EDRi-gram newsletter - Number 11.23, 4 December 2013

“Rebuilding Trust in EU – US Data Flows” - some lowlights

On 27 November 2013, the European Commission finally published its Communication on the “Safe Harbor” agreement as part of a broader package on EU/US data flows.

Perhaps the most disappointing aspect of the Communication was the statement that the PNR agreement and other data sharing agreements work, made without substantiating any of those claims. Simply asking the United States if they breached the existing rules and blandly stating, in the absence of any credible evidence, that the agreements on passenger name records (PNR) and financial data tracking (TFTP) “meet the common security interests of the EU and US, whilst providing a high level of protection of personal data” provides no new information and offers no new insights. Indeed, the only thing that is new is the apparent belief of the European Commission that politely asking the US if they have been breaking any rules constitutes an investigation.

The claim about a high level of protection of personal data rings particularly hollow in the face of the revelations made public by Edward Snowden. These revelations show a level of data collection by US agencies that has absolutely no regard for the fundamental principles of necessity and proportionality in international law.

It does not get much better when we look at the Commission's thirteen recommendations for the implementation of Safe Harbor. They are nothing more than recommendations. Instead of giving a clear signal on what must change in order to make the Safe Harbor exception tenable and credible in the light of the Commission's legal duties to protect the fundamental rights of EU citizens, the Commission leaves uncertainty on what may happen next. This is not good for citizens and it is not good for business.

The Commission veers off into the surreal with its recommendations regarding access to personal data by US authorities. It recommends that privacy policies should include information on the extent to which US law allows public authorities to collect and process data transferred under the Safe Harbour. In light of the fact that, so far, several US-based human rights organisations have had to resort to courts (with limited success) in order to get the US government to even disclose exactly this, one can but wonder about the basis for the Commission's faith in the ability of corporate entities to provide such disclosure.

Equally detached from reality are the Commission's recommendations on enforcement: none of them mentions the possibility of a loss of self-certification or wider implications for the Safe Harbour regimes in case of structural failures to comply with its already too relaxed protections for EU citizens.

As it stands now, the US Safe Harbor regime is neither safe nor a harbour – more of a jagged rock sticking out of a stormy sea. The Commission's recommendations can logically only lead to a continuation of this charade. It has been said before: Safe Harbor is dead, so far we have not got around to burying it. Time for a burial at sea?

Restoring Trust in EU-US data flows - Frequently Asked Questions (27.11.2013)

European Commission calls on the U.S. to restore trust in EU-U.S. data flows (27.11.2013)

European Parliament will rule on Net Neutrality

EDRi has waited for years for concrete proposals to enshrine the net neutrality principle in European Union law. Since 2010, there has also been an increasing number of calls from the European Parliament to guarantee net neutrality. Finally, in September 2013, the European Commission proposed a draft Regulation which aims at protecting the open internet in Europe. Vice President Neelie Kroes repeatedly stated that this proposal would include the "right to net neutrality".

Unfortunately, the draft Regulation proposed by Commissioner Kroes poses a serious threat to the internet as we know it. EDRi has analysed the three most important loopholes: specialised services, "freedom" of end-users and "Prevent or impede serious crime".

The good news is that it only takes a few modifications to turn the Commission's proposal into a meaningful means of protecting net neutrality, thereby ensuring that the Internet remains a barrier-free single market and a unique platform for social and cultural activity and democratic discourse.

Read EDRi's full analysis of the most important loopholes (26.11.2013)

EDRi's amendments (21.11.2013)

Booklet on net neutrality (26.11.2013)

Draft Regulation

Paris court orders search engines and ISPs to block websites

In a case dating back to December 2011, brought to court by the French Association of Cinema Producers, a group representing more than 120 companies including Paramount and Sony, together with other film industry organisations, the High Court of Paris decided, on 28 November 2013, to order Google, Microsoft and Yahoo to completely de-list 16 video streaming sites from their search results.

The complaint targeted 16 domains connected to the popular Allostreaming, Fifostream and DPstream video portals and had previously received emergency interim measures. Last week the High Court of Paris ruled that the film industry had clearly demonstrated that the sites in question were “dedicated or virtually dedicated to the distribution of audiovisual works without the consent of their creators,” thus violating their copyrights.

Therefore, the search services of Google, Microsoft, Yahoo and local Orange were ordered to take all necessary measures to prevent the occurrence on their services of any results referring to any of the pages on the respective sites. Several ISPs, such as Free, Orange, Bouygues Télécom, SFR, Numéricable and Darty Télécom, were also asked to implement measures to prevent the access of their users to the infringing sites, including blocking.

The defendants have tried to argue that blocking the illegal streaming websites was inefficient as users can post mirror versions of the sites under different names and use forums to communicate locations of pirated content.

The court replied that "The impossibility of ensuring the complete and perfect execution of the decisions should not lead courts to ignore the content creators' intellectual property rights."

However, the costs incurred by the measures to be taken will not be borne by the search engines and ISPs: “The cost of the measures ordered cannot be charged to the defendants who are required to implement them,” the decision reads.

Google, Microsoft, Yahoo and the ISPs have two weeks to implement the measures which are to last for 12 months.

What the industry groups actually want is to give the Association for the Fight Against Audiovisual Piracy (ALPA) the right to automatically notify Internet intermediaries of the occurrence of “mirrors” of the infringing sites, without going through a judge. ALPA has developed some software that can trace the occurrence of a mirror of a legally blocked site. The intention is to have the software recognised by the court and to be able to deal with the issue and order the intermediaries directly to block. And all this on the basis of article L336-2 of the French Intellectual Property Code, which allows the rightholders to request any measure against anybody, in order to stop or prevent damages to their interests.

The court decided, however, that in case of the re-occurrence of the blocked sites, the parties involved would have to go through the judge and not through the software. Yet, it left an open door to private censorship, through “self regulation” by means of a cooperation between Internet actors and rightholders to censor mirror sites.

“For the first time, Internet sites will be blocked by ISPs in the name of copyright protection on the basis of vague provisions of HADOPI law voted in 2009. This is very bad news as the blocking appears as a very dangerous measure having in view especially the inevitable risk of over-blocking perfectly licit sites. But the encouragement of a cooperation between Internet actors and rightholders to censor mirror sites susceptible to occur in the future is even more concerning. (...) this ruling comes once more to endorse the private censorship forms that develop everywhere on the Internet undermining fundamental rights. The concerned Net actors must, from now on, clearly convey their refusal to play justice missions and act as private police”, said Félix Tréguer, founding member of La Quadrature du Net.

The association has drafted a legal note to point out that the measures required by the rightholders breach European law and to draw attention to the lack of legal basis for such requests.

The websites in question have already taken measures to inform their visitors of the new domain names and other ways to access their content.

Court Orders Google, Microsoft & Yahoo to Make Pirate Sites Disappear (29.11.2013)

The Court orders blocking Allostreaming galaxy (only in French, 28.11.2013)

Paris court orders blocking of 16 video streaming sites (30.11.2013)

AlloStreaming: a first legal blocking of a streaming site, soon private censorship? (only in French, 28.11.2013)

DPstream organises its by-pass of ISP blocking (only in French, 3.12.2013)

Google in breach of the Dutch data protection act

The Dutch Data Protection Authority has recently issued a report concluding that Google is in breach of the Dutch Data Protection Act, with its new privacy policy.

The report is a result of the investigations carried out at the initiation of the French data protection authority (CNIL) on behalf of all European data protection authorities united in the Article 29 Working Party, following the introduction of Google’s new privacy policy on 1 March 2012. After this initial investigation, the results of which were published in October 2012, six national privacy authorities, in France, Spain, Italy, Germany (Hamburg), the UK, and the Netherlands, decided to initiate national investigations, based on their own national laws.

The Dutch legislation allows information to be gathered about individuals only for a particular purpose or business goal. Google gathers data, some of which are of a sensitive nature, such as banking information, location data or surfing behaviour, for the purposes of displaying personalised ads and to personalise services such as YouTube and Search. These data can be combined through Google’s different services, although these services serve entirely different purposes from the point of view of users.

The Dutch DPA found that Google combines the personal data from internet users, collected by its various services, without adequately providing specific information about the data it collects and without obtaining the users’ previous consent. "Google spins an invisible web of our personal data, without our consent. And that is forbidden by law", says Jacob Kohnstamm, the chairman of the Dutch data protection authority. In the authority’s opinion, Google should work harder to get "unambiguous" consent from users to combine data. The consent for the combining of personal data from different Google services cannot be obtained by accepting general (privacy) terms of service.

In response, Google argued it did give users detailed information about the data it was collecting and what would be done with it. "Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the Dutch DPA throughout this process and will continue to do so going forward," was Google’s statement.

The Dutch DPA has invited Google to a hearing, before deciding whether it would take enforcement measures.

Dutch DPA: privacy policy Google in breach of data protection law (28.11.2013)

Dutch Data Protection Authority - Investigation into the combining of personal data by Google Report of Definitive Findings (English informal translation, 11.2013)

Dutch privacy watchdog says Google breaks data law (28.11.2013)

EDRi-gram 10.20: Google needs to improve its privacy practices (24.10.2012)

Google violated Dutch data protection laws, says watchdog (29.11.2013)

ECJ Advocate General: Forcing ISPs to block websites could be legal

The Austrian Supreme Court has sent a request to the European Court of Justice to clarify whether an ISP providing Internet access to those using an allegedly illegal website is to be considered as an intermediary. It also asked for an interpretation of the EU rules on the content and procedure for the issuing of such an injunction.

The request comes in relation to a case initiated by Constantin Film against the Austrian ISP UPC with the aim of prohibiting UPC from allowing its customers to access the streaming site kino.to.

The complainants argued that the ISP was providing access to its subscribers to Kino.to, thus enabling the users to access their copyrighted material without permission.

In his legal advice to the European Court of Justice, Advocate General Pedro Cruz Villalón stated that Internet service providers may be ordered to block their customers from accessing known copyright infringing sites, according to EU law. In his opinion, the ISP of the user of a website infringing copyright is also to be regarded as an intermediary whose services are used by a third party – that is, the operator of the website – to infringe copyright and therefore also as a person against whom an injunction can be granted. In his opinion, that is apparent from the wording, context, spirit and purpose of the provision of EU law.

Although he believes that “it is incompatible with the weighing of the fundamental rights of the parties [freedom of information, freedom to do business, copyright protection] to prohibit an internet service provider generally and without ordering specific measures from allowing its customers to access a particular website that infringes copyright”, he nevertheless adds that “a specific blocking measure imposed on a provider relating to a specific website is not, in principle, disproportionate only because it entails not inconsiderable costs but can easily be circumvented without any special technical knowledge.”

While he emphasizes that rightholders must, as much as possible, claim directly against the operators of the illegal website or their providers, he also warns that, when weighing the fundamental rights, it must be taken into account that, in future, action could be taken in numerous similar cases against any provider before the national courts: “It is for the national courts, in the particular case, taking into account all relevant circumstances, to weigh the fundamental rights of the parties against each other and thus strike a fair balance between those fundamental rights.”

The Advocate General’s advice is not binding for the court, which will also rule on the case.

Court of Justice of the European Union PRESS RELEASE- Advocate General’s Opinion in Case C-314/12 (26.11.2013)

ISPs Can Be Required to Block Access to Pirate Sites, EU Court Hears (26.11.2013)

Web blocking could be illegal, says top EU legal adviser (15.04.2011)

EU Ruling Could Extend Internet Piracy Website Blocking to All ISPs (27.11.2013)

Ireland: Google ordered to remove Knowledge Graph result

On 28 November 2013, Google received an ex-parte interim order from an Irish court to block the publication of a photo image of convicted solicitor Thomas Byrne which appears as a search result alongside the profile of Irish Senator Thomas Byrne, a solicitor himself.

Google considers it cannot be held liable for what comes up in its search results, as it only creates a snapshot of content that is elsewhere on the internet and this so-called “caching defence” is covered by the EU’s e-commerce directive law, allowing ISPs to not be held liable for being a mere conduit for information.

However, Google is no longer a mere provider of search results reflecting the content of websites elsewhere on the internet, as it currently offers a range of products and services that bring additional information to users, such as the “Knowledge Graph”, which brings together a number of information sources on the internet, assembling them for search results and allowing users to provide feedback on each result, including the option to cite specific pieces of information, including images, as “wrong”.

Thus, alongside Mr. Byrne’s biographical information, mainly from Wikipedia, there was a photo of convicted solicitor Thomas Byrne, resulting from Google’s “Image Search” facility, which ranked pictures of the latter first and did not differentiate between him and the politician.

Although Mr. Byrne considered that the publication had been done without malicious intention, he went to court as he had made three attempts to contact Google to have the photograph removed, without success. He also stated that he had tried to use the self-correcting mechanism on the Google site to remove the material but had been unsuccessful as well.

Mr Justice Paul Gilligan granted the interim order under Section 33 of the Irish Defamation Act 2009, restraining the publication of convicted solicitor Thomas Byrne’s image “as a photo and description” of the Senator, considering the publication was clearly defamatory and that Google Ireland Ltd had no defence to the claim.

There are critical voices that believe Google’s facility is gathering content from thousands of websites and republishing it as its own, “for improved user experience”, and that, although for the time being Google isn’t running ads against Knowledge Graph results, there is no guarantee that it will not do that in the future.

Google has ended up in courts also for its autocomplete facility and lost cases in Ireland, Germany, Italy and France where courts have held the search engine responsible for algorithmic results presented in its autocomplete facility.

Following the ex parte injunction ordered by the court, the photograph of the convicted Thomas Byrne disappeared from Google’s Knowledge Graph result. Google could have avoided a legal action if it had reacted to the senator’s direct requests.

Not the result Google was searching for (30.11.2013)

FF’s Thomas Byrne blocks Google’s use of namesake’s image (28.11.2013)

Giving Google More Data for Knowledge Graphs May Not Be Optimal (9.10.2013)

Warrantless Internet spying by French authorities

On 26 November 2013, the French National Assembly discussed the draft of the military programming law which could give the authorities the power to collect, without a judge's warrant and in real time, telecom users’ data as a result of an amendment introduced by the Senate in first reading.

Presently the internal security code stipulates that the interception of electronic communications can be authorized in exceptional cases of investigations related to the national security and other serious crimes.

The draft proposes to complete the internal security code to explicitly authorize the gathering, from electronic communications providers, but also from hosting companies and Internet editors, of any information or documents treated or kept by their electronic communications networks or services, including (but not limited to) data related to telephone numbers, IP address, geolocation of smartphones, and the detailed information of a subscriber’s communications such as date, duration and phone numbers called.

Moreover, the draft eliminates any intervention of an independent judge, leaving the authority to validate the interception requests to “a qualified person” designated by CNCIS (National Commission for the control of security interceptions) on the proposal of the Prime Minister.

Article 13 of the draft gives the possibility, under the Prime Minister’s authorization, to collect the data in real time, directly from the networks or operators for 30-day renewable periods.

And, as if this was not enough, the draft also extends the types of entities from which the authorities may require interceptions to include content hosting companies, such as Google or Dailymotion.

On 20 November 2013, the Association of Internet Community Services (ASIC), denounced these new provisions and expressed concern regarding “the dirty race in the domain of Internet surveillance,” and asked the Government to stop this text.

“It is time that the French government sets up a moratorium on any adoption of new access powers to the Internet users’ data that would not be subject to any control or authorization by a judge. Faced with CNIL’s inaction, it is urgent that the Ministry of Justice itself launches immediately a complete audit of the current legal framework, of the manner in which this legal framework is put into force by the authorities and of the extent of the respect of the individual rights and freedoms”, stated ASIC members.

Real time data collection by the State, illegal but cleared (update, only in French, 25.11.2013)

Internet Surveillance: concerns over the military programming law (only in French, 27.11.2013)

Internet Surveillance, access to the users’ data: for a moratorium on the regime of exceptions! (only in French, 21.11.2013)

Military programming law: enlarged and institutionalised digital spying (only in French, 26.11.2013)

The Assembly adopts the real-time collection of data by the state (only in French, 29.11.2013)

A Move Towards Generalised Internet Surveillance in France? (4.12.2013)

CNIL was not asked for its opinion on the text related to access to connection data (only in French, 26.11.2013) http://www.cnil.fr/linstitution/actualite/article/article/loi-de-progr...

Bits of Freedom presents policy package against mass surveillance

On 4 December 2013 the EDRi member Dutch digital rights organisation Bits of Freedom launched a website petitioning the Dutch government to take numerous concrete measures to end mass surveillance. It officially presented the policy package to the Minister of Interior Affairs the day before.

On the campaign website, bespied-ons-niet.nl (translated as: 'don't spy on us'), a wide-ranging package of policy measures is set out. These range from diplomatic measures to stopping plans to provide the Dutch secret services with the authority to intercept internet traffic on a broad scale. In addition, the organisation asks the government to invest heavily in defensive technologies, such as encryption and anonymisation technologies, making sure that these tools can be used by a broad public. On a European level, the Dutch government should advocate for measures such as termination of all data sharing agreements with the United States and suspension of negotiations over TAFTA.

The campaign was launched hot on the heels of the publication of a governmental report on the Dutch Secret Service Act (the Wet op de inlichtingen- en veiligheidsdiensten). In the so-called Dessens-report, it is concluded that the Act should be amended so as to give Dutch secret services the power to mass intercept internet traffic. It is simply incomprehensible that the Dutch government even considers such expansion after months of publications evidencing global mass surveillance based on documents provided by whistleblower Edward Snowden.

The campaign site

Bits of Freedom's reaction to the Dessens-report (2.12.2013)

(Contribution by Ot van Daalen - Bits of Freedom)

ENDitorial: Lessons from the failure of Licences for Europe

Now that the Licences for Europe has failed so comprehensively, it is time to reflect on what types of voluntary or self-regulatory initiatives are likely to work and which are likely to fail.

Last May, at the Stockholm Internet Forum, EDRi ran an “unconference” session, which brainstormed about what characteristics a self-regulatory initiative would need to have in order to be likely to succeed. Participants produced eight criteria. To avoid failures or counterproductive outcomes of such projects in the future, it would be valuable for the Commission to develop a comprehensive methodology for analysing the context and potential for success. Looking at the Licences for Europe framework through the prism of the “Stockholm Internet Forum” criteria, we can see that even these basic principles could have been valuable.

Criterion 1: Is the process internal or external to the intermediary?

This criterion was met to varying degrees by the different industry stakeholders. The ability to grant licences is clearly an internal process for rightsholders. However, for the users of content for various processes (text and data mining, video hosting, etc), the process issue is entirely external. So, we can say that the criterion is partly respected, but it clearly raises concerns.

Criterion 2: Are there vested interests on the part of the intermediary?

There is an obvious vested interest for rightsholders to demand licensing of content in all available situations – or at least have the right to do so – because that allows them more control. There are also vested interests for the users of protected content to use special deals and market dominance to exploit voluntary arrangements. If the Commission had used this methodology, therefore, it would have raised a warning flag.

Criterion 3: How competitive is the market?

This varies widely. However, we know that there is major consolidation and dominance in certain major markets that were covered by the discussions. These competition problems range from the music industry to the video hosting industry (where YouTube is part of Google's very wide online activities). Another red flag.

Criterion 4: What is the (public) policy objective being pursued?

Even though the Commission launched the project and chaired it (i.e. it was clearly a Commission project), it insisted on maintaining a fiction that it was simply a facilitator and could not set the agenda or specify what problems needed to be addressed. Consequently, the public policy objective for the four working groups was not set in advance. Another red flag.

Criterion 5: Whose law is being implemented?

The point of the exercise was to move away from the limits of the existing chaotic legal framework. If we take protected content that is used for parody purposes, for example, there are four EU countries that have a specific copyright exception for this purpose and twenty-four that do not. A “voluntary” agreement between hosting providers and content providers to ask the latter to licence such activities (and a licence can always be revoked) would effectively negate the legal rights of citizens in the four countries that have implemented the exception. So, the law would be replaced by a system where the citizens of those four countries would lose their rights. Another red flag.

Criterion 6: Are there regional variations of the impact of the measures?

This criterion is only relevant to the extent that it is covered by the previous point. The criterion covers situations where a voluntary measure would have different “real-world” outcomes in different world regions. No red flag.

Criterion 7: What is the responsibility of the intermediary for its interventions and does the citizen have a right of redress?

If we take the example of “user-generated content”, the intermediaries would restrict the rights of the individual through their terms of service (such as in the parody example in point 5 above) and thereby avoid responsibility for restrictions of legally “guaranteed” rights.

Criterion 8: What is the collateral damage for liability exceptions?

This criterion is not relevant.

So, in conclusion, of the eight criteria, points 2, 3, 4, 5 and 7 raise concerns, point 1 is partly relevant and only points 6 and 8 are not relevant.

While this methodology is quite crude, it is still more sophisticated than anything produced by the European Commission over the entire history of its support for “self-regulation” in the online environment. The fact that even this simple methodology could have helped to predict and avoid the problems of Licences for Europe shows that a more structured and analytical approach to the issue of self-regulation in the online world is badly needed. There is an open question, however: is the lack of an appropriate methodology from the European Commission due to a simple oversight, or is the Commission afraid that such a methodology would prevent it from proposing self-regulation in circumstances that are politically appealing but impractical or damaging in the real world?

SIF Unconference: Enforcement through "self-"Regulation - who ever thought this was a good idea? (27.05.2013)

(Contribution by Joe McNamee - EDRi)

Recommended Action

EDRi is looking for a Community and Communications Manager
Deadline for applications: 6 December 2013

Recommended Reading

Swiss ISPs Condemn “Useless” Blocking Proposals From Secret Piracy Talks (25.11.2013)

Third Committee Approves Text Titled ‘Right to Privacy in the Digital Age’, as It Takes Action on 18 Draft Resolutions

International Olympic Committee Demands 2014 Olympics Piracy Takedowns & Blocks “Within Minutes” (21.11.2013)

Vodafone Iceland hacked: 70k client accounts made available on p2p networks (30.11.2013)

Facebook trashes its “principles” as it blocks human rights pages in Pakistan (28.11.2013)

Supreme Court of Belgium Orders ISPs to Police the Internet for Pirate Bay Proxies (20.11.2013)


27–30 December 2013, Hamburg, Germany
30C3 – 30th Chaos Communication Congress

22-24 January 2014, Brussels, Belgium
CPDP 2014: Reforming data protection: The Global Perspective

1-2 February 2014, Brussels, Belgium

3-5 March 2014, San Francisco, California, USA
RightsCon: Silicon Valley

19-20 March 2014, Athens, Greece
European Data Forum 2014 (EDF2014)
CfP by 10 December 2013

24-25 April 2014, Barcelona, Spain
SSN 2014: Surveillance Ambiguities & Asymmetries

28-29 April 2014, Newcastle upon Tyne, United Kingdom
OER14: building communities of open practice

3-4 July 2014, Barcelona, Spain
10th International Conference on Internet Law & Politics: Big Data: A decade of transformations.
Abstracts deadline: 10 December 2013