

June 14, 2013 | Peter Bradwell

EU Commission caved to US demands to drop anti-PRISM privacy clause

...and how European policy makers can undo their mistake.

Reports this week revealed that the US successfully pressed the European Commission to drop sections of the Data Protection Regulation that would, as the Financial Times explains, “have nullified any US request for technology and telecoms companies to hand over data on EU citizens.”

The article (as you can read below) would have prohibited transfers of personal information to a third country under a legal request, for example the one used by the NSA for their PRISM programme, unless “expressly authorized by an international agreement or provided for by mutual legal assistance treaties or approved by a supervisory authority.”

The relevant section is Article 42, which you can read in a leaked draft Data Protection Regulation from late 2011, available from State Watch.

The Article was deleted from the draft Regulation proper, which was published shortly afterwards in January 2012. The reports suggest this was due to intense pressure from the US. Commission Vice-President Viviane Reding favoured keeping the clause, but other Commissioners seemingly did not grasp the significance of the article. The FT explains:

“the move came after repeated visits to Brussels by senior Obama administration officials, including Cameron Kerry, the commerce department’s top lawyer and brother of US secretary of state John Kerry, who chairs an inter-agency task force responsible for vetting EU data-exchange laws.”

In the wake of the PRISM stories and increased awareness of the powers available to the NSA through "FISAAA" (the law enabling the PRISM programme), this looks like a major error of judgment – surrendering Europeans' data and, potentially, damaging the competitive advantage that cloud services based within the EU could have offered.

In response to such strong public concerns, and the fact that EU citizens have no rights protecting their data under FISAAA, the Commission and other European policy makers need to show some leadership and stand up for the citizens they are supposed to represent, by reinstating the Article.

This is the second example that we have publicised this week of European policy makers weakening the Data Protection Regulation and thus making the NSA FISAAA surveillance on European citizens easier. We blogged this week about Baroness Ludford's amendment that would delete your right to know if your data will be transferred to a third country or international organisation. We hope the Baroness withdraws this amendment.

We thought it would be helpful to post up the relevant deleted sections, which are copied below. The full leaked Regulation that includes Article 42 is available from State Watch.

For an introduction to the FISAAA law, watch the video of Caspar Bowden's excellent ORGCon talk on this.  

From the introduction:

"Article 42 clarifies that in accordance with international public law and existing EU legislation, in particular Council Regulation (EC) No 2271/9633, a controller operating in the EU is prohibited to disclose personal to a third country if so requested by a third country's judicial or administrative authority, unless this is expressly authorized by an international agreement or provided for by mutual legal assistance treaties or approved by a supervisory authority."

Article 42

Disclosures not authorized by Union law

1. No judgment of a court or tribunal and no decision of an administrative authority of a third country requiring a controller or processor to disclose personal data shall be recognized or be enforceable in any manner, without prejudice to a mutual assistance treaty or an international agreement in force between the requesting third country and the Union or a Member State.

2. Where a judgment of a court or tribunal or a decision of an administrative authority of a third country requests a controller or processor to disclose personal data, the controller or processor and, if any, the controller's representative, shall notify the supervisory authority of the request without undue delay and must obtain prior authorisation for the transfer by the supervisory authority in accordance with point (b) of Article 31(1).

3. The supervisory authority shall assess the compliance of the requested disclosure with the Regulation and in particular whether the disclosure is necessary and legally required in accordance with points (d) and (e) of paragraph 1 and paragraph 5 of Article 41.

4. The supervisory authority shall inform the competent national authority of the request. The controller or processor shall also inform the data subject of the request and of the authorisation by the supervisory authority.

5. The Commission may lay down the standard format of the notifications to the supervisory authority referred to in paragraph 2 and the information of the data subject referred to in paragraph 4 as well as the procedures applicable to the notification and information. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).


June 13, 2013 | Peter Bradwell

Baroness Ludford's proposals take away your privacy choices

Many amendments proposed by Liberal Democrat MEP Baroness Ludford to the Data Protection Regulation would leave us with less control of our personal information. In this post, we focus on consent and loopholes.

Yesterday we wrote about Baroness Ludford's amendment to the Data Protection Regulation (amendment number 1210) that would mean your data could be transferred to a third country or international organisation without you being told. In the light of the PRISM revelations, we suggested this amendment should be withdrawn.

Baroness Ludford proposed a number of other amendments that we believe would seriously weaken the Regulation and undermine the control people have over their data. In this post, we focus on two other topics – consent, and loopholes. (Overall the Baroness proposed 113 amendments – you can read them all on EDRi have analysed all the amendments too.)

1. Consent

The draft Regulation defines consent as having to be 'explicit'. However, in her proposed amendment 762, the Baroness removes words including 'explicit', leaving us with a much weaker definition. Here is the amendment:

Amendment 762
Article 4 – paragraph 1 – point 8

(8) ‘the data subject’s consent’ means any freely given specific, [DELETED: informed and explicit] [INSERTED: and informed] indication of his or her wishes by which the data subject, [DELETED: either by a statement or by a clear affirmative action,] signifies agreement to personal data relating to them being processed;

Consent is one of the legal bases of processing. It is frequently abused, especially online, where collection is often based on vague or confusing language. Sometimes businesses say it is enough that someone's behaviour – for example signing up to a website – implies that they consent to the use of their data.

Removing the word 'explicit' or replacing the definition with vaguer language would allow companies to continue to assume consent has been given. They would be able to continue to assume you have 'implied' your consent, or to include consent language in hard-to-understand terms and conditions. Implied consent is effectively what we have now in the UK, and it has allowed companies to basically make it up as they go along.

As we mentioned yesterday, in an article for LibDem Voice Baroness Ludford cites the European consumer organisation BEUC's position on consent in support of her position. In a response sent to members of the LIBE Committee, BEUC have been strongly critical, adding that it was “to their dismay...that...(she) referred to our position on ‘consent’ in isolation and without referring to the points included in the BEUC position.” BEUC go on to say that other amendments proposed by the Baroness would “systematically reduce the level of protection that consumers in the UK and elsewhere enjoy”.

2. Creating broad loopholes

The proposed Regulation as it stands would also make sure that those wishing to gather and use data can only do so if they satisfy one of six grounds. Amendments that widen these grounds create a risk that it will be too easy for businesses or organisations to use data in ill-defined ways, or in ways that people can't control.

Some of the Baroness' amendments do just that. Amendment 862 would permit processing simply on the basis of industry codes of practice – taking your consent away from you on the basis of an agreement put together by businesses – for example, advertising companies – in which they merely promise to play by the rules.

Amendment 862
Article 6 – paragraph 1 – point c

(c) processing is necessary for compliance with a legal obligation [INSERTED: or regulatory rule or industry code of practice, either domestically or internationally,] to which the controller is subject;

Further, we are concerned about amendment 876, which potentially means that data controllers – meaning Facebook, Google or Experian – could make assumptions about what people's 'legitimate expectations' regarding the efficient delivery of a service are, and use personal data on that basis. This should not be a decision in the hands of the data controller.

Amendment 876
Article 6 – paragraph 1 – point f

(f) processing is necessary for the purposes of the legitimate interests pursued by a controller [INSERTED: such as to detect crime or to prevent crime, fraud, loss or harm or to meet the legitimate expectations of the data subject in the efficient delivery of the service], except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.


There are two further reasons, on top of amendment 1210, that we remain concerned about the damage the Baroness' amendments will do to our privacy rights. We do not believe this is an overreaction. We'll post some more tomorrow.

You can contact your MEPs on our campaign website to ask them to respect our privacy rights - just visit


June 13, 2013 | Jim Killock

Website filtering problems are a “load of cock”

On Tuesday, I spoke at an event organised by the Sunday Times and Policy Exchange about online pornography and child protection. This was in the run-up to the opposition debate that took place in Parliament on Wednesday on these topics.

The motion laid down by Labour says:

That this House deplores the growth in child abuse images online; deeply regrets that up to one and a half million people have seen such images; notes with alarm the lack of resources available to the police to tackle this problem; further notes the correlation between viewing such images and further child abuse; notes with concern the Government's failure to implement the recommendations of the Bailey Review and the Independent Parliamentary Inquiry into Online Child Protection on ensuring children's safe access to the internet; and calls on the Government to set a timetable for the introduction of safe search as a default, effective age verification and splash page warnings and to bring forward legislative proposals to ensure these changes are speedily implemented.

The "1.5m" statistic has been debunked elsewhere, but the alarming point here is the deliberate conflation of child abuse images and legal material, potentially accessed by children. The motion slips from talking about child abuse images, to 'safe searches' to protect children from seeing adult material. Just as worrying is the adoption of a position in favour of default blocking by Labour. You can read a transcript of the debate on Hansard.

Claire Perry at Policy Exchange (photo: Policy Exchange, CC-BY)

This is a symptom of a wider problem with this debate - a failure to properly distinguish between different categories of content, and the different methods of dealing with them.  That requires at least some understanding of the technology - the details matter.

A further problem is an unwillingness from some MPs to appreciate or even acknowledge the problems with technical solutions. In the debate on Tuesday, I tried to outline the problems with filtering, including the over and under-blocking of content.

Claire Perry helpfully described such problems as a "load of cock". Helpfully, because such a comment would be very likely to be caught by a filter and cause it to be blocked, while not, of course, being pornographic.

Claire also got applause for suggesting that blocked websites were simply collateral damage necessary to protect children. This is the kind of woolly thinking that thankfully got rejected by her government, which recognised that economic harm stems from blocking legitimate websites, for instance. After all, if you can protect children, and avoid blocking for adults, why not? Can some balance not be struck?

Unfortunately, in the eyes of many MPs, arguing for balance is betraying children. If any children can access more porn than we can technically prevent, then we have failed. Of course, filters don't always work and can be easily got round, but if our solution helps a bit, surely that is better than nothing?

These kinds of position, once you examine them, are pretty incoherent. Filters that don't work well will probably get switched off. Defaults that block too much may encourage people to remove the filters. Parents may assume their children are safe when filters are switched on. Software design is iterative not legislative; yet legislation is often favoured over industry engagement.

The child protection debate over the last two years has won Claire Perry many friends, who believe she has raised the profile of an issue and got results. Certainly, the fact that ISPs are building network level filters points to this, but I was intrigued by a question at the debate on Tuesday. Apparently children are installing Chrome, because it was suggested that helps them access porn sites and gets round filters.

We did try to tell Claire this kind of thing would happen, before she persuaded ISPs to spend millions of pounds on network filters. Even with filters, if parents leave children with admin privileges, they will be able to use their computers to trivially defeat any blocks. Some MPs in the debate in Parliament suggested only 'very clever' folk will be able to get round filtering. This isn't true – most children will find this easy.

Which leaves us with the harms on all sides, to websites, adults and children, without the supposed benefits.

Labour have essentially made the same mistake as Culture Secretary Maria Miller's letter to online companies, in which she invited Internet companies to a proposed 'summit':

Recent horrific events have again highlighted the widespread public concern over the proliferation of, and easy access to, harmful content on the internet. Whether these concerns focus on access to illegal pornographic content, the proliferation of extremist material which might incite racial or religious hatred, or the ongoing battle against online copyright theft, a common question emerges: what more can be done to prevent offensive online content potentially causing harm?

It is clear that dangerous, highly offensive, unlawful and illegal material is available through basic search functions and I believe that many popular search engines, websites and ISPs could do more to prevent the dissemination of such material.

The debate and letter confuse legal, illegal and potentially harmful content, all of which require very different tactics to deal with. Without a greater commitment to evidence and rational debate, poor policy outcomes will be the likely result. There's a pattern, much the same as the Digital Economy Act, or the Snooper's Charter.

Start with moral panic; dismiss evidence; legislate; and finally, watch the policy unravel, either delivering unintended harms, even to children in this case, or simply failing altogether.

ORG, Index on Censorship, English PEN and Big Brother Watch have written to the Culture Secretary Maria Miller demanding that civil society be present at her 'summit', to make sure these issues are addressed. We have yet to receive a reply.


June 12, 2013 | Ruth Coustick-Deal

PRISM, Free speech and creativity: Looking back on ORGCon2013

Thanks to all who came along to ORGCon2013! ORG have a summary of the major sessions, plus details on where you can find more on the sessions you missed.

Open Rights Group’s third national conference took place last weekend at the Institute of Engineering and Technology, with a fantastic set of speakers and hundreds of attendees.

Thank you to all who came along, we hope you had a great event!

Due to recent news there was a big buzz around digital rights issues, especially privacy and surveillance, at this year’s ORGCon. The day was full of energetic debate on a diverse range of topics and was not without a fair share of controversy. With five sessions happening simultaneously, we only regret we couldn’t witness it all! There were some recurring themes and certain topics that sparked much debate. Clearly PRISM was the issue on everyone’s minds, but topics of free speech, including its relationship to copyright, feminism, social media and the child’s right to know, were also a big area of contention.

The day kicked off with Tim Wu’s keynote speech on The Digital Rights Movement. Wu described how new technologies and movements have a tendency towards centralisation, but that the Internet has the capability to break out of that pattern, especially due to its communication power to allow consumers and rights activists to develop alternatives and share lo-tech ideas. Nevertheless, he left delegates with the warning that ‘any device designed to liberate can be used to enslave.’

Caspar Bowden presenting on FISAA

Caspar Bowden, privacy expert, spoke to an attentive audience keen to hear his insights on FISAAA, Data Protection and PRISM or ‘How to wiretap the Cloud (without almost anybody noticing).’ Bowden began with a disclaimer that he had not known about PRISM, but deduced what was going on from open sources. Bowden explained how UK citizens have no right to privacy under the 4th Amendment, a subject that was brought up again in John Perry Barlow’s closing speech. You can read the slides of Caspar’s presentation here and watch his talk here.

Creative Citizens panel

The Creative Citizens panel session was as lively as promised, with Steve Lawson, Diane Duane and Simon Indelicate sharing their experiences of how the Internet is changing the creative industries and what it means to be an artist. They took the perspective that it isn’t so much winning at the Internet that is important, but the way in which the Internet allows you to be a failure on such a large scale that it can begin to seem like a new kind of success. As musicians begin to pave their own way and take control of their own marketing, Lawson suggested there might be a market for digital story-tellers or documenters, as the outlook appears grim for artists who are yet to get their heads around Twitter.

This year’s ORGCon for the first time featured a series of ten-minute rapid-fire talks, and this session was one of the highlights of the day. The talks were a great opportunity for ORG supporters to address the conference and get their point across snappily. In her stand-out talk ‘When Worlds Collide’, Milena Popova shared her experience of the tensions between feminism and digital rights activism, calling for the digital rights community to “reach out beyond our bubble of geeks in black t-shirts and make this a welcoming community for everyone.” These sessions were a quick introduction to lots of new projects and threats. For instance, Tanya O’Carroll’s talk on Panic Button, Amnesty International’s new app, got a lot of interest from developers looking to contribute to the project, and Richard King gave a useful overview of how to start up an ORG group. Take a look at his blog and get involved.

John Perry Barlow presenting at ORGCon2013

In the closing keynote John Perry Barlow re-asserted the utopian possibilities of the Internet in his speech ‘The Freedom to Know’. Barlow, making a case for radical transparency, asserted that privacy is contextual, making the bold claim that the loss of privacy that the Internet brings may lead to a greater acceptance of our individual idiosyncrasies, face tattoos and all. He took a great range of questions and spoke on issues from the un-taxability of bitcoins to the Internet as a threat to monotheism, on collective ways to assure human rights and on American civil liberties campaigners' attitude to the threat to world-wide privacy from FISAA.

If you missed out on the day, and want more of a round-up, there are lots of other ways you can go over the material. Watch Caspar Bowden’s talk on FISAA right now, follow the hashtag #orgcon, look at the photos on Flickr and keep an eye out for the upcoming videos of the main sessions, where you can watch a lot of the event.

If you have written a blog or report on ORGCon we would love to share it and hear your thoughts, so please let us know. If you have any specific feedback on orgcon, please email - A questionnaire for all attendees will be out soon.


Read more blogs on ORGCon!

Milena Popova:

Ray Corrigan:

Andrew McStay:



June 12, 2013 | Peter Bradwell

Baroness Ludford amendment - opening the door to FISAAA?

Liberal Democrat MEP Baroness Ludford has proposed an amendment to the Data Protection Regulation that would mean your data could be transferred to the USA without you being informed.

Baroness Sarah Ludford MEP

Baroness Ludford, by ALDE, cc-by-nc-sa

The UK Liberal Democrat MEP Baroness Ludford has recently published an article in LibDem Voice accusing the Open Rights Group of "overreacting" to a letter she had written to the Financial Times.

In late March ORG wrote an article for the same Lib-Dem blog pointing out that in her letter to the Financial Times, the Baroness had failed to mention the interests of citizens. Instead Baroness Ludford highlighted the well-known concerns of some technology companies – roughly, that the new rules will stifle internet businesses.

But there is more to our concern than the contents of that letter. The Baroness proposed 113 amendments to the draft Regulation [Correction 12/6: the correct number is 129]. You can read all of them on Parltrack. (We'll be putting up an analysis of more of these shortly). These include proposals that we believe would severely undermine people's privacy rights and leave them with less control over their data. 

For instance, the Baroness is behind amendment number 1210.

This removes the right to know if your data might be transferred to a third country or international organisation.  It does this by deleting the following bit of the proposed Regulation:

Article 14 – paragraph 1 – point g
(g) where applicable, that the controller intends to transfer to a third country or international organisation and on the level of protection afforded by that third country or international organisation by reference to an adequacy decision by the Commission;

It hardly needs spelling out given the recent news about PRISM and state surveillance, but knowing which companies or countries your data might be moved to is likely to increasingly be a fundamental consideration for someone deciding whether to share personal data.

EDRi challenged Baroness Ludford on Twitter to withdraw this amendment in light of the PRISM revelations, yet she refuses to do so:

@EDRi_org: .@SarahLudfordMEP Will you withdraw your AM 1210 that removes obligations to inform if data will be transferred abroad? #prism #eudatap

@SarahLudfordMEP: @EDRi_org: prob is that it's not only 'transferred' data at risk of FISA orders. Glad @VivianeRedingEU pressing Holder, long overdue

@EDRi_org: .@SarahLudfordMEP You won't withdraw AM1210? You seriously want to create a right to export data without telling anyone? #eudatap #prism

This is one reason that we do not believe that ORG and Privacy International have been overreacting, as the Baroness suggested. The Baroness has proposed some of the most damaging amendments we have seen, potentially weakening the definition of consent, creating quite broad loopholes permitting the use of data without consent, and reducing the information people receive when data about them is collected. 

It was no real surprise to see that the Baroness was recently ranked sixth on the list of MEPs who had proposed the most damaging amendments following analysis reported on the website

In her article Baroness Ludford also cites the European consumer organisation BEUC's position on consent in support of her position. In a response sent to members of the LIBE Committee, BEUC have been strongly critical, adding that it was “to their dismay...that...(she) referred to our position on ‘consent’ in isolation and without referring to the points included in the BEUC position.” BEUC go on to say that other amendments proposed by the Baroness would “systematically reduce the level of protection that consumers in the UK and elsewhere enjoy”.

We will continue looking at her (many) other damaging amendments in a follow-up post.


June 12, 2013 | Rachel Wemyss

Caspar Bowden - How to wiretap the Cloud (without almost anybody noticing)

Independent privacy advocate and ex-Microsoft employee Caspar Bowden gives the crucial legal context to PRISM and FISAAA. Bowden explains how the 4th Amendment does not apply to non-US citizens, leaving the US government able to conduct mass surveillance of the cloud. This timely ORGCon2013 talk is essential viewing!


June 10, 2013 | Jim Killock

What William Hague and Theresa May need to tell us

While admiration for Edward Snowden's whistleblowing grows in the USA and abroad, in the UK we are listening to Sir Malcolm Rifkind and William Hague with increasing scepticism.

It seems obvious that our security services will have received information from these trawling and retention systems, and equally it would be a little surprising if they had broken international law. The government must answer these questions, especially to tell us what they knew, but Sir Malcolm Rifkind insisting that ministerial warrants would be required seems tiresome and a way of avoiding the real point.

The government cannot simply insist that US-based surveillance, which is both secret and pervasive, is just a US problem. PRISM in particular seems to be targeted at non-US citizens, for very broad 'foreign policy' considerations. Additionally, the legal position in the US is that there are no constitutional protections for non-US citizens. Caspar Bowden outlined these points in detail (PDF) at ORGCon on Saturday.

Our UK government must have known about US FISAA powers, and most likely the kind of programmes that the new law was creating.

When Parliament thought about a similar problem in preparation for the UK census, they were alarmed and took action. The Patriot Act allows data to be 'seized' secretly under National Security Letters. Parliament asked that the US contractor, Lockheed Martin, be prevented from handling census data, to avoid the possibility that data might be seized and copied under the Patriot Act. Parliament won that battle.

What William Hague and Theresa May should have been doing was making sure that our businesses and citizens knew to shelter from FISAAA powers. They should have been attempting to strengthen our data protection arrangements, or ensuring through procurement that all personal data the government keeps is kept out of the USA, until more reasonable laws are in place.

Instead, their reaction seems to have been to push ahead with our own UK version, in the Snooper's Charter. Frightening and unaccountable US powers seem merely to have inspired in Theresa May the desire to replicate them here.

Laws are meant to guarantee reasonable behaviour. Once secrecy around their interpretation, implementation and use is complete, it should be no surprise that powers get out of control. A lot of this secrecy exists in the UK at present: we do not know which companies retain data, nor whose data is accessed. There is no individual notification; nor court supervision of access. During the Snooper's Charter debate, the Home Office was extraordinarily reluctant to discuss the problems they believed they had, citing national security instead. For FISAAA, the government did nothing to encourage sensible analysis of what this should mean for UK citizens', journalists' and businesses' confidentiality.

The ability of government institutions to turn a blind eye and ignore such serious problems, to the point that our trust in them is dealt a terrible blow, is a failure of leadership. Now our politicians must live up to their duty, and turn their attention to ways to protect British and European citizens from US-based warrantless surveillance.

UK politicians should demand:

  1. That US law recognises the human rights of foreign citizens, in particular their right to privacy
  2. That EU Data Protection requires EU standards of privacy from US companies; or warns when this cannot be guaranteed
  3. That UK and EU procurement be designed to protect personal data from warrantless US surveillance



June 07, 2013 | Jim Killock

Advisory Council nominations

Are you an expert in digital issues, civil liberties or campaigning? Or do you know who should be helping us form policy and campaign strategy?

Once a year, ORG recruits experts to our Advisory Council. This is your chance to help us be the most expert and forward-thinking digital civil liberties organisation in the UK. Send nominations to

This year we particularly want

  1. Privacy experts, in data protection, surveillance laws and digital privacy
  2. People with a legal background
  3. People with a strong background in copyright reform
  4. Campaigners
  5. People with experience in FOI, Subject Access Requests, media work
  6. Journalists and investigative journalists
  7. People with senior political contacts in the Labour, Lib Dem and Conservative parties

Please send us your nominations!

