CJEU invalidates Privacy Safe Harbour in Schrems-case – Highlights

6 Oct, 2015   | by:

Today the Court of Justice of the European Union (CJEU) invalidated Decision 2000/520 of the European Commission establishing a safe harbour for transferring personal data from the EU to the US. Furthermore, it clarified and strengthened the role of national Data Protection Authorities when such a safe harbour is issued. The judgment is explained by some highlights, and the post is concluded with the Commission’s response.

, , ,

Things that caught our eye

The end of anonymous domain registration?

23 Jun, 2015   | by:

The Internet Corporation for Assigned Names and Numbers (ICANN) is considering a change in policy concerning the way in which you can register a domain name. ICANN issued a report in 2013 in which it estimated that some 39% of all domain names is registered by a legal person, 33% by a natural person and some 20 % were registered using a privacy or proxy service. It is these latter 20% of registrations using a privacy service, which shields the personal information of the registrant, that the policy change will impact.

What does a privacy proxy service do?

When registering a domain name, the details provided by the registrar are published online for all to see. Anyone who types in a domain name on any whois service, can find out who registered the domain name, and how you can directly contact them (via telephone or postal address). This was particularly handy in the beginnings of the internet, when it was mainly universities and government agencies that were using this WHOIS database to contact one another, however, it has become a headache for some small and medium businesses and individuals these days who do not wish to have their information be published.

To shield this personal information from the public, privacy services or proxy services (the Service Provider) were created, which show the information of the Privacy Service as opposed to the person behind it (the Customer).

What are the proposed changes?

The changes proposed suggest (see in particular Annex E ) that a Service Provider may be required to disclose the information matters of a possible trademark infringer or copyright infringer, if they provide evidence of such alleged infringements. If a request for disclosure (by the Requester) is brought to the Service Provider, they must then promptly notify the Customer of the complaint and disclosure request. The Customer will then have 15 calendar days to respond. If the Customer considers there to be legitimate reason(s) to object to disclosure, they have to give these reasons to the Service Provider who will communicate these to the Requester. Disclosure cannot be refused any longer ‘solely for a lack of any of the following: (i) a court order; (ii) a subpoena; (iii) a pending civil action; (…) nor can refusal to disclose be solely based on the fact that the request is founded on alleged intellectual property infringement in content on a website associated with the domain name.’ The practice of requiring a court order for disclosing information the Privacy Service is protecting, is thus going to be curtailed by the proposed changes.

Public Comment – Consultation on proposed changes.

Not everyone is pleased with these proposals, and a group called ‘Save Domain Privacy’ set up a website where a petition is opened. The group plans on adding the signatures to their statement, which they’ll send in on 7 July 2015. This date is not chosen out of the blue, rather that is also the closing date for ICANN’s Public Comment on the proposal.

, ,

Things that caught our eye

Dear Google, tell us what you’re forgetting.

14 May, 2015   | by:

Today marks the one year anniversary of the Google Spain ruling on the ‘right to be forgotten’, or perhaps more accurately ‘the right to delist’. A cohort of 80 (internet) scholars and researchers led by Ellen P. Goodman and Julia Powles have penned an open letter to Google requesting the release of more specific data on their compliance with the ruling. The letter is published in the Guardian today.

They state:

Beyond anecdote, we know very little about what kind and quantity of information is being delisted from search results, what sources are being delisted and on what scale, what kinds of requests fail and in what proportion, and what are Google’s guidelines in striking the balance between individual privacy and freedom of expression interests.

In order to remedy this lack of information, the scholars present a 13 points long list in which they lay down the specifics of their request. Some of their points overlap with the guidelines published by the Article 29 Working Party on the Right to be Forgotten, though not all.

Read the letter to Google in full here.

Full disclosure: one of our own contributors (Stefan Kulk) is one of the undersigned.


Things that caught our eye

Privacy community to Dutch government: Please develop a vision on privacy (with us)

2 Apr, 2015   | by:

A broad coalition of privacy advocates has sent an open letter to the Dutch Minister of Security and Justice today, asking to suspend any activity on bills that: ‘lead to tracking of citizens without any specific and concrete suspicion against them,’ until the government has developed a ‘vision’ about privacy protection of citizens in the Dutch information society. This vision should then be the subject of a public debate facilitated by the Dutch Government, so that the Dutch people may have the fundamental discussion about privacy and technological development it never had. Preferably the debate would be held not only in Parliament, but also outside of Parliament.

The current bills of which they would like to see legislative action suspended until the public debate has taken place are:

  • The bill on Data Retention (a revised bill of the Act that was recently struck down)
  • The bill that would allow automatic numberplate recognition more extensively
  • The bill that would extend the ‘massive and unspecified internet tapping’ to be accessed by the Dutch Secret Service
  • The bill that would allow the police to hack, in the Act on Computercriminality III.
  • The proposed revision of the postal secret laid down in article 13 of the Dutch Constitution, and
  • The bills on source protection in free gathering of news.

This open letter is signed by a large group of privacy researchers, interest groups and groups such as Amnesty International (Netherlands), Bits of Freedom (the Dutch equivalent of the EFF), Dutch Association of Criminal Lawyers, Dutch Association of Journalists, Privacy First Foundation and many others. There is also a website where individuals may sign the letter.

Some of the aforementioned groups were also a party to the recent interim proceedings in which the Dutch Data Retention Act was struck down, (for more on that see our earlier post, with a translation of the ruling attached).

We will update this post with the response of the Government.

Read the open letter in Dutch here.


Things that caught our eye

Dutch Data Retention Act is Gone

11 Mar, 2015   | by:

Today the District Court of The Hague ruled the Dutch Data Retention Act inoperable in summary proceedings. You can find the Dutch judgment here. And for those not reading Dutch, we have made a quick unofficial (!) English translation of the judgment, which you can download here.

For many EU Member States it was clear that since the EU Court of Justice on 8 April 2014 had ruled the Data Retention Directive invalid, with retroactive effect, the national implementation laws would also be invalid. The Dutch government opted for a different strategy. It retained (pun intended) the law as is, while thinking about amending the law in the future.

This was deemed an unacceptable course of action by Privacy First, The Dutch Lawyers Committee on Human Rights, The Dutch Association of Journalists and three companies that are providers of telecommunication services and public telecommunication networks. They sued the Dutch State, and today they won.  More…

Things that caught our eye

Not all FTC Commissioners agreed to publication of FTC Internet of Things Report.

27 Jan, 2015   | by:

The US Federal Trade Commission (FTC) released a Staff Report [PDF] on the Internet of Things earlier today. The report is based on a workshop that the FTC had hosted in late 2013 and holds several recommendations for companies developing Internet of Things devices. Though many have already reported on the release, I would like to focus here on the separate statement [PDF] made by Maureen K. Ohlhausen and  the dissenting statement [PDF] made by Commissioner Joshua D. Wright. While the former had hesitations but supported the publication, the latter was clear in his opposition to publication of the report.

The Report’s recommendations
As the focus here is on the separate statments, I will suffice with the words from the FTC itself in its press release summarising its recommendations to companies developing IoT devices:

  • build security into devices at the outset, rather than as an afterthought in the design process;
  • train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;
  • ensure that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;
  • when a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
  • consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network;
  • monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.

The Separate Statement by Commissioner Maureen K. Ohlhausen
Though Commissioner Ohlhausen did vote in favour of publication of the report itself, she took the opportunity [PDF] to show her dissatisfaction with two of the staff report’s recommendations.

In her own words:

First, I do not support the recommendation for baseline privacy legislation because I do not see the current need for such legislation. The FTC’s Section 5 deception and unfairness authority already requires notice and opt-in consent for collecting consumers’ sensitive, personally identifiable information. It also protects against uses of personal information that cause substantial, unavoidable consumer harm not outweighed by benefits to consumers or competition. Furthermore, sector-specific laws, such as FCRA, provide additional protections for consumers. Thus, I question what current harms baseline privacy legislation would reach that the FTC’s existing authority cannot.

Second, I am concerned that the report’s support for data minimization embodies what scholar Adam Thierer has called the “precautionary principle,” and I cannot embrace such an approach. The report, without examining costs or benefits, encourages companies to delete valuable data – primarily to avoid hypothetical future harms. Even though the report recognizes the need for flexibility for companies weighing whether and what data to retain, the recommendation remains overly prescriptive.

As a final note she states that she would have liked to see the report include a full exploration of the emerging tension between information technology (including IoT) and the Fair Information Practice Principles’ approach to protecting consumer privacy. She continued:

The staff report acknowledges the conflict, but fails to grapple with it in a substantial way. We will need to address these issues in the relatively near future, and I look forward to playing a role in that effort.

The Dissenting Statement
The criticism by Commissioner Ohlhausen of the report’s lack of a rigorous cost-benefit analysis was shared by Commissioner Wright. But while the former considered that this was not a reason to vote against its release, Commissioner Wright did vote against publication of the report. In his Dissenting Statement he explains his reasons:

I dissent […, AB] because the Workshop Report includes a lengthy discussion of industry best practices and recommendations for broad-based privacy legislation without analytical support to establish the likelihood that those practices and recommendations, if adopted, would improve consumer welfare.

In the footnote accompanying the paragraph he explains that while the FTC’s reports do not have the force of law,

“there is a very real danger that companies may reasonably perceive failure to achieve those practices or to adopt such recommendations as actionable. Where an agency’s recommendations regarding best practices are not supported by cost-benefit analysis, firms may respond by adopting practices or engaging in expenditures that make consumers worse off.”

He continues his criticism by explaining that this report followed a very unusual procedure when it comes to the FTC practice of publishing public reports on “novel, emerging or otherwise important issues”. Leaving procedural issues aside, his problems with the content itself are (briefly & paraphrased) as follows:

(1) The report is based on a one-day workshop, that is hardly the stuff of solid exploration of best practices and a strong basis for legislative recommendations.

(2) The rigorous cost-benefit analysis argument. Without it, the recommendations are not based on a strong footing. Apart form some assertions, there is no analysis at all that came from the Workshop itself.

(3) Commissioner Wright remains unconvinced that the proposed framework which entails a combination of Fair Information Practice Principles and concepts such as “security by design” is the best way to go about the Internet of Things framework.

He concludes that based on the foregoing, that the FTC should do more research before publishing the Workshop Report’s recommendations.

Read the 55-page report here [PDF]
Read the separate statement by Commissioner Ohlhausen here [PDF]
Read the dissenting statement by Commissioner Wright here [PDF]




Using NYC Taxi Data to identify Muslim taxi drivers

21 Jan, 2015   | by:

Remember that NYC Taxi data set that allowed you to see who visited a gentlemen’s clubs and which celebrity took a taxi where? Reddit user uluman now seems to have found a way to distinguish Muslim taxi drivers from the set. More…

, , , ,

Things that caught our eye

Sorry you don’t have enough Facebook friends to prove you exist.

15 Nov, 2014   | by:

The Guardian reported yesterday that a ‘middle-aged mum of two’ with ‘an impeccable credit record’ who preferred to remain anonymous could not book a B&B via Airbnb because her 50 Facebook friends were not enough to establish that she existed, as she states. The lack of a very abundant online presence (nearly) prevented her from making use of the Airbnb services.

Airbnb requires a verification of the booker’s identity by (1) having a photo as well as both (2) a copy of a passport or driver’s licence and  (3) some some proof of her existence online either by linking a Google, LinkedIn or Google account. Verification of both ‘online’ and ‘offline’ identity. That is quite a lot of personal information. Whilst I understand that in the event anything goes wrong it would be good for the ‘host’ to know who he/she was dealing with, but still, why the need to give Airbnb this host of personal information? Airbnb responded to the article in the Guardian with the statement that the new Verified ID system has received “extremely positive feedback”.

The story has a happy ending; in the end the woman got to book via Airbnb.

Three days, three lost bookings, a spate of emails, and two calls to Casey and her colleague in Colorado later, my problem was resolved. I was “escalated” to one of Airbnb’s “verification specialists”, who allowed me to upload my (very grumpy) video directly to him, explaining who I was. Twenty-four hours after that I got my green light. Off I went, and had a wonderful weekend courtesy of my excellent host “Felix”.

Read the full article here.

, ,

Things that caught our eye

A Game Designed To Teach Teens About Privacy

30 Oct, 2014   | by:

The University of New Mexico’s Computer Sciences department has developed a comic book art style game to address the issue of privacy on the internet. In their research paper, the researchers introduce the game ‘Immaculacy’:

“This interactive story takes the player on a journey, through a world in which personal information is in constant jeopardy. The player is placed in the role of an eighteen-year-old girl, Sydney Carlisle.”


“Immaculacy is an interactive story that immerses the player in a slightly dystopian world littered with privacy issues. Events unfold in the narrative based on hidden scores kept during gameplay and calculated based on specific decisions made by the player. Ultimately, we hope to create an engaging environment that helps players consider the decisions they are making in their own lives. We give the player experience with many privacy issues through their explorations of a world of hyper surveillance and connectivity.”

While the target audience for the game is very broad: “[i]n general, any smartphone owner or person who uses the Internet on a regular basis can benefit from and enjoy this game”, the rating of the game could reach up to ‘Teen’. The researchers expect that this might be possible “due to the psychological nature of the game.”

The game has been submitted to the CHI Play Student Game Design Competition held last week, for other competitors have a look at the competition’s website.

The game itself also has a website:  EXIT | Immaculacy: A Game of Privacy.


Image: Nathan Rackley

, ,

Things that caught our eye

EU Data Protection Supervisor: Internet of Things without thought given to privacy is “a disaster happening in slow motion.”

27 Oct, 2014   | by:

The European Data Protection Supervisor (EUDPS), who “is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies”, recently gave a speech in Mauritius on account of the 36th International Conference of Data Protection and Privacy Commissioners . In his speech (PDF), the EUDPS Peter Hustinx, dealt with the difficulties of enforcing privacy laws which are restricted to territorial borders in a world of “borderless Internet technology”.

Two of the examples he gave of  problems in this area I would like to highlight here. In relation to the Internet of Things (IoT) he mentioned:

“[W]e have heard at this conference that very few objects or devices for the future IoT are being devised with serious attention for privacy implications. Therefore, boxes with diverse gadgets, just being sent off to other parts of the world, without any thought given or information provided on privacy aspects, are simply a disaster happening in slow motion.”

Futhermore, in relation to the Google Spain Case and the Right To Be Forgotten, on which  Stefan Kulk & Rehana Harasgama here at the iii wrote earlier, the EUDPS also had some comments:

[T]he highly critical and sometimes aggressive reactions to the recent CJEU judgment in the Google Spain case show a disconnect between the assumption that available information can be re-used and the requirement that processing of personal information must always be legitimate and may be subject to rights of erasure or objection by the data subjects.

The remainder of the speech deals with questions on feasibility of privacy in a borderless world, which provides for an interesting status quo of what is done in this area.

Read the full speech here.

Interesting final note. Peter Hustinx, is currently the EU Data Protection Supervisor, but the procedure for appointing his successor is in full swing. Latest development here is that his current assistant, Giovanni Buttarelli, has received the most votes in the Civil Liberties Committee last week, and will therefore be the most likely successor of Mr. Hustinx for the role of EU Data Protection Supervisor.


Image Credit: “Internet of Things” by Wilgengebroed on Flickr – Cropped and sign removed from Internet of things signed by the author.jpg. Licensed under Creative Commons Attribution 2.0 via Wikimedia Commons


Things that caught our eye

European Commission wants more art online. Now if only we could find it.

2 Oct, 2014   | by:

The European Commission published two reports today in which it urges cultural institutions throughout Europe to publish more of their art collection(s) online.

One report [PDF] looks at how to digitise, make accessible and preserve culture online, the second [PDF] report explains how our film heritage can be rescued from rotting cans.

The report on digitisation of culture and preserving it online shows that in recent years there has been an increase in digitisation efforts of art and their publication online. However, the report also notes that the work is far from done:

[O]nly a fraction of Europe’s collections [is] digitised so far (around 12% on average for libraries and less than 3% for films).

The European Commission therefore states that it will continue to monitor the progress in this area and at the same time the Commission encourages further digitisation efforts of cultural heritage. The Commission furthermore suggests that, in order to help finance these initiatives, the European Structural and Investment Funds could be tapped into.

You can find well over 30 million already digitised works of cultural heritage at In this online library, you can find among others; classical works of art from the Dutch Rijksmuseum, Diplomatic Documents of Switzerland, and 1262 pieces of 3D Icons. From what we gather, however, the website is not very well known. European Commission Vice-President Neelie Kroes even called Europeana “the best cultural collection that no-one has heard of.” Testament to that is that even the aforementioned European Commission report on digitisation uses a picture of Raphael’s ‘The School of Athens’ fresco, from on its cover, and not one of Europeana’s versions of the fresco. The reason for this cannot be one of copyright, as many of these Europeana’s versions are Licensed under a Creative Commons licence that would allow their use.

Now, the Commission’s efforts are directed at digitising art within the European Union. A more global approach is taken by Google, with its Google Cultural Institute, in particular the Art Project. From the Google Cultural Institute’s website:

Museums large and small, classic and modern, world-renowned and community-based from over 40 countries have contributed more than 40,000 high-resolution images of works ranging from oil on canvas to sculpture and furniture. Some paintings are available in ‘gigapixel’ format, allowing you to zoom in at brushstroke level to examine incredible detail.

The advantage of this project is that you can indeed zoom into so far that you are allowed to have a closer look at the painting than you would be able to have in the museum itself. It offers more than just a Google Street View in Museums, where you are given the opportunity to ‘walk’ through the museum and look at the art. This Art Project also allows you to have a look at individually digitised paintings, in great detail.

What is great about these projects, both Europeana and Google’s Art Project, is that they provide access to cultural heritage, for everyone with an internet connection. Therefore, the European Commission’s continued support and urging of more digitisation within the European Union is very welcome.


Picture: Raphael’s ‘The School of Athens’, Credit: Wellcome Library, London, CC Licence.

Update: there was a report that the link to the report was broken. The new link to the report is updated accordingly.

, , ,


Giving data back to its users, MIT Media Lab creates the Personal Data Store

29 Sep, 2014   | by:

MIT Media Lab researchers have developed a new program openPDS/SafeAnswers in which the starting point is that users collects their own data, and apps can only ask questions about this data, not get access to the data itself. A great way to protect privacy, if adopted generally.


Do you create apps from home? Prepare to give your home-address to the world

23 Sep, 2014   | by:

A couple of days ago Androidpolice reported that Google will institute a new policy, requiring all app developers who offer any app costing money (including those offering in-app purchases) to list their physical address. This information will then be published on the developers’ profiles. Many of these app developers are not big companies but rather hobbyists or the proverbial guy working from his (or his parents’) garage. For them this new policy means revealing their home-address to the world. While it allows developers to comply with current EU consumer legislation, the method to achieve this, which cannot be opted out from, places an unnecessary heavy privacy burden on the developers. More…


Things that caught our eye

Apple states iOS 8 Update Keeps Your Data Private (Except iCloud-Data)

18 Sep, 2014   | by:

The New York Times this morning reported that Apple, perhaps in wake of the celebrity photo leak, it has increased the security measures in time for the launch of its newest iOS.

In relation to Government Information Requests Apple states on its page that (emphasis added):

On devices running iOS 8, your personal data such as photos, messages (including attachments), email, contacts, call history, iTunes content, notes, and reminders is placed under the protection of your passcode. Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.

However, there is one big caveat, which the NYTimes noted. If you want matters to be private, then you should not use iCloud services, because:

[t]he new security in iOS 8 protects information stored on the device itself, but not data stored on Apple’s cloud service. So Apple will still be able to hand over some customer information stored on iCloud in response to government requests.

This is interesting, because with launching iOS 8, these iOS devices heavily rely on you also enabling your iCloud account and storing as much information as possible on there. Many of the native apps on iOS are adept to this iCloud backup/storage and also many third-party apps. To again take the example of the leaked photos of celebrities recently, those were not from the devices themselves, but taken, most likely, from iCloud storage. Future incidents like this are not solved by making access to phones themselves more difficult, but perhaps might benefit from the newly introduced ‘two-step-verificiation‘ .

Thus, it might be a step in the right direction, but it in no way means that your data is private, especially when using iCloud. However, it does boost privacy for those instances in which law enforcement are allowed to access ones phone, as they will now have access to encrypted, and hence virtually useless, data (when it comes to messages and FaceTime. When it comes to the US, the June 25, 2014 decision of the Supreme Court in Riley v. California (PDF) has shown that for law enforcement to ‘search’ a phone the bar has been set much higher now.

Apple Says iOS 8 Update Keeps Data Private, Even From the Police –


Things that caught our eye

Apple forces the U2 album on everyone with an iPhone or iPad

11 Sep, 2014   | by:

For those with an i-device, they should be able to see that new U2 album that was released on the same day as the iPhone event by Apple (9 September 2014). Without your explicit permission, the album features in your Music app.

We have seen questions on Google having to delete things off of your phone remotely, (see for a recent example the Brazilian Court who ordered the remote removal of the app ‘Secret’ from the Google Play Store and phones), but this is a first, to my knowledge, of having a company add something like this remotely to ‘your music library’.

Apple Just Uploaded A U2 Album To Your iPhone And iPad — And Seriously, WTF | TechCrunch.

, ,

Things that caught our eye

EU Commission getting serious (again) about Cloud Computing

10 Sep, 2014   | by:

Yesterday and today, the European Commission started unveiling their intentions in relation to Cloud Computing.

Though there were already policy documents about ‘Unleashing the Potential of Cloud Computing in Europe‘, in 2012, yesterday the Commission picked it up again and drew attention to a document titled ‘Complete Computing: Toward Information, Incentive and Intention. – Research Priorities in Cloud Computing, in the context of Software and Services, taking into account Internet of Things, Future Internet and Big Data.’

In it:

This document argues that there is a great opportunity for Europe to take a large sector of the CLOUDs marketplace but that to achieve this requires ‘leapfrogging’ research leading to products and services in a 10-year time horizon.

And then today it released a Public Consultation on the topic of Cloud Computing, which will start today and end on 10 October 2014.

The consultation is structured in two parts: one on Cloud Computing and one on Software (including Open Source). Interested stakeholders can contribute to one or to both parts.

See further:

Complete Computing: toward information, incentive and intention | Digital Agenda for Europe | European Commission.

Things that caught our eye

Google under attack in Europe, doubles down on Lobby efforts

9 Sep, 2014   | by:

The New York Times reports today that Google faces increased pressure in Europe.

“Google is clearly in the cross hairs,” said David Wood, a London-based partner at Gibson, Dunn, one of Microsoft’s law firms, and legal counsel at ICOMP. “A lot of the aura has faded, and the shine has come off, and people don’t think they’re the good guy anymore.”

Read the full article

Things that caught our eye

Academic Commentary on Google Spain case

15 Aug, 2014   | by:

Cambridge Code has done a marvelous job of gathering all the academic commentary on the Google Spain case. They may not be very up to date, but it gives a nice overview of early commentary on the case. You can find the authors, summaries and links to the works HERE.

Things that caught our eye

WSJ Explains: How does 3-D Printing work

15 Aug, 2014   | by:

If you find yourself in need for more explanation about 3-D Printing after reading Luke Heemsbergen’s piece on 3-D Printing. Go ahead and have a look at the Wall Street Journal’s explanation on 3-D Printing. You can even download their 3-D printing graph and print it yourself!

Find the article here.



Things that caught our eye

A collection of the comments on ‘Big Data and Consumer Privacy in the Internet Economy’

15 Aug, 2014   | by:

The National Telecommunications & Information Administration, which is part of the US Department of Commerce has kept note of most (if not all) the public commentary on the request posed by the NTIA in early June comments on ‘‘‘Big data’’ developments and how they impact the Consumer Privacy Bill of Rights’. On 5 August the consultation closed and the NTIA has now published all the public commentary on its website. 44 People or organisations responded including Microsoft, the Electronic Frontier Foundation, Reed Elsevier Inc, ARTICLE 29 Data Protection Working Party and The Internet Association which represents among other Google, Facebook, Yahoo!, Ebay & Paypal, Twitter, and Netflix.

Full list of all the commentary: See here.