*I would describe this one as verging on sinister.
======================================================================
EDRi-gram
fortnightly newsletter about digital civil rights in Europe
EDRi-gram 14.09, 4 May 2016
Read online: https://edri.org/edri-gram/14-09/
Contents
1. Dutch dragnet surveillance bill leaked
2. TTIP leaks confirm dangers for digital rights
3. The lobby-tomy 6: Not in my backyard
4. EUIPO publishes final report about "��Youth and Intellectual Property"
5. Please sue us
6. CETA will undermine EU Charter of Fundamental Rights
7. EU Trade Secrets Directive: A sad day for the freedom of expression
8. Recommended Action
9. Recommended Reading
10. Agenda
11. About
1. Dutch dragnet surveillance bill leaked
On 29 April, the final text for the Dutch dragnet surveillance bill was
leaked. It turns out that Minister of the Dutch Interior Ronald Plasterk
is still bent on granting the secret services the power to carry out
bulk interception of innocent citizens' communications.
.................................................................
Support our work - make a recurrent donation!
https://edri.org/supporters/
.................................................................
How did we get here?
Ever since the law was announced in 2013, one of the main concerns of
the debate have been how the dragnet will function, and how extensive it
will actually be. Based on the draft that was released for public
consultation in September 2015, dragnet surveillance could definitely be
in our future. The explanatory memorandum didn'��t do much towards
clearing things up. The Dutch EDRi member Bits of Freedom wasn'��t alone
in voicing harsh criticism about what was being proposed.
The dragnet rears its head...
After months of silence, on 20 April, the Netherlands Broadcasting
Foundation NOS disclosed a number of examples of how the dragnet will be
implemented. The examples taken from a confidential document presented
to providers for consideration demonstrate that Plasterk plans to
interpret the law in a far broader manner than he said he would. The
number of citizens whose communication will be intercepted is overwhelming.
...and escapes through the meshes of the law
On 29 April, the Dutch newspaper Volkskrant leaked the bill for the new
Intelligence and Security Services Act. Conclusion: the dragnet is still
in place. So what was done with the tidal wave of criticism? As the
Dutch government reminds us: "The main points of criticism concerned the
following three issues: large dragnet, collaboration with foreign secret
services, and proper oversight."�� These issues needed addressing. But
apparently not that much.
The dragnet
As far as "��bulk"�� or "purpose-oriented" interception is concerned, not
much has changed, except the addition of the word
"investigation-assignment-oriented" to describe the nature of the
interception.
Although no definition of this word is given, the memorandum clearly
shows that "investigation-assignment-oriented" can be interpreted just
as creatively as "bulk"�� or "purpose-oriented". The memorandum hardly, if
at all, goes into the type of situations that might be envisaged. It's
not ruled out that the power could for instance be used to identify
�prison escapees'��, but that'��s about as concrete as it gets. It's
deplorable that concrete cases are presented to providers for cost
analysis purposes, but are not offered to the Council of State for a
proper assessment of the compatibility of such a law –�� and the manner in
which it will be implemented – with European law and the Dutch
constitution. What the explanatory memorandum does make very clear,
however, is that any limits imposed on the dragnet will have to come
from an oversight body after applying the law, not from the government
when creating it.
Third party hacking
The government still wants intelligence and security services to be able
to hack via a third party. This means that the services are allowed to
hack into the device of an innocent citizen in order to hack a target.
This, obviously, is totally unforeseeable for the citizen, and creates
major security risks for them.
Neither the loud criticism nor the results of the Privacy Impact
Assessment (PIA), which was commissioned by the government, have led to
the proposed power to be reconsidered. Third party hacking is �essential
for an effective implementation of the hacking powers'��. Yes, clauses
have been added to the draft offered for consultation about the
assessment and limitation of the damages to a third party, but this
doesn'��t resolve the main issue: the damages to a third party resulting
from being hacked by the government'��s services.
The government acknowledges the fact that, by hacking, vulnerabilities
in software will be exploited that can affect a large number of people
(for example a vulnerability in an Android-phone will not only affect a
suspect, but everyone with the same phone), but concludes that national
security outweighs personal security. Of course there is room, but not
an obligation, to report the vulnerabilities to "those responsible". Not
an obligation; a possibility.
Oversight
Oversight will be improved. In the explanatory memorandum, the
government states that heightened oversight is needed to match the
increased power, but it also states that oversight had to be improved
due to its conflicts with European law. The depiction of the situation
as presented by the government in the bill and in its press release, is,
shamefully, inaccurate.
As regards oversight, the minister has to request permission from an
independent committee consisting of (former) judges. The committee's
decision will be binding. However: if in a hurry, permission can be
requested afterwards, or while an investigation is in progress. If
permission is denied, the hitherto gathered information will have to be
destroyed.
What's striking is that a number of authorities will not have to be
sanctioned by the oversight committee, most remarkably the seizing of
traffic data. Whereas the Dutch government and European and Dutch courts
have stated that the seizure of such records constitutes an infringement
substantial enough for a judge to have to rule on it, in the case of
this bill the power does not require approval by the independent
oversight committee. Especially in light of previous European rulings,
this is an untenable situation.
For protected professions, there will be judicial review. Exercising
interception powers in cases concerning journalistic sources will be
subject to more scrutiny: in these cases the period for which a power is
allowed to be exercised is limited.
Exchange with foreign services
Nothing has been done regarding the criticism in the responses to the
consultation and in the PIA with regard to the lack of rules surrounding
the exchange of data with foreign services. The law imposes no
restrictions on the data that is to be transferred. The explanatory
memorandum does state that information about, or data from, Dutch
citizens can be filtered out. However, the government asserts that this
is not an obligation, and sometimes even undesirable.
Dutch dragnet surveillance bill leaked: our analysis (04.05.2016)
https://bof.nl/2016/05/04/dutch-dragnet-surveillance-bill-leaked/
(Contribution by Ton Siedsma and Evelyn Austin, EDRi member Bits of
Freedom, The Netherlands)
2. TTIP leaks confirm dangers for digital rights
On 2 May, Greenpeace has unveiled documents on the Transatlantic Trade
and Investment Partnership (TTIP), including the telecommunications
chapter and EU's Tactical State of Play of March 2016.
"The leaks show an ideological drive towards deregulation and law
enforcement by private companies," said Joe McNamee, Executive Director
of European Digital Rights (EDRi). "This would sweep away key European
success stories such as open and competitive telecommunications markets
and a legal framework based on transparency and the rule of law," he added.
EDRi has analysed two of the leaked TTIP documents, the
Telecommunications Chapter and the Tactical State of Play. Some of our
most important concerns include:
Telecommunications Chapter
- "Article X.5: Regulatory Flexibility" would give new and excessive
powers to telecom regulators, including the power for any national
telecom regulator to stop applying EU legislation on a service that the
EU or an EU Member State "classifies as a public telecommunications
service". Regulators would have the power to ignore democratically
agreed laws if it decided, entirely at its own discretion, that the
enforcement was not needed to "prevent unreasonable or discriminatory
practices" or, to protect consumers, for example.
- "Article X.6: Review of legislation" is even worse, as it gives
telecom authorities the power to repeal or modify EU legislation,
without any democratic accountability or responsibility.
- Article 48 refers to the confidentiality of electronic communications.
While the provision states that both the EU and the USA have to ensure
the confidentiality of electronic communications and related traffic
data, they should do this "without restricting trade in services". Would
a data protection or privacy measure constitute a trade restriction?
This point remains far from clear. What we do know is that decisions on
whether data protection and privacy rules are acceptable would not be
decided by the European Court of Justice and would not need to take our
fundamental rights into consideration.
EU's tactical State of Play (March 2016)
While the European Commission claims to be very transparent in its
reports, the public receives a non-complete state of play after each
round of negotiations. The leak is a real, internal state of play on the
negotiations, clearly reflecting the lobbying efforts of certain parts
of industry from both sides of the Atlantic. A first reading of the leak
has allowed us to identified developments on digital rights that are
worrisome:
- Regarding data flows, no progress has been, probably because of the
current discussions on the equally flawed EU-US "Privacy Shield". The
document states that these talks might be accelerated because US telecom
companies are "very interested in data flows".
- On encryption, it says that the EU and the US are discussing similar
wording as the one used in the Trans-Pacific Partnership (TPP). This is
bad news, as explained by EDRi-member EFF.
- Concerning so-called "Intellectual Property" (IP), the negotiators
seem to take lobbyists' wish list very seriously. According to the
leaked report, "[w]hen confronted with EU warning that bringing
sensitive proposals that would require changes in EU law to the table �
and doing it at a late stage of the negotiation � may have a negative
impact on stakeholders" (which would apparently not include citizens)
"and has very limited chances of being accepted", the US seemed to be
prepared to depart from the model of the TPP. Among the proposals the US
is thinking of tabling, it includes privatised enforcement measures,
that EDRi has been criticising since its inception because they bypass
the rule of law and lead to arbitrary corporate decision-making without
accountability (cf. "voluntary stakeholder initiatives"). As with ACTA,
the US is strongly supportive of "voluntary initiatives" as US-based
global giants already impose US copyright law on a global level. The EU
(as shown by the recent leak of the Communication on Platforms) supports
this approach.
In the leaks analysed by EDRi, there is no single mention of the public,
NGOs or civil society in general.
TTIP leak: Electronic communications / Telecommunications Chapter
http://ttip-leaks.org/agamemnon/doc4.pdf
TTIP leak: EU's Tactical State of Play (March 2016)
http://ttip-leaks.org/pandaros/doc16.pdf
EDRi's red lines on TTIP
https://edri.org/files/TTIP_redlines_20150112.pdf
EDRi booklet: TTIP and Digital Rights
https://edri.org/files/TTIP_and_DigitalRights_booklet_WEB.pdf
TTIP Resolution: document pool
https://edri.org/ttip-resolution-docpool/
(Contribution by Maryant Fernández Pérez, EDRi)
3. The lobby-tomy 6: Not in my backyard
Something you'll hear in policy debates on the environment: windmills
are a great idea and obviously good for the environment, but we don't
want them in our backyard. This argument doesn't just apply to the
debate on the environment, but apparently also in the debate on privacy
protection. Representatives from industry speak convincingly about what
privacy is good for others, but that they would rather not see the rules
applied to them.
.................................................................
Support our work - make a recurrent donation!
https://edri.org/supporters/
.................................................................
The new European data protection regulation is the most lobbied piece of
legislation thus far because the subject is very important and touches
upon almost every aspect of our daily lives. Therefore EDRi member Bits
of Freedom used the Dutch freedom of information act to ask the
government to publish all the lobby documents they received on this new
law. Bits of Freedom published these documents on their website with
their analysis in a series of blogs. What parties lobby? What do they
want? What does that mean for you? These nine blogposts are now
translated into English for the EDRi-gram. This is part 6.
Everything is great, but...
The lobby letters all share a generally positive tone of voice. Many
letters start off with: �we welcome the provisions.� Other parties think
the regulation is an important step to further regulate the economy and
to increase consumer trust. These sentences are often followed by
a "��but"�, in which case the letter moves onwards to exceptions. The data
protection regulation contains numerous exceptions, with the main ones
at the end of the text, with the aim of defending research, archiving,
journalism, and religion. According to organisations, these exceptions
aren't enough, and therefore they lobbied for more.
Not for our sector!
These new rules are important, but also problematic for the lobbyists
for specific sectors. There are many letters from archives that say they
are unhappy. In a letter to the Dutch Ministry of Justice, the Cadastre
and the Chamber of Commerce say that the new privacy law should take
archives and registers better into account. They for example don't think
it would be fair if people could delete their data.
After all, this wasn't the case in the previous privacy law, they say.
According to that law, the right to restrict processing wasn't
applicable to these kinds of registers. Furthermore, the organisations
ask the government to critically evaluate the commercial reuse of public
sector information, by which they also refer to open data and privacy.
This is a relevant question. As they say in their letter, it �runs into
a lot of public resistance, based on privacy concerns.�
Medical research
What's also striking is that many Dutch health research institutions are
unhappy with the exceptions for scientific research. The Hartstichting
(heart foundation) says �we have our own ethical standards'��. In their
letter, they explain that they use different methods to obtain consent,
and that they employ their own ethical commissions to evaluate data
processing.
Judges
Judges also want an exception. In a letter of the "��European Network of
Councils of the Judiciary"��, a European body for the national councils of
the judiciary, they say that it would be worrisome if there were to be
insufficient exceptions for judges. They for example want to prevent
that correspondence or emails between judges is accessed as personal
data about the person they are discussing.
Housing corporations
According to housing corporations, the proposals "mean quite a lot".�� In
a letter to the Ministry of Justice, they claim to be sufficiently
regulated by "��all kinds of policy and legislation"�� in "��more or less
fragmented legislation, like for example the cookie law".��
Among other things, they think that they would face an information
obligation that would be too extensive under the current proposals. With
regards to the right to delete and the right to be forgotten, they say:
"Many organisations and in particular housing corporations have
complaints mechanisms and complaints commissions. An extension with more
complaints opportunities is an unreasonable burden. Also, the right to
delete can breach the retention obligation from the proposals."
That's a bit strange. Because there are already complaints mechanisms,
housing corporations want to take away people's ability to check the
accuracy of their data and the ability to remove superfluous information?
Housing corporations have more complaints. They think there are too many
burdens, the fines are disproportionate, and they think they should be
able to decide how organisations grant access to data. They think there
has been little recognition of local interests, and they therefore
propose to regulate privacy in a different way: not through one European
law, but through a series of obligations that can be translated by
Member States themselves in national legislation.
Not for our country!
And the same can be heard from other organisations. �Our country is
exceptional, so maybe we should do things differently.� In a letter to
the Ministry of Justice, Danske Medier, a large Scandinavian media
company, criticises the changes made by the European Parliament:
�Without any discussion � perhaps even by accident � they then wiped
away the legal prerequisite for telephone marketing to private
households, which is the traditional and most effective way of selling
news media in the Nordic countries.�
To them, it's also about making data available for other organisations:
"To a great extent, the high penetration of newspapers and other news
media in Norway, Sweden and Denmark is due to the fact that consumers in
these countries may be contacted by telephone by certain business
sectors, which are fundamental for a viable democracy."
The interesting thing about this is that it means that data processing
by third parties should be made easier in the whole of Europe, just to
satisfy the requirements of a business model often used by Scandinavian
media.
Can't we fix this ourselves?
CIO, the Dutch ecclesiastical counsel, is not happy with the current way
in which the exception for churches is phrased in the text. Dutch
churches have their own methods for registration and the administration
of data (SILA).
�We recommend you to choose a formulation that delivers more
possibilities and autonomy, so that an appropriate form of management
and processing of personal data can be formed for the Churches and where
the unique SILA system as we know it today is respected in the
Netherlands.�
At times justified, but no excuse
At times it can be justified to create exceptions like this. But it is
important to stay watchful in cases of self-regulation. Advertisement
companies for example also want more self-regulation, as they argue in a
letter to the Ministry of Justice. Is that because they have so much
confidence in their own ability, or because they want to evade legal
obligations?
Ironically, having lobbied for a vast number of exceptions in the EU
Regulation, industry groups are now complaining that... you guessed
it... there are too many exceptions in the Regulation.
To be continued
Want to continue reading about this? On the Bits of Freedom website, you
can find all the lobby documents and the analysis. The next part will be
about "�privacy schools".
The lobby-tomy 6: not in my backyard (only in Dutch, 25.11.2015)
https://www.bof.nl/2015/11/25/de-lobby-tomie-6-not-in-my-backyard/
Letter by KvK Nederland, Kadaster and RDW to ministry of justice (only
in Dutch, 16.04.2012)
https://www.bof.nl/static/lobby-tomie-documenten/VENJ/20120416-001-kvk.pdf
Letter by Nederlandse Federatie van Universitair Medische Centra to
ministry of justice (26.03.2013)
https://www.bof.nl/static/lobby-tomie-documenten/VENJ/20130326-008-nederlandse-federatie-universitair-medische-centra.pdf
Letter by European Network of Councils for the Judiciary to ministry of
justice (11.12.2013)
https://www.bof.nl/static/lobby-tomie-documenten/VENJ/20131211-020-european-network-councils-for-the-judiciary.pdf
Letter by Aedes - Vereniging van woningcorporaties � to ministry of
justice (only in Dutch, 01/2013)
https://www.bof.nl/static/lobby-tomie-documenten/VENJ/20140100-022-vereniging-woningcorporaties.pdf
Letter by Danske Medier to ministry of justice (23.05.2014)
https://www.bof.nl/static/lobby-tomie-documenten/VENJ/20140523-026-dansk-medier.pdf
Letter by CIO to security and justice (only in Dutch, 23.05.2014)
https://www.bof.nl/static/lobby-tomie-documenten/VENJ/20140523-027-interkerkelijk-contact-in-overheidszaken.pdf
Letter by World Federation of Advertisers and Allegro Group
https://www.bof.nl/static/lobby-tomie-documenten/VENJ/00000000-047-world-federation-advertiser-allegrogroup.pdf
(Contribution by Floris Kreiken, EDRi member Bits of Freedom, The
Netherlands)
4. EUIPO publishes final report about "Youth and Intellectual Property"��
On 6 April, the European Union Intellectual Property Office (EUIPO,
formerly known as OHIM) published its report on "��Youth and IP"��, which
followed the 2013 study on "European Citizens and Intellectual Property:
Perception, Awareness and Behaviour". The survey tracks citizens'
perception of "��intellectual property"�� (IP) and the relevant drivers of
consumer behaviour.
.................................................................
Support our work - make a recurrent donation!
https://edri.org/supporters/
.................................................................
The study is relevant in light of a planned copyright reform on the
European level, which is supposed to replace the current outdated and
fragmented regime. The study is based on the views of over 26 500 young
Europeans, and examines the perception of young citizens related to
"��IP". It analyses the reasons behind infringements. Among other
conclusions, the report shows that law-abiding citizens do not just turn
into "criminals" when they go online. Unsurprisingly, the incoherence
and lack of modernisation of the current copyright regime brings
uncertainty of young EU citizens with regard to copyright.
- 22% of youth did not know if they were using legal or illegal sources
to access content.
- 13% used illegal sources by "accident", and 24% could not tell the
difference between legal and illegal source of digital content.
- On average, 78% of EU citizens said they always choose affordable
legal offers as opposed to illegal offers.
- 19% of EU citizens wondered whether a site for downloading music or
videos was legal, but only 12% tried to check it (42%/26% for those aged
15-24).
Furthermore, the survey sends another message: The gap between "IP"
perceptions and behaviour may also find its source in the fact that
Europeans feel "IP" mostly benefits businesses and an elite class.
Europeans name as the main beneficiaries of "IP":
- 43% big businesses and show businesses
- 37% inventors, 31% creators
- 20% artists, 16% SMEs
- 15% politicians
Finally, the report examines the reasons and justifications for the
intentional use of unauthorised sources amongst young people. The
results range from financial reasons to practicability and the desire to
protest against "rich artists". The report shows that 22% of youngsters
feel that downloading from an unauthorised source is acceptable if there
is no legal alternative, and 42% think downloading is acceptable when it
is for personal use.
If the new legal framework wants to bring an end to this outdated system
that is widely perceived as illegitimate, we must rethink which role and
purpose copyright should have in our society. Future-oriented
legislation must therefore go hand in hand with freedom of expression
and information, the right to science, and culture, balanced with a
appropriate remuneration for creators. The copyright reform initiated by
the European Commission needs to take all of these issues into
consideration and go for a broad, ambitious and innovative reform of the
EU copyright law, and not only paper over some of the problems.
EUIPO: Full report- Intellectual Property and Youth Scoreboard 2016
(04/2016)
https://euipo.europa.eu/tunnel-web/secure/webdav/guest/document_library/observatory/documents/IP_youth_scoreboard_study/IP_youth_scoreboard_study_en.pdf
EUIPO: Executive summary - Intellectual Property and Youth Scoreboard
2016 (04/2016)
https://euipo.europa.eu/tunnel-web/secure/webdav/guest/document_library/observatory/documents/IP_youth_scoreboard_study/executiveSummary/executive_summary_en.pdf
EDRi: Commission launches consultations on ancillary copyright and
panorama (06.04.2016)
https://edri.org/commission-launches-consultations-on-ancillary-copyright-and-panorama/
EDRi: Copyright reform: Restoring the facade of a decrepit building.
(16.12.2015)
https://edri.org/copyright-reform-restoring-the-facadeof-a-decrepit-building/
(Contribution by Claudius Determann, EDRi trainee)
5. Please sue us
Each of the Member States of the European Union is required to
incorporate European directives into national legislation. If a Member
State does not obey this obligation, the European Commission can sue
this country in the Court of Justice of the European Union (CJEU). But
what actions can a country take if such directives force it to adopt
legislation that contradicts its own constitution? From the European
Commission's perspective, Member States have an opportunity to raise
such concerns for a few weeks during the adoption process of a Directive
and, if it doesn't, all subsequent problems are the fault of the Member
State itself.
.................................................................
Support our work - make a recurrent donation!
https://edri.org/supporters/
.................................................................
Being forced to do something you can't actually do
This transposition into national legislation also applied to the
Directive that forced telecom and Internet providers to retain data
concerning the location and communication behaviour of all their users,
also known as data retention Directive. Many Member States where unable
to meet this requirement. This resulted in the Commission starting a
number of infringement procedures against, among others, Romania,
Sweden, and Germany.
In order to get a good impression of what goes on behind closed doors,
Dutch EDRi member Bits of Freedom requested the Commission to disclose
all documents relating to five of these infringement procedures. A few
months later, we received thousands of sheets of paper. Now we know how
effortlessly national and European leaders blatantly ignore fundamental
practical and objections. Ironically, while Member States were taken to
court for failing to implement the repressive measures in the Directive,
no effort at all was devoted by the European Commission to enforcing
Article 10 of the Directive � collecting statistics that were supposed
to be used to assess whether the Directive was actually useful or not.
It's a tricky situation: being forced to implement certain rules,
despite them being contradictory to the country's constitution.
Please sue us
The preventive and persistent preservation of data concerning
everybody's location and communication behaviour is, fortunately, a
controversial policy. However, to some governments, this seems to be
irrelevant. In one of the obtained documents, the Commission describes
how a Czech minister viewed the implementation of this controversial
undertaking. His assessment: "��one day's headlines and then forgotten"��.
Some countries even encourage the Commission to start an infringement
procedure against them. Crazy, right? It's as if you'd approach a police
officer on the street and beg him or her to please give you a ticket.
But this is politics.
The politicians of the German ruling party CDU supported the
Commission's attempts to enforce the implementation of the Directive,
because such an infringement procedures increase the pressure on the
national debate. For the same reason, the German minister of Internal
Affairs (who wanted to see the Directive implemented) did not want the
Commission to amend the Directive. In the absence of a reform, the
pressure on her Liberal colleague at the Justice department (who refused
to implement the Directive) remained high. Similarly the Commission was
told by Romanian representatives that a warning against the country
would be "��helpful".
Keeping score is too much of an effort
"There is no scientific evidence that the invalidation has caused the
law enforcement agencies major difficulties. There is no evidence
indicating that invalidating the data retention Directive has had a
negative impact on the clear-up rate of criminal offences."
This is what the German Minister of Justice wrote in a letter to the
European Commission, after the data retention Directive was found to be
in violation of the constitution in Germany. It is clear-cut criticism
on the assumed � but never substantiated � need for a data retention
act.
For many countries, it is too much trouble to gather evidence that
supports the alleged need for a data retention act. The Czechs told the
Commission that maintaining statistical data (an unenforced obligation
under the Directive) was an enormous burden and that it was difficult to
obtain data from the police. Instead they indicated a preference to have
a conversation with other Member States and to learn from their best
practices. How to implement the Directive, without much need for working
out if it was serving any purpose?
A data retention act doesn't help anybody
The documents also give an impression of what is still ahead of us. For
instance, the Commission pressured Romania into introducing a new data
retention policy after the previous one was declared invalid. The
Commission did this despite the warning that there is a risk that a new
case would be brought to the Constitutional Court and that the new law
will be again declared unconstitutional.
The national legislator being disciplined over and over again calls for
additional complexity in the Commission's enforcement procedures. Their
lawyers wrote:
"By letter of 25 November 2008 [...] Romania informed the Commission
[...] that it adopted law no. 298/2008 [...]. Romania stated that these
measures constituted "��complete transposition" of [the data retention
Directive] into Romanian law. However, due to an internal omission, this
infringement procedure was not subsequently terminated, which should
have been done. On 23/11/2009, the Romanian constitutional Court
annulled the national law. This law longer exists.
Given those circumstances, it is necessary to close this case which
dealt with the situation prior to the annulment of the law by the
Romanian Constitutional Court. However, the Commission decided to open a
new procedure in order to make sure that [Romania] will transpose the
Directive, taking into account the legal situation which is currently in
force since the annulment of the law by the Romanian Constitutional Court."
That is quite a mess that benefits no-one, other than a handful of
lawyers. And this is what the Netherlands is about to do: adopting a new
data retention law (even though the European Directive itself has now
been overturned by the European court), while knowing that it will again
collapse in a Dutch or European court. Meanwhile, the investigative
agencies are left to deal with the consequences: they have no use for
investigative tools that can be declared illegal by a judge � indeed,
they were never able to show a use for the data in the first place. The
Dutch government should instead invest in something the police can
actually use.
Please sue us (only in Dutch, 23.03.2016)
https://bof.nl/2016/03/23/sleep-ons-voor-de-rechter-alsjeblieft/
(Contribution by Rejo Zenger, EDRi member Bits of Freedom, The Netherlands)
6. CETA will undermine EU Charter of Fundamental Rights
In February 2016, the European Commission and Canadian government
published the final draft text of the EU - Canada trade agreement
(CETA), prior to its approval or rejection by the Council of the
European Union, European Parliament and, possibly, national parliaments.
In October 2015, the Court of Justice of the European Union (CJEU)
invalidated the Safe Harbour data protection framework, because it
failed to provide an essentially equivalent protection of EU citizens
and residents' personal data in the United States. The Court confirmed
that cross-border data transfer frameworks need robust privacy and
personal data protection safeguards.
.................................................................
Support our work - make a recurrent donation!
https://edri.org/supporters/
.................................................................
According to Foundation for a Free Information Infrastructure (FFII)'s
analysis, CETA is not compatible with the Charter of Fundamental Rights
of the European Union (EU).
After the conclusion of the CETA negotiations, the EU legal services
conducted a legal review of the trade agreement (so-called "legal
scrubbing"). However, this process did not bring the CETA text into line
with the Court's Safe Harbour ruling. This incompatibility means that
our privacy and data protection rights are under threat. This is
particularly relevant as Canada is a member of the "Five Eyes"
arrangement, a group of countries committed to (suspicionless) mass
surveillance.
CETA contains a general exception (Article 28.3 (2)), which is argued to
be there to reserve policy space. This general exception, however,
contains multiple strict conditions. In only two of 45 World Trade
Organisation cases (Article XX of the General Agreement on Tariffs and
Trade (GATT) and Article XIV of the General Agreement on Trade in
Services (GATS), states successfully invoked similar provisions.
Regarding privacy, the general exception additionally contains the
condition that EU laws on which measures to protect personal data would
be based must not be inconsistent with other provisions of CETA (Article
28.3 (2)(c)). To put it simply, the general exception that should allow
the EU to act to protect our privacy does not allow the EU to act
contrary what is agreed in CETA. This concession would become obligatory
and therefore, if adopted, CETA would de facto be placed above the EU
Charter of Fundamental Rights.
The FFII analysis gives a specific example of such a concession in CETA,
which can be found in Chapter 13 (Financial Services). Under CETA,
Article 13.15 establishes that the EU and Canada have to allow a
financial institution or a cross-border financial service supplier to
transfer information across borders. The related privacy standard is
weaker than the one in EU law. For instance, it contains the condition
that each Party needs to provide "adequate safeguards to protect
privacy", which international arbitrators do not have to read in the
light of the Charter of fundamental rights (as the EU Court of Justice
does). This is particularly relevant as CETA contains two international
dispute settlement mechanisms. In short, the privacy safeguard set in
Article 13.15 (2) falls short of the one in the Court's Safe Harbour
decision.
As a result, if adopted, CETA would create an international obligation
with a lower privacy standard. Conflicts over obligations in trade
agreements are decided by international trade and investment
arbitrators, not by supreme or human rights courts. CETA gives financial
institutions a carve out from regular privacy enforcement. CETA gives
financial institutions a "status aparte".
Negotiations behind closed doors and a failed legal scrubbing have led
to a text that is not compatible with the Charter of Fundamental Rights
of the European Union.
Final draft text of the EU - Canada trade agreement, CETA (29.02.2016)
http://trade.ec.europa.eu/doclib/docs/2016/february/tradoc_154329.pdf
European Court of Justice's Safe Harbour decision (06.10.2015)
http://curia.europa.eu/juris/celex.jsf?celex=62014CJ0362&lang1=en&type=TXT&ancre=
EDRi: Transatlantic coalition of civil society groups: Privacy Shield is
not enough -�� renegotiation is needed (16.03.2016)
https://edri.org/transatlantic-coalition-of-civil-society-groups-privacy-shield-is-not-enough-renogitation-is-needed/
FFII: CETA and mass surveillance (13.04.2016)
https://blog.ffii.org/ceta-and-mass-surveillance/
FFII: CETA places itself above EU Charter of Fundamental Rights (14.04.2016)
https://blog.ffii.org/ceta-places-itself-above-eu-charter-of-fundamental-rights/
FFII: CETA will harm our privacy (15.04.2016)
https://blog.ffii.org/ceta-will-harm-our-privacy/
(Contribution by Ante Wessels, EDRi member Vrijschrift, the Netherlands)
7. EU Trade Secrets Directive: A sad day for the freedom of expression
On 14 April, the European Parliament adopted the deeply flawed EU Trade
Secrets Directive. This is a sad state of affairs, that does not reflect
well on the quality of the EU legislature, both on process and on substance.
On process, it started with Commission-sponsored research that was
deeply flawed and misleading. At no point has the Commission presented
compelling evidence of the existence of a clear need for EU-wide trade
secrets rules, let alone the far-reaching one we are getting now.
Furthermore, how credible is a plenary vote in which the translations of
the proposed text, finally adopted by the European Parliament, have at
times opposite meanings in the German version compared with the English
version?
.................................................................
Support our work - make a recurrent donation!
https://edri.org/supporters/
.................................................................
As it stands now, this Trade Secrets Directive does not really harmonise
EU trade secrets protections. Only three Member States have legislation
in civil law that protects trade secrets to some extent. It is more a
case of transatlantic regulatory convergence, since a very similar
proposal is going through to Congress.
The fact that this seems to be a prelude to the transatlantic regulatory
convergence that TTIP-proponents are talking about is not the biggest
problem. It completely departs from the problem it claims to address:
competitive advantages gained through unfair means. Instead it defines
trade secrets in such a broad way, namely information of commercial
interest, that it is bound to have a chilling effect on corporate
transparency, journalism, environmental activism, labour mobility and
IT-security research.
The recent Panama papers are a good example: each of the actors named in
them could, under the rules promulgated in this Directive, claim a
violation of a trade secret. The safeguards put in place through
amendments might be upheld in court, but the prospect of such a legal
challenge would in itself constitute a deterrent for the newspapers
involved.
It will in all likelihood take a long time after the implementation to
have the court system redress the most egregious censoring effects of
this Directive. In the meantime a lot of free speech will be supressed,
either directly or indirectly through its chilling effects.
EDRi: EU trade secrets Directive: threat to free speech, health,
environment and worker mobility (23.03.2015)
https://edri.org/trade-secrets-directive-statement/
(Contribution by Walter van Holst, EDRi-member Vrijschrift, The Netherlands)
8. Recommended Action
Respect my Net
Report cases of Net Neutrality violations: zero-rating, specialised
services, or the blocking, throttling or prioritisation of online services!
https://respectmynet.eu/
Save The Internet
Have your say on why REAL Net Neutrality matters. Send a message to your
national regulator to protect net neutrality!
https://savetheinternet.eu/
9. Recommended Reading
Chilling Effects: Online Surveillance and Wikipedia Use (27.05.2016)
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2769645
Data Protection Regulation (04.05.2016)
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ%3AL%3A2016%3A119%3ATOC
The Crime of Speech (28.04.2016)
https://www.eff.org/deeplinks/2016/04/crime-speech
New Polish Anti-terrorism Law: every foreigner is a potential threat
(28.04.2016)
https://en.panoptykon.org/articles/new-polish-anti-terrorism-law-every-foreigner-potential-threat
CETA: ISDS and data protection (29.05.2016)
https://blog.ffii.org/ceta-isds-and-data-protection/
ECHR: Serious harm jurisdictional threshold must be respected (04.05.2016)
https://www.article19.org/resources.php/resource/38356/en/echr:-serious-harm-jurisdictional-threshold-must-be-respected
ECtHR: Free Expression and Data Protection must be balanced (15.04.2016)
https://www.article19.org/resources.php/resource/38335/en/ecthr:-free-expression-and-data-protection-must-be-balanced
ECtHR: Bulk interception powers violate freedom of expression (14.03.2016)
https://www.article19.org/resources.php/resource/38293/en/ecthr:-bulk-interception-powers-violate-freedom-of-expression
European Court of Human Rights: Kahdija Ismayilova v Azerbaijan
http://www.pen-international.org/wp-content/uploads/2016/04/Khadija-Ismayilova-Intervention.pdf
10. Agenda
11.05.2016, Brussels, Belgium
ALTER-EU Lobby Tour
https://www.eventbrite.com/e/lobby-tour-on-secretive-lobbying-in-brussels-and-the-need-for-a-legally-binding-lobby-register-tickets-25048278074
20.06.2016, Vienna, Austria
Fundamental Rights Forum
http://fundamentalrightsforum.eu/
22.06.2016, Esino Lario, Italy
Wikimania
https://wikimania2016.wikimedia.org/
29.06.2016, Eindhoven, the Netherlands
European Data Forum 2016
http://2016.data-forum.eu/
31.08.2016, Helsinki, FInland
MyData 2016
http://mydata2016.org/
14.10.2016, Brussels, Belgium
Freedom Not Fear 2016
12. About
EDRi-gram is a fortnightly newsletter about digital civil rights by
European Digital Rights (EDRi), an association of civil and human rights
organisations from across Europe. EDRi takes an active interest in
developments in the EU accession countries and wants to share knowledge
and awareness through the EDRi-gram.
All contributions, suggestions for content, corrections or agenda-tips
are most welcome. Errors are corrected as soon as possible and are
visible on the EDRi website.
Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/
Newsletter editor: Heini Jarvinen - edrigram@edri.org
Information about EDRi and its members: http://www.edri.org/
European Digital Rights needs your help in upholding digital rights in
the EU. If you wish to help us promote digital rights, please consider
making a private donation.
https://edri.org/donate/
- EDRi-gram subscription information
subscribe by e-mail
To: edri-news-request@mailman.edri.org
Subject: subscribe
You will receive an automated e-mail asking to confirm your request.
Unsubscribe by e-mail
To: edri-news-request@mailman.edri.org
Subject: unsubscribe
- EDRi-gram in Macedonian
EDRI-gram is also available partly in Macedonian, with delay.
Translations are provided by Metamorphosis
http://www.metamorphosis.org.mk/mk/vesti/edri
- EDRi-gram in German
EDRI-gram is also available in German, with delay. Translations are
provided by Andreas Krisch from the EDRI-member VIBE!AT - Austrian
Association for Internet Users
http://www.unwatched.org/
- Newsletter archive
Back issues are available at:
http://www.edri.org/newsletters/
- Help
Please ask edrigram@edri.org if you have any problems with subscribing
or unsubscribing.
