Joris van Hoboken

Decide for yourself. Via the guardian.

What does it mean to be a privacy pirate anyway?

About a month ago, the European Court of Justice decided an important internet and freedom of expression case. I just posted a link to a commentary I have written for Mediaforum (in dutch). I do recommend reading the case.

One conclusion I drew from it, is that increased publicity and findability can end up having a negative impact on the integrity of online archives.

I point to the Court’s first general, explicit (and lukewarm) consideration of the importance of the Internet:

In light of its accessibility and its capacity to store and communicate vast amounts of information, the Internet plays an important role in enhancing the public’s access to news and facilitating the dissemination of information generally. The maintenance of Internet archives is a critical aspect of this role and the Court therefore considers that such archives fall within the ambit of the protection afforded by Article 10.

I criticize the Court for its distinction between the protection of online archives of publications and new publications. It is great that the electronic environment incentivizes newspapers not to make such a distinction and not to remove their historical publications. It means that the electronic environment can add to the value of the newspaper for itself, for other information providers (they can link to them) and for users (they can inform themselves by navigating a networked hyperlinked environment).

And to conclude these short pointers, I wonder why the Court uses the word ‘likely’ in some of its crucial considerations with regard to the implications of Article 10 ECHR:

The Court therefore considers that, while the primary function of the press in a democracy is to act as a “public watchdog”, it has a valuable secondary role in maintaining and making available to the public archives containing news which has previously been reported. However, the margin of appreciation afforded to States in striking the balance between the competing rights is likely to be greater where news archives of past events, rather than news reporting of current affairs, are concerned. In particular, the duty of the press to act in accordance with the principles of responsible journalism by ensuring the accuracy of historical, rather than perishable, information published is likely to be more stringent in the absence of any urgency in publishing the material.

This is a Court that stops being the highest Court to address these questions. I have looked for a similar weak statement about the implications of Article 10 ECHR but did not find it. Please send me a note if you know another!

The Financial Times has an article giving some insight into the debate that will have a huge impact on freedom of expression and access to information in the EU. The main point of discussion is whether fundamental rights have to be taken into account when end-users would be disconnected from the network, something that is being pushed as the new copyright enforcement strategy.

European Council diplomats seem to be thinking this is not the case:

A spokesman for the rotating EU presidency said: “None of the existing conventions and laws recognise internet access as a fundamental right on its own. It is simply one of the means of access to information.”

This is a flawed position. I think it is so clearly wrong that I hope it will backfire on them. Freedom of expression and freedom of communication are protected by Article 8 and Article 10 of the European Convention on Human Rights and the EU Charter. Although there might not be an explicit fundamental right to access the Internet in most European Countries, the Internet is the most important communicative medium for European citizens. The Internet is NOT ‘simply one of the means to access information‘. European institutions recognized as much in a host of official documents. Access to the Internet is a prerequisite to communicate effectively, by email, VoIP, over social network sites, and to find and access information, ideas, and services, including an increasing variety of e-government services. EU Member state Estonia does recognize access to the Internet as a fundamental right explicitly.

The European Court of Human Rights recently stated:

“In light of its accessibility and its capacity to store and communicate vast amounts of information, the Internet plays an important role in enhancing the public’s access to news and facilitating the dissemination of information generally.”

To disconnect people from this communications and information network, thereby limiting its “important role in enhancing the public’s access to news and facilitating the dissemination of information” is simply an interference with the right to freedom of expression and communication that need to be legitimized. The Parliament’s efforts, which would merely ensure that European citizens are not unduly banned from the net, not only deserves support, it could be strengthened. In fact, the current proposal by the Parliament is simply a restatement of fundamental legal principles that an interference with fundamental rights as serious as a ban from the Internet need to follow due process.

Clearly, the opposition from the Council has also to do with the lack of will of member states to harmonize procedural safeguards:

Opponents say this is an issue of legal enforcement over which Brussels has traditionally had few powers.

But, the procedural safeguards proposed by the Parliament are simply a reaction to the attempt to high-jack telecommunications regulation in the interests of copyright enforcement. Disconnecting users from the net is not a good solution. The European Parliament should stand by its efforts to curtail disproportionate enforcement strategies that impact on communicative freedoms.

A final meeting between the parliament, Commission and member states is due tonight, with no further opportunities to agree a deal before the elections without the entire package being reopened.

A spokesman for the Commission stressed that “a solution [on intellectual property protection] must be found, and we believe it will be found”.

Tomorrow, the EP will vote on the proposals to extend the copyright term of sound recordings. So, after this week’s renewed adoption of ‘amendment 138′ in an important European Parliament legislative report, the EP has another chance to show some reason. My colleagues at IViR have studied the issues in depth and have repeatedly and strongly recommended against term extension.

Google has just launched a new option for its search results, in the United States only. United States based users can (through their Google account) edit a personal profile to be shown in Google’s search results. Google presents the move as giving users more control over what people find if looking for them:

To give you greater control over what people find when they search for your name, we’ve begun to show Google profile results at the bottom of U.S. name-query search pages.

The move makes sense in a number of ways. It gives users a (limited) remedy against a bad ego- search page. Users enrich their profiles because they need to add enough information to the profile for the profile to be shown. And users also help Google to do better people search.

Maybe it’s not surprising that the feature remains limited to United States users. People search is controversial under European privacy laws (p.13-14). Google usually defends itself against application of data privacy rules with regard to personal data in their search results with the argument that it is a passive intermediary (p. 4) - Google’s own link is broken . In particular it argued that:

[...] the Google search engine is not responsible for the creation of content on the web, nor are its search results intended to form a profile of any individual. Rather, Google responds to user search queries with links to what appear to be relevant pages.

Of course, that isn’t entirely true. Google knows it when you look for a natural person, and tries to return relevant results too. It’s irrelevant if the processing is automated. In a recent law article (in Dutch) I discuss these issues in more depth. In particular, I point to the outdated media exception in Article 9 of the Privacy Directive:

Member States shall provide for exemptions or derogations from the provisions of this Chapter, Chapter IV and Chapter VI for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression.

In my opinion, this exception should be extended to cover some of the activities of internet intermediaries and search engines. The data privacy directive, in its current form, is ill-suited to govern the public processing of publicly accessible personal data. The principles make a lot more sense for people search activities.

James Grimmelmann has been writing thoughtfully about the Google Book Search Settlement and has an essy on the orphan works perspective on the settlement. Now, Pamela Samuelson draws the analogy between Google and Gogol’s Chichikov. And here are the slides of a presentation she did about the merits and issues of the settlement, calling on others to study the settlement and join the conversation.

GikII 4th Edition, a two day workshop on the intersections between law, technology and popular culture, will be held on September 17-18th, 2009 in Amsterdam, the Netherlands. The chairs of the event are Joris van Hoboken, Doctoral Researcher at the Institute for Information Law, Ian Brown, Senior Research Fellow at the Oxford Internet Institute, Andres Guadamuz, Co-Director, SCRIPT Law and Technology Centre at the University of Edinburgh and Lilian Edwards, Professor of Internet Law, Sheffield University. IViR is hosting GikII in partnership with Creative Commons Netherlands.

There will be no workshop fee. Lunch, coffee and a conference dinner will be arranged free of charge. We will limit registration to 40 participants, so register early!! Preference will be given to attendees who are providing a paper.

GikII is a forum for the intersection of law, technology and popular culture. After previous editions in London, Edinburgh and Oxford, GikII has gained enough steam to hit the continent. Topics covered at the last editions included killer robots, virtual property, copyright online, the many lives and deaths of privacy, fandom, avatar culture, Roman slaves and knitted Daleks. Last year’s presentations can be viewed on the Gikii website, http://www.law.ed.ac.uk/ahrc/gikii/index.asp.

We invite all of you that have a paper on any aspect of law AND technology, science, geek culture, blogging, creative commons, wikis, science fiction or fantasy, computer games, digital culture, gender on-line, virtual worlds, series of tubes, or deep packet inspectors, to come to GikII 4 and join us for two inspiring days of cutting edge collisions of the worlds of law, tech and popular culture. LOLcats, robot scientists and cheezburgers are especially welcome.

If you would like to participate, email your abstract of no more than 500 words. This should be sent to vanhoboken [at] ivir [dot] nl by July 1, 2009. We will confirm acceptances by August 1.

The Dutch Government has answered (in Dutch) an additional set of questions by the Dutch Senate about the implementation of the Data Retention Directive. In the end of last year the Senate had held a hearing with technical experts. This final set of questions and answers probably concludes the written back and forth between the government and the Senate so the Senate can be expected to have a plenary debate about the implementation proposal later this Spring. (UPDATE: The plenary debate has been scheduled to take place on 23 June 2009.) Below I listed some excerpts (my translation) from the Q&A, which I found most remarkable.

A data retention agenda for the future

First, because they stipulate quite clearly that the Dutch government sees the current proposal for data retention as being of a limited nature. It already points to a possible extension of data retention at the European level, in particular a drastic extension of data retention obligations with regard to online communications and with regard to the term.

What fundamental rights?

Second, because it downplays the interference with fundamental rights. To compare access to the complete set of traffic data, including location data, of the entire population for national security and law enforcement purposes with a specified bill for billing purposes is quite remarkable. It’s also remarkable to point to the strict conditions for access to these data because these conditions are not strict at all and have been much criticized when they were adopted a few years ago. To point to the technical nature of the data involved is even more flawed. The fact that citizens and consumer have become part of a data-processing ecosystem that no longer involves human decision makers is more of an extra threat to personal liberty and autonomy than the other way around.

Pointing to Europe

Third, because the Dutch government again takes no full responsibility to legitimate the interference with fundamental rights but points towards the European legislature. I have argued, in response to the data retention directive judgment of the ECJ, that the reasoning of the Court implies that the Member states carry most of the responsibility for legitimizing the interference with fundamental rights. The reason is that the directive does not harmonize crucial aspects of the data retention regime, such as the term, the maximum set of data and most of all access to these data. The Dutch government simply can not rely on the balance that has been struck at the European level, because the directive leaves too many things open.

And endorsing a flawed judgment of the ECJ

Finally, because the government at the same time endorses the judgment of the ECJ and gives the primary argument why the Court should have struck it down. The government states explicitly (and this time in my opinion convincingly) why differences between data retention obligations between the member states cannot harm the competitiveness within the internal market. There is still a level playing field. The negative effects on the internal market were the reason why the directive was legally adopted (in the ECJ’s eyes).

The relevant excerpts:

Answering a question about the ineffectiveness of the proposal because a lot of online communication services fall outside of its scope:

User data of social network sites like Hyves and LinkedIn and the use of certain forms of Internet telephony like Skype currently fall outside of the scope of the proposal because of a lack of political support within the European Union to retain data relating to the use of the Internet, other than simple Internet access. [...] If it would turn out that because of this an important set of data would fall outside of the scope of the Data retention directive, this can be addressed in the context of the evaluation of the directive and this will possibly lead to amendment of the directive.

Answering the question about the justification of the data retention term of one year:

Weighing all interests and taking into account all circumstances, I take the view that the critical boundary [with regard to the legality of the interference of Article 8 ECHR] is not being reached with a term of one year. [] I take the view that the evaluations will be able to provide more insight into the importance of the data in concrete investigations and thereby also in the optimal length of data retention. The evaluation has to be concluded before 15 September 2010.

Downplaying the interference with fundamental rights:

The risk of the interference with the private life of data subjects consists primarily of the image that these data provide of communicative behavior. On that point, there is little difference with the specified bills that telecom providers offer as an extra service. In addition, there is a risk of linking the data to criminal activity of persons. However, a similar risk is also present in the context of requests for license plate information by the police. The Criminal Procedural Code stipulates strict conditions for the access to data by law enforcement officials. The above does not alter the fact that subjects have a right that the data about their communications are being processed with exceptional care.

Again downplaying the interference with fundamental rights, pointing to the technical nature of the data processing infrastructure:

The right to protection of private life, enshrined in Article 8 ECHR and Article 10 of the Dutch Constitution, is only at issue to limited extent. Nothing is being stored about the contents of communications. The data are of a technical nature and are usually stored in dispersed form in the systems of the providers.

Pushing the responsibility for the interference with fundamental right toward the EU:

With regard to the necessity of the interference in a democratic society, there is a margin of appreciation for the member states. The data retention obligation, however, follows from a European directive and the [Dutch] data retention term falls within the limitations of the Directive.

And finally arguing that the difference between member states, in terms of costs for providers does not mean there is not a level playing field for electronic communication providers:

I find the fear for negative effects on the competitiveness within the EU ill-founded. All public providers that are active in the Netherlands, i.e. small and large, can make an appeal to the reimbursement regulation in Article 13.6 of the Telecommunications law. This regulation is applicable, regardless of the origin of the provider. For all providers between themselves, there will still be a level playing field after the adoption of the data retention obligation.

A few weeks ago I gave a short interview on RFID, privacy and the Big Brother Award for the Dutch citizen in 2007. The video is posted here (the third video, titled ‘Le citoyen européen sous surveillance’ (by Florence Morice).

The French Parliament has passed the three strikes provisions for the termination of Internet access of file sharers.