
only trying to protect children but also adults from the 'so called harmful
content'," said Akdeniz.

Moreover, as frequently proven by liberty activists and IT experts,
filtering is not a real solution to solve real Internet threats to children.
Filters are easy to circumvent, costly and, in most cases, can lead to
blocking innocent content in the process.

State censorship can be easily masked by apparently justified reasons such
as threats to family and children. Under the cover of protecting children,
governments may try to include political censorship by including on the
filtering list words that relate more to political criticism and opposition
than to child pornography or terrorism.

This Week in Internet Censorship: Opaque Censorship in Turkey, Russia, and
Britain (23.11.2011)
https://www.eff.org/deeplinks/2011/11/week-internet-censorship-opaque-censorship-turkey-russia-and-britain

New Internet filtering system available after 3-month test period
(21.11.2011)
http://www.todayszaman.com/news-263471-new-internet-filtering-system-available-after-3-month-test-period.html

EDRigram: Turkey postpones its Internet filtering plans (24.08.2011)
http://www.edri.org/edrigram/number9.16/turkey-postpones-internet-filtering

============================================================
5. US crackdown on global domain names and IP addresses continues
============================================================

US authorities have resumed their "Operation in Our Sites" in order to
attempt to fight counterfeit and piracy-related websites. During this
second annual "Cyber Monday" crackdown, the Immigration and Customs
Enforcement (ICE) has shut down 150 websites from all over the world.

The recent introduction of draft bills, such as the Stop Online Piracy Act
(SOPA) and PROTECT IP Act (PIPA) now aims at providing a legal basis for
domain names and IP address seizures. SOPA's broad definitions could indeed
mean that no online resource in the global Internet would be outside US
jurisdiction.

In response to these legislative proposals and repeated unilateral
measures against European websites, the European Parliament adopted a
resolution on 17 November 2011 in preparation of the EU/US summit stressing
"the need to protect the integrity of the global internet and freedom of
communication by refraining from unilateral measures to revoke IP
addresses or domain names." The joint EU/US summit declaration published on
28 November 2011 indeed says: "We share a commitment to a single, global
Internet, and will resist unilateral efforts to weaken the security,
reliability, or independence of its operations".

However, despite the big show of opposition to the US bills and the
Parliament's actions, Internet filtering and blocking schemes like SOPA
and PIPA are still on the agenda on the other side of the Atlantic
claiming worldwide jurisdiction for domain names and IP addresses. According
to recent reports, attempts to terminate the Internet's end-to-end
architecture also seem to get even closer to the core of the Internet. This
sort of access restriction is an experiment with key functions of the
Internet, increasing the risk of fragmentation of the global Internet and, as
one co-chair of RIPE's DNS Working group stated, this gives restrictive
tools "to the bad guys".

Another attempt to govern the Internet is for instance the latest
international law enforcement action by the FBI against a large botnet.
During this action, the FBI, without a court order or without a legal
basis, took over the address blocks used by the botnet's nameservers and
then assigned those address blocks to Internet Systems Consortium's
(ISC) nameservers. The European Regional Internet Registry RIPE-NCC was
rather concerned about the implications of getting involved in policy
and governance issues and has now sued the public prosecutor's office to
get a judicial decision on the question whether they had sufficient
legal ground to order the temporary "lock" of the registrations. The
implications of RIPE having to respond to such orders, particularly due
to the very wide geographic coverage of its activities, would be very
severe indeed.

List of blocked web sites by the Immigration and Customs Enforcement (ICE)
(28.11.2011)
http://www.ice.gov/doclib/news/releases/2011/111128washingtondc.pdf

EU-US Summit Resolution by the European Parliament (15.11.2011)
http://www.europarl.europa.eu/sides/getDoc.do?type=MOTION&reference=P7-RC-2011-0577&language=EN

EU-US Summit Joint Declaration (28.11.2011)
http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/11/842

Civil society, human rights groups urge Congress to reject the Stop
Online Piracy Act (15.11.2011)
https://www.accessnow.org/policy-activism/press-blog/urge-congress-to-reject-sopa

IP Watch: Filtering and Blocking Closer To The Core Of The Internet?
(20.11.2011)
http://www.ip-watch.org/weblog/2011/11/20/filtering-and-blocking-closer-to-the-core-of-the-internet/

RIPE NCC Intends to Seek Clarification from Dutch Court on Police Order to
Temporarily Lock Registration (16.11.2011)
https://www.ripe.net/internet-coordination/news/about-ripe-ncc-and-ripe/ripe-ncc-to-seek-clarification-from-dutch-court-on-police-order-to-temporarily-lock-registration

(Contribution by Kirsten Fiedler - EDRi)

============================================================
6. Italian Police blocks sites that had banners to alleged illegal websites
============================================================

The Italian cybercrime police, Guardia di Finanza Agropoli, has recently
DNS blocked a series of websites that were offering links to content indexed
on BitTorrent, cyberlockers and eDonkey networks. Five of
the blocked sites belonged to Italianshare.net network, which were
allegedly releasing the links to the movies, games or music before their
commercial release. Two more websites that had nothing to do with that
network were also blocked.

According to Guardia di Finanza, the sites had advertising and donation
accounts operating through PayPal giving the authority the reason to
investigate them under commercial piracy and tax evasion accusations. The
on-going investigation has led to complaints filed by several anti-piracy
groups against the alleged leaders of the websites, resulting in the seizure
of their computer equipment.

But two innocent websites, italianstylewebsite.net and
freeplayclub.org, have also fallen victim to this action, having apparently
been associated by mistake with the investigated sites. The owners of the two
websites have both reacted by stating their sites were perfectly legal,
their only link with Italianshare.net being an exchange of banners. Their
sites hosted only legal links to free downloadable software of computer
games.

Furthermore, the two owners stated that they had received no previous
warning from the authorities and that initially they thought they had
problems with their DNS. Having received no official notification, they
did not even know whom to address in order to prove the legality of their
sites.

Fulvio Sarzana, the lawyer of the alleged owner of Italianshare.net
network, stated that, after a first analysis, he believed there had been an
obvious anomaly of the preventive seizure procedure.

Sarzana's opinion is that the measures taken by the police are incompatible
with the free flow of information on the web, as well as the free expression
of thought in online forums.  "The principle which we must begin with is
that any illegality should be suppressed and not encouraged, when you are
certain of course, without prejudice and preconceived ideas about the
navigability associated with the P2P service which was used for illegal
activity. And when the instruments used to preventively suppress are not in
the position to harm constitutional values or rights of third parties."

The lawyer warned that if such preventive seizure can thus be
used "without a scrupulous control of alternative means to repress illegal
content", this instrument can also be used in cases of defamation through
the information media or just blogs. "With a very strong impact upon the
freedom of information on the Internet."

Italianshare, the word to the defenders (only in Italian, 17.11.2011)
http://punto-informatico.it/3339573/PI/Interviste/italianshare-parola-alla-difesa.aspx

Free Play Club, a surprise seizure (only in Italian, 16.11.2011)
http://punto-informatico.it/3337434/PI/Lettere/free-play-club-un-sequestro-sorpresa.aspx#Scene_1

Italianstylewebsite / another surprise seizure (only in Italian, 17.11.2011)
http://punto-informatico.it/3339385/PI/Lettere/italianstylewebsite-altro-sequestro-sorpresa.aspx

Italian Anti-Piracy Blockade Takes Legit Sites Offline (18.11.2011)
http://torrentfreak.com/italian-anti-piracy-blockade-takes-legit-sites-offline-111118/

Cybercrime Police Shut Down Five File-Sharing Sites (11.11.2011)
http://torrentfreak.com/cybercrime-police-shut-down-five-file-sharing-sites-111111/

============================================================
7. EU-US summit joint statement ignores European civil rights
============================================================

A common statement issued at the EU-US summit that took place on 28 November
2011 at the White House in Washington included several aspects with direct
impact on digital civil rights, showing that the US has succeeded again in
obtaining what it wanted, while the European Union representatives have
failed to protect EU citizens' fundamental rights, especially the right
to privacy.

The statement clearly states that while the PNR agreement was negotiated,
there is still no deadline for an EU-US data protection agreement.
"We welcome the successful completion of negotiations on a new Passenger
Name Record agreement, and look forward to its early adoption and
ratification" says item 18 of the statement which continues by mentioning
the intention to finalize negotiations on a "comprehensive EU-U.S. data
privacy and protection agreement that provides a high level of privacy
protection for all individuals and thereby facilitates the exchange of data
needed to fight crime and terrorism."

The US has also pushed for support for the CoE Cybercrime Convention, but
nothing is stated about a commitment to ratify, or at least start
to negotiate, any of the fundamental rights conventions of the CoE. Also, the
US has rejected a request from the Commission to include net neutrality in
the statement, but they have managed to get in their wording on the
engagement with the private sector.

"We welcome the progress made by the EU-U.S. Working Group on Cyber-security
and Cyber-crime, notably the successful Cyber Atlantic 2011 exercise. We
endorse its ambitious goals for 2012, including combating online sexual
abuse of children; enhancing the security of domain names and Internet
Protocol addresses; promotion of international ratification, including by
all EU Member States, of the Budapest Convention on Cybercrime ideally by
year's end; establishing appropriate information exchange mechanisms to
jointly engage with the private sector; and confronting the unfair market
access barriers that European and U.S. technology companies face abroad,"
says item 18 of the joint statement.

EU-U.S. Summit joint statement (28.11.2011)
http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/11/842

============================================================
8. Two years into the Stockholm Programme: on the way to e-Fortress Europe?
============================================================

It has been two years now since the Stockholm Programme - a 5-year plan for
Justice and Home Affairs - was adopted. On 24 November 2011, an experts'
and activists' round table, organised in the European Parliament, raised
the question whether Europe was on its way to an e-Fortress. The
discussions focused on the proposal for so-called smart borders, the
processing of air passenger data (PNR) and the creation of a European
Border Surveillance System (EUROSUR).

With the introduction of smart borders, the European Commission aims at
implementing more effective border surveillance against "irregular
migration" by the use of drone planes, satellite and surveillance systems,
unmanned ground or marine vehicles and even combat robots. EUROSUR is a
further attempt by the European Commission to reduce the number of illegal
immigrants entering the European Union, to develop common tools and
instruments for Member States and to permit an EU-wide exchange of data. A
legislative proposal is expected to be published by the Commission around 7
December 2011.

Sergio Carrera, first speaker of the round table and senior research
fellow at the Centre for European Policy Studies (CEPS), criticised the
current policy making in the field of security saying that it was not
evidence based and that debates on necessity were non-existent, thus
fundamental rights always play a secondary role. During the development
of every new project, the presumption of innocence, the consent of
individuals and the principle of non-discrimination are rarely taken
into account. He doubted that the gaps of Frontex could be closed by
EUROSUR.

Owe Langfeldt and Gabriel Blaj from the EDPS stressed the importance
that the Commission should provide clear proof that future security
policy measures were necessary and effective after their implementation.
They also warned of a function creep, called for clear purpose
limitation and criticised that through the introduction of profiling,
for example via PNR agreements, a generalised suspicion was laid upon
society. Blaj added that the subgroup on borders and law enforcement of the
Article 29 Working Group has recently decided to react on the proposals by
the Commission.

Erich Töpfer's (Cilip & Statewatch) short input focused on the corporate
interest in the field of security policy and on the fact that border and
security measures involve a powerful security-industry complex. Detailed
information can be found in "Arming Big Brother" analysis and in a report
for the Transnational Institute which explains how most of the European
security research projects have been outsourced to the corporations that
have the most to gain from their implementation and examines the EU
security-industrial complex.

An open debate followed the short presentations during which the
participants of the round table discussed future activities, possible
arguments, cooperation and initiatives. The debate centred on useful
arguments to counter those in favor of the introduction of more surveillance
measures. The participants agreed on the necessity of an evaluation of
existing systems, of impact and cost assessments. Highlighting the export of
Western surveillance technologies to the Middle East was suggested, in order
to name and shame companies. At the same time, it is crucial for civil
society to provide MEPs with counter-facts (regarding EU-PNR for instance).

Tony Bunyan, Director of Statewatch, summarized the debated issues at
the end of the event. He pointed out that a very first proposal for
EU-PNR already collapsed in 2007 when the European Parliament opposed
it. Now, the Parliament and the Commission only needed to be reminded of
their own history. However, Bunyan also emphasized the necessity of
campaigns outside the Parliament, from the "ground", which would be far
more effective than those that focus on winning a majority in the EP only.

European Commission Communication: Smart Border - options and the way ahead
(25.11.2011)
http://ec.europa.eu/home-affairs/news/intro/docs/20111025/20111025-680%20en.pdf

Statewatch Analysis: Arming Big Brother
http://www.statewatch.org/analyses/bigbrother.pdf

Transnational Institute : NeoConOpticon Report, The EU
Security-Industrial Complex
http://www.statewatch.org/analyses/neoconopticon-report.pdf

Programme of the event: Two Years into the Stockholm Programme - on the
way to e-Fortress Europe? (24.11.2011)
http://www.ska-keller.de/images/stories/files/roundtable_e-fortress-europe%20invitation.doc

(Contribution by Kirsten Fiedler - EDRi)

============================================================
9. New Guidelines to RFID Privacy Impact Assessments
============================================================

On 25 November 2011 the German Federal Office for Information Security (BSI)
and the Institute for Management Information Systems of the Vienna
University of Economics and Business (WU) held an expert symposium on RFID
Privacy Impact Assessments in Berlin and presented their BSI Privacy Impact
Assessment (PIA) Guidelines.

The PIA guidelines are based on the RFID PIA Framework, a kind of
co-regulation instrument that was signed by Vice President of the European
Commission Neelie Kroes and industry representatives earlier this year. The
goal of the guidelines is to explain the PIA Framework and to provide RFID
application operators with an in-depth understanding of the framework
terminology and proposed procedures. The methodology outlined in the
document is understood to be a concretion of the generic process outlined in
the PIA framework.

The PIA guidelines will help European RFID operators to ensure a high level
of data protection, which can be seen as an important aspect of quality and
a unique selling proposition for European companies, said Professor Sarah
Spiekermann, Head of the Institute for Management Information Systems. The
PIA guidelines are available from the symposium website. PIA case studies
for three different sectors will soon be published by BSI.

In his presentation at the symposium the German Federal Commissioner for
Data Protection and Freedom of Information, Peter Schaar, explained that,
while Data Protection Authorities (DPAs) might not be able to check each and
every PIA report, in future, the results of privacy impact assessments and
the implementation of their results will be important aspects in data
protection inspections. He therefore asked that PIA reports and the data
protection goals identified in the course of the PIA process should be made
transparent to DPAs and individuals.

Furthermore, Mr. Schaar called for PIA frameworks to be defined at the
European level and for the establishment of a European data protection
competence centre, which should work on technical means and measures for
data protection.

The European Data Protection Supervisor, Peter Hustinx, stressed in his
contribution the need to reduce the unhelpful diversity in EU member states'
data protection legislation. While there is no need to reinvent data
protection, it is necessary to make the current principles work better, to
improve the definition of responsibilities and to ensure a better
compliance, he said. With regard to privacy impact assessments, Mr. Hustinx
envisaged that these could be optional in some cases while being compulsory
in others.

A coherent European approach to the implementation of the RFID Privacy
Impact Assessment Framework will be in the centre of a conference organised
by the European Commission on 8 February 2012 in Brussels, where experiences
with the PIA Framework and the future of the European Commission's RFID
Recommendation will be discussed.

As EDRi already expressed earlier, the success of RFID Privacy Impact
Assessments will, to a large extent, depend on the quality of the
assessment. In particular, it will be crucial to address and eliminate risks
that stem from third parties and are not directly related to the RFID
applications operated by a given company, but facilitate the RFID tags
disseminated by the company.

Expert Symposium on RFID Privacy Impact Assessments, 25.11.2011, Austrian
Embassy Berlin
http://www.wu.ac.at/ec/events/piasymposium

RFID Privacy Impact Assessment Guidelines
http://www.wu.ac.at/ec/events/pia_guideline

Federal Office for Security in Information Technology - RFID PIA (only in
German)
https://www.bsi.bund.de/DE/Themen/ElektronischeAusweise/RadioFrequencyIdentification/PIA/pia_node.html

EDRi-gram: EU supports RFID with proper protection of consumers' privacy
(20.05.2009)
http://www.edri.org/edri-gram/number7.10/rfid-european-commission-recommandation

EDRi-gram: RFID Privacy Impact Assessment Framework formally adopted
(06.04.2011)
http://www.edri.org/edrigram/number9.7/rfid-pia-adopted-eu

EDRi-gram: ENDitorial: RFID PIA: Check against delivery
http://www.edri.org/edrigram/number9.10/rfid-pia-check-against-delivery

European Commission Conference: 08.02.2012: Implementation of the RFID
Privacy Impact Assessment (PIA) Framework
Invitation:
http://ec.europa.eu/information_society/policy/rfid/documents/piaconferenceinvitation.pdf
Programme:
http://ec.europa.eu/information_society/policy/rfid/documents/piaconferenceprogramme.pdf

(Contribution by Andreas Krisch - EDRi)

============================================================
10. ENDitorial: Advocate General on Data Retention: Strange answer&question
============================================================

The Advocate General of the European Court of Justice recently issued an
opinion on the case of Bonnier Audio vs Perfect Communication Sweden (case
no. C-461/10). The question to be answered was whether the Data Retention
Directive and/or articles 3, 4, 5 and 11 of the E-Privacy Directive prevent
Member States from permitting internet service providers in civil
proceedings to be ordered to give copyright holders information on
subscribers that allegedly infringed intellectual property rights, as
foreseen by Article 8 of the IPR Enforcement Directive. The
question partly seeks to answer itself, by explicitly demanding an
assumption that the measure is proportionate and that evidence of an
infringement has been "adduced".

The answer from the Advocate General is, "no", there is nothing in the Data
Retention Directive nor the E-Privacy Directive which would prevent a
national administration from imposing a measure requiring stored data to
be used to identify people within the scope of the IPR Enforcement
Directive. However, such information should be stored for the purpose of
possible disclosure to IPR holders, according to detailed national
provisions and compliant with EU law on data protection.

He bases this view on various elements. Firstly, regarding the Data
Retention Directive, he explains that this is not relevant in the context of
this specific case.

However, his views on the E-Privacy Directive are the most interesting and
difficult to comprehend. This analysis explains that Member States may
impose data retention for purposes outside the scope of the legal basis of
the Directives. This analysis was confirmed by the European Commission in a
declaration at the time of adoption of the Directive. As the Commission
explained in its position on the common position, "the present Directive
based on Article 95 of the Treaty cannot include substantive provisions on
law enforcement measures. It should neither prohibit nor approve any
particular measure Member States may deem necessary."

Article 15 of the E-Privacy Directive does explain that such an infringement
of the fundamental right to privacy must be adequately
justified - namely that any such measure be a "necessary, appropriate and
proportionate measure within a democratic society to safeguard national
security (i.e. State security), defence, public security, and the
prevention, investigation, detection and prosecution of criminal offences or
of unauthorised use of the electronic communication system, as referred to
in Article 13(1) of Directive 95/46/EC." However, the Advocate General is
clear that the restrictions described in Article 15.1 of the E-Privacy
Directive must be respected for any data storage to be legal.

The Advocate General makes no effort to explain why such a measure would or
could be "necessary" as well as being proportionate (the question attempts
to preempt the court by explaining that proportionality is assumed). This is
surprising when we bear in mind the only position taken so far on long-term,
suspicionless retention of data on innocent citizens - the
Telefonica/Promusicae case. In that case, the Advocate General argued that
"(i)t may be doubted whether the storage of traffic data of all users
without any concrete suspicion - laying in a stock, as it were - is
compatible with fundamental rights." How did we move from a situation before
the adoption of the Charter of Fundamental Rights where an Advocate General
said that data retention per se is of questionable legality, to a position
now, under the Charter, where an Advocate General believes it is permissible
for narrow business interests - ignoring the fact that data retention was
explicitly implemented under the condition that it was for fighting "serious
crime"? Maybe the answer lies in the fact that the question demands that the
ECJ makes the very dubious assumption that the measure being imposed is
"proportionate".

Having ignored the part of the Telefonica/Promusicae case that highlighted
the serious dangers of data retention for fundamental rights, perhaps the
oddest interpretation is the one that relies on analysis in that case. The
Advocate General explains that, during the implementation of Directives in
national law, a fair balance of different fundamental rights must be
respected. This is odd because the case in question does not concern
implementation of EU Directives into national laws, it concerns the question
whether new, additional and unforeseen implementations of data retention are
forbidden by the relevant legislation or not.

Starting from this questionable logical basis, the Advocate General treats
private property "rights" of narrow business interests as fully equal to the
rights of citizens as a whole. While this is unfortunately, in abstract
terms, correct, he then fails to address the fact that, in specific terms,
it is not appropriate to treat narrow business interests as being of equal
value to the privacy of the entire society. This position has, thankfully, already
been contradicted by the Court in last week's Scarlet/Sabam case, where the
judges ruled that "The protection of the right to intellectual property is
indeed enshrined in Article 17(2) of the Charter of Fundamental Rights of
the European Union. There is, however, nothing whatsoever in the wording of
that provision or in the Court's case-law to suggest that that right is
inviolable and must for that reason be absolutely protected."

However, the ultimate conclusion that the Advocate General comes to is
probably the only possible one as a result of the very leading way in which
the question was posed. Having been asked to assume that any such measure
was proportionate (and assuming that intellectual property breaches are
criminal offences), there is nothing in the Directives mentioned in the
question which would prevent a Member State from introducing a new law to
require data retention for intellectual property enforcement purposes - as
long as the minimum criteria set out in the E-Privacy Directive are
respected.

It is to be hoped that the Court will not restrict itself to the very
questionable assumption of proportionality and address necessity and
proportionality as well. If it does, the result should be quite different,
as Advocate General Kokott already pointed out in the Telefonica/Promusicae
case.

Commission Declaration
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52002PC0338:EN:HTML

Data Retention Directive
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:0063:EN:PDF

E-Privacy Directive
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:NOT

ECJ Cases:
Telefonica/Promusicae: Case C-275/06
Scarlet/Sabam: Case C-70/10
Bonnier Audio/Perfect Communications: Case C-461/10
all accessible at
http://curia.europa.eu/jcms/jcms/j_6/

(Contribution by Joe McNamee - EDRi)

============================================================
11. Recommended Action
============================================================

Stop ACTA!
http://www.edri.org/stopacta

============================================================
12. Recommended Reading
============================================================

EDPS calls for strengthening of proposed Regulation on the Internal Market
Information System (22.11.2011)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/PressNews/Press/2011/EDPS-2011-11-IMI_EN.pdf
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2011/11-11-22_IMI_Opinion_EN.pdf

Sweden: Net Neutrality: Mobile Broadband Suppliers Discriminate Against
BitTorrent (22.11.2011)
http://torrentfreak.com/net-neutrality-mobile-broadband-suppliers-discriminate-against-bittorrent-111122/
http://www.iis.se/docs/N%C3%A4tneutralitet2011.pdf

Data losses from local authorities in UK (23.11.2011)
http://www.bigbrotherwatch.org.uk/home/2011/11/local-authority-data-loss-exposed.html
http://bigbrotherwatch.org.uk/la-data-loss-breakdown.pdf

============================================================
13. Agenda
============================================================

7 December 2011, Bruxelles, Belgium
"Self"-regulation: Should online companies police the Internet?
http://selfregulation.tumblr.com/

9 December 2011, The Hague, Amsterdam
Conference on internet freedom hosted by the Dutch Ministry of Foreign
Affairs
http://www.minbuza.nl/en/ministry/conference-on-internet-freedom/internetfreedom.html

27-30 December 2011, Berlin, Germany
28C3 - 28th Chaos Communication Congress
http://events.ccc.de/category/28c3/
http://events.ccc.de/congress/2011/

25-27 January 2012, Brussels, Belgium
Computers, Privacy and Data Protection 2012
http://www.cpdpconferences.org/

16-18 April 2012, Cambridge, UK
Cambridge 2012: Innovation and Impact - Openly Collaborating to Enhance
Education
OER12 and the OCW Consortium's Global Conference
http://conference.ocwconsortium.org/index.php/2012/uk

14-15 June 2012, Stockholm, Sweden
EuroDIG 2012
http://www.eurodig.org/

9-10 July 2012, Barcelona, Spain
8th International Conference on Internet Law & Politics: Challenges and
Opportunities of Online Entertainment
Abstracts deadline: 20 December 2011
http://edcp.uoc.edu/symposia/idp2012/cfp/?lang=en

============================================================
14. About
============================================================

EDRi-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRi has 28 members based or with offices in 18 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge and
awareness through the EDRi-grams.

All contributions, suggestions for content, corrections or agenda-tips are
most welcome. Errors are corrected as soon as possible and are visible on
the EDRi website.

This EDRi-gram has been published with financial support from the EU's
Fundamental Rights and Citizenship Programme.

Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/

Newsletter editor: Bogdan Manolea <edrigram at edri.org>

Information about EDRI and its members:
http://www.edri.org/

European Digital Rights needs your help in upholding digital rights in the
EU. If you wish to help us promote digital rights, please consider making a
private donation.
http://www.edri.org/about/sponsoring
http://flattr.com/thing/417077/edri-on-Flattr

- EDRI-gram subscription information

Subscribe by e-mail
To: edri-news-request at edri.org
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.

Unsubscribe by e-mail
To: edri-news-request at edri.org
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay. Translations
are provided by Metamorphosis
http://www.metamorphosis.org.mk/edri/2.html

- EDRI-gram in German

EDRI-gram is also available in German, with delay. Translations are provided
by Andreas Krisch from the EDRI-member VIBE!AT - Austrian Association for
Internet Users
http://www.unwatched.org/

- Newsletter archive

Back issues are available at:
http://www.edri.org/edrigram

- Help
Please ask <edrigram at edri.org> if you have any problems with subscribing or
unsubscribing.

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE




