EDRI-gram - Number 24, 18 December 2003

Hustinx new EU data protection commissioner

Peter Hustinx, the Dutch data protection commissioner, will be elected today as the new EU data protection commissioner.

The Conference of Presidents, composed of the heads of the Political Groups in the European Parliament, decided to back down from their original idea to give the position to the Spanish magistrate Joaquín Bayo Delgado. He will now be appointed Assistant Commissioner. The decision will be made public today, after the Council has approved it.

Back in May Bayo Delgado, backed by an informal coalition of Spanish MEPs, won a test vote in the European Parliament Interior Affairs committee. Civil liberties organisations responded with surprise because he was the only candidate on the list with no record of data protection or privacy advocacy at all.

By contrast, Hustinx is well known, has many contacts with the Commission in Brussels and is a regular visitor and contributor to events on EU data protection. Many Brussels insiders therefore regarded him as the 'natural candidate'.

(Contribution by Andreas Dietl, EDRI EU affairs director)

PNR: EU Commission negotiates breach of law

On 16 December the European Commission presented the long-awaited outcome of its negotiations with the U.S. Department of Homeland Security on the transfer of Passenger Name Record (PNR) data to the U.S. As expected, the outcome is a foul compromise, creating a permanent breach of law.

According to European data protection principles, personal data can only be transferred from Europe if the recipient has an adequate level of data protection. In the case of PNR data, the Commission will always issue a finding of adequacy in order to legitimise the transfer already taking place. The outcome of the finding - quite a lengthy procedure - is thereby already anticipated: it has to be positive, or the EU Commission and the aviation industry would be in trouble.

The proposed solution to the problem is the development of a 'push' system in which data are actively transmitted to the USA after the unnecessary information has been filtered out. That future development is now also used to justify current practices.

In order to make the agreement more acceptable for the EU, the U.S. have reduced their demand from 60 data fields per passenger to 34, and promised to retain the data for 'only' 42 months instead of 50 years, as they had intended originally. In addition, they assure that the data will not be shared with any other agencies outside the homeland department. There is no way, however, to assure that any of this is going to happen.

The Commission says that Homeland's chief privacy officer "has agreed to receive and handle in an expedited manner representations from Data Protection Authorities in the EU on behalf of citizens who consider that their complaints have not been satisfactorily resolved by the department". But the chief privacy officer is not independent: she works under the department's chief, Tom Ridge.

The European Parliament's response was divided. The rapporteur on this subject, Liberal MEP Johanna Boogerd-Quaak, called on commissioner Bolkestein to bring the matter to the European Court of Justice himself, instead of waiting for Parliament to do it.

Meanwhile, the European Union has a project of its own aiming at obliging third countries to transfer flight passengers' personal data. The report, going back to a Spanish initiative, is currently being dealt with in the LIBE Committee. It is being justified by the presumed need 'to combat illegal immigration effectively'. The big difference with the U.S. demands is however that, presently at least, the data comprises only "the number of the passport or travel documents used, nationality, first name and family name(s) and the date and place of birth", and are to be deleted "after the border checks on passengers have been completed". In the future the EU aims at "the creation of a multilateral framework for PNR Data Transfer within the International Civil Aviation Organisation (ICAO)". The intention is clear: When PNR transfer is part of an international agreement under the ICAO, a UN body, EU concerns with data protection will have to step back - and the Commission can avoid more lengthy negotiations.

Communication from the Commission to the Council and the Parliament: Transfer of Air Passenger Name Record (PNR) Data: A Global EU Approach (16.12.2003)
http://europa.eu.int/comm/internal_market/privacy/docs/adequacy/apis-c...

Statewatch: EU: Commission "compromises" and agrees on handing over passenger data to USA (18.12.2003)
http://www.statewatch.org/news/2003/dec/11euuspassengerdeal.htm

Initiative of the Kingdom of Spain with a view to adopting a Council Directive on the obligation of carriers to communicate passenger data (25.03.2003)
http://www.europarl.eu.int/meetdocs/committees/libe/20031216/0761en.pd...

Edward Hasbrouck's Practical Nomad blog
http://hasbrouck.org/blog/archives/000090.html

(Contribution by Andreas Dietl, EDRI EU affairs director)

WSIS report - the long way ahead

The first phase of the World Summit on Information Society (WSIS) ended in Geneva last week, after more than 18 months of preparatory process. Its two outcomes are a Declaration of Principles and a Plan of Action, both enthusiastically adopted by government representatives, though hardly discussed until the last hour.

A major outcome is also the civil society (CS) alternative Declaration. Entitled 'Shaping Information Societies for Human Needs', this document was proposed by CS as part of the official outcomes of the Summit, after having collectively decided that "their voices and the general interest they collectively expressed are not adequately reflected in the Summit documents." CS has previously provided 'Essential Benchmarks' against which the outcomes of the WSIS process and the commitment of all stakeholders to achieve its mandate will be assessed.

Many observers said that WSIS has been much ado about nothing. As a matter of fact, the most contentious issues have been delayed by government representatives to the second phase of WSIS, to be held in 2005. Among these issues are internet governance and so-called digital solidarity. They remain on top of the 'wait and see agenda', with non-binding calls to the United Nations Secretary-General to establish on the one hand a Working Group "in an open and inclusive process ... to investigate and make proposals for action, as appropriate, on the governance of Internet" and on the other hand a Task Force to complete "a thorough review of [existing financial mechanisms] adequacy in meeting the challenges of ICT for development".

Even the declaration from the Civil Society is full of cautious - and sometimes contradictory - statements, showing how diverse the CS groups are that participated in WSIS, and how difficult it is to build a common vision of the information society.

The official Declaration of principles and Plan of Action will be assessed by many regional and thematic civil society groups. One group has already done that, the WSIS CS Human Rights Caucus. Set up and coordinated by EDRI members, this group has been very active since the early beginnings of the WSIS process, in order to put human rights on the agenda. Now including more than 45 organisations from all over the world, the caucus held a press conference at the end of WSIS to express its relief that in the end, the WSIS Declaration included many principles supported by the caucus, after even the simplest references to the Universal Declaration on Human Rights had been debated and contested right up until the last hour.

However, the WSIS CS human rights caucus deplores the absence of any reference to the fundamental principle of non-discrimination as well as to international labour standards. It further deplores the continuing emphasis on the creation of a 'global culture of cyber-security' which aims at enhancing trade instead of implementing human rights. The caucus remains concerned that the rule of law and the regulatory framework are expected to 'reflect national realities' instead of being consistent with the international human rights treaties. Moreover, the Plan of Action is devoid of any mechanism to advance the human rights agenda, while the human rights caucus had proposed the establishment of an Independent Commission on the Information Society and Human Rights to monitor practices and policies on human rights and the information society. This is particularly urgent given the tendency in many countries - both North and South - to sacrifice human rights in the name of 'security'.

However, beyond all these major problems, WSIS has been a true success in showing the whole world - be it through contradictions and lack of concrete outcome - that the information society is not just about pipes, and that the so-called digital divide simply reflects the social, economic, and cultural divide among and within the nations. This success is the major outcome of civil society participation in the first-ever UN Summit on Information and Communication issues, but there is still a long way ahead to realise CS aspirations of building information and communication societies that are people-centred, inclusive and equitable and "where development is framed by fundamental human rights and oriented towards achieving a more equitable distribution of resources".

Finally, WSIS provided great opportunities for civil society networking. Among the huge number of side events organised during WSIS, the World Forum on Communication Rights attracted a large international audience of human rights activists and grass-root organizations. The WSIS CS human rights caucus, which co-organised this Forum, held a session on 'Communication and Human Rights: No Development without Democracy, no Democracy without Development'. In addition to Aminata Traoré's strong keynote speech, the caucus provided a forum for voices that have been silenced by authoritarian governments. Sharon Hom from Human Rights in China and Souhayr Belhassen from the Tunisian Human Rights League were given the opportunity to demonstrate that, while China and Tunisia are not the only countries with serious human rights problems, they prove that infrastructure alone is not enough.

WSIS official documents (English, soon available in all 5 UN languages)
http://www.itu.int/wsis/

WSIS CS documents (English, French, Spanish) and reports on WSIS (English, German)
http://www.worldsummit2003.de/

WSIS CS Human Rights Caucus actions, communications and documents (English, French)
http://www.iris.sgdg.org/actions/smsi/hr-wsis/

World Forum on Communication Rights (English, French, Spanish)
http://www.communicationrights.org/

(Contribution by Meryem Marzouki, IRIS and co-coordinator of the WSIS CS Human Rights Caucus)

No criminal sanctions in IPR enforcement directive

There will be no criminal sanctions in the proposed European directive on
the enforcement of intellectual property rights after all. In the previous
edition of EDRI-gram there was a report about an amendment of MEP Mercedes
Echerer (Greens, Austria) on Article 20 that would re-introduce sanctions
in criminal law, even for private and relatively small-scale infringements.

As it turned out, Mrs. Echerer later withdrew this amendment and replaced
it with a much milder one, deleting the criminal law sanctions and
calling merely for 'appropriate sanctions'. The secretariat of the Legal
Affairs Committee (JURI) of the European Parliament could not keep up with
the different amendments from the Austrian MEP, and put an old version on
the voting list. Unknowingly, most MEPs voted in favour of the mild regime.
It seems that even Mrs. Echerer herself was uncertain which of her
amendments had gotten adopted.

The amendment may, however, still be challenged in the Plenary where,
according to the present schedule, the report will be voted between 9 and
11 February. (There is also a small chance that it will appear on the
earlier agenda of 28 and 29 January.) If the milder version is not
accepted, the version contained in the Commission Draft - including
criminal sanctions - will get adopted.

If this should happen, the criminal sanctions might be deleted by the
Council, who may with some justification claim that criminal law is a
so-called Third Pillar issue that must not be decided in the co-decision
procedure. It seems that the Council and the Commission have already found
agreement to deal with the issue of criminal law sanctions in a way
foreseen by the EU rules of procedure, namely in the form of a Framework
Decision. Such a decision is currently in 'a very early stage of
preparation' in the Justice and Home Affairs Directorate General of the
Commission.

Consolidated version of the JURI vote (05.12.2003)
http://www.miu-ft.org/~sama/P5_A(2003)0468_EN.pdf

(Contribution by Andreas Dietl, EDRI EU affairs director)

Dutch Lower House accepts compulsory identification

On 16 December the Dutch Lower House accepted a legal proposal to introduce compulsory identification for all persons from the age of fourteen. People unable to immediately show a valid passport, driver's license or (cheaper) identity card risk a fine with a maximum of 2.250 Euro. Refusal will constitute a criminal offence. Every police officer, including military police, any extraordinary law enforcement agent and any police-related supervisor/watcher may ask for proof of identity. According to the explanatory statement the police must have a reasonable cause related to their task to ask for ID, but there is no need for an actual suspicion of an offence.

In spite of criticism from the Dutch Data Protection Authority, the Association for the Jurisdiction, the Council of State (an advisory body to the government) and a strongly worded last-minute open letter from EDRI-member Privacy International, the Minister of Justice found a large parliamentary majority for his proposal, made up of conservatives, liberals, social democrats and Christian democrats.

Though formally there is only an obligation to show ID when asked, in practice carrying identification will be compulsory, given the examples of minister Piet Hein Donner. He mentioned the need to be able to demand ID from any (involuntary) witness to an accident, besides the need to be able to identify people that cycle on the pavement or allow their dogs to relieve themselves there.

Especially the 'eye-witness' argument offends a core principle of the rule of law: that citizens should have notice of the circumstances in which the State may conduct surveillance, so that they can regulate their behaviour to avoid unwanted intrusions.

In its open letter to all Members of Parliament, Privacy International announced that it would take legal steps and challenge this legislation in court, for violating the European Convention on Human Rights and the UN Declaration on the Rights of the Child.

Donner seems confident that the Senate will accept the proposal just as hastily as the Lower House, planning to introduce the new law by the 1st of January 2005.

Open letter Privacy International (06.12.2003)
http://www.bof.nl/docs/privacy_international_brief.pdf

Recommended reading

Privacy on the Internet by Matej Kovacic is an interesting bilingual book (English and Slovenian) about all the different aspects of privacy in the information society. The chapter about privacy of information and privacy of communication in Slovenia provides welcome insight into the state of affairs in this EU accession country.

Kovacic writes: "Although privacy of information is relatively well regulated by existing legislation, the problem is a serious disorder in practice, even though this field is subject to supervision by inspection agencies." Privacy of information is guaranteed constitutionally (and sanctioned in the Penal Code), by the Personal Data Protection Act and by the Convention for the protection of individuals with regard to automatic processing of personal data. In its 2001 annual report, the Inspectorate for Personal Data Protection notes an increase in the number of complaints by individuals about privacy violations. These cases are about inadequate protection of data, databases with information from video surveillance without written consent, excessively long periods of personal data storage or storage of an excessive amount of personal data.

The new European directive on privacy and electronic communications (2002/58/EC) is having its devastating effects on data retention in Slovenia as well. According to Kovacic "A measure that is currently under preparation will oblige member states to legally bind telecommunications providers to store traffic data from 12 to 24 months. These data are already available to state authorities on the basis of court order."

ISBN 961-6455-09-5
http://www.mirovni-institut.si/eindex.htm