tag:blogger.com,1999:blog-341161572024-03-13T05:20:12.911+01:00Ralf Bendraththoughts and observations of a privacy, security and internet researcher, activist, and policy advisorRalf Bendrathhttp://www.blogger.com/profile/10683156686424057297noreply@blogger.comBlogger147125tag:blogger.com,1999:blog-34116157.post-47104239326065789002017-02-12T04:40:00.000+01:002017-02-12T23:38:02.758+01:00Internet of Things and Security - The ChallengesI had the pleasure of speaking at an event organised by the <a href="https://www.edps.europa.eu/">European Data Protection Supervisor (EDPS)</a> on the Internet of Things. While the EDPS is focused on data protection, I tried to widen the perspective and also address the more pressing issues around IoT security. My final words addressed some of the issues around the economic aspects of the IoT, including data ownership. I used a lot of recent examples from the real world, including <a href="https://www.wired.com/2016/08/jeep-hackers-return-high-speed-steering-acceleration-hacks/">car hacking</a>, <a href="http://www.networkworld.com/article/3162740/security/cops-use-pacemaker-data-as-evidence-to-charge-homeowner-with-arson-insurance-fraud.html">pacemaker snitching</a>, and <a href="http://www.thelocal.at/20170128/hotel-ransomed-by-hackers-as-guests-locked-in-rooms">hotel door ramsomware</a>. <br />
<br />
The <a href="http://web.ep.streamovations.be/index.php/event/stream/170210-1230-special-eops-trainee-event">video of the whole event is now available</a>, I speak at 55:55.<br />
<br />
<b><i>Edited to add: </i></b>The other speakers before me were: Giovanni Butarelli (EDPS, <a href="https://twitter.com/buttarelli_g">@Butarelli_G</a>), Wojtek Wiewiorowski (assistant EDPS, <a href="https://twitter.com/W_Wiewiorowski"> @W_Wiewiorowski)</a>, Joe McNamee (EDRi, <a href="https://twitter.com/@why0hy">@why0hy</a>), Riccardo Masucci (Intel, <a href="https://twitter.com/riccardomasucci">@riccardomasucci</a>, Irene Kamara (Universities of Brussels & Tilburg, <a href="https://twitter.com/kamara_irene">@kamara_irene</a>), in that order.
Ralf Bendrathhttp://www.blogger.com/profile/10683156686424057297noreply@blogger.com1tag:blogger.com,1999:blog-34116157.post-75164022082451473672016-07-16T22:28:00.000+02:002016-07-16T22:29:13.740+02:00Minutes from EU Court of Justice on #DataRetentionOn 19th July 2016, Advocate General Øe Saugmandsgaard will present the Court of Justice of the European Union (CJEU) his opinion in the joined cases <a href="http://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=C-203/15" target="_blank">C-203/15</a> and <a href="http://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=C-698/15" target="_blank">C-698/15,</a>Tele2 Sverige and Davis and Others. They concern the validity of national laws in Sweden and the UK for the retention of telecommunications data under EU law and the EU Charter of Fundamental Rights. This is a very relevant question, since the Court <a href="http://curia.europa.eu/juris/document/document.jsf?text=&docid=150642&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=900044">invalidated</a> the EU Data retention directive in 2014.<br />
<br />
To see what is to be expected, it is helpful to know what happened at the oral hearing on 5th April 2016. Our legal trainee Antonia Latsch attended the hearing (which is public, but not streamed or recorded). She <a href="https://twitter.com/antonialatsch">live-tweeted</a> from there, and has allowed me to re-publish her tweets in chronological order here. I have done minor editing to clean up the language, correct typos, etc. So here we go:<br />
<br />
Court is in session <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s></a><b><span style="color: blue;"><a href="https://twitter.com/hashtag/dataretention?src=hash">dataretention</a> </span></b><a href="https://twitter.com/hashtag/dripa?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dripa</span></b></a><br />
<br />
Judgement first, hearing about to start <a href="https://twitter.com/hashtag/CJEU?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b><s><span style="color: blue;"> #</span></s><b><span style="color: blue;">CJEU</span></b></a><br />
<br />
Hearing started. Johansson addressing question of what constitutes electronic processing of personal data <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Tele2 Lawyer Johansson: Law needs to be proportional to what is strictly necessary for the concrete objectives <a href="https://twitter.com/hashtag/tele2?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">tele2</span></b></a> <a href="https://twitter.com/hashtag/CJEU?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">CJEU</span></b></a><br />
<br />
Tele2: legislation needs to limit access of data, only to fight serious crimes & subject to ex ante court control <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Tele2: Swedish data collection law is not limited to serious crimes, nor does it grant ex ante court control <a href="https://twitter.com/hashtag/tele2?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">tele2</span></b></a> <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Watson/Davis Lawyer: The United Kingdom does not provide sufficient safeguards for personal data collection <a href="https://twitter.com/hashtag/DRIPA?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">DRIPA</span></b></a> <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Davis/Watson: Minimum safeguards need to be in place to protect personal data to prevent abuse <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention </span></b></a><a href="https://twitter.com/hashtag/DRIPA?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">DRIPA</span></b></a><br />
<br />
Davis: Court should give guidance to what necessary safeguards are, UK does not meet the safeguards <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Davis: UK allows collection of data for purposes that are not in regards to suspected crimes, constitutes breach of Art. 51 <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Brice: authorization and purpose for what it is granted for are connected; intrusiveness needs to meet seriousness of crime <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Brice: Authorization to access to data must me be granted by structural independent body <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Brice: purpose of law is only in case of serious crimes. Domestic legislation goes way beyond, including tax purposes <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Open Rights Group: Case is of global significance, challenging the courts position on personal data protection <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
ORG/Privacy International: states need to be able to prevent passing of data to states that don't comply with EU privacy law <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
PI: Art. 15 e-privacy directive is lex specialis, it does not allow for the individual to be completely stripped of their privacy rights <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Law Society: Limitation by independent authorization for the kind of data that can be stored is missing <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Sweden: general obligation to keep data can be proportional for very important measures <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Sweden: not all access to general data needs to be directly related to a serious crime, but be strictly necessary <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Sweden: investigations have shown that it is impossible to limit retention of data prior for measurements to be effective <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Sweden: possibility of rapid decisions is necessary for effectiveness, therefore outside review is unpractical <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
UK: Law requires commercial service providers to keep the data, not authorities <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
UK: We cannot know in advance what data is necessary and valuable <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
UK: in matters concerning national security, member states must make assessments of what is necessary and proportionate <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
UK: objective requirements for necessity of the taken measurements are different from specific rules laid out by the court <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
UK: it should be up to national courts to check that specific requirements and set standards are met <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Czech: important how domestic law allows access and safety of data, if safeguards are in place, it is not disproportionate <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Czech: "We live in troubled times, do we really want to constrain the member states in this way?"<a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Denmark: data retention must be general to be effective as a crime fighting tool <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Denmark: Rules on access to and retention of date go hand in hand and can not be separated <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Denmark: proportionality test strikes the right balance, provided it gives clear and precise rules/guarantees of protection <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Denmark: approach to data retention should be all or nothing <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Denmark: no reason to assess these national measures more stringent than other national measures <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Germany: active passing of data by private sector allows government access, this must be compatible with fundamental rights <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Germany: objective safeguard criteria can be sufficient, therefore concrete implementation determines if law is proportionate <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Antonia Latsch re-tweeted<span style="color: blue; font-family: "times new roman" , "serif"; font-size: 12.0pt;"> <u><a href="http://twitter.com/%E2%80%8FTetsuwanAstro">@<b>TetsuwanAstro</b></a>:</u></span><br />
Germany: Data protection guarantees should be assessed as a whole, access AND retention rules together <a href="https://twitter.com/hashtag/dataprotection?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataprotection</span></b></a><br />
<br />
Estonia: We consider it necessary in the fight against terrorism to collect data of all people <s><span style="color: blue;"></span></s><a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Estonia: Saving someone's life and effectively fighting crime is worth allowing government's intervention <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Ireland: access of data is not directly governed by EU law <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Ireland: court is providing guidance for interpretation of EU law to national courts <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Ireland: member states must be given discretion on how to provide proportional measures <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Ireland: access of data is not directly governed by EU law <s>#</s><b>dataretention</b><br />
<br />
<a href="https://twitter.com/AntoniaLatsch"><b><span style="color: blue;">Antonia Latsch re-tweete</span></b></a>d <a href="https://twitter.com/JanAlbrecht"><span style="color: blue;">@<b>JanAlbrecht</b></span></a><br />
<br />
Jan Philipp Albrecht quoted Antonia Latsch:<br />
Rubbish. The ePrivacy Directive regulates use of personal telecom data, therefore governed by EU law.<a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;"> #</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<blockquote class="tr_bq">
Ireland: access of data is not directly governed by EU law <s>#</s><b>dataretention</b></blockquote>
Ireland: Diversity of different member states needs to be respected by the court <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Spain: The burden that data retention puts on the internal market and private actors should not be underestimate <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Spain: The upholding of fundamental rights must be the upper limit to granted discretion <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Spain: General data retention cannot be seen as an indispensable measure taken by all means <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
France: Data can be used for prosecution as well for proof of innocence. It is impossible to know in advance what is needed. <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
France: French government finds the retention period of 1 year for data absolutely necessary to combat crime and terrorism <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
European Commission: Interference must be proportional as well as respect the essence of the interfered right <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Finland: Connection between retention and use means that retention can only be justified if the later use is also justified <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Finland: Practical reasons necessitate a system of universal retention of data that can be compensated by limitation <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
European Commission: procedural safeguards in their entirety need to be assessed to their efficiency <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
after questioned by Judge Rapporteur von Danwitz, Tele2: about 10.000 data request have been made to tele2. No overall statistic available <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
von Danwitz to UK: Does DRIPA enable public authority to collect data from persons outside of the UK? <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
UK: Scope of data retention of DRIPA applies to all data generated and processed in the UK <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
v. Danwitz:"how far are we taking this logic that we don't know who will be a criminal tomorrow and therefore need all data?" <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
v. Danwitz: "Isn't there always something more effective and also more intrusive? Where do we stop?" <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Advoc. General Saugmandsgaard to UK: can you be more precise to when general retention is indispensable? <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
UK: retention of general data is vital to prevent terrorism and preventing crime but also for protecting people in general <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Advoc. General to Tele2: Are Swedish authority demanding you to secure data you would otherwise not acquire? <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Tele2: No, its data that is there, but would not be kept and deleted at once. <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Advoc. General to Sweden: Is there information about the misuse of this data retention? <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Germany: data retention is not useful if limited to specific geographical locations <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Sweden: The chancellor of the data protection agency must be informed of mistakes; here ex-post control is more efficient <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Tele2: All retention of data carries a risk of misuse, member states should look closely at what is stored and for how long <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Davis: Case regards the lack of safeguards. Access to data takes place in secret; high demands cannot be monitored adequately <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Davis: Although individuals can, it's unlikely they will bring a complaint if they don't know their information was accessed <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Sweden: if data retention is to be an effective measure in fighting crime it needs to be general by nature <a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a><br />
<br />
Session is closed. Advocate General opinion will be delivered on the 19th of July 2016.<span style="color: blue;"> </span><a href="https://twitter.com/hashtag/dataretention?src=hash"><s><span style="color: blue;">#</span></s><b><span style="color: blue;">dataretention</span></b></a>Ralf Bendrathhttp://www.blogger.com/profile/10683156686424057297noreply@blogger.com0tag:blogger.com,1999:blog-34116157.post-69122995667205950982016-04-11T01:03:00.000+02:002016-04-11T01:16:44.507+02:00Minutes from EU Court of Justice on #CanadaPNROn 5th April, I attended the oral hearing of the Court of Justice of the European Union (CJEU) on the draft agreement between the EU and Canada on the transfer, use, and retention of air passenger data <a href="http://www.consilium.europa.eu/register/en/content/out/?&typ=ENTRY&i=ADV&DOC_ID=ST-12652-2013-INIT">(EU-Canada PNR agreement)</a>. The European Parliament has <a href="http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P8-TA-2014-0058&language=EN&ring=B8-2014-0265">submitted</a> this agreement to the Court in November 2014.<br />
<br />
It was my first time at the Court, and the Grand Chamber is really impressive. However, I watched the hearing from the press room next door in order to be able to use the laptop and wifi.<br />
<br />
Colleague <a href="https://twitter.com/ThmsvdVlk">Thomas van der Valk</a> was also tweeting.<br />
<br />
Here are my tweets in chronological order and with some typos corrected:<br />
<br />
EU Court of Justice hearing on EU-Canada PNR agreement about to start. I'll tweet from there.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-_lLqSNFxHgE/Vwmyj6TrtKI/AAAAAAAAAKs/-JNFCNGnokkNG7VX3IWasqH9zlQEEvgYg/s1600/CJEU.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://4.bp.blogspot.com/-_lLqSNFxHgE/Vwmyj6TrtKI/AAAAAAAAAKs/-JNFCNGnokkNG7VX3IWasqH9zlQEEvgYg/s320/CJEU.jpg" width="240" /></a></div>
"The Court is in session". Two short judgements are announced first, then #CanadaPNR hearing in a few minutes. #CJEU<br />
<a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> hearing started. First: legal service of @Europarl_EN, which submitted the agreement to the Court.<br />
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="36329597" dir="ltr" href="https://twitter.com/Europarl_EN">@Europarl_EN</a>: 2 questions: lack of data protection rights, wrong legal basis of the agreement. Candadian law only allows Canadians remedy.<br />
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="36329597" dir="ltr" href="https://twitter.com/Europarl_EN">@Europarl_EN</a> questions compatibility with Art. 8 of the Charter of Fundamental Rights (data protection): independent oversight? <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a><br />
<div class="TweetTextSize TweetTextSize--16px js-tweet-text tweet-text" data-aria-label-part="0" lang="en">
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="835417375" dir="ltr" href="https://twitter.com/ThmsvdVlk">@ThmsvdVlk</a> is also live-tweeting from the <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> hearing at the <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CJEU?src=hash">#CJEU</a>. </div>
<div class="TweetTextSize TweetTextSize--16px js-tweet-text tweet-text" data-aria-label-part="0" lang="en">
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="36329597" dir="ltr" href="https://twitter.com/Europarl_EN">@Europarl_EN</a>: Article 47 of the Charter (judicial redress / legal remedies) not met with the PNR agreement?</div>
.@Europarl_EN: Article 52 of the Charter (proportionality and necessity) not met either, see <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/dataretention?src=hash">#dataretention</a> judgement?<br />
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="36329597" dir="ltr" href="https://twitter.com/Europarl_EN">@Europarl_EN</a> lists the several typed of processing of PNR data: transfer, access, analysis, retention, onward transfer. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a><br />
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="36329597" dir="ltr" href="https://twitter.com/Europarl_EN">@Europarl_EN</a>: systematic analysis of all passenger data (profiling) not yet covered by <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CJEU?src=hash">#CJEU</a> case law such as <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/dataretention?src=hash">#dataretention</a> or <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/Schrems?src=hash">#Schrems</a>.<br />
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="36329597" dir="ltr" href="https://twitter.com/Europarl_EN">@Europarl_EN</a>: Canadian privacy Commissioner has been critical about large-scale PNR data analysis. "mega-data" not "meta-data" <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> <br />
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="36329597" dir="ltr" href="https://twitter.com/Europarl_EN">@Europarl_EN</a>: PNR data will be transferred to US authorities under the "beyond the border" agreement, <a class="twitter-timeline-link" data-expanded-url="https://www.dhs.gov/beyond-border" dir="ltr" href="https://t.co/O8aXkK98go" rel="nofollow" target="_blank" title="https://www.dhs.gov/beyond-border"><span class="invisible">https://www.</span><span class="js-display-url">dhs.gov/beyond-border</span><span class="tco-ellipsis"><span class="invisible"> </span></span></a> <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a><br />
Now: Council legal service, defending the <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> agreement. "<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="36329597" dir="ltr" href="https://twitter.com/Europarl_EN">@Europarl_EN</a> also accepted PNR agreements with USA and Australia." <br />
(Reason for <a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="36329597" dir="ltr" href="https://twitter.com/Europarl_EN">@Europarl_EN</a> to submit <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> agreement was CJEU <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/dataretention?src=hash">#dataretention</a> judgement. It came after USA and Australia PNR agreements.)<br />
<div class="js-tweet-text-container">
<div class="TweetTextSize TweetTextSize--16px js-tweet-text tweet-text" data-aria-label-part="0" lang="en">
Council now on legal arguments about opt-out options for Denmark, Ireland and UK, Court had asked about this as well. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a></div>
</div>
<div class="stream-item-footer">
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Council: Canadian general law allows for legal remedies for anyone, not just people in Canada. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Funny to see the <a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="36329597" dir="ltr" href="https://twitter.com/Europarl_EN">@Europarl_EN</a> agents sitting behind the Council agent who is speaking now. They shake their heads quite often. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Council: Legal basis for <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> agreement (Art. 82 TFEU, judicial cooperation) is correct, we maintain our position.</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Council: <a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="36329597" dir="ltr" href="https://twitter.com/Europarl_EN">@Europarl_EN</a> did not contest same legal basis for EU-Australia PNR agreement. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="206717989" dir="ltr" href="https://twitter.com/EUCouncil">@EUCouncil</a> conclusion: All is fine with the <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> agreement.</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="157981564" dir="ltr" href="https://twitter.com/EU_Commission">@EU_Commission</a> quotes EU anti-terror coordinator: number of convictions based on PNR "irrelevant". Court had asked about those! <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a></div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="157981564" dir="ltr" href="https://twitter.com/EU_Commission">@EU_Commission</a>: The <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/PNR?src=hash">#PNR</a> data is "anonymised" after 30 days. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/dataretention?src=hash">#dataretention</a> judgement is not applicable here. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="157981564" dir="ltr" href="https://twitter.com/EU_Commission">@EU_Commission</a>: <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> agreement provides for legal remedies and independent oversight: Passengers can complain with EU DPAs.<br />
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="157981564" dir="ltr" href="https://twitter.com/EU_Commission">@EU_Commission</a>: Dispute settlement mechanism in Art. 25 of <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> agreement is sufficient. If no solution, EU DPAs can act, cf <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/Schrems?src=hash">#Schrems</a><br />
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="157981564" dir="ltr" href="https://twitter.com/EU_Commission">@EU_Commission</a> on legal basis: Art. 16 TFEU (<a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/dataprotection?src=hash">#dataprotection</a>) cannot ovver-rule all provisions on police / judicial cooperation. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a><br />
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="157981564" dir="ltr" href="https://twitter.com/EU_Commission">@EU_Commission</a>: Existing data exchange agreements (Europol etc.) Can't out-rule this agreement, because we need data exchange <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a><br />
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="157981564" dir="ltr" href="https://twitter.com/EU_Commission">@EU_Commission</a>: Critical report by Canadian privacy commissioner shows that independent oversight works. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a><br />
<br />
<div class="js-tweet-text-container">
</div>
Some laughter in the press room on the last argument by <a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="157981564" dir="ltr" href="https://twitter.com/EU_Commission">@EU_Commission</a>. (I am here, so I can use the laptop.) <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a></div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Estonia starts their argument with an analogy of two piles of hay. Seems
to boil down to "We can eat the cake and still have it". <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Estonia: <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> data is limited. Helps police to determine criminal intent of travellers. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/Schrems?src=hash">#Schrems</a> not comparable, based on 1995/46/EC.</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Estonia: PRISM programme was covert, allowed unlimited data sharing. Completely different for <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a>: Protects against covert processing</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Estonia: We can't limit (target) the amount of passengers, but the profiling limits the group of suspicious passengers anyway. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Estonia: PNR data is broader than API (passport) data. But any border
agent could ask you about your credit card number as well. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Estonia: No reason to believe that Canada would process data without good faith. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> will pass <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/Schrems?src=hash">#Schrems</a> "eye of the needle" test.</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Estonia: We cannot allow the risk of having potentially dangerous people board airplanes. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> is "unavoidably necessary".</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Now Ireland on <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a>: International problems demand international responsed. Agreement is necessary.</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Ireland: <a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="36329597" dir="ltr" href="https://twitter.com/Europarl_EN">@Europarl_EN</a> has agreed to PNR agreements with USA and Australia!</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Ireland: Choice of legal basis important for us because of our opt-in
choice for judicial cooperation. (We'll participate anyway) <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Ireland: Data and number of people affected is much more limited than data in DRI and Schrems cases. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Ireland: <a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="36329597" dir="ltr" href="https://twitter.com/Europarl_EN">@Europarl_EN</a> is endangering international cooperation by its challenge of <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a>.</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Next in <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> hearing is Spain: We must regard the specific circumstances of the <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> case.</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Spain: <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/dataretention?src=hash">#dataretention</a> period of 5 years is absolutely necessary for criminal investigations. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Spain: Charter requirement of "independent" DPAs is different than "total independence" under 1995/46/EC. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> guarantees independence</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
(re last argument: <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> is overseen in Canada by an ombudsperson, not by the Canadian DPA.)</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
After short break, now France on <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a>: Canada provides essentially equivalent data protection rights. PNR data not intrusive anyway.</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
France: Judicial approval of transfer of <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> data would make the whole approach meaningless. Agreement necessary and proportionate.</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Impression so far: Everybody refers to "necessary and proportionate", but hardly anyone except <a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="36329597" dir="ltr" href="https://twitter.com/Europarl_EN">@Europarl_EN</a> is giving criteria. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
France: Investigations into crimial networks take 4 to 5 years, therefore we need 5 years <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/dataretention?src=hash">#dataretention</a>. Useful. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
France: Terrorist groups exist some years before they actually become active. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
France insisting that recent CJEU and ECtHR case-law on mass surveillance was about communications, not PNR. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Now UK, their agent in full "Queen's Counsel" style with a wig: We must check purpose, nature of data, safeguards. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
UK: There are things we know, and there are things we don't know. We need PNR data to find unknown terrorists and trafficers. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
<a class="account-group js-account-group js-action-profile js-user-profile-link js-nav" data-user-id="835417375" href="https://twitter.com/ThmsvdVlk"><span class="fullname js-action-profile-name show-popup-with-id">RT </span><span class="username js-action-profile-name" data-aria-label-part="">@ThmsvdVlk</span>:</a><a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> UK says it provided examples to Parliament. Anekdotal yes, not evidence. UK now again providing an example</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
<div class="js-tweet-text-container">
</div>
UK: Use of term "profiling" by <a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="36329597" dir="ltr" href="https://twitter.com/Europarl_EN">@Europarl_EN</a> is wrong. PNR relates to travel pattern, not person's character. [well: "terrorist"?] <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
UK: Vast majority of <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> data will never be subject to human review, only sifted through by computers.</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
UK attacks <a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="36329597" dir="ltr" href="https://twitter.com/Europarl_EN">@Europarl_EN</a> legal service agent: "His assertions about Canadian law are just wrong".</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
UK repeats <a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="157981564" dir="ltr" href="https://twitter.com/EU_Commission">@EU_Commission</a>: Critical report by Canadian DPA shows that independent oversight works. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a>.</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Last statement by <a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="596377986" dir="ltr" href="https://twitter.com/EU_EDPS">@EU_EDPS</a>, agent is <a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="17895604" dir="ltr" href="https://twitter.com/buchtan">@buchtan</a>. Refers to PNR data demands by other countries, incl. Saudi-Arabia, Russia. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="596377986" dir="ltr" href="https://twitter.com/EU_EDPS">@EU_EDPS</a> Art. 5 of <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> agreement presumes adequacy for Canada without additional safgeguards. No judicial remedy for Europeans.</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="596377986" dir="ltr" href="https://twitter.com/EU_EDPS">@EU_EDPS</a> argues that PNR data can as well be very intrusive, including revealing religious beliefs by means of food preferences. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="596377986" dir="ltr" href="https://twitter.com/EU_EDPS">@EU_EDPS</a>: Use of <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> data is about predictive policing, based on abstract definitions of what is "suspicious" & big data. Like US.</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="596377986" dir="ltr" href="https://twitter.com/EU_EDPS">@EU_EDPS</a> Profiling of <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> similar to "Rasterfahndung" (pattern searches) in DE after 9/11. Ruled out by consitutional court in 2006.</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="596377986" dir="ltr" href="https://twitter.com/EU_EDPS">@EU_EDPS</a> dissects claims by Member States & Comission about oversight in <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a>. Not equivalent to independent authority, EU DPAs out.</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Statements in <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CJEU?src=hash">#CJEU</a> <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> hearing are over. Thomas von Danwitz, judge rapporteur, now summarising for Q&A.</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Danwitz: Passengers are not informed about collection & consequences when they book a flight. Therefore, <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> implies purpose change.</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="157981564" dir="ltr" href="https://twitter.com/EU_Commission">@EU_Commission</a>: "As Article 11 of <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> provides..." Danwitz: "We're still at the travel agency now, not in the agreement!"</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="157981564" dir="ltr" href="https://twitter.com/EU_Commission">@EU_Commission</a>: Well, that is far-fetched. Countries can demand anything from people entering their territory. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Danwitz: DRI judgement requires clear guarantees for data subjects. Should <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> data categories be clarified by law, not in annex?</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Danwitz: What exactly does "frequent flyer information" mean? All my previous flights under a given loyalty programme? <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Danwitz: What does "etc." stand for in point 5 of <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> agreement? Is that sufficiently precise?</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="36329597" dir="ltr" href="https://twitter.com/Europarl_EN">@Europarl_EN</a> lawyers are cracking up in the background.</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Danwitz now really grilling <a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="157981564" dir="ltr" href="https://twitter.com/EU_Commission">@EU_Commission</a> on the <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> annex. They already have two agents at the bar in order to deal with it.</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="157981564" dir="ltr" href="https://twitter.com/EU_Commission">@EU_Commission</a>: We were told that all the data can be used for finding terrorists or criminals. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Danwitz: That's not my question. My question is about precision of the annex of <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a>, and "mandatory" vs "optional" data. Inequality?</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Danwitz: Nothing in the <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> agreement limits databases for cross-checking to Canadian databases. Is that correct?</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="157981564" dir="ltr" href="https://twitter.com/EU_Commission">@EU_Commission</a>: Data is used for profiling first, only suspicious data compared with other databases. Danwitz: It's not in the agreement!</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Danwitz: The <a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="596377986" dir="ltr" href="https://twitter.com/EU_EDPS">@EU_EDPS</a> asked you to exclude sensitive data. No explicit exclusion in <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> agreement, however. Reason (except "useful")?</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="157981564" dir="ltr" href="https://twitter.com/EU_Commission">@EU_Commission</a>: See Article 8. Danwitz: Hmh, ok.</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Danwitz: Why do you not demand statistics in <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> agreement, as in the EU directive? .<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="157981564" dir="ltr" href="https://twitter.com/EU_Commission">@EU_Commission</a>: Canadians still do statistics.</div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Danwitz: So you don't have any data on how many convicted passengers were, let's say, muslims? - No. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Danwitz: Can all data be freely exchanged with other Canadian
authorities, subject to Art. 18? - COM: Yes, but case-by-case only <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Danwitz: Should adequacy finding better be made by EU institutions (c.f. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/Schrems?src=hash">#Schrems</a>), not negotiated with the third country? <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Danwitz: Art. 19 only limits 3rd country transfer for "Canadian Competent Authority". What about other Canadian authorities? <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Danwitz: The whole "a posteriori" approach of rights enforcement worries me. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Danwitz: Could I object to the algorithm that sifted through my data? - COM: No. Danwitz: Why not? COM: "Prevention" <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Danwitz: Even when I leave Canada again, my data stays with their
authorities for five years. Why? I have a difficulty with this. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
Danwitz: Are all 28 Mio passengers who go to Canada each year subject to
such measures, even if completely unsuspicious? COM: yes <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="ProfileTweet-actionCountList u-hiddenVisually">
<div class="js-tweet-text-container">
<div class="TweetTextSize TweetTextSize--16px js-tweet-text tweet-text" data-aria-label-part="0" lang="en">
<a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> hearing now into lunch break until 15:00. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CJEU?src=hash">#CJEU</a></div>
</div>
<div class="js-tweet-text-container">
<a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CJEU?src=hash">#CJEU</a> <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> hearing has started again. <a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="157981564" dir="ltr" href="https://twitter.com/EU_Commission">@EU_Commission</a> to answer question from before lunch - "should we all be subject to surveilance"?</div>
<div class="js-tweet-text-container">
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="157981564" dir="ltr" href="https://twitter.com/EU_Commission">@EU_Commission</a> also now claims there is no "profiling". And then explains what kind of profiling is done with <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> data. m(</div>
<div class="js-tweet-text-container">
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="157981564" dir="ltr" href="https://twitter.com/EU_Commission">@EU_Commission</a> to answer on lack of statistics on use of data, but merely makes false claims on "anonymous" and "deleted". <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="js-tweet-text-container">
Judge von Danwitz lectures COM that data are actually not "anonymised" after 30 days. "It bothers me when you're not precise" <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="js-tweet-text-container">
Danwitz: You could really anonymise data after 30 days. Or delete data of non-suspicious persons at after they leave Canada. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="js-tweet-text-container">
Danwitz now lecturing on ECtHR case-law re possible discrimination of persons by data stored about them. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="js-tweet-text-container">
Danwitz: Does the data "stigmatise" everyone or just some? That's the question. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a>. Now questions from AG and other judges.</div>
<div class="js-tweet-text-container">
Now Paolo Mengozzi, advocate-general for this case, with questions on the legal basis of <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a>. "COM can rest, but just for a bit"</div>
<div class="js-tweet-text-container">
Council legal service on special carve-out protocols for UK, Ireland and Denmark on judicial cooperation. Q: Have they voted on <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a>?</div>
<div class="js-tweet-text-container">
AG Mengozzi with Q for COM: Why limitation on sensitive data only for
"competent authority", not Canada as a whole? - COM: "..." <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="js-tweet-text-container">
Mengozzi: Why limitations for transfers to 3rd countries also only for
"competent authority", and no limitations for recipients? <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="js-tweet-text-container">
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="157981564" dir="ltr" href="https://twitter.com/EU_Commission">@EU_Commission</a>: 3rd country authorities not really a concern for us, as they only receive already "filtered" data case-by-case. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="js-tweet-text-container">
AG Mengozzi: "This seems absurd to me." Chance for survival of <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> getting slimmer by the minute.</div>
<div class="js-tweet-text-container">
Mengozzi now with question to <a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="36329597" dir="ltr" href="https://twitter.com/Europarl_EN">@Europarl_EN</a> on <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a>: Legal basis: data protection or judicial cooperation? Could it be both? <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="js-tweet-text-container">
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="36329597" dir="ltr" href="https://twitter.com/Europarl_EN">@Europarl_EN</a>: We think it's data protection (Art. 16 TFEU), but could be both. One reason we submitted <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> to you.</div>
<div class="js-tweet-text-container">
Mengozzi: Article 4(1) of <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a>: "EU shall ensure air carriers are not prevented from transferring PNR data" But there are limits!</div>
<div class="js-tweet-text-container">
Mengozzi: Where does the /obligation/ for transfers come from then?<a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="js-tweet-text-container">
.@Europarl_EU: Our problem is that we don't know Canada's or even the EU's interpretation of this. Canadian law not referenced. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="js-tweet-text-container">
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="36329597" dir="ltr" href="https://twitter.com/Europarl_EN">@Europarl_EN</a>: We also don't know who will be the supervisory authority / body in Canada either. Should be specified! <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="js-tweet-text-container">
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="36329597" dir="ltr" href="https://twitter.com/Europarl_EN">@Europarl_EN</a>: Art. 4(1) would neutralise any EU data protection legislation with regards to data transfers. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="js-tweet-text-container">
Judge Rosas to Council with question on legal basis: Should certain Member States vote on instruments that do not bind them? <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="js-tweet-text-container">
Council: Well, on the new <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/EUdataP?src=hash">#EUdataP</a> directive for law enforcement, Denmark will vote, but still unclear if and how it is bound. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="js-tweet-text-container">
Q: Has a link to the Schengen acquis been considered, including to cover Norway, Switzerland, Iceland? <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="js-tweet-text-container">
Council (other lawyer): Schengen link was not considered. Re DK, IE, UK:
They are bound to a certain extent, therefore can vote. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="js-tweet-text-container">
Judge Regan to @Europarl_EU: How do you reconcile your dataprotection
arguments with your declared comittment to fight terrorism? <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="js-tweet-text-container">
.@Europarl_EU: You can have general <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/EUdataP?src=hash">#EUdataP</a> rules, but you can also have special DP rules for anti-terror instruments. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="js-tweet-text-container">
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="36329597" dir="ltr" href="https://twitter.com/Europarl_EN">@Europarl_EN</a>: Look at Art. 5 <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a>: Canadian authoriy "is deemed to provide an adequate level of protection" - problematic!</div>
<div class="js-tweet-text-container">
Judge Rosa to COM: Which PNR data in the annex are sensitive? Art. 2(e) (sensitive data) doesn't refer to specific data types. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="js-tweet-text-container">
.<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="157981564" dir="ltr" href="https://twitter.com/EU_Commission">@EU_Commission</a>: Only point 17, Special Service Request Information etc. Judge: How can we be sure none of the others? Unclear. <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="js-tweet-text-container">
Judge Rosas grilling COM now: Why is Art. 2(e) then not directly referencing point 17 of annex? <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="js-tweet-text-container">
Judge von Danwitz: What about point 18 annex? "API data collected for
reservation purposes"? COM: No. Judge: How can we be sure? <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="js-tweet-text-container">
Closing statements now. .<a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="157981564" dir="ltr" href="https://twitter.com/EU_Commission">@EU_Commission</a>, pretty deperate: Data protection must not turn into an area of fear! <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> </div>
<div class="js-tweet-text-container">
UK lawyer by far with strongest and most well-informed arguments in favour of <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a>. Must be the wig.</div>
<div class="js-tweet-text-container">
UK: WHole purpose of <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> is to ensure that Canada has equivalent protections. Not to install EU DPA oversight over Candian DPA.</div>
<div class="js-tweet-text-container">
Advocate-General Paolo Mengozzi will present his opinion on <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> on 30th June. Session is closed.</div>
<div class="js-tweet-text-container">
</div>
<div class="js-tweet-text-container">
The <a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="36329597" dir="ltr" href="https://twitter.com/Europarl_EN">@Europarl_EN</a> inofficial twitter team says thanks for RTs and favs! <a class="twitter-hashtag pretty-link js-nav" data-query-source="hashtag_click" dir="ltr" href="https://twitter.com/hashtag/CanadaPNR?src=hash">#CanadaPNR</a> <a class="twitter-atreply pretty-link js-nav" data-mentioned-user-id="835417375" dir="ltr" href="https://twitter.com/ThmsvdVlk">@ThmsvdVlk</a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-1L6KwWjbmOw/VwraGJTKbtI/AAAAAAAAAK8/5DNvsN4-kEMt7wTFnBVkDg3D5f_O8Vk3g/s1600/CanadaPNR-Twitter-team.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://4.bp.blogspot.com/-1L6KwWjbmOw/VwraGJTKbtI/AAAAAAAAAK8/5DNvsN4-kEMt7wTFnBVkDg3D5f_O8Vk3g/s320/CanadaPNR-Twitter-team.jpg" width="320" /></a></div>
</div>
</div>
Ralf Bendrathhttp://www.blogger.com/profile/10683156686424057297noreply@blogger.com1tag:blogger.com,1999:blog-34116157.post-71630366938109080522015-05-11T01:13:00.000+02:002015-06-05T17:58:03.774+02:00Trade Agreements and the Internet - and the Zombies I had the pleasure of speaking about what trade agreements such as TTIP or TiSA may do to the internet at <a href="https://re-publica.de/">re:publica</a>, the greatest European conference about the digital society. The <a href="https://re-publica.de/session/trade-agreements-and-net-faq-panel">talk</a> was together with Estelle Massé, Gaelle Krikorian, and Sanya Reid Smith.<br />
<br />
Here are the <a href="http://userpage.fu-berlin.de/~bendrath/Trade%20Agreements%20and%20the%20Net%20-%20rp15.ppt">slides</a>, and here is the <a href="https://www.youtube.com/watch?v=Mps-5Y1JeL8">video recording</a>. They may contain Plants and Zombies.
<iframe width="360" height="215" src="https://www.youtube.com/embed/Mps-5Y1JeL8" frameborder="0" allowfullscreen></iframe>Ralf Bendrathhttp://www.blogger.com/profile/10683156686424057297noreply@blogger.com0tag:blogger.com,1999:blog-34116157.post-27162593042542836532015-02-28T17:43:00.000+01:002019-03-15T19:28:56.637+01:00White House releases draft Consumer Privacy BillThe US <a href="http://www.whitehouse.gov/sites/default/files/omb/legislative/letters/cpbr-act-of-2015-discussion-draft.pdf">"Administration Discussion Draft: Consumer Privacy Bill of Rights Act of 2015"</a> was released yesterday. It follows up to the 2012 <a href="https://templatearchive.com/consumer-privacy-bill-of-rights/">"Consumer Privacy Bill of Rights"</a> from President Obama. <br />
<br />
The draft bill sets out some basic definitions and principles, such as "reasonable" collection of personal data, and consumer rights, such as access to their own data. For enforcement, it gives the Federal Trade Commission the powers to approve and enforce Codes of Conduct submitted by different industry sectors. So far, the FTC has enforced certain data protection rules under Title V of the FTC act, which prohibits "unfair and deceptive trade practices".<br />
<br />
At first glance, the draft has a number of serious issues, especially if you look at it from an EU data protection perspective. A few points are worth mentioning:<br />
<br />
1) The bill exempts "Cybersecurity data" from the scope:<br />
<blockquote class="tr_bq">
The term “personal data” shall not include cyber threat indicators collected, processed, created, used, retained, or disclosed in order to investigate, mitigate, or otherwise respond to a cybersecurity threat or incident, when processed for those purposes."</blockquote>
This does not make any sense. It may be reasonable to allow the processing of personal data for IT security purposes (as certain drafts of the planned EU data protection regulation do), but with this approach, things such as IP addresses are removed from the scope of the privacy bill.<br />
<br />
2) The bill is contradictory. It states in section 103:<br />
<blockquote class="tr_bq">
"If a covered entity processes personal data in a manner that is reasonable in light of context, this section does not apply",</blockquote>
and then in section 104, it says<br />
<blockquote class="tr_bq">
"Each covered entity may only collect, retain, and use personal data in a manner that is reasonable in light of context."</blockquote>
To me it is completely unclear when section 103 would apply at all... <br />
<br />
3) Title III of the bill recycles the "Safe Harbor" term and the idea of self-certification which has consistently been criticised by the European Parliament and privacy experts from around the world since the EU Commission and the US Department of Commerce came up with the Safe Harbor approach in 2000:<br />
<blockquote class="tr_bq">
"Safe Harbor Protection.—In any suit or action brought under Title II of this Act for alleged violations of Title I of this Act, the defendant shall have a complete defense to each alleged violation of Title I of this Act if it demonstrates with respect to such an alleged violation that it has maintained a public commitment to adhere to a Commission-approved code of conduct that covers the practices that underlie the suit or action and is in compliance with such code of conduct."</blockquote>
At least compliance is required, not just the mere committment, but the underlying problem is that the FTC would only be able to review submitted codes, not develop and issue their own ones.
<br />
<br />
4) The draft would preempt state laws, some of which, such as the Californian one, are stronger than the White House proposal.<br />
<br />
5) The bill would exempt start-ups from data privacy requirements for the first 18 months.
This will encourage an approach such as "grow quickly and ruthlessly while collecting as much data as you can, and sell to the highest bidder after 18 months". I don't think this is good for a sustainable long-term business strategy.<br />
<br />
6) The penalties section (203) is quite interesting, however:
<br />
<blockquote class="tr_bq">
"(1) The civil penalty shall be calculated by multiplying the number of days that the covered entity violates the Act by an amount not to exceed $35,000; or<br />
(2) If the Commission provides notice to a covered entity, stated with particularity, that identifies a violation of this Act, the civil penalty shall be calculated by multiplying the number of directly affected consumers by an amount not to exceed $5,000 (...)"</blockquote>
This could easily exceed the 5% annual global turnover which the European Parliament has set as the maximum penalty in its version of the coming Data Protection Regulation.<br />
<br />
This
Washington Post article gives a <a href="http://www.washingtonpost.com/blogs/the-switch/wp/2015/02/27/the-white-houses-draft-of-a-consumer-privacy-bill-is-out-and-even-the-ftc-is-worried/">good summary</a> of the reactions (in short: The FTC is not happy, the NGOs are not happy, industry is partially happy, except for the libertarians).<br />
<br />
The White House apparently did not manage to find bipartisan congressional sponsors before releasing it, so this and the timing (Friday afternoon) has lead some observers to believe already that it's <a href="http://techfreedom.org/post/112261952429/obama-escalates-crackdown-on-the-open-internet">"dead in the water"</a>.<br />
<br />
Senator Ed Markey, known as a strong privacy defender, has criticised the draft for not doing enough for consumers here. As a result, he has <a href="http://www.markey.senate.gov/news/press-releases/markey-white-house-privacy-bill-of-rights-needs-to-go-further">announced</a> that he will present his own draft next week (!).
<br />
<br />
There will be loads of things to discuss for the European Parliament delegation that will visit Washington mid-March. Among the MEPs taking part are Jan Philipp Albrecht, vice-chair of the Civil Liberties, Justice and Home Affairs Committee and rapporteur for the EU Data Protection Regulation and for the EU-US Data Protection Umbrella Agreement, and Claude Moraes, chair of the same committee and rapporteur for the NSA mass surveillance inquiry and its upcoming follow-up.Ralf Bendrathhttp://www.blogger.com/profile/10683156686424057297noreply@blogger.com2tag:blogger.com,1999:blog-34116157.post-31869804675129933672014-10-03T18:02:00.000+02:002014-10-03T18:02:41.001+02:00The Ballad of Google SpainThe <a href="http://curia.europa.eu/juris/documents.jsf?pro=&lgrec=de&nat=or&oqp=&lg=&dates=&language=en&jur=C%2CT%2CF&cit=none%252CC%252CCJ%252CR%252C2008E%252C%252C%252C%252C%252C%252C%252C%252C%252C%252Ctrue%252Cfalse%252Cfalse&num=C-131%252F12&td=%3BALL&pcs=Oor&avg=&page=1&mat=or&jge=&for=&cid=376533">judgement of the European Court of Justice in the case Google Spain</a> from May 2014 has caused a very diverse and intense debate that is not finished by far. Though the ruling does not contain this, it has become known as the "right to be forgotten"-ruling, or <a href="https://twitter.com/search?q=%23R2BF">#R2BF</a>.<br />
<br />
The best summary by far has been provided by <a href="http://paulbernal.wordpress.com/">Paul Bernal</a>. The analysis is very much to the point, but even better: For the national poetry day yesterday, he wrote it in the form of a poem!<br />
<blockquote class="tr_bq">
The Ballad of Google Spain<br />
<br />
There was a case, called ‘Google Spain’<br />
That caused us all no end of pain<br />
Do we have a right to be forgotten?<br />
Are Google’s profits a touch ill-gotten?
</blockquote>
<br />
<a href="http://paulbernal.wordpress.com/2014/10/02/the-ballad-of-google-spain/">read the full poem</a>Ralf Bendrathhttp://www.blogger.com/profile/10683156686424057297noreply@blogger.com0tag:blogger.com,1999:blog-34116157.post-36936832413951598652014-10-03T17:50:00.001+02:002014-10-03T17:50:05.403+02:00TTIP and TiSA: big pressure to trade away privacyI have been asked by Statewatch before the summer to contribute to their collection of essays and analyses on transatlantic relations. I wrote an analysis of the pressure on European data protection and privacy rules, including strategic discourses and lobbying around it. It is based on the documents that are available so far.<br />
<br />
The paper has finally been published in September, very timely after the end of the Brussels and Washington summer break.<br />
<a href="http://www.statewatch.org/analyses/no-257-ttip-ralf-bendrath.pdf">TTIP and TiSA: big pressure to trade away privacy</a>, Statewatch Analysis 257, September 2014Ralf Bendrathhttp://www.blogger.com/profile/10683156686424057297noreply@blogger.com0tag:blogger.com,1999:blog-34116157.post-55005149073584326972013-12-14T01:24:00.001+01:002014-04-06T03:09:08.819+02:00layers of the struggle privacy vs surveillance, in my picture of the year<span class="userContent">This is the picture of the year for me, on so many
different layers: </span><br />
<span class="userContent">Stewart Baker, ex-NSA general counsel, and Jacob
Appelbaum, internet freedom activist/hacker/journalist (left, right). </span><br />
<img alt="Eingebetteter Bild-Link" height="326" src="https://pbs.twimg.com/media/BbYqgdMIgAAX7Wk.jpg" width="435" /><br />
<ul>
<li><span class="userContent">They pretty much symbolise the two sides of the global scandal of the year.</span></li>
<li><span class="userContent"><span class="text_exposed_show">They also symbolise the attitudes of both sides.</span></span></li>
<li><span class="userContent"><span class="text_exposed_show">This struggle has defined a large part of my professional life in 2013.</span></span></li>
<li><span class="userContent"><span class="text_exposed_show">I was involved in defining much of this struggle (at least on the EU
Parliament side) as a large part of my professional life in 2013.</span></span></li>
<li><span class="userContent"><span class="text_exposed_show">I was on a panel with both of them yesterday, which was one of the most unlikely things I ever imagined in my life.</span></span></li>
<li><span class="userContent"><span class="text_exposed_show">This picture was one of the more unlikely pictures in my life of which I imagined to be there when they were taken. </span></span></li>
<li><span class="userContent"><span class="text_exposed_show">But hey, I was involved in pulling that panel together. </span></span></li>
<li><span class="userContent"><span class="text_exposed_show">Most basic question that says it all: With whom of these guys would you prefer to hang out and collaborate
and try to change the world? The answers to this one again can be on
many layers, but they actually converge to the same answer.</span></span></li>
<li><span class="userContent"><span class="text_exposed_show">[fill in your own layer in the comments / shares] </span></span></li>
</ul>
<span class="userContent"><span class="text_exposed_show">(picture by Omer Tene, who also moderated the panel) </span></span><br />
<br />
<span class="userContent"><span class="text_exposed_show"><b>Update, 6 April 2014:</b> Jake and Stewart now finally got into the <a href="https://twitter.com/stewartbaker/status/451893415878209536">heated discussion</a> they were supposed to have back in December. </span></span><br />
<ul>
</ul>
Ralf Bendrathhttp://www.blogger.com/profile/10683156686424057297noreply@blogger.com2tag:blogger.com,1999:blog-34116157.post-89341967683512122922012-12-09T03:46:00.001+01:002012-12-12T15:02:10.267+01:00EU Commission: No new law enforcement databases neededIn a <a href="http://ec.europa.eu/dgs/home-affairs/e-library/documents/policies/police-cooperation/general/docs/20121207_com_2012_735_en.pdf">communication</a> and a <a href="http://europa.eu/rapid/press-release_IP-12-1330_en.htm">press release</a>, somewhat hidden on a <strike>Saturday</strike> Friday for whatever reasons, European Union Home Affairs Commissioner Cecilia Malmström announced that her services had done an assessment of EU-wide law enforcement information exchange mechanisms. She concluded that<br />
<blockquote class="tr_bq">
information exchange generally works well, and <b>no new EU-level law
enforcement databases are therefore needed</b> at this stage. </blockquote>
This is the first time in a long while that a top-level home affairs official has said that they don't need more new databases. Emphasis is added in the quote for a reason!<br />
<br />
This conclusion is based on an <a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0385:FIN:EN:PDF">"Overview of information management in the area of freedom, security and justice"</a> which the Commission had released in 2010 and which introduced a number of criteria for further policy development in this field:<br />
<blockquote class="tr_bq">
<ul>
<li>Safeguarding fundamental rights, in particular the right to privacy and data protection</li>
<li>Necessity</li>
<li>Subsidiarity</li>
<li>Accurate risk management</li>
<li>Cost-effectiveness</li>
<li>Bottom-up policy design</li>
<li>Clear allocation of responsibilities</li>
<li>Review and sunset clauses</li>
</ul>
</blockquote>
In the new communication, the Commission examines a number of EU-wide information exchange instruments among law enforcement agencies. Oddly enough, they mix existing EU stuff such as Europol and the Schengen Information System (SIS) with projects started by a number of member states which have not yet been Europeanised, such as the Püm Decision or the European Border Surveillance System EUROSUR.<br />
<br />
The Commission does also not address a number of other initiatives and databases that are currently in the legislative pipeline:<br />
<ul>
<li>Eurodac, the database of fingerprints of asylum seekers, where Parliament and Council are currently debating law enforcement access;</li>
<li>EU-PNR, the proposed system of EU-wide gathering, profiling, and retention of data on all air passengers entering or leaving Europe (and with an extension to inner-European flights under discussion);</li>
<li>Smart Borders, a legislative package probably coming in early 2013, which would collect data about everbody entering and leaving the EU, including fingerprints (Entry-Exit System) and which would allow easier entering of the EU if travellers were pre-checked and profiled.</li>
</ul>
The Commission is to be applauded for such a sober look at the state of play in information exchange. Members of the European Parliament as well as several stakeholders had repretedly asked "when is it enough?" after the Commission in alliance with the Member States had pushed through massive surveillance projects such as telecommunications data retention, bulk bank data transfers to U.S. financial intelligence services through the SWIFT agreement or air passenger mass surveillance through the PNR-agreements with Australia and the U.S. Good to finally see a red line here.<br />
<br />
However, this raises urgent questions about the need for the above-mentioned measures still in the pipeline. The European Parliament is about to vote on the negotiation mandate for EU-PNR and Eurosur, and on the final agreements for law enforcement access to Eurodac. And one can wonder how the Commission will justify its "smart borders" package next year.<br />
<br />
It seems the EU institutions should stop current initiatives and have a more general debate on further databases and information exchange in the field of justice and home affairs. It would make sense to align this with the debates on the work programme of the upcoming Irish Council presidency as well as the legislative reports from the Parliament on the EU data protection reform, which both will be debated in the Civil Liberties, Justice and Home Affairs Committee on 10th January 2013. Ralf Bendrathhttp://www.blogger.com/profile/10683156686424057297noreply@blogger.com0tag:blogger.com,1999:blog-34116157.post-78958402418168454222012-07-07T18:44:00.002+02:002012-07-07T21:19:15.615+02:00Post-ACTA: declassified negotiation documents on criminal provisionsImmediately after the <a href="http://tales-of-the-sausage-factory.wetmachine.com/eu-parliament-rejects-acta-defeat-ustr-starts-to-get-clue-mpaariaa-still-in-denial/">defeat</a> of the notorious Anti-Counterfeiting Trade Agreement (ACTA) in the European Parliament on 4th of July, it seems the institutions are quickly wrapping it up. Right on the next day, the Council of the European Union has declassfied the different (and still secret) negotiation versions of the ACTA criminal sanctions chapter (these fall under Council competence, whereas the Commission was in charge of the general trade provisions). A list in chronological order is provided below. Let's see if the Commission will also declassify the other chapters.<br />
<br />
21 November 2008<br />
<a href="http://register.consilium.europa.eu/pdf/en/08/st15/st15588-re02.en08.pdf">http://register.consilium.europa.eu/pdf/en/08/st15/st15588-re02.en08.pdf</a><br />
<br />
3 December 2008<br />
<a href="http://register.consilium.europa.eu/pdf/en/08/st15/st15588-re03.en08.pdf">http://register.consilium.europa.eu/pdf/en/08/st15/st15588-re03.en08.pdf</a><br />
<br />
25 March 2009<br />
<a href="http://register.consilium.europa.eu/pdf/en/09/st08/st08031-re01.en09.pdf">http://register.consilium.europa.eu/pdf/en/09/st08/st08031-re01.en09.pdf</a><br />
<br />
9 October 2009<br />
<a href="http://register.consilium.europa.eu/pdf/en/09/st13/st13867-re01.en09.pdf">http://register.consilium.europa.eu/pdf/en/09/st13/st13867-re01.en09.pdf</a><br />
<br />
19 October 2009<br />
<a href="http://register.consilium.europa.eu/pdf/en/09/st14/st14696-re01.en09.pdf">http://register.consilium.europa.eu/pdf/en/09/st14/st14696-re01.en09.pdf</a><br />
<br />
29 October 2009<br />
<a href="http://register.consilium.europa.eu/pdf/en/09/st15/st15044-re01.en09.pdf">http://register.consilium.europa.eu/pdf/en/09/st15/st15044-re01.en09.pdf</a><br />
<br />
22 December 2009<br />
<a href="http://register.consilium.europa.eu/pdf/en/09/st17/st17779-re01.en09.pdf">http://register.consilium.europa.eu/pdf/en/09/st17/st17779-re01.en09.pdf</a>Ralf Bendrathhttp://www.blogger.com/profile/10683156686424057297noreply@blogger.com0tag:blogger.com,1999:blog-34116157.post-4747782774520541792012-07-04T03:38:00.000+02:002012-07-04T03:45:46.098+02:00EU Commission will link data retention reform to e-privacy reform in 2013EU home affairs commissioner <a href="http://www.faz.net/aktuell/politik/europaeische-union/eu-innenkommissarin-cecilia-malmstroem-wir-waren-sehr-geduldig-mit-deutschland-11808962.html">Cecila Malmström has announced in an interview with German newspaper Frankfurter Allgemeine Zeitung</a> that she will not propose a revision of the notorious <a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32006L0024:en:HTML">data retention directive </a>this year. Instead, she will work with information society commissioner Neelie Kroes to review the <a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:en:HTML">e-privacy directive</a> and the data retention directive together in 2013.<br />
<br />
This is big news. Malmström and her services have been struggling with the data retention reform for almost two years. Now she and Kroes want to reform it together with the e-privacy directive in a package, both closing loopholes for further data use in the latter and reducing retention periods and police access in the former. <br />
<br />
My reading is this: The liberal Malmström does not know how to get out of this data retention mess in one piece, with activists and "the internet" (c.f. ACTA) on one side, and home affairs ministers in Council on the other side. So she is now siding with Kroes in a hope to get anything agreed under the stewartship of an experienced telco regulator. They will try to ease industry opposition and in return get an okay for a limited version of data retention.<br />
<br />
The big question is: How will this interact with the <a href="http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm">data protection reform package</a> proposed by justice commissioner Viviane Reding in January? It was supposed to also amend and have an impact on the e-privacy directive with the <a href="http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf">data protection regulation for the internal market</a>, and the proposed <a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52012PC0010:en:NOT">directive on data protection in the law enforcement field</a> would need some rules on access of police investigators to corporate databases about their customers.<br />
<br />
Time for some interesting coalition-building of institutional players, activists and lobbyists all across the field.<br />
<br />
Competing schools in political science would suggest:<br />
<ol>
<li>Whoever gets the major conflict lines and narratives set up first and firmly, will win (constructivism);</li>
<li>Whoever controls the institutional agenda, will win (institutionalism);</li>
<li>Whoever is in better understanding of economic and political interests, will win (realism).</li>
</ol>
And this finally reminds me of my academic years and also shows how unpredictable all of this is in theory. Think ACTA, again.Ralf Bendrathhttp://www.blogger.com/profile/10683156686424057297noreply@blogger.com0tag:blogger.com,1999:blog-34116157.post-55531572171465085752012-06-02T17:25:00.005+02:002012-06-04T15:38:30.377+02:00EU Commission to present regulation on electronic identity cards (Update)EU information society commissioner Neelie Kroes will present a new regulation on the mutual recognition of national e-ID systems on Monday (4th June), according to news reports. There will for sure be a number of data protection issues related to this.<br /><br />This is from the <a href="http://ec.europa.eu/atwork/programmes/docs/cwp2012_annex_en.pdf">Commission Work Programme 2012</a>:<br /><blockquote><u>Pan European framework for electronic identification, authentication and signature - Legislative</u><br /><br />The proposal will present legislation to boost trust and facilitate electronic transactions notably by ensuring the mutual recognition of electronic identification and authentication across the EU, and of Electronic Signatures. (2nd quarter 2012)<br /></blockquote>Electronic identification and authentication schemes have a number of data protection issues. <a href="http://www.euractiv.com/infosociety/brussels-wants-identities-eu-citizens-news-512833">EurActiv.com has seen an internal Commission paper</a> which shows that EU Justice Commissioner Viviane Reding (in charge of data protection) seems to only focus on breach notifications<http: com="" infosociety="" 512833="">.<br /></http:><span style="display: block;" id="formatbar_Buttons"><span class=" down" style="display: block;" id="formatbar_CreateLink" title="Link" onmouseover="ButtonHoverOn(this);" onmouseout="ButtonHoverOff(this);" onmouseup="" onmousedown="CheckFormatting(event);FormatbarButton('richeditorframe', this, 8);ButtonMouseDown(this);"><img src="http://www.blogger.com/img/blank.gif" alt="Link" class="gl_link" border="0" /></span></span><br /><http: com="" infosociety="" 512833="">But I am not sure anyone is addressing the inherent data protection issues related to functioning and non-breached e-ID schemes, such as the problem that the issuing authority ("identity provider" in technical jargon) may be notified every time one uses his or her eID card. I hope that someone reminds the Commission of e.g. the <a href="http://bendrath.blogspot.be/2008/03/statement-on-identity-management-and.html">recommendations on "</a></http:><a href="http://bendrath.blogspot.be/2008/03/statement-on-identity-management-and.html">Identity Management and Reputation"</a> <http: com="" infosociety="" 512833="">from Civil Society to the OECD ministerial meeting </http:><a href="http://www.oecd.org/FutureInternet">"The Future of the Internet Economy"</a> in Seoul in June 2008.<br /><http: com="" infosociety="" 512833=""><br />What does not seem to be the case is an EU-wide obligation for member states to introduce eID schemes or even use a harmonised European standard, as had been reported by more europsceptic, right-wing and conspiracy-driven news websites.<br /><br /><span style="font-weight: bold;">Update:</span> Here is the <a href="http://ec.europa.eu/information_society/policy/esignature/docs/regulation/com_2012_2038_en.pdf">draft regulation</a>, here is an <a href="http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/12/403&format=HTML&aged=0&language=EN&guiLanguage=en">FAQ</a> from the Commission.<br /></http:>Ralf Bendrathhttp://www.blogger.com/profile/10683156686424057297noreply@blogger.com3tag:blogger.com,1999:blog-34116157.post-72793832120966023032011-06-15T23:11:00.002+02:002011-06-15T23:52:23.179+02:00EU Fundamental Rights Agency: EU-PNR Directive not goodThe <a href="http://www.fra.europa.eu/fraWebsite/home/home_en.htm">Fundamental Rights Agency</a> of the European Union (FRA) has finished its <a href="http://www.nopnr.org/wp-content/uploads/2011/06/FRA_PNR_Opinion_14-June-2011.pdf">opinion on the proposed directive for an EU-PNR system</a> for the retention and mass analysis of flight passenger data. It had been asked by the Civil Liberties Committee of the European Parliament in March 2011, on initiative of the Greens/EFA group.<br /><br />I provide a summary of the most important findings below. A summary in their own words is at page 20.<br /><br />Further reading: In the meantime, the legal service of the EU Council has also <a href="http://gruen-digital.de/wp-content/uploads/2011/05/Gutachten-JD-Rat-PNR.pdf">shred the proposed directive into pieces</a> (German version only, sorry!).<br /><br />The FRA opinion criticises the proposed PNR directive on the following grounds:<br /><br /><span style="font-weight: bold;font-size:100%;" >1) Data Protection Violations</span><br />FRA shares the concerns published by the EUropean Data Protection Supervisor (EDPS) and the Article 29 Working Party. The FRA opinion therefore is seen as complementing it and only touches on issues that are not addressed by the data protection bodies:<br /><blockquote>"In general, the FRA shares these analysis and opinions and takes them as a point of departure. This FRA opinion complements and adds to the opinions of the EDPS and the Article 29 Working Group by focusing on topics from a broader fundamental rights perspective." (p. 5)</blockquote><span style="font-weight: bold;">2) Ban of Discrimination not sufficiently respected</span><br /><br /><span style="font-weight: bold;">a) Discriminatory Profiling based on sensitive Data:</span> The directive would have to exclude many more categories than the ones listed in articles 5 and 11. The Commission did not cover the following categories in its proposal, though they are protected under EU law:<br /><blockquote>"[I only list the ones not covered by the proposed directive, RB] sex, colour, social origin, genetic features, language, any other opinion (beyond political views), membership of a national minority, property, birth, disability, age” (p. 7)</blockquote><span style="font-weight: bold;">b) Indirect Discrimination based on Profiling for Other Data:</span> This would also be prohibited and is not by the proposed directive. It includes all data categories that are not covered by a) (p. 9). To me it reads like a cautiously written general ban on profiling, because any data category can be used for discrimination. Surveillance studies scholars have called profiling "digital discrimination" years ago.<br />An example by anaologue: Discrimination based on language or nationality or religion is banned, but if someone travels from Islamabad to Mekka once a year, you can assume he or she is Muslim. This would be prohibited.<br /><br /><span style="font-weight: bold;">3) Clarity of the law is not given:</span><br /><blockquote>"Individual passengers may be generally aware that their flight details are being recorded and exchanged but will typically know neither the assessment criteria applied nor whether or not they have been flagged by the system for further scrutiny. Therefore, any measure giving the authorities power to interfere with fundamental rights should contain explicit, detailed provisions" (p. 12) </blockquote>This clarity is lacking because of<br /><br /><span style="font-weight: bold;">a) Generic clauses</span> such as “general remarks (...) such as" in the description of the data transmitted, retained and analysed (item 12 in the annex to the proposed directive, see p. 13 of FRA opinion). The types of data are also not limited:<br /><blockquote>"The explanatory text within the brackets also indicates solely what kind of information is included, but does not limit the data to be collected. This might possibly permit unlimited information gathering and transfer and, therefore, might not be justified by the purpose of the PNR system" (p. 13)</blockquote><span style="font-weight: bold;">b) Purpose Limitation is lacking:</span><br /><blockquote>"The definition of serious crime included in Article 2 (h) includes an open formulation: (...) the discretion the proposal grants Member States to decide which crimes are covered and which are not seems unnecessarily broad." (p. 14)</blockquote><span style="font-weight: bold;">c) Data Matching is unspecified: </span><br /><blockquote>"Article 4 (2) (b) states that “the Passenger Information Unit may compare PNR data against relevant databases, including international or national databases or national mirrors of Union databases, where they are established on the basis of Union law, on persons or objects sought or under alert, in accordance with Union, international and national rules applicable to such files.” This provision allows for matching PNR data ‘with undetermined databases’. Because the databases are not specified, the use of PNR data might not reach the required level of foreseeability" (p. 14)</blockquote><span style="font-weight: bold;">4) No Proof of Necessity:</span><br /><blockquote>"The FRA is aware that further evidence proving the necessity of a PNR system might exist beyond what was disclosed." (p. 15)<br /></blockquote>In plain English: Do your homework! (Fun fact: The Commission currently has the same problem with regards to the evaluation of the data retention directive 2006/24/EC, where they were not able to prove the necessity based on hard data.)<br /><br /><span style="font-weight: bold;">5) False Positives / Repression against Innocent People</span><br /><blockquote>"The examples provided by the European Commission relate only to cases in which PNR data were successfully used in the course of investigations. For a more complete picture, it would also be necessary to analyse those cases in which the use of data proved to be misleading and led to the investigation of innocent people. Such a case is included by the European Union Committee of the UK House of Lords in its 2007 report on the EU/US Passenger Name Record (PNR) Agreement: the case of Maher Arar." (p. 16)</blockquote><span style="font-weight: bold;">6) Proportionality of Applying the Measures to all Passengers</span>: The FRA quotes at length from rulings by the German Constitutional Court etc., and then concludes:<br /><blockquote>"The FRA suggests for proportionality reasons to include an explicit obligation in the proposal to make every reasonable effort to define assessment criteria in a manner which ensures that as few innocent people as possible are flagged by the system. This aspect could also play an important role for the review envisaged in Article 17 of the proposal which states that special attention should be given in the course of the review to “the quality of the assessments”. (p. 18)</blockquote><span style="font-weight: bold;">7) Effective Oversight unclear:</span> Any data protection oversight must be fully independent and must have powers of investigation and binding rulings, which apparently is not clear from the proposed directive draft. (p. 19f)Ralf Bendrathhttp://www.blogger.com/profile/10683156686424057297noreply@blogger.com2tag:blogger.com,1999:blog-34116157.post-14484457781666076722011-06-07T23:38:00.005+02:002011-06-14T07:18:43.375+02:00Conservative hardliner admits: lack of data retention has no impact on crime clearance rateUwe Schünemann, conservative home affairs minister of the German Land of Lower-Saxony, <a href="http://www.mi.niedersachsen.de/live/live.php?navigation_id=14797&article_id=96699&_psmand=33">admits</a> in a reponse to a parliamentary question:<br /><blockquote>Erhebliche Auswirkungen im Hinblick auf die Aufklärungsquote bei Straftaten, die im Zusammenhang mit dem Tatmittel Internet begangen wurden, sind für das Jahr 2010 nicht festzustellen.</blockquote>English translation:<br /><blockquote>Significant impact in terms of the clearance rate for crimes that were committed in connection with the Internet for the year 2010 can not be determined.</blockquote>After a constitutional court ruling, Germany has had no data retention in place since 2nd of March 2010.<br /><br />Fun fact I: Schünemann just received a Big Brother Award in Germany for the second time. German laudation <a href="http://www.blaetter.de/aktuell/dokumente/big-brother-award-%C2%BBinnenminister-schuenemann-ist-wiederholungstaeter%C2%AB">here</a>.<br /><br />Fun fact II: The question came from Social Democrats. This is the party that was crucial for adopting data retention in the EU in 2005 and then later in Germany. They have been losing so many votes in recent years (of course also for factors not related to privacy) that they seem to move into the right direction again. Hopefully.Ralf Bendrathhttp://www.blogger.com/profile/10683156686424057297noreply@blogger.com0tag:blogger.com,1999:blog-34116157.post-14857166035006952792011-06-07T22:33:00.002+02:002011-06-07T22:47:51.814+02:00Battle over Passenger Data is heating up<p> In late May 2011, the new draft agreements on the transfer and retention of air passenger data between the <a href="http://www.statewatch.org/news/2011/may/eu-usa-pnr-agreement-20-5-11-fin.pdf">EU and the United States</a> and between the <a href="http://www.statewatch.org/news/2011/may/eu-com-pnr-australia.pdf">EU and Australia</a> respectively have leaked to the public. The re-negotiation of the agreements from 2007, which have since then been provisionally applied, had become necessary after the European Parliament <a href="http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P7-TA-2010-0144+0+DOC+XML+V0//EN&language=EN">refused to vote on them</a> in May 2010. </p> <p> The new agreements do not substantially improve the situation with regards to the old ones. They both require that data of air passengers is transferred to public authorities (DHS in the US, Customs and Border Protection in Australia) ahead of a flight; they allow for profiling, i.e. the use of data for sorting assengers into risk categories based on pre-defined and secret criteria without an initial suspicion or criminal lead; and they allow for retention of the data up to 5.5 (Australia) and 15 (US) years. There are also provisions for onward transfer of the data to third agencies and countries. </p> <p> The agreement with the US met heavy criticism both <a href="http://fm4.orf.at/stories/1683412/">among EU member</a> states as well as <a href="http://www.guardian.co.uk/world/2011/may/25/us-to-store-passenger-data">among Members of the European Parliament</a> and <a href="http://www.edri.org/_illegal_PNR">from civil society</a>, and provoked an <a href="http://www.guardian.co.uk/technology/2011/may/26/air-passenger-data-kenneth-clarke">emergency reaction from the UK Justice secretary</a> as well as the US ambassador to the EU. At the moment, there are talks with the negotiator (DG Home Affairs of the European Commission) to re-open the text, though improvements have been made very unlikely by a recent <a href="http://thomas.gov/cgi-bin/query/D?c112:3:./temp/%7Ec1122tULiL::">resolution of the US Senate</a> that rejects European privacy demands. </p> <p> The agreement with Australia is less prominent, but still highly relevant. There is a small blocking minority in the Council, consisting of Germany, France, Belgium, Czech Republic, Ireland, Austria and Portugal, that is mainly concerned about the provisions on transfer to third countries, and sometimes about the retention periods (Germany, France). The Commission is not willing to re-negotiate, though. The Council of Justice and Home Affairs Ministers on 9th/10th June might overcome the blocking minority and the parliamentary reservations from some countries, and adopt the agreement. At the moment, a veto in the European Parliament is unlikely. In the worst case, the Australia agreement may be concluded before the summer break and open the floodgates for other such agreements, and for the first time accepting profiling and preventive policing. </p> <p> Privacy activists from EDRi members Mensenrechten.be, Digitale Gesellschaft and FoeBuD, as well as from EDRi observer AK Vorrat and other groups, <a href="http://wiki.vorratsdatenspeicherung.de/index.php?title=20110527-30-Work-and-lobby-weekend-pnr">met in Brussels from 27th to 30th May</a> to do a legal, technical and political analysis, coordinate their short-term work and plan for long-term collaboration with others. A mailing list will be set up shortly. </p> <p> Comprehensive PNR Wiki: <a href="http://wiki.vorratsdatenspeicherung.de/Passenger_Name_Record">http://wiki.vorratsdatenspeicherung.de/Passenger_Name_Record</a></p>Ralf Bendrathhttp://www.blogger.com/profile/10683156686424057297noreply@blogger.com0tag:blogger.com,1999:blog-34116157.post-71455669511628047952010-12-22T11:26:00.003+01:002010-12-22T11:36:08.315+01:00Reding asks the "Kissinger question" on Data Protection Agreement with USThe preparations for a comprehensive data protection framework agreement between the EU and the US for cases where personal data is exchanged in the context of criminal law enforcement have been finalized - in Brussels. The Council of EU Justice and Home Affairs Ministers approved the negotiation guidelines for the Commission on 3rd December.<br /><br />The US government, unfortunately, is reluctant to move forward. They seem to prefer to agree on the new Passenger Name Records (PNR) deal quickly and postpone the data protection framework - which would cover PNR, TFTP/SWIFT bank data, as well as other data exchanged between the EU and the US.<br /><br />Now, Viviane Reding came up with one of her <a href="http://www.euractiv.com/en/global-europe/eu-us-relations-je-t-aime-moi-non-plus-news-500815">unique quotes</a> again:<br /><blockquote>European Justice and Fundamental Rights Commissioner Viviane Reding criticised the US for having shown little interest in negotiating with the EU a deal to protect the private data of European citizens during terrorism probes. <p> In what appears as a remake of the so-called "Kissinger question" ('what is the EU's telephone number'?), Reding lamented that Washington had not yet appointed a negotiator for the data protection agreement.</p> <p> "I certainly can wait for a few days. <span style="font-style: italic;">But I expect to be given the telephone number</span> of the US chief negotiator before the end of the year and seriously start the talks," she said, cited by AFP. [emphasis added]<br /></p></blockquote><p></p><p>The Guardian has <a href="http://www.guardian.co.uk/world/2010/dec/20/eu-accuse-us-on-data-protection">more info</a> on Reding's recent trip to Washington.<br /></p><p>I am collecting all publicly available documents on the data protection agreement <a href="http://www.euwiki.org/COM/2010/0252">here</a>.<br /><br /></p>Ralf Bendrathhttp://www.blogger.com/profile/10683156686424057297noreply@blogger.com0tag:blogger.com,1999:blog-34116157.post-52641241250962529642010-09-30T13:57:00.004+02:002010-10-02T13:21:47.411+02:00UK sued at European Court of Justice over Deep Packet InspectionThe United Kingdom has just been sued by the European Commission because of the lack of data protection enforcement over companies that do <a href="http://userpage.fu-berlin.de/%7Ebendrath/Paper_Ralf-Bendrath_DPI_v1-5.pdf">Deep Packet Inspection</a>. The trigger that had started the infringement procedure was the <a href="http://bendrath.blogspot.com/2009/04/privacy-international-position-on.html">Phorm case</a> around DPI-based targeted advertising, but the Commission seems to be annoyed in general by the lack of rules and enforcement on telecommunications privacy. Phorm has already closed its operations in the UK as far as I know.<br /><br />So this is the first case at the European Court of Justice that involves DPI, and the first time a whole county has been sued over being too lax about DPI - as far as I am aware.<br /><br /><a href="http://europa.eu/rapid/pressReleasesAction.do?reference=IP/10/1215&format=HTML&aged=0&language=EN&guiLanguage=en">European Commission press release from today</a><br /><br /><span style="font-weight: bold;">Update:</span> More <a href="http://jurist.org/paperchase/2010/09/eu-suing-uk-over-internet-privacy.php">links to legal aspects</a> at JURIST Paperchase.Ralf Bendrathhttp://www.blogger.com/profile/10683156686424057297noreply@blogger.com1tag:blogger.com,1999:blog-34116157.post-82301124637592000962010-08-24T16:11:00.003+02:002010-08-24T16:30:53.814+02:00APSA Paper on Deep Packet InspectionAs a result of my <a href="http://bendrath.blogspot.com/2008/04/deep-packet-inspection-or-end-of-net-as.html">previous research project at TU Delft</a>, my former supervisor Milton Mueller and I have co-authored a paper on Deep Packet Inspection for the <a href="http://www.apsanet.org/content_65547.cfm?navID=193">upcoming convention</a> of the <a href="http://www.apsanet.org/">American Political Science Association (APSA)</a>:<br /><blockquote><a style="font-weight: bold;" href="http://ssrn.com/abstract=1653259">The End of the Net as We Know it? Deep Packet Inspection and Internet Governance</a></blockquote>I will not be able to attend the meeting because of the duties in my new job in the European Parliament, but Milton will be there and present our work. For those of you at APSA or in Washington DC next week, it should be an interesting panel in general: <a href="http://www.apsanet.org/mtgs/program_2010/program.cfm?event=1532568">"Global Information Technology Issues: Policy, Politics, & Methods"</a>, 2nd September, 14:00 to 15:45, Marriott Wilson Hotel, room B.<br /><br />Side note: Because APSA is now using the Social Science Research Network (SSRN) as their paper repository, you get all kinds of information on the usage of your papers. Ours, it turned out, made it to the <a href="http://papers.ssrn.com/sol3/topten/topTenResults.cfm?groupingId=870526&netorjrnl=jrnl">top ten downloads for the SSRN e-journal "Journal of Entrepreneurship, Innovation, & Growth"</a> under whose umbrella the paper was posted. Interesting, though I have to confess I had never heard of that journal before.Ralf Bendrathhttp://www.blogger.com/profile/10683156686424057297noreply@blogger.com0tag:blogger.com,1999:blog-34116157.post-67019260231512814942010-06-30T10:15:00.004+02:002010-06-30T10:45:38.220+02:00New SWIFT / TFTP Agreement still has Massive Weaknesses<p>The <a href="http://www.statewatch.org/news/2010/jun/eu-usa-draft-swift-agreement-com-final-3.pdf"><strong style="font-weight: normal;">new agreement</strong></a> on the transfer of banking data from the EU to the US Department of Treasury's Terrorist Finance Tracking Programme (TFTP), informally called "SWIFT agreement", was <strong style="font-weight: normal;">adopted by Council on Monday 28 June 2010 at 10:00 in written procedure</strong>. Minor details: Even the German liberal Minister of Justice, who had fought the agreement wildly in November, gave in. So now, even Germany did not abstain (what they normally do when the coalition can not agree), but instead voted in favour. France abstained in Council, but only because they did not get the required consent from the national assembly in time.<br /></p><p>The agreement was <strong style="font-weight: normal;">signed on the same day at 12:30 by the Spanish Homeland Minister</strong><span style="font-size:100%;"> Alfredo Pérez Rubalcaba, </span><strong style="font-weight: normal;">the EU Home Affairs Commissioner Cecilia Malmström, and the US Ambassador to the EU</strong>, William Kennard. Spain had pushed hard to achieve this during the last days of their EU Council presidency.<br /></p><p>The agreement will now be <strong style="font-weight: normal;">rushed through the next EP plenary session in Strasbourg (5-8 July)</strong> with an extraordinary session of the LIBE committee there on Monday and the plenary vote on Wednesday or Thursday. EPP was long planning to accept it, and over the last few days S&D and ALDE have completely given in. They even try to sell it as a success, though there are no real substantial improvements compared to the agreement from November which the EP voted down in February. Only the Green and Left groups in the Parliament still stick to their principles and to previous EP resolutions on this matter and will vote against it.<br /></p> <p>All <strong style="font-weight: normal;">documents</strong> are already on Statewatch:</p> <div><ul><li><a href="http://www.statewatch.org/news/2010/jun/eu-usa-draft-swift-agreement-com-final-3.pdf">Council Decision on the conclusion of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program</a><span style="color: rgb(0, 0, 0);"> (EU doc no: 11222/1/10, dated 24 June 2010, pdf);</span></li><li><a href="http://www.statewatch.org/news/2010/jun/eu-usa-swift-agreement-final-11350-rev2-10.pdf">Declarations to be adopted upon the adoption of the Council Decision on signature of the TFTP Agreement</a><span style="color: rgb(0, 0, 0);"> (pdf): referring to the EU developing its own system for monitoring financial transaction related to terrorism</span></li><li><a href="http://www.statewatch.org/news/2010/jun/eu-usa-swift-agreement-final-11350-rev1-cor1-10.pdf">Corrigendum</a><span style="color: rgb(0, 0, 0);"> (pdf). </span></li></ul></div><span style="font-weight: bold;">Main points of critique still remain</span>:<br /><ul><li><strong>Bulk data transfers</strong> of unsuspicious EU citizens still systematically built-in (the "tailored as narrowly as possible" is a joke, because they can only filter the data by a few criteria, such as country & day).</li><li><strong>Retention periods</strong> still 5 years (probably in breach of the German Constitutional Court's decision on data retention inn march)<strong></strong></li><li><strong>There is no clear sunset clause or conditioning of the agreement on data extraction on EU soil.</strong> The clause "EU shall consider whether to renew the agreement" if there is no extraction on EU soil after 5 years is a joke, because it automatically extends for one year each if nothing happens. It does not have to be renewed, it has to be actively terminated.<strong></strong></li><li><strong>There is no binding legal redress mechanism.</strong> The US government guarantees that they will treat EU citizens equally in administrative procedures, but there is still a hole in the juridical redress, because the US Privacy Act court clauses only apply to US citizens and legal residents. The agreement is not conditioned upon the US changing their law here.</li><li>The <strong>role of Europol is a total mess on several levels</strong>:<br />a) Europol is supposed to authorize data transfer requests from the US. This derogates from the demand of the EP in its May 2010 resolution to have a judicial authority do this.<br />b) Europol can now itself request data searches from the US, which reduces their incentive to limit the transferred amount of data in the first place to exactly zero.<br />c) UK, Ireland and Denmark have opt-in clauses on Europol. If they don't participate here, the whole agreement will not apply to their "territory". It's totally unclear what that means: Can SWIFT (based in BE, servers in NL and CH) still transfer data, even if it concerns citizens of these three countries? Is this happening with or without Europol then? Who would do the autorization instead if Europol would not do it?<br />d) The consent of the EP to the agreement extends the mandate of Europol and might therefore imply a "Lisbonization" of the agency - which of course should be done under ordinary legislative procedure, not just by saying "yes" or "no". The Council explanations ("no Lisbonization") are not necessarily convincing. There may be a legal challenge based on this.</li><li>The fundamental issue of <strong>proportionality</strong> is still not solved: Just seeing the data as useful for police and intelligence work does not suffice to legitimate these massive data transfers. Instead, there has to be facts-based evidence that there is a clear and imminent danger to the lives and limbs of people or to the existence of the state which can not be fought with less intrusive and much narrower means. A general risk of terrorist activity is not sufficient to give up our civil liberties. </li></ul>For the old agreement from 2009, see: <a href="http://bendrath.blogspot.com/2009/11/swift-agreement-not-in-line-with.html">SWIFT Agreement Not in Line with European Parliament 's Demands</a>.Ralf Bendrathhttp://www.blogger.com/profile/10683156686424057297noreply@blogger.com2tag:blogger.com,1999:blog-34116157.post-87580508132348569232010-03-30T19:33:00.011+02:002010-03-30T20:45:13.119+02:00I try a dialogue with EU Commissioner Cecilia Malmström on Internet FilteringThe EU Home Affairs Commissioner and former Swedish Minister for Europe, Cecilia Malmström, has yesterday presented the "<a href="http://ec.europa.eu/justice_home/news/intro/doc/com_2010_94_en.pdf" target="_blank">Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on combating the sexual abuse, sexual exploitation of children and child pornography, repealing Framework Decision 2004/68/JHA</a>". This includes a paragraph that would require member states to set up mechanisms for filtering out websites with such material.<br /><br />We have had the exact same debate with - it seems so far - the exact same arguments on sexual abuse websites in Germany last year, and it took us 134.000 signatories under an e-petition to the parliament as well as 2% for the Pirates in the German election to finally get listened to. Now, with the new German government, the blocking law is still officially in force, but will not be applied. So much for the backgrund and why internet liberty people from Germany are furious that this comes back from Brussels now.<br /><br />There are several reasons why blocking is a really bad idea. A good summary of the arguments is <a href="http://mrtopf.de/blog/en/10-reasons-against-access-blocking/">here</a>. Other arguments and facts, provided by a group of victims of child abuse, are <a href="http://mogis-verein.de/eu/">here</a>. EDRi recently sent an <a href="http://www.edri.org/edrigram/number8.5/edri-open-letter-internet-blocking">open letter</a> on this to Cecilia Malmström and her colleagues for Justice, Viviane Reding, and for the Information Society, Nellie Kroes. Reding herself is against the blocking proposal and has been fighting internally with Malmström. Joe McNamee from EDRi has some background info <a href="http://www.netzpolitik.org/2010/netzpolitik-interview-background-on-the-censilia-plans/">here</a>.<br /><br />The twitterverse has already come up with a nickname for Cecilia Malmström: <a href="http://search.twitter.com/search?q=%23censilia">#Censilia</a>, and internet and civil liberties activists are busy networking across borders now. I thought I try the direct way and leave a comment in Mrs. Malmström's <a href="http://ceciliamalmstrom.wordpress.com/2010/03/29/ett-slag-for-barnens-rattigheter/">blog</a>. Here is a copy:<br /><br />Dear Mrs. Malmström,<br /><br />I'd be interested in hearing how your former boss, prime minister Reinfeldt, can go to China with a straight face and tell them that unfiltered internet is important for human rights and democracy, as he did according to <a href="http://www.businessweek.com/ap/financialnews/D9EO89GO0.htm">news reports yesterday</a>. The Chinese government has already used the filtering infrastructure in place in a few Western countries as an excuse for their own "Green Dam" censorship system.<br /><br />You can again reply "But we will only filter child abuse". Two of the many problems are: The filtering lists have to be secret by definition. So how can concerned citizens be sure that nothing else ends up on these lists? And how can you be sure that the next government is also run by people who only have best intentions?<br /><br />Karl Popper wrote wisely on the open society: We have to build our political institutions in a way that neither evil nor incompetent rulers can do too much harm. The same principle now has to be applied to our technological infrastructures. This is why people are so concerned about your proposal - not because they think you or the current European governments are evil (well... maybe except for the Italian one), but because of the inherent risks such technologies of information control create.<br /><br />On a more empirical note: The Danish filtering list from 2008/2009, <a href="http://blog.odem.org/2010/01/30/bka-antwort-spd-bulmahn.pdf">according to the German Federal Criminal Police Agency</a>, has websites from these countries blocked:<br /><br />USA: 1148<br />Germany: 199<br />Netherlands: 79<br />Canada: 57<br />Russia: 27<br />Japan: 20<br />Korea: 19<br />Czech Republic: 15<br />UK: 14<br /><br />Maybe you should mention this to the US secretaries of Justice and Home Affairs when you next talk to them about access to European SWIFT and PNR data - before you start setting up a dangerous technology in Europe.<br /><br />Best regards, Ralf BendrathRalf Bendrathhttp://www.blogger.com/profile/10683156686424057297noreply@blogger.com1tag:blogger.com,1999:blog-34116157.post-73724219459110314192010-03-10T01:59:00.002+01:002010-03-10T02:06:59.821+01:00Google in Italy: Brandeis in New England 2.0Marc Rotenberg from <a href="http://www.EPIC.org">EPIC</a> has an interesting <a href="http://www.huffingtonpost.com/marc-rotenberg/brandeis-in-italy-the-pri_b_481115.html">commentary</a> on the Google court case in Italy:<br /><blockquote>I don't think this is really a case about ISP liability at all. It is a case about the use of a person's image, without their consent, that generates commercial value for someone else. That is the essence of the Italian law at issue in this case. It is also how the right of privacy was first established in the United States.</blockquote>After a comparison of how the right to privacy was born in the U.S. and first endorsed by a New York Court in 1905, Marc goes on to set the record straight on the current case in Italy:<br /><blockquote>It is significant also in the Italian case that defamation charges against the Google execs were dropped. That was an appropriate recognition of the freedom of expression interests in the case and tracks the distinction between the Google execs being responsible for the content of the speech (they were not) and the Google execs deriving commercial value from the continued display of the video (they did). That distinction, which has been missed by virtually every commentator on this case, makes clear that the Italian court had a good understanding of the freedom of expression concerns. He just didn't believe that absolved Google of all liability.<br /></blockquote>(via <a href="http://www.schneier.com/blog/archives/2010/03/marc_rotenberg_1.html">Bruce Schneier</a>)Ralf Bendrathhttp://www.blogger.com/profile/10683156686424057297noreply@blogger.com1tag:blogger.com,1999:blog-34116157.post-75165304521415280692010-02-12T19:15:00.004+01:002010-02-15T04:53:49.346+01:00European Parliament rejects Bank Data Transfer to U.S.The <a href="http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P7-TA-2010-0029+0+DOC+XML+V0//EN&language=EN">decision</a> yesterday on the so-called <a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:008:0011:0016:EN:PDF">"SWIFT-Agreement"</a> was historic, as even the EP's vice-president who was chairing had to admit. MEPs rejected the transfer of bulk data from Belgian bank telecommunication service provider SWIFT to U.S. authorities for its lack of legal and privacy protection by a large majority of 378 to 198 votes. Also take note of the <a href="http://www.europarl.europa.eu/sides/getDoc.do?type=REPORT&reference=A7-2010-0013&language=EN">report and the explanatory statement</a> by the civil liberties committee's rapporteur, Dutch liberal Jeanine Hennis-Plasschaert - well worth a read. EDRi.org had helped a bit with an <a href="http://www.edri.org/edrigram/number8.3/european-parliament-to-discuss-swift">FAQ</a> that was distributed to MEPs before the vote.<br /><br />Next on the EP's privacy agenda:<br /><ul><li>The transfer of Passenger Name Records (PNR) to the United States. Edward Hasbrouck has the <a href="http://www.papersplease.org/wp/2010/02/11/european-parliament-rejects-deal-for-us-access-to-swift-financial-data-next-on-the-agenda-pnr-deal-for-access-to-travel-data/">links between PNR and SWIFT</a>.<br /></li><li>The <a href="http://ec.europa.eu/justice_home/news/consulting_public/news_consulting_0005_en.htm">public consultation</a> for the planned comprehensive data transfer and data protection framework between the EU and the US for law enforcement purposes. The deadline 12 March - please submit strong statements there!</li><li>The review of the data retention directive (Commission document expected this fall).</li><li>The review of the data protection directive 46/95/EC for the internal market.</li><li>Europol access to other EU databases such as the fingerprints of asylum-seekers.<br /></li></ul>So let's keep rockin'. The victory yesterday was worth the bottle of champagne we had afterwards, but we have more serious work ahead of us. We also need better transatalantic exchange among privacy defenders on these matters. Who is willing to help?Ralf Bendrathhttp://www.blogger.com/profile/10683156686424057297noreply@blogger.com1tag:blogger.com,1999:blog-34116157.post-16722497092000554312010-02-02T02:40:00.004+01:002010-02-02T02:59:07.918+01:00Bank data deal under heavy fire from EU Parliamentarians<p> The debate on the bank data ("SWIFT") agreement in the European Parliament's Committee on Civil Liberties, Justice and Home Affairs last week showed a <a href="http://www.europarl.europa.eu/news/expert/infopress_page/019-67946-025-01-05-902-20100125IPR67943-25-01-2010-2010-false/default_en.htm">clear conflict</a> between parliamentarians on the one side and the EU Council as well as the European Commission on the other side.<br /></p> <p> The EU Justice and Home Affairs Ministers had signed an agreement with the US government on the transfer of bank data from the EU to the US for the Department of Treasury's "Terrorist Finance Tracking Program" (TFTP) on 30 November last year. It would legalize the use of bank data, including inner-European transactions, by US security agencies, which had been going on since 9/11 2001 and only became public in 2006. The new agreement had only been only possible because Germany abstained after a heavy fight between conservative and liberal parties in the Berlin coalition. Members of the European Parliament furiously criticized this move, because one day later, on 1st December, the Lisbon Treaty entered into force and gave the Parliament full veto powers in the area of justice and home affairs. Only later it turned out that because some national parliaments had announced reservations to the signature, the deal was not concluded and now has to be dealt with under codecision procedures. </p> <p> The President of the European Parliament since December <a href="http://www.netzpolitik.org/wp-upload/EP-President-letter-to-F-REINFELDT-on-SWIFT-agreement.pdf">repeatedly</a> <a href="http://www.netzpolitik.org/wp-upload/438669_EN1.pdf">had asked</a> the Council and Commission to refer the agreement to the EP as soon as possible, without getting any reply. Only two weeks ago, the Spanish presidency <a href="http://www.netzpolitik.org/wp-upload/Secretary-of-State-follow-up-plenary-20JAN.pdf">told MEPs</a> that the delay was caused by translation problems and that the EP would get it on 25 January. When MEPs found out that the text of the agreement had already been <a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:008:0011:0016:EN:PDF">published in the Official Journal</a> on 13 January, they immediately suspected a foul play by Council and Commission. The agreement has entered into force provisionally on 1st February, but the EP can only vote on it in the next plenary session (8 to 11 February). The Council has <a href="http://www.netzpolitik.org/wp-upload/10-01-26-respuesta-Pte-Rdz-Zapatero-a-Pte-Buzek-SWIFT-2.pdf">turned down</a> a <a href="http://www.netzpolitik.org/wp-upload/SWIFT-Letter-from-EP-President-to-JL-Zapatero-21-Jan-10.pdf">formal request by the EP</a> to postpone the provisional application by two weeks. SWIFT itself has in the meantime announced that they will not turn over data unless there is a legal basis for it, including a parliamentary vote.<br /></p> <p> In the 27 January 2010 committee session, Commission representative Johnathan Faull revealed that there will also be a new, confidential, report by French anti-terror judge Jean-Louis Bruguière, when the committee will already have its vote on the agreement. MEPs from both Liberal and Green groups demanded that all such background documents be made public immediately, including an opinion of the Council's legal service and the secret annex that lists the financial service providers affected by the agreement. MEPs from all groups also criticized the substance of the agreement, citing numerous articles that are not in line with EU or Council of Europe data protection regulation or the EU charter of fundamental rights.<br /></p><p>The EP's rapporteur on this dossier, Dutch liberal Jeanine Hennis-Plasschaert, also rejected the Council's and Commission's repeated claim that without the provisional application of the agreement, we would have a "security gap". Austrian Conservative MEP Ernst Strasser stated that "if there was a security gap, we would have it now - from 1st January to 31st January," referring to the fact that the global bank transaction provider SWIFT has already changed its architecture on 1st January. SWIFT is now routing inner-European transactions only within Europe, thereby cutting off direct access by US agencies.<br /></p><p>The discussion became fully absurd when commission representative Faull suggested that we would even get a "privacy gap" if the agreement is vetoed by the EP. Vice European Data Protection Supervisor Giovanni Buttarelli quickly debunked such assertions, citing a <a href="http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Comments/2010/10-01-25_EU_US_data_exchange_EN.pdf">new legal analysis</a> done by his staff which also revealed several privacy and legal protection flaws in the agreement.The group of EU data protection commissioners had produced a <a href="http://www.statewatch.org/news/2010/jan/eu-art-29-cttee-swift.pdf">similar analysis</a>.<br /></p> <p> The next week before the EP plenary vote will now be decisive not only for privacy protection for EU citizens in the fight against terror, but also for transatlantic relations in this field and for the role of the European Parliament with its new powers under the Lisbon Treaty. Left, Liberal, and Green MEPs are willing to kill the agreement and protect privacy rights, while conservatives seem to be split. The decisive group will therefore be the Social Democrats. The committee vote is set for Thursday, 4 February, 15:00 CET.</p><p><span style="font-style: italic;">(This is an updated and slightly edited version of an <a href="http://www.edri.org/edrigram/number8.2/swift-deal-european-parliament">article</a> I wrote for EDRi-Gram on 27 January 2010.)</span><br /></p><a href="http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Comments/2010/10-01-25_EU_US_data_exchange_EN.pdf"></a><p> </p>Ralf Bendrathhttp://www.blogger.com/profile/10683156686424057297noreply@blogger.com1tag:blogger.com,1999:blog-34116157.post-82610632519021858622009-11-25T18:49:00.003+01:002009-11-25T19:00:52.930+01:00European Parliament on Privacy vs Security and the "Balance" MetaphorThe European Parliament has adopted its resolution on the Stockholm Programme today. The Stockholm Programme is a political document that lays out the priorities for EU justice and home affairs policy for the years 2010 to 2014. It will be adopted by the Council of Ministers next Monday - therefore the Parliament's opinion on this was very timely. There were a lot of amendments, separate votes and split votes, so we have to wait a few days for the final consolidated text. Overall, it's a mixed bag, but that is a looong story.<br /><br />What I want to point out here is only one amendment that was adopted - but it was an extremely crucial one:<br /><br />The European Parliament<br /><blockquote>"... stresses that the EU is rooted in the principle of freedom. Security, in support of freedom, must be pursued through the rule of law and subject to fundamental rights obligations. The balance between security and freedom is to be seen in that perspective"</blockquote>I think this is one of the most important official contributions to the "freedom vs security" debate in the last few years. And it is the official opinion of Europe's directly elected representatives now.<br /><br />Please help spreading the word and establishing this clarification firmly in the public discourse.Ralf Bendrathhttp://www.blogger.com/profile/10683156686424057297noreply@blogger.com0tag:blogger.com,1999:blog-34116157.post-82684085168445774122009-11-18T16:46:00.006+01:002010-01-25T18:24:20.269+01:00SWIFT Agreement Not in Line with European Parliament 's Demands<span style="font-weight: bold; font-style: italic;">Update, 25 January 2010:</span><span style="font-style: italic;"> The agreement has been signed, but not yet concluded, by the Council on 30 November 2009. </span><a style="font-style: italic;" href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:008:0011:0016:EN:PDF">Here is the final text.</a><span style="font-style: italic;"> It will be voted on in the European Parliament on 10 or 11 February 2010. The only change to my analysis below (beyond some re-numbering of paragraphs) is the transfer of data to third countries or agencies, which is now limited to "leads", not raw data. The remainder of the criticism still stands.</span><br /><br />The <a href="http://www.netzpolitik.org/wp-upload/SWIFT-Abkommen-2009-11-10.pdf">draft agreement on bank data transfer between the EU and the US for anti-terrorism purposes ("SWIFT Agreement")</a> was leaked on 11 November. It stirred a heavy debate in the media, even made front-page news in Germany, and resulted in members and staff of the European Parliament and of the Committee of Permanent Representatives of EU member states (COREPER) having hectic phone calls. Background on the SWIFT deal is available <a href="http://www.edri.org/search/node/swift">elsewhere</a>.<br /><br />I want to focus here on the conformity of the draft with the demands of the European Parliament. The EP adopted a <a href="http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P7-TA-2009-0016+0+DOC+XML+V0//EN">resolution on the SWIFT agreement</a> in September, which was not too strong, but clearly spelled out some substantial and procedural criteria.<br /><br />There are rumours that the Council and the Commission are trying to get an informal confirmation (whatever that means) from the Parliament that the current draft meets the demands of the Parliament. The following quick analysis shows that this is clearly not the case.<br /><br /><span style="font-weight: bold;"></span><span style="font-weight: bold; font-style: italic;">1) Definition of Terrorism</span><br /><br />The EP demands in paragraph 7(a)<br /><blockquote>"that data are transferred and processed only for the purposes of fighting terrorism (...), and that they relate to <span style="font-style: italic;">individuals or terrorist organisations recognised as such also by the EU</span>".<br /></blockquote>The draft agreement has a definition of terrorism in article 2 and also refers to the EU definition on this, but spells out no procedure on who would make such a decision and how.<br /><br /><span style="font-weight: bold; font-style: italic;">2) Judge Approval</span><br /><br />The EP demands in paragraph 7(c) that data transfers have to be<br /><blockquote>"subject to judicial authorization". </blockquote>The draft agreement does not mention this at all. It only describes a procedure in article 4 where requests by the US government are scrutinized by an ominous "central authority" in the EU member state where the financial service provider concerned is located. I assume this will be agencies like the Federal Criminal Police Agency (BKA) in Germany and the likes. Not exactly what is meant by an independent judge.<br /><br /><span style="font-weight: bold; font-style: italic;">3) Judicial Review</span><br /><br />The EP demands in paragraph 7(d) that<br /><blockquote>"legality and proportionality of the transfer requests should be open for judicial review in the US"<br /></blockquote>and in paragraph 7(e) that<br /><blockquote>"transferred data are subject to the same judicial redress mechanisms as would apply to data held within the EU".<br /></blockquote>The draft only has a meaningless clause on this in article 11(3). There is an annex to the draft that lists a number of U.S. laws and codes that allegedly provide for judicial redress, but none of these actually does so. In detail:<br /><br />- The Administrative Procedure Act of 1946 only states that<br /><blockquote>"a person suffering legal wrong because of agency action, or adversely affected or aggrieved by agency action within the meaning of a relevant statute, is entitled to judicial review thereof".<br /></blockquote>The problem: The US Privacy Act offers protection against unlawful data processing by government agencies, but only for US citizens and residents.<br /><br />- The Inspector General Act of 1978 only establishes the powers of inspector generals, of the various agencies and departments for auditing and investigations. There is no option for citizens to demand judicial review. Quite the contrary:<br /><blockquote>"the Secretary of the Treasury may prohibit the Inspector General of the Department of the Treasury from carrying out or completing any audit or investigation".<br /></blockquote>- The Implementing Recommendations of the 9/11 Commission Act of 2007 establishes the Privacy and Civil Liberties Oversight Board in the Department of Homeland Security. But the PCLOP is not really independent, has very few rights and can not pursue independent investigations. There is no option for citizens to demand judicial review. Quite the contrary - the act establishes even more possibiliites for data-sharing among government agencies, e.g. through the "State, Local, and Regional Fusion Center Initiative".<br /><br />- The Computer Fraud and Abuse Act criminalizes unauthorizes and authority-exceeding use of computers. But this is not what the SWIFT agreement s about - the US government could theoretically send a carrier pidgin to the Europeans with the message demanding specific data. A computer is not abused or even broken into here - otherwise every corruption, libel or other white-collar-crime case where a computer was used would be sanctionable under this act, too. Ridiculous.<br /><br />- Freedom of Information Act (FOIA): Any possible right to access information is immediately annulled by the exception clauses in article 11 of the draft agreement.<br /><br />- Standards for Ethical Code for Employees of the Executive Branch: This code includes no option for citizens to demand judicial review. It only foresees the option of disciplinary measures in case of wrongdoing by executives.<br /><br /><span style="font-weight: bold; font-style: italic;">4) Purpose Binding</span><br /><br />The EP demands in paragraph 7(f) that transfers of data are limited to investigations about "terrorism financing". The draft agreement includes "prevention, investigation, detection, or prosecution of terrorism or terrorist financing". This means that the US can ask for data that is not related to terrorism financing at all, as long as they make the case that it is <span style="font-style: italic;">somehow</span> related to terrorism or may help its "prevention" (which is a broad and unclear clause anyway).<br /><br /><span style="font-style: italic; font-weight: bold;">5) Onward Data Transfers</span><br /><br />The EP demands in paragraph 7(f) that<br /><blockquote>"the transfer of such data to third parties other than the public authorities in charge of the fight against terrorism financing is also prohibited".<br /></blockquote>The draft agreement allows the onward transfer of bank data to third countries, not just third parties within the US. The parliament clearly meant the latter in its resolution and did not foresee any transfer to third countries. This would be the major hole in the agreement where all the other criteria (judicial review, purpose binding etc.) would be annulled even if they existed.<br /><br /><span style="font-weight: bold; font-style: italic;">6) Scope</span><br /><br />The EP demands in paragraph 9 that<br /><blockquote>"batches and large files such as those concerning transactions relating to the Single European Payment Area (SEPA) fall outside the scope of the data".<br /></blockquote>The draft agreement in article 4(6) allows for the transfer of "bulk data" if the service provider can not identify the specific data requested. A slightly newer version of the agreement, according to German press reports, explicitly excludes SEPA data. But the parliament explicitly mentioned SEPA only as an example, as is clear by the word "such as". The draft agreement does not exclude <span style="font-style: italic;">all</span> batches and large files.<br /><br /><br /><span style="font-weight: bold;">7) Procedural Aspects</span><br /><br />The EP demands in paragraph 13 that<br /><blockquote>"the European Parliament and all national parliaments will be given full access to the negotiation documents and directives".<br /></blockquote>This has repeatedly not happened. Neither has the parliament received the text of the draft agreement, not was it even informed about its very existence. It only learned about it from the press reports.<br /><br /><span style="font-weight: bold;">Conclusion</span><br /><br />The current draft agreement on bank data transfers is clearly in breach of the criteria established by the European Parliament - on substance as well as on procedures.<br /><br />It would be a clear affront by the Council of Ministers if they adopted and signed the agreement at their next meeting on 30 November - one day before the Lisbon Treaty will enter into force and the European Parliament will get full veto powers in the area of justice and home affairs.Ralf Bendrathhttp://www.blogger.com/profile/10683156686424057297noreply@blogger.com5