EDRi-gram newsletter - Number 11.20, 23 October 2013

Data protection vote – one step forward, two big steps backwards

The European Parliament's Civil Liberties Committee held a crucial vote on Monday evening, 21 October 2013, on the future of privacy and data protection in Europe.

We applaud Parliamentarians for supporting – and even improving – several important and valuable elements of the original Commission proposal. We are particularly happy that the Committee chose to overturn the Commission's proposal to allow Member States the scope to exempt themselves from the rules on profiling.

Nonetheless, we are shocked and disappointed that Parliamentarians voted to introduce massive loopholes that undermine the whole proposal.

“If allowed to stand, this vote would launch an 'open season' for online companies to quietly collect our data, create profiles and sell our personalities to the highest bidder” said Joe McNamee, Executive Director of European Digital Rights. “This is all the more disappointing because it undermines and negates much of the good work that has been done,” he added.

Despite almost daily stories of data being lost, mislaid, breached and trafficked to and by foreign governments, our elected representatives adopted a text saying that corporate tracking and profiling of individuals should not be understood as significantly affecting our rights and our freedoms.

The Committee extended the range of circumstances in which companies can process an individual's data without their consent - and made the rules far less easy to understand.

These huge loopholes are all the more disappointing when we consider that MEPs agreed to support several positive measures elsewhere in the text. These measures include an adequate level of sanctions in case of abuses, data breach notifications, data portability and data protection by design and by default.

The problematic compromises adopted are:

Compromise 4

Compromise 6

Compromise 20

EDPS - An important and welcome step towards stronger and more effective data protection in Europe

Tough negotiations for the law enforcement data protection directive

On Monday, 21 October 2013 the Civil Liberties, Justice and Home Affairs Committee of the European Parliament adopted reports on the General Data Protection Regulation and the Directive for the police and justice sector.

In the past months, the Directive covering personal data processed to prevent, investigate or prosecute criminal offences or enforce criminal penalties has not attracted as much attention as the Regulation, but is in fact part of the data protection package. The Directive aims to ensure that the Member States replace the existing fragmented legislation with a coherent legal framework for the processing and exchange of personal data within the EU and with third countries.

The negotiating mandate for the Directive was adopted by 47 votes to four, with one abstention. The Parliament now has a clear mandate to start negotiations with the Member States and, according to the Committee’s homepage, it expects to reach a common agreement before the European elections in May 2014. The inter-institutional talks will start as soon as the Member States have agreed on their own position.

However, the upcoming negotiations with the European Commission, the Council and the Member States are likely to face fundamental difficulties. EDRi had insight into a document from the Working Party on Information Exchange and Data Protection (DAPIX) session from 4 October 2013, where the Member States discussed the proposed Directive.

In this session, the Member States and the Commission focused discussions on articles one to seven. It became clear that there are still fundamental reservations about the Directive. Germany, Great Britain, Denmark, the Czech Republic, Slovenia, Sweden and Austria raised the question of the added value compared to the Framework Decision 2008/977/JI. Several Member States consider the Directive to defy the subsidiarity principle, and some (Denmark, the Czech Republic, Slovenia, Great Britain, Sweden and Germany) referred to the lack of legal competences of the European Union. Italy, Spain, Germany, Hungary, Poland and Portugal stated their reservations on the whole Directive. Only France supported the choice of instrument.

There was widespread agreement among the Member States on adopting stricter rules than those laid out in the Directive and on establishing minimum standards (mentioned explicitly by Germany, Great Britain, the Czech Republic, Austria, Sweden and the Netherlands). Furthermore, the majority of Member States called for an extension of the scope to the protection against threats to public safety and maintenance of public order, according to a proposal put forward by Romania. Germany, the Czech Republic, Estonia and Hungary criticised the fact that the EU institutions are not within the scope of the Directive.

It became clear that article four (Principles relating to personal data processing) and article seven (Lawfulness of processing), and the interaction of both articles in particular, needed further explanation. The deletion of articles five and six proposed by the Irish presidency was generally welcomed, especially by Belgium, Great Britain, the Czech Republic, Denmark, Germany and Sweden. Under article seven, the question whether the consent of the person concerned should be added or not was intensely discussed – apart from Austria, all Member States seemed to be in favour. The Commission generally rejected this solution.

The document we had access to only covered articles one to seven, but it definitely gives a foretaste of how complicated the negotiations with the Member States might become after the Parliament’s adoption of the Directive.

Civil Liberties MEPs pave the way for stronger data protection in the EU (21.10.2013)

EP LIBE Committee

Q&A on EU data protection reform (22.10.2013)

Danish EU Presidency - Council working parties

Summary analysis of European Commission proposal for a Data Protection Directive in the law enforcement sector (19.09.2012)

(Contribution by Karim Khattab - EDRi intern & Kirsten Fiedler - EDRi)

France is demanding explanations from the US over NSA surveillance

On 21 October 2013, the French government summoned Charles Rivkin, the US ambassador in France, demanding an urgent explanation of the revelations by Le Monde that, according to the documents released by Edward Snowden, the NSA has intercepted French citizens’ phone and internet communications on a massive scale.

Le Monde revealed on that day that, during a 30-day period in December 2012 and January 2013, more than 70 million French phone calls were intercepted, and text messages were also swept up based on keywords. The interceptions appear to have targeted not only people with suspected terrorist links but also people in business, politics and the French administration, under a programme codenamed US-985D.

According to the information obtained by Le Monde, when a telephone number is used in France, it activates a signal which automatically triggers the recording of the call. It seems this type of surveillance system picks up SMS messages and their content as well, by using keywords. The NSA then apparently stores the history of the connections, or the metadata.

The French prime minister, Jean-Marc Ayrault, demanded that the US provide "clear answers, justifying the reasons these practices were used and above all creating the conditions of transparency so these practices can be put to an end". The White House’s first response was that the US "gathers foreign intelligence of the type gathered by all nations".

"These kinds of practices between partners, that violate privacy, are totally unacceptable. We must quickly assure that these practices aren't repeated," also stated French Foreign Minister Laurent Fabius at an EU foreign ministers meeting in Luxembourg on the same day. The day was rich in events as U.S. President Barack Obama and French President Francois Hollande also had a phone discussion on the subject.

A news release from Hollande's office said he expressed his "deep disapproval with regard to these practices" and stated that such alleged activities would be unacceptable between allies and friends. The press release also states that the two presidents agreed that French and American intelligence services would cooperate to investigate the issue.

"The President and President Hollande discussed recent disclosures in the press -- some of which have distorted our activities and some of which raise legitimate questions for our friends and allies about how these capabilities are employed. The President made clear that the United States has begun to review the way that we gather intelligence, so that we properly balance the legitimate security concerns of our citizens and allies with the privacy concerns that all people share," says a news release from the White House.

This is not the only time France had issues with NSA spying activities. In July, Hollande threatened to suspend negotiations for a transatlantic free trade agreement after reports in the Guardian and Der Spiegel that the NSA spied on EU offices and European diplomatic missions in Washington and at the UN in New York.

Yet, also in July, Le Monde reported that France runs its own vast electronic surveillance operation, intercepting and storing data from citizens' phone and internet activity, using similar methods to the NSA's Prism programme.

Snowden leaks: France summons US envoy over NSA surveillance claims (21.10.2013)

France in the NSA's crosshair : phone networks under surveillance (21.10.2013)

How NSA spies on France (only in French, 21.10.2013)

Editorial of "Le Monde": fighting Big Brother (only in French, 21.10.2013)

US spy agency targets French firms (21.10.2013)

Report: U.S. intercepts French phone calls on a 'massive scale' (22.10.2013)

ECtHR: Internet news portal liable for the offensive online comments

The European Court of Human Rights (ECtHR) ruled on 10 October 2013 in the case Delfi AS vs. Estonia that an Internet news portal was liable for the offensive comments that were posted by the readers underneath its online articles.

The Court held that the finding of liability by the Estonian courts was a justified and proportionate restriction on the portal’s right to freedom of expression, in particular, because:
- the comments were highly offensive;
- the portal failed to prevent them from becoming public, profited from their existence, allowed their authors to remain anonymous; and,
- the fine imposed by the Estonian courts was not excessive.

Even though the portal had argued that the EU Directive on Electronic Commerce, as transposed into the Estonian law, had made the case exempt from liability, the Court found that it was for national courts to resolve issues of interpretation of domestic law, and therefore did not address the issue under EU law.

The decision was heavily debated by freedom of speech advocates, who criticized the ruling for failing "to understand the role of Internet intermediaries as the gateway to the exercise of free expression."

EDRi-member Article 19 pointed out that the decision is "a deeply concerning precedent for freedom of expression in several respects. It also displays a worrying lack of understanding of the issues surrounding intermediary liability and the way in which the Internet works."

The Court has thus failed to appreciate the purpose of the EU E-Commerce Directive provisions concerning hosting liability and has considered that the news portal should have prevented defamatory and other clearly unlawful comments from being made public. But that actually contradicts article 15 of the Directive, which prohibits Member States from imposing monitoring obligations on information society services, including actively seeking “facts or circumstances indicating illegal activity.”

At the same time, the Court ignored the relevant international standards developed by the UN Special Rapporteur on Freedom of Expression in this area in his thematic report on the Internet where he clearly recommended that “censorship measures should never be delegated to private entities, and that no one should be held liable for content on the Internet of which they are not the author.”

The decision of the Court Chamber is not final though. During the three-month period following its delivery, any party may request that the case be referred to the Grand Chamber of the Court. If such a request is made, a panel of five judges considers whether the case deserves further examination. In that event, the Grand Chamber will hear the case and deliver a final judgement. If the referral request is refused, the Chamber judgement will become final on that day.

Press release - Making an Internet news portal liable for the offensive online comments of its readers was justified (10.10.2013)

Full Text - DELFI AS v. ESTONIA (10.10.2013)

European Court strikes serious blow to free speech online (14.10.2013)

European ruling spells trouble for online comment (11.10.2013)

Increased level of online censorship in Italy

AGCOM, Italy’s independent Electronic Communications Authority, is on the verge of assuming the power to order the removal of any online content that it deems to be in violation of the copyright law, without the need for parliamentary or court approval.

Despite strong criticism from NGOs, ISPs, other companies and legal practitioners, the authority’s new Draft Regulation on Copyright Protection on Electronic Communication Networks allows it to black out foreign sites and take down Italian ones alleged to have infringed the copyright law, within 48 hours, without any court decision.

The legislation is to be passed definitively in November 2013 after a decision from the European Union.

AGCOM’s bill will give the authority the power to order Internet access providers to disclose private information about subscribers and hand it over to the rights holders. Any website “inciting, aiding and abetting” copyright infringement, even indirectly, may be seized completely.

An alliance of organizations including consumer groups, lawyers and businesses has initiated a campaign to oppose the measures introduced by the bill, which risk turning ISPs into online censors, are totally inefficient and may lead to over-blocking and abuse.

The alliance has also sent an open letter to Laura Boldrini, the president of the lower house of the Italian Parliament, urging the assembly to take the matter into its own hands and suspend the draft regulation.

On 1 October 2013, EDRi member Article 19 issued a detailed opinion on the bill showing concern that it “provides for the blocking of entire websites, domain names or IP addresses. These measures are both ineffective and deeply inimical to free expression due to the high risks of over-blocking. We are also concerned that blocking powers would be entrusted to a regulator rather than the courts.”

In more disturbing news from Italy on the stupid IPR enforcement measures, on 17 October 2013, following a complaint from the music industry group FIMI, several big torrent sites were put on the ISPs' blacklist by order of the Bergamo court. Besides ExtraTorrent, 1337x, H33T and TorrentHound, Italian ISPs may have to block a whole range of IP addresses associated with The Pirate Bay, including some with authorized content (such as their mail server). The Observatory on The Internet Censorship In Italy now counts over 6000 websites that are being blocked in Italy.

Freedom of the web at risk in Italy: Copyright to hide censorship (6.10.2013)

Petition - Help us say NO to Italian internet censorship!

Italy: Draft Regulation on Copyright Protection on Electronic Communication (1.10.2013)

Agcom, the new web sheriff does not listen to critics (only in Italian, 7.10.2013)

Open Letter to President Boldrini (only in Italian, 14.10.2013)

Italian Court Orders ISPs to Block Several Major Torrent Sites (17.10.2013)

Observatory on The Internet Censorship In Italy

The Major illicit portals obscured. Provincial Command Bergamo (only in Italian, 16.10.2013)

European Court of Justice: Fingerprints in electronic passport are OK

The European Court of Justice ruled on 17 October 2013 that the inclusion of fingerprints in EU electronic passports is lawful.

While the Court acknowledged that taking and storing of fingerprints in passports constitutes an infringement of the rights to respect for private life and the protection of personal data, it ruled that security is more important than privacy and such measures are justified for the purpose of preventing any fraudulent use of passports.

The ruling also claims that the measure of taking fingerprints is not that sensitive, because it "involves no more than the taking of prints of two fingers, which can, moreover, generally be seen by others, so that this is not an operation of an intimate nature."

The decision admits that the electronic passports are not flawless, but argues that "the fact that the method is not wholly reliable is not decisive. Although that method does not prevent all unauthorised persons from being accepted, it is enough that it significantly reduces the likelihood of such acceptance that would exist if that method were not used."

At the same time, the Court emphasized that the Regulation allows the storage of fingerprints only in the electronic passport that will be held by the owner and that it cannot be interpreted "as providing a legal basis for the centralised storage of data collected or for the use of such data for purposes other than that of preventing illegal entry into the EU".

This is not the only case in which the ECJ will be asked to rule on biometric passports. In another one, Dutch applicants had been refused passports because they did not agree to provide their fingerprints, which were stored in a database.

Gus Hosein from Privacy International explained to Bloomberg BNA that "the court had 'narrowly interpreted' EU law, and there was potential for challenges against the taking of fingerprints for inclusion in passports to be brought before the European Court of Human Rights. The court ruling was the 'perpetuation of a stupid mistake' made by the European Parliament when it approved the collection of fingerprints for passports."

But the EU seems to be trying to take the fingerprinting of regular people to the next level with its new 1 billion Euro Smart Borders proposal, which would include all personal details and the 10 fingerprints of all non-EU citizens over 12 years old who want to enter the European Union, all held in one database.

Press release: Including fingerprints in passports is lawful (17.10.2013)

Full Judgement - Michael Schwarz vs. Stadt Bochum (17.10.2013)

Security trumps privacy, EU court says (17.10.2013)

EU Collection of Fingerprints for Passports Threatens Privacy, but Is Lawful, ECJ Rules (21.10.2013)

EDRi-gram: ECJ to rule on the biometric passports (10.10.2012)

After 3 years: French authority Hadopi keeps proving its uselessness

After three years of existence, Hadopi, the French authority in charge of the infamous three-strikes graduated response system, has succeeded in proving nothing but a large waste of public money.

To mark its 3-year anniversary, Hadopi has issued its activity report, which shows that, to date, it has succeeded in ordering only 1 Internet disconnection and, on the other hand, it has experienced large bureaucratic problems and issues with identifying subscribers.

Hadopi has sent a total of 1.912 million notifications to French Internet subscribers as strike one, 186 153 follow-up letters as strike 2 and has caused 1 disconnection as strike 3.

For 2013 alone, Hadopi costs French taxpayers 5.4 million Euro, a large part of it spent answering subscribers who make requests regarding the names of the works for which they received the notification. As the Ministry of Culture refused to allow the names of the works to be included in the notification, the law stipulates that Hadopi has to answer subscribers upon request. Therefore, in 2012-2013, there were 73210 contacts by phone or email with Internet subscribers, out of which 81.73% were related to the content of the notification.

Hadopi believes that a modification of the legislation in this sense would be beneficial and would not affect the confidentiality of the communication if the receiver is the owner of the subscription.

Moreover, to contact subscribers, Hadopi has to go via ISPs. The initial number of first notifications was thus reduced to 7.718 million as, apparently, there were multiple allegations against the same subscriber. The report says that 88% of these allegations were successfully matched against named subscribers.

Following the 186 453 letters sent for strike 2, there were 663 cases for which Hadopi was to decide whether to submit them to the court, which resulted in 51 submissions to the courts for penalties. Most of these appear to have incurred a fine of between 35 and 450 Euro. Only one got a 15-day disconnection penalty.

Furthermore, Hadopi had further expenses for the so-called “educational” program, which involves taking the message into schools and educational establishments.

So, not only has the system proven inefficient for the declared purpose of cutting down illegal sharing of copyrighted works, but it also incurs high expenses from public money.

The French government intends to incorporate Hadopi within the Conseil supérieur de l'audiovisuel (CSA) which might cut down some expenses but which does not entirely eliminate the system.

Hadopi: a blunt example of public money waste (only in French, 10.10.2013)

Hadopi turns three – bon anniversaire? (14.10.2013)

HADOPI annual report for 2012-2013

EDRi-gram: The French three strikes system gave up on Internet disconnection (17.03.2013)

Skype is investigated in Luxembourg for its relations to NSA

Skype, now owned by Microsoft, has come to the attention of Gerard Lommel, Luxembourg’s Data Protection Commissioner, as a result of the documents revealed by Edward Snowden in the PRISM affair.

Gerard Lommel has put Skype under investigation over its possible secret collaboration with the NSA within the PRISM spy programme, and the company could face criminal and administrative sanctions, including a ban on passing users' communications to the US intelligence agency.

If the investigation proves Skype has secretly shared personal data with the NSA, it could also be fined for violating the country's data-protection laws, as the company has its headquarters in Luxembourg. Luxembourg’s constitution strongly protects the right to privacy and establishes the secrecy of correspondence as inviolable, except in cases allowed by the law, which says that the surveillance of communications can occur only with judicial approval or by authorization of a tribunal selected by the prime minister.

Skype was founded in Scandinavia in 2003 to allow audio, video and chat conversations through an encrypted peer-to-peer internet connection, which was not routed over a centralised network like conventional phone calls. Due to its reputation for privacy and security, Skype came to be used by millions of people, including journalists and activists.

According to the leaked NSA documents, in February 2011, Skype got a directive to comply with NSA surveillance signed by the US attorney general. Skype was acquired by Microsoft in May 2011, when it appears that its relationship with the NSA intensified.

In a letter obtained by the Guardian, sent to Privacy International in September 2012, Skype's corporate vice president Mark Gillett suggested that group video calls and instant messages could be obtained by law enforcement as they were routed through its central servers and "may be temporarily stored." Yet, Gillett also stated on another occasion that audio and one-to-one video calls made by using Skype's "full client" on computers were encrypted and did not pass through central servers, which implies that the company could not help authorities intercept them.

"Skype promoted itself as a fantastic tool for secure communications around the world, but quickly caved to government pressure and can no longer be trusted to protect user privacy," said Eric King, head of research at human rights group Privacy International.

Skype told the Guardian that it would not comment on its compliance with US surveillance or answer technical questions about how it turns over calls to the authorities. It also stated that the world needed "a more open and public discussion" about the balance between privacy and security, while accusing the US government of opposing it.

"Microsoft believes the US constitution guarantees our freedom to share more information with the public, yet the government is stopping us," said a spokesperson for Skype referring to an ongoing legal case in which Microsoft is seeking permission to disclose more information about the number of surveillance requests it receives.

Skype under investigation in Luxembourg over link to NSA (11.10.2013)

Skype faces Luxembourg probe over NSA Prism program – report (11.10.2013)

Recommended Action

Share your views on Europe & the Internet in a global context
Deadline: 8 November 2013

Internet Governance: I want your views! (9.10.2013)

Recommended Reading

MEPs call for suspension of EU-US bank data deal in response to NSA snooping (23.10.2013)

Russia: FSB wants more access to Internet users’ information (21.10.2013)

Will The Canada-EU Trade Agreement Harm Our Freedoms Online? (20.10.2013)

A Copyright Masquerade - How Corporate Lobbying Threatens Online Freedoms by Monica Horten (10.2013)

Results of the consultation on Open Research Data

Working Document 02/2013 providing guidance on obtaining consent for cookies (WP208)

100 questions on surveillance to Polish authorities (10.2013)


21-27 October 2013, Worldwide
Open Access week

22-25 October 2013, Bali, Indonesia
Internet Governance Forum 2013

24-25 October 2013, Barcelona, Spain
Oxcars and Free Culture Forum 2013

24 October 2013, Ljubljana, Slovenia
The LAPSI 2.0 Conference: “The new PSI directive: What’s next?”

25-27 October 2013, Siegen, Germany
Cyberpeace - FIfF Annual Meeting 2013

19-20 November 2013, Berlin, Germany
Berlin Open Access Conference: 10th anniversary of the Berlin Declaration

27–30 December 2013, Hamburg, Germany
30C3 – 30th Chaos Communication Congress

22-24 January 2014, Brussels, Belgium
CPDP 2014: Reforming data protection: The Global Perspective

3-5 March 2014, San Francisco, California, USA
RightsCon: Silicon Valley

19-20 March 2014, Athens, Greece
European Data Forum 2014 (EDF2014)
CfP by 10 December 2013

24-25 April 2014, Barcelona, Spain
SSN 2014: Surveillance Ambiguities & Asymmetries

28-29 April 2014, Newcastle upon Tyne, United Kingdom
OER14: building communities of open practice