New EU Commission proposal data retention

The European Commission has finally produced its draft directive on data retention. According to the Commission, all fixed and mobile telephony traffic and location data from all private and legal persons should be stored for 1 year. Data about communications 'using solely the internet protocol' should be stored for 6 months. The Commission does not provide any argument about the usefulness and necessity of data retention, but considers the directive to be proportionate if providers are reimbursed for 'demonstrated additional costs'. The last compromise achieved by the ministers of Justice and Home Affairs (the JHA Council) to create a two-step approach, starting with telephony data and introducing internet data retention at a later stage, is completely ignored by the Commission.

The Commission claims it seeks a balance between law enforcement, human rights and competition aspects by defining the purpose, limiting the categories and time period. The purpose is derived from Article 15 of the E-Privacy directive of 2002 and is actually larger than what the JHA Council proposed. The Commission includes the prevention of criminal offences and safeguarding national security, defence and public security besides the JHA purpose of the investigation, detection and prosecution of criminal offences.

The JHA Council always claimed much more room for member states to adopt longer periods, up to the 4 years already implemented for fixed telephony data in Italy. The Commission intends to proceed with this directive in the first pillar, with full co-decision rights for the European Parliament. However, the JHA Council has also made it clear it will not withdraw the proposed third pillar framework decision, and has vowed to reach (unanimous) agreement in the formal JHA Council of 12 October 2005. The tension will probably reach a climax in Newcastle on 8 and 9 September 2005, during the informal JHA meeting.

EDRI has received a copy of the so-called 'Interservice Consultation', which is circulated amongst Commission officials from several Directorate Generals. The final, possibly amended version is expected to be published some time in August 2005, before the informal JHA Council. The Commission writes it wants to set up a permanent advisory platform with representatives of law enforcement, providers and the Article 29 Working Party of Data Protection Authorities to be consulted "whenever the details of the list of data to be retained are to be amended." Besides, the Commission intends to create "a Comitology mechanism to allow for quick amendments to the details of the data which need to be retained."

The proposal includes a "result-oriented" list of data that providers must be able to make available to the competent authorities. "Such a 'result-oriented' list provides a certain degree of flexibility to the Member States in deciding what obligations will need to be met and to the operators on how to meet these obligations." The specific data are summed up in the Annex (p. 15 and 16). At this point in time, the Commission does not mention a full IP logfile from every ISP to trace every incoming and outgoing communication, but limits the demands to IP-address, the Computer internal MAC address, username, e-mail addresses and a logfile of every sent and received e-mail. The operators of mobile telephony surely won't be pleased with the proposal to store SMS traffic data for 1 whole year, nor with the obligation to keep detailed location data for 1 year, including mapping Cell IDs to the geographical location of the caller.

The Commission clearly admits the weakness of the need for data retention by creating a new obligation for providers to keep statistics on the usage of traffic data and present them to the Commission on a yearly basis. "Today no verifiable statistics exist at the European level on the usage of traffic data.(...) This information, once aggregated, will provide the factual information necessary to evaluate the effectiveness of the Directive." The Commission does not promise any publication of these statistics.

The Commission follows the draft framework decision very closely, even to the point of copying the completely misleading sentence "Many Member States have adopted legislation providing for the retention of data by service providers (...)". To the best of EDRI's knowledge, only 2 of the 25 Member States have actually implemented data retention legislation; Ireland (since April 2005, only for telephony) and Italy (only for fixed telephony). General data retention legislation has been adopted, but not implemented due to massive differences in opinion, in France, Denmark and Spain.

Member States have to implement the directive, if it is adopted by the European Parliament, within 15 months after publication in the Official Journal. The Commission plans to evaluate the directive after 3 years.

New EU Commission proposal data retention (20.07.2005)
http://www.edri.org/docs/EUcommissiondataretentionjuly2005.pdf

Last UK prepared version of the JHA working document on data retention (29.06.2005)
http://www.edri.org/docs/Data-retention-council-draft-29062005.pdf

EDRI launches petition against data retention

European Digital Rights, together with the Dutch ISPs XS4ALL and Bit, launched an international petition today against mandatory data retention. The petition is aimed at the European Commission and the members of the European Parliament.

EDRI argues that retention of telecommunication traffic data is an invasive tool that interferes with the private life of all 450 million people in the European Union. Secondly, the petition points out that data retention is illegal under Article 8 of the European Convention on Human Rights, because it is disproportionate. Thirdly, the petition explains that security gained from retention may be illusory, as traffic data may easily point to another user and finally, the means through which this policy is being pursued are illegitimate.

In the next two months, EDRI hopes to collect an impressive amount of signatures from all over Europe, to convince Commission and Parliament that data retention is no solution against terrorism and crime. Supporters are kindly invited to help distribute information about this petition, by placing the banner on their sites or homepages and spread the news through mailinglists.

The petition-initiative will be presented during the opening speech of the open-air hacker event What the Hack, Thursday 28 July. During and after the event, everybody is invited to contribute to the website by adding translations in many languages and back-ground files.

The petition script uses confirmed opt-in to verify every signature. This means everybody has to provide the organisers with a valid e-mail address to receive the confirmation. The e-mail address will not be used for any other purpose. Only the name and country of every signer will be published publicly on the website and presented to Commission and Parliament. The specific privacy policy for this campaign guarantees that personal data will only be used for this specific purpose and all personal data will be destroyed after presentation of the list.

EDRI and ISP petition against data retention (in English and French)
http://www.dataretentionisnosolution.com

New IPR law proposed in Spain

The Spanish government has issued a press release announcing a new draft Intellectual Property law. The law aims to adopt the existing copyright and intellectual property rights to the context of IT and implement the European Copyright Directive (2001/29/EC).

The main changes are:

1. The right to "interactive disposition" which regulates the way authors offer their works on the Internet. 2. Libraries can present their contents in telematic media as long as they remain within a closed intranet. 3. Quotes of both text and audiovisual material are allowed as long as its main use is teaching/ research. It is legal to quote press and journals as long as there are no economic benefits from such quotes. If the quote serves a commercial purpose, previous authorisation from the owner is necessary. 4. A new private copy regulation is designed to harmonise the rights of authors, distributors and users. The right to make a private copy is specifically acknowledged. To compensate for private (digital) copies, the Spanish government plans to create a new process to compensate for the economic impact. Within five months after the law is approved, all implied market sectors must reach an understanding about the type of economic compensation for every piece of sold equipment or information bearer suitable for digital copies. The agreement will be renewed every two years. The draft law specifically excludes hard disks and equivalents, DSL connections, as well as any other medium that doesn't have as its main goal to make copies. 5. The law creates a legal context for digital rights management (DRM). Spain has chosen for penal sanctions on circumvention. It also turns into a crime to publish about the very existence of systems to elude copyright protection. The press release however promises some extra measures in order to assure that DRM won't collide with basic user rights.

So far, consumer organisations and cyberactivists are not very happy with the draft law. It doesn't address the problem of the levy on blank CDs. Organisations like Internautas have argued for a long time that many CDs are very commonly used to make back-ups of data. There is also a clear tension between allowing private copies and legally protecting DRM at the same time. The announcement of possible extra measures does not specify how this tension will be addressed in practice.

Press release (in Spanish, 22.07.2005)
http://www.mcu.es/gabipren/notas/2005/julio/cul_22_derechosautor.pdf

(Contribution by David Casacuberta, EDRI-member CPSR-Spain)

Open letter Italian companies on software patents

On 19 July 2005 a group of Italian small and medium sized businesses (SMEs) and business associations sent an open letter to the Minister of Innovation and Technologies, Mr. Lucio Stanca. In the letter, the businesses call for a thorough reform of the European Patent Office. The letter was sent after the European Parliament rejected with a striking majority the proposed directive on the patentability of computer implemented inventions, better known as the software patent directive. Signers include Assoprovider, Assosoftware, CIRS, Registro Informatici, Zucchetti and others.

The letter welcomes the rejection of the Directive and, in what can probably be interpreted as a touch of irony, agrees with the official press release of the Ministry, which expressed 'regret' for the rejection, since "Europe needs a clear legal framework on this issue". At the same time, the Ministry agreed that "no directive is better than a bad directive". The Ministerial press release closed with the hope that the 'ideological positions' that had emerged in the past could be put aside in order to reach a general consensus across Europe on this sensitive topic.

The open letter agrees with Mr Stanca on the 'ideological' bit, since the proponents of software patentability "have mystified reality, speaking of a non-existent majority of SMEs (...) who were in favour (of software patents), and falsely claiming that software patentability as such would encourage research and development".

The open letter invites Mr Stanca to act on behalf of Italy in order to reform the European Patent Office (EPO), putting it under true democratic control, and to make null and void all illegal software patents that have been registered as of today.

Asked about the reasons for the letter, Roberto Galoppini, president of the Consortum Italicum Ratione Soluta (a group of Italian SMEs working with Open Source Software) and promoter of the initiative, answered: "Patents, in spite of being originally created to stimulate innovation, are having the opposite effect in the IT world. This is clearly demonstrated by the difficulties encountered by North American companies, who must cope with a huge 'minefield', with no chance to avoid ex-ante lawsuits and requests for royalty payment. Patents are a medium toward uncertainty, and they affect our growth and ability to interoperate with others' programs, because of the patent pro attitude of important standard setting organisations like OASIS. Europe won't gain any advantage by allowing for software patents."

Giacomo Cosenza, CEO of Sinapsi S.p.a. and one of the most vocal adversaries of software patents in the recent lobbying struggle, adds: "In my opinion the rejection of the CII directive on 6 July showed that we, as European citizens and entrepreneurs, can be very effective in helping our national and European representatives to better understand the relationship between software patents and the software industry in Europe. Now it's time to move on and verify EPO's current practice in accepting software patent submissions. Has the Italian Minister for Innovation and Technologies a clear position on this issue? Could we be more collaborative with each other?"

No response has been issued by the Ministry of Innovation and Technologies as of today.

Text of the Open Letter to Mr Stanca
http://punto-informatico.it/p.asp?i=54190

Consortium Italicum Ratione Saluta
http://www.consorziocirs.it/

Italian Ministry of Innovation and Technologies
http://www.innovazione.gov.it/

(Contribution by Andrea Glorioso, Italian consultant on digital policies)

FBI spies on US civil rights groups

The renowned US civil rights organisation ACLU has sent out an alarming press release about FBI-surveillance of their activities and of other renowned peaceful groups such as Greenpeace and United for Peace and Justice. The FBI has collected more than 1.100 pages of documents on the ACLU since 2001 and the ACLU is urging the court to order a rapid hand-over of these files, in stead of having to wait another 9 months for the FBI to 'process' the file. The ACLU is deeply concerned about the large-scale surveillance of political and religious groups in the name of fighting terrorism.

In December 2004 ACLU filed access requests to FBI-files on behalf of 7 national organisations and on behalf of more than 100 groups and individuals in 16 States. The ACLU received widespread complaints from students and political activists who said they were questioned by FBI agents in the months leading up to the 2004 political conventions. The people represented by ACLU include "advocates for causes including the environment, animal rights, labour, religion, Native American rights, fair trade, grassroots politics, peace, social justice, nuclear disarmament, human rights and civil liberties."

"The ACLU is seeking information about the FBI’s use of Joint Terrorism Task Forces and local police to engage in political surveillance. The FOIAs seek two kinds of information: 1) the actual FBI files of groups and individuals targeted for speaking out or practising their faith; 2) information about how the practices and funding structure of the task forces, known as JTTFs, are encouraging rampant and unwarranted spying."

ACLU: FBI Is Keeping Documents on ACLU and Other Peaceful Groups (18.07.2005)
http://www.aclu.org/SafeandFree/SafeandFree.cfm?ID=18784&c=206

New EDRI initiative on e-voting

European Digital Rights has opened a new open mailinglist on e-voting. Anybody interested in contributing knowledge on this matter is kindly invited to subscribe and share information with experts from all over Europe. The discussion is focussed on developments in Europe, and can be both political as well as technical.

Subscribe to the EDRI-voting mailinglist
http://mailman.edri.org/cgi-bin/mailman/listinfo/edri-voting

Announcement EDRI general assembly

On Sunday 7 August 2005 European Digital Rights will hold a General Assembly in Berlin, Germany. EDRI is looking forward to welcome new members and discuss strategies. Interested digital civil rights organisations are warmly invited to apply for possible membership, by sending a letter of application to the EDRI board, accompanied by statutes (in English or French) specifying digital rights protection as goal.

For more information about formal membership or individual observer status, please look at the EDRI statutes.

Applications to the EDRI board

Statutes in English
http://www.edri.org/files/edri_statutes_english.pdf

Statutes in French
http://www.edri.org/files/edri_statuts_francais.pdf

Recommended reading

On 15 July 2005 the EU Network of Independent Experts on Fundamental Rights presented its annual report on the state of fundamental rights in the EU. The analysis is presented in two lengthy documents. In the Synthesis report, with conclusions and recommendations, the network recommends the creation of a new directive on privacy and employment relations.

From the chapter on the protection of personal data (p. 52-56): "There is a proliferation in the technical mechanisms to help the employer take decisions in the management of persons who are applying for a job or who, once the employment contract has been concluded, are under his control or direction. These include personality and intelligence tests that are used in the recruitment process and that are generated by special software, the recording of recruitment interviews in order to allow evaluation by other persons than the interviewer or to notice more precisely the reactions of the interviewee, the systems for monitoring workers in the workplace – for example through the use of video surveillance or counting or measuring the work by computer -, the use of security badges allowing the identification of staff as well as their location on the company premises at any time. It is important that a Community initiative is taken soon in order to harmonize the way in which the Member States regulate those practices."

Full report (January 2005)
http://europa.eu.int/comm/justice_home/cfr_cdf/doc/report_eu_2004_en.p...

Synthesis report (15.04.2005)
http://europa.eu.int/comm/justice_home/cfr_cdf/doc/synthesis_report_20...

Support EDRI!

European Digital Rights needs your help in upholding digital rights in the EU. Donations allow EDRI to hire part-time professional assistance in Brussels and invest in targeted campaigns. With the plans for mandatory data retention and the continuous erosion of digital civil rights, your donation could make a huge difference.

If you wish to help us promote digital rights, please consider making a private donation, or interest your organisation in sponsorship. We will gladly send you an invoice for any amount above 250 euro to confirm the donation.

KBC Bank Auderghem-Centre
Chaussée de Wavre 1662, 1160 Bruxelles, Belgium
EDRI Bank account nr.: 733-0215021-02
IBAN: BE32 7330 2150 2102
BIC: KREDBEBB

Agenda

28-31 July 2005, Den Bosch, The Netherlands
What The Hack, major open air hacker / internet lifestyle event.
http://www.whatthehack.org/

8 September 2005, Brussels, Belgium
EuroSOCAP Workshop on confidentiality and privacy in healthcare 3 year programme to develop new ethical standards for privacy and patient access to (electronical) files, started on 31 January 2003.
http://www.eurosocap.org/eurosocap-workshop.aspx

12-13 September 2005, Strasbourg, France
CoE Pan-European Forum on Human Rights in the Information Society
http://www.coe.int/T/E/human_rights/media/

5 October 2005, Paris, France, RFID
Radio-Frequency Identification (RFID): Applications and Public Policy Considerations. Conference convened by the Committee for Information, Computer and Communications Policy (ICCP) of the Organisation for Economic Co-operation and Development (OECD).

1-2 December 2005, London, UK, Patenting Lives
Conference in the Queen Mary Intellectual Property Research Institute. The call for papers closes on 26 August 2005 and invites abstracts on topics such as Access to Knowledge, Consumer Aspects, Public Interest, Public Goods, Public Domain and Human Rights.
http://www.patentinglives.org/conference.htm