EDRi-gram - Number 8.15, 28 July 2010


EDRi and EuroISPA attack EC's demands for notice and takedown


EDRi and the European ISP Association (EuroISPA) have prepared a joint civil society/industry position on the European Commission's draft informal recommendation for the takedown of websites which have been accused of being illegal.

The recommendation's scope is nominally restricted to child abuse websites, terrorism and racism. However, the proposal already represents a "mission creep" of aspects of policies used for the removal of child abuse websites and, therefore, further "mission creep" into other areas can be considered inevitable.

The Commission's proposals cover three different scenarios:

a) requests for takedown of websites from law enforcement authorities, legal injunctions and formal legal orders. In this case, the Commission proposed that ISPs should delete websites without further deliberation.

b) notification by law enforcement authorities, complaint hotlines or "other body duly authorised or tasked under national law to monitor Internet content". In this case, the Commission also proposed that ISPs should delete the websites in question without any further deliberation.

c) notifications from citizens. In this case, the Commission proposed that ISPs should delete the websites in question if they were convinced that they are illegal.

The Commission goes on to suggest that Internet hosting providers could change their terms and conditions to give themselves more legal security when deleting websites.

In the joint letter, the associations argued that the assumption was that the websites were illegal whereas, in fact, no judicial ruling would have been made in most cases before the site was deleted. Furthermore, no subsequent judicial ruling has even been foreseen in this "cooperation".

The letter goes on to question why the proposal was made without any analysis of existing notice systems, the possible negative impact on subsequent investigation and prosecution of the criminals participating in such illegal activities (would these takedowns be undertaken instead of proper investigations/prosecutions?), the size of the problem and the changing practical implementations of the definitions of terrorism and hate speech.

EDRi and EuroISPA pointed out the legal obligations of the EU Member States with regard to the right to communication as defined in the European Convention on Human Rights and the International Covenant on Civil and Political Rights and also reminded the Commission of its own assessment of restrictions to these rights. For example, in the impact assessment for the child exploitation Directive, the Commission points to "the requirement that the interference in this fundamental right must be prescribed by law".

The letter concludes by stating that "finally, and surprisingly, in the context of 'public private cooperation', there is no obligation on public authorities to take responsibility for the enforcement process and to then investigate and prosecute the individuals behind the sites that are the subject of take down notices. The draft recommendations place the legal burden and the onus for the most urgent action on private companies, passing the risk from public authorities to private companies. This omission means that the draft recommendations risk not only infringing the fundamental rights of the accused, but also could seriously compromise the fight against illegal content through the legitimate, established means of law enforcement. Specifically, there is a real danger that enforcement agencies could exploit providers' terms of service to act against suspected legal infringements outside formal legal structures, undermining transparency, public accountability and legal certainty."

EDRi/EuroISPA letter (9.07.2010)
http://www.edri.org/files/090710_dialogue_NTD_illegal_content_EuroISPA...

EC's draft recommendations for Public-Private Cooperation (04.2010)
http://www.edri.org/files/Draft_Recommendations.pdf

Child exploitation impact assessment (25.03.2010)
http://eur-lex.europa.eu/LexUriServ/LexUriSer.do?uri=SEC:2009:0355:FIN...

(Contribution by Joe McNamee - EDRi)

WP29 criticizes the implementation of the EU data retention directive


The Article 29 Working Party (WP29) adopted, during its meeting on 12-14 July 2010, a report on the implementation of the European data retention directive 2006/24/EC, reaching the conclusion that the directive is currently not applied in a homogeneous manner by all EU member states.

The report, which is the result of a joint inquiry performed by data protection authorities in EU member states, shows that the European directive is interpreted and implemented differently in the EU countries. According to the directive, the member states may choose a retention period of between 6 and 24 months.

"The Article 29 Working Party is concerned to find that the directive does not seem to have been consistently implemented at domestic level. In particular it appears that it has been interpreted by Member States as if it was leaving open the decision on its scope," says the report.

Moreover, it is very difficult to assess the results of the directive due to the lack of significant statistics from the member states. WP29 is therefore calling on the European Commission to take its findings into consideration before taking a decision. The European Commission is to decide on the impact of the directive by 15 September 2010 and on whether it has to be amended or repealed.

The report shows that, in many cases, more data are being retained than is allowed. The data retention directive provides a limited list of traffic data to be retained, while the retention of data related to the communication content is explicitly prohibited. It seems, however, that such data are nevertheless retained and that several ISPs retain website URLs, headers of e-mail messages and even recipients of e-mail messages in "Carbon Copy". For phone traffic, it has emerged that the location of the caller is retained at the start of the call but is also monitored continuously.

WP29 mainly believes that the directive should be applied in a harmonised way in all EU countries and the report includes a series of recommendations for the change of the directive that would bring about a common ground but also ensure improved individuals' privacy rights, a more secure data transmission and standardized handover procedures.

"There are significant discrepancies as for the retention of Internet services traffic data categories, and the retention periods are also found to vary significantly in the individual Member States, whilst a more uniform picture emerges as far the retention of telephone traffic data categories is concerned. In many Member States' national laws a shorter retention period than the maximum allowed by the Directive proves to be the preferred option," says the report.

Therefore, the group recommends that the maximum retention period allowed be shortened and that consistency be ensured by removing the countries' right to choose a period. "In order to attain a level playing field the maximum retention period should be reduced and to set a single, shorter term to be complied with by all providers throughout the EU."

A lack of consistency also appears to occur in the type and amount of security measures related to the gathering of data. "Regarding information security, no homogeneous picture was found based on the enforcement exercise; indeed, the security measures can be said to vary with the providers' business size. Whilst larger providers were found to deploy technical and organisational measures that could ensure the appropriate security level for the retained traffic data, smaller providers would appear to afford lower security standards; indeed, most of them - mainly on account of cost-containment strategies - are unable to implement top IT security solutions protecting the traffic data," reads the report.

The group recommends also the strengthening of the traffic data security. "In a broader perspective, the overall security of traffic data 'per se' should be re-considered by the Commission." The report advises also that telecoms companies should be ordered to protect data with certain specified measures.

The data protection group hopes that the European Commission will take its recommendations into account when deciding on the fate of the European data retention directive.

This opinion is in line with the statement of over 100 organisations (including EDRi) from 23 European countries, which in June 2010 asked the EU Commissioners to entirely repeal the data retention directive.

Report 01/2010 on the second joint enforcement action: Compliance at national level of Telecom Providers and ISPs with the obligations required from national traffic data retention legislation (13.07.2010)
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp172_en...

Annex to the report (situation per countries) (13.07.2010)
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp172_an...

Privacy watchdogs urge more data retention harmonisation (16.07.2010)
http://www.out-law.com:80/page-11231

EDRi-gram: Data retention - time for evidence-based decision making (30.06.2010)
http://www.edri.org/edrigram/number8.13/data-retention-challange

Germany: Filtering by keywords is not an obligation for a hosting company


The Higher Regional Court of Düsseldorf decided on 21 July 2010 that RapidShare, as a hosting company, is not guilty of copyright infringement.

RapidShare has faced several cases in court for copyright infringement and in December 2009 lost a case in a local German court to Capelight Pictures movie studio which accused the site of not having taken all reasonable measures to counter the illegal distribution of one of its films.

However, after RapidShare appealed the decision, the Higher Regional Court of Düsseldorf overturned the 2009 decision. The court ruled that the hosting company had already taken more action against breaches of copyright on its platform than could reasonably be expected of it. After Capelight Pictures had found eight of its films on RapidShare, it requested their removal; RapidShare removed them and also blocked the account of the user who had posted them. It also took other measures to prevent a further violation.

The film studio claimed the hosting company could have taken further measures but the Higher Regional Court decided that filtering by key words was not an obligation of the hosting company.

The other measures invoked by Capelight Pictures were rejected as well. A manual control over all files posted on the site was considered impossible, as it would impose on the hosting site an unbearable human and financial effort and, at the same time, would harm the users' private life. Blocking all files with the same extension (.rar for instance) would also bring about over-blocking and, furthermore, the format says nothing about the content of the file.

"The ruling is a further step in the right direction. The previously common practice of copyright holders (suing) RapidShare on the off-chance there might be something to be gained from it, misunderstanding the realities it is operating within and showing contempt for its business model, will no longer bear fruit. The newest court rulings in Germany and the USA indicate this very clearly," stated RapidShare lawyer Daniel Raimer.

Christian Schmid, founder and CEO of RapidShare, also commented: "We are also pleased with the ruling because it is connected to a claim for compensation of costs. Copyright holders should therefore think very carefully in future about whether they wouldn't prefer to save themselves some time and above all the expense of suing RapidShare for something for which the company cannot be held liable."

This is the second decision of the kind obtained by RapidShare this year in Germany. The company also won a similar case in May 2010, in the US.

RapidShare Scores Another Win Against Movie Studio (22.07.2010)
http://torrentfreak.com/rapidshare-scores-another-win-against-movie-st...

RapidShare Wins New Procedure Against Capelight Pictures (22.07.2010)
http://www.examiner.comv/p479053~RapidShare_Wins_New_Procedure_Against...

Opposing keyword filtering, RapidShare won a victory in Germany (only in French, 23.07.2010)
http://www.numerama.com/magazine/16290-oppose-au-filtrage-par-mots-cle...

OLG Düsseldorf decides in favour of Rapidshare (only in German, 23.07.2010)
http://www.golem.de/1007/76709.html

Dutch Internet provider not obliged to block The Pirate Bay


The Court of The Hague, in a decision of 19 July 2010, dismissed a request by Dutch copyright enforcement organisation Brein to order Internet provider Ziggo to block access to The Pirate Bay.

In its decision in summary proceedings, the court states that it is only possible to grant a blocking order with regard to The Pirate Bay if Brein also shows that Ziggo's customers are using The Pirate Bay to infringe copyright. Brein did not prove this and blocking The Pirate Bay would affect all Ziggo's subscribers and not just the ones using The Pirate Bay.

In addition, the court also noted that a blocking order can only be granted if there are no less intrusive measures available. The court notes that going after individual infringers can be considered less intrusive. Brein has not done so.

Brein has lodged main proceedings to order Ziggo to block The Pirate Bay and has announced that it will appeal the decision in summary proceedings.

Decision (only in Dutch, 19.07.2010)
http://www.rechtspraak.nl/ljn.asp?ljn=BN1445

Dutch enforcement organisation requests blocking The Pirate Bay (5.05.2010)
http://www.edri.org/edrigram/number8.9/brein-asks-ziggo-blocking-pirat...

(Contribution by Ot van Daalen - EDRi-member Bits of Freedom - Netherlands)

Italy: New draft law endangers bloggers' freedom of expression


A group of Italian bloggers and journalists have issued an appeal, "No Legge Bavaglio alla rete" (No Gag Law to the Net), to support the campaign against a draft law that will add new barriers to freedom of expression on the Internet. The draft law, called the Wiretapping Bill, which is going to be discussed by the Italian Parliament on 29 July 2010, has raised many concerns among magistrates and journalists as well.

The present appeal refers to Article 1, paragraph 29 of the bill which extends the rectification obligation of the written press to all online publishers, including bloggers. According to the respective paragraph, "those responsible for information websites" will be obliged to post corrections within 48 hours from any complaint regarding website content (whether blog, opinion, comment or simple information), in the same form in which the contested content was originally put online. In case of non-compliance, the authors face fines of up to 25 000 euro.

An amendment to the paragraph was introduced by deputies Roberto Cassinelli and Roberto Zaccaria trying to soften the initial text, by proposing a longer period for the publication of the rectification and a 10 times lower fine. Among the changes introduced by the amendment there was the annulment of the rectification obligation for those web sites which had a limited number of visitors. Unfortunately, on 21 July 2010, the amendment was considered unacceptable, from a procedural point of view, and rejected without justification by Giulia Bongiorno, President of the Parliamentary Justice Commission.

Besides limiting freedom of expression, forcing bloggers to rectify within 48 hours will lead to the closure of many blogs, as this will be a practically impossible task. It implies that a blogger must register a legal domicile with some authority, facing the same bureaucratic formalities as the written press, and that he (she) will have to connect to the Internet every single day in order to check whether there is a request for correction and post the correction in due time. This would definitely discourage bloggers, who will hesitate to write on economic or political issues that might bother certain personalities.

Italian Internet users and bloggers are determined to step up their protest against the law in an attempt to influence the Italian Parliament in its decision, which could be taken on 29 July 2010.

"The Bill cannot be allowed to pass as it currently stands. We demand full and open Parliamentary debate on Article 1, paragraph 29 of the Bill, including consideration of the above amendments. Access to the Internet is set to become a fundamental human right in hundreds of countries around the world. We cannot force citizens to renounce that right here in our country," says the appeal "No Legge Bavaglio alla Rete".

DDL interceptions, amendment rejected (only in Italian, 23.07.2010)
http://punto-informatico.it/2952457/PI/News/ddl-intercettazioni-boccia...

That paragraph 29 kills blogs. We call it unacceptable! (only in Italian, 22.07.2010)
http://www.valigiablu.it/doc/160/quel-comma-29-ammazza-i-blog-inammiss...

No to the Law gagging the Net (24.07.2010)
http://ilnichilista.wordpress.com:80/2010/07/24/no-legge-bavaglio-alla...

With one swift attack - gagging the Web (only in Italian, 23.07.2010)
http://espresso.repubblica.it/dettaglio/colpo-di-mano-bavaglio-al-web/...

Italy: Internet press freedom under threat (27.07.2010)
http://www.opendemocracy.net/arianna-ciccone/italy-internet-press-free...

EDRi responds to European Commission consultation on creative industries


European Digital Rights has responded to the consultation organised by DG Culture of the European Commission on unlocking the potential of the cultural and creative industries.

The consultation defines its subject matter very widely and also covers both the online and offline environment.

EDRi's response builds on a range of analyses and statements made recently in or by the European institutions to illustrate the urgent need for a new, credible and sustainable approach to creativity online. It supports the view expressed in the consultation document that "ability to create social experiences and networking is now a factor in competitiveness." EDRi points to a recent study undertaken for the European Parliament which states that "existent models are often too rigid to allow full realisation of the possibilities of the digital mode of content production and distribution." As a result, we urge the European Commission to overhaul the chaotic and divisive regime for exceptions and limitations that creates, rather than removes, barriers to the internal market.

In the same vein, EDRi supports the analysis of the regulation on collecting societies recently carried out by EU Competition Commissioner Almunia, who says that "the fragmented national monopoly model and the de facto allocation of customers can no longer stand in their current form. Unregulated monopolies are not a great solution." It is crucial that barriers to the availability of creative content be removed in order to maximize the availability of content to consumers.

Finally, the EDRi document raises the dangers associated with treating Internet access providers as "gatekeepers" to the Internet. Currently, the European Commission, through "self-regulatory" discussions with internet intermediaries is trying to encourage removal of websites without judicial orders, surveillance of and warnings to users of peer to peer networks and large-scale funding for extra-judicial blocking of "illegal" online content. Increased involvement of online intermediaries in their consumers' use of the Internet, and blocking in particular, will increase the potential for non-neutral Internet access, thereby limiting the potential for online innovation and creating a competitive bottleneck - to the detriment of both creators and citizens.

Consultation document - Green paper - Unlocking the potential of cultural and creative industries
http://ec.europa.eu/culture/our-policy-development/doc/GreenPaper_crea...

EDRi answer to consultation (28.07.2010)
http://www.edri.org/files/cci_consultation_edri_100728.pdf

European Parliament study (05.2010)
http://www.europarl.europa.eu/activities/committees/studies/download.d...

Speech by Commissioner Almunia (7.07.2010)
http://europa.eu/rapid/pressReleasesAction.do?reference=SPEECH/10/365

(Contribution by Joe McNamee - EDRi)

ENDitorial: Industry RFID PIA: not endorsed in its current form


On 13 July 2010, the Article 29 Working Party adopted an opinion on the Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications (Industry RFID PIA framework) in which it concludes it would not endorse the proposed document in its current form. Another opinion on this framework published by the European Network and Information Security Agency (ENISA) earlier this month also identified some major issues and areas of improvement.

In its analysis, the Article 29 Working Party identified three critical concerns:

The first is that no section of the Industry RFID PIA framework explicitly requires the RFID operator to identify or uncover privacy risks associated with an RFID application and that it therefore is not possible to evaluate if the measures proposed by the operator are adequate or proportionate to the risks, since these risks have not been identified in the first place.

Secondly, based on its opinion on the concept of personal data, the Article 29 Working Party clarifies with regard to RFID-tags containing a unique serial number (e.g. the Electronic Product Code, EPC) that "if the tag is carried by a person (...), and if the tag contains a unique ID, then by definition the tag contains personal data" and that this is the case "regardless of the fact that the 'social identity' (name, address etc.) of the person remains unknown". Therefore, the Working Party explains that it is not sufficient to consider whether the location of persons will be monitored through RFID applications but that it is also crucial to analyse the risk of unauthorized monitoring beyond the perimeter of the application. The Industry RFID PIA framework fails to explicitly address this issue.

Thirdly, the Working Party refers to items 11 and 12 of the RFID Recommendation on RFID in the retail sector, and clarifies that these provisions mean that deactivation at the point of sale is the default behaviour unless the PIA concludes that tags remaining operational do not represent a likely threat to privacy or the protection of personal data.

In its opinion, ENISA concentrates on the methodological part of the framework and states that it "finds in this draft a very good starting point towards establishing a PIA framework." However, the major issue identified by ENISA is that the framework "is not based or does not follow a tested and comprehensive risk methodological basis, e.g. a risk management and an impact assessment methodology." Based on this major shortcoming, a lot of subsequent issues with the framework were identified by ENISA and recommendations given on how to address these shortcomings. In accordance with the concerns raised by the Article 29 Working Party, ENISA also states that the PIA process does not provide clear guidelines to identify the major risks and impacts of RFID applications regarding privacy and data protection.

Together, the opinions of the Article 29 Working Party and ENISA are an important contribution to the ongoing European debate on how to protect privacy and personal data in the area of RFID, a debate that culminated in May 2009 in the promising RFID Recommendation of the European Commission, part of which the Industry RFID PIA framework tries to implement.

While it is good to see that the European data protection and network security organisations responsibly and tirelessly provide their expertise to advance a privacy friendly development, it is rather strange that Industry - years after the RFID data protection debate started - still seems to have no full understanding of certain basic data protection principles (like the concept of personal data) and of what the obligations of RFID operators are.

This assumed lack of understanding results in a clear delay in the implementation of the RFID Recommendation, as the final RFID PIA framework was expected to be ready twelve months after the adoption of the Recommendation. Today, more than 14 months after the Recommendation was adopted, only a "starting point" for such a framework is available and a final result is not foreseeable in the near future, if the recommendations of ENISA and the Article 29 Working Party are taken seriously and the pace of the past months is maintained.

European Digital Rights and its members will use the coming weeks to assess this unsatisfying development and decide on how to best contribute to a timely development towards a proper protection of the fundamental rights to data protection and privacy in the area of RFID.

Article 29 Working Party: Opinion 5/2010 on the Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications (13.07.2010)
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp175_en...

ENISA: Opinion on the Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications of March 31, 2010 (July 2010)
http://www.enisa.europa.eu/media/news-items/enisa-opinion-on-pia

Article 29 Working Party: Opinion 4/2007 on the concept of personal data (20.06.2007)
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_en...

EDRi-gram: Industry proposed RFID Privacy Impact Assessment Framework (19.05.2010)
http://www.edri.org/edrigram/number8.10/rfid-privacy-impact-assesment-...

Commission Recommendation on the implementation of privacy and data protection principles in applications supported by radio-frequency identification (12.05.2009)
http://ec.europa.eu/information_society/policy/rfid/documents/recommen...

EDRi-gram: EP calls for a clear legal framework for the Internet of Things (30.06.2010)
http://www.edri.org/edrigram/number8.13/european-parliament-on-interne...

(Contribution by Andreas Krisch - EDRi)

Recommended Reading


Overview of data sharing - EU information management instruments (20.07.2010)
http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/10/349&am...
http://ec.europa.eu/commission_2010-2014/malmstrom/archive/overview_in...

EDPS calls for a comprehensive data protection framework for the Internal Market Information System (27.07.2010)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/...

FSFE Welcomes New 'Software Interactions' Document From The European Legal Network (19.07.2010)
http://www.fsfe.org/news/2010/news-20100719-01.en.html

Agenda


29-31 July 2010, Freiburg, Germany
IADIS - International Conference ICT, Society and Human Beings 2010
http://www.ict-conf.org/

2-6 August 2010, Helsingborg, Sweden
Privacy and Identity Management for Life (PrimeLife/IFIP Summer School 2010)
http://www.cs.kau.se/IFIP-summerschool/

31 August - 3 September 2010, Budapest, Hungary
OpenOffice 2010 Conference
http://www.ooocon.org/index.php/ooocon/2010

11 September 2010, Europe
International action day "Freedom not Fear - Stop the Surveillance Mania!"
http://wiki.vorratsdatenspeicherung.de/Freedom_Not_Fear_2010

13-17 September 2010, Crete, Greece
Privacy and Security in the Future Internet 3rd Network and Information Security (NIS'10) Summer School
http://www.nis-summer-school.eu

14-16 September 2010, Vilnius, Lithuania
Internet Governance Forum 2010
http://igf2010.lt/

20-21 September 2010, Helsinki, Finland
Finnish Internet Forum
http://internetforum.fi

8-9 October 2010, Berlin, Germany
The 3rd Free Culture Research Conference
http://wikis.fu-berlin.de/display/fcrc/Home

25-26 October 2010, Jerusalem, Israel
OECD Conference on "Privacy, Technology and Global Data Flows", celebrating the 30th anniversary of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
http://www.oecd.org/sti/privacyanniversary

27-29 October 2010, Jerusalem, Israel
The 32nd Annual International Conference of Data Protection and Privacy Commissioners
http://www.privacyconference2010.org/

28-31 October 2010, Barcelona, Spain
oXcars and Free Culture Forum 2010, the biggest free culture event of all time
http://exgae.net/oxcars10
http://fcforum.net/10

3-5 November 2010, Barcelona, Spain
The Fifth International Conference on Legal, Security and Privacy Issues in IT Law. Call for papers deadline: 10 September 2010
http://www.lspi.net/

17 November 2010, Gent, Belgium
Big Brother Awards 2010 Belgium
http://www.winuwprivacy.be/kandidaten