Interview at Críptica.org (English translation)


(Note: This is the English translation of the interview I did for Críptica.org, originally in Spanish. You can find the original interview below or at the original site: http://www.criptica.org/2016/02/10/entrevista-a-diego-naranjo/ )

1. For those who do not know you, could you please present yourself?

My name is Diego Naranjo and I work as Advocacy Manager at European Digital Rights (EDRi). EDRi is an umbrella organisation of civil rights groups working for the defense of human rights in the online environment.

2. When did you become aware of the importance of protecting your privacy? Was there any specific moment that affected your current views on this subject?

The “dystopian” books 1984 by Orwell, Fahrenheit 451 by Bradbury and Brave New World by Huxley made an impact on me during my teenage years. Since then the idea of resisting Big Brother has influenced my way of thinking and marked my political positions.

3. Do you want to talk about any of the projects related with security or privacy (regardless of their technical, social or political nature) in which you are currently involved?

This year at EDRi we are focusing on a campaign against the EU PNR Directive, which may be passed in the European Parliament in the following weeks; we will also work on the review of the e-Privacy Directive, since after the initial agreement on the General Data Protection Regulation (GDPR) it needs to be reviewed; finally, we will start working on the implementation of the GDPR and be alert to attempts to establish new data retention laws at national level.

4. What kind of practices do you follow in your everyday life to protect your privacy, both in the digital world and in real life?

I do similar activities in both the digital and non-digital environments:

In the online environment:

1. I only use Free Software on my computers.
2. I use end-to-end encryption (PGP) daily.
3. To communicate with friends and working colleagues I do not use Whatsapp, but Signal and Telegram instead.
4. I do not use social networks which are especially invasive, such as Facebook.

In the non-digital world:

1. I advocate for the use of free software tools by public institutions through my regular advocacy work, for example via proposing amendments in non-legislative reports or in the proposals of EU legislation.
2. When using snail mail, I use envelopes for private information and postcards for not so private information.
3. I try to do more meetings in person and public speaking than online, when possible.

5. What would you tell the ordinary Internet user, who says that he has “nothing to hide” or who believes that privacy is something that should worry those who “do evil things”?

This is a “zombie argument” that comes back to life after every pro-privacy initiative. The reply to that statement is that privacy is not related to “hiding things”, but to freedom of expression, freedom of assembly and other fundamental rights. Everyone should be able to talk with their friends, express their fears and opinions without being constantly under surveillance. Otherwise, this leads to self-censorship and people not being themselves. This could lead to all sorts of problems, including health-related ones. Would you look up the address of a clinic that performs abortions if you think your boss might be reading your private messages? Are you going to look up information on Google about ISIS if that could lead you to be in some database as a suspect of supporting terrorism?

This “chilling effect” can be seen in other scenes in our daily life. For example, when you drive and you notice that there is a police car driving next to you, no one stays indifferent: you review everything mentally; you wonder if you have the documentation of your car insurance and if your seat belt is correctly fastened, if the speed is under the limit and, generally, you put yourself in some sort of “alert mode”. If we all take our smartphone everywhere and we communicate more and more often using the Internet, we can potentially have “a policeman” looking over our shoulders constantly. Who wants to live in a state of permanent alert? What kind of freedom would that be?

6. What kind of tools, habits or practices would you recommend to non-technical users to improve their privacy?

Edward Snowden has proposed several easy tips that can improve your privacy easily without being a very technical person.

For those who have what could be called “below user level”, my recommendation would be not installing those apps that require access to your information without needing it to perform correctly (for example, the torch app which asks to access your contacts). A step further from that would be using by default apps that are on the Free Software repository F-Droid, since they are free and ‘gratis’, and only in case you do not find what you need going to Google Play or Apple Store.

You could also use the search engine DuckDuckGo.com instead of Google, in order not to be tracked.

A step forward would be using Free Software daily. There are already many distributions out there (Ubuntu, Linux Mint…) that debunk the myth that Free Software is only for geeks.

7. To what extent do you think that the criticism of massive surveillance involves the involuntary legitimation of targeted surveillance that, nevertheless, violates the rights of those affected by those measures? (Example: #Spycops case in the United Kingdom)

Indiscriminate mass surveillance is, by definition, contrary to human rights, as the courts in Strasbourg and Luxembourg have said repeatedly (cases Digital Rights Ireland and Schrems – in the CJEU, case Szabo and others in the ECtHR).

Targeted surveillance, on the other hand, is not a blank check. It must be prescribed by law and follow the criteria of necessity and proportionality. In order to be lawful, targeted surveillance should include a system to prevent abuses: in cases of spying agencies (“intelligence agencies”) being the ones doing this surveillance, they must be subject to the control of the State, including judicial supervision. In the case of the surveillance performed by law enforcement agencies, this also needs to be done following the Rule of Law, including that no one is subject to surveillance without judicial authorisation and that, in some cases, this cannot be done even with that authorisation (for example, conversations between a client and their lawyer and a doctor and his patient).

8. Which institutions, actors or institutions are a threat for freedom and privacy online? Who should defend these rights?

The Internet of Things and Big Data are threats that need to be neutralised right now. The effects of these technologies lead to the creation of profiles, and the ways they can be used to control the population are alarming. Multinationals that make profit out of our personal data (Google, Facebook, Skype-Microsoft and others) are a constant threat, as we have seen after the Snowden revelations.

Defending these rights is the duty of citizens. Rights, like muscles, are strengthened by exercising them daily. If we do not do this, we become weaker as societies and as individuals. Since policies related to privacy are decided increasingly at the European level, we call on citizens to get organised in associations and to get involved in the campaigns organised by organisations like EDRi, Xnet, Access Now, BEUC and others. If we want to shape our future freedoms in the digital world, the moment is now.

9. Do you believe that there are important differences between “traditional” political activism and the activism focused on the defense of human rights online or “hacktivism”? We at Críptica see a “gap” (generational, technical, gender based…) between both ways to intervene in politics.

Inevitably, human rights activism in the online world requires some technical skills (sometimes, very basic ones), which can leave out some activists (for example, older generations). When this is not the case, we see that digital rights activism is identified with hackers and geeks, when it is obvious that almost everyone has a smartphone and uses e-mail, and therefore the risks affect all of us.

When I introduce EDRi, I always highlight that EDRi is a human rights organisation. Otherwise, when we talk about “digital rights” it seems like we are talking about “human rights for the developed world”, when in fact we are talking about the same human rights we already have offline, but applied to the online environment.

There is another issue, maybe more important. It is true that there are fights which are more urgent than privacy: climate change and social inequalities are two of the main ones. However, these battles are going to be fought, to an increasing extent, using digital tools. If we do not control those tools and prevent indiscriminate surveillance, we can see these fights seriously threatened and compromised.

10. Finally, what do you think should be, in your opinion, the aspects that as a political movement (from the “digital rights” organisations) we should improve?

1. We need to create a global discourse about surveillance and privacy which is not connected to the rhetoric of Big Brother so we can get closer to citizens. We need to find and use positive examples (talking about freedoms rather than fears) in order to reach a wider audience.

2. Support economically (via donations, crowdfunding…) free software and privacy tools in particular, and use them. A first step could be, for example, convincing the five people with whom you communicate the most to use Signal and communicating with them (SMS and calls) privately. Signal is an app that is free of charge, it is free software, it is easy to use, and replaces your SMS app, so you do not need to use two different ones for the same purposes.

3. We need to organise at local and national level to work on these issues, and also work in alliances at the European and international level in order to be more powerful. We need to put constant pressure on Members of the European Parliament and on the European Commission, since they are the ones that to a great extent decide on our online freedoms.

Interview at Criptica.org

The blog Criptica.org has published an interview they did with me this week. (Original post at: http://www.criptica.org/2016/02/10/entrevista-a-diego-naranjo/)


1. For readers who do not know you, could you briefly introduce yourself?

My name is Diego Naranjo and I work as Advocacy Manager for European Digital Rights (EDRi). EDRi is a federation of non-governmental organisations working in defence of human rights in the digital world.

2. When did you start to become aware of the importance of protecting your privacy? Was there any specific event that shaped your current way of thinking?

Without a doubt, books of the “dystopia” genre such as Orwell’s 1984, Bradbury’s “Fahrenheit 451” and Huxley’s “Brave New World” marked my adolescence. Since then the idea of resisting Big Brother has influenced my way of thinking and has marked my political positions on the matter.

3. Would you like to tell us about any of the projects related to security or privacy (whether technical, social or political in nature) in which you are currently involved?

This year at EDRi we are going to focus on a campaign against the EU PNR directive (https://edri.org/faq-pnr/), which may be approved in the coming weeks; we will also work on the reform of the ePrivacy Directive, which has to be revised following the approval of the new General Data Protection Regulation (GDPR); finally, we will start working on the details of the implementation of the GDPR and we will keep an eye on attempts to establish new data retention rules at national level.

4. What practices do you carry out in your day-to-day life to protect your privacy, both in the digital environment and in real life?

I carry out similar practices in both worlds (digital and non-digital):

In the digital world:

1. I use exclusively free software on my computers.
2. I use end-to-end encryption (PGP) daily.
3. On my smartphone I do not use Whatsapp, but Signal and Telegram.
4. I do not use especially invasive social networks such as Facebook.

In the non-digital world:

1. I promote the adoption of free software by public institutions through amendments or proposals in legislative and non-legislative initiatives of the European Union.
2. When I use ordinary mail, I use envelopes for private information, and postcards for not so private information.
3. I try to hold more in-person meetings and public talks than online communications.

5. What would you say to the ordinary Internet user who believes they have “nothing to hide”, or who thinks that privacy is an issue that should only worry “those who do bad things”?

This is a “zombie argument” that reappears after every pro-privacy initiative. The answer is that privacy is not related to “hiding things”, but to freedom of expression, freedom of assembly and other fundamental rights. Everyone should be able to talk with their friends and express their fears and opinions on any subject without being constantly watched. Otherwise, people end up censoring themselves and stop being themselves. This can bring all kinds of problems, including health problems. Would you really look up the address of a clinic for terminating a pregnancy if you think your boss may be analysing your private messages? Are you going to look up information on Google about ISIS if that may lead to you ending up in some database as a suspect of supporting terrorism?

This “chilling effect” can be seen in other scenes of daily life. For example, when you are driving and you see that there is a police car, nobody remains indifferent: you check everything, you think about whether you have the car’s documents to hand, you check whether you are driving at the permitted speed and, in general, you go on alert. If we carry our smartphone everywhere and communicate more and more over the Internet, we can have “a policeman” over our shoulder every second. Who wants to live in a permanent state of alert? What kind of freedom would that be?

6. Thinking about users without specifically technical training, what tools, habits or practices would you recommend to improve their privacy?

Edward Snowden has proposed several simple tips that can easily improve privacy without the need for much technical knowledge: http://www.eldiario.es/cultura/tecnologia/privacidad/Edward-Snowden-explica-proteger-privacidad_0_457754864.html

For those with less technical knowledge than what could be called “user level”, the recommendation is not to install applications that require access to information whose use is not necessary (example: a torch application that wants to access your contacts). A further step would be to use the applications listed on F-Droid (https://f-droid.org/), which are free of charge and free software, and only go to Google Play or Apple Store if you cannot find what you need.

You can also use the search engine DuckDuckGo.com instead of Google, so as not to be tracked.

A slightly more advanced step is to use free software. There are already many distributions (Ubuntu, Linux Mint…) that dispel the myth that free software is for IT people.

7. To what extent do you think that criticism of mass surveillance involves the involuntary legitimation of individualised forms of surveillance which nevertheless continue to violate the rights of the people affected? (Example: the #Spycops case in the United Kingdom)

Indiscriminate surveillance is, by definition, contrary to human rights, as the courts in Luxembourg and Strasbourg have repeatedly declared (cases Digital Rights Ireland and Schrems – CJEU, case Szabo and others at the ECtHR).

Individualised surveillance, on the other hand, is not a blank cheque. It must be provided for in a law and follow the criteria of necessity and proportionality. This must include a system for preventing abuses: in cases where it is the spy agencies (“intelligence agencies”) that carry out the surveillance, they must be subject to the scrutiny of the State, including judicial supervision. In the case of surveillance by police forces, this must be done following the rules of a State governed by the rule of law, which includes that no monitoring of private communications is started without judicial authorisation and that, in certain cases, even these cannot be investigated (for example, between a lawyer and their client, or between doctor and patient).

8. Today, which institutions, actors or bodies do you think pose a threat to freedom and privacy on the Internet? Whose responsibility is it to defend these rights?

The Internet of Things is a threat that has to be neutralised right now. The effects that these technologies can have in relation to the creation of profiles (profiling) and as a new means of controlling the population are alarming. The multinationals that live off our personal data (Google, Facebook, Skype and others) pose a constant threat, as we have seen after the Snowden revelations.

Defending these rights always falls to us, the citizens. Rights, like muscles, are strengthened through constant exercise. Otherwise, we become weak. Because privacy policies are increasingly made at European level, we call on citizens to organise in associations and to act on the calls to mobilise made by organisations such as EDRi, Xnet, Access Now, BEUC and others. If we want to shape our future freedoms in the digital world, the moment is now.

9. Do you think there are notable differences between “traditional” political activism and activism centred on the defence of rights on the Internet, or “hacktivism”? The truth is that at Críptica we observe a “gap” (generational, technical, gender…) between both forms of political intervention.

Inevitably, human rights activism on the Internet requires certain technical knowledge (sometimes only very minimal), which can put some people off. When that is not the case, we find that this field is identified only with hackers and geeks, when the truth is that almost all of us have an e-mail account and a smartphone to hand, and therefore the risks affect us all.

When I present EDRi, I always stress that we are a human rights organisation. Otherwise, when we talk about “digital rights” it seems that we are talking about human rights for the developed world, when in reality they are simply the human rights we already have offline but applied to the digital world.

There is another matter, perhaps more important. It is true that there are struggles with higher priority and urgency than privacy: climate change and social inequalities are two of the main ones. However, these struggles are going to be carried out, to a greater or lesser extent, increasingly using digital means. If we do not control these tools and prevent indiscriminate mass surveillance from existing, we may see those struggles seriously threatened.

10. Finally, what should be, in your opinion, the aspects that we as a political movement (across all the organisations defending “digital rights”) would need to improve?

1. We have to create a global discourse on surveillance and privacy that moves away from the rhetoric of Big Brother and gets closer to citizens. We have to use positive and fun examples to be able to reach people.

2. Support financially (donations, crowdfunding…) free software and the use of privacy tools. A first step could be, for example, convincing your 5 most-used contacts to install Signal and communicating with them (by messages and calls) privately. It is a free tool, easy to use, and it replaces your SMS app, so you do not need to duplicate your apps.

3. Organise ourselves in our local and national organisations to address these issues, and ally at European and international level with other organisations to join forces. We have to put constant pressure on Members of the European Parliament and on the European Commission, who are the ones who to a great extent decide on our digital freedoms.

European Union: fighting for transparency for a full democracy

Diego Naranjo and Maryant Fernández
European Digital Rights (EDRi)

(originally published in El 4º Poder en red: http://blogs.publico.es/el-cuarto-poder-en-red/2015/12/03/union-europea-luchar-por-la-transparencia-para-una-democracia-plena/)

Brussels is the epicentre of a decision-making process that affects more than 500 million people and that almost nobody sees. On top of this invisibility comes the lack of transparency in European legislative processes. The so-called “trilogues” and the negotiations on trade treaties are two clear examples of a lack of transparency, but also a demonstration that when people fight for it, democracy improves.

The obstacles one has to get past to enter the seat of the European Parliament in Brussels are a good reflection of how the Union’s legislative process works: while tourists have the doors open to the Parlamentarium – the Parliament’s visitors’ centre – construction site huts have been blocking the main entrance of the building for weeks. Just as with these physical barriers, access to official documents also lies behind several barriers that one has to know how to get around.

One of the most opaque procedures, yet at the same time the one most used to approve new EU legislative measures, is the so-called “trilogues”. Trilogues are a series of meetings between a very small number of representatives of the European Parliament, the Council of the European Union and the European Commission. Originally conceived as an exceptional route to speed up decision-making through “informal” agreements, these closed-door meetings polish and decide the essential aspects of EU legislation. Only those who have contacts in the institutions will be able to get access to the documents, meeting notes and informal comments on the different proposals. And the citizens?

Citizens have to turn to NGOs that have enough weight, experience and knowledge to also have the contacts and resources needed to access and analyse the material obtained. As is easy to imagine, the balance of forces between lobbies and civil society is such that while some of us struggle not to drown in documents of three, four or five columns with the different versions of a piece of legislation and to keep up in time with the leaks arriving from different sources (Wikileaks, Statewatch, other NGOs such as EDRi), the lobbies have veritable armies of informants, analysts and communications staff to get their message across.

But if the trilogues are opaque, the negotiations of the free trade treaties (TTIP, TISA, CETA…) are secrecy raised to the nth power. Under the excuse that publishing documents may harm “international relations” (especially between the EU and the United States), the negotiations are confidential to the point that until recently only some thirty MEPs (out of a total of 750) had access to the documents, and even then only in a special room in which telephones and computers cannot be used.

Fortunately, today there is news. Thanks to public pressure and the growing opposition to these trade treaties negotiated in opacity, the European Ombudsman opened an investigation and public consultation on the transparency of TTIP, to which many of us responded. The result? The Ombudsman pressed for more transparency and the European Commission’s Directorate-General for Trade drew up a strategy to achieve it. As of yesterday, 2 December, all MEPs will have access to the TTIP documents, and the Commission’s mandates in relation to TTIP and TiSA have been published. Tomorrow, the Council’s Trade Policy Committee will discuss whether to do the same with the trade treaty with Canada, CETA.

As for the trilogues, the European Ombudsman has also launched an investigation against the three institutions involved. Groups of activists including EDRi, Access Now, Access Info Europe, Corporate Europe Observatory, Statewatch and X-net have called for a reform of the trilogues so that they are transparent and open and so that politicians are subject to public scrutiny.

European politicians cannot go on turning their backs on citizens and taking decisions in secret. For that, transparency is fundamental. To fight for transparency is to fight for democracy.

Smart Borders package: Unproportionate & unnecessary data collection

(Originally published at EDRi-gram on 04-November-2015: https://edri.org/smart-borders-package-unproportionate-unnecessary-data-collection/)

Photo by NEC Corporation of America with Creative Commons license. https://www.flickr.com/photos/neccorp/16250748818/

“The proposal is fear-driven and fear-triggering at the same time, placing emphasis on a putative need to protect the EU from those coming from outside.”

(Extract from EDRi’s response to the consultation)

In an attempt to overcome the failed proposal from 2013 on the Smart Borders package, the European Commission launched a consultation to prepare a revised text, to which EDRi submitted its response on 29 October 2015. The new EU Entry/Exit System (EES) plans to extend biometric ID checks to all non-EU nationals entering or leaving the EU. Despite the numerous questions about the costs and serious implications to civil liberties raised in relation to the 2013 proposal, the European Commission seems decided to give it another try.


The Smart Borders Package, which is aimed at improving the management of migratory flows, consists of three legislative proposals: (1) a Regulation establishing an EU Entry/Exit System (EES); (2) a Regulation establishing a Registered Traveller Programme (RTP) and (3) a Regulation amending the Schengen Borders Code to take into account the establishment of the EES and the RTP.

EDRi submitted the position that such a vast collection of sensitive personal data risks undermining the right to privacy of millions of people. Like any other restriction of fundamental rights, this measure needs to be guided, inter alia, by the necessity and proportionality test of Article 52.1 of the Charter of Fundamental Rights of the European Union. The new entry system could include biometric ID checks including the collection of ten fingerprints and facial images. The Commission has yet to demonstrate clearly why these privacy-invasive measures are necessary, effective and proportionate, and whether the system could operate without some or all of them.

In our submission we mentioned the need to learn from the case law of both the European Court of Human Rights (ECtHR) and the Court of Justice of the European Union (CJEU), and recalled that if an intrusive measure such as data retention was to be considered, the legislators would have the obligation to verify the “proportionality of the interference”. Therefore, no data retention mandates should be approved until a credible, independent test, proving compliance with CJEU and ECtHR case law has been conducted. In addition to the European courts, the issue of biometric databases has been the subject of debate in various Member States, for example in the French Constitutional Court.

Once the European Commission has analysed the responses, it will produce a legislative proposal. This proposal needs to take into account the concerns that were raised before and that are still under analysis by experts like the EU Fundamental Rights Agency. As we have seen with the Safe Harbor agreement and the Data Retention Directive, legislation which was in clear violation of EU core norms can lead to violations of citizens’ rights that can drag on for years, as well as costs for companies, citizens and the European courts. The Commission and the European Parliament cannot fail again and drag us into years of litigation, nor can they leave it to the CJEU to fix the breaches of fundamental rights law that they willfully or negligently foist on individuals. The EU needs to produce the right policies to achieve its goals, and stop suggesting the dragnet collection of personal data as the solution to all European problems.

Response from EDRi to the Smart Borders Consultation (29.10.2015)
https://edri.org/files/smartborders/consultationresponse.pdf

EDRi-gram: France: Biometric ID database found unconstitutional (28.03.2012)
http://history.edri.org/edrigram/number10.6/french-biometric-database-unconstitutional

Biometric data in large EU IT systems in the areas of borders, visa and asylum – fundamental rights implications
http://fra.europa.eu/en/project/2014/biometric-data-large-eu-it-systems-areas-borders-visa-and-asylum-fundamental-rights?_cldee=ZG5AZGllZ29uYXJhbmpvLmV1&urlid=1

(Contribution by Diego Naranjo, EDRi)

General Data Protection Regulation: Moving forward, slowly

(Originally published at EDRi-gram 13.11, 3 June 2015: https://edri.org/general-data-protection-regulation-moving-forward-slowly/)

Options are: Be tracked or be tracked

The discussions in the EU on the proposal for a General Data Protection Regulation (GDPR) are slowly advancing, but the final destination is still unknown. Commissioner Věra Jourová, who is responsible for Justice, Consumers and Gender Equality and has the task of ensuring the “swift adoption of the EU data protection reform”, has stated that EU Data Protection reform “is a win-win for consumers and businesses”, and that the red lines of the 1995 Data Protection Directive will remain untouched. However, the latest developments in the Working Party on Information Exchange and Data Protection (DAPIX) have brought new changes to the GDPR text that may erode Jourová’s optimism.

In March 2015, EDRi published a set of leaked documents with the (then) latest texts from the EU Council. At the same time we published an analysis of the five main topics we thought were going below the safeguards that were set in the 1995 Data Protection Directive. Our analysis remains valid, unfortunately, for the majority of the points we analysed, with some exceptions.

For example, Article 6 and recital 40 on lawfulness of processing of personal data have been touched in different ways. The list of requirements defining whether or not a further processing is compatible with the purpose the data was collected in Article 6 (3a) has become an open list with the insertion of the words “inter alia”. This makes it a broader definition which could add additional safeguards for the data subject. Going a bit further, Article 6.4 is likely to be deleted, since there seems to be a significant number of Member States that are pushing against it. This Article allows for “(f)urther processing by the same controller for incompatible purposes on grounds of legitimate interests of that controller or a third party shall be lawful if these interests override the interests of the data subject”.

The “one stop shop” mechanism is also a matter of concern. The original idea was to simplify complaints, creating a single point of contact for citizens and businesses bringing a transnational complaint. It would also ensure consistent application of the Regulation through the European Data Protection Board (EDPB), eliminating the current common practice of “forum shopping”. Based on the leaked documents, the current proposed text from the Council on the “one stop shop” mechanism would add several levels of bureaucracy. In the case of a transnational complaint, at least two data protection authorities would have to be involved and reach consensus to solve the case. This could lead to a fragmented implementation of the Regulation as the oversight role of the Board would be greatly reduced. Both citizens and businesses would then be left without the benefits of a swift, predictable and harmonised “one stop shop” mechanism. Finally, data protection seals (certifications) and binding corporate rules should all be subject to the one-stop mechanism, at least in transnational cases. Otherwise they will offer the possibility to bypass the Regulation.

In the lead-up to the start of the trialogue meetings on this topic, we can only mention a few of the major issues here. In a meeting of the European Data Protection Supervisor with civil society actors (including EDRi, EDRi members Access and Bits of Freedom, as well as BEUC, Code Red, and Privacy International, see video below) on 27 May, we also addressed problems with the definitions contained in the GDPR, the seriousness of having profiling back in the exceptions of Art. 21 after it was taken out by the Parliament, the need for citizens to be able to have access to effective collective redress mechanisms, and problems with the transfer of data to third countries, including the Safe Harbour agreement.

Data protection reform timetable (01.06.2015)
http://www.eppgroup.eu/fr/news/Data-protection-reform-timetable

Latest consolidated text of the GDPR
https://edri.org/files/DPR2015feb/GDPR_consolidated1-June-2015.pdf

Statewatch: LIMITE document from the Council on Article 6 and recital 40 (26.05.2015)
http://www.statewatch.org/news/2015/may/eu-council-dp-reg-Art-6-ChapII-III-9082-15.pdf
Other documents obtained by Statewatch are available at
http://statewatch.org/news/2015/may/eu-dp-reg-may-2015.htm

EDPS meeting with civil society (EDRi, Access, BEUC, Bits of Freedom, Code Red, Privacy International)
https://secure.edps.europa.eu/EDPSWEB/edps/site/mySite/GDPR_civil_soc

Badly broken campaign: European data protection reform is badly broken (03.03.15)
https://edri.org/broken_badly/

(Contribution by Diego Naranjo, EDRi)

European Parliament failing to support copyright reform

(Originally published at EDRi-gram: https://edri.org/european-parliament-failing-support-copyright-reform/)

(Image by EnriqueB: https://www.flickr.com/photos/enriqueb/ )

Everyone is talking about EU copyright reform. However, in the European Parliament, everyone is having the same discussions on enforcement that they were having ten years ago – and talking about stopping any reform.

The Draft Report “Towards a renewed consensus on the enforcement of Intellectual Property Rights: An EU Action Plan” (2014/2151(INI)) presented by Member of the European Parliament (MEP) Pavel Svoboda reacts supportively to the rather bland, regressive and unimaginative Commission Communication of the same name. Sadly, Mr Svoboda seems to be choosing to support the Commission’s mistaken view that the failures of the last ten years should be the model for the next decade.

The Draft Report mixes, sometimes in the same phrase, totally different issues in Intellectual Property Rights (IPR), such as counterfeit goods and online content. This leads him to write that “the enforcement of intellectual property rights plays a significant role in ensuring consumers’ health and safety”, although this connection seems somewhat vague. Svoboda also uses terms which we already rejected in the Communication on which this Report is based, and talks about “commercial scale infringement”, even though the Commission itself publicly admitted that, particularly in the online environment, “commercial scale” would require a clearer definition, although everyone now appears to have forgotten this.

More worryingly, the Report appears to call for the implementation of certain enforcement measures which do not require public or judicial supervision. The Report refers to “due diligence” procedures, without being clear about whether it is talking about online or offline, where this would have very different meanings. It speaks supportively of “follow the money”, without any particular definition or understanding of what this might be. The whole Report might be understood as wholesale privatisation of regulation of freedom of communication. Or not.

The Report also applauds the work of the Observatory on IP Infringements, presumably because the European Commission asked it to. One would have to search for a long time to find anything of high quality produced by the body since its inception.

There are, however, some positive aspects of this Draft Report. For example, it states that there is the need for more information about what citizens are allowed to do with protected content. EDRi has been calling for a modernised and harmonised system for copyright, since the system which is still in force is not in line with the needs of users in the 21st century. Svoboda also expresses his concerns that “divergent interpretations of certain provisions of the directive result in differences in its application in the Member States”. Indeed, national courts have been implementing the IPR Enforcement Directive in order to clarify what the legislator could not clarify, which is why reform is needed. The situation is so critical that, if the EU legislator just took the opportunity to make sense of the copyright regime, it would already be a victory.

The Opinions proposed by the Committee on Culture and Education (CULT) and the Committee on Internal Market and Consumer Protection (IMCO) do not give any more hope. We can find in both of them the same references to the same vague and misleading terms (“commercial scale infringement”, “follow the money approach”, etc.) and reference to the same statistics, used to “describe” the impact of infringements, that EDRi and the Copyright for Creativity (C4C) coalition have already definitively debunked. The amendments tabled by MEPs in the CULT committee are beyond parody. One, for example, removes demands for statistics to be reliable, precise and unbiased!

Draft Report: “Towards a renewed consensus on the enforcement of Intellectual Property Rights: An EU Action Plan” (2014/2151(INI))
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52014DC0392

Roadmap for renewal of IPRED
http://ec.europa.eu/smart-regulation/impact/planned_ia/docs/2011_markt_006_review_enforcement_directive_ipr_en.pdf

CULT Opinion
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+COMPARL+PE-544.344+01+DOC+PDF+V0//EN&language=EN

CULT Amendments
http://www.europarl.europa.eu/sides/getDoc.do?type=COMPARL&reference=PE-544.345&secondRef=01&language=EN

IMCO Opinion
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-%2f%2fEP%2f%2fNONSGML%2bCOMPARL%2bPE-546.649%2b01%2bDOC%2bPDF%2bV0%2f%2fEN

Copyright for Creativity – Myths and facts
http://copyright4creativity.eu/myths-facts/

(Contribution by Diego Naranjo, EDRi)

The “Google tax” that is not a Google tax

By Diego Naranjo

The new European Commissioner with responsibility for “digital agenda” issues, Guenther Oettinger, caused a stir in the media recently when he raised the possibility of introducing, at the EU level, “ancillary copyright” payments that would require search engine providers to pay for displaying copyrighted materials on their sites. The press was all of a sudden full of talk of a “Google tax”.

There are two problems with the “Google tax” term. In fact, there is one problem in each of the words:

Firstly, the implementation of ancillary copyright in Germany is such that Google does not actually pay. As others have explained (see Julia Reda’s article), the measure has already failed, with embarrassing consequences for the publishers that lobbied to get it adopted. The most recent case happened in Germany, where the rights management firm VG Media asked Google for a payment because of the news snippets from German newspaper publishers which are offered in Google News. Google’s unsurprising response (having followed the same approach in Belgium, apparently unbeknownst to the German government) was to delete from Google News all the content related to VG Media associates. The sites in question had been put online in order to be read, and not being on Google News would result in significant numbers of visitors being lost. As a result, VG Media decided to grant a “free license” to Google. Google will not have to pay anything to do the same thing it was doing before. On the other hand, all of the other companies in the market offering paid or free news snippet services, but that do not have Google’s market dominance, will have to pay the… “Google tax”.

Secondly, it is not a “tax”. A tax is, according to the Oxford dictionary, “(a) compulsory contribution to state revenue, levied by the government on workers’ income and business profits, or added to the cost of some goods, services, and transactions”. The “Google tax” does not contribute to State revenues in any sense, since it is a payment between different private companies.

It remains to be seen whether Commissioner Oettinger is really determined to make the same mistakes at the EU level that have already been made in Germany.

Julia Reda: An EU-wide “Google tax” in the making? (28.10.2014)
https://juliareda.eu/2014/10/an-eu-wide-google-tax-in-the-making/

French publishers want in on German plan to force everyone to pay to link to news (07.09.2014)
https://www.techdirt.com/articles/20120906/02102920291/french-publishers-want-german-plan-to-force-everyone-to-pay-to-link-to-news.shtml

Spain’s “Google tax” gets green light with sole support of Popular Party (30.10.2014)
http://elpais.com/elpais/2014/10/30/inenglish/1414688575_232202.html?rel=rosEP