EDRI-gram - Number 20, 22 October 2003


Expert meeting on spam in Brussels

With only a few days to go before the 31 October deadline for the transposition of the new Directive for Privacy and Electronic Communications, on 13 October the Commission organised a public workshop about spam. More than 200 public and private stake-holders attended, ranging from government representatives to consumer & civil rights groups and from data protection authorities to spokespersons for both internet and mobile telephony companies. Later this year, the Commission will produce a (non-binding) communication based on the results of the workshop.

In his opening speech, Erkki Liikanen, the Commissioner for Enterprise and the Information Society, summed up 3 main tasks for member states after the entry into force of the directive: enforcement, consumer self-help and awareness, and international co-operation.

To date, only Austria, Belgium, Denmark, Italy and Austria have enacted the opt-in regime; the other member states have yet to follow. When asked about the progress in negotiating a spam-ban with the United States, Liikanen referred to private anti-spam initiatives by US internet service providers. The United States currently doesn't even have an opt-out regime, and Liikanen remarked that it was very difficult to convince US politicians of the need to take measures, since they consider mail a very important communication channel with their constituency and are afraid of restricting it.

Discussing the need for complaints mechanisms, EDRI pleaded for Commission support for national or even Europe-wide spam-boxes as the easiest way for European citizens to get redress for complaints about spam. The representative from the European Coalition against Unsolicited Commercial Email (Eurocauce) supported the need for cross-border monitoring and enforcement. The Commission said they would gladly intensify collaboration with the Data Protection Authorities after the 31st of October. When asked by the Commission about their experiences with a national spam mailbox, representatives from the French and Belgian DPA answered that both pilot projects had stopped. Both concluded that a national initiative would never suffice, and called on the Commission to help with cross-border enforcement. Though the Commission saw no possibility for further (civil law) harmonisation of fines, the future framework decision on attacks against information systems will create a penal law solution against (fraudulent) spam.

In February 2004 the OECD will host a conference on spam. The Commission hopes this will encourage more countries to switch to an opt-in regime. Given the particularly slow implementation rate of the previous privacy directives, it comes as no surprise that the spam-ban will not be evaluated before 2006.

Commission: results of questionnaire (01.10.2003)
http://europa.eu.int/information_society/topics/ecomm/doc/highlights/c...

199 amendments on IP enforcement directive

Last Monday, the European Parliament's Judicial Affairs Committee (JURI) should have discussed its Report on the Enforcement of Intellectual Property Rights. But the agenda was so overcrowded that the Rapporteur, French MEP Janelly Fourtou, could only make some introductory remarks before the session was over.

Overwhelmed by the large number of amendments (199), the Parliament's translation service failed to present translations into all of the EU's eleven official languages, leaving Parliamentarians with nothing more than English, Greek and Danish versions of the 159-page document, which were presented only hours before the discussion was going to take place.

Mrs. Fourtou, who would like to see the report become applicable law before the Enlargement of the Union and EU-wide Parliamentary elections next summer, had to announce that the initial schedule was going to be postponed.

Mrs. Fourtou has been under attack from a large number of her Parliament colleagues, even from within her own Conservative Group. She is criticised for introducing a set of amendments criminalising even small-scale file sharers - and for her defence of an article in the draft directive that constitutes a violation of the EU's rules of procedure.

Article 20 of the draft directive deals with criminal law provisions for infringements of intellectual property rights. Some of the sanctions foreseen pre-empt a possible decision by a Court of Justice on whether such an infringement has taken place at all, and therefore constitute so-called substantive law. In the EU's complicated lawmaking process, which foresees different procedures for different fields of competence, creating substantive criminal law is still an intergovernmental competence and cannot take place under the co-decision procedure.

Four of the amendments aim at deleting Article 20, but Mrs. Fourtou and Commission officials alike are not willing to even discuss this. The initial discussion of the Report will now, it seems, take place either on Tuesday, November 4th - the date initially foreseen for the vote in the Committee - or on November 6. The vote in the Committee would then take place either on November 26 or the following day, which would mean the vote in Plenary would have to take place in the week following December 15.

EU Commission: Proposal for a Directive on measures and procedures to ensure the enforcement of intellectual property rights COM (2003) 46
http://europa.eu.int/eur-lex/en/com/pdf/2003/com2003_0046en01.pdf

Janelly Fourtou's Draft Report on this Directive
http://www.europarl.eu.int/meetdocs/committees/juri/20031020/498789en....

199 Amendments to the Fourtou Report
http://www.europarl.eu.int/meetdocs/committees/juri/20031020/509224en....

Law Professors criticise IPR Enforcement Directive
http://www.cl.cam.ac.uk/ftp/users/rja14/cornish.pdf

(Contribution by Andreas Dietl, consultant on EU privacy issues)

Still no EU Data Protection Supervisor

The European institutions can't agree on the appointment of a European privacy czar. The European Parliament insists on choosing Joaquín Bayo Delgado, who has no experience in data protection issues, as the new EU Data Protection Supervisor. The Council favours the Dutch Data Protection Commissioner Peter Hustinx.

Jorge Salvador Hernández Mollar, the President of the European Parliament's Committee on Citizens' Freedoms and Rights, Justice and Home Affairs (LIBE), recently made a move to break the blockade between the Parliament and the Council on the issue. In a letter sent on 10 October to Umberto Vattani, the Permanent Representative of Italy with the European Union, Mr. Hernández expresses the hope that "each institution should accept the first choice of the others", which seems to be diplomatic language meaning that the Council should accept the choice of the Parliament.

LIBE's indicative vote on 20 May showed a slight but clear majority of votes for Joaquín Bayo Delgado, the only candidate from the nine-person list with no experience in Data Protection whatsoever. The Greek Council Presidency made it known to the Parliament that it would not accept this candidate. The Council instead favoured Peter Hustinx, the Dutch Data Protection Commissioner, who has indeed been very active on the international scene.

In an informal meeting following the vote both institutions agreed to disagree, sticking to their different candidates. The rules for the nomination of the Data Protection Commissioner and his Assistant did not foresee any procedure for such a situation. Blame it on the rules - since then, the silence between the Council and Parliament was only interrupted by occasional letters confirming to the respective other side that the authors were still not willing to leave their positions. Mr. Hernández, it seems, was hoping for the Greek Presidency to be replaced by Italy, whose government is politically closer to his own Spanish Popular Party. The two parties are also in the same Group within the European Parliament, the Conservative PPE. The fact that Italy has still not reacted, however, may be an indication that the split doesn't follow party lines, but that the question is understood as a national issue. The other outspoken backer of Mr. Bayo Delgado, besides Mr. Hernández, is Ana Terrón i Cusí. She is a member of the Social Democrat PSE Group, but she is Spanish, as are Hernández Mollar and Bayo Delgado.

The procedure of choosing an EU Data Protection Supervisor started one year ago.

EU Commission: EU Data Protection Supervisor
http://europa.eu.int/comm/internal_market/privacy/application_en.htm

Outsider recommended as new EU Data Protection Supervisor (EDRI-gram 9)
http://www.edri.org/cgi-bin/index?funktion=view&id=000100000098

EU data protection supervisor: contest not over yet (EDRI-gram 10)
http://www.edri.org/cgi-bin/index?funktion=view&id=000100000099

(Contribution by Andreas Dietl, consultant on EU privacy issues)

First decision against spam in Poland

The Polish agency for Competition and Consumer Protection recently condemned a spammer for the first time. According to the agency, the Firm Edukacyjna Impuls Plus from the city of Grudziadz had violated the Provision of Electronic Services Bill by sending unsolicited commercial mail. The businessman was ordered to stop such actions and to publish a special announcement in the Gazeta Wyborcza (one of the most popular daily newspapers in Poland).

It is the first decision against a spammer in Poland and it is based on administrative law. Nobody has yet tried to challenge the phenomenon on the ground of private law.

The Polish law on the provision of electronic services was enacted on 18 July 2002, partially transposing both the directive on electronic commerce (2000/31/EC) and the directive on privacy and electronic communications (2002/58/EC).

The Polish regulation imposes a ban on sending unsolicited commercial messages to private persons by means of electronic communication, especially electronic mail. Legally, spamming is considered to be unfair competition in the interpretation of the law on Fighting Unfair Competition.

But the issue is quite complex. "The attempts to answer some questions connected with the use of information and communication technologies in a normative context, face many difficulties when it comes to defining certain terms" - the lawmakers said. One of the problems the Poles face is the fact that the law only protects against spam with a clear commercial character.

Legal analysis of the anti-spam decision (in Polish)
http://www.vagla.pl/skrypts/spam_delikt_nieuczciwej_konkurencji.htm

Polish - English translation service
http://www.translate.pl

(Contribution by Piotr VaGla Waglowski, Internet Society Poland)

'Mandatory data retention is unlawful'

A legal opinion commissioned by EDRI-member Privacy International and provided by the law firm Covington & Burling concludes that mandatory data retention plans in the EU are unlawful.

The opinion, which relates to an EU framework directive on the retention of communications data, has profound ramifications for ten EU states that have implemented, or are planning to implement, measures to place communications users under blanket surveillance.

The opinion states: "The data retention regime envisaged by the (EU) Framework Decision, and now appearing in various forms at the Member State level, is unlawful. Article 8 of the European Convention on Human Rights (ECHR) guarantees every individual the right to respect for his or her private life, subject only to narrow exceptions where government action is imperative. The Framework Decision and national laws similar to it would interfere with this right, by requiring the accumulation of large amounts of information bearing on individuals' private activities. This interference with the privacy rights of every user of European-based communications services cannot be justified under the limited exceptions envisaged by Article 8 because it is neither consistent with the rule of law nor necessary in a democratic society."

The opinion continues: "The indiscriminate collection of traffic data offends a core principle of the rule of law: that citizens should have notice of the circumstances in which the State may conduct surveillance, so that they can regulate their behaviour to avoid unwanted intrusions. Moreover, the data retention requirement would be so extensive as to be out of all proportion to the law enforcement objectives served. Under the case law of the European Court of Human Rights, such a disproportionate interference in the private lives of individuals cannot be said to be necessary in a democratic society."

A series of regulations (Statutory Instruments) recently laid before the UK Parliament intends to create a legal basis for comprehensive surveillance of communications. The regulations will allow an extensive list of public authorities access to records of individuals' telephone and Internet usage. This 'communications data' - phone numbers and e-mail addresses contacted, web sites visited, locations of mobile phones, etc. - will be available to government without any judicial oversight. Not only does government want access to this information, but it also intends to oblige companies to keep personal data just in case it may be useful.

Privacy International
http://www.privacyinternational.org/

EU health chip

The European Union has taken steps towards the creation of an EU-wide health identity card. By 2008 there will be a new card with a microchip that can store a range of biometric and personal data. Approved by Union ministers in Luxembourg, the plastic disk will slide into the credit-card pouch of a wallet or purse.

The European Health Insurance Card is intended to replace forms currently used by travellers who fall ill in other EU countries. Eventually it will replace a plethora of other complex forms needed for longer stays.

During the first phase - starting on 1 June 2004 - each country will be able to choose whether to include photographs, fingerprints and biometric data, such as eye measurements, on the 'national' side of the card. The ultimate objective is to have an electronic chip on the card as the technology improves.

European health insurance card
http://europa.eu.int/comm/employment_social/news/2003/feb/hicard_en.ht...

Dutch Big Brother Award for Minister of Justice

The Dutch Big Brother Awards were presented in front of a 300-person audience in Amsterdam on the 11th of October. The Awards go to the person, company, governmental institution and initiative that damaged the privacy of citizens the most in 2003. The 4 winners of 2003 are: Minister of Justice Piet Hein Donner; several major law firms; the Immigration and Naturalisation Service; and the legal proposal to introduce compulsory identification.

According to the jury, Minister Donner seems to be on a personal mission to destroy the right to privacy. The minister was awarded for a long list of proposals and determined efforts to shift the balance between privacy and safety. The minister is in particular responsible for the legislative proposal for compulsory identification for all persons from the age of 14.

The second Big Brother Award is awarded to several Dutch law firms for using the services of investigation office Mariendijk. Under false pretences the office managed to extract very privacy-sensitive information from banks and social security offices.

The Immigration and Naturalisation Service (IND) receives the Award for storing all e-mails of all employees for an undetermined period of time.

Finally, the jury crowned the legal proposal for compulsory identification with an Orwellian Award. This proposal requires all persons to carry ID at all times from the age of 14. People unable to immediately show a valid passport, driver's licence or identity card risk a fine of 2250 euro.

Since Privacy International presented the first Big Brother Awards in 1998, an international tradition has begun. By now, more than 40 ceremonies have taken place in 15 different countries. In the next two weeks several Award ceremonies are scheduled in Germany, Spain, Austria, Switzerland and Hungary (see agenda below).

Dutch Big Brother Awards
http://www.bigbrotherawards.nl/index_uk.html

Big Brother Awards International
http://www.bigbrotherawards.org/

White paper on notice and take-down

The RightsWatch Project, a research project funded under the European Commission's Information Society Technology programme, produced a white paper on notice and take-down of websites.

During a two-year project RightsWatch tried to develop consensus between providers, right holders and internet users about self-regulatory notice and take-down (NTD) procedures. The attempts failed miserably, since self-regulation requires at least some willingness to achieve consensus. While right holders insisted on immediate take-down after any (unsubstantiated) complaint, internet users objected to private censorship by internet providers, and internet providers dreaded their position in the middle. The European Commission and Parliament refused to solve this problem in the directive on electronic commerce (2000/31/EC), leaving it up to market forces to guarantee freedom of speech online, instead of referring these complex issues to independent courts.

White Paper (October 2003)
http://www.rightswatch.com

Report of WSIS prepcom 3

From 15 to 26 September 2003 governments and civil society assembled in Geneva for the third preparatory conference for the World Summit on the Information Society. The two weeks ended with many key issues still unresolved, and with a last-minute proposal to reconvene for an extra session from 10 to 14 November.

EDRI members IRIS (FR) and Digital Rights (DK) participated as co-ordinators of the Human Rights caucus, currently made up of 32 organisations. EDRI-member EFFI also participated, as part of the Finnish delegation. The HR caucus presented oral statements to the plenary government meetings, to the EU-group, and to the two governmental working groups on communication rights and privacy/security, respectively. Furthermore, drafting proposals were made both for the Declaration of Principles and Plan of Action.

Some of the key messages of the HR Caucus were:

The WSIS documents need to build on the human rights framework and standards, and general HR principles on equal rights and non-discrimination must be ensured at all levels of IT policy and action plans. Secondly, the right to privacy should be acknowledged in a new Article 34a, and thirdly, the concept of "information security" should not be used, as it may be used to legitimise censorship. Instead the term 'network security' is proposed.

The HR caucus also issued a petition against the nomination of General Habib Ammar as President of the preparatory committee of the second phase of the Summit to be held in Tunisia in 2005. Furthermore, the HR Caucus wrote a protest letter on the exclusion of Reporters sans Frontières and Human Rights China from the WSIS process (see EDRI-gram 18).

Statements, input and Tunisia petition HR caucus
http://www.iris.sgdg.org/actions/smsi/hr-wsis/

(Contribution by Rikke Frank Joergensen, Digital Rights)

Recommended reading

A number of well-known information security specialists have written an opinion on the security risk resulting from Microsoft's monopoly.

"Most of the world's computers run Microsoft's operating systems, thus most of the world's computers are vulnerable to the same viruses and worms at the same time. The only way to stop this is to avoid monoculture in computer operating systems, and for reasons just as reasonable and obvious as avoiding monoculture in farming."

The authors recommend government intervention "to confront the security effects of monopoly and acknowledge that competition policy is entangled with security policy from this point forward". They also have a few short-term recommendations for Microsoft such as publication of certain specifications.

One of the authors, Daniel Geer, Chief Technical Officer for @stake, was fired because of the report. @stake said that Geer had been sacked because he had not gained its approval for release of the report, which presented opposing views to those of the company.

CyberInsecurity: The Cost of Monopoly
http://www.ccianet.org/papers/cyberinsecurity.pdf