EDRI-gram - Number 2.23, 2 December 2004

Rush vote European Parliament on biometrics

It is likely that the Council of European Justice and Home Affairs ministers will adopt a regulation tomorrow, on 3 December 2004, to fingerprint all EU citizens and residents, to take digital photographs of their faces and to store these data in a gigantic database of 450 million EU citizens. This will be the last step of a procedure that has exploited the democratic deficit of the European Union to an unheard-of extreme.

Today the European Parliament adopted the proposal but introduced a large number of limitations. MEPs voted to clearly limit the kinds of information to be stored on the passports, they voted against the storage of the data in a central database and in favour of giving Data Protection Authorities oversight over the whole process. But it is unlikely that the Council will take any of these amendments into consideration. Under the European Union's consultation procedure the Council can globally reject all of the Parliament's amendments. Though it is mandatory to at least look at the parliamentary suggestions, it will be almost impossible to do so in this case, since the Council plans to adopt its own plan tomorrow.

Members of the European Parliament were deeply angered by the Council's sudden and belated change of the draft that the Parliament had to vote on. On 25 October 2004, while the Parliament's LIBE (Civil Liberties, Justice and Home Affairs) Committee was voting on its report on the biometric issues, the EU's Justice and Home Affairs ministers met behind closed doors in Luxembourg. They decided to considerably change the document that LIBE was just voting on: Fingerprints were introduced as a second obligatory biometric identifier, and the data were to be stored in a central database. The draft Regulation adopted by the Council was transmitted to the Parliament only a month later, on 26 November 2004.

The Council then blackmailed the Parliament's Conference of Presidents, the body taking decisions on the plenary agenda, to behave as if the proposal had not undergone any significant changes and to leave it on the agenda of the plenary session of 1 and 2 December. If the Presidents had refused, the Council threatened to delay the introduction of the co-decision procedure for immigration and asylum issues. Instead of giving Parliament this important power on 1 January, it was to be delayed to 1 April 2005. And if Parliament had decided to refer the new proposal back to the LIBE committee, the Council announced it would just completely ignore Parliament, under some obscure procedure.

More than seventy civil society organisations from the EU and abroad, nine national or regional Data Protection Commissioners and more than two hundred concerned citizens have signed an open letter by Privacy International, Statewatch and European Digital Rights opposing this proposal. It seems, however, quite unlikely that the Justice and Home Affairs Ministers of the European Union will take the declared will of the EU Parliament or of Civil Society into account when introducing the obligation to fingerprint all their citizens and to store their data in a central database.

PI, Statewatch and EDRI Open Letter (30.11.2004)
http://www.edri.org/campaigns/biometrics/0411

EU governments blackmail European Parliament into quick adoption of its report on biometric passports (27.11.2004)
http://www.statewatch.org/news/2004/nov/12biometric-passports-blackmai...

Council Draft regulation on biometric passports (23.11.04)
http://www.statewatch.org/news/2004/nov/biometric-proposal.pdf

Parliament report on the Commission proposal for a Council regulation on standards for security features and biometrics in EU citizens' passports, including voting list and all amendments (25.11.2004)
http://www.edri.org/files/BioPass_AllAmend_VoteList.pdf

Provisional agenda for the meeting of the JHA Council (2-3.12.2004)
http://www.eu2004.nl/default.asp?CMS_TCP=tcpAsset&id=1FA5E817CB124...

JHA Council press conference video stream (available after 2 December, 20:00, for one week)
http://europa.eu.int/comm/ebs/bottom_schedule.cfm?jour=5&semaine=4...

(Contribution by Andreas Dietl, EDRI EU Affairs Director)

Data retention in EU JHA Council

The European Council of ministers of Justice and Home Affairs will meet on 2 and 3 December 2004. Telecommunication data retention is an important item on the agenda. The Dutch EU Presidency tried to force the Council to reach a quick unanimous decision on the proposed framework decision, but has now changed course. According to an explanation given by minister Donner of Justice on 1 December 2004 to the judicial committee of the Dutch Lower House, a large majority of EU Member States is now in favour of an extended obligation. Supposedly led by France, most countries now insist on a large set of data that should be collected and stored by telecom and internet providers, instead of limiting the retention to data that are already collected for business purposes.

Not a single example of these extra data was given, but providers should be prevented from 'obscuring personal data' and 'there must be certainty about the set of available data across Europe', said minister Donner. The JHA Council will now proceed to discuss the extent of the extended obligation, instead of focussing on the need and necessity of storing intimate data about all citizens as opposed to preserving data of individual suspects.

The German Lower House committee on Justice and Home Affairs has unanimously adopted a draft-motion on 1 December 2004 forbidding the German government to support a decision in any EU body that would oblige companies in Germany to store traffic data "with reservation to the presentation of appropriate legal justification."

EDRI-member IRIS adds that France has never published a decree stipulating mandatory data retention, but has been working on it since 15 November 2001. Though a French official announced on 21 September in a Commission workshop that the publication was 'imminent', it has not surfaced yet. It is widely expected to include web-surfing, data most providers can only obtain by sniffing their entire network. That means putting a wiretap on every customer and distilling the necessary data from this unwholesome amount of data. According to an urgent open letter from 160 Dutch internet providers (including all the major European ISPs such as Tiscali, UPC and Wanadoo) to Parliament, an ordinary broadband provider with 100.000 customers transports 5.5 terabytes of data per day, or 8.500 CDs. To sniff all those connections and distil traffic data from them is technically impossible, they claim.

In full support of the open letter, the Dutch judicial committee asked Donner to provide proof of the necessity, proportionality and costs of the obligation, before adopting any official Dutch position. Minister Donner said he would write a letter to Parliament in January, answering some of these questions, but said it wasn't possible for parliament or internet-providers 'to frustrate the European decision making process', since the Netherlands were 'only accommodating this process as chairman of the EU.'

Pressured to give examples of the necessity of data retention for law enforcement, Donner admitted he had not told the 'full truth' to Parliament in the previous meeting when he pointed to 'the success of mandatory data retention in the UK'. He now acknowledged there was no legal obligation to retain data in the UK, only a self-regulatory code with which many providers don't comply. He admitted he only "talked to English law enforcement officials who said mandatory data retention was a very good idea."

Meanwhile the European Commission has not yet published its opinion on mandatory data retention, an opinion that was due on 19 November, the date of the previous JHA Council. The Council has now asked the Commission to provide specific input on the issue of 'regular' or 'extended' data retention.

Bundestag will Datenschutzreform anmahnen (01.12.2004)
http://www.heise.de/newsticker/meldung/53816

Open letter 160 Dutch ISPs (in Dutch, 29.11.2004)
http://www.bewaarplicht.nl/

PI/EDRI statement, endorsed by 90 civil rights organisations (15.09.2004)
http://www.privacyinternational.org/issues/terrorism/rpt/responsetoret...

Provider Tiscali in Belgium forced to disconnect P2P-users

A Brussels court of first instance has ruled on 30 November 2004 that internet provider Tiscali should disconnect customers if they violate copyrights, and block the access for all customers to websites offering file-sharing programs. The case was instituted by the Belgian Society of Authors, Composers and Publishers (SABAM) on 24 June 2004 with an appeal to consideration 59 of the European Copyright directive (2001/29/EC).

This consideration states: "In the digital environment, in particular, the services of intermediaries may increasingly be used by third parties for infringing activities. In many cases such intermediaries are best placed to bring such infringing activities to an end. Therefore, without prejudice to any other sanctions and remedies available, right-holders should have the possibility of applying for an injunction against an intermediary who carries a third party's infringement of a protected work or other subject-matter in a network."

Sabam argued that it might well be possible that P2P-software is used for legitimate purposes, but that it is most often used to infringe on copyrights. Tiscali wasn't just aware of the fact that infringements were committed on its network, said Sabam, but also gained serious profits from the infringements, since the customer-base had significantly grown since the advent of filesharing networks.

The Court apparently followed this line of reasoning, but ordered technical research into the possibility of blocking access. The verdict is not public yet. It is completely unclear how Tiscali should detect possible unlawful behaviour from their customers. The verdict seems to contradict the provider liability provisions in the e-Commerce directive (2000/31/EC). This directive decrees that providers that provide mere conduit to their customers, as access providers do, cannot be held liable for any illegal or unlawful conduct from their customers if they are not aware of the origin of the content, don't influence the destination and don't select or modify the information.

Sabam announced in an earlier press release they would apply the outcomes of the verdict to all Belgian access providers, claiming they should block access to any P2P software and take technical measures to cripple the working of the already downloaded P2P software.

La SABAM obtient raison (01.12.2004)
http://www.lalibre.be/article.phtml?id=3&subid=85&art_id=19533...

La Sabam poursuit Tiscali pour atteinte au droit d’auteur (25.11.2004)
http://www.droitbelge.be/news_detail.asp?id=197

Press release SABAM (Word doc in English, 24.06.2004)
http://www.sabam.be/website/data/tiscaliangl.doc

UK government pushes ahead with national ID card

The UK government is pushing ahead with plans for a compulsory national ID card. The Identity Cards Bill was announced in the Queen's Speech, which sets out the government's legislative programme for the coming year, and introduced in the House of Commons on 29 November.

The Bill is virtually unchanged from a draft published for consultation earlier this year. Citizens will be issued with a card as they renew passports, but can also be ordered to attend an interview to be biometrically scanned and given a card. A National Identity Register will contain details of the names, current and previous addresses, place of birth, identifying characteristics, nationality and immigration status of every UK resident. Biometrics (planned to be fingerprints and iris scans) will be stored on the card and in the database. Details of every access made to the Register will be stored, revealing the times and places that online checks were made on the card and hence the location of its owner.

The card and the register would be necessary to seek employment, to gain access to health and other services, and would be used by police and immigration officers in the course of their functions. It could also be required for operating a bank account, using professional services such as a solicitor or accountant, applying for a permit or license, buying property, stocks or shares or applying for credit.

EDRI members Privacy International and FIPR are members of a national campaign against the proposals. This No2ID coalition has branded the card and register as a "licence to exist". PI Director Simon Davies, recently elected Chairman of NO2ID, commented that: "The Home Secretary and the government have staked their future on this proposal. They have totally misjudged the public mood and will find themselves in the middle of a firestorm over the issue."

ID card scheme unveiled by Queen (23.11.2004)
http://news.bbc.co.uk/2/hi/uk_news/politics/4034699.stm

ID scheme, IT the key to Blunkett's new terror laws (24.11.2004)
http://www.theregister.co.uk/2004/11/24/security_bill_roundup/

(Contribution by Ian Brown, board-member EDRI)

EU prepares law on police files

The European Commission is preparing a Framework Decision on 'Access to information by law enforcement agencies'. Commission services have authored a Communication on enhancing such access, which was sent to the Council and the European Parliament in June 2004.

The issue is closely linked to discussions currently under way on the introduction of data protection rules for issues that are dealt with under the Third Pillar of EU Legislation, which is mainly about police and judicial co-operation. At present, this whole topical area is exempt from EU Data Protection legislation, including the EU Data Protection Directive 95/46.

In the classic view on data protection, access to information is seen as a complementary condition for the protection of data. This was reflected at an experts' meeting in Brussels on 23 November 2004, where Gus Hosein of Privacy International and Andreas Dietl of EDRI were invited, along with a small number of speakers from other civil rights organisations.

The Commission sees a need for more transparency by law enforcement agencies as a consequence of the Dublin Declaration, which, in the aftermath of the Madrid bombings of 11 March 2004, aimed at enhancing the exchange of information between police forces and secret services, especially in, but not limited to, cases involving terrorism. If personal data is transferred between different agencies and cross-border, common rules must apply to the processing of the data, to data security, data protection and the individual's right of access to the data. The Commission recognised traceability of the data as a key issue, while privacy advocates and representatives of Amnesty International added that individuals must have a right to remedy concerning the data stored about them. This should be an integral part of a judicial framework for law enforcement data, which is yet to be constructed.

The Commission announced that it will try to get more input from civil society by organising at least one bigger hearing next spring, before presenting draft legislation early in July 2005.

Towards enhancing access to information by law enforcement agencies. Communication from the Commission to the Council and the European Parliament (16.06.2004)
http://europa.eu.int/eur-lex/en/com/cnc/2004/com2004_0429en01.pdf

(Contribution by Andreas Dietl, EDRI EU Affairs Director)

Danish Hearing on RFID

On 24 November 2004 in Denmark a hearing was held on RFID and pervasive computing. During the hearing, a first draft of an industry code of conduct (drafted by Danish Industry, The Danish Consumer Council and the Danish Trade and Service Association) was presented, together with a report on the technical and legal challenges and lacunas.

The debate at the conference focussed on concerns about the optimistic (read: privacy-naive) approach towards the privacy implications of RFID, especially with regard to new means of extensive storing, profiling and exchanging of personal data. Representatives from the Danish Industry and others stressed that as long as chips are de-activated upon shop exit, the public should not be overly worried. Representatives from the Consumer Council and The Danish Institute for Human Rights stressed the extensive and invasive individual mapping this could lead to. They recommended that privacy threats and compliance be addressed more seriously, and that Denmark should pay more attention to international developments and concerns.

The hearing was a follow-up to a ministerial report on Pervasive Computing from 2003. The report recommends that further analysis must be conducted with regard to the ICT security aspects of pervasive computing, including RFID.

The hearing was organised by the National Council for IT-security (Rådet for IT-sikkerhed) and the Danish Data Protection Agency (Datatilsynet).

Extracts from the report (in English)
http://www.rfits.dk/English.3349.0.html

Report about the hearing (in Danish)
http://www.rfits.dk/N_r_chippen_f_lger_o.3346.0.html

(Contribution by Rikke Frank Joergensen, EDRI-member Digital Rights Denmark)

Hungarian Big Brother Award for Data Protection Commissioner

During the Big Brother Awards ceremony in Budapest, Hungary on 25 November 2004, the People's Award was presented to the Data Protection Commissioner, Attila Péterfalvi. He was chosen with a large majority of 917 votes (39,8%) from 2.342 valid votes. He was given the negative prize for making official statements that could erode the Hungarian privacy culture, including a statement that it was right from a legal point of view to install CCTVs in fitting rooms. Acting like a good sport, Péterfalvi joined the ceremony and received the award. But earlier, he had sent an official letter from the Hungarian Data Protection Agency warning the Hungarian organisers that he would ask Privacy International to erase them from the list of official Big Brother Award organisers.

The Ministry of Employment and Labour won a Big Brother Award for its project EMMA (Egységes Munkaügyi Nyilvántartás). It is a centralised database containing personal information about every Hungarian employee, without any purpose that would make it justifiable under constitutional privacy protection.

Another award was given to the publisher of the Hungarian Official Gazette. If you wish to look at the most recent legislation online, you have to register and inform them about your name, postal address and telephone number. The jury of the Hungarian Big Brother Awards finds this practice unjustifiable, since every piece of information published on the web site of the Publisher of Hungarian Official Gazette should be accessible without any restriction for everybody.

Finally Mihály Ficsor, vice-president of the Hungarian Patent office won an award for personally supporting the European Software Patent.

Some pictures of the BBA ceremony (25.11.2004)
http://www.nagytestverdij.hu/pictures2004.html

Finnish security police charged with illegal snooping

Three top officials in Finland’s Security Police (SUPO) and the former head of the security unit of the telecommunications service provider Sonera are to be charged in a case involving suspected illegal telecommunications surveillance, according to the Finnish journal Helsingin Sanomat. The case dates back to November 2000, when Juha E. Miettinen, the head of Sonera's security unit, handed over the traffic data records of 5 mobile phone customers to the SUPO without just cause. The illegal hand-over was brought to light in yet another painful incident compromising the privacy of Sonera staff and customers. Miettinen had personally led an operation to collect telephone records of Sonera employees and outsiders in 2000 and 2001, to investigate which employee had possibly leaked information about internal company affairs to the press.

The case painfully demonstrates the risk of intimate connections between telecom operators and security services. It is no secret that many security desks of providers, especially the former telephony monopolists, are run by former intelligence agents. This risk will only be aggravated if providers in the EU are forced to retain large sets of data about their customers for a long time.

Top officials in Security Police face charges in telephone surveillance case (23.11.2004)
http://www.helsinginsanomat.fi/english/article/print/1076154613063

Head of Sonera corporate communications arrested (25.11.2002)
http://www2.helsinginsanomat.fi/english/archive/news.asp?id=20021125IE...

Police believe Sonera security unit illegally monitored telephone records for nearly a year (06.11.2002)
http://www2.helsinginsanomat.fi/english/archive/news.asp?id=20021106IE...

EU court to decide on Microsoft appeal

The EU's Court of First Instance will decide between 18 and 20 December whether to suspend the Commission's sanctions against Microsoft. In March 2004 Microsoft got a record fine of 497 million euro after a five-year investigation by the Competition Commissioner into Microsoft's business practice. The Commission also ordered Microsoft to offer a version of Windows without a bundled media player and to share more technical information with server rivals. Microsoft paid the fine but the cash is being kept in an escrow account until Microsoft's appeal has been settled.

According to the Commission's March 2004 ruling Microsoft's illegal conduct has enabled it to acquire a dominant position in the market for work group server operating systems and has significantly weakened competition on the media player market. The dominant position has grave consequences for consumers: "The ongoing abuses act as a brake on innovation and harm the competitive process and consumers, who ultimately end up with less choice and facing higher prices".

The appeal case has been complicated by the recent withdrawal from the legal proceedings of two main Microsoft opponents, Novell and a US-based trade group called the Computer and Communications Industry Association (CCIA). These two groups reached settlements with Microsoft earlier this month to withdraw from the case. Microsoft paid Novell 536 million dollars to remove its complaints against it. A smaller amount was also paid to CCIA. CCIA-member Nokia has left the association because of the settlement which it calls 'inappropriate'.

Microsoft has been trying since April to get approval from the European Commission to acquire the US-based Digital Rights Management technology company ContentGuard. In August, the European Commission said that the purchase "would be liable to create or strengthen Microsoft's dominant position on the market for D.R.M. solutions" and that the concentration "raises serious doubts" that it is in the public's interest.

Microsoft won't try to bar evidence (25.11.2004)
http://www.iht.com/articles/2004/11/24/yourmoney/msft.html

Crucial Microsoft decision set for mid-December (25.11.2004)
http://www.euobserver.com/?sid=9&aid=17848

Europe Stalls ContentGuard Deal (29.11.2004)
http://www.nytimes.com/2004/11/29/technology/29newecon.html

Nokia exits industry group after Microsoft payment (30.11.2004)
http://www.cbronline.com/article_news.asp?guid=AE40C2A5-0E82-4500-81BE...

Microsoft gets record-breaking fine (24.03.2004)
http://www.edri.org/edrigram/number2.6/microsoft

European Parliament adopts Safer Internet programme

On Thursday 2 December, the European Parliament adopted the report from the Dutch PSE rapporteur Edith Mastenbroek on the goals and funding of the Safer Internet Plus Programme. Parliament has decided to dedicate 45 million Euro to the program, of which 20,05 million are to be spent in the first 2 years, 2005 and 2006. Since the amendments were already agreed with the Commission and the Council, the report is adopted at first reading and will enter into force on 1 January 2005.

The programme is divided into four action lines and the budget is divided along these lines:

1.  Fighting against illegal content (25-30% of the budget) by the means of hotlines. To ensure that the Programme is effective, hotlines are required in all Member States and candidate countries. Currently, hotlines exist in 13 of the 25 Member States.
2.  Tackling unwanted and harmful content (10-17%)
3.  Promoting a safer environment (8-12%): the Safer Internet Forum is to provide codes of conduct.
4.  Awareness-raising (47-51%) measures.

Parliament has agreed to considerably diminish funding for the second action line, in order to dedicate a much larger budget to awareness-raising. The report has a strong focus on privacy principles, and doesn't want to make funding available to create filter tools, but to use the funding to investigate the performance and transparency of filter technologies. Adding to the transparency of the hotline system, the report demands that "the number and kind of web-pages withdrawn by internet service providers as a result of information provided by the hotlines should be made public if possible." Also, internet providers are encouraged to handle Notice and Take Down requests in a transparent and conscientious manner.

Finally, the report adds an important dimension to the debate about harmful content. "It would be desirable to try to take account of the possible effect of new technologies, on their safe use by children when they are being developed, instead of trying to deal with any consequences of the new technologies after they have been devised. (...) However, it should be taken into account that not every product developed for the online world is intended for use by children."

EP report on Safer Internet Plus Programme 2005-2008 (18.11.2004)
http://www2.europarl.eu.int/omk/sipade2?PUBREF=-//EP//NONSGML+REPORT+A...

EU presidency paper on spam

The Dutch Presidency of the EU has published a rather thin paper on spam. The Presidency 'sees spam as a priority issue' and is looking for 'short-term practical measures and quick wins'. The paper will be on the agenda of the Telecommunications Council on 9 December 2004.

The paper mentions that the Commission has created a contact network of spam enforcing bodies in the EU called CNSA. Also, the French and Dutch responsible authorities (CNIL and OPTA) have prepared a co-operation protocol, that is expected to enter into force before the end of 2004. A questionnaire was sent out by the European Commission to industry and government in October 2004. The results show that the difference in implementation of the enforcement of the spam-ban causes lots of problems. The paper mentions a large variety in financial penalties, from 145 euro per spam message to an administrative fine of 450.000 euro. Precisely one sentence is dedicated to the most hotly debated controversy caused by Article 13 of the Privacy Directive of 2002, whether the spam-ban only applies to natural persons, or also to business recipients. The Presidency offers no solution or recommendation for this problem.

The paper recommends the European Commission should do a fast evaluation of the e-Privacy directive of 2002, not to start at the end of 2006, but early in 2005. Secondly, the paper recommends raising user awareness of the security-risks involved with spam and identity phishing. "It is important that member states can learn from each other and exchange ideas and experiences on awareness campaigns."

EU Presidency paper on spam (24.11.2004)
http://register.consilium.eu.int/pdf/en/04/st15/st15148.en04.pdf

Recommended reading

7th annual Privacy and Human Rights survey, published by Privacy International & the US based Electronic Privacy Information Center (EPIC). The report reviews the state of privacy in sixty countries and warns that invasions of privacy across the world have increased significantly in the past twelve months.

The 800 page report is available free of charge at
http://www.privacyinternational.org/survey/phr2004 (17.11.2004)

Agenda

6 December 2004, Namur, Belgium
Afternoon seminar on trans-border data flows and the safe harbour case
http://www.droit.fundp.ac.be/colloques/transborderDataflow.htm

7 December 2004, Zurich, Switzerland
First open debate about the Swiss Creative Commons, scheduled to be launched in spring 2005
http://www.openlaw.ch

10 December 2004, Oxford, UK
Reflecting on the Civil Society Agenda, debate in the Oxford Internet Institute about the WSIS Civil Society declaration that emphasizes a commitment to: "building information and communication societies that are people-centred, inclusive and equitable".
http://www.oii.ox.ac.uk/collaboration/?rq=specialevents/20050101

10 December 2004, Brussels, Belgium
Creative Commons-Belgium launch event. Following Austria, Finland, France, Germany, Spain and the Netherlands, Belgium is launching a bi-lingual national version of the Creative Commons license, translated by the CRID, Centre de Recherches Informatique et Droit of the University of Namen and the CIR, Centre for Intellectual Rights of the University of Leuven.
http://creativecommons.org/projects/international/be.

14 January 2005, Athens, Greece
ePSINet Policy Conference on re-use of Public Sector Information in Europe. The aim of the conference is to provide a forum for policy makers, public content providers, re-users and international experts to discuss the prospects for adding value through commercial exploitation of public sector information. The conference will also act as a progress check on the early implementation of the European Directive on PSI re-use, published late in 2003, and discuss the future agenda. Registration is free for the first 150 participants.
http://www.epsigate.org/conf.htm

21 January 2005, Paris, France, Big Brother Awards
The organising committee of the French Big Brother Awards is inviting the public to nominate people, institutions and governments that have excelled in violating privacy and enhancing control. The French have opened a new category, for nominations in the 'Novlang/Newspeak Award', dedicated to public manipulation of the masses aimed at making people docile to control, surveillance, tagging and tracing their private lives.
Public nominations French Big Brother Awards
http://candidats.bigbrotherawards.eu.org/

12-15 April 2005, Seattle, USA, CFP 2005
The program committee of the annual Computer, Freedom, Privacy Conference is accepting proposals for conference sessions and speakers for CFP2005. The deadline for submissions is 31 December 2004. The conference will be held in the Westin Hotel in Seattle, Washington.
http://www.cfp2005.org