EDRI-gram - Number 2.2, 28 January 2004

European Commission communication on spam

The European Commission has finally published a Communication on spam, just in time for the OECD conference on spam, hosted by the Commission on 2 and 3 February. The Communication focusses on actions to be taken by the EU member states in order to make the ban on spam more effective. Clearly, implementing the EU directive on privacy and electronic communications (2002/58/EC) is the first and most important step. 7 out of the 15 member states have not yet transposed the directive: Belgium, Germany, Greece, France, Luxembourg, the Netherlands and Portugal.

In general, the Communication does not bring much clarity to the complex problem of banning spam. It only signals problems caused by the impossible compromises dictated by the Directive. For example, Member States may decide for themselves how and by whom the enforcement should be done. In some countries the Data Protection Authority is given the responsibility, in other countries the task is delegated to the National Regulation Authority or the Consumer Ombudsman and in many countries responsibility is not clear at all. The Commission 'solves' this problem by calling on all national parties to collaborate. Even when it is clear who the competent authority is, it often lacks investigation and enforcement powers to trace and prosecute 'spammers'. "The Commission will look to confirm that national transposition measures provide for real sanctions in the event of breach of the relevant requirements by market players, including where appropriate financial and criminal penalties."

According to the Communication, more than 50 percent of EU e-mail traffic was estimated to be spam in December 2003. Besides the obvious negative effects for private receivers, the Commission stresses the extra costs for businesses in lost productivity, necessary investments in filtering and security software and loss of information due to 'false positives', mail that is undeservedly treated as spam. But the Directive does not protect business e-mail addresses against spam. Member States may extend the protection to these addresses but are not required to do so and, due to a strong direct marketing lobby, in many countries work e-mail addresses are not explicitly protected. The Communication does nothing to solve the riddle of the difference between the 2 categories of recipients, and once more limits itself to signalling the problem.

From a civil rights perspective, there should at least be easy and affordable public access to a complaint procedure. Every citizen officially has a right to complain about violation of privacy rights and claim damages. A very obvious solution is the opening up of a national complaint mailbox. Experiments from the Belgian and French Data Protection Authorities showed massive enthusiasm to complain about spam. The Commission clearly likes these, and 'invites Member States and competent authorities to set up dedicated e-mailboxes, supported by information campaigns.'

Finally, the Commission refers to the essential international dimension, since much spam comes from outside the European Union. The Commission hopes the OECD workshop will bring some solutions, and promises "to investigate how best to follow up the results of the United Nations' World Summit on the Information Society in relation to spam."

Simultaneously, the OECD has published a paper with background information for participants in the OECD Spam Workshop. Besides a lot of sometimes obvious definitions, it contains an interesting overview of current anti-spam legislation in all European OECD member countries, including 3 of the 4 EU accession countries, the Czech Republic, Hungary and Poland. The Czech Republic and Poland have already adopted opt-in and Hungary is currently in the process of adopting this approach. The Czech Republic has adopted the opt-in approach for commercial communications generally, but its legislation does not address spam explicitly.

As for the four other European OECD countries, Norway has adopted an opt-in approach. In Switzerland, following a public consultation in October 2002, the government is now amending regulation to apply opt-in to spam in all forms of messages (e.g. phone, e-mail, fax, SMS) and to oblige the telecommunication services providers to combat spam. There is no law on spam in Turkey, and information regarding the situation in Iceland is currently not available.

European Commission Communication (28.01.2004)
http://europa.eu.int/information_society/topics/ecomm/highlights/curre...

OECD paper on spam (22.01.2004)
http://www.olis.oecd.org/olis/2003doc.nsf/43bb6130e5e86e5fc12569fa005d...

European Commission enforcement action against seven Member States (17.12.2003)
http://europa.eu.int/rapid/start/cgi/guesten.ksh?p_action.gettxt=gt&am...

German DP Commissioner criticizes draft IPR Enforcement

Peter Schaar, appointed 2 months ago as Germany's chief Data Protection Commissioner, has severely criticized the draft Directive on the Enforcement of Intellectual Property Rights, currently under discussion in the European Parliament and the Council. Interviewed by the online news service Heise, Schaar said the Directive brought along many risks, including deep cuts into the confidentiality of communication and citizens' privacy rights by giving too many rights of information to the rights holders. The Directive is, according to Schaar, also likely to undermine current initiatives to regulate the use of RFID tags, and he criticizes the possible extension of the field of application from professional copyright pirates to 'everyone exchanging private copies', which would be 'unproportional'.

The European Parliament has meanwhile fixed the agenda for the adaptation of the IPR Enforcement Directive in its plenary. According to the current planning, the Report will be debated on 9 February in Strasbourg and voted on 25 February in Brussels, with the deadline for MEPs to lay down amendments set on 5 February. In the debate, MEPs will however discuss only a fraction of what they will have to vote on two weeks later. There will probably be many last-minute amendments, tabled by the Rapporteur, the French Conservative Janelly Fourtou.

Mme Fourtou is engaged in intense discussions with Shadow Rapporteurs from the other political groups in the Parliament and with the Council in order to reach an agreement on the Directive in the first reading. Parliament and Council are trying to bring their positions closer together in a series of so-called trilogue meetings, also involving the Commission. These discussions will continue after the plenary debate. As the Rapporteur, Mme Fourtou has the right to summarize the results from these meetings in last-minute amendments, even after the official deadline.

Heise article on Schaar's criticism (28.01.2004 in German)
http://www.heise.de/newsticker/data/jk-28.01.04-000/

EP Legislative Observatory on the Fourtou report
http://wwwdb.europarl.eu.int/oeil/oeil_ViewDNL.ProcedureView?lang=2&am...

(Contribution by Andreas Dietl, EDRI EU affairs director)

Data of Dutch KLM passengers handed over to NASA

The US airline company Northwest Airlines voluntarily handed over the personal data of possibly as many as 10 million US and European passengers to the National Aeronautics and Space Administration (NASA). Northwest Airlines has an alliance with the Dutch airline company KLM. The two companies have integrated their reservation systems and operate code-sharing flights from the USA to Amsterdam and beyond, on routes to Europe, Africa, the Middle East and India. Airline experts believe part of the data handed over to NASA originates from KLM passengers.

The Electronic Privacy Information Center (EPIC) in Washington publicized documents about the transfer obtained through a Freedom of Information Act procedure. NASA requested from Northwest Airlines the passenger data (PNR) from July to September 2001 for use in development and testing of passenger-profiling schemes. Northwest acknowledges the transfer. The company said in a statement that the transfer was 'appropriate' but that its current policy 'is to not provide passenger name record data to private contractors or federal government agencies for use in aviation security research projects'. EPIC has filed a complaint against Northwest Airlines with the US Department of Transport.

NASA requested Northwest to provide 'system-wide Northwest Airlines passenger data'. System-wide PNR data contains the personal data of all passengers on all flights operated by Northwest Airlines, domestic and abroad, and the data of all flights from airline companies with which Northwest operates code-sharing flights. This applies to KLM flights from Amsterdam to the US but also to many KLM flights within Europe and to destinations in Africa, the Middle East and India.

KLM can only share data with Northwest Airlines when the US company is able to comply with EU privacy standards. The American Civil Liberties Union has asked EU commissioner Bolkestein to investigate the handling of EU passenger data by Northwest. The Dutch civil liberties organisation Bits of Freedom will ask the Dutch Data Protection Authority to investigate the transfer, the role of KLM and to order KLM to notify the passengers involved.

EPIC documents: Northwest Airlines' Disclosure of Passenger Data to NASA http://www.epic.org/privacy/airtravel/nasa/

ACLU letter to EU Commissioner Bolkestein (21.01.2004) http://www.statewatch.org/news/2004/jan/18aclu-pnr-eu.htm

PNR: Bolkestein's diplomacy and anger of Belgian DPA

MEP Marco Cappato has revealed a letter EU Commissioner Bolkestein sent to Tom Ridge, the U.S. Secretary of Homeland Security. The letter was sent on 18 December, only two days after Bolkestein had given his presentation in which he tried to mislead the European Parliament on the true nature of the agreement on the transfer of Air Passengers personal data to U.S. agencies.

Most interesting is the undertone of the letter, in which Bolkestein behaves like an ally of Ridge against the forces wanting to prevent the transfer: "On my return from Strasbourg (...), where the initial reaction from members of the European Parliament was relatively balanced, I would like to thank you once again for your personal commitment (....) to the conclusion of our discussions. I share entirely your view that we have set a good standard here for EU/U.S. cooperation and I hope we can keep it up."

Bolkestein makes it quite clear that the Commission does not object to the use of PNR data collected in the EU in the CAPPS-II system: "This letter reflects my commitment to serious and rapid negotiations between DHS (Department of Homeland Security) and the European Commission with a view to reaching an understanding authorising the use of PNR data emanating from within the EU for the CAPPS II programme."

If the U.S. administration should stick to its plans to link CAPPS-II up with the even broader US-VISIT system, the data transfer would constitute an even more obvious offence against EU Data Protection law: US-VISIT explicitly grants access to all data to 'the Intelligence Community'. To conclude, Bolkestein expresses his regret that it is not in the Commission's power to stop national Data Protection Commissioners from enforcing EU or national DP law: "I nevertheless undertake to keep them informed on our discussions in the interest of avoiding any actions which may impact on our negotiations."

Both Bolkestein and Ridge must be disappointed by the negative advice from the Belgian Data Protection Authority against the transfer. In response to a complaint from Marco Cappato, on 19 January the Belgian DPA qualified the transfer of data collected at Brussels National Airport to the U.S. as illegal under Belgian law, paving the way for legal action to be taken against the involved airlines.

Letter from Commissioner Bolkestein to Secretary Ridge (18.12.2003) http://www.europa.eu.int/comm/internal_market/privacy/docs/adequacy/pn...

Statement by MEP Marco Cappato on the letter (27.01.2004) http://coranet.radicalparty.org/pressreleases/press_release.php?func=d...

Belgian Privacy Commission, response to complaint about transfer of personal data to the U.S. by certain air carriers (in French): http://www.radicalparty.org/privacy/etats_un.pdf

EU Data Protection Directive 95/46 (Article 25 defines conditions for the transfer to third countries of personal data collected in the EU) http://www.dataprivacy.ie/6aii-3.htm#25

Italy: five years data retention

On 28 January 2004, the Italian Lower House approved a government decree-law on mandatory data retention by telephone and internet companies. The government issued the decree on 24 December 2003, without any prior parliamentary debate. All data about electronic communications must now be stored for a period of 5 years.

According to the privacy group ALCEI, the new law isn't much more restrictive, or mischievous, than rules and practices that were already in force or are likely to follow. "The decree is messy, poorly conceived and confusing - hastily put together to amend the previous one (from June 2003) that made data retention compulsory but (for alleged 'privacy' reasons) set a limit of 30 months."

In the new decree, the retention period is extended from 30 to 60 months. The older data must be separately accessible and usage is limited to particularly serious crimes including kidnapping, organised crime and terrorism, as well as crimes against IT or online systems.

ALCEI raises some serious objections against general data retention, because of the implication of guilt of every user of telecommunications. Using a vague criterion like terrorism enables the state to access any data at any time, ALCEI fears:

"Things get seriously worse with a dangerous and dramatic threat such as terrorism. There is a real need to prevent and pre-empt - i.e. to find and stop terrorists before they act. That can be done in a civilised manner. It is more effective, as well as ethically correct, to avoid witch-hunts, to stay away from prejudice and arbitrary 'categorisation' - and to avoid any violation of those human rights, and personal freedoms, that anti-terrorism actions claim to be protecting. In this context data retention (combined with the arbitrary, and often clumsy, criteria of data analysis and clustering) plays a key role, because it encourages the creation of as many 'behaviour patterns' as suit the whims of whoever is searching - or of whoever else, for any reason, has access to the data."

On 14 January the Lower House accepted a motion about privacy, specifically calling on the government to take initiatives aimed at careful treatment of traffic data from mobile phones. According to privacy experts, the motion is purely cosmetic. Underneath there must have been some serious lobbying going on. Prior to the decree-law, ALCEI and 2 ISP associations saw a much stricter decree-law, including the retention of the content of e-mails. The law now accepted by the Lower House specifically excludes the content of e-mails from the data retention obligations.

Shorthand report about the vote in the Lower House (28.01.2004)
http://www.camera.it/_dati/leg14/lavori/stenografici/sed414/s290.htm#T...

Statement ALCEI on data retention (24.01.2004)
http://www.alcei.it/english/actions/crimprev.htm

Statewatch article with commentary from the Italian DPA (January 2004)
http://www.statewatch.org/news/2004/jan/03italy-dataretention.htm

EP in favour of collecting societies and levies

On 15 January 2004 the European Parliament accepted an own-initiative report about the importance and future of collecting societies, the organisations that collect the royalties on copyright and neighbouring rights. The report states that Digital Rights Management is insufficiently developed to replace the work of collecting societies. According to the report, reasonable levies (for example on blank CD-recordables) are "the only means of ensuring equitable remuneration for creators and easy access by users to intellectual property works and cannot be replaced by Digital Rights Management Systems."

In 2002 the European Commission promised to produce a Communication about the collecting societies, to fill in some details left open by the new Copyright Directive (2001/29/EC). The communication never materialised, and the Austrian Member of Parliament Mercedes Echerer took the initiative herself.

In most current member states of the EU collecting societies operate from a de facto monopoly. Only in the Netherlands (Buma/Stemra) and Italy (SIAE/IMAE) do the societies still have a legal monopoly. There has been much criticism of the way these societies collect the royalties for composers and authors. For example, in France the owners of discotheques were obliged to pay an astonishing 8,25% of their gross turnover to SACEM. After a long legal battle, the European Court of Justice decided that the fees indeed seemed very high, certainly in comparison with other countries, but that overall the management costs were too opaque to compare with each other. More importantly, the Court ruled that owners could not be obliged to pay a blanket fee for the entire repertoire SACEM represents, but should be offered a choice. Most discotheque owners claimed they didn't care much about French music and only wanted to play Anglo-American repertoire.

The European Parliament takes the lessons from these and similar cases into account, when insisting on using competition law to examine possible abuse of monopoly, forcing the societies to be transparent about their management fees, keeping the administrative costs at a maximum of 10-15% and creating arbitration procedures that are affordable for everybody.

Creators of copyrighted works must be pleased with the double underlining of their rights of free choice; they are explicitly given the freedom "to decide for themselves which rights they wish to confer on collective management societies and which rights they wish to manage individually", a freedom that must be guaranteed by law. Many artists in Europe are still forced to sign away all of their rights, including their electronic rights and all their future productions, to the national collecting society. This policy for example prevents many artists from offering their own music for free on their website.

The report carefully avoids addressing the most painful issue of Digital Rights Management: the privacy of the individual user whose eyeballs and ear shells are being tracked and billed for every single byte of creative work he or she enjoys. In fact, whenever the report speaks about users, it seems to refer only to market parties that make money with the exploitation of copyrighted works.

European Parliament report on collecting societies A5-0478/2003 (15.01.2004)
http://www2.europarl.eu.int/omk/sipade2?PUBREF=-//EP//NONSGML+REPORT+A...

European Court of Justice, joined cases 110/88, 241/88 and 242/88 against SACEM (13.07.1989)
http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexplus!prod!CELE...

Polish government allowed to send SMS-spam

According to a recent decision from the Polish Data Protection Authority (Generalny Inspektor Ochrony Danych Osobowych - GIODO), a massive SMS spam run by the Polish government was perfectly legal. A governmental agency carried out this run in June 2003 as a last-minute reminder to citizens of the upcoming referendum about the European Union.

Of the 30 million Polish inhabitants 58.85% were eligible to vote, and no less than 77.45% of them voted in favour of joining the European Union in the referendum held on 7 and 8 June.

The Bureau for European Integration managed to send all owners of mobile phones in Poland an SMS message reminding them that they could vote until 20:00. Only the people who had previously opted out with their operator were excluded.

One of the spammed cell phone owners decided to complain about his telecom operator for this violation of his private data. However, according to the Polish Privacy Authority this spam was not unlawful, since it was not a commercial message. Sending commercial messages to individuals by means of electronic communication has been forbidden since 10 March 2003 under the Polish law concerning the provision of electronic services (adopted on 18 July 2002). Spamming is not forbidden for privacy reasons, but because it is considered unfair competition. The Bureau for European Integration was allowed to send the SMS spam because of its legal mission: to promote public knowledge about European integration in Poland.

GIODO Decision (10.12.2003 - in Polish)
http://www.giodo.gov.pl/docs/decyzje/GI-DEC-DS-241-03.doc

Homepage of the Polish DPA (in English)
http://www.giodo.gov.pl/English/english.htm

(Contribution by Piotr VaGla Waglowski, Polish legal expert)

Russian plans to introduce new ID-system

The Russian government is considering a new system of personal registration for all citizens. In 2006 all Russians will be assigned a unique universal identifier. On 15 January 2004 the deputy minister of economic development Andrei Sharonov told journalists that the original proposal had been prepared by his ministry and that the government supported this idea. The ID will be printed (most likely as a bar code) in all identifying documents that people obtain from the government, like internal passports and driver's licenses. Each person will get his/her ID after birth; the rest will get their identifiers gradually when contacting various governmental bodies.

The idea is to make all personal information (including sensitive data like income) available for easy analysis in one commonly accessible data system. Since 1996 at least 18 different government databases have been developed for voting, taxation, social security, medical, military service and other purposes. These databases are not connected with each other. With the new ID system the Russian government hopes to achieve progress in three main spheres: social and pension insurance, taxation and investigation of crimes. It is not clear yet whether all information is to be accumulated in one huge database or connected through existing databases.

The governmental initiative has raised concerns among experts. The main issue is the lack of data protection in Russia. In this country many privacy-sensitive data about private persons and organisations are widely dispersed: databases on car owners, passport data, data about property, tax payments, home phone numbers and addresses, data about people wanted for crimes and those who have been convicted earlier. CDs with these databases are easily available on the black market and on the internet for $5-10. Although the Constitution guarantees privacy, the law enforcement bodies refer to the lack of legislation and do nothing to protect people's privacy. There is neither a law on personal data nor a data commissioner (or commission) in Russia.

The governmental plans do not provide for any obligations concerning access of third parties to the collected data. Quite the opposite. In addition to the original proposal, the government declared its intention to 'examine' the opportunity for companies to access information about private persons.

"I'm afraid that the information of this central database may become available to everyone who is interested in it. Such data as nationality, belief, political party membership should only be collected on a voluntary and anonymous basis. The procedure must be determined by law, including conditions of data transfer from one governmental agency to the other. This is the situation in Europe and in the US. But here in Russia we don't even have a law on protection of personal data," noted Lev Levinson, an expert at the Institute for Human Rights.

The government plans to prepare all technical specifications for the new ID system and appoint a responsible agency within 5 months.

The report of the deputy minister of economic development Andrei Sharonov (in Russian)
http://www.economy.gov.ru/merit/574.htm

(Contribution by Sergei Smirnov, Human Rights Network)

Danish company fined EUR 54.000 for fax-spamming

The Danish Maritime and Commercial court last week convicted the Danish mobile phone company Aircom for spamming. The company has to pay a fine of EUR 54.000 (400.000 DKK) for sending out unsolicited commercial faxes. In Denmark, this is the largest fine issued up till now for spamming.

In court, Aircom admitted to having sent between 7.650 and 15.300 unsolicited faxes to smaller companies. The Danish Consumer Ombudsman had already asked the company a year before to stop these illegal marketing practices, but it did not. This was seen by the Court as an aggravating circumstance in the case.

The company was convicted for violating section 6a of the Danish Marketing Practices Act (Markedsfoeringsloven), which prohibits unsolicited commercial e-mails or faxes. The case is the second principle spam case in Denmark within a year.

As with the last spam case, it was the Consumer Council, the supervisory authority of the anti-spam legislation in DK, which sued the company. The Consumer Ombudsman aimed for a fine of no less than EUR 94.000 (700.000 DKK).

In Denmark, e-mail, fax and SMS spamming have been forbidden since June 2000 under section 6a(1) of the Danish Marketing Practices Act (Markedsfoeringsloven). The act creates a very broad privacy protection, for both physical and legal persons and authorities. However, implementing Art. 13 of the EU Privacy Directive has weakened the privacy protection in DK. According to the Directive, people who have given their address to companies can be spammed with advertisements for 'similar services'. This kind of implicit prior consent was previously not allowed under the Danish act. The amendment to the Danish Marketing Practices Act entered into force on 25 July 2003.

Danish Consumer Ombudsman press release about the Aircom case (21.01.2004)
http://www.forbrugerstyrelsen.dk/uk/misc/p040122e.htm

(Contribution by Rikke Frank Joergensen, EDRI-member Digital Rights Denmark)

Agenda

30-31 January 2004, Stockholm, Sweden - WHOLES
A Multiple View of Individual Privacy in a Networked World - An international workshop to explore interdisciplinary approaches to privacy.
http://www.sics.se/privacy/wholes2004/

2-3 February 2004, Brussels, Belgium
OECD workshop on Spam. Applications closed, but website provides interesting background paper.
http://www.oecd.org/sti/spam

4 February 2004, Brussels, Belgium - Copyright in the Digital Age
One day workshop on copyright, lectures and panels with very interesting speakers, organised by the Transatlantic Consumer Dialogue. There is no fee to attend, but pre-registration is required. Contact TACD Coordinator Ben Wallis.
bwallis@consint.org

4 February 2004, Paris, France - Orwell Party
Presentation of the French Big Brother Awards, in the Centre culturel La Clef, 21 rue de la Clef 75005 Paris.
http://bigbrotherawards.eu.org/2003/

9 February 2004 - Deadline Call for Papers
Selected papers are to be presented at the Center for Intellectual Property 2004 Annual Symposium, titled Colleges, Code and Copyright: the impact of digital networks and technological controls on copyright and the dissemination of information in higher education on 10 and 11 June 2004 in Adelphi, Maryland (USA)
http://www.umuc.edu/odell/cip/symposium/cpapers.html

29 February 2004 - Deadline Call for Papers
The Programme Committee of the conference eChallenges 2004 is looking for papers or workshop proposals. The conference and exhibition take place in Vienna, Austria from 27 - 29 October. This will be the fourteenth in a series of annual conferences supported by the European Commission. This year's conference themes include eBusiness, eGovernment, eWork, eEurope 2005 and ICT Take-up by SMEs, and International Collaboration.
http://www.echallenges.org/2004/default.asp?page=call-papers

25 March 2004 - Deadline Call for Papers
The European Black Hat conference 2004 will take place in the Krasnapolsky Hotel in Amsterdam, the Netherlands, from 17 to 20 May 2004. Papers are invited especially about the European perspective on privacy, anonymity and DRM.
http://www.blackhat.com/html/bh-europe-04/bh-europe-04-cfp.html

26-27 March 2004, Warsaw, Poland
Pan-European Forum on safer internet-issues, organised by the Media division of the Council of Europe Human Rights Directorate. Deadline for funding applications is 20 February 2004.
http://www.safer-internet.net/pconference.asp