Latest EDRi-Gram

The latest news on fundamental breaches of the social contract.

=======================================================================

EDRi-gram

biweekly newsletter about digital civil rights in Europe

Number 11.14, 17 July 2013

=======================================================================
Contents

1. The PRISM scandal gets bigger
2. Data retention: "We ask the Court to rule in favour of Freedom"
3. Austria: Outsourcing data retention obligations to the US
4. Unanimous JURI vote on Collective Rights Management directive
5. Finland: A new citizens initiative - Lex Snowden
6. The French three strikes system gave up on Internet disconnection
7. EC notice & action directive to come out of the drawer?
8. Closed environments locking down consumers’ rights
9. ENDitorial: Leaked telecoms Regulation with or without net neutrality?
10. Recommended Reading
11. Agenda
12. About

=======================================================================
1. The PRISM scandal gets bigger

Privacy campaigners have filed claims against Prism and Tempora, the US
and British spy programmes that allow intelligence agencies to gather,
store and share data on millions of innocent people.

Privacy International has submitted a claim to the Investigatory Powers
Tribunal (IPT), hoping for a public hearing and early rulings, due to
the seriousness of the issue. Privacy International’s statement refers
to the Prism programme, which allows the NSA to intercept the
communications of non-US citizens living outside America from global
Internet companies such as Google, Facebook and Yahoo. It transpires
that this information has been shared with the UK agency GCHQ. Privacy
International also ask for a temporary injunction against the Tempora
programme, which allows GCHQ to tap into the transatlantic fibre-optic
cables used for telephone and Internet services and gather large amounts
of sensitive data.

"If UK authorities are to be permitted to access such information in
relation to those located in the UK in secret and without their
knowledge or consent, the European convention on human rights (ECHR)
requires there to be a legal regime in place which contains sufficient
safeguards against abuse of power and arbitrary use. There is no such
regime," says PI's statement.

Also, emails and phone calls made in the UK that pass electronically
through the US can be intercepted by the NSA, which has access to these
data as well. Moreover, the UK agency, by accessing the US programme,
can “obtain private information about UK citizens without having to
comply with any requirements of RIPA (the Regulation of Investigatory
Powers Act)”.

Privacy International intended to file the claim in the Administrative
Court, which would have had public proceedings. They were however forced
to file the claim with the IPT, a secret tribunal that does not make its
proceedings public and does not have to give reasons for its decisions.

"One of the underlying tenets of law in a democratic society is the
accessibility and foreseeability of a law. If there is no way for
citizens to know of the existence, interpretation, or execution of a
law, then the law is effectively secret. And secret law is not law. It
is a fundamental breach of the social contract if the government can
operate with unrestrained power in such an arbitrary fashion," said Eric
King, head of research at Privacy International.

The civil rights group Liberty has also made a complaint to the IPT. The
group believes its own electronic communications and those of its staff
may have been unlawfully intercepted by the security services and GCHQ.

In the US, a broad coalition of organizations teamed up for a freedom of
association lawsuit. The coalition filed a suit against the National
Security Agency (NSA) for the violation of the First Amendment right of
association by illegally collecting their call records. The coalition is
represented by the Electronic Frontier Foundation (EFF), a digital
rights group, also a member of EDRi, with years of experience in
fighting illegal government surveillance in the courts.

To make things worse, the PRISM scandal continues after the Guardian
revealed documents disclosed by former NSA employee Edward Snowden that
appear to show that Microsoft collaborated with US intelligence services
to allow users' communications to be intercepted, including helping the
NSA to circumvent the company's own encryption.

The documents appear to show that Microsoft collaborated with the FBI
and CIA and the material collected through Prism is shared by all three
agencies. Skype was revealed as one source of information.

"This makes it clear that trusting Microsoft with your critical company
data is downright negligent. In both the public and the private sector,
those responsible for security and data protection urgently need to take
action to protect their organisations, customers and clients," says
Karsten Gerloff, President of the Free Software Foundation Europe.

In its statement to the Guardian, Microsoft said that its “compliance
team examines all demands very closely, and we reject them if we believe
they aren't valid”. The company also said that it only complies with
“orders about specific accounts or identifiers” and “would not respond
to the kind of blanket orders discussed in the press over the past few
weeks, as the volumes documented in (its) most recent disclosure clearly
illustrate.”

The company added: “when we upgrade or update products, legal
obligations may in some circumstances require that we maintain the
ability to provide information in response to a law enforcement or
national security request. There are aspects of this debate that we wish
we were able to discuss more freely. That's why we've argued for
additional transparency that would help everyone understand and debate
these important issues.”

The US and the UK are not alone in this electronic information gathering
race. France is not that far behind. Le Monde has also revealed that the
DGSE (Direction générale de la sécurité extérieure) systematically
collects electromagnetic signals from computers and phones in France,
including the traffic between French citizens and people abroad.
Information from emails, telephone calls and access to Facebook or
Twitter is then stored for long periods of time. The database can be
accessed by all French intelligence services.

NSA and GCHQ spy programmes face legal challenge (8.07.2013)
http://www.guardian.co.uk/uk-news/2013/jul/08/nsa-gchq-spy-programmes-legal-challenge

Privacy International files legal challenge against UK government over
mass surveillance programmes (8.07.2013)
https://www.privacyinternational.org/press-releases/privacy-international-files-legal-challenge-against-uk-government-over-mass

New Snowden leak: Storing your data at Microsoft is negligent
(12.07.2013)
https://fsfe.org/news/2013/news-20130712-01.en.html

How Microsoft handed the NSA access to encrypted messages (12.07.2013)
http://www.guardian.co.uk/world/2013/jul/11/microsoft-nsa-collaboration-user-data

Unitarian Church, Gun Groups Join EFF to Sue NSA Over Illegal
Surveillance (16.07.2013)
https://www.eff.org/press/releases/unitarian-church-gun-groups-join-eff-sue-nsa-over-illegal-surveillance

Revelations on French Big Brother (only in French, update 7.07.2013)
http://www.lemonde.fr/societe/article/2013/07/04/revelations-sur-le-big-brother-francais_3441973_3224.html

=======================================================================
2. Data retention: "We ask the Court to rule in favour of Freedom"

On 9 July 2013, the European Court of Justice held a hearing before the
Grand Chamber on the validity of the data retention directive
(2006/24/EC). In line with the questions the involved parties received
from the Court, the hearing focused on Art. 7 and 8 of the Charter of
Fundamental Rights of the European Union.

The representatives of the parties who initiated the cases in Ireland
and Austria, Digital Rights Ireland, Human Rights Commission Ireland, AK
Vorrat Austria and an individual Austrian citizen argued that the data
retention directive is incompatible with the Charter. There still is no
evidence available, they argued, that the excessive collection of
communication data is a necessary and proportionate measure for
combating organised crime and terrorism in the EU. Furthermore, the
data available proves that retained data is used for the investigation
of crimes not foreseen in the directive, like theft, drug trafficking
and stalking.

The lawyer of AK Vorrat, Ewald Scheucher, referred to the ruling of the
German Constitutional Court, which stated that the cumulative effect of
fundamental rights restrictions needs to be taken into consideration when
judging the legitimacy of a single measure. Given the revelations
regarding PRISM, this cumulative effect now clearly provides a different
result than at the time when the German Court took its decision.
Furthermore, he stated that the Austrian implementation of the directive
clearly showed that a Charter-compatible national implementation of the
data retention directive is not possible. This argument is bolstered by
the fact that the main author of the Austrian implementation is among
the 11 139 Austrian plaintiffs who challenged data retention before the
Austrian Constitutional Court.

Mr. Scheucher closed his statement with the words: "We ask the Court to
rule in favour of Freedom. Security already has enough advocates."

Following the statements of the plaintiffs, a number of member states
and EU institutions were asked to deliver their answers to the questions
of the court. Many of them referred to the evaluation report the
Commission published in 2011. This was remarkable, as this report
itself suffered from a lack of evidence as, amongst other shortcomings,
many member states were unable to provide any statistically relevant
data on the use of retained data for the purposes defined in the
directive. On the contrary, it showed an excessive number of uses in
Poland in the context of minor offences.

New statistical data were presented by the representative of Austria. He
explained that between 1 April 2012 and 31 March 2013 retained data has
been accessed by Austrian prosecutors in 326 cases. Out of these 326
cases, 139 are already closed. In 56 of these 139 cases, the data
retained contributed to solving the case. The offences of these cases
were: theft (16), drug offences (12), stalking (12), fraud (7), robbery
(7) and others. Following an ad hoc question of a judge, it was further
stated that none of the cases involved terrorism and that the question
whether organised crime was involved needed further investigation.

The statements of the other member states followed the lines that data
retention is necessary and proportionate, the opposition against data
retention is caused by fears of data breaches (Ireland), the anonymity
of the communication needs to be avoided (Spain), the ECJ should focus
on the core contents of the directive and not on the room it leaves for
the implementation by member states (Italy) and that anonymous uses –
like prepaid mobile phones – are not damaging the value of data
retention, as additional means like video surveillance can be used to
identify individuals.

The representative of the European Parliament stated that the directive
was valid and in line with the Charter. Being a directive harmonising
the internal market, he argued, it only regulates the obligations of
providers and does not deal with the law enforcement aspects, which need
to be defined by the member states. This statement led to questions by
one of the judges who wanted to know if it was due to the chosen legal
basis that the protection of fundamental rights could not be regulated
in more detail. This was confirmed by the EP representative, whereupon
the judge asked whether the legal basis should rather be chosen based on
the compliance with fundamental rights. The representative of the
Parliament agreed but stated that while it was important to protect
fundamental rights, it was not possible to do such regulation in an
internal market directive.

The representative of the Council argued – like some member states
before – that the use of retained data can only be judged in the context
of national laws and that therefore the directive needed to be seen in
isolation rather than in context of national implementations. The
maximum retention period of two years also reflects the different
traditions of member states and is needed to analyse the communication
of terrorists in the context of bomb attacks.

Also, the representative of the European Commission argued that the
directive was only about the obligation to retain data, while the use of
the data needed to be regulated by the member states. Furthermore the
directive needed to be judged on the basis of the legal situation in
2006. Following this statement a judge asked whether the position of the
Commission was that the Charter was not applicable. This was denied.

Finally, the representative of the European Data Protection Supervisor
delivered his statement. He stated that the necessity of data retention
has not been proven and that no alternative, less intrusive measures
have been evaluated. In addition, the directive was not sufficiently
clear in limiting the purpose of the data processing. Furthermore the
use of the retained data should not be left to be regulated by
member states without further guidance by the European legislator.

The hearing continued with a number of detailed questions by the judges
which also included whether data retention could be
lawfully outsourced to other data processors within the EU or in third
countries. According to a report, 36 percent of the retained data is
subject to outsourcing and the third largest provider is based in a
third country operating on the basis of the Safe Harbor agreement. Being
asked whether the national laws of third countries concerning the access
to data by national authorities could negatively affect the lawfulness
of the processing, the representative of the Commission could not answer
immediately and he also failed to provide a clear answer to whether the
websites accessed by users are to be retained on the basis of the
directive.

The Advocate General will provide his opinion on 7 November 2013.

EDRi-gram 11.13: European Court of Justice data retention cases to be
heard on 9 July (including the questions asked by the Court, 3.07.2013)
http://www.edri.org/edrigram/number11.13/ecj-data-retention-case-9-july-2013

EDRi-gram 9.8: Top 10 misleading statements of the European Commission
on data retention (20.04.2011)
http://www.edri.org/edrigram/number9.8/data-retention-evaluation

EDRi shadow data retention report (17.04.2011)
http://www.edri.org/files/shadow_drd_report_110417.pdf

Live-Ticker on the ECJ hearing on the data retention directive (only in
German, 09.07.2013)
http://netzpolitik.org/2013/live-ticker-vom-eugh-verfahren-gegen-die-vorratsdatenspeicherung/

(Contribution by Andreas Krisch - EDRi member VIBE!AT - Austria)

=======================================================================
3. Austria: Outsourcing data retention obligations to the US

During the ECJ lawsuit against the data retention (DR) directive it
became clear that DR obligations may have been outsourced to
contractors, maybe even to US-based companies, thereby giving US
authorities potentially unrestricted access to all such retained data.

Austria is one example of an EU member state with data retention in place.
Therefore, the Austrian NGO Initiative für Netzfreiheit asked the
national data protection authority (DPA) whether it could rule out that
Austrian service providers have outsourced their DR obligations, maybe
even to US based contractors and storage locations.

The head of the Austrian DPA answered that they had no way of knowing
whether Austrian service providers have outsourced their DR obligations
at all, let alone to US based contractors. If DR obligations were
outsourced to unsafe third countries, this would have to be registered
with them. However, due to the safe harbor provision, US based companies
that take part in it are exempted from the registration obligation.

The Austrian DPA has the authority and duty to ensure that appropriate
security measures have been established for all DR obligations. For this
purpose, the Austrian DPA also has the right to inspect the data centers
where data retention occurs in order to be able to assess the
effectiveness of the security measures in place. The Austrian DPA stated
to the Initiative für Netzfreiheit that in over 15 months of the data
retention being required by law they did not assess any data retention
security measures at all but that they were planning to do so. Also,
when asked if they thought that they could really get access to the
datacenter of a US based service contractor, the DPA admitted that they
had not thought of such a case yet and that they didn't think they could
actually execute their inspection rights at US located data centers.

In summary, it has to be concluded that there is no way for the Austrian
DPA to even know about US-based outsourcing of DR data handling. Nobody
can rule out that Austrian service providers have outsourced their DR
obligations and thus nobody can rule out that Austrian DR data are
stored on servers in the US, thereby giving US authorities direct access
to the DR data of Austrian citizens.

The Initiative für Netzfreiheit thus demands the immediate repeal of
the data retention in Austria as well as the annulment of the safe
harbor provision. "It is completely unacceptable that US services might
have direct access to the location and connection data of Austrian
citizens. This demands immediate action," says Josef Irnberger for the
Initiative für Netzfreiheit.

"Not even the data protection authority can rule out direct access by US
authorities to the data retention data of Austrian citizens, nor could
they even rightfully demand access to US data centers. Seen alongside
the blatant human rights violation created by the very existence of the
data retention directive itself, this really takes the biscuit," added
Josef.

Original press release (only in German, 11.07.2013)
https://netzfreiheit.org/2013/07/11/pressemitteilung-prism-vorratsdaten-durch-us-spionage-in-akuter-gefahr/

ECJ Data retention case - live blogging (only in German, 9.07.2013)
https://netzpolitik.org/2013/live-ticker-vom-eugh-verfahren-gegen-die-vorratsdatenspeicherung/

Safe harbor
https://en.wikipedia.org/wiki/Safe_harbor_%28law%29

(contribution by Josef Irnberger - EDRi member Initiative für
Netzfreiheit - Austria)

=======================================================================
4. Unanimous JURI vote on Collective Rights Management directive

The proposal from the European Commission for a Directive on collective
management and related rights and multi-territorial licensing of rights
in musical works for online uses in the internal market (hereafter
Collective Rights Management Directive) was a good start to put an end
to some of the unreasonable practices by collecting societies around
Europe.

On 9 July, the Legal Affairs Committee (JURI) voted on the report led
by Marielle Gallo (EPP, France) amending the Collective Rights
Management Directive. The report passed unanimously.

Broadly speaking, the final text brokered by Gallo represents an
improvement on the original proposal from the European Commission. One
of the main improvements is on the transparency of the collective
management organisations (CMOs). The list of data that have to be public
has been significantly extended, including the repertoires and rights
managed, standard licensing contracts and applicable tariffs, a list of
representation agreements and any information on works for which one or
more rightholders have not been identified. This is a precondition to
ensure fast, efficient and transparent licensing.

On licensing specifically and the relation between users and CMOs, EU
case law on tariffs has been codified and the amendments to the text
propose to speed up the process of granting licences, which would allow
innovative services to emerge faster in the EU market, to the benefit of
all stakeholders. The redistribution of the amounts collected to artists
and creators should also happen faster. The rules will apply to all CMOs
regardless of their financial situation or number of employees. The
possibility for CMOs to limit the re-use of information has been
deleted, which is very important to the much-needed freedom for content
creators to change CMOs.

The bad news however is that the Committee has deleted some important
provisions. References to the Services Directive (2006/123/EC) were
deleted, which is likely to result in a long and tedious legal battle to
clarify the situation, since there is no exception from competition law
and the Treaties still apply. Much worse is that the Directive is
essentially toothless now, as the provisions on sanctions have been
deleted. While the individual freedom of artists to dispose of their
work is clearly recognised in the text voted in JURI, this freedom is
significantly weakened by the possibility offered to CMOs to determine
rules preventing misuses of the right of artists to withdraw their
rights or terminate their authorisation. It is difficult to imagine that
such a rule will create harmonisation and it will definitely create
legal uncertainty.

Finally, some parts constitute an improvement but they could have gone
further. Collecting and keeping money collected by CMOs on orphan works
is problematic. The European Parliament is trying to improve the
situation by reducing the time the money can be kept and by putting
rules into place to avoid misuse of this undistributed money. However,
the idea of having a completely separate fund for this money has been
rejected. Although the JURI's vote to recognise non-commercial licenses
is a good first step, it falls short of a proper recognition of the
artist's autonomy to choose a licence. According to the adopted text,
CMOs will have to allow their members to grant non-commercial licences,
but it is unfortunate that Ms Gallo's initial proposal to allow creators
to have their rights managed on a per-work basis was not in the
compromises. However, it seems that one of Mr Engström's (Greens)
amendments, which was adopted, does offer this possibility to artists.
Let's hope that this provision survives the final first reading vote in
a European Parliament plenary session later this year.

While there are some very good amendments, there are also some bad ones and
some which could have been better. However, in light of the tenor of many of
the amendments she was faced with, the Rapporteur did quite a good job,
and having a unanimous vote on a legislative copyright dossier is a rare
achievement. The discussion is however not over, so let's just hope that
the positive developments will be maintained.

The final report including the compromise amendments is not published yet.

Proposal for a Directive of the European Commission
http://ec.europa.eu/internal_market/copyright/docs/management/com-2012-3722_en.pdf

Draft Report from Marielle Gallo (EPP, Rapporteur on the file)
http://www.europarl.europa.eu/RegistreWeb/search/simple.htm?language=EN&reference=2012%2F0180%28COD%29&code_type_docu=TPRR

Proposed amendments by the other members of the Legal Affairs Committee
http://www.europarl.europa.eu/RegistreWeb/search/simple.htm?language=EN&reference=2012%2F0180%28COD%29&code_type_docu=TAMEPR

(Contribution by Marie Humeau - EDRi)

=======================================================================
5. Finland: A new citizens initiative - Lex Snowden

EDRi member Electronic Frontier Finland (Effi) has submitted on 8 July
2013, with support from Avoin Ministeriö, a citizens' legislative
initiative, titled "Yes We Can - The law for safeguarding of freedom of
expression and privacy internationally", to the Ministry of Justice. If
the initiative collects 50 000 names (almost 1% of the total population of
Finland) within 6 months, the Finnish parliament is obliged to vote on
the proposal. The initiative criminalizes spying on citizens, requires
authorities and enterprises to report on the collection and utilization
of citizens' data, and enhances significantly protection of
whistle-blowers in Finland.

Effi's vice chairman Ville Oksanen states: "We are tired of officials
and especially politicians being totally inactive in these matters.
Working groups and endless discussions are not going to solve the
problem, they are just used to hide the matter from the public
discussion. With this initiative we want to show that with sufficient
political will it is possible to provide protection and significantly
improve citizens' position against excessive surveillance." Oksanen
continues: "Similarly, the initiative would address the gaps that
prevent whistle-blowers, such as Edward Snowden, from gaining reliable
protection in Finland."

The Lex Snowden initiative has three main elements. Firstly, it adds new
articles to the Criminal Code to criminalize excessive surveillance of
citizens. This crime would be defined as a so-called universal crime,
which means it would be possible to prosecute in Finland even if the act
had taken place in another country. Penalties would also be available
against companies that participate in illegal surveillance: a Finnish
court could impose a corporate fine, the amount of which would be a
maximum of 25% of the company's total international revenue.

Oksanen comments: "It is of course clear that punishments on this basis
would not be executed in the country doing the surveillance.
Perpetrators of this act, however, could have difficulties travelling
as, for example, an Interpol international warrant could have been
issued for their arrest."

The second section substantially extends authorities' and telecom
operators' liability to report their mass personal data collection,
storage and use. At the moment, the Ministry of the Interior reports
about data retention practices only to the EU Commission. Companies are
not currently required to report about their respective data collection
practices at all.

The third proposed change is the closure of the gaps in the legislation
that have been revealed in the case of Edward Snowden related to the
granting of protection for whistle-blowers. The proposal would make the
extradition of whistleblowers impossible. Also, they could no longer be
prevented from obtaining an entry or residence permit.

Effi chairman Timo Karjalainen states: "Unfortunately, this legislative
package is unlikely to assist directly the case of Edward Snowden.
However, similar cases will surely occur again, so it is important to
fix the law now." Karjalainen concludes: "In addition this proposed bill
would make Finland a leading country in safeguarding digital rights and
privacy. This would be a great selling point for Finland as a potential
site for cloud services. Subscribers of cloud services certainly want to
avoid countries where surveillance is rampant."

The draft law has gathered almost 1500 signatures after the first week.

Effi: Legislative initiative to protect privacy and whistle-blowers
(8.07.2013)
http://www.effi.org/julkaisut/tiedotteet/pressrelease-2013-07-08.html

Effi’s campaign site for the Lex Snowden
http://snowden.effi.org/?page_id=2

Draft law on Citizens initiative website (only in Finnish)
https://www.kansalaisaloite.fi/fi/aloite/442

(Contribution by EDRi member Electronic Frontier Finland)

=======================================================================
6. The French three strikes system gave up on Internet disconnection

The French three strikes law, known as Hadopi, has for years generated
debate and controversy, primarily because it allowed for the
disconnection of the Internet connections of individuals deemed to have
illegally downloaded copyrighted material. Now, however, there is a
slight ray of sunshine in the matter. The French Government has given up
on this approach.

On 9 July 2013, a decree was published eliminating the possibility to
cut off users’ connections for alleged copyright infringement. An
automated fine system will now be applied to those allegedly infringing
the copyright law.

In June 2013, a nine-member panel led by former Canal Plus chairman
Pierre Lescure, issued a report on policies for the entertainment
industries in the digital age which concluded, among other things, that
the three strikes system had not delivered the results promised by the
government. The panel recommended that the Internet disconnections for
infringers should be given up.

The measure will be replaced by a “five-class” fine, meaning a fine of
1500 Euro which could go even up to 3000 Euro in cases of continuous
infringing “when the regulations allow it.” According to the Minister of
Culture Aurélie Filippetti, this imposition of the fine will be at the
decision of a judge who is the only authority to “decide upon the
relevance and amount” of the fine. Hadopi, the independent authority,
will disappear. That could be also good news. But not really, since the
three strikes warning system will continue as a “pedagogical” measure
and will be operated by the Audiovisual Regulatory Authority - CSA (Conseil
supérieur de l’audiovisuel).

Meanwhile, Ireland is heading in a different direction. On 3 July 2013,
the Irish Supreme Court backed a “three strikes and you’re out”
agreement upholding a challenge by four music companies to an
enforcement notice of the Data Protection Commissioner of 5 December
2012 which required Eircom to stop implementing the three strikes
protocol by means of which users receive three warnings for illegal
downloading before terminating their Internet access service.

The Supreme Court unanimously dismissed the appeal made by the data
commissioner against the High Court decision because the Irish DPA did
not specify what provisions of the Data Protection Acts had been
contravened by the protocol.

Three Strikes and You’re Still In – France Kills Piracy Disconnections
(9.07.2013)
http://torrentfreak.com/three-strikes-and-youre-still-in-france-kills-piracy-disconnections-130709/

French Criminal Code – Sub-section 4: Infringement fines (only in French)
http://www.legifrance.gouv.fr/affichCode.do?idSectionTA=LEGISCTA000006181730&cidTexte=LEGITEXT000006070719&dateTexte=20090629

Hadopi: Filippetti cuts the cut but not the fine (only in French,
9.07.2013)
http://www.ecrans.fr/Hadopi-Filippetti-coupe-la-coupure,16683.html

Hadopi: Filippetti confirms the death act but supports the private copy
(only in French, 9.07.2013)
http://www.zdnet.fr/actualites/hadopi-filippetti-confirme-l-acte-de-deces-mais-soutient-la-copie-privee-39792239.htm

Hadopi: cutting the Internet access is eliminated (only in French,
9.07.2013)
http://www.francetvinfo.fr/france/hadopi-la-coupure-d-acces-a-internet-est-supprimee_365998.html

Supreme Court backs 'three strikes' deal to fight illegal downloading
(3.07.2013)
http://www.independent.ie/irish-news/supreme-court-backs-three-strikes-deal-to-fight-illegal-downloading-29393260.html

EDRi-gram: Hadopi wants to turn to privatised enforcement measures (13.03.2013)
http://www.edri.org/edrigram/number11.5/hadopi-wants-privatised-law-enforcement

=======================================================================
7. EC notice & action directive to come out of the drawer?

On 3 July 2013, nine MEPs sent a letter to Michel Barnier,
European Commissioner for Internal Market and Services, regarding a
Notice-and-Action directive that was prepared but subsequently not
published or proposed by the European Commission. As a result, the
European Parliament was not, and will not be, able to give its position
on the subject.

While welcoming the fact that Barnier’s services have undertaken careful
investigations in the field, having in view the great concerns in the
area (especially considering projects that “have undermined citizens’
trust in the Union” such as CleanIT), the letter however expresses
concern for the fate of the proposal for a notice and action directive.

It seems that Commissioner Michel Barnier has chosen not to publish the
proposal although it took 3 years of investigations to produce it and
these investigations concluded that the circumstances under which
requests for material takedown are made are extremely arbitrary and in
need of clarification.

It appears that opposition to the proposal came from Cecilia Malmström,
Commissioner for Home Affairs. She (as the Commissioner responsible for
funding the CleanIT project) objected to clearer procedures for dealing
with allegedly illegal material.

“As elected members and representatives of the European public, this is
of high concern to us. The political process will not gain legitimacy if
publicly elected representatives are not allowed to scrutinize and
debate proposals of concern in a transparent and democratic manner,”
says the MEPs' letter.

The MEPs therefore ask Barnier’s directorate “to propose the draft text
as a directive for the Member States. It is not acceptable that the
Parliament is kept out of these important discussions. If the
indications that the directive might collapse into a mere recommendation
come true and in this way the Parliament gets no say – we fear that both
the citizens’ trust in European institutions as well as our trust in the
European Commission may suffer.

We trust that you agree that a transparent and inclusive mechanism for
political decision making is the preferred route for Europe, and we’re
looking forward to our further interactions.”

MEPs Letter to Michel Barnier European Commissioner for Internal Market
and Services (3.07.2013)
http://ameliaandersdotter.eu/sites/default/files/letter_commissioner_barnier_notice_and_takedown.pdf

Commission staff working document “Report on the implementation of the
e-commerce action plan” (23.04.2013)
http://ec.europa.eu/internal_market/e-commerce/communications/2012/index_en.htm

EC Notice-and-action Procedures
http://ec.europa.eu/internal_market/e-commerce/notice-and-action/index_en.htm

Letter to Michel Barnier on the Notice-and-Action in Europe (only in Swedish, 6.07.2013)
http://ameliaandersdotter.eu/2013/07/06/brev-till-michel-barnier-om-notice-and-action-i-eu

=======================================================================
8. Closed environments locking down consumers’ rights

Can you resell your used apps for your iOS or Android device? How about
your video games that you purchased from Valve’s Steam Store?

The answer is yes and no. Legally, you are allowed to resell your used
apps and Steam games if they were marketed in the EU. However, from a
practical perspective, the owners of closed platforms such as Apple’s
App Store and Valve’s Steam Store don’t allow users to transfer their
unwanted software licenses to other users, effectively making it
impossible for a user to resell their used apps and games.

According to the European Court of Justice (ECJ)'s decision in the
UsedSoft v Oracle case of last summer, if you pay a fee for software and are
granted a license to that software for an unlimited period of time, then
the copyright holder has exhausted their exclusive distribution right.
Even if the license agreement prohibits a further transfer, the
rightholder can no longer oppose the resale of that copy. This applies
to both software distributed on a physical medium (CD-ROM or DVD) as
well as downloaded software. Thus, consumers in the EU are legally
allowed to resell most of their apps and games.

However, closed environments like Valve’s Steam Store are preventing
consumers from reselling their used software in two ways. The first is
through restrictive user agreements. For example, the Steam Store’s
license agreement states that “The Software is licensed, not sold.
Your license confers no title or ownership in the Software.” However,
since consumers pay a fee for a license that lasts an unlimited period
of time, games bought via the Steam Store clearly fall under the
UsedSoft v Oracle ruling and Valve cannot oppose their resale.

The other way closed environments like Steam prevent consumers from
reselling their unwanted software is by failing to provide a mechanism
that allows a Steam user to transfer a license of their software to
another Steam user’s account. The omission of this simple mechanism
makes it impossible for Steam users to resell their unwanted software,
since the consumer has no way to complete a sale, which would require a
license transfer of the software being sold to the buyer’s account.

Since consumers cannot resell their unwanted software purchased from
closed environments, second-hand markets for used apps and Steam games
are prevented from forming, even though distributors like Valve have
exhausted their distribution rights and cannot oppose resale of their
software.

With software increasingly being distributed via downloads, closed
environments are gaining popularity. Apple, Microsoft, Google and Valve
all distribute software for their platforms via their own closed
environments. Owners of these closed environments take a percentage of
the sales of any software distributed via their online store and the
software developers who make the applications that are no longer sold
lose sales to consumers buying cheaper used copies of their software
instead of new copies.

Consumers, however, have their right to resell their digital property
restricted and also lose access to secondary markets where they would be
able to obtain the same product at lower prices. As software is
increasingly distributed via closed environments, we must protect
consumers’ right to own and resell their software.

ECJ case - UsedSoft v Oracle ruling (3.07.2012)
http://curia.europa.eu/juris/document/document.jsf?docid=124564&doclang=en

(Contribution by Michael McNeff - HalfPriceDigital.com)

=======================================================================
9. ENDitorial: Leaked telecoms Regulation with or without net neutrality?

Last week, an internal draft of a regulation for a “telecoms single
market” was leaked in Brussels. We published an initial reaction to this
document. But what are the details of the text and what do they mean?
The draft is a strange mix of re-packaged measures that are already in
place and an odd list of disparate issues ranging from spectrum
management to roaming charges.

One important point of the draft regulation, as previously announced by
Neelie Kroes, Vice-President and Commissioner for the Digital Agenda, is
a half-hearted legal “guarantee” of network neutrality – which
simultaneously seeks to “guarantee net neutrality” and at the same time
to allow the kinds of “new premium services” that would undermine net
neutrality.

The positive points first:

- Harmonisation: The Commission chose to propose a Regulation as a
legislative instrument which means that it would allow for greater
harmonisation of the digital single market.

- No discrimination: It would guarantee net neutrality (while killing it
by promoting discriminatory services). Article 20.2 aims at a
prohibition of anti-competitive discrimination: “Providers should not
block or throttle specific services or service classes within
contractually agreed limits on data volumes and speeds”.

- Transparency: The Commission's spokesperson also explained that “our
net neutrality plans include much stronger rights for consumers to
transparent information and switching”. Of course, if the Commission
believed that it was really guaranteeing net neutrality, consumers would
not need transparent information about non-neutral behaviour and their
possibilities to sign up to another access provider. Article 21 would
now introduce new provisions on transparency. However, as we have
highlighted previously, transparency and switching are insufficient to
guarantee an open, free and neutral internet.

- Sanctions: National Regulatory Authorities (NRAs) have an essential
role in securing the users' capability to exercise their freedom of
communication and freedom of expression. According to recital 68, NRAs
should be able to impose financial or administrative sanctions for
violations of net neutrality provisions of the Regulation.
Unfortunately, these sanctions are not detailed in the leaked draft and
merely make reference to the already existing provisions of Article 21a
of the Framework Directive (2002/21/EC). We know from the weak
implementation of existing legislation in some EU Member States that
strong sanctions are necessary to act as a deterrent against
discriminatory practices.

Negative points:

- Discrimination: If adopted, the leaked Regulation would kill net
neutrality (while ostensibly “guaranteeing” it, as described above).
Article 20.1, sub-paragraph 2, foresees that “providers of content,
applications and services and providers of electronic communications to
the public shall be free to agree with each other on the treatment of
the related data volumes or on the transmission of traffic with a
defined quality of service”. The Commission would therefore allow
operators to enter into agreements with content and service providers in
order to deliver certain services faster than others – it would allow a
non-neutral Internet, in other words.

The Commissioner's spokesperson explained on Twitter that “telcos want a
free hand”. If adopted, this Regulation would be disastrous not only for
innovation and competition in Europe, but would cement the economic
advantage of big players who have the financial capacity to strike
exclusive deals with operators – the “death sentence” for innovation
described by Commissioner Kroes.

- Data caps: The leak states that “volume-based tariffs are compatible
with an open internet”. While this is true, up to a point, it appears
that the draft would allow discriminatory behaviour, similar to what
Deutsche Telekom proposed in Germany. A volume-restricted tariff which
has no restrictions on the volume of traffic from certain sites and
services can be effectively used to transparently and openly stifle
competition.

- Premium services: The draft text also explains that some users should
be able to keep on using high bandwidth services, such as video
conferencing, internet telephony and so on – with an “enhanced quality”.
This might be what Commissioner Kroes meant by “enjoy something extra”
in her speech on 9 July. This approach, however, is not based on
evidence but rather the assumption that current temporary and
exceptional traffic management measures are insufficient to deal with
congestion. The Commission draft attempts to explain that the
possibility and flexibility to provide enhanced quality of service
especially applies to new services such as machine-to-machine
communications (recital 44, p. 12). However, the way in which the
current text is drafted would permit discrimination on the public internet.

- Bundles: In recital 41, the growing importance of bundles (offers that
include internet, fixed/mobile telephone and television as a single
package) is highlighted, but the Commission unfortunately fails to
acknowledge the particular difficulties for consumers subscribed to
bundled offers to change providers.

- National laws: Where does this leave the Netherlands and Slovenia?
According to the leaked internal draft, Article 20.1, sub-paragraph 3,
it is likely that the Dutch provisions and the Slovenian law will have
to be amended, since they restrict the “freedom” of the providers to
enter into discriminatory agreements: "The exercise of these freedoms
shall not be restricted by national competent authorities, or, as
regards the freedom laid down for end-users, by providers of electronic
communications to the public, save in accordance with the provisions of
this Regulation, the Directives and other provisions of Union law."

- Timetable: The draft Regulation will probably be published in
September/October; it then has to be approved by the Council and go
through the legislative process in the European Parliament. Due to the
upcoming elections, there is a chance that this Regulation might not be
adopted before the new Parliament is in place.

Leaked consolidated version of the draft Regulation laying down measures
to complete the European single market for electronic communications and
to achieve a Connected Continent
http://edri.org/files/consolidateddraft-ISC070713.pdf

Leaked Regulation: Schrödinger's net neutrality on its way in Europe
(11.07.2013)
http://www.edri.org/schroedinger-NN

Tweets by Ryan Heath, spokesperson of the Commissioner for the Digital
Agenda, on the leaked internal draft

Joint letter EDRi-BEUC to Commissioner Kroes: Over 80 European
organisations demand protection for Net neutrality (17.04.2013)
http://www.edri.org/node/3281

European Parliament resolution on Completing the digital single market
(11.12.2012)
http://www.europarl.europa.eu/sides/getDoc.do?type=TA&language=EN&reference=P7-TA-2012-468

(Contribution by Kirsten Fiedler - EDRi)

=======================================================================
10. Recommended Reading

Estonia: E-voting source code made public (12.07.2013)
http://news.err.ee/politics/0233b688-b116-44c3-98ca-89a4057acad8

Open Letter on transparency to President of the European Parliament (16.07.2013)
https://fsfe.org/news/2013/news-20130716-01.en.html

=======================================================================
11. Agenda

31 July – 4 August 2013, Geestmerambacht, Netherlands
Observe. Hack. Make. - OHM2013
https://ohm2013.org/

7 September 2013, Berlin, Germany
Demonstration "Freiheit statt Angst" / rally against surveillance
http://blog.freiheitstattangst.de/

14-15 September 2013, Vienna, Austria
Daten, Netz & Politik 2013 - DNP13
https://dnp13.unwatched.org/

16-18 September 2013, Geneva, Switzerland
2013 Open Knowledge Conference (OKCon)
http://okcon.org/

18-20 September 2013, Berlin, Germany
8th International Conference of Information Commissioners (ICIC 2013)
http://www.info-commissioners.org/index.php/blank-menu/281-8th-international-conference-of-information-commissioners-icic-2013-germany

23-26 September 2013, Warsaw, Poland
Public Voice Conference 2013
35th International Data Protection and Privacy Commissioners conference
http://www.giodo.gov.pl/259/id_art/762/j/en/

24-25 September 2013, Brussels, Belgium
EU hackathon - hack4yourrights
This year’s theme is privacy
http://2013.euhackathon.eu/

27-30 September 2013, Brussels, Belgium
Freedom not Fear 2013
http://www.freedomnotfear.org/
http://www.freedom-not-fear.eu

22-25 October 2013, Bali, Indonesia
Internet Governance Forum 2013
http://igf2013.or.id/

25-27 October 2013, Siegen, Germany
Cyberpeace - FIfF Annual Meeting 2013
http://www.fiff.de/

22-24 January 2014, Brussels, Belgium
CPDP 2014: Reforming data protection: The Global Perspective
http://www.cpdpconferences.org/

24-25 April 2014, Barcelona, Spain
SSN 2014: Surveillance Ambiguities & Asymmetries
http://www.surveillance-studies.net/documents/cfp_SSN2014_Barcelona_final.pdf

=======================================================================
12. About

EDRi-gram is a biweekly newsletter about digital civil rights in Europe.
Currently EDRi has 35 members based or with offices in 21 different
countries in Europe. European Digital Rights takes an active interest in
developments in the EU accession countries and wants to share knowledge
and awareness through the EDRi-gram.

All contributions, suggestions for content, corrections or agenda-tips
are most welcome. Errors are corrected as soon as possible and are
visible on the EDRi website.

This EDRi-gram has been published with financial support from the EU's
Fundamental Rights and Citizenship Programme.

Except where otherwise noted, this newsletter is licensed under the
Creative Commons Attribution 3.0 License. See the full text at
http://creativecommons.org/licenses/by/3.0/

Newsletter editor: Bogdan Manolea

Information about EDRi and its members:
http://www.edri.org/

European Digital Rights needs your help in upholding digital rights in
the EU. If you wish to help us promote digital rights, please consider
making a private donation.
http://www.edri.org/about/sponsoring
http://flattr.com/thing/417077/edri-on-Flattr

- EDRI-gram subscription information

Subscribe by e-mail
To: [email protected]
Subject: subscribe

You will receive an automated e-mail asking to confirm your request.

Unsubscribe by e-mail
To: [email protected]
Subject: unsubscribe

- EDRI-gram in Macedonian

EDRI-gram is also available partly in Macedonian, with delay.
Translations are provided by Metamorphosis
http://www.metamorphosis.org.mk/mk/vesti/edri

- EDRI-gram in German

EDRI-gram is also available in German, with delay. Translations are
provided by Andreas Krisch from the EDRI-member VIBE!AT - Austrian
Association for Internet Users
http://www.unwatched.org/

- Newsletter archive

Back issues are available at:
http://www.edri.org/edrigram

- Help

Please ask if you have any problems with subscribing
or unsubscribing.