The eYouGuide, Europe's first online tool giving consumers practical advice on their "digital rights" under EU law is now available in 10 languages. "The eYouGuide was launched in Strasbourg on 5 May 2009 (see IP/09/702). The guide provides information on a number of issues related to online activities, such as shopping online, networking, uploading and downloading content and making online payments, just to mention a few. It is meant as a tool to improve consumers' awareness and confidence in the digital environment. The website will be updated and extended to more EU languages at the beginning of 2010."

Review of the European Data Protection Directive, by Neil Robinson, Hans Graux, Maarten Botterman, Lorenzo Valeri

Database State, Executive Summary and Full Report - By Ross Anderson, Ian Brown, Terri Dowty, Philip Inglesant, William Heath, Angela Sasse, Foundation for Information Policy Research (March 2009)

News release, September 29, 2008: "Europe could take the lead in the next generation of the Internet. The European Commission today outlined the main steps that Europe has to take to respond to the next wave of the Information Revolution that will intensify in the coming years due to trends such as social networking, the decisive shift to on-line business services, nomadic services based on GPS and mobile TV and the growth of smart tags. The report shows that Europe is well placed to exploit these trends because of its policies to support open and pro-competitive telecom networks as well as privacy and security. A public consultation has been launched today by the Commission on the policy and private sector responses to these opportunities. The Commission report also unveils a new Broadband Performance Index (BPI) that compares national performance on key measures such as broadband speed, price, competition and coverage. Sweden and the Netherlands top this European broadband league, which complements the more traditional broadband penetration index used so far by telecoms regulators."

• The Commission Communication on Future networks and the Internet
  
• The public consultation on the Internet of Things
  
• Press factsheet: Broadband Performance Index - Monitoring high-speed Internet access in the EU

Official Google Blog: "we're announcing a new logs retention policy: we'll anonymize IP addresses on our server logs after 9 months. We're significantly shortening our previous 18-month retention policy to address regulatory concerns and to take another step to improve privacy for our users."

Freedom, Security, Privacy – European Home Affairs in an open world - Report of the Informal High Level Advisory Group on the Future of European Home Affairs Policy ("The Future Group"), June 2008

EPIC: "The International Working Group On Data Protection in Telecommunications has released a report and guidance (pdf) on privacy in social networking services. The report identifies risks to privacy and security, and provides guidance to regulators, service operators and users to counter these risks. Risks include the large amount of data collection; the misuse of profile data by third parties; insecure infrastructure and application programming interfaces. Regulators should ensure openness, and oblige data breach notification. Providers must be transparent; live up to promises made to users; and use privacy friendly defaults. Privacy and consumer groups are also
recommended to raise the awareness of regulators, providers and the general public."

Barry Steinhart, director of the ACLU Technology & Liberty Project: April 16, 2008 Letter from the ACLU to the President of the European Union's Article 29 Working Group urging investigation of NSA spying.

Legally eHealth: Putting eHealth in its European Legal Context. Legal and regulatory aspects of eHealth Study report March 2008.

EPIC: "European privacy officials have established "a clear set of responsibilities" on search engine companies regarding their handling of user data. The opinion, issued by the Article 29 Working Group, states that the European Union Data Protection Directive requires search engines to "delete or irreversibly anonymise personal data once they no longer serve the specified and legitimate purpose" for which they were collected. This requirement has particular significance for search engines, because European privacy rules classify Internet Protocol (IP) addresses as "personal data." The opinion further holds that European privacy laws generally apply to search engines "even when their headquarters are outside [Europe]," and requires that search engines must delete personal data within six months of collection. Earlier this year, EPIC urged the European Parliament to protect the privacy of search histories. For more information, see EPIC's Search Engine Privacy page."

Cybercrime Legislation - Country profiles: "These profiles have been prepared within the framework of the Council of Europe’s Project on Cybercrime in view of sharing information on cybercrime legislation and assessing the current state of implementation of the Convention on Cybercrime under national legislation. They do not necessarily reflect official positions of the countries covered or of the Council of Europe."

Follow up to previous postings on the Google-DoubleClick merger, this announcement today from Eric Schmidt, Google Chairman and CEO: "I'm pleased to share the news that we completed our acquisition of DoubleClick today. Although it's been nearly a year since we announced our intention to acquire DoubleClick last April, we are no less excited today about the benefits that the combination of our two companies will bring to the online advertising market."

"The Safer Internet plus programme aims to promote safer use of the Internet and new online technologies, particularly for children, and to fight against illegal content and content unwanted by the end-user, as part of a coherent approach by the European Union."

Press release: "In connection with the 5th Safer Internet Day1 on 12 February 2008, Eurostat, the Statistical Office of the European Communities, presents a selection of statistics concerning internet activities, security concerns and virus attacks. The Safer Internet Day is part of a global drive to promote a safer Internet for all users, in particular younger people, and is organised by Insafe, a European internet safety network co-funded by the European Commission...In the EU27 in 2007, nearly a quarter of internet users had had a computer virus in the preceding 12 months, which resulted in a loss of information or time. Virus attacks were most frequent in Lithuania (41% of users), Slovenia (35%) and Malta (34%) and least common in the Czech Republic (7%), Estonia (15%) and Sweden (16%)."

"The aim of the Data Protection Day is to give European citizens the chance to understand what personal data is collected and processed about them and why, and what their rights are with respect to this processing. They should also be made aware of the risks inherent and associated with the illegal mishandling and unfair processing of their personal data. The objective of the Data Protection Day is therefore to inform and educate the public at large as to their day-to-day rights, but it may also provide data protection professionals with the opportunity of meeting data subjects."

European Security Research Agenda: European Commission Working documents: Public-Private Dialogue in Security Research and Innovation: Summary of the Impact Assessment (SEC (2007); Public-Private Dialogue in Security Research and Innovation: Impact Assessment (SEC (2007)

Heise Online: "The world's number one search engine Google is calling for international standards for data protection. "Three quarters of the countries in the world have no privacy regimes at all", Peter Fleischer, Google's Privacy Chief, explained at a conference organized by UNESCO, the UN's Education, Science, and Culture Organization, on the topic of "Internet Ethics". What's worse, Fleischer pointed out that even the countries in Europe and the OECD (Organization for Economic Collaboration and Development) that do have such laws wrote them up back when the Internet did not have the impact it currently does."

Press release: "Secretary Michael Chertoff made the following statement: "I am pleased to have signed an important agreement with the European Union today that will allow the Department of Homeland Security to continue using Passenger Name Record (PNR) data as an essential screening tool for detecting potentially dangerous transatlantic travelers."

Follow up to the Google DoubleClick Merger In the News, from EPIC: The European Commission Directorate on Competition will review Google's $3.1 billion merger with internet advertising company DoubleClick. The news comes a few days after European consumer group BEUC sent a letter (pdf) urging Commission to investigate the merger. The Article 29 Data Protection Working Party recently expanded (pdf) an investigation of Google's data retention policies to include the policies of all search engines. The U.S. Federal Trade Commission also is reviewing the merger."

EPIC reports: "Google will cut the period that it retains user data from a maximum of 24 months to a maximum of 18 months, the company said in a letter (pdf) to the Article 29 Data Protection Working Party. Last month, the Working Party began to investigate (pdf) Google's privacy practices and asked whether the company has "fulfilled all the necessary requirements" to abide by EU privacy rules. In its letter, Google did not adequately explain why it needed to retain user data for 18 or 24 months, except to vaguely say that the data would help Google build new services, possibly help prevent fraud and abuse, and that the U.S. and EU member states might impose a 24-month retention requirement."

European Union Committee, Home Affairs (Sub-Committee F), The EU/US Passenger Name Record (PNR) Agreement, HL Paper 108 is published today Tuesday 5th June, 2007 (139 pages, PDF). [see also HTML version (browsable)]

"The Report on Digital Preservation, Orphan Works and Out-of-Print Works, Selected Implementation Issues is an advisory report on copyright issues to the European Commission, presented on 19 April by the EU's High Level Expert Group on Digital Libraries - which includes, inter alia, stakeholders from the British Library, the Deutsche Nationalbibliothek, the Federation of European Publishers and Google."

Taking steps to further improve our privacy practices: Posted by Peter Fleischer, Privacy Counsel-Europe, and Nicole Wong, Deputy General Counsel: "When you search on Google, we collect information about your search, such as the query itself, IP addresses and cookie details. Previously, we kept this data for as long as it was useful. Today we're pleased to report a change in our privacy policy: Unless we're legally required to retain log data for longer, we will anonymize our server logs after a limited period of time. When we implement this policy change in the coming months, we will continue to keep server log data (so that we can improve Google's services and protect them from security and other abuses)—but will make this data much more anonymous, so that it can no longer be identified with individual users, after 18-24 months...Just as we continuously work to improve our products, we also work toward having the best privacy practices for our users. This includes designing privacy protections into our products (like Google Talk's “off the record” feature or Google Desktop’s “pause” and “lock search” controls). This also means providing clear, easy to understand privacy policies that help you make informed decisions about using our services. After talking with leading privacy stakeholders in Europe and the U.S., we're pleased to be taking this important step toward protecting your privacy. By anonymizing our server logs after 18-24 months, we think we’re striking the right balance between two goals: continuing to improve Google’s services for you, while providing more transparency and certainty about our retention practices. In the future, it's possible that data retention laws will obligate us to retain logs for longer periods. Of course, you can always choose to have us retain this data for more personalized services like Search History. But that's up to you. Our engineers are already busy working out the technical details, and we hope to implement this new data policy over the coming months (and within a year's time). We’ll communicate more as we work out these details, but for now, we wanted you to know that we’re working on this additional step to strengthen your privacy. If you want to know more, read the log retention FAQ (PDF)."

"The European Commission in co-operation with the Member States has finalised the roadmaps for the action plans on Pan-European Electronic Identity Management, Electronic Procurement and Inclusive eGovernment. In view of the continuous and fast evolution in these areas, we shall conduct an annual revision of these roadmaps.

Press release: "The Commission today called on all regulatory authorities and stakeholders in Europe to step up the fight against spam, spyware and malicious software. Despite existing EU legislation to outlaw spam in Europe, Europe continues to suffer from illegal online activities from inside the EU and from third countries, the Commission underlines in a new Communication. The Communication stresses that although internet safety is on the political agenda for some time, national authorities should step up their actions to prosecute illegal online activities."

Follow-up to previous postings on the SWIFT online financial cooperative network, this November 23, 2006 corporate press release:

Press release, November 23 2006: Ofcom [the regulator for the UK communications industries] today announced that the use of certain low power FM transmitters, which wirelessly connect MP3 players and other personal audio devices to radios and in-car entertainment systems, will be legal for use in the UK from 8 December 2006...in response to consumer demand Ofcom has led negotiations in Europe to develop a harmonised technical approach designed to limit the potential of interference to other wireless devices. The FM transmitters that meet these specifications, and which will be legal to use in the UK, will carry a CE mark indicating approval for sale in the European Union. Their use will be legalised under the Wireless Telegraphy (Exemption) (Amendment) Regulations 2006 which come into effect on 8 December. The regulations set out the technical specifications for FM transmitters."

Directive on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing (22 pages, PDF)

Opinion No. 37 / 2006 of 27 September 2006, O. Ref.: SA2 / A / 2006 / 037- CONCERNING: Opinion on the transfer of personal data by the CSLR SWIFT by virtue of UST (OFAC) subpoenas."During its session of 5th July 2006, the Commission had already made the decision to officially start an investigation into this case on grounds of article 32 § 1 DPL1, regarding the processing of personal data under the responsibility of SWIFT, a cooperative society under Belgian law, with headquarters in Belgium and with limited liability...As far as the communication of personal data to the UST is concerned, the Commission is of the opinion that SWIFT finds itself in a conflict situation between American and European law and that SWIFT at the least committed a number of errors of judgement when dealing with the American subpoenas. It must be considered a serious error of judgement on the part of SWIFT to subject a massive quantity of personal data to surveillance in a secret and systematic manner for years without effective grounds for justification and without independent control in accordance with Belgian and European law..."

EU - European Data Protection Supervisor: Annual Report for 2005 - Published August 2006 (125 pages, PDF)

BBC: "The European Court of Justice has annulled an EU-US agreement requiring airlines to transfer passenger data to the US authorities."

Commission Staff Working Directive, 20/1/06.

Nº 98/2005: 22 November 2005, Opinion of the Advocate General in cases C-317/04, C-318/04, Parliament/Council, Principles of Community law - press release - Advocate General Léger Proposed Annulment of the Commission and Council Decisions on Transfer to the American Authorities of Personal Information Concerning Air Passengers.

UK digital rights group sets up - "The main aims of the Open Rights Group are: to foster a grassroots community of campaigning volunteers; to connect journalists and the press with digital rights experts and activists."

The EDRI-gram newsletter reported on the release of the new EU Commission explanatory memorandum on data retention, July 20, 2005 (16 pages, PDF).

NewsForge has a detailed and very interesting posting on how a group of Italian attorneys have formed a consortium to facilitate the distribution of, and training programs about how to efficiently use open source applications for a range of document management applications as well as e-filing of court documents.

Jay Cline reviews a range of popular e-commerce websites that offer consumers a defined list of privacy protections and provides general scores for those that implement portions of the European privacy principles.

RFID Tags and Contactless Smart Card Technology: Comparing and Contrasting Applications and Capabilities

Consumer product manufacturer Procter & Gamble plans to implement data privacy protection software on its websites (numbering in the hundreds) to meet compliance requirements in Europe, which after testing, will be followed by rollouts in the U.S. and other countries.

2 Universities Team Up to Create Free, Open-Source Financial Software for Campuses

A Global Push to Protect Information Online

See the DHS press release, and the Fact Sheet: US-EU Passenger Name Record Agreement Signed. The transfer of data includes passenger email addresses, phone numbers and credit card information.

From Privacy International: "On May 17, 2004 the European Commission approved an agreement to transfer passenger details to the U.S. Department of Homeland Security, an agreement established in the name of, but that has little to do with, the war on terror." Privacy International has published this report, Transferring Privacy and Inadequate Adequacy, documenting what the organization contends entails the release of data to which the U.S. is not statutorily entitled.

From the French Republic, Ireland, the Kingdom of Sweden and the United Kingdom, date of receipt, 28 April 2004:

MEPs take on EU and US over air data deal:

From the World Privacy forum, this press release and letter (pdf) on behalf of a coalition of over two dozen privacy and advocacy groups, addressing Google's new webmail service, Gmail, specific to the retention and repurposing of user data for e-commerce and law enforcement applications.

From Statewatch, April 1:

The EU's Article 29 Working Party on data protection has produced a report on "Video Surveillance". The report sets out guidelines under the 1995 Directive on data protection in relation to surveillance by video cameras in public and work places. [Statewatch News Online] The report states that:

Quoting from the 16th December 2003 speech by Frits Bolkestein, Member of the European Commission in charge of the Internal Market, Taxation and Customs concering EU Data Protection:

With the expiration of an October 31 deadline for implementing the Directive on Privacy and Electronic Communications, the European Commission indicated that legal action against nine member states may be necessary to ensure their compliance. The directive addresses e-privacy issues that include spam, the use of cookies, and the protection of customer data by ISPs.

"As from today EU Member States must comply with the Directive on Privacy and Electronic Communications, which sets EU standards for the protection of privacy and personal data in electronic communications. The Directive includes basic obligations to ensure the security and confidentiality of communications over EU electronic networks, including internet and mobile services. It sets out specific conditions for installing so-called “cookies” on users' personal computers and for using location data generated by mobile phones. Notably, the Directive also introduces a 'ban on spam' throughout the EU." [Link]

From the Wall Street Journal, October 10:

Via Statewatch, this statement by the European Parliament on the need for strict restrictions on the collection, dissemination and maintenance of non-U.S. citizen personal data collected by airlines for transatlantic flights.

25th International Conference of Data Protection & Privacy Commissioners Sydney, 12 September 2003 - Resolution concerning the Transfer of Passengers’ Data.

From the independent group, the Foundation for Information Policy Research, this new guide, published September 8, Implementing the EU Copyright Directive, (128 pages, pdf). See this link for a table of contents to download specific sections in html, which include the following:

From Statewatch.com:

From European Digital Rights, an association of privacy and civil rights organizations in Europe:

Via StateWatch: The EU's Article 29 Data Protection Working Party has issued a strong report on access by the USA to personal data on passengers flying from the EU to the USA.

Copyright and licensing for digital preservation. "Libraries cannot preserve digital material they do not own. Adrienne Muir describes a new project to identify copyright and licensing issues that currently hinder digital preservation and looks at whether new legislation (UK) will help."

From Internet Magazine, news of the publication, by the UK Information Commissioner, responsible for data protection & freedom of information, of the third part of the Employment Practices Data Protection Code - Monitoring at Work, the Do's & Don't for workplace monitoring. Links to these documents, and to the other parts of the guide, are available here. Also see the Trades Union Congress website, called workSMART, that provides resources on workplace monitoring and internet policies.

From UPI: "A proposed European constitution...calls for an elected president of Europe and a binding bill of rights, but at Britain's insistence, it drops the notion of creating a federal "United States of Europe." An edited version of the draft is available here.

The full-text of the six documents (in pdf) are as follows:

European Digital Rights (EDRi), a non-profit coalition of privacy/advocacy groups based in Brussels, launched a campaign against the transfer of European travellers' Passenger Name Records (PNR) to U.S. Customs. See the following related documents:

Contrary to the EU Data Protection Directive (pdf), a recent study determined that approximately 44% of European websites surveyed lack required privacy protection policies. The results indicated the greatest complaince was evidenced by UK sites and the worst by French sites.

According to the Chronicle of Higher Education, the recently amended German Copyright Law (pdf - in German) now exempts universities from fees associated with providing students and scholars with copyrighted materials in a digital environment. For additional information, please see this April 10 posting from amiga-news.de, New Copyright as Good as Succeeded, which provides some additional background about the law, as well as a link to an article from the German IT news publication, Golem (no translation available), and one from Der Spiegel (also in German). Anyone who can provide translation assistance for the law and these articles for beSpacific readers, please contact me. My thanks in advance. See also this brief article, Germany trying to copy DMCA (in English).

See also my recent postings on U.S. copyright and distance learning issues here and here.

The Information Law Weblog was launched March 28, is by librarian/researcher/author Paul Pedley, and focuses on copyright, data protection and freedom of information issues in the UK. Well worth a visit. (Thanks to DC for the link.)

EPIC continues to expand its challenge to the CAPPS II System by documenting objections to the progam that impact European airline passengers, in a statement (pdf) submitted to the EU Committee on Citizens' Freedoms and Rights, Justice and Home Affairs for a hearing held March 25.

See also this announcement today: Spain proposes data on all airline passengers to be sent to law enforcement agencies and for extra checks on all foreign nationals entering the EU.

From StateWatch, this report (PDF) from the European Parliament's Committee on Citizens' Freedoms expressing strong concerns about the collection and use of EU passenger data by the INS and TSA.

See also How US Customs bounced the European Commission into a quick decision.

EU Ministers agreed to establish a new criminal offense, "illegally accessing an information system," which would include incarceration for "serious cases." The text of this new policy is buried on page 19 of this 27 page document (PDF), under the heading "Attacks Against Information Systems." See also this related article in today's New York Times, Europe Hacker Laws Could Make Protest a Crime.

See also a recent press release: European Commission proposes creation of Network Security Agency to boost Cyber Security in Europe.

The European Commission on Data Protection Working Party issued a new directive on January 29 addressing the protection of personal online data and the enforcement of IP rights. The Working Document, On-line Authentication Services, is here.

This recommendation to the Council of the European Union from 38 Members of Parliament from 7 political groups, conveys the groups opposition to the EU Data Directive which permits data mining, document retention and electronic surveillance programs involving citizens. The group states that these actions are "a violation of art. 8 of the European Court of Human Rights."

ZDNet UK is reporting that a coalition of prominent U.S. high tech companies, calling themselves the Global Privacy Alliance (no web site available) wants the EU to relax its data protection laws to stimulate international e-commerce through the transfer of personal data collected on customers.

StateWatch.org reports that the Commissioners' stated: "Where traffic data are to be retained in specific cases, there must therefore be a demonstrable need, the period of retention must be as short as possible and the practice must be clearly regulated by law, in a way that provides sufficient safeguards against unlawful access and any other abuse. Systematic retention of all kinds of traffic data for a period of one year or more would be clearly disproportionate and therefore unacceptable in any case."