Intervention at Mydata 2016 Helsinki on data protection, privacy and encryption

 

After the adoption of the EU General Data Protection Regulation – what next? Join DR.  MALTE BEYER-KATZENBERGER (Policy officer, European Commission, DG CONNECT), KASPAR KALA (Advisor at Ministry of Economic Affairs and Communications), TARU RASTAS (Senior Adviser in the Finnish Ministry of Transport and Communications), PHILIPPE DE BACKER (Belgian State Secretary for the Fight against Social Fraud, Privacy and North Sea), DIEGO NARANJO (Advocacy Manager of EDRi), JARNO LIMNÉLL (Professor of Cyber Security, Aalto University) in a Panel Discussion on policy making for personal data at the mydata2016 conference.

MyData 2016 was an international conference that focuses on human centric personal information management.
MyData is an initiative to help people gain more control over their personal data.

CJEU hearing on the EU Canada PNR agreement: Still shady

(Originally published at https://edri.org/cjeu-hearing-on-the-eu-canada-pnr-agreement-still-shady/)

The European Court of Justice (CJEU) had a hearing on 5 April to decide about the referral made on 25 November by the European Parliament on the EU-Canada agreement on Passenger Name Records (PNR). Passenger Name Records (PNR) include information provided by passengers and collected by air carriers for commercial purposes, such as, but not only, the date of the trip and complete itinerary, the name and contact information, the form of payment, frequent flyer information, meal preferences and medical information. In some cases, the airlines will have access to other data such as hotel bookings, car rentals, train journeys, travel associates, etc. This provides a massive insight into the private life of an individual.

................................................................. Support our work - make a recurrent donation! https://edri.org/supporters/ .................................................................

The agreement between the EU and Canada allows for the transfer and processing of PNR data of passengers flying between the EU and Canada. The result of the referral of the agreement to the CJEU could impact the proposal for an EU PNR Directive (Fight against terrorism and serious crime: use of passenger name record (PNR) data (procedure file 2011/0023(COD)), that was adopted by the European Parliament’s Civil Liberties Committee on 15 July 2015, and which may be scheduled to be voted in the European Parliament’s plenary session on 27-28 April 2016. The narrow vote (32 in favor, 26 against, no abstentions) in favour happened despite the rejection of this same EU PNR proposal by the same Committee in 2014 and despite the CJEU ruling invalidating the Data Retention Directive.

During the hearing, many crucial issues came up:

Firstly, the European Commission (EC) argued before the Court that PNR data is “anonymised” after 30 days and that, as a result, the CJEU judgment invalidating the data retention Directive is not applicable in this case. However, the EC fails to see that the PNR data is only “masked out” – depersonalised by masking certain identifiers. This is not anonymisation. The EU PNR Directive contains similar clauses and the European Data Protection Supervisor (EDPS) Opinion 5/2015 of 24 September 2015 said that they were glad that the mention to anonymous data was taken off the proposal since “(i)ndeed, the data at stake could not be considered as anonymous since they would still be re-identifiable.”

Secondly, the EC quoted the EU anti-terrorism coordinator saying that the number of convinctions based on PNR are irrelevant”. This just does not make sense. If the goal is to find suspects, and there are no convictions based on the PNR data used, the collection and processing of PNR data could well not be “necessary” nor “genuinely meet objectives of general interest recognised by the Union” as Article 52.1 of the Charter of Fundamental Rights states for any limitation for fundamental rights.

Thirdly, during the hearing Member States defended the agreement based on different reasons. The Spanish representative stated that the data retention period of 5 years is absolutely necessary for criminal investigations. Why not five and a half years, as it is the case currently under the PNR agreement with Australia… or 15 years, as under the PNR agreement with the USA? Why not 20 years? Or maybe just 3? Is the standard “whatever-length-we-randomly-decide-each-time”?

Fourthly the issue of the independent supervisory authority was also highlighted during the hearing. The EDPS reiterated the views expressed in their Opinion on the agreement of 30 September 2013 and said that the oversight in Canada PNR is not an equivalent independent authority, which was refuted by the EC during the hearing. The EDPS Opinion explicitly regretted the fact that “oversight may take place (…) by a (non independent) authority created by administrative means”. The EDPS also noted the “limitations of judicial review with respect to judicial redress”.

In sum, the hearing has shown once again that PNR profiling is a not a necessary and proportionate means to prevent international crime and terrorism in the EU. The Advocate General of the Court will announce his opinion on 13 June 2016.

EU-Canada agreement on PNR referred to the CJEU: What’s next? (03.12.2014)
https://edri.org/eu-canada-agreement-on-pnr-referred-to-the-cjeu-whats-next/

Agreement between Canada and the European Union on the transfer and processing of Passenger Name Record
http://register.consilium.europa.eu/doc/srv?l=EN&f=ST%2012657%202013%20REV%201

EU PNR Document Pool
https://edri.org/eu-pnr-document-pool/

Opinion of the European Data Protection Supervisor on the Proposals for Council Decisions on the conclusion and the signature of the Agreement between Canada and the European Union on the transfer and processing of Passenger Name Record data (30.09.2013)
https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2013/13-09-30_Canada_EN.pdf

Steve Peers: The Domino Effect: how many EU treaties violate the rights to privacy and data protection (25.11.2014)
http://eulawanalysis.blogspot.be/2014/11/the-domino-effect-how-many-eu-treaties.html

Bruce Schneier: Refuse to be terrorised (24.08.2006)
https://www.schneier.com/essays/archives/2006/08/refuse_to_be_terrori.html

Mass surveillance through PNR is facing closure: EU-Canada agreement is put to testing (in German) (05.04.2016)
https://digitalegesellschaft.de/2016/04/vds-reisedaten-kanada-eugh/

(Contribution by Diego Naranjo, EDRi)

EDRi-gram_subscribe_banner

Twitter_tweet_and_follow_banner

Interview at Críptica.org (English translation)

6912948733_c69c164f99_o

(Note: This is the English translation of the interview I did for Críptica.org, orginally in Spanish. You can find the original interview below or at the original site: http://www.criptica.org/2016/02/10/entrevista-a-diego-naranjo/ )

1. For those who do not know you, could you please present yourself?

My name is Diego Naranjo and I work as Advocacy Manager at European Digital Rights (EDRi). EDRi is an umbrella organisation of civil rights groups working for the defense of human rights in the online environment.

2. When did you become aware of the importance of protecting your privacy? Was there any specific moment that affected your current views on this subject?

The “dystopian” books 1984 by Orwell, Fahrenheit 451 by Bradbury and A brave new world by Huxley made an impact on me during my teenage years. Since then the idea of resisting the Big Brother influenced my way of thinking and marked my political positions.

3. Do you want to talk about any of the projects related with security or privacy (regardless of their technical, social or political nature) in which you are currently involved?

This year we are focusing in EDRi in a campaign against the EU PNR Directive, that may be passed in the European Parliament in the following weeks; we will also work in the review of the e-Privacy Directive, since after the initial agreement of the General Data Protection Regulation (GDPR) needs to be reviewed; finally, we will start working on the implementation of the GDPR and be alert on the attempts of establishing new data retention laws at national levels.

4. What kind of practices do you do in your every day life to protect your privacy, both in the digital and in real life?

I do similar activities in both the digital and non-digital environments:

In the online environment:

1. I only use Free Software in my computers.
2. I use end-to-end encryption (PGP) daily.
3. To communicate with friends and working colleagues I do not use Whatsapp, but Signal and Telegram instead.
4. I do not use social networks which are especially invasive as Facebook.

In the non-digital world:

1. I advocate for the use of free software tools by public institutions through my regular advocacy work, for example via proposing amendments in non-legislative reports or in the proposals of EU legislation.
2. When using snail mail, I use envelopes for private information and postcards for not so private information.
3. I try to do more meetings in person and public speaking than online, when possible.

5. What would you tell the ordinary Internet user, who says that he has “nothing to hide” or that believes that privacy is something that should worry those to “do evil things”?

This is a “zombie argument” that comes back to life after every pro-privacy initiative. The reply to that statement is that privacy is not related to “hiding things”, but with freedom of expression, freedom of assembly and other fundamental rights. Everyone should be able to talk with their friends, express their fears and opinions without being constantly under surveillance. Otherwise, this leads to self-censorship and people not being themselves. This could lead to all sort of problems, including health related ones. Would you look up the address of a clinic that performs abortions if you think your boss might be reading your private messages? Are you going to look up for information in Google about ISIS si that could lead you to be in some data base as a suspect of supporting terrorism?

This “chilling effect” can be seen in other scenes in our daily life. For example, when you drive and you notice that there is a police car driving next to you, no ones stays indifferent: You revise everything mentally: You wonder if you have the documentation of your car insurance and if your seat belt is correctly fastened, if the speed is under the limit and, generally, you put yourself in some sort of “alert mode”. If we all take our smartphone everywhere and we communicate more and more often using the Internet we can potentially have “a policeman” looking over our shoulders constantly. Who wants to live in a state of permanent alert? What kind of freedom would that be?

6. What kind of tools, habits or practices would you recommend to non-technical users to improve their privacy?

Edward Snowden has proposed several easy tips that can improve your privacy easily without being a very technical person.

For those who have what it could be called “below user level”, my recommendation would be not installing those apps that require access to your information without needing it to perform correctly (for example, the torch app which asks ro access your contacts). A step further from that would be using by default apps that are on the Free Software repository F-Droid, since they are are free and ‘gratis’, and only in case you do not find what you need going to Google Play or Apple Store.

You could also use search engine DuckDuckGo.com instead of Google, in order not to be tracked.

A step forward would be using Free Software daily. There are already many distributions out there (Ubuntu, Linux Mint…) that debunk the myth that Free Software is only for geeks.

7. To what extent do you think that the criticism of massive surveillance involves the involuntary legitimation of targeted surveillance that, nevertheless, violate rights of those affected by those measures? (Example: #Spycops case in the United Kingdom)

Indiscriminate mass surveillance is, by definition, contrary to human rights, as the courts in Strasbourg and Luxembourg have said repeatedly (cases Digital Rights Ireland and Schrems –in the CJEU, case Szabo and others in the ECtHR).

Targeted surveillance, on the other hand, is not a blank check. It must be prescribed by law and follow the criteria of necessity and proportionality. In order to be lawful targeted surveillance should include a system to prevent abuses: In cases of spying agencies (“intelligence agencies”) being the ones doing this surveillance, they must be subject to the control of the State, including judicial supervision. In the case of the surveillance performed by law enforcement agencies, this also needs to be done following the Rule of Law, including that no one si subject to surveillance without judicial authorisation and that, in some cases, this cannot be done even with that authorisation (for example, conversations between a client and their lawyer and a doctor and his patient).

8. Which institutions, acts or institutions are a threat for freedom and privacy online? Who should defend these rights?

The Internet of Things and Big Data are threats that need to be neutralised right now. The effects of these technologies lead to the creation of profiles and the ways they can be used to control population is alarming. Multinationals that make profit out of our personal data (Google, Facebook, Skype-Microsoft and others) are a constant threat, as we have seen after the Snowden revelations.

Defending these rights is the duty of citizens. Rights, as muscles, are strengthened by exercising them daily. If we do not do this, we become weaker as societies and as individuals. Since policies related to privacy are decided increasingly at the European level, we call citizens to get organised in associations and to get involved in the campaigns organised by organisations like EDRi, Xnet, Access Now, BEUC and others. If we want to shape our future freedoms in the digital world, the moment is now.

9. Do you believe that there are important differences between “traditional” political activism and the activism focused in the defense of human rights online or “hacktivism”? We at Críptica see a “gap” (generational, technical, gender based…) between both ways to intervene in politics.

Inevitably, human rights activism in the online world requires some technical skills (sometimes, very basic ones), which can leave outside some activists (for example, older generations). When this is not the case, we see that digital rights activism is identified with hackers and geeks, when it is obvious that almost everyone has a smartphone, uses e-mails and therefore the risks affect all of us.

When I introduce EDRi, I always highlight that we EDRi is a human rights organisation. Otherwise, when we talk about “digital rights” it seems like we are talking about “human rights for the developed world”, when in fact we are talking about the same human rights we already have offline, but applied to the online environment.

There is another issue, maybe more important. It is true that there are fights which are more urgent than privacy: climate change and social inequalities are two of the main ones. However, these battles are going to be fought, to an increasing extent, using digital tools. If we do not control those tools and we prevent indiscriminate surveillance we can see these fights seriously threatened and compromised.

10. Finally, what do you think should be, in your opinion, the aspects that as a political movement (from the “digital rights” organisations) we should have to improve?

1. We need to create a global discourse about surveillance and privacy which is not connected to the rhetorics of the Big Brother so we can get closer to citizens. We need to find and use positive examples (talking about freedoms rather than fears) in order to reach a wider audience.

2. Support economically (via donations, crowdfunding…) free software and privacy tools in particular, and use them. A first step could be, for example, convincing five people with whom you communicate the most to use Signal and communicating with them (sms and calls) privately. Signal is an app that is free of charge, it is free software, it is easy to use, and replaces your SMS app, so you do not need to use two different one for the same purposes.

3. We need to organise at local and national level to work on these issues, and also work in alliances at the European and international level in order to be more powerful. We need to put constant pressure on Members of the European Parliament and on the European Commission, since they are the ones that to a great extent decide on our online freedoms.

Entrevista en Criptica.org

El blog Criptica.org ha publicado una entrevista que me han hecho esta semana. (Post original en: http://www.criptica.org/2016/02/10/entrevista-a-diego-naranjo/)

6912948733_c69c164f99_o

1. Para los lectores que no te conocen, ¿podrías presentarte brevemente?

Me llamo Diego Naranjo y trabajo como Advocacy Manager para European Digital Rights (EDRi). EDRi es una federación de organizaciones no gubernamentales que trabajan en la defensa de derechos humanos en el mundo digital.

2. ¿Cuándo empezaste a ser consciente de la importancia de proteger tu privacidad? ¿Hubo algún acontecimiento concreto que determinara tu forma de pensar actual?

Sin duda, los libros del género de la “distopía” como 1984 de Orwell, “Fahrennheit 451” de Bradbury y “Un mundo feliz” de Huxley marcaron mi adolescencia. Desde entonces la idea de resistir al Gran Hermano ha influido en mi forma de pensar y ha marcado mis posiciones políticas al respecto.

3. ¿Quieres hablarnos de alguno de los proyectos relacionados con la seguridad o la privacidad (ya sean de carácter técnico, social o político) en los cuales estés involucrado actualmente?

Para este año en EDRi nos vamos a enfocar en una campaña contra la directiva EU PNR (https://edri.org/faq-pnr/), que puede ser aprobada en las próximas semanas; también trabajaremos en la reforma de la Directiva ePrivacy, que tras la aprobación del nuevo Reglamento General de Protección de Datos (GDPR, por las siglas en inglés: General Data Protection Regulation) tiene que ser revisada; finalmente, empezaremos a trabajar en los detalles sobre la implementación de la GDPR y estaremos atentos a los intentos de establecer nuevas normas de retención de datos a nivel nacional.

4. ¿Qué prácticas realizas en tu día a día para proteger tu privacidad, tanto en el entorno digital como en la vida real?

Realizo prácticas parecidas en ambos mundos (digital y no digital):

En el mundo digital:

1. Utilizo exclusivamente software libre en mis ordenadores.
2. Utilizo encriptación end-to-end (PGP) a diario.
3. En mi smartphone no utilizo Whatsapp, sino Signal y Telegram.
4. No uso redes sociales especialmente invasivas como Facebook.

En el mundo no digital:

1. Impulso la adopción de software libre por parte de instituciones públicas a través de enmiendas o propuestas en iniciativas legislativas y no legislativas de la Unión Europea.
2. Cuando uso correo ordinario, utilizo sobres para información privada, y postales para información no tan privada.
3. Intento realizar más reuniones en persona y charlas públicas que comunicaciones online.

5. ¿Qué le dirías al usuario común de Internet, que cree “no tener nada que ocultar”, o que piensa que la privacidad es una cuestión que solamente debería preocupar a “los que hacen cosas malas”?

Este es un “argumento zombie” que reaparece tras cada iniciativa pro-privacidad. La respuesta es que la privacidad no está relacionada con “ocultar cosas”, sino con la libertad de expresión, la libertad de reunión y otros derechos fundamentales. Todo el mundo debería ser capaz de hablar con sus amigos, expresar sus miedos y sus opiniones sobre cualquier tema sin ser vigilado constantemente. De lo contrario, esto lleva a que las personas se auto-censuren y dejen de ser ellos mismos. Esto puedo conllevar todo tipo de problemas, incluso de salud. ¿Seguro que buscarías la dirección de una clínica para la interrupción del embarazo si piensas que tu jefe puede estar analizando tus mensajes privados? ¿Vas a mirar información en Google sobre ISIS si eso puede llevar a que acabes en alguna base de datos como sospechoso de apoyar el terrorismo?

Este “chilling effect” lo podemos ver en otras escenas de la vida diaria. Por ejemplo, cuando conduces y ves que hay un coche de policía nadie se queda indiferente: Revisas todo, piensas si tienes la reglamentación del coche a mano, miras si vas a la velocidad permitida y, en general, te pones alerta. Si llevamos nuestro smartphone a todos lados y nos comunicamos cada vez más por Internet, podemos tener a “un policía” sobre nuestro hombro a cada segundo. ¿Quién quiere vivir en un estado de alerta permanente? ¿Qué tipo de libertad sería esa?

6. Pensando en usuarios sin formación específicamente técnica, ¿qué herramientas, hábitos o prácticas les recomendarías para mejorar su privacidad?

Edward Snowden ha propuesto varios consejos sencillos que pueden mejorar la privacidad fácilmente sin necesidad de muchos conocimientos técnicos: http://www.eldiario.es/cultura/tecnologia/privacidad/Edward-Snowden-explica-proteger-privacidad_0_457754864.html

Para los que tengan un conocimiento técnico menor que lo que se podría llamar “nivel usuario”, la recomendación es no instalar aplicaciones que requieran acceso a información cuyo uso no es necesario (ejemplo: aplicación de linterna que quiere acceder a tus contactos). Un paso más sería usar las aplicaciones que figuran en F-Droid (https://f-droid.org/), que son gratis y libres, y sólo en caso de no encontrar lo que necesitas ir a Google Play o Apple Store.

También se puede usar el buscador DuckDuckGo.com en vez de Google, para no ser rastreado.

Un paso un poco más avanzado es usar software libre. Ya hay muchas distribuciones (Ubuntu, Linux Mint…) que eliminan el mito de que el software libre es para informáticos.

7. ¿Hasta qué punto piensas que la crítica de la vigilancia masiva supone la legitimación involuntaria de formas de vigilancia individualizadas que, no obstante, siguen vulnerando los derechos de las personas afectadas? (Ejemplo: caso #Spycops en Reino Unido)

La vigilancia indiscriminada es, por definición, contraria a los derechos humanos, como han declarado reiteradamente los tribunales de Luxemburgo y Estrasburgo (casos Digital Rights Ireland y Schrems – CJEU, caso Szabo y otros en TEDH).

La vigilancia individualizada, por otro lado, no es un cheque en blanco. Debe estar previsto en una ley y seguir los criterios de necesidad y proporcionalidad. Esto debe incluir un sistema de prevención de abusos: En casos en que sean las agencias de espionaje (“agencias de inteligencia”) sean las que llevan a cabo la vigilancia, deben estar sometidas al escrutinio del Estado, incluyendo la supervisión judicial. En el caso de vigilancia por parte de fuerzas policiales, esto debe ser hecho siguiendo las normas de un Estado de Derecho, lo cual incluye que no se inicie ningún seguimiento de comunicaciones privadas sin autorización judicial y que, en ciertos casos, incluso éstas no puedan ser investigadas (por ejemplo, entre un abogado y su cliente, o entre médico y paciente).

8. A día de hoy, ¿qué instituciones, actores u organismos piensas que suponen una amenaza para la libertad y la privacidad en Internet? ¿A quién corresponde defender estos derechos?

El Internet de las Cosas (Internet of Things) es una amenaza que tiene que ser neutralizada ya mismo. Los efectos que esas tecnologías pueden tener en relación a la creación de perfiles (profiling) y como una nueva manera de control de la población es alarmante. Las multinacionales que viven de nuestros datos personales (Google, Facebook, Skype y otras) suponen una amenaza constante, como hemos visto tras las revelaciones de Snowden.

Defender estos derechos nos corresponde siempre a los ciudadanos. Los derechos, como los músculos, se fortalecen mediante su ejercicio constante. De lo contrario, nos volvemos débiles. Debido a que las políticas sobre privacidad se realizan cada vez más a nivel europeo, hacemos un llamamiento a que los ciudadanos se organicen en asociaciones y que actúen en los llamamientos a la movilización que hacemos organizaciones como EDRi, Xnet, Access Now, BEUC y otras. Si queremos perfilar nuestras futuras libertades en el mundo digital, el momento es ahora.

9. ¿Crees que existen diferencias notables entre el activismo político “tradicional” y el activismo centrado en la defensa de los derechos en Internet o el “hacktivismo”? Lo cierto es que desde Críptica observamos una “brecha” (generacional, técnica, de género…) entre ambas formas de intervención política.

Inevitablemente, el activismo de los derechos humanos en Internet requiere ciertos conocimientos técnicos (a veces, sólo muy mínimos), lo cual puede echar hacia atrás a cierta gente. Cuando no es ese el caso, nos encontramos con que este campo se identifica con hackers y geeks solamente, cuando lo cierto es que casi todos tenemos un correo electrónico y un smnartphone a mano, y por tanto los riesgos nos afectan a todos.

Cuando presento EDRi, siempre hincapié en que somos una organización de derechos humanos. De lo contrario, cuando hablamos de “derechos digitales” parece que hablamos de derechos humanos para el mundo desarrollado, cuando en realidad son solamente los derechos humanos que ya tenemos offline pero aplicados al mundo digital.

Hay otro asunto, quizá más importante. Es cierto que hay luchas más prioritarias y urgentes que la privacidad: el cambio climático y la desigualdades sociales son dos de las principales. Ahora bien, estas luchas se van a desarrollar en mayor o menor medida cada vez más usando medios digitales. Si no controlamos estas herramientas y prevenimos que exista la vigilancia masiva indiscriminada, podemos ver que esas luchas se vean amenazadas seriamente.

10. Finalmente, ¿cuáles deberían ser, según tu opinión, los aspectos que como movimiento político (desde el conjunto de las organizaciones defensoras de los “derechos digitales”) tendríamos que mejorar?

1. Tenemos que crear un discurso global sobre la vigilancia y la privacidad que se aleje de la retórica del Gran Hermano y que se acerque a los ciudadanos. Hay que usar ejemplos positivos y divertidos para poder llegar a la gente.

2. Impulsar económicamente (donaciones, crowfunding…) software libre y el uso de herramientas de privacidad. Un primer paso puede ser, por ejemplo, convencer a tus 5 contactos más utilizados de que instalen Signal y comunicarte por ellos (por mensajes y llamadas) de forma privada. Es una herramienta gratuita, fácil de usar, y que reemplaza a tu app de SMS, así que no necesitas duplicar tus apps.

3. Organizarnos en nuestras organizaciones locales y nacionales para abordar estos temas, y aliarnos a nivel europeo e internacional con otras organizaciones para aunar fuerzas. Hay que poner presión constante en los parlamentarios europeos y en la Comisión Europea, que son los que en gran medida deciden sobre nuestras libertades digitales.

Smart Borders package: Unproportionate & unnecessary data collection

Originally published at EDRi-gram on 04-November-2015: https://edri.org/smart-borders-package-unproportionate-unnecessary-data-collection/  )
https://www.flickr.com/photos/neccorp/16250748818/

Photo by NEC Corporation of America with Creative Commons license. https://www.flickr.com/photos/neccorp/16250748818/

“The proposal is fear-driven and fear-triggering at the same time, placing emphasis on a putative need to protect the EU from those coming from outside.”

(Extract from EDRi’s response to the consultation)

In an attempt to overcome the failed proposal from 2013 on the Smart Borders package, the European Commission launched a consultation to prepare a revised text, to which EDRi submitted its response on 29 October 2015. The new EU Entry/Exit System (EES) plans to extend biometric ID checks to all non-EU nationals entering or leaving the EU. Despite the numerous questions about the costs and serious implications to civil liberties raised in relation to the 2013 proposal, the European Commission seems decided to give it another try.

................................................................. Support our work - make a recurrent donation! https://edri.org/supporters/ .................................................................

The Smart Borders Package, which is aimed at improving the management of migratory flows , consists of three legislative proposals: (1) a Regulation establishing an EU Entry/Exit System (EES); (2) a Regulation establishing a Registered Traveller Programme (RTP) and (3) a Regulation amending the Schengen Borders Code to take into account the establishment of the EES and the RTP.

EDRi’s submitted the position that such a vast collection of sensitive personal data risks undermining the right to privacy of millions of people. As any other restriction of fundamental rights, this measure needs to be guided, inter alia, by the necessity and proportionality test of the Article 52.1 of the Charter of Fundamental Rights of the European Union. The new entry system could include biometric ID checks including the collection of ten fingerprints and facial images. The Commission has yet to demonstrate clearly why these privacy invasive measures are necessary, effective and proportionate, and whether the system could operate without some or all of them.

In our submission we mentioned the need to learn from the case law of both the European Court of Human Rights (ECtHR) and the Court of Justice of the European Union (CJEU), and recalled that if an intrusive measure such as data retention was to be considered, the legislators would have the obligation to verify the “proportionality of the interference”. Therefore, no data retention mandates should be approved until a credible, independent test, proving compliance with CJEU and ECtHR case law has been conducted. In addition to the European courts, the issue of biometric databases has been the subject of debate in various Member States, for example in the French Constitutional Court.

Once the European Commission has analysed the responses, it will produce a legislative proposal. This proposal needs to take into account the concerns that were raised before and that are still under analysis by experts like the EU Fundamental Rights Agency. As we have seen with the Safe Harbor agreement and the Data Retention Directive, legislation which was in clear violation of EU core norms can lead to the violation of citizen’s rights that can drag on for years, as well as costs for companies, citizens and the European courts. The Commission and the European Parliament cannot fail again and drag us into years of litigation, nor can it leave it to the CJEU to fix the breaches of fundamental rights law that they willfully or negligently foist on individuals. The EU needs to produce the right policies to achieve its goals, and stop suggesting the dragnet collection of personal data as the solution to all European problems.

Response from EDRi to the Smart Borders Consultation (29.10.2015)
https://edri.org/files/smartborders/consultationresponse.pdf

EDRi-gram: France: Biometric ID database found unconstitutional (28.03.2012)
http://history.edri.org/edrigram/number10.6/french-biometric-database-unconstitutional

Biometric data in large EU IT systems in the areas of borders, visa and asylum – fundamental rights implications
http://fra.europa.eu/en/project/2014/biometric-data-large-eu-it-systems-areas-borders-visa-and-asylum-fundamental-rights?_cldee=ZG5AZGllZ29uYXJhbmpvLmV1&urlid=1

(Contribution by Diego Naranjo, EDRi)

General Data Protection Regulation: Moving forward, slowly

(Originally published at EDRi-gram 13.11, 3 June 2015: https://edri.org/general-data-protection-regulation-moving-forward-slowly/)

youtubeprivacy

Options are: Be tracked or be tracked

 

The discussions in the EU on the proposal for a General Data Protection Regulation (GDPR) are slowly advancing, but the final destination is still unknown. Commissioner Věra Jourová , who is responsible for Justice, Consumers and Gender Equality and has the task of ensuring the “swift adoption of the EU data protection reform”, has stated that EU Data Protection reform “is a win-win for consumers and businesses”, and that the red lines of the 1995 Data Protection Directive will remain untouched. However, latest developments in the Working Party on Information Exchange and Data Protection (DAPIX) have brought to the GDPR text new changes that may erode Jourová’s optimism.

In March 2015, EDRi published a set of leaked documents with the (then) latest texts from the EU Council. At the same time we published an analysis of the five main topics we thought were going below the safeguards that were set in the 1995 Data Protection Directive. Our analysis remains valid, unfortunately, for majority of the points we analysed, with some exceptions.

For example, Article 6 and recital 40 on lawfulness of processing of personal data have been touched in different ways. The list of requirements defining whether or not a further processing is compatible with the purpose the data was collected in Article 6 (3a) has become an open list with the insertion of the words “inter alia”. This makes it a broader definition which could add additional safeguards for the data subject. Going a bit further, Article 6.4 is likely to be deleted, since there seems to be a significant number of Member States that are pushing against it. This Article allows for “(f)urther processing by the same controller for incompatible purposes on grounds of legitimate interests of that controller or a third party shall be lawful if these interests override the interests of the data subject”.

The “one stop shop” mechanism is also a matter of concern. The original idea was to simplify complaints, creating a single point of contact for citizens and businesses bringing a transnational complaint. It would also ensure consistent application of the Regulation through the European Data Protection Board (EDPB), eliminating the current common practice of “forum shopping”. Based on the leaked documents, the current proposed text from the Council on the “one stop shop” mechanism would add several levels of bureaucracy. In the case of a transnational complaint, at least two data protection authorities would have to be involved and reach consensus to solve the case. This could lead to a fragmented implementation of the Regulation as the oversight role of the Board would be greatly reduced. Both citizens and businesses would then be left without the benefits of a swift, predictable and harmonised “one stop shop” mechanism. Finally, data Protection seals (certifications) and binding corporate rules should all be subject to the one-stop mechanism, at least in transnational cases. Otherwise they will offer the possibility to bypass the Regulation.

In the lead-up to the start of the trialogue meetings on this topic, we can only mention a few of the major issues here. In a meeting of the European Data Protection Supervisor with civil society actors (including EDRi, EDRi members Access and Bits of Freedom, as well as BEUC, Code Red, and Privacy International, see video below) on 27 May, we addressed also problems with the definitions contained in the GDPR, the seriousness of having profiling back in the exceptions of Art. 21 after it was taken out by the Parliament, the need for citizens to be able to have access to effective collective redress mechanisms, and problems with the transfer of data to third countries, including the Safe Harbour agreement.

Data protection reform timetable (01.06.2015)
http://www.eppgroup.eu/fr/news/Data-protection-reform-timetable

Latest consolidated text of the GDPR
https://edri.org/files/DPR2015feb/GDPR_consolidated1-June-2015.pdf

Statewatch: LIMITE document from the Council on Article 6 and recital 40 (26.05.2015)
http://www.statewatch.org/news/2015/may/eu-council-dp-reg-Art-6-ChapII-III-9082-15.pdf
Other documents obtained by Statewatch are available at
http://statewatch.org/news/2015/may/eu-dp-reg-may-2015.htm

EDPS meeting with civil society (EDRi, Access, BEUC, Bits of Freedom, Code Red, Privacy International)
https://secure.edps.europa.eu/EDPSWEB/edps/site/mySite/GDPR_civil_soc

Badly broken campaign: European data protection reform is badly broken (03.03.15)
https://edri.org/broken_badly/

(Contribution by Diego Naranjo, EDRi)

“We still need to watch you, really”: PNR back in the Parliament

(Originally published at EDRi’s website:  https://edri.org/pnr-back-in-the-ep/)

fPNR

Despite the decision of the European Parliament to refer the EU-Canada PNR agreement to the Court of Justice of the European Union (CJEU) in December 2014, the urge to keep increasing surveillance citizens’ movements across Europe seems to be irrepressible. Timothy Kirkhope, Rapporteur (MEP in charge) of the Fight against terrorism and serious crime: use of passenger name record (PNR) data (procedure file 2011/0023(COD) ), is again launching the EU PNR proposal in the European Parliament, after it was rejected by the Parliament’s Civil Liberties Committee in 2013.

What is PNR?

Passenger Name Records (PNR) are data containing information provided by passengers and collected by air carriers for commercial purposes. This can contain several pieces of information such as dates, itinerary and contact details. All PNR data is stored in airlines’ databases.

What kind of information do they contain?

  • Date of the trip and complete itinerary,
  • Name and contact information,
  • Form of payment,
  • Frequent flyer information,
  • Meal preferences,
  • Medical information,
  • Disabilities,
  • Non-flight matters administered by the airline, such as hotel bookings, car rentals, train journeys, travel associates, etc.

Many of these types of data can be used and aggregated to build profiles. For instance, meal preference can provide information about religious affiliation, hotel reservations can indicate passengers’ personal relationships, etc. Mr Kirkhope suggests comparing the PNR database against other databases, presumably to generate such extra data.

How will this information be used under the proposed EU PNR Directive?

The passenger data of all flights from or to the European Union could be processed for the purposes of the prevention, investigation and prosecution of serious crime, serious transnational crime and terrorist offences. However, the definitions in the Directive are so unclear that Member States are given the option of excluding “minor offences” that they cover. All passenger data would be retained by specific Passenger Information Units (PIU) up to five years (or five and a half years, if being stored by the Australian authorities under the bilateral EU/Australian agreement… or 15 years, if being stored by the US authorities under the bilateral EU/US agreement). Moreover, the proposal foresees the possibility to broaden the scope of the PNR directive by including internal European flights, a measure that Mr Kirkhope wants to introduce immediately.

What are the main problems of the EU PNR proposal?

  • The ruling of the EU’s court, the Court of Justice concerning the invalidation of the Data Retention Directive: The analysis provided in that ruling makes it difficult to believe that the current PNR proposal would be considered lawful
  • Excessive Data Retention Period: Even if the retention of data in the PNR context was considered necessary and proportionate, the proposed storage period excessive and lacking any meaningful justification
  • Lack of concrete protections from arbitrariness: In the text,it is unclear how and when data will be processed (prevention of badly defined “serious crime”). There are existing measures (VIS, SIS and API) which already provide a great deal of information. There is no evidence another system would be needed.
  • Lack of evidence showing that these measures are effective, necessary and proportionate in the detention or prevention of serious crimes.From the European Commission impact assessment, there is no concrete evidence on the actual usefulness of PNR collection for the tackling of serious crime or terrorist offences. In this regard, it is particularly worrying that the European Commission states in its proposal that “PNR data is unverified information provided by passengers” while remaining convinced – despite questionable accuracy – it could be used in real time “to prevent a crime”.
  • Lack of proportionality: The Fundamental Rights Agency, the European Data Protection Supervisor, and the Article 29 Working party  (most recently here) agree on the lack of proportionality of the proposal. The proposed EU PNR system foresees data collection and analysis for all passengers on international flights without any sort of targeting.
  • Excessive costs: Transposing such Directive will bring significant costs for Member States. The high expenditure is confirmed by the controversial call for proposal of 50 million euros issued by the European Commission to build PNR systems in several Member States. These funds were made available even though the legislation has not been agreed.

We have sent a letter to members of LIBE, and prepared a briefing paper and an analysis of the proposal. It is time to call and write your MEPs and let them know why this proposal needs to be rejected again.

You can also support our crowdsourcing campaign to produce postcards that will be sent to MEPs in order to make them aware of the risks of this proposal for the fundamental rights of citizens.

 

PNR_postcards_20150324