Exceptionally, as a result of some problems with our mail server, we could not send the EDRi-gram newsletter by email in due time to all our subscribers.
The web version has been published in due time, but the newsletter will be send probably on Thursday, 2 February 2012, when we estimate that the mail server problem will be fixed.
Apologies for these problems!
This article is also available in:
Deutsch: Frequently Asked Questions zu ACTA
French:FAQ sur l’ACTA par Joe McNamee, coordinateur à l’EDRI
Romanian:Întrebări frecvente despre ACTA
1. Does ACTA require countries to impose "three strikes" rules?
Countries that ratify ACTA are required to encourage "cooperation" between private companies to enforce the law. Such cooperation is intended to be extensive, including the disconnection of end-users on the basis of decisions taken by private industry. This is proven by a leaked document published by the European Parliament itself (footnote 6, page 4):
"An example of such a policy is providing for the termination in
appropriate circumstances of subscriptions and accounts in the service
provider's system or network of repeat infringers"
2. So companies are not obliged to impose repressive measures against consumers?
Companies are threatened with criminal sanctions if they derive "indirect" economic benefit from infringements and/or if they are deemed (possibly as a result of failing to take repressive measures, for example) to have "aided and abetted" one or more infringements. So, they can either take repressive measures, or they are welcome to take these risks, if they prefer.
3. But is ACTA completely in line with existing EU law?
Criminal sanctions for IPR enforcement are not part of EU law - in fact, the only proposal ever made failed. Moreover, the criminal sanctions in ACTA go beyond what was discussed in the failed proposal. For example, the European Parliament demanded exceptions for private copying and "fair use" for activities such as criticism, comment, news reporting, teaching, scholarship or research. There are many other points where the compliance with EU law is dubious - for example, the almost limitless damages that can be imposed under ACTA based on retail price rather the actual damage incurred.
4. But still, is it good to create a "level playing field" of implementation of IPR law?
ACTA seeks to export parts of EU law, in the unexplained assumption that they will have the same impact elsewhere, in completely different legal environments. For example, ACTA requires extensive transmission of personal data of consumers to rights holders and unspecified "voluntary" policing by rights holders. Within the EU, the E-Privacy Directive and the general Data Protection Directive create a context which allows a degree of protection for consumers. Creating dangers without meaningful safeguards is a risk for democracy and the rule of law for citizens of our trading partners where such safeguards either do not exist at all or are more limited. This runs directly counter to the Treaty on European Union, which requires the EU to support democracy and the rule of law in its international relations. We cannot break one law for the sake of imposing another.
5. At least where we are imposing our law on ourselves, there is no danger, right?
Many of the provisions (access to personal data, for example) in ACTA come from the Intellectual Property Enforcement Directive (IPRED). These provisions have caused serious problems in some European countries - such as in the United Kingdom, where the data were used to coerce and, according to one member of the House of Lords "blackmail" consumers. Once these provisions are put into ACTA, the European Union will be under an international legal obligation not to change them. The European Commission's review process for IPRED is scheduled to start after ACTA is scheduled to be adopted by the European Parliament - i.e. the European Union will decide not to make significant changes to IPRED before assessing its impact.
6. At a time of economic crisis, surely it is good to promote economic growth in a trade agreement?
The European Parliament's independent study on ACTA argues that "there is a point at which further strengthening IPRs becomes counterproductive and could in fact hamper innovation". The European Commission refused to undertake an impact assessment, so there is no analysis whatsoever as to whether the very extensive measures proposed in ACTA are, in the study's words, "counter productive".
Similarly, ACTA "encourages" policing of networks by intermediaries (access providers, web hosting providers, payment providers, search engines, advertising networks etc). No analysis has been undertaken to assess the very real danger that this policing activity will be used to keep European companies out of foreign markets. Worse still, as these are extra-legal "voluntary" measures, it would be particularly difficult to obtain a ruling from the World Trade Organisation to fight any such protectionism.
7. But it must be good to establish a benchmark for the world to follow?
The problem is that the closed, secretive nature of the ACTA negotiations, which deliberately avoided agreed and established multilateral forums, has created a benchmark in counterproductive diplomacy. As the European Parliament study says "the major emerging economies, China, Brazil and India appear not to have been formally invited to participate," leading India to champion the cause of Less Developed Countries (LDCs) in the TRIPS council, where it complained about the "exclusion of a vast majority of countries, including developing countries and LDCs".
8. At least, in a globalised world, ACTA will help European online businesses, won't it?
ACTA requires states that are party to it to encourage law enforcement by private companies. Often, these will be in other countries, with different copyright regimes and different degrees of liability. At any given moment, therefore, online companies would be at risk of having their service removed from search engines, payments being blocked by payment service providers, their domain name (like www.edri.org) removed by the company that they paid to register it (the registrar), the company that manages the registry of domain names or advertising network - or being blocked by Internet providers abroad, seeking to protect their businesses from competition.
9. This is all exaggeration - there is no threat to free speech and democracy, is there?
A conservative member of the German parliament unintentionally put multiple copyright-protected images on his website. Large numbers of visits to the page led to a "commercial scale" reproduction of the image. He received an "indirect economic" advantage by not paying for the images and his service provider arguably "aided and abetted" the "infringement" by not taking action against this repeat "offender". Is he or his Internet provider a criminal? According to ACTA, they are. This is a threat to free speech and democracy.
10. Why are national parliaments and the European Parliament voting on ACTA - and hasn't it already been signed, so isn't the process finished?
ACTA partly falls outside the scope of EU law (the so-called acquis communautaire). The part that falls outside the scope of EU law (criminal sanctions) needs to be approved by each Member State. The part that is inside the scope of the EU can be decided and ratified at EU level. The EU can only accept or reject the entire text - although there is nothing to stop it from setting internal guidelines for itself on how it should be implemented in practice.
Signing an international agreement is not like signing a contract - it simply opens the decision-making process within a government.
(Contribution by Joe McNamee - EDRi)
This article is also available in:
Deutsch: Die Datenschutzwoche 2012: Datenschutz-Konferenz und BarCamp
The week from 22 to 26 January 2012 was rather busy for everyone involved in European data protection issues.
First of all, the European Commission has launched its proposals for revision of the data protection framework. In the same week, the European Data Protection Supervisor (EDPS) published a survey on the performance of all 58 EU bodies in key areas and showed that EU institutions have different levels of data protection compliance. The publication of the two draft legal instruments, the Regulation (replacing the existing Data Protection Directive from 1995) and the Directive (on data exchange in the area of policing), are therefore a first step in a long process towards the harmonisation of European data protection rules. EDRi has welcomed the proposal for a Regulation, as a single, directly applicable instrument which is needed to secure greater respect for and awareness of the fundamental right to data protection and to privacy for European citizens.
Secondly, the Computers, Privacy and Data Protection Conference (CPDP) took place from 25 to 27 January 2012. Three EDRi speakers made presentations and defended our views and concerns. Meryem Marzouki spoke for EDRi regarding the modernisation of the Council of Europe (CoE) Convention 108. Joe McNamee explained the consequences of copyright enforcement for citizens' privacy. Finally, Walter Van Holst gave EDRi's first comments on the proposal for a data protection regulation.
On the day before the start of the CPDP, EDRi organised a BarCamp on data protection and privacy in cooperation with Vrije Universiteit Brussel and the Facultés Universitaires Saint-Louis. This was an excellent opportunity for activists to work on various topics such as the right to be forgotten, PNR, the new Directive and a focus for civil society regarding the new Regulation.
Finally, the Privacy Day was celebrated internationally on 28 January. The day aims at promoting the importance of data protection and privacy. In April 2006, the CoE decided to start celebrating the Data Protection Day on 28 January in Europe which corresponds to the opening for signature of Convention 108. The Convention is, like the 1995 Directive, also in the process of being modernised and a first draft with the proposed changes was published on 18 January 2012.
EDRi: Initial comments on the Proposal for a Data Protection Regulation
Meryem Marzouki's presentation at CPDP 2012: Modernizing Council of Europe
Convention 108: Comments and Recommendations from a Civil Society
General Report: Measuring compliance with Regulation (EC) 45/2001 in EU
institutions and bodies ("Survey 2011") Measuring compliance with
Regulation (EC) 45/2001 (23.01.2012)
The Register: Microsoft exec says Safe Harbor framework is "alive and well"
EDRi BarCamp (24.01.2012)
Computers, Privacy and Data Protection Conference 2012
Convention 108 and the proposed changes (01.2012)
(Contribution by Kirsten Fiedler - EDRi)
This article is also available in:
Deutsch: Polizei setzt häufig Stille SMS zur Ortung Verdächtiger ein
One issue that came out during the 28th Chaos Communication Congress held in Berlin between 27 and 30 December 2011, was the use of the so called "Silent SMS" by the police in Germany to track down suspects.
The Silent SMS, also called Flash-SMS is a SMS allowing the user to send a message to another mobile phone without the knowledge of the recipient. "The message is rejected by the recipient mobile, and leaves no trace. In return, the sender gets a message from a mobile operator confirming that the Silent SMS has been received," as it is explained by the developers from the Silent Services, company who created some of the first software necessary to send such SMSs.
Mobile security expert Karsten Nohl and his colleague Luca Melette, announced during their presentation at the Congress, that in Germany, in 2010, the police sent thousands of Silent SMS meant to locate suspects.
Silent SMS were initially meant to allow operators to acknowledge whether a mobile phone was switched on and test the network without advising the users. However, they have proven useful for the tracking down of suspects by the police in several countries. Silent SMS allow the precise location of a mobile phone by using the GSM network.
"We can locate a user by identifying the three antennas closest to his mobile, then triangulating the distance according to the speed it takes for a signal to make a return trip. A mobile phone updates its presence on the network regularly, but when the person moves, the information is not updated immediately. By sending a Silent SMS, the location of the mobile is instantly updated. This is very useful because it allows you to locate someone at a given time, depending on the airwaves" explained Karsten Nohl.
According to Mathias Monroy, a journalist with Heise Online, this surveillance technology is largely used because it falls in a gray area from the legal point of view, the law being unclear whether a Silent SMS can be considered as communication. "The state found that it was not one, since there is no content. This is useful, because if it is not a communication, it does not fall under the framework of the inviolability of telecommunications described in Article 10 of the German Constitution."
On 6 December 2011, the German Interior Minister Hans-Peter Friedrich announced that German police and intelligence have sent about 440 000 Silent SMS a year.
Although no official recognition was offered by French officials, police and intelligence services work with Deveryware, a "geolocation operator" which combines cellular localization, GPS, and other "real-time location" techniques. The company was evasive when questioned by OWNI.eu on whether Silent SMS were one of these techniques: "Regretfully we are unable to provide an answer, given the confidentiality imposed on us by legal requisitions. Deveryware's applications enable investigators to map and compile a history of a suspect's movements."
In the Netherlands the police has been used the technique since 2006. During a case in February 2011 when 11 Somalian people were arrested for terrorism, the public prosecutor admitted, for the e-zine Webwereld, that the practice was a normal part of the wiretap process in drug cases, organised crime, people trafficking and possible suicide. There is no need for a separate court order as the technique implies only location data.
When the question was raised in the Dutch Parliament in March 2011, the Minister of Justice answered that this "investigation means has been applied for a long time in a number of criminal investigation cases. This means is only being applied when there is already a wiretap on that telephone number." He also added that Silent SMS has been used in several cases and the judge has always found this means lawful.
Nohl showed during his presentation at the 28th Chaos Communication Congress that the technique together with easily procurable tools can be used by attackers to make a mobile phone initiate phone calls and send text messages. He noted that some users have already received bills of thousands of euros for calls and texts to Caribbean premium rate services. The researcher also called on the mobile network operators, network equipment suppliers and device manufacturers to implement techniques to improve GSM encryption mechanisms in order to give protection against such kind of attacks. The techniques are already available but are not used.
Getting the Message? Police Track Phones with Silent SMS (30.01.2012)
28C3: New attacks on GSM mobiles and security measures shown
28c3: Defending mobile phones (28.12.2011)
Each quarter a million Silent SMS (only in German, 22.11.2011)
Custom, Federal Police and Protection of the Constitution sent more than
440,000 SMSs in 2010 (only in German, 13.12.2011)
Investigation used very often Stealth SMS (only in Dutch, 4.02.2011)
This article is also available in:
Deutsch: Lobbyarbeit für ACTA erreicht neue Dimensionen
When the Commission calls for ACTA support, the chosen ones in industry happily follow. Going back a few months, in November 2011, at an International Fragrance Association event, Pedro Velasco Martins from the European Commission (DG Trade, Deputy Head of Unit, Public Procurement and Intellectual Property) warned parts of industry that the civil society was speaking out loudly on ACTA and that they were losing the public opinion.
In January 2012, under the umbrella of the New York-based International Trade Mark Association, 28 federations and associations released a paper called "ACTA - Why you should support it". Last week, the European Commission launched an intensive lobby -campaign meant for the European Parliament. In three documents, DG TRADE tries to convince the European Parliamentarians that ACTA is simply misunderstood and that it is really important for EU's competitiveness, and seeks to argue that ACTA is the appropriate and balanced tool to protect intellectual property rights, which respect the rights of citizens and consumers.
Amongst the very interesting arguments developed by the European Commission and the trade mark lobby, some are even more intriguing such as the alleged competitive advantage that ACTA would give to EU countries, the balanced approach of ACTA and the sufficient "safeguards" provided by the Agreement. Those allegations can't be left without any comments.
When arguing that ACTA will have a positive impact on EU competitiveness, do they consider that exacerbating the current patchwork of copyright law amongst EU Member States is the solution for better competitiveness? The EU is already at a significant competitive disadvantage due to the incoherence and inconsistency caused by the European rules on copyright - now they propose adding 27 different versions of criminal sanctions to destroy any hope of a "fit for purpose" legal system developing in Europe. Does the Commission or the US-based lobby group wonder why the global Internet success stories are already based in the USA, where the system is and will be more flexible and harmonised? Far from helping innovation in Europe, ACTA will have a chilling effect on innovation in the EU and will benefit the USA, which already has an innovation-friendly single market, when EU is struggling with a complex, non-harmonised and chaotic copyright regime. Moreover, the USA will not consider itself bound by ACTA while the EU will be legally bound.
According to this lobbying effort, ACTA is a balanced agreement, and the adequate tool for the protection of the sectors in need, which preserve the safeguards to the rights of citizens and consumers. If the agreement is so balanced, why do the so-called safeguards in ACTA appear to be so meaningless? ACTA refers to unclear, undefined and non-existing safeguards. The phrasing of ACTA is indeed unsatisfactory. The digital chapter, for example, underlined the need to preserve "fundamental principles", does it refer to fundamental rights? - if so, why does the text not say so? "Fair process" is not even a concept of international law, let alone a "fundamental principle".
Those "safeguards" are even more undermined by footnote 13 associated to Article 27. It explains that limitations on liability of Internet service providers can only be permitted if the interests of rightsholders are first taken into account. The problem here is that the Court of Justice of the European Union has ruled that one set of rights should not be given precedence over another. The fair balance between, on the one hand, intellectual property rights and the freedom to conduct business, the right to protection of personal data and the freedom to receive or impart information on the other is not achieved by favouring the sole interests of rightsholders. When it comes to fundamental rights, robust safeguards are needed. It is not the case that ACTA's safeguards are weak, it is that they are illusory...
Although they seek to assert that ACTA will not limit civil liberties, they fail to explain how prioritising repressive measures aimed for copyright protection over fundamental rights such as the right to privacy or freedom of communication without guarantees of due process and equality of arms will not have any limitation effects on fundamental rights. In Europe, such an approach violates the European Convention on Human Rights and the EU Charter of Fundamental Rights. If you add to this the legitimisation and promotion of privatised enforcement outside the rule of law within ACTA, you end up with a clear violation of Article 21 of the TEU which requires the European Union to support democracy and the rule of law in the context of its international relations.
In this context, the Development Committee of the European Parliament revealed its draft opinion on ACTA containing many factual errors. EDRi is concerned about many elements in the draft, such as the compliance of ACTA with the EU acquis. The criminal chapter for example is completely outside the EU acquis and as underlined in the European Parliament's DG Expo study conducted in 2011, ACTA "is significantly more stringent and rightholder friendly than the TRIPS Agreement".
Last week, as a protest against the whole ACTA process, the French MEP Kader Arif (S&D) resigned of its function as rapporteur on ACTA. The European Parliament will soon officially be seized on ACTA and one can only hope that the democracy will then make its way through.
INTA: ACTA - Why you should support it (01.2012)
European Parliament Directorate-General for External Policies of the Union,
"The Anti-Counterfeiting Trade Agreement (ACTA): An Assessment" (06.2011)
(see page 6 and page 39)
US Congress is not bound by ACTA, according to White House answers to Senate
Finance on ACTA and TPP negotiations (19.04.2011)
Draft Opinion on ACTA - European Parliament INTA Committe
(Contribution by Marie Humeau -EDRi)
This article is also available in:
Deutsch: ACTA-"Aufstand" in Polen
Polish youth apparently decided to break the stereotypes about the nation's passiveness and lack of interest in Internet politics. As soon as the Polish government announced that ACTA would be signed on 26 January, we became witnesses of an amazing movement. Hundreds of thousands joined protest groups created on Facebook, Polish MEPs announced they have received more than 100 000 e-mails encouraging them to vote against ACTA, petitions and appeals to Polish decision makers gained massive support.
On the top of this real and enthusiastic social movement, a group of self-proclaimed "hackers" started attacks on government servers (mostly DDOS), affecting mainly the Parliament, Prime Minister and the Ministry of Culture (responsible for ACTA dossier in Poland). Media immediately associated the attacks with Anonymous although this attribution wasn't confirmed. Apparently there was a split within the hacking community, which resulted in a few acts of denouncing. Nevertheless, social activity on ACTA and popular outrage continues and further protests are expected on 3 February.
Civic organisations are planning to organise an improvised Congress of the Free Internet on 4 and 5 February in order to meet activists from various groups and help them articulate their strategy. Many groups believe that this fight should be continued and extended beyond the issue of ACTA. Panoptykon Foundation, a member of EDRi, is involved in conceptual work and preparations. The foundation feels the burden of responsibility since it was the one which the communicated governmental plans to sign ACTA to the mainstream media (on 19 January) and prepared the ground for protesters with its earlier work. The foundation has been dealing a lot with ACTA over the last year, publishing numerous materials and sending appeals to decision makers both in Warsaw and Brussels. All of a sudden its effort, so far almost unnoticed, made perfect sense. Everybody who needed could reuse its arguments, papers and appeals for their own activity.
What is the government's response? Massive social protests supported by legal experts, mainsteam media and authorities such as the Ombudsman and the Data Protection Authority had no effect of the government's decision to sign ACTA. The Polish ambassador signed the treaty in Tokyo together with the majority of the EU Member States. The Prime Minister promised to organise real and open public consultations on ACTA - after its signing but before its ratification. For the protesters and experts criticising ACTA that promise was not enough. It is clear that this is not the end of the game, while the political situation is very dynamic. The protesters are turning more and more against the government itself. The flood of critique on ACTA and the way the Prime Minister and the Minister of Culture dealt with this "hot potato" is coming from all directions, including from within the government. Many expect further political shifts and interesting developments. We shall see.
(contribution by Katarzyna Szymielewicz - EDRi-member Panoptykon Foundation - Poland)
This article is also available in:
Deutsch: Das FAVA Gesetz – ein neuer Versuch zur Beschneidung der Bürgerrech...
There is a wide (and mainly unjustified) hype, in Italy, about a draft law proposed by a Mr. Fava, an MP belonging to the right wing party "Northern League". He asked the Italian Parliament to burden the ISP's shoulders with a duty of pre-emptive control (and consequent liability in case of lack of) for the wrongdoings of its users in the counterfeit milieu.
Mr.Fava's proposal is nothing but the last of a series of draft laws proposed during the past ten years, aimed at this same target, and supported by the endorsing MPs as a way to fight child pornography, defamation, copyright and - finally - the selling of counterfeit goods.
None of these proposals have ever outcome in a law, nevertheless they spread the wrong message that, on the Internet, the principle of the "personal liability" i.e. every person is responsible for his own actions - doesn't work. The same, indeed, is true for Fava's bill. Coming to the specific topic, Mr. Fava proposed the amendment of the legislative decree 70/2003 enforcing in Italy the EU E-commerce directive to widen the ISPs'liability.
Technically speaking, Mr. Fava's proposal has no ground. Counterfeit is, in Italy, a crime, and criminal law already punishes both the author of the crime and whoever gives him support (as associate or accomplishes.) Thus, if an ISP is found actually supporting a counterfeit crime (or any other kind of crime) can be prosecuted within the current legal framework, without the need of additional provisions.
Furthermore, as said, the legislative decree Mr. Fava wants to amend is the verbatim enforcement of an EU directive that contains none of what Mr.Fava wishes. Thus, the Italian Parliament has no "jurisdiction" over a European Union's settled law.
But why, then, did this proposed bill raise so many concerns? First, "digital rights" and "free speech" have fallen into media "blending machine" and civil rights issues are often "blurred" with claims of immunity for third party rights infringements. So, a cultural alliance between non-specialized journalists and opinionists invariably leads to threatening claims about the end of free speech and to the same invariably useless facebook fanboys' indignation.
Copyright, trademark and patent laws are actually damaging the essence itself of the civil rights (look at Apple's attempt to gain control over ideas through IP law-backed lawsuits) but this has nothing to do with the immunity asked by those who want to be free to download LOST's last season for free. The problem is that the journalists don't want to enter what is a perceived as complicated line of thinking, fearing to bore the readers. They want a cheeseburger-like stuff: easy to "cook", fast to deliver and "tasty" to eat. So long if that's junk food. Of course this is not an absolute statement, but a recognition of what often happens into the wild of the media frenziness.
Second, MPs are always seeking for industry support and vice-versa. This time (late according to software, entertainment, media and publisher industry) is the moment of the fashion manufacturing industry to try to shift the liability of users on the ISPs shoulders. This is the issue that Mr. Fava's proposal wants to deal with.
Third, despite the "ISP liabililty war" that has been fought in Italy for at least fifteen years, the Telco and ISPs industry didn't set up a long-term strategy to counter the attempt of both the governments and some specific industry sectors to obtain laws protecting very narrow interests. The result is a "stop-and-go" activity that only handles the urgency of a specific situation. No energy is allocated on the spreading of a cultural framework that shows how the protection of civil rights is a valuable asset for both the industry and the government.
In conclusion, Mr.Fava's bill is nothing but another nail in the coffin of civil rights protection because, again, it shifts the focus of the attention from the true threats against the citizens to the claimed "protection" of limited economic interests. It will not stop criminals, while it will put the rights of honest people in danger.
Amendment suggested by Mr. Fava (only in Italian, 12.2011)
Copyright, the beautiful country of the SOPA (only in Italian, 20.01.2012)
Intermediaries, private removals? (only in Italian,19.12.2011)
Towards an Italian SOPA? (30.01.2012)
(Contribution by by Andrea Monti - EDRi-member ALCEI, Italy)
This article is also available in:
Deutsch: Twitter führt länderspezifische Zensur ein
Twitter announced on 21 January 2012, on its official blog, its intention to introduce geolocation censorship, meaning that certain tweets will be censored in some countries based on different criteria according to the respective countries' legal framework.
Although a year ago Twitter, in its post "The Tweets must flow", declared in favour of free expression and proved to be a very useful instrument in the revolutions of the Arab world, supporting the coordination of the mass protests Egypt and by-passing the government censorship in Syria, it has now decided to change its policy.
Twitter's decision was justified by the "different ideas about the contours of freedom of expression" in the countries. "Some differ so much from our ideas that we will not be able to exist there. Others are similar but, for historical or cultural reasons, restrict certain types of content, such as France or Germany, which ban pro-Nazi content."
Twitter's decision was right away met with criticism from twitters and freedom of speech campaigners. Many of its users declared boycott on 28 January. Reporters Without Borders has expressed its concern in a letter sent to Twitter Executive Chairman Jack Dorsey urging him to reconsider this decision that violates freedom of expression.
Twitter argued that it would apply the geotagging system on a case-by-case basis, when governments or organisations complain about individual tweets. It also stated that the process will be a transparent one by posting the government removal demands on the Chilling Effects website.
EDRi-member EFF (Electronic Frontier Foundation), one of the partners in the Chilling Effects project, supports Twitter in its argument that the overall effect of the decision will be less censorship rather than more censorship, as the company already used to take things down, only it did it for all users. It also advises users on how to circumvent the blocking. When a message is blocked, "that tweet will not simply disappear-there will be a message informing you that content has been blocked due to your geographical location. Fortunately, your geographical location is easy to change on the Internet. You can use a proxy or a Tor exit node located in another country. Read Write Web also suggests that you can circumvent per-country censorship by simply changing the country listed in your profile."
Reporters Without Borders considers as vague Twitter's explanation that if it receives "a valid and properly scoped request from an authorized entity," it may respond by withholding access to certain content in a certain country, notifying the content's author at the same time. In the organisation's opinion this may leave room for abuse.
"Are you going to act in response to a court decision? Or, as is the case in China, will just a phone call from a government official or a local police station suffice to justify denying access to content? Are you going to limit yourselves to censoring tweets after they have been posted or, if faced with a flood of official requests, will you establish a system of prior censorship based on subjects or keyword defined by censors?" asks Reporters Without Borders in its letter.
One of the main concerns in also that the site will no longer act as a support in helping dissidents in countries with strong censorship such as China.
US civil liberties website, Demand Progress made an appeal to Twitter: "Twitter's importance as an open platform has been demonstrated time and again this year. We need you to keep fighting for and enabling freedom of expression - not rationalize away totalitarianism as a legitimate 'different idea'"
Letter to Twitter Executive Chairman Jack Dorsey urging him not to cooperate
with censors (22.01.2012)
Tweets still must flow (26.01.2012)
Twitter users threaten boycott over censorship accusation (27.01.2012)
What Does Twitter's Country-by-Country Takedown System Mean for Freedom of
Twitter uncloaks a year's worth of DMCA takedown notices, 4,410 in all
This article is also available in:
Deutsch: Belgien: Big Brother Awards 2012
Big Brother is everywhere! Numerous institutions, individuals and organizations do not comply with privacy rules and regulations. The Flemish "Liga voor Mensenrechten", an EDRi member and the Wallonian "Ligue des droits de l'hommes" joined forces in their fight against today's "Big Brother" culture!
Therefore, they organized, in collaboration with Vrije Universiteit Brussel and deBuren, the second edition of the "Big Brother Awards" on 26 January 2012, a night on which the nation's largest privacy violators are exposed and privacy protectors are rewarded. They critically questioned the many initiatives regarding surveillance, identity checks in the nightlife or recreational areas, body scanners, the unsavoury practices of Google, Apple or others.
During 7 weeks, the public was able to vote on nine privacy-infringers, which the Liga and the Ligue had selected. With more than 20% of the votes, the public chose a convincing winner. Although the word "loser" might be better used here, as the honour attached to a Big Brother Award is slightly questionable. The jury experts also selected 3 initiatives which infringe the privacy of innocent citizens. This, in itself, proves that privacy-infringements are still taking place on a daily basis.
Therefore it was time to introduce Big Brother to denounce the infringers. Privacy-experts from home and abroad gathered for a thought-provoking award-show. The Jury selected the following 3 winners, in 3 categories:
In the category "Enterprises" the award went to the Mobib-card from MIVB/STIB, as the chip card raises concerns about the safety of the personal data on the card and the anonymity of the user.
In the category "Media and Technology", the planned introduction of the smart grids was chosen. In their current form, the smart meters do not comply with the demands of the European Treaty for Human Rights in terms of respect for privacy, and raise questions concerning the safety of the recorded data.
In the category "Authority", the Police of the Westkust wins the award for their VIP project ("Very Irritating Police" - seriously, that's what it is called) against loiters and the disproportionate rise of CCTV at Westkust.
The Police of the Westkust received the price of the public as well, with 1470 out of more than 5000 votes.
Here are the main three reasons why the Westkust Police deserved the Big Brother Award: - The foundations of law are reversed: everyone is guilty until proven innocent; - The measures are disproportionate to the right to privacy, and - Security must not take precedence over personal freedom.
During the event, the Human Rights Leagues also handed out the Winston Award, a positive prize for a person or organization which works to protect the privacy of citizens. The Winston Award went to Yoogle!, from Constant vzw, an online game, miniature Web 2.0 allowing users to take a look behind the scenes of online data-gathering by playing different actors of the personal data market and by participating in the manoeuvres of each other.
Big Brother Awards Belgian 2012
Yoogle! - online game
(Contribution by Caroline de Geest - EDRi-member Liga voor Mensenrechten - Belgium)
This article is also available in:
Deutsch: ENDitorial: Erste EDRi-Stellungnahme zur Datenschutzverordnung
EDRi welcomes the European Commission's proposal for a new data protection Regulation. Europe needs a comprehensive reform in order to ensure the protection of its citizens' personal data and privacy, while enhancing legal certainty and competitiveness in a single digital market. Since the "inter-service" draft was leaked in December, there has been a significant lobbying effort by certain foreign governments and industries. Although, as a result, some of the provisions seem to have been watered down or downgraded, and although there are still areas of concern, we are pleased to see that the proposal still highlights the importance of key principles such as the need for a clear "legitimate ground" for processing, transparency, fairness, "purpose-limitation", "privacy by design", and data minimisation.
This is a first, positive step in a long legislative process that in the end will hopefully secure greater respect for and awareness of the fundamental right to data protection and to privacy for European citizens.
Why we need a Regulation (and not a Directive) An EU wide, unified approach to securing an appropriately high level of data protection, and to the safeguarding of essential elements of democratic societies such as privacy and free speech is long overdue. It is crucial in a fast changing digital environment.
European Court of Justice case-law over the past 15 years shows that many Member States met neither the substantive nor the procedural/enforcement requirements of EU data protection law in full. Data protection legislation is moreover highly fragmented: legislators and regulators in the 27 EU Member States implement the Directive in 27 different ways. Harmonisation in the form of a single, directly applicable instrument is indeed needed to ensure legal certainty in the single European market - for citizens and businesses alike.
Scope According to Article 3(2) of the Regulation, its provisions will also apply to processing by non-EU entities if the processing activities of those entities are related to the offering of goods or services to EU data subjects, or to the monitoring of EU citizens' behaviour. This replaces the rather unclear "use of equipment" test of the Directive. EDRi welcomes these new rules on territorial scope.
The right to be forgotten and free speech issues The"right to be forgotten" (Art. 17) is basically a re-affirmation and strengthening of the already existing right to deletion of personal data after the purpose for which they were processed has been fulfilled (Art.12 of Directive 95/46/EC). The current draft proposal goes further than the 1995 Directive by proposing the right to erasure if the data are no longer necessary or if the data subject withdraws his/her consent, and by including rules aimed at the erasure of any public Internet link to, copy or replication of the personal data relating to the data subject which the data subject is seeking to have removed. This especially applies "in relation to personal data which are made available by the data subject while he or she was a child". However, the provision has been weakened since the last leak, now requiring merely that the data controller "shall take all reasonable steps" to inform third parties that the user wishes to erase any links to or copies of the material.
EDRi also believes that as currently draft, the article could have serious (if perhaps unintended) implications for freedom of speech. Even though one of the aims of this article is to counter the loss of purpose limitations in social media, it must be carefully drafted to avoid its potential misuse as a tool for censorship.
Overall, in EDRi's view, the "right to be forgotten" article was not particularly well drafted. EDRi would therefore like to see the text clarified and strengthened, but also feels that the underlying thinking is a step in the right direction.
Data portability in general (Article 18) Individuals will be given the right to demand that an organisation should transfer any or all information held about them to a third party in a format which the individual determines. This increases the control that individuals have over data which identifies them and makes it easier for them to transfer business or employment relationships. The text does not clarify who will be required to cover associated costs of such an exercise. In EDRi's view, this should not be at the expense of the data subject. Other than that, EDRi welcomes this new principle.
Right to Data Portability in relation to social networks The right to data portability mentioned above includes the right to move account information from one social media service to another and to benefit from privacy-friendly alternatives. This right is limited by a rather poorly-drafted requirement on the format to be used for stored data. It is important that users have a right to their electronically stored data, "in an electronic format which is commonly used" rather than only having the right to obtain the data if they are stored in such a format. This is a very good start to deal for dealing with the network externalities and related natural monopolies of networking platforms such as social networks. But in EDRi's view, in order to work, this should include an inter-connection or inter-operability provision.
Privacy by Design/Default EDRi also welcomes the new provisions regarding privacy by design / by default of Article 23, since it is essential that companies consider privacy at each stage of product development. However, in EDRi's view, an effective implementation mechanism of "privacy by design" is needed. This could be created by the introduction of an obligation to conduct privacy impact assessments, which aim to ensure that privacy concerns are built into every part of the life cycle of a product or service.
EDRi also welcomes the support given by the proposed Regulation to European Certification processes, provided that (like the current European Privacy Seal, EuroPriSe), they apply the highest and strictest European data protection standards.
Data breach notification Articles 31and 32 introduce an obligation to notify personal data breaches, in principle within 24 hours (but with some sensible flexibility built in). Moreover, individual users should be notified of a leak if the leak is "likely to adversely affect the protection of the personal data or privacy" of the users. In EDRi's view, it is essential that customers are informed if their personal information have been compromised, so that they can protect themselves by, for example, changing passwords or getting new credit cards. This broad obligation to report data breaches is very important, but the articles do not provide for a central public register of data leakage. In EDRi's opinion, this provision can therefore be further improved.
Transfer of personal data to a third country (Article 42) Under the proposed new Regulation, as under the current Directive, personal data may only be transferred to a third country if certain criteria are met to ensure an appropriate level of protection of those personal data. However, Article 42 has been watered down and, in EDRi's opinion, rendered almost meaningless since the very first leaked draft of the Regulation. The leaked version of the new Regulation indicated that barriers imposed on for foreign judicial authorities regarding the to access of European data outside fell beyond the scope of the agreed legal frameworks. It stated that in cases where a third country requests the disclosure of personal data, the controller or processor had to obtain prior authorisation for the transfer from its local supervisory authority. The initial goal of this article was clearly to address extra-territorial actions by third countries such as the USA, acting under the PATRIOT Act or the Foreign Intelligence Surveillance Act (FISA). The Article has, however, been totally emasculated, by only imposing the condition that the third country has "adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument". EDRi and other civil society groups will forcefully oppose this new text.
According to the US Department of Commerce recent lobbying , Article 42 of the proposed Regulation might affect US-registered companies located in the EU and their ability to conduct business in the US. It is noteworthy that the US currently uses instruments such as the Foreign Intelligence Surveillance Act (FISA) and the Patriot Act to retrieve data on (e.g.) the political activities of foreign individuals, who may have no links whatsoever with the USA, via companies with US offices. This legal vacuum was meant to be addressed by article 42. It has not been. EDRi believes that this will be one of the most important areas of debate. We will insist that the EU rules will ensure full respect for the civil and political rights of EU citizens, also against encroachment from U.S. authorities.
Fines EDRi welcomes the idea of having a range of different sanctions available for specific types of data protection violations (Art. 79). As part of the European harmonisation of data protection legislation, national authorities will have greater power to impose penalties for infringements. The fines clearly need to have a serious dissuasive effect, therefore it is sensible (as in with competition policy) to make them dependent on the gross annual turnover of a company. However we note that, since the last leak, the maximum fine of 5% of global turnover has regrettably been reduced to 2% and minimum fines have been deleted. In EDRi's view, this reduction in maximum fines is unwarranted.
Finally: EDRi will provide it's a comprehensive analysis later, on the full proposed framework, Regulation and Directive. In the meantime, we welcome Commissioner Reding's proposals as a positive first step in the long process of updating privacy and data protection for EU citizens in the digital environment.
US lobbying against draft Data Protection Regulation (22.12.2011)
EDRi-gram: US continue pushing on EU Commission against Data Protection
(Contribution by Kirsten Fiedler - EDRi)
This article is also available in:
Read&share the EDRi papers!
Activist Guide to the Brussels Maze
EU Survellance: A summary of current EU surveillance and security measures
How the Internet works - a guide for policy-makers
This article is also available in:
UK: Smart meters for energy to be voluntary (1.02.2012)
Plans to force households to have energy smart meters installed have been shelved over health and privacy fears.
Infographic: Hollywood's long war on technology (8.01.2012)
This article is also available in:
4-5 February 2012, Brussels, Belgium
FOSDEM 2012 - Free and Open source Software Developers' European Meeting
25 February 2012, Szeged, Hungary
Copyright and Human Rights in the Information Age: Conflict or Harmonious Coexistence
7 March 2012, Amsterdam, Netherlands
Big Brother Awards Netherlands 2012
16 March 2012, Rotterdam, Netherlands
EPSIplatform Conference: Taking government data re-use to the next level!
30 March - 1 April 2012, Berlin, Germany
Wikimedia Chapters Meeting 2012
13 April 2012, Biefeld, Germany
Big Brother Awards Germany
16-18 April 2012, Cambridge, UK
Cambridge 2012: Innovation and Impact - Openly Collaborating to Enhance Education OER12 and the OCW Consortium's Global Conference
2-4 May 2012, Berlin, Germany
Re:Publica 2012: ACTION!
14-15 June 2012, Stockholm, Sweden
20-22 June 2012, Paris, France
2012 World Open Educational Resources Congress
9-10 July 2012, Barcelona, Spain
8th International Conference on Internet Law & Politics: Challenges and Opportunities of Online Entertainment
11-13 July 2012, Vigo, Spain
The 12th Privacy Enhancing Technologies Symposium (PETS 2012)
12-14 September 2012, Louvain-la-Neuve, Belgium
Building Institutions for Sustainable Scientific, Cultural and genetic Resources Commons.
7-10 October 2012, Amsterdam, Netherlands
2012 Amsterdam Privacy Confernece