EDRi-gram newsletter - Number 10.22, 21 November 2012


EDRi member FoeBuD becomes digitalcourage

EDRi member FoeBuD (Germany) changed its name to “digitalcourage” on 17 November 2012, on the occasion of the organisation’s 25th anniversary.

The old name had been a quickly constructed satirical acronym – a parody of the bureaucratic and cumbersome language used by the state’s telecommunications authority, which at the time was also the monopoly provider of telecom services. As FoeBuD developed into a privacy and digital rights organisation active at the national level and beyond, it had become apparent for some time that the obscure name had turned from an in-joke into an obstacle to the group's publicity. Obviously, digitalcourage will continue to mention its (much loved) old name to maintain a link with its history.


http://www.foebud.org/
http://www.digitalcourage.de/

CleanIT looking for the question that it was seeking an answer to

Few people know that CleanIT was born from another failed project – the European Commission-led “dialogue on illegal online content”. In that “dialogue”, the European Commission (DG HOME) sought to persuade Internet hosting companies to delete websites containing alleged hate speech, terrorist content and child abuse material “more quickly”.

During a year and a half of discussion, the Commission was unable to identify any instances of websites being left online for an unacceptably long period of time, nor any evidence that current practices were not functioning efficiently. Ultimately, the project failed because: a. the problem it was trying to solve was never identified; b. no safeguards were foreseen to protect free speech in cases of incorrect accusations; and c. it had no specific targets.

After the failure of the Commission project, 400 000 Euro was given to the CleanIT initiative in order to address one of the three issues – terrorism. The suggestion was that unspecified technology companies could take action against unspecified problems in order to address undefined “terrorist use of the Internet”. Unsurprisingly, due to the lack of focus of the project, the first year of “work” had only produced a 23-page list of sometimes extreme, sometimes illegal and always unfocussed suggestions of things that could, theoretically, be done to address the unspecified problems the project was set up to solve. After that 23-page list was made available to the public by EDRi, many (but not all) of its excesses were removed, ahead of the second-last CleanIT meeting, which took place recently in Vienna.

In the Vienna discussion, it was argued that there were adequate mentions of fundamental rights and proportionality. The only small problem with that view is that the whole point of a legal system is that it is for the courts to decide when laws respect fundamental rights and are proportionate. The whole point of CleanIT is, in contrast, that it would work on the basis of “voluntary” actions taken outside the rule of law by internet companies – often by companies that are not even European. Ironically, while the CleanIT project proudly proclaims that its purpose is to create “a public-private partnership where a non-legislative framework will be developed,” it was argued in Vienna that this framework was not intended to circumvent the law.

After the Vienna meeting, only 16 months after its launch, the project reached approximately the point that it was at when it started. In the absence of an identified problem, what can ISPs do in order to act efficiently if they feel that somebody is communicating in a way that they do not feel happy with? How can terms of service be written in a way that is vague enough to allow ISPs to take arbitrary action against subscribers, if this seems appropriate? In other words, how can ISPs do, with regard to terrorism, what SOPA and ACTA proposed doing with regard to copyright infringement – undermine and circumvent the rule of law, the presumption of innocence and due process of law?

In the meantime, the United Nations has publicly asked Member States and Internet companies to breach international law as a means of enforcing the law. The UNODC called for states to enter into “informal relationships or understandings with ISPs (both domestic and foreign) that might hold data relevant for law enforcement purposes about procedures for making such data available for law enforcement investigations.” This unequivocally contradicts the International Covenant on Civil and Political Rights, which states that “no one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence.”

In summary, CleanIT has worked out that somebody should definitely do something about some forms of terrorist (however it is defined) use of the Internet. We look forward with trepidation to the next document to come out of this project.

CleanIT leak
http://edri.org/cleanIT

UNODC's report
http://www.edri.org/UN-threat-for-Internet

Swiss Pirate Party support for CleanIT
http://www.pirateparty.ch/Official_Statement_Clean_IT_Project

CleanIT
http://cleanitproject.eu

Factsheet
http://cleanitproject.eu/wp-content/uploads/2012/07/Factsheet-Clean-IT...

(Contribution by Joe McNamee - EDRi)

EDRi comments on the collective rights management draft directive

On 11 July 2012, the European Commission published a proposal for a Directive on collective management of copyright and related rights and multi-territorial licensing of rights in musical works for online uses in the internal market. EDRi warmly welcomes the Commission's willingness to ensure the development of the European Single Market.

The proposal focuses on the transparency and improvement of: i) citizens' access to cultural content and services, ii) access to licences for commercial users and iii) remuneration and promotion of their works for creators.

EDRi wholeheartedly agrees with the objectives pursued by the European Commission: better governance and greater transparency for collecting societies, adaptation of the licensing system to the digital era, and reducing barriers to the Single Market by encouraging and facilitating multi-territorial licensing. This will benefit not only the creators but also service providers, innovators and end users.

The proposal has two aspects. The first part of the Directive deals with the collecting societies to ensure better governance and transparency, and the second part is supposed to encourage and facilitate multi-territorial licences for musical works. Although EDRi generally agrees with the objectives of the proposal, there are still major loopholes in the current proposal, and this is regrettable.

While the proposal aims to achieve better governance, greater transparency and competition, it does not solve the lack of freedom of choice for artists. More flexibility should be allowed to improve the potential to adapt to technological and market change that would give creators genuine freedom of choice.

EDRi believes that some terms should be clearly defined, such as transparency, diligence and efficiency of governance, because the alternative is legal uncertainty and a failure to achieve the goal of the proposal. Moreover, the relationship between collecting societies and commercial users also needs to be rebalanced. The current wording creates an unbalanced situation that would affect the services provided and would have a negative impact on the attractiveness and availability of legal offers.

EDRi regrets the reference in the proposal to “a right to compensation” that appears to be an implicit reference to private copy levies. This mixes not only two different issues but it also creates confusion while adding nothing.

Finally, concerning collecting societies themselves, EDRi foresees a significant loophole concerning liability and sanctions. There is a lack of ambition in seeking to ensure effective enforcement and good legislation is nothing without good enforcement.

Concerning the second aspect of the proposal, EDRi welcomes the focus on multi-territorial licences, as they are an essential instrument for achieving the European Single Market. However, EDRi deplores the lack of clarity of music licensing for audiovisual services and the lack of transparency regarding repertoires. EDRi would also like to see a more innovation-friendly framework in the proposal. Indeed, the proposal does not solve the problem of the time-consuming and costly negotiations, which hold back the launch of new and innovative services. Nor does the proposal offer any solution for the jurisdiction problems that could arise. EDRi believes that this is a cross-border issue that must be dealt with effectively at the European level.

All in all, EDRi welcomes the proposal as it is the right step to an effective European Single Market, but thinks that there is significant room for improvement to allow better harmonisation and greater enforcement.

The proposal is currently being discussed in the European Parliament. The lead Committee is JURI and the ITRE, IMCO and CULT Committees will also deliver opinions. EDRi hopes that the Members of the European Parliament will improve the proposed text to ensure a successful harmonisation.

EDRi's initial comments
http://edri.org/files/EDRI_crm_comments.pdf

Directive on collective management of copyright and related rights and multi-territorial licensing of rights in musical works for online uses in the internal market (11.07.2012)
http://ec.europa.eu/internal_market/copyright/docs/management/com-2012...

(Contribution by Marie Humeau - EDRi)

Surprise! Facebook doesn't Like the Data Protection Regulation

Facebook has recently issued a 40-page lobbying paper with the company’s position on the proposed European data protection regulation, opposing several of its provisions. “The new legislative framework should focus on encouraging best practice by companies like Facebook rather than on setting out detailed technical rules that will not stand the test of time and may be frustrating and costly for both service providers and users,” says the paper on its first page.

The document was not made public by Facebook, but was obtained by the Europe vs. Facebook group via a FoI request to the Irish DPA.

Facebook opposes cooperation between the European Data Protection Authorities (DPAs) in enforcing the law, preferring to be subject only to the rulings of the Irish DPA - an office that, to use a euphemism, seems more business-oriented. The EU wants more cooperation, so that single member states, such as Ireland and the UK, cannot undermine the EU data protection level.

What else does Facebook oppose? It opposes explicit consent by users, “privacy by default”, the "right to be forgotten" and the age limit of 18 for consent to data processing, favouring an age of 13 instead. It also opposes the provision that users can insist on the removal of information that others post about them, as well as the provisions regarding data breach notifications, complaining that “...even the most minor breaches must be reported to the DPA.”

The company strongly opposes the heavy fines for breaching data protection laws, arguing that these may lead to less data protection because of less cooperation with the authorities, and to more cost for the state, adding: “Facebook is concerned that the magnitude of potential fines will create a disincentive for innovation and associated job creation among internet service companies. This could be a major blow for the European Union given that the Internet sector is widely recognized as the major driver of job creation and growth in an otherwise moribund economic environment.”

And, of course, Facebook also wants easier transfer of data out of the EU/EEA countries.

It is surprising though that Facebook did not ask for the principles of the "privacy is dead" doctrine to be included in the new data protection framework.

Facebook’s views on the proposed data protection regulation (summary by europe-v-facebook.org) (30.03.2012)
http://www.europe-v-facebook.org/FOI_Facebook_Lobbying.pdf

FOI Response: Facebook’s Lobbying Papers and Irish Position on new EU Data Protection Regulation (17.11.2012)
http://www.europe-v-facebook.org/EN/en.html

DP Regulation to accidentally introduce voluntary “three strikes”?

The European Commission proposed a new framework for the protection of personal data in the EU earlier this year. While it has been the subject of probably more lobbying than any other piece of legislation in the history of modern politics anywhere in the world, there has not been a similar upsurge in interest from citizens' groups across Europe.

While EDRi has been working hard on the Regulation and Directive proposed by the Commission, the texts are long, complex and difficult to understand. The huge industry lobby and the lack of a corresponding reaction from citizens risk creating a framework which is meaningless and significantly worse than the current legislation.

The Regulation proposed by the Commission is a solid proposal, although there are a few “weak links” in the chain of protections of personal data. If these are not fixed, then the fundamental right to privacy will be seriously undermined. The avalanche of lobbying over recent months means that not only are the weak points not being addressed, but they are being further weakened, to the point of threatening to destroy the entire meaning of the proposal. This article looks at just one of these weak points - “legitimate interest”.

One of the six grounds on which personal data can legally be processed is the “legitimate interest” of the data processor. The other five are consent, necessity for the performance of a contract, a legal obligation that the data processor is subject to, the vital interests of the data subject (i.e. the citizen) and the public interest/exercise of official authority. This provision is already in the existing European Directive on data protection and is already causing problems.

The main reason that “legitimate interest” is a problem is that there is no guidance as to what type of activity would be considered to be so important that none of the other legal grounds for processing would be feasible for the data controller. For example, when can a data controller act on the basis of “legitimate interest” and when should he obtain specific and informed consent instead? Worse still, the decision on whether “legitimate interest” is an acceptable basis for processing the data is initially made by the data controller (i.e. the company you give your data to) and is only questioned if a citizen takes a court case against the particular processing activity. Alternatively, the citizen can make a complaint to the data protection authority – who may (or may not, depending on the outcome of the legislative process) be able to impose fines - if the data protection authority was prepared to take the risk and cost of an appeal being made to the courts against its decision.

This then brings us to “three strikes”. In Ireland, the ISP Eircom runs a “voluntary” “three strikes” system. Under that system, personal data is collected online by agents of the music industry (without authorisation of the citizens whose data are being processed), passed on to Eircom (again without authorisation) and then Eircom further processes the data (again without authorisation) to “warn” its customers that they have been alleged to have broken the law and, after two warnings, the customer is subject to sanctions.

The Irish High Court ruled that these activities are legal because it was “completely within the legitimate standing of Eircom to act and to be seen to act as a body which upholds the law”. Under the current legal framework, data protection experts believe that this decision was very questionable, although the ineffective implementation of data protection law in Ireland is infamous, so the ruling was no great surprise. The finding that data collected for the specific purpose of identifying persons were not personally identifiable information was something more of a shock, even by Irish standards.

The question now is whether the proposed new Data Protection Regulation could be amended in ways that export the very weak Irish interpretations to the rest of Europe.

Irish MEP Seán Kelly, the MEP responsible for the Opinion of the Industry, Research and Energy Committee in the European Parliament, has tabled several amendments that may inadvertently go in this direction:

1. He has changed the text which says “The legitimate interests of a controller may provide a legal basis for processing” to say “The legitimate interests of a controller, **or of the third party or parties in whose interest the data is processed**, may provide a legal basis for the processing”. This greatly expands the possible use of this provision and would cover, for example, the policing and enforcement in a “three strikes” regime.

2. He then extended the possibilities for non-consensual use of personal data, by tabling an amendment saying that “legitimate interest” can be used as a legal basis for processing that is “not compatible” with the original reason for collecting the data.

Of course, in the fullness of time, it is likely that a competent court or data protection authority would reach the conclusion that a “voluntary” three strikes system runs contrary to the right to due process of law, to the presumption of innocence and to the protection of the fundamental right of privacy. However, each particular instance of a company deciding that its own interests outweigh those of the citizen would need to be tested individually in court... eventually... if and when a citizen had the time and resources to test the issue in court. Alternatively, as the Irish Data Protection Commissioner tried and failed to do, the data protection authority could make a ruling and attempt to defend it in court.

And all of this leaves just one small question – if, whenever you give your data to a company, they are within their rights to give those data to a different company and that company is entitled (unless and until a court tells them otherwise) to reuse your data for purposes that are incompatible with the reasons you handed over your data in the first place... what exactly is the value of the legislation?

This is just one of several loopholes which are being broadened due to industry lobbying.

European Commission's reform package
http://ec.europa.eu/justice/data-protection/index_en.htm

Irish high court ruling
http://www.courts.ie/__80256F2B00356A6B.nsf/0/7E52F4A2660D884080257707...

EDRi comments on the data protection reform
http://wwww.protectmydata.eu

(Contribution by Joe McNamee - EDRi)

Abandoning safe harbours: Hungarian online freedoms at risk

Restrictions on freedom of expression and on access to information would be two repercussions of recently drafted changes to Hungary’s Criminal Code. The law would allow the government to “block” and potentially delete online material if hosting providers fail to respond to notice-and-take-down procedures.

While Internet service providers would not be liable for user content, they would be obliged to “block” websites placed on the National Media and Telecommunication Authority’s blacklist following a court order. The Ministry of Justice considers temporary prevention of access “absolutely necessary to obstruct online criminal activity and for crime prevention”. The measures would shelter Internet users from criminal content, such as child pornography, or from material that may incite crime, such as hate speech, or so the conventional thinking goes. In fact, “blocking” has been shown to be ineffective in practice. It also carries risks of interfering with a criminal investigation by signalling that illegal content has been detected by the authorities.

The proposed bill does not explain how the kind of illegal content that easily escapes blocking measures—by using proxy servers, for instance—would be dealt with. Nor has the problem of illegal content delivery through backdoor systems been addressed.

Details concerning the implementation of interception measures are vague. It is not clear what the government means by “file deletion”, or whether temporary prevention of access to content would require blocking an IP address, domain name or URL.

The HCLU published an opinion that raises a number of concerns about the draft regulation. It states that the possibility of unduly restricting rights would be exacerbated by its shortcomings, which include technically flawed and vaguely worded provisions and measures that limit rights on the basis of alleged offenses rather than convicted offenses. These deficiencies would increase the likelihood that legal content could be unlawfully censored. The authors also point out that there are no provisions to allow the right of appeal to innocent users who would suffer damages from having their content wrongly removed from the Internet.

The proposed solutions have been called “disproportionately severe”, “unnecessary” and “unconstitutional” by the Hungarian Content Providers Association (MTE). It issued a statement in which it argues that the legal system already contains procedures for determining legal infringements. These provide even stronger sanctions in the case of proven offenses. It worries that if hosting providers fail to follow the procedures outlined in the regulatory initiative, they would also share civil and criminal responsibility. This would have even more serious consequences for society.

In a global survey of Internet freedom by Freedom House, Hungary was ranked among the top 5 out of 47 countries only months ago. Hungary’s commitment to press freedom has been questioned since it introduced widely criticized media laws and refused to assign a radio frequency to a station known to be critical of the current government. The survey highlighted the fact that Hungary’s media regulations cover traditional media only. The Constitutional Court ruled that online press must be exempted from the media laws in December of 2011, but the amendments made by the Parliament in May 2012 modified the regulations so that they would be applicable to online media too.

Insult, defamation and libel are criminal offenses under Hungarian law. Here, as elsewhere, slander is regularly invoked for political or economic reasons. Occasionally, however, domestic courts favour the plaintiff for reasons that are not easy to understand. In one notorious ruling the Supreme Court convicted a journalist for having used derisory language in an opinion about the Tokay of a state-owned winery; the European Court of Human Rights overruled the decision last year.

At a time when more and more Hungarians are fed up with having to choose between ideological media cocoons, the independent sources of news that blogs, and other tools of mass communication, provide are increasingly valuable. Legal means of monitoring, blocking and censoring these voices have, of course, developed in parallel, as recent developments in Russia, and elsewhere, illustrate.

The independence of the newly appointed authority for data protection and freedom of information is questioned by many, and there are currently no other specifically privacy- or digital rights-oriented organizations in Hungary to defend the interests of Internet users.

The new regulations are due to enter into force on July 1st of next year.

HCLU analysis of the draft law (only in Hungarian, 31.10.2012)
http://tasz.hu/szolasszabadsag/az-internet-szabadsagat-csorbitana-korm...

Opinion of the Hungarian Content Providers Association (MTE) (only in Hungarian, 9.11.2012)
http://m.cdn.blog.hu/mt/mte/file/MTE%20komment%20lehetosegek%20vitaany...

Freedom House report (25.09.2012)
http://www.unhcr.org/refworld/docid/5062e8a4c.html

Rights advocates on the government’s new Internet bill (only in Hungarian, 24.10.2012)
http://www.origo.hu/techbazis/20121024-jogvedok-a-kormany-uj-internete...

Internet blocking: crimes should be punished and not hidden
http://www.edri.org/files/blocking_booklet.pdf

(Contribution by Christiana Mauro – EDRi Observer)

Portuguese blog taken down by Google for unknown reasons

On 14 November 2012, the blog of the group Precários Inflexíveis, whose purpose is to expose the working conditions of freelance workers without permanent contracts, was deleted by Google, during the day of the general strike in the country.

Those who tried to find information about the protest and actions of the group were greeted with the message “This blog is in violation of Blogger's Terms of Service and is open to authors only”. The group wrote on its Facebook page that the takedown was probably the result of accusations of defamation directed at Google by the company BF Group, which reacted to the testimony of a worker accusing the company of “illegal work and tax evasion”.

According to James Gillot of Precarious Inflexible, the group received an email from representatives of the BF Group stating that there was defamatory content on its blog and that the company would take legal action against the movement if it did not withdraw the respective content. Google then notified Precarious Inflexible of the possible cancellation of its blog on Google’s Blogger service, due to the complaint made by the BF Group. The group considered it had nothing to modify and was surprised to find its blog cancelled on 14 November.

"Blogger is a platform that promotes freedom of expression and our policies serve this purpose. Whenever some content is flagged by users, we analyse this blog and proceed in accordance with our policies. We believe this is the best solution to provide a safe online experience for users of all ages and be a platform for creativity and freedom of personal expression that have characterized Blogger and its users," reads the statement sent to the Portuguese online news website Publico by Rui Carvalho from Google, who also stated that the company did not comment on individual cases. Google’s new terms of service now cover country-specific takedowns of content on Blogger.

Precários Inflexíveis had previously been brought to court by Ambition Marketing International, a company that argued that the comments made on a testimony published on the blog of Precarious Inflexible on 10 May 2011 hindered the recruitment of new professionals and damaged its image. The company demanded the removal of the comments from the page, which was granted by the court in May 2012. The ruling was, however, overturned by the Appeal Court on 18 September 2012, which decided that the company had not brought enough proof that its image and prestige had been affected, nor that there had been a decrease in the number of hires. Google Blogger did not delete the webpage during that lawsuit, even after the first court order.

Although Precários Inflexíveis won that case, the group believes this was a bad precedent that encouraged other companies to attack it.

The Portuguese group stated it would continue to pressure Google to restore its blog, and it will continue to do its job to expose precarious working conditions.

Portugal: Activist blog silenced by Google (16.11.2012)
http://advocacy.globalvoicesonline.org/2012/11/17/portugal-activist-blog-silenced-by-google/

Precarios Inflexiveis Facebook Page
https://www.facebook.com/precariosinflexiveis

Blog of Precarios Inflexiveis blocked since Wednesday (only in Portuguese, 15.11.2012)
http://www.publico.pt/Sociedade/blogue-dos-precarios-inflexiveis-bloqu...

The Court annuls the decision to hide comments to blog Precarios Inflexiveis (only in Portuguese, 6.11.2012)
http://www.publico.pt/Sociedade/tribunal-anula-decisao-de-ocultar-come...

IE Domain Registry confirms hijacking of the DNS nameservers

On 9 October 2012, those who tried to visit Google.ie and Yahoo.ie were sent to an Indonesian webserver controlled by hackers.

After investigating the security incident, the IE Domain Registry (IEDR) confirmed in November 2012 that an unauthorised change had been made to the two .ie domains on an independent Registrar’s account, which resulted in a change of DNS nameservers.

Nameservers ensure that when users visit a certain domain, they are pointed to the correct website on the correct server. In this case, users, instead of being directed towards Google.ie and Yahoo.ie, were redirected to a fraudulent server. The “hack” page was signed by Hmei7, who is apparently an Indonesian hacker whose “signature” has appeared on thousands of website defacements, including attacks against Asus and Siemens.

According to IEDR, for a 25-day period starting on 11 September 2012, “the public-facing web server of the IEDR was subjected to repeated attempts at unauthorised access from external sources”. The incident occurred because the hacker had succeeded in exploiting a plugin of Joomla, the content management system installed on the IEDR website, and uploading malicious PHP web scripts. “PHP scripts were then used to access a backend database and this database access subsequently provided access to the IEDR control panel and permitted unauthorised modifications to an account,” says the IEDR statement.
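The damage in this incident was done at the delegation level: the .ie zone was told to send Google.ie and Yahoo.ie to attacker-controlled nameservers. The detection a domain holder or registrar can run against that is simple: keep a baseline of the nameservers each domain should delegate to and compare it with what is actually published. The script below is an added example written for this article; it is not code from EDRi, the IEDR or any registrar. It assumes the defender maintains such a baseline (EXPECTED_NS) and periodically obtains the current NS records as "owner type target" lines (the sample OBSERVED_LINES is constructed to resemble that output), and it classifies each discrepancy so a full repointing, as in the IEDR case, stands out from a partial change or a failed lookup.

```python
"""Nameserver drift check for registered domains (added example, not IEDR code)."""
from __future__ import annotations

from dataclasses import dataclass, field


def normalise(name: str) -> str:
    """Lower-case a DNS name and make it fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


# Baseline: nameservers each domain is expected to delegate to.
# Constructed sample values under the reserved .test TLD, not real registrar data.
EXPECTED_NS = {
    "example.ie": {"ns1.registrar.test", "ns2.registrar.test"},
    "example-two.ie": {"ns1.registrar.test", "ns2.registrar.test"},
    "example-three.ie": {"ns1.registrar.test", "ns2.registrar.test"},
}

# Constructed observation: example.ie unchanged, example-two.ie fully
# repointed to unknown hosts, example-three.ie absent (lookup failed).
OBSERVED_LINES = """\
; constructed sample, not real DNS data
example.ie.       NS  ns1.registrar.test.
example.ie.       NS  ns2.registrar.test.
example-two.ie.   NS  ns1.rogue-host.test.
example-two.ie.   NS  ns2.rogue-host.test.
example-two.ie.   A   192.0.2.10
"""


def parse_ns_lines(text: str) -> dict[str, set[str]]:
    """Collect NS targets per owner name; comments and non-NS records are ignored."""
    observed: dict[str, set[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[1].upper() != "NS":
            continue  # malformed line or another record type (A, MX, ...)
        owner, _, target = parts
        observed.setdefault(normalise(owner), set()).add(normalise(target))
    return observed


@dataclass
class NsDrift:
    """One domain whose published delegation differs from the baseline."""
    domain: str
    kind: str                                        # replaced / partial / reduced / unresolved
    added: set[str] = field(default_factory=set)     # nameservers not in the baseline
    removed: set[str] = field(default_factory=set)   # baseline nameservers no longer published


def classify(want: set[str], seen: set[str]) -> str:
    """Describe how the observed NS set relates to the expected one."""
    if not seen:
        return "unresolved"   # nothing published or the lookup failed: verify before alerting
    if want.isdisjoint(seen):
        return "replaced"     # every expected NS gone, strangers in their place (the IEDR case)
    if seen - want:
        return "partial"      # unknown NS added alongside legitimate ones
    return "reduced"          # some expected NS missing, nothing foreign added


def compare_delegations(expected: dict[str, set[str]],
                        observed: dict[str, set[str]]) -> list[NsDrift]:
    """Return a drift record for every domain whose NS set deviates from the baseline."""
    drifts = []
    for domain, want in expected.items():
        dom = normalise(domain)
        want = {normalise(n) for n in want}
        seen = observed.get(dom, set())
        added, removed = seen - want, want - seen
        if added or removed:
            drifts.append(NsDrift(dom, classify(want, seen), added, removed))
    return sorted(drifts, key=lambda d: d.domain)


def run_check() -> list[NsDrift]:
    """Run the comparison over the constructed sample and return the findings."""
    return compare_delegations(EXPECTED_NS, parse_ns_lines(OBSERVED_LINES))


if __name__ == "__main__":
    for d in run_check():
        print(f"{d.domain}: {d.kind}; added={sorted(d.added)} removed={sorted(d.removed)}")
```

When this is wired to live data, the NS set should be fetched from the parent zone's authoritative servers (for .ie domains, the .ie TLD servers) rather than from a caching resolver, because a resolver keeps the old delegation for the remainder of its TTL and would hide exactly the change being looked for; an "unresolved" result is worth a retry from a second vantage point before it is treated as a removal.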

“Luckily there haven’t been any reports of any malware or viruses coming from the two websites. The sites were timing out and we suspect the hacker’s webservers were overwhelmed; they couldn’t cope with the volume of traffic Google and Yahoo would normally receive. Luckily, the IEDR were quick to restore the correct DNS nameservers on both domain names and minimise the disruption caused. Luckily, other websites like Microsoft.ie, which is also managed by MarkMonitor, were not affected. It’s all very lucky. It is a security disaster but it could have been much worse. If website visitors had been infected with malware, Google, Yahoo, MarkMonitor and the IEDR could have been dealing with a security catastrophe,” stated Peter Armstrong from Irish webhosting provider Spiral Hosting.

IEDR also confirmed that a criminal investigation by the Garda Bureau of Fraud Investigation would continue, and assured that a recently appointed Technical Services Manager would give more attention to security policies, processes and procedures at the IE Domain Registry. The IEDR’s Joomla website was replaced on 26 October with a new website built using the Drupal content management system, which was, however, criticised for its design and the lack of a WHOIS lookup facility. IEDR replied that its priority had been to restore secure services and that it would deal with the other issues in the near future.

Investigation concludes IE Domain Registry website was exploited (9.11.2012)
http://www.domainregistrar.ie/investigation-concludes-ie-domain-regist...

Google.ie and Yahoo.ie unavailable after “unauthorised change” to nameservers (9.10.2012)
http://sociable.co/web/google-ie-and-yahoo-ie-unavailable-after-unauth...

Scenes from the history of the IEDR (12.11.2012)
http://www.tjmcintyre.com/2012/11/scenes-from-history-of-iedr.html

Google.ie Hijacked? (9.11.2012)
http://technology.ie/google-ie-hijacked/

EDPS Opinion on EC communication on cloud computing

This article is also available in:
Deutsch: EDSB-Stellungnahme zu Cloud Computing


On 16 November 2012, the European Data Protection Supervisor (EDPS) published his opinion on the European Commission’s communication on "Unleashing the potential of Cloud Computing in Europe" issued on 27 September 2012, in which the Commission proposes key actions and policy steps for the use of cloud computing services in Europe. In his opinion, the EDPS draws attention to the data protection challenges brought by cloud computing and to how the proposed Data Protection Regulation will deal with these challenges when the reformed rules come into effect.

The EDPS believes that, while cloud computing can bring large advantages such as a decreased cost of IT services and better access to these services, one of the main issues related to cloud computing is the need for reliable and trustworthy systems for cloud customers and for compliance with data protection rules when processing data.

"Currently, many cloud customers, including members of social media, have little influence over the terms and conditions of the service offered by cloud providers. We must ensure that the cloud service providers do not avoid taking responsibility and that cloud customers are able to fulfil their data protection obligations. The complexity of cloud computing technology does not justify any lowering of data protection standards."

In Peter Hustinx’s opinion, all parties involved in cloud computing must have precise responsibilities, clearly defined by the law, to avoid an imbalance of power between cloud customers and cloud service providers. Therefore, standard commercial terms and conditions that respect data protection requirements for commercial contracts, public procurement and international data transfers should be developed. The EDPS also recommends clearer and more complete guidance on the mechanisms that would ensure the effectiveness of data protection measures.

According to the proposed new EU data protection rules, data controllers would be required to verify that the mechanisms put in place by cloud providers to protect personal data are effective enough to ensure that data processing and storage comply with these rules. "Especially in the context of cloud computing, more specific guidance is required to clarify which mechanisms should be put in place to ensure verification of the effectiveness of data protection measures in practice,” says Hustinx.

The opinion recommends the development of best practices on issues such as controller/processor responsibility, retention of data in the cloud environment, data portability and the exercise of data subjects' rights as well as the development of standards and certification schemes to fully incorporate data protection criteria.

Cloud computing implies that data may be stored on servers all around the world. Presently, the EU data protection laws do not allow companies to transfer personal data outside of the European Economic Area (EEA) countries unless adequate protections are in place (or unless the destination country has been pre-approved as having adequate data protection).

Hustinx also believes a clear definition is needed for data transfers and for the criteria allowing access to data in the cloud by law enforcement bodies outside the EEA countries, especially considering that, with cloud computing, the data is not only transferred but "made available to a number of recipients located in various countries (often unknown to the cloud customer/end user)."

While welcoming the EC plans to develop a new contract model for companies to use in service level agreements with cloud computing providers, the EDPS said that the new contracts should contain terms to prevent cloud providers from disclaiming their responsibility for data confidentiality and security, or their liability for data loss or corruption. He also considers that the new contract model should contain provisions requiring cloud providers to tell clients whether it is possible to store data in a single country or region, and to obtain their clients’ consent before changing the terms of their cloud computing service contracts. The terms of contracts should also include information about the personal data processing activities, such as "where the data may be processed, compliance with certification scheme/standards, guarantees that there are appropriate safeguards in place at all levels of the infrastructure and wherever the data are transmitted or stored, specific safeguards for sensitive data, identification of the relevant supervisory body," says the EDPS in his opinion.

This opinion is in line with that of the Article 29 Working Party which, in its opinion of July 2012, said that businesses wishing to use cloud services to store and process personal data should select a cloud provider that guarantees compliance with EU data protection legislation.

EDPS: responsibility in the Cloud should not be up in the air (16.11.2012)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/...

Opinion of the European Data Protection Supervisor on the Commission's Communication on "Unleashing the potential of Cloud Computing in Europe" (16.11.2012)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/...

Businesses need more guidance on how to verify cloud providers' data protection compliance, says EU watchdog (16.11.2012)
http://www.out-law.com/en/articles/2012/november/businesses-need-more-...

Unleashing the Potential of Cloud Computing in Europe (27.09.2012)
http://ec.europa.eu/information_society/activities/cloudcomputing/docs...

Article 29 Data Protection Working Party - Opinion 05/2012 on Cloud Computing (1.07.2012)
http://ec.europa.eu/justice/data-protection/article-29/documentation/o...

ENDitorial: Silly censorship week: And the winner is...

This article is also available in:
Deutsch: ENDitorial: Woche der dümmsten Zensurmaßnahme


Over the past few years, private companies have increasingly been the ones deciding what is "appropriate" or "inappropriate" online and what sort of Internet content we are allowed to access.

Our rights to privacy and freedom of expression are increasingly placed in the hands of arbitrary decisions by private intermediaries. Instead of a society where democratically elected governments enact laws which are predictable and testable in court, we have an increasing number of terms of service which result in the banning of content, the deletion of profiles and the censoring of material that is deemed "inappropriate".

Recently, we have noticed a flood of examples of bizarre corporate censorship that demonstrate the absurdity and comedy behind a very serious problem – the abandonment of the rule of law in exchange for corporate regulation of freedom of speech. To illustrate this phenomenon, we picked five of the most bizarre examples and launched the “Silly Censorship Week” on Twitter, where users could vote for the worst case, simply by re-tweeting their favourite.

According to the number of re-tweets, the clear winner and silliest censor is Apple, which censored the title of Naomi Wolf's new book “Vagina” in the iTunes store. While Apple had no particular problem in selling the book to make a profit, it did feel the need to protect its customers from the name. As a result, Apple decided to call it V****a instead and to replace the word throughout the book's description. In reaction to this, the author asked on Facebook “Why is this theme so very very taboo -- in a land of 24/7 porn and commodification of women?”

The Guardian: Naomi Wolf's ebook covered up by Apple iTunes
http://www.guardian.co.uk/books/2012/sep/13/naomi-wolf-vagina-apple-it...

Naomi Wolf's comment on Facebook
https://www.facebook.com/naomi.wolf.author/posts/388761331195124

And the next top 4 places are awarded to:

2nd Place: Apple is censoring the word #jailbreak in iTunes
http://www.huffingtonpost.com/2012/05/17/apple-is-censoring-the-wo_n_1...

3rd Place: Nipplegate: Bob Mankoff expounds on why the New Yorker Cartoon department was temporarily banned from Facebook
http://nyr.kr/UFdwFw

4th Place: Apple bans Pulitzer Prize political cartoons from iPhone
http://www.theregister.co.uk/2010/04/15/mark_fiore_rejected_from_app_s...

5th Place: A mother was banned from Facebook for 7 days after posting a photo of her 5-year-old pretending to nurse her younger sibling
http://www.huffingtonpost.com/2012/07/27/lauren-ferrari-banned-faceboo...

Other examples of censorship that didn't make it into our top five include:

Apple censors cartoon boobs (14.06.2010)
http://www.wired.com/business/2010/06/apple-bans-cartoon-boobs-in-joyc...

Apple Censors - Then Approves - Gay Kiss In Oscar Wilde Comic (15.06.2010)
http://www.huffingtonpost.com/2010/06/15/apple-censors-gay-kiss-in_n_6...

Facebook controlling art: In February 2011, Facebook censored a masterpiece by painter Gustave Courbet currently held in Paris's Musée d'Orsay (8.03.2011)
http://cornellsun.com/node/46245

Amazon's Kindle deletion: erotic, incest-themed fiction removed because it “violated Amazon's content guidelines” (15.10.2010)
http://arstechnica.com/business/2010/12/amazons-latest-kindle-deletion...

No transgender cartoon torsos please, we're Facebook: Wendy Pini, creator of a decadent sci-fi version of Edgar Allan Poe's Masque of the Red Death, learned the hard way that one does not simply post paintings of blue-skinned hermaphrodite event planners with indeterminately-gendered breasts to Facebook (29.07.2012)
http://lezgetreal.com/2012/07/pinis-bunchh-censored-by-facebook/

Amazon remotely deletes 1984 ebooks from Kindle: Some E-Books Are More Equal Than Others (17.07.2009)
http://pogue.blogs.nytimes.com/2009/07/17/some-e-books-are-more-equal-...

Mothers breastfeeding on Facebook, The Guardian tested it on their own Facebook page (22.02.2012)
http://www.guardian.co.uk/commentisfree/2012/feb/22/facebook-no-nipple...

Wendy Pini faces permanent expulsion from Facebook over the pinning of a popular photograph by Ryan McGinley, whose artwork can be seen from San Francisco galleries to New York art blogs (19.09.2012)
http://boingboing.net/2012/09/19/facebooks-vague-rules-only-h.html

(Contribution by Kirsten Fiedler - EDRi)

Recommended Reading

This article is also available in:
Deutsch: Lesestoff


EDRi member Open Rights Group - UK wins Human Rights Campaigner of the Year with 38 Degrees (20.11.2012)
http://www.openrightsgroup.org/blog/2012/org-wins-human-rights-campaig...

Communia: Position on EC Horizon 2020 Open Access policy (20.11.2012)
http://www.communia-association.org/2012/11/20/position-on-ec-horizon-...

Podcast: Azerbaijan IGF debrief (16.11.2012)
http://www.humanrightseurope.org/2012/11/podcast-azerbaijan-igf-debrie...

IATA announces plan for personalized airline ticket prices (2.11.2012)
http://hasbrouck.org/blog/archives/002036.html

Internet Policy Report 2011 – Brazil (11.2012)
http://observatoriodainternet.br/internet-policy-report-brazil

Agenda

This article is also available in:
Deutsch: Agenda


29-30 November 2012, Brussels, Belgium
For Your Eyes Only: Privacy, Empowerment and Technology in the context of Social Networks
http://www.foryoureyesonly.be

4 December 2012, Brussels, Belgium
3rd Annual European Data Protection and Privacy Conference
http://www.eu-ems.com/summary.asp?event_id=123&page_id=983

27-30 December 2012, Hamburg, Germany
29C3 - Chaos Communication Congress
http://events.ccc.de/category/29c3/

20-23 January 2013, Brussels, Belgium
The Power of Information - How Science and Technology can Make a Difference
http://www.ThePowerofInformation.eu

23-25 January 2013, Brussels, Belgium
CPDP 2013 Conference - Reloading data protection
http://www.cpdpconferences.org/callforpapers.html

2-3 February 2013, Brussels, Belgium
FOSDEM
https://fosdem.org/2013/

21-22 March 2013, Malta
Online Privacy: Consenting to your Future
CfP deadline: 3 December 2012
http://www.onlineprivacyconference.eu/

6-8 May 2013, Berlin, Germany
re:publica 2013
http://re-publica.de/

25-26 June 2013, Barcelona, Spain
9th International Conference on Internet Law & Politics: Big Data: Challenges and Opportunities.
Abstracts deadline: 3 December 2012
http://edcp.uoc.edu/symposia/idp2013/?lang=en

31 July – 4 August 2013, Geestmerambacht, Netherlands
Observe. Hack. Make. - OHM2013
https://ohm2013.org/

24-27 September 2013, Warsaw, Poland
Public Voice Conference 2013 and 35th International Data Protection and Privacy Commissioners Conference
http://www.giodo.gov.pl/