EDRi-gram newsletter - Number 11.1, 16 January 2013


EU PNR directive gets funding before being adopted

The European Parliament (EP) Civil Liberties Committee is to vote, by the end of January 2013, on the controversial EU Passenger Name Record (PNR) directive proposal, introduced in February 2011 and already examined by three EP committees. However, the European Commission has already issued a Call for Proposals making 50 million Euro available for setting up national units for the collection, processing, analysis and exchange of passenger name record data.

The directive would require the establishment within the EU Member States of systems to collect, store and process large amounts of personal data from people flying into (and possibly within) Europe, with the stated purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime.

Subsequently, the Council will discuss "certain issues" in the proposal at its meeting in Luxembourg in June. The system will enter into force once the Council and the EP reach an agreement.

The proposal has been fiercely opposed and criticised as having no legal basis and as being ineffective for its declared purpose, while affecting the privacy and liberties of citizens. And yet, the Commission is pushing it further and is making 50 million Euro available for the establishment of Passenger Information Units (PIUs) in the Member States. The units, besides collecting, processing, analysing and exchanging PNR data, should also “be able to carry out risk assessment of passengers on the basis of the PNR data held in the database mentioned under point 3 prior to their arrival or departure either on the basis of criteria or by comparing the data against relevant databases.”

One of the expected results of the project is the “establishment of a database capable of gradually reducing the access to the data, for example by depersonalising the data through masking out the personal identifiable information.” On 9 January 2013, the Commission launched a call for proposals for projects to establish such PIUs in the Member States, with 90% of the costs covered from the EU Prevention of and Fight against Crime fund.

Although the "running costs of any system set up further to EU legislation, in principle have to be borne by the Member States," the Commission said it was "willing to use existing financial funds to support Member States in the establishment of the passenger information units." Only a minimum of 10% of the total eligible costs are to be provided by the applicant or one of its partners.

The deadline for Member States' applications for financial assistance for PIUs is 10 April 2013, with the winning proposals to be decided by the end of September. "The projects are expected to commence shortly after the award of a grant, at the latest 1 January 2014," says the Commission call.

This entire process is being pursued while the EU PNR directive is still under discussion, showing a clear willingness of the Commission to pass the draft directive no matter what.

Commission makes €50 million available for the development of "big brother" PNR databases - before legislation has even been agreed (11.01.2013) http://statewatch.org/news/2013/jan/07-pnr-com-money.htm

Prevention of and fight against crime 2007-2013 - Action Grants 2012 - Targeted Call for Proposals
http://ec.europa.eu/dgs/home-affairs/financing/fundings/security-and-s...

Irish EU Council Presidency proposes destruction of right to privacy

The Irish Presidency of the European Council has distributed a "discussion paper" on the protection of citizens' personal data ahead of this week's Justice and Home Affairs Council in Dublin. As the first Presidency in this “European Year of the Citizen”, we had every reason to expect the Irish to produce novel ways of protecting citizens. Their first suggestions are definitely novel, but certainly are not protective of citizens' fundamental rights.

For example, based on the current situation in Ireland, the idea is that all companies can do whatever they want with personal data, without fear of sanction. Sanctions, such as fines, “should be optional or at least conditional upon a prior warning or reprimand”. In other words, do what you want, the worst that can happen is that you will receive a warning.

Of course, policies are often proposed that sound worse in theory than they are in practice. In this case, however, we just have to look at current practice in Ireland to see what such an approach looks like. The Irish police “PULSE” database saga gives a chilling insight into the brave new world into which the Irish Presidency apparently wants to lead us.

In 2007, the Irish data protection Commissioner agreed on a “self-regulation” structure with the police. In 2010, a report from a judge assessing Ireland's data retention regime identified serious abuses happening under this “light touch” regulatory system. The abuses passed apparently unnoticed by the vastly under-resourced data protection authority (DPA) that had approved the launch of the “self-regulatory” regime. The Irish DPA availed of its option not to take immediate enforcement action against the police.

In 2011, a full four years after the system had been set up, the Irish data protection authority at last came to the conclusion that the system was falling “short of the standards we expect”. Again, the Irish DPA chose not to take enforcement action against the police. Finally, after five years of apparently unremitting abuse of citizens' data, the data protection authority announced in 2012 that it would audit the PULSE database and, from what we can tell, chose yet again not to take enforcement action against the ongoing breaches of citizens' fundamental rights. In the meantime, we can only assume that the abuses continue unabated.

Under the Irish proposal, this approach would be made mandatory: warnings would have to be issued first, after citizens' fundamental rights had been abused, giving companies and state authorities “carte blanche” to breach our rights until (at the earliest) the data protection authority had twice found a company to be in breach of the law.

As if the EU-wide introduction of current unfit-for-purpose Irish strategies were not bad enough, the reality would be a little worse. At the moment, companies are required to register their data processing with the data protection authority, which at least makes the DPA aware of the processing that is taking place. Under the new Regulation that has been proposed, those registration obligations would be substantially weakened, which makes sense in the context that the Commission originally proposed. In this context, however, it would mean giving even fewer tools to the eviscerated DPAs. The “race to the bottom” would be replaced by a synchronised dive.

Two weeks into the European Year of the Citizen and two weeks into the Irish Presidency's term of office, the Programme of the Irish Presidency of the European Union is beginning to look like a lame parody:

"Increased internet usage, social media, globalisation of data transfers and other technological advances have made life easier for millions, but also increase the collection, use and processing of personal data globally. The Lisbon Treaty contains a new legal base for EU data protection rules and the Charter of Fundamental Rights also enshrines protection of personal data as a fundamental right. As part of its focus on the Digital Agenda, the Presidency will work to reach agreement in the Council on key aspects of the Data Protection package. This is aimed at ensuring that citizens have more control over their personal data. Progress made by the Presidency in this area will strengthen confidence in the digital economy and support the growth of the Digital Single Market."

Informal Justice and Home Affairs Ministers’ Meeting - Discussion Paper - Data Protection – certain key issues (17-18.01.2013)
http://edri.org/files/irl_dppaper.pdf

2013 - European Year of the Citizen
http://europa.eu/citizens-2013

Gardaí use database to check up on daughters’ boyfriends (8.08.2011)
http://www.thejournal.ie/gardai-use-database-to-check-up-on-daughters-...

Data Protection in An Garda Síochána
http://www.garda.ie/Controller.aspx?Page=136&Lang=1

Judge's report reveals allegations that Garda used phone records to spy on her ex (20.02.2011)
http://www.tjmcintyre.com/2011/02/judges-report-reveals-allegations-th...

Irish DPA Report - 2010
http://www.dataprotection.ie/documents/annualreports/2010AR.pdf

Tax official used data on woman to proposition her (24.10.2012)
http://www.independent.ie/national-news/courts/tax-official-used-data-...

Programme of the Irish Presidency of the European Union
http://www.eu2013.ie/media/eupresidency/content/documents/EU-Pres_Prog...

(Contribution by Joe McNamee - EDRi)

Data Retention in Austria: Constitutional Court turns to the CJEU

The Austrian Constitutional Court has reservations that the EU Directive on the Retention of Data could be incompatible with the European Charter of Fundamental Rights. For this reason, the 14 constitutional judges have addressed the Court of Justice of the European Union (CJEU), submitting questions on the interpretation of the Charter of Fundamental Rights of the European Union.

This request for a preliminary ruling has been prompted by applications and complaints against data retention addressed to the Constitutional Court. To date, the provincial government of Carinthia, a telecommunications company employee, and a total of some 11 000 private individuals have turned to the Constitutional Court.

The data retention obligation came into force in Austria on 1 April 2012. Shortly afterwards, the Austrian AK Vorrat started a campaign to file a complaint at the Constitutional Court. Within a few weeks, 11 139 Austrians supported the action and declared their intention to join the complaint.

On 18 December 2012, the Constitutional Court judges announced that they shared the reservations of these citizens. "In the overwhelming number of cases, data retention concerns persons who do not cause any ground for their data being retained. The authorities capture the data of these individuals and are then in possession of information about their private behaviour. In addition, there is a heightened risk of abuse", explains Gerhart Holzinger, president of the Austrian Constitutional Court, continuing: "The Constitutional Court is under an obligation to turn to the CJEU if it has doubts on the interpretation of the Union law. We have doubts that the EU Directive on Data Retention is really compatible with the rights guaranteed by the Charter of Fundamental Rights of the European Union".

This decision to seek a preliminary ruling from the CJEU has a suspensive effect on the proceedings pending before the Constitutional Court in Austria. Once the CJEU has ruled on the questions submitted to it, the Constitutional Court will resume its deliberations. While the matter is before the CJEU, data retention remains in force in Austria: the Constitutional Court says it has no means to provisionally suspend the relevant provisions on its own initiative.

The Court's decision is a very important interim victory for the AK Vorrat activists and the concerned citizens. Lawyer Ewald Scheucher, who filed the complaint on behalf of the 11 139 Austrians, considers the decision the best possible result, as the CJEU is the supreme body on this matter. Thus, it is the European Court which has the power to sound the death knell for data retention in Europe.

Constitutional Court has reservations against data retention and turns to the CJEU (18.12.2012)
http://www.vfgh.gv.at/cms/vfgh-site/attachments/2/7/9/CH0003/CMS135581...

Judgement (only in German, 18.12.2012)
http://www.vfgh.gv.at/cms/vfgh-site/attachments/0/4/1/CH0003/CMS135581...

English version will be available at
http://www.vfgh.gv.at/cms/vfgh-site/attachments/2/7/9/CH0003/CMS135581...

AK Vorrat: Constitutional Court shares reservations of 11,139 citizens (only in German, 20.12.2012)
http://www.akvorrat.at/node/70

(Contribution by Alice Sedmidubsky - unwatched.org)

Major data leak at the Belgian railway company

At the end of December 2012, the personal data of more than one million customers of the Belgian train company SNCB Europe were available online via a simple search-engine query. The data contained in the SNCB database included names, email addresses and, in some cases, even phone numbers and home addresses. The forum user who discovered the link to the database deleted the address (URL) from the forum post after reporting his discovery, to avoid further exposure.

On 22 December 2012, a spokesman of SNCB Europe claimed that a file available on the Internet was private because its URL had not been published. In reality, any information reachable on the Internet is public unless access to it is restricted by an authentication mechanism: an unpublished URL is not an access control, and search engines index whatever they can reach.

"Contrary to the statement of the SNCB Europe spokesperson, the person who revealed the information did not use any trick to access the file. The database containing 1,460,734 customers was freely accessible via a trivial query on a search engine. This management of personal data is shockingly irresponsible. The SNCB made no effort whatsoever to ensure that these data are inaccessible to the public and failed in its duty to protect its customers' personal data," said André Loconte, spokesman of EDRi Observer NURPA (Net Users' Rights Protection Association).

Furthermore, the Belgian company has not yet informed the people affected by this leak as, unfortunately, there is no Belgian law imposing a notification obligation in such cases.

According to the CPVP (the Belgian data protection commission, which receives privacy complaints), a user who wants to find out whether his or her data is in the leaked database must send a letter to SNCB with a copy of his/her identity document.

NURPA has created a free software application that lets interested Internet users fill in a questionnaire to generate the letters needed to ask SNCB whether their personal data are present in the leaked database. The application also lets users submit complaints to the CPVP and object to the use and exploitation of their personal data. The CPVP has launched an investigation, having already received more than 1700 complaints by the first week of January 2013.

SNCB Europe data leak involves more than one million customers (23.12.2013)
http://nurpa.be/actualites/2012/12/SNCB-personal-data-leak

Hermes: simplify your actions within "SNCBgate" (only in French, 8.01.2013)
http://nurpa.be/actualites/2013/01/hermes-plainte-information-SNCB-gat...

Hermes - SNCB Europe leaked your personal data
http://nurpa.be/hermes/

Second-class service (10.01.2013)
http://www.europeanvoice.com/article/imported/second-class-service/761...

French Minister asks US company to uphold France's values

The French government seems to be very confused regarding questions of net neutrality and interference in networks. In the first two weeks of the new year, the new government managed to contradict itself by organising a round-table to discuss the importance of net neutrality on the one hand... and by asking a private corporation to interfere with communications on its network, on the other. It also seems to have lost track of its responsibilities as the government of a sovereign country, inviting a US company to regulate the online freedom of speech of its own citizens.

This week, a round table was organised by the government with academia and companies in order to discuss the issue of "Net neutrality: growth of the Internet and freedom of internet users". One of the reasons for this event was the decision by Free, France's second-largest access provider, to turn on the blocking of online advertisements by default. As a result of the ensuing controversy, Digital Economy Minister Fleur Pellerin stated that she had persuaded Free to stop its controversial policy of interfering with traffic in this way. However, she later clarified that Free's decision “raised a good question”, cryptically explaining that service providers that do not pay interconnection fees are “stowaways” (stowaways in ships that are, no doubt, pursued by Eric Cantona's famous seagulls).

Given the encouraging Parliamentary reports in 2011 and legislative proposals on the topic of net neutrality, it is surprising that the French government deemed it necessary to discuss the issue now in a round table. Two things are noteworthy here: first, Internet users were not invited to take part in the round table that was supposed to be discussing their freedoms; second, French tactics are starting to look like a local duplication of the European Commission's wait-and-see approach: if you don't want to do anything, just launch consultations... or a series of round tables.

Regardless of the French approach on this matter, the fact is that the government successfully asked one service provider (Free) to end its interference with traffic on its network, and then publicly called on another service provider (Twitter) to do the opposite and interfere with traffic on its service.

Last week, the French Minister of Women's Rights and Government spokesperson Najat Vallaud-Belkacem announced that she would like to hand over the responsibility for fighting unwanted content on the Internet to a US company. In an opinion piece in Le Monde, she stated that “Twitter must respect the values of the Republic”. After homophobic, racist and anti-Semitic hashtags managed to become trending topics in recent months, the minister suggested Twitter should actively fight against the publication of tweets containing hate speech on its platform in France. This week, her cabinet stated in an explanation to the online news platform Numerama that she wanted to “negotiate with Twitter in order to remove Trending Topics (TT) containing contentious content and hashtags.”

It appears that the French government is trying to hand over the regulation of French citizens' right to expression and to communication to a US company. It is quite astonishing that a European government believes that fundamental rights should be regulated by private actors – and that a responsible member of a democratic society would call on a private corporation to regulate freedom of expression based on concepts that are rather elastic. If Twitter should regulate the online liberty of French citizens, then logically the French Socialist government believes that major corporations like Google, Microsoft/Skype, Paypal, MasterCard, Visa, Verisign, Facebook, Amazon and others should do the same.

Participant list of the round table on Net neutrality
http://www.fftelecoms.org/sites/fftelecoms.org/files/contenus_lies/130...

Twitter needs to respect the French values (only in French, 28.12.2012)
http://www.lemonde.fr/idees/article/2012/12/28/twitter-doit-respecter-...

Blocking advertising: Free "asked the right question" after Pellerin (only in French, 13.01.2013)
http://www.lemonde.fr/technologies/article/2013/01/13/blocage-de-la-pu...

Fleur Pellerin does not want to block the Twitter hashtags, but to filter the TT (only in French, 14.01.2013)
http://www.numerama.com/magazine/24763-fleur-pellerin-ne-veut-pas-bloq...

Net Access Restrictions: What is the French Government doing? (14.01.2013)
https://www.laquadrature.net/en/net-access-restrictions-what-is-the-fr...

Legal analysis: RT the Hate: France and Twitter Censorship, Part Two (7.01.2013)
http://www.citmedialaw.org/blog/2013/rt-hate-france-and-twitter-censor...

(Contribution by Kirsten Fiedler - EDRi)

State German DPA threatens to fine Facebook for opposing anonymity

The ULD (the Data Protection Authority, DPA, of the German state of Schleswig-Holstein) issued orders in December 2012 threatening Facebook Inc. (USA) and Facebook Ltd. (Ireland) with a 20 000 Euro fine for their refusal to accept anonymous user accounts.

Thilo Weichert, the German Data Protection Commissioner, sent two letters, one to Mark Zuckerberg, Facebook’s founder and CEO, and one to Dublin-based Facebook Ireland Ltd, stating that Facebook’s current rules requiring users to provide their real names when creating an account violated German law (the German Telemedia Act, TMG).

"It is unacceptable that a US portal like Facebook violates German data protection law, unopposed and with no prospect of an end," said Weichert. The ULD asked Facebook to comply with Sect. 13 par. 6 of the TMG, which is in line with European law and which also serves to protect fundamental rights, in particular the fundamental right to freedom of expression on the Internet.

Facebook Inc. responded, first, that Facebook Ltd. in Ireland, and not the parent company in the US, was exclusively responsible, and, second, that Facebook Ltd. fully complied with Irish data protection law, which implements European law.

In the company’s view, Sect. 13 par. 6 of the TMG does not apply to Facebook and, furthermore, infringes European legislation on the subject.

The ULD has previously raised other issues with Facebook. In 2011, the German state of Schleswig-Holstein banned local organisations and companies from using Facebook's "like" button, which allows the site to monitor users, and Hamburg's data protection authority ruled that Facebook's facial recognition feature violated German privacy laws.

Although the fine is not financially significant for Facebook, it may damage the social network's image. However, it is very unlikely that either Facebook Inc. or Facebook Ireland Ltd. will change their policies for a single country. A Facebook spokesman said the German orders were without merit and stated that the company would strongly fight them.

German state fights Facebook over alleged privacy violations (4.01.2013)
http://www.guardian.co.uk/world/2013/jan/04/facebook-germany-data-prot...

Opposing anonymity, Facebook risks an insignificant fine in Germany (only in French, 8.01.2013)
http://www.numerama.com/magazine/24721-oppose-a-l-anonymat-facebook-ri...

ULD orders (only in German, 14.12.2012)
https://www.datenschutzzentrum.de/facebook/20121214-anordnung-fb-inc.h...

Statement on the Irish audit report (only in German, 21.09.2012)
https://www.datenschutzzentrum.de/presse/20120921-irisches-facebook-au...

ULD issues orders against Facebook because of mandatory real names (17.12.2012)
https://www.datenschutzzentrum.de/presse/20121217-facebook-real-names....

Is the Commission’s report on Swift agreement biased?

The very controversial TFTP (Terrorist Finance Tracking Programme, or Swift Agreement), through which European and US law enforcement authorities exchange personal financial information about suspected terrorists, is overseen by two review boards (one American and one from the EU) to ensure that the information is secured and properly handled.

The Commission’s report on the second joint review of the implementation of the Swift Agreement, issued on 18 December 2012, was largely favourable to the implementation of the agreement: “As illustrated by the report (and the detailed information contained in its annexes), this review confirmed the clear value added of this instrument in fighting against and preventing terrorism. This – very sensitive – programme continues to be well protected and is scrupulously managed in accordance with a set of effective safeguards. (...) Overall the implementation of the agreement more than two years after the entry into force of the Agreement has reached a very satisfactory level of effective implementation with also the EU increasingly profiting from it under the specific reciprocity arrangements”.

The report also made some recommendations, among them that the US Treasury specify in more detail to the Commission how the on-going evaluation process is carried out in practice, and that the deletion of data be continuously monitored. It also recommends that the US Treasury respect any technical modalities and security arrangements agreed for the transfer of information, “including seeking prior consent from the data owner before disseminating such information”. The report asks for future consultation and coordination between the JSB, Europol and the Commission on the planning, timing and focus of possible inspections “in order to avoid overlapping activities and misleading public statements.”

But Reinhard Priebe, Director for Internal Security at the Commission’s directorate for home affairs, who chairs the EU review team, stated that there might be a conflict of interest in the European review board, as the board includes two data protection experts who sit on a joint supervisory body (JSB) linked to Europol.

The JSB report, which details how the terrorist-fighting authorities share the personal data, is now being kept secret, apparently because the Commission considers the JSB's conclusions incorrect, according to Dutch MEP Sophie in't Veld. She also stated that she had no idea whether the safeguards agreed for the proper application of the agreement were actually being used.

The reality is that a huge and unnecessary amount of data is sent, on a daily basis, under the agreement. "The essential problem of the Agreement remains unresolved: The report gives no indication of the extent and scope of the data", as the German Federal Data Protection Commissioner Peter Schaar points out.

By 1 August 2013, the Commission and the US Treasury are to prepare a joint report regarding the value of TFTP data. The next Joint Review, according to Article 13 of the Agreement, will be carried out in 2014.

Terrorist data oversight tainted by potential conflict of interest (20.12.2012)
http://euobserver.com/justice/118593

Commission Staff Working Document - Report on the second joint review of the implementation of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program (14.12.2012)
http://www.statewatch.org/news/2012/dec/eu-com-tftp-review-swd-454-12....

Monitoring report of the EU Commission: the case of financial data delivery in the U.S. is that neither requests nor deletion are traceable (only in German, 19.12.2012)
https://netzpolitik.org/2012/kontrollbericht-der-eu-kommission-bei-fin...

ENDitorial: Questions on the draft Directive on Cybersecurity Strategy

A draft of the previously announced EU Directive on Cybersecurity Strategy that is circulating in Brussels seems to be totally misguided, in EDRi's opinion.

The Commission seeks to put ENISA at the heart of a network to act as an early warning system for bad stuff on the Internet, which is good. What is wrong is that instead of pulling together police forces, CERTs and service providers, ENISA seeks to set up a classified network of military and intelligence agencies.

It is true that large numbers of EU citizens have suffered from online fraud and that their ability to get redress varies quite disgracefully across the EU (as noted in the recent Eurostat survey, and discussed in the paper on "The Costs of Cybercrime"). However, the appropriate policy responses are already well known: they include improved and harmonised consumer protection, better police cooperation, security breach disclosure and a policy that vendors should supply and certify network-attached devices to be safe by default. Such measures are clearly within the competence of the EU and some are already being undertaken; see for example the security breach disclosure provisions in the draft Data Protection Regulation, and the new European Cybercrime Centre. Such proposals should be pursued and implemented with vigour.

This proposed directive, however, represents an attempt to militarise security in cyberspace. This has already been seen in some Member States; for example, the UK allocated a further £640m (approx. 770m Euro) to cybersecurity from 2011 to 2015 but, when the dust settled, GCHQ (the UK signals intelligence agency) had won 59% of it. The police, who actually have the responsibility for catching cyber-crooks, got an almost insignificant £5m (approx. 6m Euro) a year. So rather than giving the police the resources they need to catch cyber-crooks and put them in jail, the UK government decided to give most of the money to the spies so they could go and commit more cyber-crimes (albeit in other people's countries).

It is a tragedy that the European Union is now considering following this UK- and US-centric policy lead. The proposed draft directive must be rewritten so that the network of cooperation on cybercrime includes those organisations in a position to push back on crime, including the police, network service providers, CERTs, researchers, online service firms, software vendors and security companies. A classified network will not be in a position to win the trust of most of these stakeholders and would not in any case be able to feed much useful information to them. At present, civilian organisations contribute much more to the fight against cybercrime, as well as owning most of the critical infrastructure; as a result, we understand the problems much better. A network of governments talking only to each other could easily end up with the agencies amplifying each other's misconceptions.

Furthermore, the draft Directive's concept of a "single national competent authority" is wrong in principle and unworkable in practice. Even in the UK, where cybersecurity is already being partly militarised along the US model, we see a plurality of players even in the public sector: GCHQ, the Serious and Organised Crime Agency, the Security Service, local police forces and the National Physical Laboratory. This diversity of mission and of policy is valuable. Similarly, in Germany the roles of the Bundesamt für Sicherheit in der Informationstechnik and the Bundesnachrichtendienst are quite properly separate. A directive that encourages one single agency to acquire primacy in each Member State would undermine the constitutional arrangements that various states currently have for separation of powers and accountability (weak though these already are in some cases). In the German case, for example, it would undermine the strict separation between criminal prosecution and national intelligence.

The draft directive also grants draconian powers to ENISA and to the Member States, powers that would greatly exceed those granted under the Data Retention Directive, which have now been successfully challenged in the constitutional courts of several Member States. Note for example point 28 (page 14):

"Competent authorities should have the necessary means to perform their duties, including powers to obtain sufficient information from market operators in order to assess the level of security of network and information systems as well as reliable and comprehensive data about actual security incidents that have had an impact on the operation of network and information systems."

The definition of a "market operator" is: "Enablers of Internet services, e.g. e-commerce platforms, Internet payment gateways, social networks, search engines, cloud computing services, application stores, communication services other than those covered by the electronic communications framework. Software developers and hardware manufacturers are excluded."

In other words, ENISA and the national agencies in its network will have access to "sufficient information" from almost everyone online, in effect extending the data-retention powers from phone companies and ISPs to service providers such as search engines, webmail providers, social networks and computer game operators. That is completely unacceptable, as it would violate the constitutions of Germany and other countries (and, in view of the hostile report by the UK parliament's review committee on the proposed Communications Data Bill, would likely be unacceptable even in the most surveillance-friendly of the EU Member States). Finally, it is extremely difficult to see how such a provision could be squared with Article 8 of the European Convention on Human Rights.

The draft as it stands is unacceptable. It must be rewritten or abandoned.

The Costs of Cybercrime, R Anderson et al, 2012
http://www.lightbluetouchpaper.org/2012/06/18/debunking-cybercrime-myt...

Analysing Barriers and Incentives for Network and Information Security in the Internal Market for e-Communication, ENISA 2008
http://www.enisa.europa.eu/activities/stakeholder-relations/reports/ec...

EU cyber-security legislation on the horizon (11.05.2012)
http://euobserver.com/justice/116239

(Contribution by Ross Anderson - EDRi member FIPR - UK)

Recommended Reading

Commission's own internal review condemned CleanIT's incoherence and cost (9.01.2013)
http://edri.org/CleanIT-evaluation

European Parliament Data protection draft – compromise or compromised? (8.01.2013)
http://edri.org/ep-eudatap

Privacy by Design: Let’s be smart and implement it!
http://europeanprivacyday.org/privacy-design%E2%80%89-let%E2%80%99s-be...

Article 29 Data Protection Working Party: "European data protection Authorities launch Binding Corporate Rules for processors" (21.12.2012)
http://ec.europa.eu/justice/data-protection/article-29/press-material/...

Agenda

20-23 January 2013, Brussels, Belgium
The Power of Information - How Science and Technology can Make a Difference
http://www.ThePowerofInformation.eu

23 January 2012, Brussels, Belgium
Privacy Camp: civil society warm-up for the CPDP
http://www.edri.org/pre-cpdp

23-25 January 2013, Brussels, Belgium
CPDP 2013 Conference - Reloading data protection
http://www.cpdpconferences.org/callforpapers.html

2-3 February 2013, Brussels, Belgium
FOSDEM
https://fosdem.org/2013/

14-15 February 2013, Vienna, Austria
Internet 2013 - Shaping policies to advance media freedom
http://www.osce.org/event/internet2013

21-22 February 2013, Washington DC, USA
Intellectual Property and Human Rights Conference and Roundtable Discussion
Webcasted live and archived
http://www.wcl.american.edu/pijip/go/blog-post/intellectual-property-a...

22 February 2013, Warsaw, Poland
ePSIplatform Conference: "Gotcha! Getting everyone on board"
http://epsiplatform.eu/content/save-date-22-february-2013-epsiplatform...

21-22 March 2013, Malta
Online Privacy: Consenting to your Future
http://www.onlineprivacyconference.eu/

6-8 May 2013, Berlin, Germany
re:publica 2013
CfP by 31 January 2013
http://re-publica.de/en/news/call-papers

20-21 June 2013, Lisbon, Portugal
EuroDIG 2013
http://www.eurodig.org/important/call-for-issues-and-proposals

25-26 June 2013, Barcelona, Spain
9th International Conference on Internet Law & Politics: Big Data: Challenges and Opportunities.
http://edcp.uoc.edu/symposia/idp2013/?lang=en

31 July – 4 August 2013, Geestmerambacht, Netherlands
Observe. Hack. Make. - OHM2013
https://ohm2013.org/

23-26 September 2013, Warsaw, Poland
Public Voice Conference 2013
35th International Data Protection and Privacy Commissioners Conference
http://www.giodo.gov.pl/259/id_art/762/j/en/