The latest EDRi-gram arrives drenched in blood from Brussels.
======================================================================
EDRi-gram
fortnightly newsletter about digital civil rights in Europe
EDRi-gram 14.06, 23 March 2016
Read online: https://edri.org/edri-gram/14-06/
Contents
1. EDRi's input on violent extremism for UN Human Rights Commissioner
2. Lots to like in Advocate General’s opinion on free WiFi & copyright
3. Loopholes creeping into the Italian proposal on net neutrality
4. EPIC Intervenes in Privacy Case at European Court of Human Rights
5. Danish government postpones plans to re-introduce session logging
6. Data protection bill in Turkish Parliament
7. The lobby-tomy 3: who are lobbying?
8. Recommended Action
9. Recommended Reading
10. Agenda
11. About
1. EDRi's input on violent extremism for UN Human Rights Commissioner
EDRi firmly condemns the Brussels terror attacks as well as other acts
of violence and terrorism around the world. While acknowledging the
importance of combating terrorism and violent extremism, EDRi is
concerned about the disproportionate and misguided responses by certain
UN countries in pursuit of this aim.
.................................................................
Support our work - make a recurrent donation!
https://edri.org/supporters/
.................................................................
In this context, the United Nations (UN) Resolution 30/15 asked the
Office of the High Commissioner for Human Rights (OHCHR) to issue “a
report on the best practices and lessons learned” to show how human
rights protection and promotion contribute to preventing and countering
violent extremism. On 18 March, EDRi responded to the UN Commissioner
for Human Rights' call for input.
Our response to the High Commissioner's consultation follows a joint
open letter to the Commissioner and a joint submission for the UN Human
Rights Council that EDRi co-signed on 4 February 2016.
First, we highlight the lack of accuracy in, misuse of, and confusion
between the concepts of “terrorism” and “violent extremism”.
Secondly, EDRi provides input regarding the threat that
counter-terrorism measures pose to our human rights and
fundamental freedoms, such as the human right to privacy and the
fundamental right to data protection and freedom of expression.
Thirdly, we bring to the attention of the Commissioner the coercion
exerted by certain states on private entities without any
accountability, international human rights safeguards or respect for the
rule of law.
In light of the problems highlighted above, EDRi recommended that the
Commissioner follow the recommendations that EDRi-member Article 19
had already outlined. Stakeholders are invited to provide input to the
UN Commissioner for Human Rights and his office by 11 April 2016.
OHCHR: Human rights and preventing and countering violent extremism
http://www.ohchr.org/EN/Issues/RuleOfLaw/Pages/PCVE.aspx
EDRi: Input on human rights and preventing and countering violent
extremism (18.03.2016)
https://edri.org/files/2016-UN-consultation.pdf
Joint statement on Initiatives to "counter and prevent violent
extremism” raise serious human rights concerns (04.02.2016)
https://www.article19.org/data/files/Joint_Written_Submission_PVE_HRC31.pdf
Joint open letter for United Nations Human Rights Council regarding
panel discussion on “preventing and countering violent extremism and
human rights” (04.02.2016)
https://www.article19.org/data/files/Joint_Letter_to_High_Commissioner_PVE.pdf
UN HRC: Resolution on “violent extremism” undermines clarity (08.10.2015)
https://www.article19.org/resources.php/resource/38133/en/un-hrc:-resolution-on-%E2%80%9Cviolent-extremism%E2%80%9D-undermines-clarity
(Contribution by Maryant Fernández Pérez, EDRi)
2. Lots to like in Advocate General’s opinion on free WiFi & copyright
Last week, Advocate General Szpunar published his opinion in the
McFadden case before the Court of Justice of the European Union (CJEU).
The facts of the case
In 2010, Berlin businessman Tobias McFadden was offering free,
non-password protected WiFi to his customers. Sony Music claimed that
the network was being used to infringe their copyrighted material, and
applied for an injunction to bring this to an end, also demanding
compensation for their legal fees. The German Court of Appeal referred
the case to the CJEU in order to clarify the scope of McFadden's
liability, as well as the possible scope of the injunctions.
Legal issues
The issues that arose were, firstly, whether WiFi operators could be
asked to pay for illegal activities undertaken over their networks and,
secondly, whether an injunction could be imposed to prevent
infringements by (I) terminating the internet connection of infringing
users; (II) introducing password protection on the network in order to
identify users; and (III) monitoring users' communications in order to
detect infringements.
Related to this second topic, another question touched on in this case
is how specific injunctions must be. Is it up to the court to determine
the appropriate measures for compliance with an injunction, or can it be
left to the intermediary to a certain extent?
The Opinion
(Free) WiFi services are not liable for their users' infringements
Under European Union law, certain internet-related services are exempted
from liability for the activities of their users. One category of
protected intermediaries is the so-called 'mere conduit', where the
access provider is understood to be a “dumb pipe” between the user and
the Internet. But does it also include free WiFi hotspots?
Yes, according to AG Szpunar. He reasons that all necessary conditions
were met for McFadden to qualify as an 'information society service' and
as a 'mere conduit' for the purposes of the e-Commerce Directive. The
Opinion is a relatively straightforward application of the law and it
contains two important clarifications: Firstly, irrespective of
remuneration, WiFi access services provided by businesses can be
qualified as an economic activity, therefore allowing them to fall under
the e-Commerce framework. Secondly, he notes that the e-Commerce
liability exemptions also protect intermediaries against liability for
pre-litigation costs and court costs.
WiFi operators need not disconnect or monitor their users, nor introduce
password protections
It is important to note that the e-Commerce liability framework does not
shield intermediaries from injunctive relief. While they are exempt from
paying any damages, intermediaries can still be compelled to take action
in stopping illegal activity on their services. How far these duties can
go has been the subject of much debate and speculation.
AG Szpunar concludes that the measures proposed (terminating the
connection of users, introducing passwords and monitoring
communications) do not meet the test established in earlier case law
that injunctions must strike a 'fair balance' between the competing
fundamental rights involved. These rights include the intermediary's
freedom to conduct a business as well as the users' rights to privacy
and to seek and impart information.
Regarding the termination of Internet connections, Szpunar makes clear
that any such measure is 'manifestly incompatible' with the fair balance
test, 'since it compromises the essence of the freedom to conduct
business of persons who, if only in ancillary fashion, pursue the
economic activity of providing Internet access'. This strong wording
leaves little doubt that disconnecting users from the Internet is off
the table when it comes to copyright enforcement.
Injunctions forcing WiFi operators to monitor the communications of
their customers are also rejected rather unambiguously. The AG concludes
that this amounts to a 'general monitoring obligation' as prohibited
under Article 15 of the e-Commerce Directive. The notion is
done away with without much further ado.
The question of password protection is likely the most interesting
aspect of the case for many readers, as codes and case law provide
little guidance on this issue. The AG notes that forcing password
protection can discourage or hinder usage of the WiFi service and thus
undermine the business model of the operator. The envisaged measure also
requires the otherwise technically unnecessary processing of users'
personal data. Szpunar comments that 'conferring an active, preventative
role on intermediary service providers would be inconsistent with their
particular status, which is protected under Directive 2000/31'. He adds
that open WiFi networks tend to have limited bandwidth and are therefore
not particularly susceptible to being used for copyright infringement;
and that open WiFi points offer great potential for innovation which
could be diminished by the introduction of password protection.
Therefore, forcing WiFi operators to introduce password protections is
not a proportionate strategy for copyright enforcement and does not
strike the necessary fair balance between the rights and interests involved.
Injunctions need to be specific (well, sometimes, at least)
In the earlier case of UPC Telekabel, the Court already held that
national courts issuing injunctions can leave it to intermediaries to
determine what specific measures must be taken to end an infringement
(assuming that this is permissible under national law). At issue was an
Austrian Erfolgsverbot, which specifies the desired outcome (i.e. ending
copyright infringements) but not the measures which must be taken to
that end. In that case, the Court reasoned that intermediaries are often
better placed to assess what is the most appropriate measure, in light
of their particular resources, abilities and legal obligations. On the
other hand, it can also be argued that such open-ended injunctions
create a great deal of legal uncertainty for the intermediary. In many
cases it would be impossible or disproportionate to end every single
infringement, so when can the intermediary be sure that it has done
enough? The Court in Telekabel tried to provide guidance by stating that
they must 'at least make [infringements] difficult' and 'have the effect
of seriously discouraging' infringements, but this still obviously
leaves a lot of room for interpretation, and, as illustrated by this
case, creates a serious risk of the adopted measures restricting the
fundamental freedoms of innocent users.
In this new opinion, Szpunar adopts a narrow view of the specificity of
injunctions, arguing that they cannot be applied in cases, 'in which the
very existence of appropriate measures is the subject of debate'. In
other words, where it is unclear which measures might strike a 'fair
balance' between the competing rights at stake, the Court must step in
and exercise its judgement rather than leaving the issue open to
interpretation by the intermediary.
Conclusion
The Opinion is certainly welcome and it is to be hoped that the broad
lines of the thinking are followed by the full Court ruling. Szpunar's
clarifications on the protection of free services, as well as on
immunity for pre-trial costs, are also helpful - not only for WiFi
services but for internet access services in general.
It is somewhat noteworthy that Szpunar relies on the WiFi operator's
freedom to conduct a business more heavily than on the rights of the users.
The specificity of injunctions may seem like a relatively obscure,
formalistic topic. However, looking at the range of possible
infringements of both citizens' and businesses' rights that could be
inflicted by injunctions (or, by inference, by liability protections
not being extended to such operators), it is in fact a crucial matter in
the protection of digital rights. AG Szpunar, by emphasising the role of
the courts in striking a fair and predictable balance, lessens the
burden on intermediaries in a way which appears to give real meaning to
the “provided for by law” obligation in Article 52 of the EU Charter. In
this regard, it is encouraging that Szpunar writes: 'given that
determining what measures it is appropriate to adopt entails striking a
fair balance between the various fundamental rights involved, that task
ought to be undertaken by a court, rather than left entirely to the
addressee of an injunction'. (emphasis mine) However, the opinion fails
to address how much specificity and what national law safeguards are
necessary for the court order to be valid. The term 'entirely' does
suggest that intermediaries will continue to share at least in part the
responsibility to strike a fair balance when implementing the
injunction, as was already determined in UPC Telekabel.
More importantly, given the analysis of the Advocate General, it seems
logically impossible for EU legislators to impose any greater level of
liability on Internet providers than is currently the case, because
restrictions on fundamental rights would be virtually inevitable as a
consequence.
'Opinion of Advocate General Szpunar in Case C‑484/14 Tobias McFadden v
Sony Music Entertainment Germany GmbH' (16.03.2016)
http://curia.europa.eu/juris/document/document.jsf?text=&docid=175130&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=253730
'Open Wireless Advocates to European Court: Don't Make Us Lock Down Our
Networks' (02.06.2015)
https://www.eff.org/deeplinks/2015/06/open-wireless-advocates-european-court-dont-make-us-lock-down-our-networks
'Web-blocking in Austria – law with the law taken out' (22.10.2014)
https://edri.org/web-blocking-austria-law-with-the-law-taken-out/
'Staying safe on public Wi-Fi' (03.06.2015)
http://www.cnet.com/how-to/tips-to-stay-safe-on-public-wi-fi/
(Contribution by Paddy Leersen, EDRi intern)
3. Loopholes creeping into the Italian proposal on net neutrality
The Italian legislative proposal on net neutrality is currently being
discussed by the Italian Parliament. Notwithstanding general provisions
on the equal treatment of traffic for Internet access services, its
amended text contains loopholes and provisions that raise concerns. The
text, now containing references to EU Regulation 2015/2120 on net
neutrality (and mobile roaming), generally fails to address its main
issues, including prioritisation of traffic.
In fact, while including a clause on equal treatment of traffic for
internet access services (Art. 3(1)), it foresees at the same time the
possibility to differentiate among best-effort services and 'additional'
services (Art. 3(2)). According to the draft Italian law, those services
may prioritise classes of traffic, apparently without limitation. If
adopted, Internet access providers would be able to offer separate
prioritised services as long as they are not included in the general
Internet offer. Art. 3(2) of the Italian draft law states that:
“In accordance with implementation guidelines of Art. 3(5) of Regulation
2015/2120, ISPs may commercialise added-value services for
prioritisation of traffic classes in their network in order to satisfy
specific exigencies of business or home customers”.
If adopted as law, this would also mean that operators would be free to
offer an internet access subscription for €X capped at YMb, on top of
which customers can buy zero-rated services, that could be offered
à la carte or as a bouquet. This would severely restrict the freedom to
impart information for Italians. An Italian service provider, TIM, is
already offering a zero-rated video streaming service ('TimVision'),
which gives unlimited access to contents provided by TimVision and other
affiliated content providers without consuming gigabytes. For the
moment, it only includes audiovisual entertainment, but TIM announced
that they are going to offer a 4k service on wired broadband and a
possibility to open it to other commercial partners.
Much of this scenario is, thankfully, not legally permitted. The
possibility of selling discriminatory services to business or home
customers is not mentioned in Article 3(5) of the EU Regulation. The
only criterion specified is that the increased quality is “necessary”
and a further multi-part test is specified in other parts of the
Regulation – namely that the specific level of quality is “required” by
the service, is “objectively necessary”, such services cannot be offered
as a replacement for Internet access services, they cannot be used to
give priority to specialised services over comparable content,
applications or services available and they cannot be provided to the
detriment of Internet access services.
Moreover, Art. 3(3) of the draft law establishes that ISPs shall not set
monthly rates depending on services or applications provided through
Internet access services. However, this provision refers only to
Internet access services, and any kind of paid prioritisation would be
allowed under the provision of additional services by ISPs. This is also
not in line with the EU Regulation.
The Italian draft text pays lip service to users' freedoms but does not
protect them. The proposed law claims to guarantee end users' freedom of
choice by allowing them to access preferred content and applications
through additional services. This is totally misleading, since the main
outcome of such fast- and slow-lanes is that these provisions would
overturn the openness principle of the Internet, to the detriment of fair
competition, innovation and freedom of communication.
Given these facts, it seems clear that the legislative process in Italy
has added to, rather than removed, the grey areas in the EU text, and is
out of kilter, if not in outright contradiction, with EU Regulation
2015/2120.
Italian draft proposal on Internet services provision for the protection
of competition and users' access freedom (only in Italian, 08.08.2014)
http://www.camera.it/_dati/leg17/lavori/stampati/pdf/17PDL0024880.pdf
Amendments to the Italian draft proposal on Internet services
provision for the protection of competition and users' access freedom
http://documenti.camera.it/apps/emendamenti/getProposteEmendative.aspx?contenitorePortante=leg.17.eme.ac.2520&tipoSeduta=1&sedeEsame=referente&urnTestoRiferimento=urn:leg:17:2520:null:null:com:09:referente&tipoListaEmendamenti=1
TIMVision's offer on smartphones and tablets without consuming GBs (only
in Italian)
https://www.tim.it/offerte/tv-entertainment/film-e-tv/timvision
EU Regulation No. 531/2012 on roaming on public mobile communications
networks within the Union (25.11.2015)
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32015R2120
(Contribution by Elisabetta Biasin, EDRi intern)
4. EPIC Intervenes in Privacy Case at European Court of Human Rights
EPIC filed a third-party intervention with the European Court of Human
Rights in a significant case about mass surveillance and transatlantic
co-operation between intelligence agencies. The 10 Human Rights
Organizations and Others v the UK (24960/15) case involves a challenge
brought by NGOs from all around the world including Privacy
International, the American Civil Liberties Union, the Hungarian Civil
Liberties Union, and the Legal Resources Centre in South Africa.
The human rights organisations argue that surveillance by British and
U.S. intelligence organisations violates their rights to privacy and
freedom of expression. In support of the NGOs, EPIC provided the Court
with information concerning the scope and nature of surveillance
conducted by the US National Security Agency (NSA), which has a special
relevance to this case. Specifically, in its brief EPIC discusses:
(1) the NSA’s capacity for wide scale surveillance and the legal
structures in the United States governing NSA activities, including a
brief history of the surveillance activities revealed in documents
released by Edward Snowden,
(2) the impact of recent reform proposals in the US on privacy
protections for non-U.S. persons and, finally
(3) current trends in US and European surveillance law that are
undermining privacy, data protection, and security.
EPIC explained that the NSA's "technological capacities" enable "wide
scale surveillance" and that US statutes do not restrict surveillance of
non-U.S. persons abroad. "The NSA collects personal data from around the
world and transfers that data without adequate legal protections."
Article 19 also submitted a third-party intervention in the procedure to
highlight the chilling effect of mass surveillance and the importance of
source protection for NGOs.
The case is closely connected to others currently before the Court such
as the Big Brother Watch v the UK (58170/13) and the Bureau of
Investigative Journalism and Alice Ross v the UK (62322/14). The
difference between these two cases and the one EPIC is participating in
is the exhaustion of domestic remedies. It is up to the Court to assess
if the Investigatory Powers Tribunal’s procedure is considered “effective”.
The Court’s decision will have an important impact on the trend that
both the United States and EU Member States are moving toward laws and
measures that further undermine privacy and security. As Jameel Jaffer,
Deputy Legal Director of ACLU, has put it, “Mass surveillance is
increasingly global, but so is resistance to it.”
EPIC’s third-party intervention
https://epic.org/amicus/echr/liberty-gchq/TenHumanRightsOrganizations-EPIC-Amicus-ECtHR-18032016.pdf
10 Human Rights Organizations and Others v the UK
http://hudoc.echr.coe.int/eng?i=001-159526
Article 19’s third-party intervention
https://www.article19.org/resources.php/resource/38293/en/ecthr:-bulk-interception-powers-violate-freedom-of-expression
Monika Ermert: Europe: queue of complaints against snooping laws grows
by the month (12.03.2016)
http://policyreview.info/articles/news/europe-queue-complaints-against-snooping-laws-grows-month/397
The Guardian: GCHQ spied on Amnesty International, tribunal tells group
in email (02.07.2015)
http://www.theguardian.com/uk-news/2015/jul/01/gchq-spied-amnesty-international-tribunal-email
(Contribution by Fanny Hidvegi, EPIC)
5. Danish government postpones plans to re-introduce session logging
When the EU Data Retention Directive was transposed into national law
after its adoption in 2006, Denmark chose one of the most excessive
implementations. Danish Internet service
providers (ISPs) were required to retain session information (source and
destination IP addresses, port numbers, session type e.g. TCP or UDP,
and timestamp) for every 500th internet packet. In June 2014, the
response of the Danish government to the data retention judgment of the
Court of Justice of the European Union (CJEU) was to uphold the national
data retention law, but rules on session logging were repealed. The
Ministry of Justice could no longer argue for the necessity of session
logging when, after seven years of collecting detailed information about
internet usage for the entire population, the Danish Police could only
point to a single case, involving web banking fraud on a minor scale,
where this information had been useful.
The Ministry of Justice and the Danish Police were quite careful in
putting the official blame for the failure of session logging on the
specific implementation chosen by the ISPs. In June 2014, it was clearly
suggested that session logging could come back if the effectiveness
could somehow be improved. It only took seven months for the first
rumours about this to surface, and a year later, on 29 January 2016, the
Danish Telecom Industry Association and civil society organisations
(including IT-Pol Denmark) were summoned, at short notice, to a meeting
at the Ministry of Justice where the intention to re-introduce session
logging was announced.
The new session logging scheme was outlined at the meeting. Apparently,
the Ministry of Justice and the Danish Police held a secret internal
evaluation of the previous failed session logging scheme, and the new
proposal seems to be based entirely on this analysis. However, this
internal evaluation has not been subjected to any public scrutiny. An
analysis by IT-Pol Denmark identified several flaws in the arguments
used by the Ministry of Justice and the Danish Police, and the IT-Pol
analysis concludes that very little new information (if any at all) is
offered.
A statutory evaluation of the Danish data retention law is long overdue,
after the evaluation was postponed four times by the Danish Parliament.
Access to documents requests about the internal evaluation were denied
by the Ministry of Justice using various exemptions in the Danish
Freedom of Information Act. Rather ironically, the most detailed
evaluation of Danish session logging that is currently publicly
available has been produced by the British Home Office. The
Investigatory Powers Bill (IP Bill), presented to the British Parliament
in November 2015, also contains provisions for session logging, which
are called Internet connection records (ICRs) in the IP Bill. The Danish
and UK proposals are surprisingly similar, and both proposals come with
unsubstantiated claims that they will not repeat the prior Danish
failure with session logging.
While serious doubts about effectiveness remained unresolved, it quickly
became clear that the new Danish session logging proposal would be
extremely expensive. After a couple of weeks, the Danish Telecom
Industry Association estimated that the investment in equipment alone
would be 135 million euros plus unspecified annual operating costs.
Compared to the previous session logging scheme, the cost increase was
more than 10-fold, and the amount of data retained every day would
increase 20-fold. The Danish government initially claimed that this cost
estimate was too high, and an independent cost assessment report from
Ernst & Young was commissioned.
On 17 March 2016, the Danish situation took a surprising turn when the
Minister of Justice Søren Pind announced that the plans to re-introduce
session logging had been put on hold. The cost assessment report from
Ernst & Young confirms the estimates made by the Danish ISPs, and this
price tag is simply too expensive for the Minister of Justice. This also
solves a potential inconvenience for the Danish government since there
has been some internal debate within the government party as to whether
session logging is reasonable and proportionate.
For the time being, there will be no mass surveillance of Danish
Internet users through session logging. While this is clearly positive,
it is also disconcerting that the decision by the Minister of Justice is
based entirely on cost. In the public debate after 29 January, the
Minister of Justice has refused to even discuss the notion that
collecting information about every Internet session is surveillance,
even though paragraph 37 of the CJEU judgment clearly says that data
retention is surveillance and a particularly serious interference with
articles 7 and 8 of the Charter of Fundamental Rights (right to privacy
and data protection). The Minister of Justice has even complained (in a
Facebook post) that Danish media is not taking the threat of terrorism
seriously enough in its reporting of the public debate on session logging.
Session logging has become a true zombie in Danish surveillance
politics. Having been abandoned twice now, a new proposal could still
resurface in 6-12 months as the Ministry of Justice will now consult
with the Danish ISPs about a cheaper compromise solution for session
logging. However, it is highly questionable that a technical solution
can be found which, on one hand, has reasonable financial costs
(whatever that means) and, on the other hand, is sufficiently distinct
from the failed session logging scheme that was in place between 2007
and 2014. Needless to say, civil society is not invited to take part in
this dialogue, as privacy concerns of Danish citizens seem to be
completely ignored by the Ministry of Justice.
In the coming weeks, it will be interesting to see whether the surprise
Danish developments have any effect on the British parliamentary debate
about ICRs in the IP Bill. The Joint Committee for the Draft IP Bill
looked closely at the prior Danish experiences with session logging
(IT-Pol gave written and oral evidence to the Joint Committee), and the
most recent Danish cost assessment strongly suggests that ICR collection
will be much more expensive than the British government has anticipated.
Under the IP Bill, the Home Office will pay the financial costs of data
retention, but for ICRs the Home Office has only budgeted 175
million pounds over a 10-year period.
EDRi-gram: Danish government plans to re-introduce session logging
(14.01.2015)
https://edri.org/danish-government-plans-to-re-introduce-session-logging/
Comparison of internet connection records in the Investigatory Powers
Bill with Danish Internet Session Logging legislation, Home Office of
British government (29.02.2016)
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/504189/Comparison_of_ICRs_with_Danish_Session_Logging.pdf
Note from IT-Pol Denmark about the new and old session logging scheme
(only in Danish, 04.03.2016)
https://itpol.dk/notater/notat-itpol-ny-gammel-sessionslogning
Britain to pay billions for monster internet surveillance network,
Computerweekly.com (21.03.2016)
http://www.computerweekly.com/news/4500279596/Britain-to-pay-billions-for-monster-internet-surveillance-network
(Contribution by: Jesper Lund, IT-Pol)
6. Data protection bill in Turkish Parliament
Turkey does not have a data protection law, but since 2003 there have
been numerous attempts to enact legislation in this area. The drafts of
such bills have been criticised for not being in accordance with the
contemporary approach to data protection. For example, the 2013 draft
envisaged the establishment of a seven-member Data Protection Authority,
of which four members were to be appointed by the government. The uproar
against the draft caused the government to withdraw it – as happened
with various previous proposals. Moreover, the government was concerned
by the disparity of the bill with Directive 95/46/EC, the EU Data
Protection Directive.
The government brought a revised bill to the Parliament in the beginning
of 2016, which is currently being discussed. About a quarter of the
bill's 33 items have already been adopted as of 22 March 2016. Since the
ruling party (Justice and Development Party - AKP) has the majority in
the Parliament it is likely that the bill will be passed by the
Parliament this time.
However, the new bill is even worse than the previous ones. Besides
other problem areas, four members of the Data Protection Authority are
to be appointed by the government and three of them are to be appointed
by the President. The EU Directive requires data protection authorities
to “act with complete independence.” Additionally, several government
agencies such as the secret service and police force are given exemptions
for collecting and processing citizens' data without the knowledge of
the data owners.
Turkey’s data protection draft law open to abuse: Expert
www.hurriyetdailynews.com/turkeys-data-protection-draft-law-open-to-abuse-expert-.aspx?pageID=238&nID=95796&NewsCatID=341
EU Directive 1995/46/EC
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML
European Court of Justice rules on German DPA system
http://www.lexology.com/library/detail.aspx?g=dc79f450-22a4-4d51-97e7-9041a5aaf537
7. The lobby-tomy 3: who are lobbying?
Did you know that there are 340,000 dentists in Europe? And that they
lobby about privacy? Who else lobbies? How do parties/groups create
coalitions to persuade policy makers? What's the mayor of Amsterdam
doing in Brussels? In this blog on the privacy lobby we describe the
different parties that are lobbying.
The new European data protection regulation probably is the most lobbied
piece of legislation thus far because the subject is very important and
touches upon almost every aspect of our daily lives and almost every
business. Therefore Bits of Freedom used the Dutch freedom of
information act to ask the government to publish all the lobby documents
they received on this new law. We published these documents on the Bits
of Freedom website with our analysis in a series of blogs. Which parties
lobby? What do they want? What does that mean for you? We have now
translated these 9 blogs into English for the EDRi-gram. This is part 3.
Authority and representativity
Right. So there are 340,000 dentists in Europe. Apart from that, there
are 73 Jewish genealogical societies who in total have about 10,000
members. Also, an email to the ministry of justice shows that the
Inretail association acts on behalf of 6,000 shopkeepers and 16,000
shops in the “non-food” sector. This sector entails “living and fashion,
shoes and sports.”
These aren't just random facts. This “number-dropping” has a specific
aim: claiming authority and representativity to convince policy makers.
Many parties do this to underline the importance of their position and
arguments. In Brussels, this is particularly important: there are many
organizations that act on behalf of an entire sector on a European
level. Insurance Europe for example acts on behalf of the insurance
sector in the different member states.
Access
It also facilitates access. No longer do five different technology
companies have to knock on a policy maker's door, but just one, which
also happens to know that policy maker very well because he's been there
quite often. This is why many organizations choose to be represented by
local consultants. Except individual companies – especially rich ones –
might be part of two or twenty-two such organisations.
The power of coalitions
It's even better if you can speak on behalf of an entire coalition. It
basically means: these points are really important, because
organizations from completely different sectors support them. If you
don't accept these points as a policy maker, you run the risk of
disregarding different sectors at once.
That is why some organizations launch new coalitions. Take a look at the
email from Ericsson to the Dutch permanent representation to the EU for
example, which announces wonderful news in a lobby document: a new
coalition has been started that contains different companies from
different sectors. And this coalition is very important: “With an
aggregated turnover of over € 100 billion and some 520,000 employees
worldwide, the Coalition members’ considerable presence allows them to
bring growth, progress and jobs to the EU’s economy.”
One coalition that lobbies a lot is called the ‘Industry Coalition for
Data Protection.’ Although the name suggests otherwise, they aren't
actually in favour of more data protection. Members are for example
advertising agencies, European Internet providers, media companies, and
the ‘Chamber of Commerce’, an American lobby organization. Taking just
one example, Microsoft is a member of nine of the associations that are
part of this “coalition”. Just how many voices does one company need?
Notable organizations
One thing stands out when going over the list of lobbying parties:
Google, Microsoft and Facebook aren't on this list. Does that mean they
didn't lobby? Well, they certainly did, as can be seen from the
Microsoft example above. Furthermore, the documents we obtained are just
the lobbying letters.
The list also contains very eye-catching parties. Toy manufacturers for
example, the country Poland and the mayor of Amsterdam. The latter has
asked critical questions on behalf of city archives in an email to the
ministry of justice.
Regular customer
But who frequents the offices most often? That without a doubt is
VNO-NCW, which represents Dutch businesses. They alone sent almost a
tenth of all the lobby letters.
Discussion behind closed doors
It's clear that there has been a lot of contact between businesses and
the government and that there have been discussions behind closed doors.
That in itself is important, but we will talk some more about this in a
later blog.
To be continued
Want to continue reading about this? On the Bits of Freedom website, you
can find all the lobby documents and the analysis. The next part in this
series is about the “innovation” argument.
For the series of blogs and documents, see the Bits of Freedom website
https://www.bof.nl/category/lobby-tomie/
Email by Council of European Dentists to Dutch perm rep (08.12.2014)
https://www.bof.nl/static/lobby-tomie-documenten/EU/20141208-013-council-european-dentists.pdf
Letter by International Association of Jewish Genealogical Societies to
ministry of justice (29.08.2013)
https://www.bof.nl/static/lobby-tomie-documenten/VENJ/20130829-012-international-association-jewish-genealogical-societies.pdf
Email by INretail to ministry of justice (10.04.2014)
https://www.bof.nl/static/lobby-tomie-documenten/VENJ/20140410-055-inretail.pdf
Email by Insurance Europe to Dutch perm rep (17.10.2014)
https://www.bof.nl/static/lobby-tomie-documenten/EU/20141017-016-insurance-europe.pdf
Email by Cicero Group to Dutch perm rep (03.04.2015)
https://www.bof.nl/static/lobby-tomie-documenten/EU/20131018-001-cicero-group.pdf
Email by CabinetDN to Dutch perm rep (25.03.2013)
https://www.bof.nl/static/lobby-tomie-documenten/EU/20130325-055-cabinetdn.pdf
Email by CabinetDN to Dutch perm rep (26.11.2012)
https://www.bof.nl/static/lobby-tomie-documenten/EU/20121126-069-cabinetdn.pdf
Email by Ericsson to Dutch perm rep (12.11.2015)
https://www.bof.nl/static/lobby-tomie-documenten/EU/20150112-081-ericsson.pdf
Email by Digital Europe to Dutch perm rep (21.01.2014)
https://www.bof.nl/static/lobby-tomie-documenten/EU/20140121-091-digitaleurope.pdf
Email by TechAmerica Europe to Dutch perm rep (15.01.2014)
https://www.bof.nl/static/lobby-tomie-documenten/EU/20140115-028-tech-america-europe.pdf
Email by European-American Business Council to Dutch perm rep (18.10.2012)
https://www.bof.nl/static/lobby-tomie-documenten/EU/20121018-050-european-american-business-council.pdf
Email by Toy Industries Europe to Dutch perm rep (03.02.2015)
https://www.bof.nl/static/lobby-tomie-documenten/EU/20150203-010-toy-industries-europe.pdf
Letter by Poland to ministry of economic affairs (date unknown)
https://www.bof.nl/static/lobby-tomie-documenten/EZ/00000000-09-polen.pdf
Letter by the municipality of Amsterdam to the ministry of justice
(23.04.2013)
https://www.bof.nl/static/lobby-tomie-documenten/VENJ/20130423-009-gemeente-amsterdam.pdf
(Contribution by Floris Kreiken, Bits of Freedom)
8. Recommended Action
Report net neutrality violations to "Respect My Net"
"Internet users should be in charge of their Internet connections.
Instead, however, Internet access providers increasingly undermine this
expectation and limit our online communications and behaviour. They do
this, for example, by blocking or restricting access to certain kinds of
online services, content and applications. The “Respect My Net” platform
will allow individuals to report such abusive behaviour by Internet
access providers."
http://respectmynet.eu/
EU consultation on “Intellectual Property Rights” enforcement – Have
your say!
EDRi's tool to assist citizens to respond to the public consultation on
the evaluation and modernisation of the legal framework for the
enforcement of “intellectual property rights” (IPR). The deadline to
submit responses using this tool is 7 April. However, you can use the
Commission's tool to respond until 15 April 2016.
http://youcan.fixcopyright.eu
9. Recommended Reading
Encryption - a matter of human rights
https://www.amnestyusa.org/sites/default/files/encryption_-_a_matter_of_human_rights_-_pol_40-3682-2016.pdf
CETA: Who pulled the plug on the right to regulate?
https://blog.ffii.org/
Guidance Security Measures for Personal Data Processing Article 22 of
Regulation 45/2001
https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/Guidelines/16-03-21_Guidance_ISRM_EN.pdf
Under Surveillance: Examining Facebook’s Spiral of Silence Effects in
the Wake of NSA Internet Monitoring
http://m.jmq.sagepub.com/content/early/2016/02/25/1077699016630255.full.pdf?ijkey=1jxrYu4cQPtA6&keytype=ref&siteid=spjmq
ECtHR: Bulk interception powers violate freedom of expression
https://www.article19.org/resources.php/resource/38293/en/ecthr:-bulk-interception-powers-violate-freedom-of-expression
10. Agenda
30.03.2016, San Francisco, California, United States
RightsCon
https://rightscon.org/
30.03.2016, San Francisco, California, United States
Crypto Summit 2.0
https://www.accessnow.org/page/content/crypto-summit/
06.04.2016, Perugia, Italy
International Journalism Festival
http://www.journalismfestival.com/
20.04.2016, Barcelona, Spain
The 7th Biannual Surveillance and Society Conference
http://www.ssn2016.net
21.04.2016, Barcelona, Spain
Surveillance: Power, Performance and Trust – 7th biennial Surveillance &
Society conference
http://www.surveillance-studies.net/?p=1162
02.05.2016, Station Berlin
re:publica 2016
https://re-publica.de/
20.05.2016,
World Congress of the Hedonist International
http://worldcongress.hedonist-international.org/?lang=en
11. About
EDRi-gram is a fortnightly newsletter about digital civil rights by
European Digital Rights (EDRi), an association of civil and human rights
organisations from across Europe. EDRi takes an active interest in
developments in the EU accession countries and wants to share knowledge
and awareness through the EDRi-gram.
All contributions, suggestions for content, corrections or agenda-tips
are most welcome. Errors are corrected as soon as possible and are
visible on the EDRi website.
Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/
Newsletter editors: Heini Jarvinen, Theresia Reinhold - edrigram@edri.org
Information about EDRi and its members: http://www.edri.org/
European Digital Rights needs your help in upholding digital rights in
the EU. If you wish to help us promote digital rights, please consider
making a private donation.
https://edri.org/donate/
- EDRi-gram subscription information
Subscribe by e-mail
To: edri-news-request@mailman.edri.org
Subject: subscribe
You will receive an automated e-mail asking to confirm your request.
Unsubscribe by e-mail
To: edri-news-request@mailman.edri.org
Subject: unsubscribe
- EDRi-gram in Macedonian
EDRi-gram is also partly available in Macedonian, with a delay.
Translations are provided by Metamorphosis
http://www.metamorphosis.org.mk/mk/vesti/edri
- EDRi-gram in German
EDRi-gram is also available in German, with a delay. Translations are
provided by Andreas Krisch from the EDRi member VIBE!AT - Austrian
Association for Internet Users
http://www.unwatched.org/
- Newsletter archive
Back issues are available at:
http://www.edri.org/newsletters/
- Help
Please ask edrigram@edri.org if you have any problems with subscribing
or unsubscribing.