Building on the analysis produced for the European Commission's initial data protection consultation in 2009, European Digital Rights has submitted its second round of comments on the review of the 1995 Data Protection Directive.
One of EDRi's primary concerns with regard to the existing legal framework is the lack of predictability - due to vast differences in the way basic parts of the Directive are understood by Member States' authorities and courts as well as the powers and resources of national data protection authorities. This led EDRi to the conclusion that a directly applicable EU Regulation is needed, rather than the current situation, where 27 Member States have to implement a Directive into their national law, leading to these diverging implementations.
Another core problem to address is the plummeting costs of data processing which causes more and more data to be collected and used. Such processing will lead to ever-greater risks being taken with personal data unless legal provisions ensure that the risk-reward balance for data processors is adapted appropriately.
Processing of personal data by states comes in for particular criticism in EDRi's submission. The actions of Member States must be consistent with what they expect from private companies, and there are many examples of this not being the case. There are numerous examples of electronic patient records, e-government systems and public transport payment systems which do not respect “privacy by design”, data minimization and other key principles. Worse still, the broad exception given to Council of Europe Member States in that institution's Recommendation on profiling, which accepts in principle that the most basic of privacy protections, may be set aside by European governments.
Regarding data processing by companies, EDRi welcomes many of the policies described in the Commission Communication, such as data minimization, the right to be forgotten, rights of access and erasure of data etc, but points out that many of these rights are already in the existing legislation. The task at hand, therefore, is not to re-legislate for existing rights, but to establish why these rights are not readily enforceable.
Concerning new technologies, EDRi suggests that there are three trends which need to be taken into account - the exponential growth in personal data processing capabilities, the growing disconnection between data processing and physical location and the Internet of Things.
In order to improve implementation, EDRi called for increased implementation powers for national data protection authorities (DPAs) as well as a targeted reduction in the administrative burden. The reduction of the administrative burden should (and must) lead to national DPAs having more time and resources to devote to practical improvements in privacy protection for data subjects.
Both the change of legal environment as a result of the Lisbon Treaty and the increasing trend for data collected by private companies to be used for policing purposes means that it is essential to include data collected for policing purposes in the Directive. A strong data protection framework is the minimum price that should be paid for the levels of police and security cooperation that are currently demanded and enacted within the EU and between the EU and third states.
EDRi believes that a Regulation would be a better instrument to ensure clarification and simplification of rules for international data transfers. EDRi believes that the current “safe harbour” exceptions result in an opaque and unaccountable situation for data subjects. At the same time, EDRi feels very strongly about retaining the base principle that personal data should not be exported to jurisdictions without safeguards that are materially similar to those within the European Free Trade Area.
Finally, EDRi drew attention to a separate consultation that overlaps with the Commission's work on Data Protection - the Communication on the IPR Enforcement Directive. This latter Communication seeks to undermine the fundamental right to privacy by suggesting an opaque effort to “rebalance” rights to the benefit of so-called property rights. It is entirely and obviously unacceptable that the European Commission can simultaneously be negotiating ratification of the European Convention on Human Rights and seeking to undermine its core provisions.
A leaked draft of the European Commission's (EC) Green Paper on gambling provides some valuable insights into the Commission's views on web blocking. Firstly, contrary to Commissioner Malmström's repeated promises to the contrary, the leak shows that the Commission has no objections in principle to blocking being used against content other than child abuse. The document states that blocking of unlicensed gambling websites “might be justified”. The draft policy document goes on to describe what it sees as a key advantage of DNS blocking - that it can be used to hijack users' connections to direct them to approved sites.
Nonetheless, while in favour of blocking in principle, the document explicitly recognises that blocking is “technically challenging and costly” and that blocking will leave a “significant” residual level of illegal sites publicly available. In particular, and this is of importance for blocking in relation to child abuse material, the document says that regular updating of a blocking list will be “costly” - a point studiously avoided by the European Commission in the blocking debate so far.
Meanwhile, the Civil Liberties Committee of the European Parliament is getting ready for its vote on blocking next week. 342 amendments have been tabled to the Child Exploitation Directive as a whole, with 45 addressing the issue of Internet blocking. While there is a large consensus that blocking should not be mandatory on Member States, there is a wide divergence of opinion on whether blocking should be promoted or not by the Directive and whether “non-legislative” measures should be encouraged as a means of achieving blocking.
Among MEPs that have been diligently working on the dossier in the 22 months since the original proposal was made, there is widespread agreement that neither blocking nor non-legislative measures should not be promoted. However, numerous amendments have been tabled by MEPs that have never spoken in a single debate on the issue. When the vote happens, therefore, all will hang on the efforts by activists to contact MEPs and persuade them that blocking is dangerous and that extra-judicial actions by Internet access providers to restrict access to content would be wrong and contrary to the most basic principles of fundamental rights.
The Hungarian EU Presidency was met on 19 January 2011 with opposition and criticism due to the controversial media legislation Hungary has recently introduced. Some MEPs displayed white banners that read “censored”.
Viktor Orban, the Hungarian Prime-Minister started his speech by stating that the Hungarian government was willing to change the legislation if the European Commission finds it to be at fault, as the law is presently under its legal review to establish whether it contravenes the EU law. Orban added that Hungary would follow the EC opinion provided it was scrupulously objective, and insisted that Hungary should be treated like any other EU member state. Also, that a separation should be made between Hungary's EU presidency and Hungary's internal affairs.
Several MEPs expressed the opinion that the legislation ought to be scrapped entirely. The new law establishes a Media Council (MC) to ensure “balanced” reporting, and requires all media types to be registered, including online media such as forums and blogs.
Miklos Haraszti, former OSCE Representative on Freedom of the Media, explained that there are actually five interconnected legislative acts introduced in Hungary since June 2010 that were passed in a rush, at the end of the year, without any consultation.
According to the corroborated legislation, all media (including the Internet) are bound to provide “comprehensive, factual, up-to-date, objective and balanced coverage on local, national and European issues that may be of interest for the general public and on any event bearing relevance to the citizens of the Republic of Hungary and members of the Hungarian nation.” In Haraszti's opinion, the obligation of the registration for all news providers (including print and Internet-based ) is specifically forbidden in the Council of Europe guidelines.
The new Hungarian legislation stipulates high penalties, from 90 000 to 722000 Euro for infringements such as the provision of content that may potentially hurt any community. In order to verify the violations, MC may access any data, including legally protected information.. Refusal to offer the required data may bring a fine of up to180 000 Euro to any media provider..
The legislation thus puts the entire media under the power of a single governmental authority and, according to Judit Bayer, associate professor of media law at King Sigismund College in Budapest, the law is “unquestionably a serious attack on press freedom, and contrary to Article 2 of Lisbon Treaty, Article 10 of the European Convention of Human Rights and Article 19 of the International Covenant on Civil and Political Rights.”
On 21 January 2011, the European Commission sent a letter to the Hungarian government, giving them two weeks to answer the concerns related to this law. In case of an inadequate answer, Hungary may face legal action.
“The commission services have serious doubts as to the compatibility of the Hungarian legislation with Union law,” wrote Vice-President of the Commission in charge of the Digital Agenda, , Neelie Kroes.
The letter also refers to the provisions of the law that allow Hungary to fine broadcasters based outside the country for what is deemed hate speech, as well as the mandatory registration of all media, including websites, which appear to be incompatible with EU rules.
Based on a request for access to public information, Dnevnik daily newspaper has been able to access and publish information showing that a third of the wiretaps in Bulgaria have no proper legal coverage, being performed without an authorisation from a judge.
This is possible due to a “flexible” formulation of the procedure for requesting the interception of a person's communications. An internal directive issued by Boris Velchev, the prosecutor-general allows prosecutors to request eavesdropping without the authorisation of a judge when a criminal investigation has been opened.
According to Dvevnik, based on this procedure, 2 767 such cases of illegal eavesdropping have already taken place in seven months. The daily also revealed that, according to economists, Bulgaria spends 50 times more than the UK on eavesdropping.
While the Bulgarian press reveals a significant increase of eavesdropping under the government of Boyko Borissov, the Bulgarian Prime-Minister justifies the government eavesdropping as an important instrument in fighting organised crime.
The European Commission has recently requested information from the Bulgarian authorities related to the legality of the eavesdropping activities, following leaks into Galeria tabloid concerning taped phone conversations in which apparently Boyko Borissov spoke of the need to “protect” a controversial businessperson from customs checks. As a result of the scandal in the press, Borissov asked for a vote of confidence in the Parliament, which he won on 20 January 2011.
The ALDE group submitted on 21 January 2011 a question to the Commission asking clarifications over the application of the Bulgarian wiretap law, which infringes the Bulgarian Constitution, the provisions of the Lisbon Treaty, the ECHR and the European Charter of Fundamental Rights.
“The current Bulgarian scandal over the escalating use of Special Intelligence Means is a stain on the image of Bulgaria in the same way as the Hungarian media law this week taints the international image of that country. The data collected from the special services in Bulgaria is leaking widely and the only independent mechanism for control over the special services has been abolished. There is a widespread paranoia spreading amongst Bulgarian society. The European Commission should step in and uphold the rights of Bulgarian citizens under EU law before this situation gets out of hand,” said ALDE MEP Stanimir Ilchev.
The European Commission is expected to present a report in February on progress made by Bulgaria under the Cooperation and Verification Mechanism monitoring procedure.
In an open letter sent to the European institutions, several Romanian NGOs, including EDRi-member APTI Romania, demanded stopping data retention in Europe, following the decisions of the Constitutional Courts in Romania and Germany.
The letter asks the European Commission to take advantage of the evaluation process of the Data Retention Directive in order to correct the mistakes of the past and to nullify the Directive, as it has been shown there are difficulties in obtaining the relevant data regarding the efficiency of such a system. The Commission has also received clear examples of abuses and adverse effects on privacy.
The signatories underline that a Romanian implementation of the EU Directive on data retention is impossible, after the 2009 decision of the Constitutional Court that considered that the fundamental scope of the law (and thus of the Directive) - legal obligation to continuously and indiscriminately store telecommunication data- is unconstitutional.
They are also asking the competent European institutions to take note of the irreconcilable conflict between the telecommunication data retention and the human right to privacy and to act accordingly to respect the principles in the Charter of Fundamental Rights of the European Union.
The text is meant to remind, support and respect the decision of the Romanian Constitutional Court and not to put an EU Member State in a position that will breach its constitutional texts: “The decision stipulates that keeping all traffic data for all Romanian citizens is a measure that breaches human rights, as foreseen by the Romanian Constitution. Thus 'the legal obligation with a continuous character, generally applicable, of data retention (…) harms in an unacceptable way the exercise of the right to privacy or the freedom of expression.'”
The Spanish data protection authority (AEPD) has recently been focusing on a privacy-related campaign against major Internet intermediaries, accusing them to “have crossed the red line” in regard to protection of personal data on the Internet. Facebook, Google or Myspace are under scrutiny for their privacy policies and how they are respected.
On 17 January 2010, AEPD accused Google of invading personal privacy of users, arguing the company was in breach of the “right to be forgotten”, the Spanish law allowing people to control information about them. The Spanish Authority ordered the search engine company to remove links to more than 100 Spanish online articles and to delete links to websites that contained out of date or inaccurate information about a specific individual that complained to the AEPD.
Google argues that deleting results “would be a form of censorship”, that the company, as an intermediary, is not liable for the content of the materials it links to. Moreover deleting content is not the role of search engines but of publishers.
“We are disappointed by the actions of the Spanish privacy regulator. Spanish and European law rightly hold the publisher of the material responsible for its content. Requiring intermediaries like search engines to censor material published by others would have a profound, chilling effect on free expression without protecting people's privacy,” stated Peter Barron, Google's director of external relations for Europe.
But even if Google loses the case, the articles blocked by the search engine will still be available on the websites of the newspapers and journals that published the respective articles. However, Google will have to delete information about the concerned individuals from its Spanish site and respond to another 88 cases also brought to the Spanish regulator.
The case is closely followed by the European Union because its outcomes may have implications outside Spain, having in view that EU has already announced looking at how the application of the right to be forgotten is implemented in the online world. “Internet users must have effective control of what they put online and be able to correct, withdraw or delete it at will. What happens if you want to permanently delete your profile on a social networking site? Can this be done easily? The right to be forgotten is essential in today's digital world.” said Viviane Reding, European Commission's Vice-president, in a statement made in November 2010.
With France at the Presidency of the G20 group in 2011, Nicolas Sarkozy has recently announced the intention to convene a G20 meeting to discuss Internet and copyright issues, before the full G20 summit of heads of state and government in Cannes in November.
The French President has had the same discourse for some time now, having pushed the idea of a “civilised” Internet on various occasions since the signature in November 2007 of the so-called “Olivennes agreement”, which established the Hadopi authority.
The subject of a “civilised” Internet will also be discussed during the G8 meeting that will take place in Deauville, France, on 26 and 27 May 2011. “We will table a central question, that of a civilised Internet (….).We cannot consume as never before images, music, authors, creation, and not ensure the property rights for the person who put all the emotion, talent and creativity (…). The day we no longer remunerate the creation, we will kill the creation” said Sarkozy.
In the French government's opinion, expressed by Deputy Muriel Marland-Militello, France is the “world's pioneer of the civilised Internet”, thanks to Hadopi.
A pioneer who obstinately continues its efforts to promote its repressive three-strikes system with every occasion. In October 2010, an international conference on online freedom of expression was supposed to be organised by French minister of Foreign Affairs Bernard Kouchner.
A letter sent by Nicolas Sarkozy to Houchner shows that Sarkozy was trying to take the opportunity of the conference to promote Hadopi law establishing the three-strikes system.
In Sarkozy's opinion, the conference provided “the opportunity to promote the balanced regulatory initiatives carried on by France during these past three years, and in particular the HADOPI law in the field of copyright.”
In the meantime, Hadopi presented on 23 January 2011, on the occasion of MIDEM 2011 (Marché International du Disque et de l'Edition Musicale - International Market of the Record and Musical Edition) the results of its first study, performed between 25 October and 4 November 2010, on Internet usage in France.
The study revealed that half of the French Internet users engage in alleged illegal downloads. A rather unpleasant finding for Hadopi is that 29 % of the “pirates” admit to having started downloading during the last 6 months, meaning after the introduction of Hadopi law and the issuing of the first warnings by the authority. Moreover 50% of the “pirates” stated they did not intend to change their habits, irrespective of the authority's actions.
The study has also revealed that the persons who illegally download cultural goods are also the ones that spend more on culture than others who do not. The main obstacle to legal consumption of digital cultural goods is the price for 37% of users, while for 21% of them the reason is a lack of offer diversity, and only 13% state they are more used to “illegal consumption.”
The findings of the report are not quite in favour of Hadopi and only prove the inefficiency of the system.
European Digital Rights has published a study on the scale of measures being undertaken to outsource policing activities to private companies in the Internet environment and its significance for fundamental rights, transparency and openness on the Internet.
Internet intermediaries around the world are taking on more important roles in their states' efforts to address the dissemination of illegal online content and this trend is likely to become stronger as we move into a new environment of “extra-judicial sanctions” against consumers. With some notable exceptions, these activities are being forced onto Internet intermediaries rather than being demanded by them.
The study found that the term “self-regulation” is being inappropriately used to describe what is not self-regulation at all, but the monitoring, policing and even punishing of alleged illegal activities of citizens. Proposed legislation and “non-binding guidelines” are forcing intermediaries into a position in which they can no longer avail themselves of legal protections - where they are obliged, in effect, to police private online communications, often in blatant disregard of legal safeguards and even to impose sanctions for alleged infringements.
Should Internet intermediaries become privatised enforcement systems? The measures recently taken by Visa, Mastercard, PayPal and EveryDNS against WikiLeaks are a case in point. Even without WikiLeaks being charged with any particular crime, private companies have acted unilaterally against it.
The devolved enforcement initiatives documented in the report aim to persuade industry to engage in a vigilante system of monitoring and sanctioning; the report catalogues current international proposals, which include:
The encouragement of extra-legal measures to limit access to information, proactive policing of the Internet and the exclusion of law enforcement authorities in investigating serious crimes are factors that contribute to the weakening of the rule of law and democracy. Indeed, by taking responsibility away from legal authorities, such measures can result in serious crime, such as the publication of child abuse material online, being addressed by industry through cosmetic measures (such as blocking) rather than proper investigation and prosecution.
While these appear to be regressive steps away from freedom, the study found, for instance, that the European Commission appears far from perturbed by the dangers for fundamental rights of this approach and appears keen to export the approach. This process is gradually strangling the openness that is at the core of the Internet. This openness has enhanced democracy, has shaken dictatorships and has boosted economies worldwide. This openness is what we will lose through privatised policing of the Internet by private companies - what will we gain?