EDRi-gram newsletter - Number 11.21, 6 November 2013

EU Council worries that data protection reform is too fast

The recent EU Council allegedly decided to slow down the speed of the reform of data protection arguing that it was moving too fast. Germany, for example, was reportedly worried about "not moving too quickly". By a strange coincidence, this is exactly the same argument used by the main lobbying groups. However, if the data protection reform is moving too "quickly", it is difficult to imagine what "slow" might look like.

The process of reforming the European data protection framework started in 2009 with a stakeholder consultation, followed by another consultation in 2011, a 119-page Communication from the Commission in 2011, a resolution from the Parliament in 2011, a proposal from the Commission in January 2012 and a vote of the responsible committee in the European Parliament in October 2013.

Each Member State government in the EU has developed a negotiating position and took part in working groups, discussions and numerous meetings with lobbyists.

The following non-exhaustive list describes the steps that were taken until now by each institution. Direct links are not provided for all items but one can check every event against the institutions' websites.

The following European Parliament Committees have already carried out analyses of the proposals and finalised their respective views of the dossier:

IMCO - Internal Market and Consumer Protection ITRE - Industry, Research and Energy JURI - Legal Affairs EMPL - Employment LIBE - Civil Liberties

1. Commission

      - May 2009 Launch of a public consultation by the Commission
      - November 2010 First Commission's memorandum on data protection
      - June 2011 Speech of Vice-President Viviane Reding at British
        Bankers' Association Data Protection and Privacy Conference
      - November 2011 Speech of Vice-President Viviane Reding at
        Industry Coalition for Data Protection - American Chamber of
        Commerce to the European Union
      - January 2011
            - End of the second public consultation
            - Official discussion with the Council and
        Member States representatives
      - May 2012 Speech of Vice-President Viviane Reding at Spring
        Conference of European Data Protection Authorities
      - June 2012 Justice Council
      - December 2012 Speech of Vice-President Viviane Reding at the
        Annual European Data Protection and Privacy Conference
      - January 2012: Proposal of the Commission with impact
        assessment, factsheets and public opinion surveys
      - February 2013 The Proposed General Data Protection
        Regulation: The Consistency Mechanism Explained
      - March 2012
            - Commission MEMO for Justice Council
            - Speeches of Vice-President Viviane Reding in the
        Justice Council and at the Annual Cloud Computing Conference
            - Meeting with German Minister of Interior on data
      - June 2013 Vice-President Reding's intervention during Justice
        Council Press Conference
      - October 2013 Vice-President Reding's intervention at the
        Justice Council on the data protection reform and the
        one-stop shop principle

2. Council of the European Union (id est Council of Ministers)

      - January 2011 Official discussion with Commission and Member
        States representatives
      - May 2012 Informal dinner of Heads of State or Government
      - June 2012 Debates in Home and Justice Affairs and Economic
        and Financial Affairs
      - September 2012 Debates in Economic and Financial Affairs,
        General Affairs and Home and Justice Affairs
      - October 2012 Debate Home and Justice Affairs
      - November 2012 Debate Home and Justice Affairs
      - December 2012 Legislative deliberations and press release.
        Progress report of the Cypriot Presidency of the Council of
        the European Union.
      - February 2013 Comparative table: Commission proposal for a
        General Data Protection Regulation - 1995 Data Protection
      - March 2013
            - Legislative deliberations and note from the Council
        Presidency on the implementation of risk-based approach and
        flexibility for the Public Sector
            - Debate Home and Justice Affairs
      - May 2013
            - Compromise Text Proposed by the Irish Presidency
        (Chapters I-IV) and note from the Irish Presidency
            - Debate Economic and Financial Affairs
      - June 2013
            - Debate Home and Justice Affairs
            - Council conclusions following the Commission
        Communication on the European Information Exchange Model
      - July 2013 Working group on Information Exchange and Data
        Protection (DAPIX)
      - October 2013
            - Debate Home and Justice Affairs and discussion with
        Commissioner for Justice, Viviane Reding
            - Council supports "one-stop-shop" principle
            - Conclusions and statements of Heads of State and
      - Autumn 2013 Informal negotiations with the European Parliament

3. European Parliament

      1. Draft opinions
            - September 2012 IMCO
            - October 2012 JURI
            - November 2012 EMPL and ITRE
      2. Final opinions
            - January 2013 IMCO
            - February 2013 ITRE
            - March 2013 EMPL and JURI
      3. IMCO, JURI, EMPL and ITRE hearings, meetings and studies
            - May 2012 ITRE exchange of views
            - June 2012
                  - IMCO working group on E-Commerce, including
      data protection
                  - IMCO exchange of views
            - July 2012 JURI debate
            - November 2012
                  - ITRE debate
                  - IMCO debate
                  - EMPL debate
                  - JURI debate
            - December 2012
                  - IMCO debate
                  - ITRE hearing of industry and civil society
                  - ITRE study on «Impact on EU Innovation and
      Competitiveness» of the European Data Regulation
                  - JURI exchange of views
            - January 2013
                  - ITRE debate
                  - EMPL debate
                  - JURI debate
            - February 2013
                  - EMPL debate
                  - JURI debate
            - September 2013 ITRE study on «Data and Security
      Breaches and Cyber-Security Strategies in the EU and its
      International Counterparts»

4. LIBE report

            - January 2013 Draft
            - March 2013
                  - 3133 amendments to draft report
                  - Rapporteur's draft report on amendments
                  - Vote postponed
            - June 2013 Vote postponed again
            - October 2013 Vote
      5. LIBE hearings, meetings and studies
            - September 2011 Study: «Towards a New EU Legal
      Framework for Data Protection and Privacy       - Challenges,
      Principles and the Role of the European Parliament»
            - February 2012 Committee referral announced in
      Parliament, 1st reading/single reading
            - May 2012
                  - Workshop (industry, civil society and
                  - Exchange of views with the Commission
            - July 2012 Working Document 1
            - October 2012 Working Documents 2 and 3
            - March 2013
                  - Study: «Protection of Personal Data in
      Work-Related Relations»
                  - Debate with European Data Protection
      Supervisor, Article 29 Working Party, Irish Presidency and
      Commission's and Council's representatives
            - May 2013
                  - Meeting with European Data Protection
                  - Debate
            - June 2013
                  - Exchange of views with Commissioner for
      Justice, Viviane Reding
                  - Meeting on Passenger Name Record and Data
      protection regulation
            - July 2013
                  - Debate
                  - Meeting with Lithuanian Presidency of the
            - September 2013
                  - Four Inquiry Meetings on PRISM scandal
                  - Leaflet with studies related to Data
            - October 2013
                  - Three Inquiry Meetings on PRISM scandal
                  - Interparliamentary Committee Meeting
                  - Study on Mass surveillance
      6. Others
            - September 2012 Directorate General for Internal
      Policies on Economic and Scientific Policy of the European
      Parliament, Study on «Reforming the Data Protection Package»
            - May 2013 European Parliament Policy Department
      Studies on Data Protection Issues – Leaflet and Seminar
            - September 2013 Directorate General for Internal
      Policies on Economic and Scientific Policy of the European
      Parliament, Study on «The US surveillance programmes and their
      impact on EU citizens' fundamental rights»

4. National Parliaments

      - March 2012 Resolution of the French Senate, Reasoned Opinion
        of the Swedish Parliament and Decision of the German
      - April 2012 Reasoned Opinion of the Italian Chamber of
        Deputies and Reasoned Opinion of the Belgian Chamber of
      - May 2012 Letter from the Dutch Senate Standing Committee for
        Immigration & Asylum/Justice and Home Affairs Council and
        Final Statement of the Czech Senate
      - October 2012 Report by the UK Justice Select Committee

5. Others

      - January 2012 Opinion of Article 29 Working Party
      - February 2012 Opinion of European Union Agency Fundamental Rights
      - March 2012 Opinion of European Data Protection Supervisor
      - July 2012 Opinion of European Economic and Social Committee on the General Data Protection Regulation and of Article 29 Working Party

Council worried about moving too quickly (31.10.2013)

Lobbyists worried about moving too quickly (31.10.2013)

(Contribution by Xavier Gillard, EDRI intern)

NSA's long data collection arm reaches everybody

The new revelations from Snowden show that NSA seems to spy on everybody, allies or enemies alike, collecting data form everywhere and everyone, in order to get a “diplomatic advantage” over allies such as France and Germany or an “economic advantage” over countries such as Japan or Brazil. Or even more?

NY Times explains that not only NSA is demanding the data it gathers, but also other agency’s “customers” are asking for different data from NSA. And "customers" means in this context "not only the White House, Pentagon, FBI and CIA, but also spread across the Departments of State and Energy, Homeland Security and Commerce and the United States Trade Representative (USTR)."

But USTR is in fact the US administration counterpart that is negotiating with the European Commission on TTIP - the planned EU/US free trade agreement. Which sheds a new light on the whole TTIP process. Also a new light on the news already reported by EDRi on 13 June 2013 - that the European Commission watered down its proposed Data Protection Regulation to weaken rules for transferring data to law enforcement authorities outside the EU.

Der Spiegel magazine has claimed that a report shows that NSA has been spying on German Chancellor Angela Merkel's mobile phone since 2002. Following this disclosure, the Chancellor phoned the US president who apologised to the German chancellor and promised he knew nothing of the alleged phone monitoring.

Yet, on 27 October 2013, Bild newspaper quoted US intelligence sources stating that NSA head Keith Alexander briefed Obama about the covert operation targeting Merkel in 2010, personally.

According to Der Spiegel, a unit called Special Collection Services, based on the fourth floor of the US embassy in Berlin, was in charge with monitoring communications in the German government quarter, including Mrs Merkel’s communications. Similar units were based in around 80 locations all over the world.

Germany's Interior Minister Hans-Peter Friedrich told Bild that such an operation would be illegal in Germany, considering that those responsible for such an operation should be held accountable.

Germany and France said on 25 October 2013 that they wanted the US to sign a no-spy deal by the end of the year.

Also Spain has started reacting by asking explanations from the US officials after having been confirmed that Spanish politicians and members of the Parliament had been also targeted by NSA. Only that Spain is in a more delicate position than France or Germany as its relations to the US is a priority.

All these disclosures have put US government and NSA in a delicate position. The White House has ordered a review of NSA’s domestic and foreign intelligence collection.

“From N.S.A.’s point of view, it’s a disaster. Every new disclosure reinforces the notion that the agency needs to be reined in. There are political consequences, and there will be operational consequences,” said Matthew M. Aid, an intelligence historian, author of a 2009 book on the NSA.

US bugged Merkel's phone from 2002 until 2013, report claims
(27.10.2013) http://www.bbc.co.uk/news/world-europe-24690055?print=true

Merkel’s cell phone has been on U.S. eavesdropping list since 2002 (only in German, 26.10.2013)

No Morsel Too Minuscule for All-Consuming N.S.A. (2.11.2013)

Washington controlled millions of calls and spied politicians in Spain (only in Spanish, 24.10.2013)

NSA FILES: DECODED – What the revelations mean for you (1.11.2013)

Data protection in TTIP/TAFTA – how to make a bad situation worse (13.06.2013)

The Russian govt seeks to increase its control over the Internet

The Russian security authorities are taking new measures to expand their surveillance of the Internet by requiring ISPs to store all traffic temporarily and make it available to the Federal Security Service (FSB).

According to an article published by newspaper Kommersant, Vympelkom, the owner of the mobile network Beeline, made a complaint to the Ministry of Communications about the new decree made public on the 21 October 2013, developed by the Ministry together with the FSB, which will require ISPs to monitor all Internet traffic, including IP addresses, telephone numbers, and usernames.

The decree, which is to come into force in July 2014, also requires that ISPs store the traffic for 12 hours after collection and grant the security services exclusive access to the data. Vympelkom argues that the decree infringes several articles of the Russian Constitution, including the rights to privacy and due process.

Julius Tai, Managing partner of law firm Bartolius, believes that the order is violating not only the Constitution but also the Criminal Code, the Criminal Procedure Code and the Law on the protection of personal data. "The existing legal and technical possibilities of access to personal data of Internet users and law enforcement agencies are enough. The unlimited expansion of these opportunities will lead to a violation of the rights of ordinary citizens ..." said Mr. Tai

FSB is already monitoring the Internet through SORM, the System for Operative Investigative Activities, which requires ISPs to place “black boxes” on their servers, routing all internet traffic through FSB offices in real time, and to keep track of IP addresses and user IDs.

According to blogger Eldar Murtazin, an analyst at the Mobile Research Group, as FSB does not have the resources or the technology to effectively monitor all Internet traffic in real time, it would actually outsource the initial data collection and storage to the ISPs and the 12-hour storing requirement would serve as a buffer.

Of course, this will also involve large costs on the ISPs which have to buy and maintain themselves the necessary data-gathering equipment as the decree says nothing about the authorities providing any financing for this.

Russian Internet Surveillance: Meet the New Boss, Same as the Old Boss (1.11.2013)

Russian spy agency seeks to expand Internet surveillance (21.10.2013)

Federal Security Server (only in Russian, 21.10.2013)

Slovakia: Court orders an ISP to stop breaching Net Neutrality

The first instance court - District Court in Bratislava I, issued on 24 October 2013 a preliminary injunction prohibiting continuance of net neutrality breach by one of the Internet access providers. The injunction was granted in a ongoing unfair competition law case between two ISPs, Slovak Antik and Dutch UPC.

The case already started in March 2013, when UPC blocked Internet Protocol television (IPTV) service provided by Antik via infrastructure of UPC by blocking its public IP address. This meant that customers who used Internet access from UPC, were technically precluded from using IPTV service of Antik (set-top boxes wouldn't work for them). UPC did this apparently in order to block competition on its infrastructure, trying "to help" its own cable TV retransmission service. The case is therefore about two vertically integrated competitors, who both compete not only on the market of Internet access, but also on the market of TV retransmission.

After this became public, I personally and EISi feared that this bad example of UPC blockage might be followed by other ISPs pursuing their commercial interests, thus leading to a totally balkanized Internet access in Slovakia. For this reason, I authored a short opinion on behalf of Slovak based think-thank European Information Society Institute (EISi) outlining applicable existing laws to net neutrality in Slovakia. The opinion stresses that despite the non-existence of explicit net neutrality principle in Slovak telecommunication laws, many, but not all, instances of net neutrality breach can actionable even under existing antitrust, unfair competition and consumer laws. The case of Antik v. UPC was found to very likely breach both unfair competition and consumer laws (as with lot of cases, UPC is not dominant here and even "plays" alone).

The argument was that in B2B relationships, blocking a competitor´s service (IPTV) on its own infrastructure that is provided as a service on a different market (market for Internet access), leads to acquiring of unfair commercial benefit, because it cuts all consumers of Internet access, also of access to competing TV retransmission (cutting part of the market for itself by default). Otherwise, any vertically integrated ISP (as he has strong business incentives) could block out any competitor that provides its services using Internet.

Moreover, another argument was that consumer´s rights might be infringed upon in two ways:

a) by misleadingly labelling and selling the service as "flat rate" Internet access, when the service in fact does not provide general access to Internet (transparency argument), and

b) by materially distorting the economic behaviour of the consumer, because the consumer base of UPC is technically cut from different competing services on an unrelated market, thus leading it artificially to decide for UPC TV retransmission (discrimination argument).

Last but not least, it was highlighted that even if Antik would provide its retransmission service without appropriate license (i.e. conduct unfair competition himself), UPC can only self-protect itself from this allegedly unfair conduct if there is no collateral damage on consumers. Otherwise, self defence, does not apply because the wrongful behaviour is also directed against those who are not acting wrongfully. Thus, the consumer cannot become a hostage of two rivalry ISPs.

After several PR battles of both companies, Antik hired a technical expert to document the blockage and decided to sue UPC claiming that such blockage or degradation of its service amounts to unfair competition. The action of Antik puts forward our B2B arguments, namely that blockage or degradation within this competitive relationship contradicts the general clause of unfair competition set in Section 44(1) of the Commercial Code.

The District Court in Bratislava I now granted an injunction (8 Ncb/90/2013-321) against UPC prohibiting it from blocking or degrading the IPTV service on its infrastructure for its Internet access consumers. Preliminarily, the court found the arguments of the plaintiff convincing in ex parte proceedings. UPC, in the meantime, has removed the block, but announced to continue to fight the legal battle, as it considered it to be of a great importance for the industry. The preliminary injunction can be still appealed. Antik now has to file the lawsuit itself within a month.

I and UPC apparently agree at least on this last point. The case is of a great importance. But for consumers. For exactly this reason, EISi, which also acts as (digital) consumer association, is currently considering to intervene in the case, to add a so much needed consumer perspective to it.

As both of the above consumer arguments we make (transparency & discrimination) have their basis in the Union law, namely the Unfair Commercial Practices Directive (2005/29/EC), I would welcome all your feedback and experience you might have from other jurisdictions.

Expert opinion to violations of network neutrality (only in Slovak,26.03.2013)

UPC allows set top boxes Antik on its network (only in Slovak, 29.10.2013)

Original blog post - The Slovak Court Orders an ISP to Stop Breaching the Net Neutrality (31.10.2013)

(Contribution by Martin Husovec - Legal Counsel & Researcher at EISi)

Europe v Facebook’s Irish complaint again on the table

The Irish High Court has decided to review the lack of reaction of the Irish Data Protection Commissioner (DPC) in relation to the PRISM scandal.

This decision is a result of DPC’s reaction to student group Europe v Facebook (EvF) which had filed a complaint against Facebook Ireland Ltd, considering that it violated data protection laws by “exporting data” to its US-based parent company. "If a European subsidiary sends user data to the American parent company, this is considered an “export” of personal data. Under EU law, an export of data is only allowed if the European subsidiary can ensure an “adequate level or protection” in the foreign country,” stated EvF.

EvF also alleged that Facebook had cooperated with NSA within PRISM programme. However, in July 2013, DPC Billy Hawkes claimed that there was "nothing to investigate" as Facebook had acted within the terms of the “Safe Harbor” EU-US data-sharing agreement which allows transatlantic data transmission if US companies self-certify that they meet EU privacy requirements. The commissioner added that the agreement also permited data sharing if law enforcement authorities requested it.

Austrian data privacy campaigner Max Schrems, member of EvF, has challenged the refusal of the commissioner to investigate the Dublin-based Facebook subsidiary and asked him to investigate Edward Snowden’s allegations that it shared European user data with US authorities. He also asked DPC to investigate whether companies under its jurisdiction were in breach of EU data protection regulations. His complaint was dismissed as “frivolous and vexatious”.

“The DPC simply wanted to get this hot potato off his table instead of doing his job. But when it comes to the fundamental rights of millions of users and the biggest surveillance scandal in years, he will have to take responsibility and do something about it,” said Schrems. With the High Court’s decision, the DPC must now react. EvF hopes for a ruling in the next six months.

Schrems has filed similar Prism-related complaints in several European countries, as the ones against Microsoft and Skype in Luxembourg and against Yahoo in Germany, which are still being investigated by the competent data protection authorities.

Facebook decision can be reviewed (24.10.2013)

Facebook 'PRISM' decision to be reviewed by Irish High Court (24.10.2013)

PRISM: Irish DPC's Refusal to investigate Facebook being reviewed by High Court (24.10.2013)

ENDitorial: EP draft report on private copy levies – serious or satire?

French Socialist MEP Françoise Castex published her draft report on private copying levies on 9 October. The biggest question that the document raises is... are you serious, Ms Castex?

The policy issue being addressed is that “creators” are meant to be “compensated” for private copies that are made of legally acquired content, such as music or printed material. In some EU countries there are no levies, in some EU countries there are low levels of levies. In France, Ms Castex' country, the levies are by far the highest in Europe, generating a well-funded copyright industry that is very effective at lobbying to protect its own interests.

There is therefore a huge problem to be addressed – should we have this extraordinarily inefficient tax, where every euro generated costs 52 cents to collect? Should we be compensating artists – or anyone – for losses that have never been documented? These and many other important questions are diligently avoided by Ms Castex, who prefers to focus on sophistry, misinformation and misdirection.

On the key point of how the levies should be calculated, Ms Castex chooses not to argue for a scientific analysis of whether or not there is a loss that should be compensated. Instead, she argues that there should be a “negotiating arrangement for the rates applicable” and then argues against herself, suggesting that there should be a consultation to “simplify procedures” to ensure “fairness and objectivity”... objectivity that would be impossible if her suggestion that the levels be negotiated were to be accepted. In the increasingly tense Castex vs Castex debate about the calculation of the amount that should be charged, Castex also argues that “levies should be calculated on the basis of the possible harm to rightsholders” (rather than, for example... the negotiating arrangement that she also supports?).

Even though the issue is entirely irrelevant to the problem of private copying levies as the money is collected permits copying of legally obtained content, Castex argues that taxpayers (“Member States”) should additionally redirect their (which?) “anti-pirate” (sic) campaigns to propaganda that highlights “the benefits of private copying levies”. She does not indicate what benefits she is referring to or where the logical link to piracy may or may not be. Bizarrely, she also argues that 25% of the money collected should be actively withheld from the artists and spent on promoting “creative and performance arts”.

Faced with the fact that audiovisual and audio products are increasingly provided on a per-view basis, Castex launches another bitter argument with herself. She says that contractual arrangements (licensing, in other words) “cannot be allowed to prevail to the detriment of private copying exemption arrangements” but also that “licence-granting practices are being viewed as an alternative to the system of private copying levies”. The bottom line is that private copying is being restricted by technological restrictions. While it is illegal under EU law to circumvent these restrictions, even if this circumvention is to allow private copying that is permitted (and paid for through levies), Castex does not propose legalising circumvention. She also does not propose the banning of such technologies. Instead, she calls for their “elimination” - but does not indicate how this should be done. One imagines that if she wanted them to be banned by law, that is what she would have said. We know what she doesn't mean. What she does mean, on the other hand, is less clear.

It is in the area of statistics where the draft report is its most absurd. The text omits any reference to the cost of the levies to the consumer and whether this is appropriate. It argues that levies represent a “small proportion” of the turnover of equipment manufacturers (possibly because they are equipment manufacturers and not broadcasters or music retailers), yet is “a considerable amount for artists”. Which artists? French artists, whose government imposes high levies, British artists, whose government imposes no levies? We have no way of knowing – Castex chooses not to tell us. She points out that 600 million Euro is collected and that the cultural industries employ 5 million people. If those 5 million people are relevant in this context, they are relevant to the tune of, on average, 32 cents per day per job. Are any of those jobs relying on the 32 cents per day on average, that are received from private copying levies? We don't know. Ms Castex chooses not to tell us.

Are the 5 million jobs in the cultural sector even relevant in this context? We don't know. Is there any point in such a directionless, chaotic report? We don't know.

Draft Report in Private Copy levies (20.09.2013)

Compensation for private copying - an economic analysis of alternative models (05.2011)

(Contribution by Joe McNamee - EDRi)

Recommended Action

The Assises de la Justice - a forum on EU justice policies - seeks to generate ideas which will contribute directly to shaping the European Union's justice policy over the coming years. The Commission is looking for contributions from anyone with an interest in the issues which will be discussed during the conference, and more broadly on the future justice policy of the European Union.

You are invited to submit your contributions to this debate until the end of 2013. In order to feed the debate during the Assises de la justice, preliminary contributions should be submitted by Monday 11 November.

See also discussion paper on fundamental rights

Recommended Reading

EDRi paper on Net Neutrality (11.2013)

Privacy and Surveillance are the Elephant in the Room at OGP Summit (1.11.2013)

Tim Berners-Lee demands countries deliver on open data promises (31.10.2013)

Registrars Clash at Verisign Over Seized “Pirate” Site Domains (3.11.2013)

Germany and Brazil introduce UN resolution affirming right to privacy, condemning mass surveillance (1.11.2013)

Russian Facebook Not Responsible For Users’ Pirate Music Uploads (26.10.2013)


19-20 November 2013, Berlin, Germany
Berlin Open Access Conference: 10th anniversary of the Berlin Declaration

27–30 December 2013, Hamburg, Germany
30C3 – 30th Chaos Communication Congress

22-24 January 2014, Brussels, Belgium
CPDP 2014: Reforming data protection: The Global Perspective

3-5 March 2014, San Francisco, California, USA
RightsCon: Silicon Valley

19-20 March 2014, Athens, Greece
European Data Forum 2014 (EDF2014)
CfP by 10 December 2013

24-25 April 2014, Barcelona, Spain
SSN 2014: Surveillance Ambiguities & Assymetries

28-29 April 2014, Newcastle upon Tyne, United Kingdom
OER14: building communities of open practice