1. EDRi’s Analysis and Recommendations

Official EDRi statement on COVID-19 and Digital Rights

• EDRi calls for fundamental rights-based responses to COVID-19: https://edri.org/covid19-edri-coronavirus-fundamentalrights/ (20.03.2020)

EDRi Members’ Responses and Recommendations on COVID-19

• Joint civil society statement – “States use of digital surveillance technologies to fight pandemic must respect human rights” (02.04.2020)
• Access Now – “Protect digital rights, promote public health: toward a better coronavirus response” (05.03.2020)
• Access Now – “Recommendations on privacy and data protection in the fight against COVID-19” (March 2020)
• Access Now – “Fighting misinformation and defending free expression during COVID-19: Recommendations for states” (April 2020)
• Article 19 – “Coronavirus: New ARTICLE 19 briefing on tackling misinformation” (06.03.2020)
• Bits of Freedom – “Privacy is geen absoluut recht, maar wel een noodzaak” (20.03.2020)
• Bits of Freedom – “Protect our health and protect out rights”
• Defesa dos Dereitos Digitais (D3) – “A pandemia COVID19 e os direitos digitais” (26.03.2020)
• Digitalcourage – “Coronavirus: Tipps fürs Onlineleben und Grundrechtsfragen“
• Digitalcourage – “Im Blick: Grundrechte und Corona-Maßnahmen” (20.04.2020)
• Digitale Gesellschaft – “Menschenrechte gelten nicht nur in „guten“ Zeiten” (25.03.2020)
• Edward Hasbrouck – “Airline passenger data and COVID-19” (06.04.2020)
• EFF – “EFF and COVID-19: Protecting Openness, Security, and Civil Liberties” (23.03.2020)
• EPIC – “World Health Organization Again Speaks Up for Data Protection” (27.03.2020)
• EPIC – “WHO Advisor – “We should never step beyond individual freedoms” (26.03.2020)
• FIfF – “Datenschutz-Folgenabschätzung (DSFA) für eine Corona-App”
• epicenter.works – “Digital rights implications of the COVID-19 crisis” (EN) / “Netzpolitische Empfehlungen in der Covid-19-Krise” (DE) (25.03.2020)
• GFF – “Corona und Grundrechte: Fragen und Antworten” (23.03.2020)
• Hermes Center – “Il Centro Hermes chiede al governo una risposta all’emergenza COVID-19 nel pieno rispetto dei diritti umani” (25.03.2020)
• Homo Digitalis – “Homo Digitalis για την πανδημία του Κορωνοϊού” (28.03.2020)
• Homo Digitalis – “COVID-19 & ΨΗΦΙΑΚΑ ΔΙΚΑΙΩΜΑΤΑ ΣΤΗΝ ΕΛΛΑΔΑ” (22.04.2020)
• Javier Ruiz – “Containing Covid-19: countries leverage communications surveillance data” (02.04.2020)
• La Quadrature du Net (LQDN) – “Nos arguments pour rejeter StopCovid” (14.04.2020)
• La Quadrature du Net (LQDN) – “Orange recycles its geolocation service for the global pandemic” (31.03.2020)
• noyb – “Data protection in times of corona: not a question of if, but of how” (09.04.2020)
• Open Rights Group (ORG) – “Contact tracing and immunity passports must respect privacy” (15.04.2020)
• Open Rights Group (ORG) – “In the Coronavirus crisis, privacy will be compromised—but our right to know must not be” (20.03.2020)
• Panoptykon Foundation – “Wolność i prywatność w dobie koronawirusa.” (25.03.2020)
• Panoptykon Foundation – “Technologia w walce z koronawirusem – 7 filarów zaufania” (06.04.2020)
• Privacy International – “Extraordinary powers need extraordinary protections” (20.03.2020)
• Privacy International – “International Health Day during a pandemic: an opportunity to reflect” (10.04.2020)
• Privacy International – “Covid-19 response: Corporate Exploitation” (08.04.2020)
• Ross Anderson – “Contact Tracing in the Real World” (12.04.2020)
• SHARE Foundation – “Digitalna prava, pandemija i Balkan” (26.03.2020)

Analysing Tracking & Tracing Apps

• Access Now – “Privacy and public health: the dos and don’ts for COVID-19 contact tracing apps” (04.05.2020)
• CCC – “10 requirements for the evaluation of “Contact Tracing” apps” (06.04.2020)
• Council of Europe – “Contact Tracing Apps” (28.04.2020)
• Digitalcourage – “Corona-Apps: Was heißt hier anonym?” (22.04.2020)
• Digitalcourage – “Einordung zur geplanten ‘Corona-Kontakt-Tracing-App’ des RKI” (08.04.2020)
• Digitale Gesellschaft – “Datenschutzprüfung für „Corona-Apps“ offenlegen” (15.04.2020)
• FSFE – “Any Corona tracking app must be used voluntarily and be Free Software” (02.04.2020)
• epicenter.works – “Analyse der “Stopp Corona”-App des Roten Kreuzes” (01.04.2020)
• epicenter.works – “Technische und Rechtliche Analyse der Stopp Corona App des Österreichischen Roten Kreuzes” (22.04.2020)
• epicenter.works – “Analysis of the “Stopp Corona” App: Improvements through expert report” (23.04.2020)

2. EDRi’s Articles, blog posts and press release

EDRi Reporting

• “Technology, migration and illness in the time of COVID-19” (15.04.2020)
• “COVID-19 pandemic adversely affects digital rights in the Balkans” (15.04.2020)
• “Press Release: EDRi calls for fundamental rights-based responses to COVID-19” (01.04.2020)
• “COVID-19: A Commission hitchhiker’s guide to the App Store” (28.04.2020)
• “Why COVID-19 is a Crisis for Digital Rights” (29.04.2020)

#COVIDTech – An EDRi Blog Series

• EDRi – “Emergency responses to COVID-19 must not extend beyond the crisis” (15.04.20)
• (Upcoming article 13 May)

3. Mapping Exercises

EDRi Members Mapping

• Index on Censorship – https://www.indexoncensorship.org/disease-control/
• Privacy International – https://privacyinternational.org/examples/tracking-global-response-covid-19
• noyb – “Active overview of projects using personal data to combat SARS-CoV-2”
• B.I.R.D. a project by SHARE Foundation – https://bird.tools/mapping-digital-rights-during-coronavirus-outbreak/

Other Mapping Excercises

• Council of Europe – https://www.coe.int/en/web/data-protection-staging/covid-19-data-protection
• European Commission Data Portal – https://www.covid19dataportal.org/
• Future of Privacy Forum – “European Union’s Data-Based Policy Against the Pandemic, Explained” (30.04.2020)
• Pandemic Big Brother – https://pandemicbigbrother.online/en/
• FS0C131Y – https://fs0c131y.com/covid19-tracker-apps/
• GDPR Hub – https://gdprhub.eu/index.php?title=Data_Protection_under_SARS-CoV-2

4. Official EU Documents

• European Commission: Toolbox – “Mobile applications to support contact tracing in the EU’s fight against COVID-19” (15.04.2020)
• European Commission: “Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection” (16.04.2020)
• European Parliament: “EU coordinated action to combat the COVID-19 pandemic and its consequences” (17.04.2020)
• European Data Protection Board (EDPB): Letter to European Commission on COVID-19 apps (14.04.2020)
• European Data Protection Board (EDPB): “Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak” (21.04.2020)
• European Data Protection Board (EDPB): “Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak” (21.04.2020)
• European Parliament Civil Liberties Committee (LIBE): “Use of smartphone data to manage COVID-19 must respect EU data protection rules” (07.04.2020)
• EU Fundamental Rights Agency: “Protect human rights and public health in fighting COVID-19“
• EU Fundamental Rights Agency: “Coronavirus pandemic in the EU – fundamental rights implications“
• Council of Europe (CoE): “Joint Statement on Digital Contact Tracing” (28.04.2020)

5. Other Useful Resources

• World Health Organization (WHO) lead advisor – Warning on data protection and human rights (25.03.2020)
• European Centre for Disease Prevention and Control (ECDC): “Technical Report: Contract Tracing: Public health management of persons, including healthcare workers, having had contact with COVID-19 cases in the European Union – second update” (08.04.2020)
• United Nations Office of the High Commissioner for Human Rights (UN OHCHR): “Responses to COVID-19 are failing people in poverty worldwide” (22 April 2020)
• European Academy for Freedom of Information and Data Protection (EAID): “Corona – Fight the pandemic, protect civil rights and data protection!” (26.03.2020)
• Digital Freedom Fund (DFF) – “Why COVID-19 is a Crisis for Digital Rights” (16.04.2020)
• Ada Lovelace Institute: “COVID-19 Rapid Evidence Review: Exit through the App Store?” (April 2020)
• Vice Media: “Snowden Warns Governments Are Using Coronavirus to Build ‘the Architecture of Oppression’” (10.04.2020)

With huge thanks to the individuals and organisations across the EDRi network who have shared resources for this document pool.

The study found that Facebook’s transparency and control tools that would explain how ad targeting works offered to both researchers and users are “insufficient and superficial.” Users are targeted by Facebook’s algorithm based on potentially thousands of distinct selectors following a a set of criteria that only the company knows. Advertisers on Facebook can opt to select audiences on obvious factors such as age, gender, language spoken and location. But the Facebook machine also steers them towards increasingly narrower criteria such as interests (political affiliation, sex orientation, musical tastes, etc…), “life events” and behaviour, as well as more than 250,000 free-text attributes including, for example, Adult Children of Alcoholics, or Cancer Awareness, which constitute a deeper privacy concern.

Facebook is not merely a passive intermediary; its algorithms interpret criteria selected by advertisers and deliver ads in a way that fulfils advertisers’ objectives, and actively curate the content that users see in their timelines based on those assumptions. In 2016, the company introduced a feature allowing them to target “lookalikes” – profiles similar to a target audience. It also allows A/B testing so advertisers can compare which ads are more effective.

But Facebook’s “why am I seeing this ad?” transparency tool can be misleading, revealing only the “lowest common denominator” attribute. For example, according to the report, during the European elections campaign in Poland in May 2019, a person who was pregnant saw a political ad referring to prenatal screenings and perinatal care. “Why am I seeing this ad?” informed her that she was targeted because she was interested in “medicine” (potential reach 668 million) rather than “pregnancy” (potential reach of 316 million). Users can only verify (check, delete, or correct) a short list of interests that the platform is willing to reveal.

Here is where upcoming regulation comes into play: At the very least, the Digital Services Act should prohibit PMT based on characteristics which expose our mental or physical vulnerabilities (e.g. depression, anxiety, addiction, illness). But if the EU wants to be ambitious and tackle many of the associated problems with the current business model, the DSA should go further and regulate any sort of advertising aimed at profiling users, particularly as there appears to be a gap between ads labelled as “political” by the platform, and ads perceived as political by researchers.

Regulating targeted ads, requiring greater transparency for researchers and users, opt-in rather than opt-out, tighter requirements for political advertising and recognising PMT as an application of AI that poses serious risks for human rights will not solve all the problems of political disinformation in society, but they would certainly eliminate some of the worst practices today.

Read more:

Who (really) targets you? Facebook in Polish election campaigns
https://panoptykon.org/political-ads

Annual self-assessment reports of signatories to the Code of Practice on Disinformation 2019 (29.10.2019)
https://ec.europa.eu/digital-single-market/en/news/annual-self-assessment-reports-signatories-code-practice-disinformation-2019

(Contribution by Karolina Iwańska, from EDRi member Panoptykon)

2. How did it all begin, and how did your organisation develop its work?

Homo Digitalis was founded in 2018 by 6 tech lawyers with a strong passion about the protection and promotion of digital rights. No digital rights organisations existed in Greece before. So, we wanted to create an organisation that could bring like-minded people together and shake things up. After two years of voluntary work, we have managed to grow into an organization with more than 100 members, who bring together a wide variety of disciplines such as law, computer science, humanities and social sciences.

We aim to transform Homo Digitalis from an organization based on voluntary work to a strong watchdog with a long-term strategy and full-time personnel. It will be a long and difficult path, but we have started acquiring our first grants and we are confident that we will grow, gaining more recognition and support for us and our vision.

3. The biggest opportunity created by advancements in information and communication technology is…

…facilitating access to information all around the globe, and building bridges between people. These advancements constitute a driver for positive change in our societies, and could lead to enhanced equality and transparency.

4. The biggest threat created by advancements in information and communication technology is…

…mass surveillance of our societies and power asymmetry in the information economy.

5. Which are the biggest victories/successes/achievements of your organisation?

Becoming a full member of EDRi is certainly a great success of Homo Digitalis so far!

Additionally, Homo Digitalis has managed to achieve important accomplishments over the last two years. We have increased public awareness on digital rights issues by generating media interest in our actions, visiting educational institutions and participating in events, campaigns, and giving talks all around Greece. Moreover, we were instrumental in influencing the public debate around data protection reform in Greece by cooperating with related stakeholders, and by filing complaints and requests before EU and national authorities, respectively.

Also, through access to information requests, complaints, and investigations we have attained a high level of scrutiny regarding projects on technology-led policing and border management activities in Greece. In addition, we have collaborated with investigative journalists to reveal important facts. Even though we are an organization based solely on volunteers, we give our best to respond quickly to the challenges that arise.

Furthermore, we have been fortunate enough to participate shoulder to shoulder with powerful digital rights organisations in EU-wide projects and campaigns and to learn from their expertise and knowledge. Finally, we also had the great opportunity to present our views and opinions in important fora, such as the UN Human Rights Council 39th session in Geneva or the European Parliament in Brussels.

All these accomplishments over the last two years give us the strength to continue our work towards the protection and promotion of human rights in the digital age.

6. If your organisation could now change one thing in your country, what would that be?

Active participation of people in collective activities such as digital rights activism. If individuals could devote a part of their knowledge and time to such activities, we would have a stronger voice to influence policy makers and legislators towards political decisions that respect our rights and freedoms and not violate them, instead.

7. What is the biggest challenge your organisation is currently facing in your country?

After 10 years of financial crisis and austerity measures in Greece that limited public spending, we witness over the last years an increase in funds used for technology-led policing and border managements projects. Thus, we must stay wide-awake in order to challenge and fight back the implementation of intrusive tools and technologies in our societies that limit our rights and freedoms.

8. How can one get in touch with you if they want to help as a volunteer, or donate to support your work?

You can visit our website to help us as a volunteer or to donate and support our work.

Also, we always appreciate a good conversation, so feel free to reach out to info@homodigitalis.gr. Last but not least, you can subscribe to our newsletter here.

Read more:

EDRi member in the spotlight series
https://edri.org/member-in-the-spotlight/

Join Homo Digitalis as member/supporter/volunteer
https://www.homodigitalis.gr/en/join-us

Donate to Homo Digitalis
https://www.homodigitalis.gr/en/donations/help-us-grow

There has already been a widespread absence of transparency and regulation when it comes to the rollout of these emergency measures, with many falling far short of international human rights standards.

Tensions between protecting public health and upholding people’s basic rights and liberties are rising. While it is of course necessary to put in place safeguards to slow the spread of the virus, it’s absolutely vital that these measures are balanced and proportionate.

Unfortunately, this isn’t always proving to be the case. What follows is an analysis of the impact of the COVID-19 pandemic on the key subset of policy areas related to digital rights:

a) The Rise of Biosurveillance

A panopticon world on a scale never seen before is quickly materialising.

“Biosurveillance” – which involves the tracking of people’s movements, communications and health data – has already become a buzzword, used to describe certain worrying measures being deployed to contain the virus.

The means by which states, often aided by private companies, are monitoring their citizens are increasingly extensive: phone data, CCTV footage, temperature checkpoints, airline and railway bookings, credit card information, online shopping records, social media data, facial recognition, and sometimes even drones.

Private companies are exploiting the situation and offering rights-abusing products to states, purportedly to help them manage the impact of the pandemic. One Israeli spyware firm has developed a product it claims can track the spread of coronavirus by analysing two weeks’ worth of data from people’s personal phones, and subsequently matching it up with data about citizens’ movements obtained from national phone companies.

In some instances, citizens can also track each other’s movements – leading to not only vertical, but also horizontal sharing of sensitive medical data.

Not only are many of these measures unnecessary and disproportionately intrusive, they also give rise to secondary questions, such as: how secure is our data? How long will it be kept for? Is there transparency around how it is obtained and processed? Is it being shared or repurposed, and if so, with who?

b) Censorship and Misinformation

Censorship is becoming rife, with many arguing that a “censorship pandemic” is surging in step with COVID-19.

Oppressive regimes are rapidly adopting “fake news” laws. This is ostensibly to curb the spread of misinformation about the virus, but in practice, this legislation is often used to crack down on dissenting voices or otherwise suppress free speech. In Cambodia, for example, there have already been at least 17 arrests of people for sharing information about coronavirus.

At the same time, many states have themselves been accused of fuelling disinformation to their citizens to create confusion, or are arresting those who express criticism of the government’s response.

As well as this, some states have restricted free access to information on the virus, either by blocking access to health apps, or cutting off access to the internet altogether.

c) AI, Inequality and Control

The deployment of AI can have consequences for human rights at the best of times, but now, it’s regularly being adopted with minimal oversight and regulation.

AI and other automated learning technology are the foundation for many surveillance and social control tools. Because of the pandemic, it is being increasingly relied upon to fight misinformation online and process the huge increase in applications for emergency social protection which are, naturally, more urgent than ever.

Prior to the COVID-19 outbreak, the digital rights field had consistently warned about the human rights implications of these inscrutable “black boxes”, including their biased and discriminatory effects. The adoption of such technologies without proper oversight or consultation should be resisted and challenged through the courts, not least because of their potential to exacerbate the inequalities already experienced by those hardest hit by the pandemic.

d) Eroding Human Rights

Many of the human rights-violating measures that have been adopted to date are taken outside the framework of proper derogations from applicable human rights instruments, which would ensure that emergency measures are temporary, limited and supervised.

Legislation is being adopted by decree, without clear time limitations, and technology is being deployed in a context where clear rules and regulations are absent.

This is of great concern for two main reasons.

First, this type of “legislating through the back door” of measures that are not necessarily temporary avoids going through a proper democratic process of oversight and checks and balances, resulting in de facto authoritarian rule.

Second, if left unchecked and unchallenged, this could set a highly dangerous precedent for the future. This is the first pandemic we are experiencing at this scale – we are currently writing the playbook for global crises to come.

If it becomes clear that governments can use a global health emergency to instate human rights infringing measures without being challenged or without having to reverse these measures, making them permanent instead of temporary, we will essentially be handing over a blank cheque to authoritarian regimes to wait until the next pandemic to impose whatever measures they want.

Therefore, any and all measures that are not strictly necessary, sufficiently narrow in scope, and of a clearly defined temporary nature, need to be challenged as a matter of urgency. If they are not, we will not be able to push back on a certain path towards a dystopian surveillance state.

e) Litigation: New Ways to Engage

In tandem with advocacy and policy efforts, we will need strategic litigation to challenge the most egregious measures through the court system. Going through the legislature alone will be too slow and, with public gatherings banned, public demonstrations will not be possible at scale.

The courts will need to adapt to the current situation – and are in the process of doing so – by offering new ways for litigants to engage. Courts are still hearing urgent matters and questions concerning fundamental rights and our democratic system will fall within that remit. This has already been demonstrated by the first cases requesting oversight to government surveillance in response to the pandemic.

These issues have never been more pressing, and it’s abundantly clear that action must be taken.

If you want to read more on the subject, follow EDRi’s new series #COVIDTech here: https://edri.org/emergency-responses-to-covid-19-must-not-extend-beyond-the-crisis/

This article was originally published at: https://digitalfreedomfund.org/why-covid-19-is-a-crisis-for-digital-rights/

Read more:

Tracking the Global Response to COVID-19:
https://privacyinternational.org/examples/tracking-global-response-covid-19

Russia: doctor who called for protective equipment detained (03.04.2020)
https://www.amnesty.org.uk/press-releases/russia-doctor-who-called-protective-equipment-detained

A project to demystify litigation and artificial intelligence (06.12.2019)
https://digitalfreedomfund.org/a-project-to-demystify-litigation-and-artificial-intelligence/

Making Accountability Real: Strategic Litigation (30.01.2020)
https://digitalfreedomfund.org/making-accountability-real-strategic-litigation/

Accessing Justice in the Age of AI (09.04.2020)
https://digitalfreedomfund.org/accessing-justice-in-the-age-of-ai/

(Contribution by Nani Jansen Reventlow, Digital Freedom Fund)

A public consultation by the European Commission is planned to be launched in May 2020 and legislative proposals are expected to be presented in the first quarter of 2021.

In the meantime, three different Committees of the European Parliament have announced or published Own Initiative Reports as well as Opinions in view of setting the agenda of what the DSA should regulate and how it should achieve its goals.

We have created a document pool in which we will be listing relevant articles and documents related to the DSA. This will allow you to follow the developments of content moderation and regulatory actions in Europe.

Read more:

Document pool: Digital Service Act (27. 04. 2020)
https://edri.org/digital-service-act-document-pool/

A public consultation by the European Commission is planned to be launched in May 2020 and legislative proposals are expected to be presented in the first quarter of 2021.

In the meantime, three different Committees of the European Parliament have announced or published Own Initiative Reports as well as Opinions in view of setting the agenda of what the DSA should regulate and how it should achieve its goals.

In this document pool we will be listing relevant articles and documents related to the DSA. This will allow you to follow the developments of content moderation and regulatory actions in Europe.

Last update: 27 April 2020

Table of content

EDRi’s analysis and recommendations
Legislative documents
EDRi’s blogposts and press releases
EDRi members’ publications
Key policymaker
Key dates

EDRi’s analysis and recommendations

• EDRi Position Paper on the Digital Services Act: Platform Regulation Done Right (9 April 2020)
• Joint Report:Civil society calls for evidence-based solutions to disinformation (19 October 2018) with Access Now and Civil Liberties Union for Europe
• EDRi response to European Commission E-Commerce Directive Consultation (10 November 2010)

Legislative documents

European Commission

• Public consultation announced for May 2020
• Legislative proposals announced for Q1/2021

European Parliament

• Internal Market and Consumer Protection Committee (IMCO)
  • Lead Report: 2020/2018 (INL) Legislative initiative procedure – Digital Services Act: Improving the functioning of the Single Market – Draft
    • Draft Opinion of the Civil Liberties Committee (LIBE)
    • Draft Opinion of the Transports Committee (TRAN)
    • Draft Opinion of the Culture and Education Committee (CULT)
• Legal Affairs Committee (JURI)
  • Lead Report: 2020/2019 (INL) Legislative initiative procedure – Digital Services Act: Adapting commercial and civil law rules for commercial entities operating online – Draft
    • Draft Opinion of the Culture and Education Committee (CULT)
    • Draft Opinion of the Internal Market and Consumer Protection Committee (IMCO)
• Civil Liberties Committee (LIBE)
  • Lead Report: 2020/2022 (INI) Own-initiative report procedure – Digital Services Act and fundamental rights issues posed
    • Draft Opinion of the Culture and Education Committee (CULT) (in German only)
    • Draft Opinion of the Internal Market and Consumer Protection Committee (IMCO)

EDRi’s blogposts and press releases

• The impact of competition law on your digital rights (19 February 2020)
• Online content moderation: Where does the Commission stand? (18 December 2019)
• Interoperability: A way to escape toxic online environments (04 December 2019)
• Content regulation – what’s the (online) harm? (9 October 2019)
• CJEU ruling on fighting defamation online could open the door for upload filters (3 October 2019)
• E-Commerce review: Safeguarding human rights when moderating online content (4 September 2019)
• E-Commerce review: Mitigating collateral damage (27 August 2019)
• E-Commerce review: Technology is the solution. What is the problem? (11 July 2019)
• E-Commerce review: Opening Pandora’s box? (20 June 2019)
• Fighting defamation online – AG Opinion forgets that context matters (19 June 2019)
• Answering guide for European Commission’s “illegal content consultation” (13 June 2018)

EDRi members’ publications

• Access Now,Guide: how to protect human rights in content governance (3 March 2020)
• Access Now, Can we rely on machines making decisions for us on illegal content? (26 February 2020)
• Access Now, Who should decide what we see online? (20 February 2020)
• Homo Digitalis, Shedding light on the Facebook content moderation centre in Athens (4 December 2019)
• Epicenter.works, Platform Regulation – an attempt at a fundamental rights based proposal
• Panoptykon, “SIN vs Facebook”: First victory against privatised censorship (17 July 2019)
• Panoptykon, SIN v Facebook: Tech giant sued over censorship in landmark case (8 May 2019)
• Bits of Freedom, You cannot post “a bag of bones” on Facebook (27 February 2019)
• Bits of Freedom, Women on Waves: How internet companies police our speech (29 August 2018)

Key policymakers

• Internal Market and Consumer Protection (IMCO)
  • Rapporteur INL: Alex AGIUS SALIBA (S&D)
  • Shadow Rapporteurs: Alexandra GEESE (Greens), Dita CHARANZOVÁ (Renew), Eugen JURZYCA (ECR), Martin SCHIRDEWAN (GUE), Pablo ARIAS ECHEVERRÍA (EPP)

• Civil Liberties, Justice and Home Affairs (LIBE)
  • Rapporteur INI: Kris PEETERS (EPP)
  • Shadow Rapporteurs: Cornelia ERNST (GUE), Marina KALJURAND (S&D), Moritz KÖRNER (Renew), Patrick BREYER (Greens), Patryk JAKI (ECR)

• Legal Affairs (JURI)
  • Rapporteur INL: Tiemo WÖLKEN (S&D)
  • Shadow Rapporteurs: Angel DZHAMBAZKI (ECR), Emmanuel MAUREL (GUE), József SZÁJER (EPP), Karen MELCHIOR (Renew), Patrick BREYER (Greens)

Key dates

• European Commission’s consultation: May 2020
• European Commission’s legislative proposal: Q1 2021

A techie toolbox

The EC argued for the need of a toolkit as national authorities are developing mobile applications (apps) to monitor and mitigate the COVID-19 pandemic. The Commission agrees that contact tracing, as usually done manually by public health authorities, is a time-consuming process and that the “promising” technology and apps in particular could be useful tools for Member States.

However, the EC points out that, in order for apps to be efficient, they need to be adopted by 60-75% of population – a very high threshold for a voluntary app. As comparison, in the famous case of Singapore, only 20% of the population downloaded the app.

The toolbox calls for a series of concrete requirements for these apps: interoperability (apps must work well with each other in order to be able to trace transnational cases); voluntary; approved by the national health authorities; privacy-preserving and dismantled as soon as they are no longer needed.

The time principle was a key point in our statement laying out fundamental rights – based recommendations for COVID-19 responses. On apps in particular, EDRi member Access Now advocates that access to health data shall be limited to those who need information to conduct treatment, research, and otherwise address the crisis . Finally, EDRi members Chaos Computer Club (CCC), Free Software Foundation Europe (FSFE) and noyb are among those that agree on the need for the apps to be voluntary.

Decentralised or centralised, that is the question

The Toolbox describes two categories of apps: those that operate via decentralised processing of personal data, which would be stored only on a person’s own device; and those operating via a centralised back-end server which would collect the data. The EC argues that this data should be reduced to the “absolute minimum” necessary, with technical requirements compiled by ENISA (encryption, communications security, user authentication….) and “preferably” the Member State should be the controller for the processing of personal data. The Annexes list key recommendations, background information on contact tracing , background on symptom checker functionalities and an inventory of existing mobile solutions against COVID-19.

Our member noyb agrees with the Commission requiring strong encryption, an essential element of secure technologies for which we have also advocated before. More, EDRi member CCC sides with the decentralisation option rather than a centralised one, as well as with strong communication security and privacy requirements.

Readers who liked the Toolbox… also liked the Guidelines

The Commision guidance summarises some of the key points of the Toolbox but provides more insight on some of the features, as well details on ensuring data protection and privacy safeguards. The guidance focuses on apps which are voluntary and that offer one or more functionalities: provide accurate information to individuals about the pandemic or provide questionnaires for self-assessment and guidance for individuals (symptom checker). Other functionalities could include alerting individuals if they have been in close contact with an infected person (contact tracing and warning functionality) and/or provide means of communication between patients and doctors.

The guidance relies heavily on references to the ePrivacy Directive (currently blocked by EU Member States from becoming an updated Regulation for 3 years and 4 months) and the General Data Protection Regulation (GDPR) . The references include data minimisation, purpose limitation, time limitation (apps deactivated after the pandemic is over) and top-of the-art security protections.

Our member Access Now has thoroughly gone through the data protection and privacy requirements of purpose limitation, data minimisation and time limitation , largely coinciding with the Commission, while Bits of Freedom has also mentioned the minimal use of data needed and time limitation, in addition to the apps being based on scientific insight and demonstrable effectiveness.

Location data is not necessary, decentralisation is

The Commission states that location data is not necessary for the purpose of contact tracing functionalities and that it would even be “difficult to justify in light of the principle of data minimisation”, and that it can create “security and privacy issues”. Regarding the debate of centralisation vs decentralisation, the Commission believes that decentralisation is more in line with the minimisation principle and that, as Bits of Freedom, CCC and many other groups have suggested, only “health authorities should have access to proximity data [which should be encrypted]” and therefore no law enforcement agencies can access the data. What about the well-intended but risky use of data for “statistics and scientific research”? Commission says no, unless it is necessary and included in the general list of purposes and clearly communicated to users.

Get us some open code. And add good-old strong encryption to go with it, please

The Commission asks for the source code to be made public and available for review. In addition to this, the Commission calls for the use of encryption when transmitting the data to national health authorities, if that is one of the functionalities. Both of these conclusions have been some of the key requests from EDRi members such as FSFE, both for transparency and security purposes but also as a an appeal for solidarity. We consider the call for openness as a positive request from the Commission.

Finally, the guidance brings back the forgotten Data Protection Authorities (DPAs) who, as we have also suggested, should be the ones consulted and fully involved when developing and implementing the apps.

Moving forward

We have many uncertainties regarding the actual pandemic, especially regarding whether any technical solution will help or not. Furthermore, it is unclear how these technologies should be designed, developed and deployed in order to avoid mass surveillance of citizens, stigmatisation of those who are sick and reinforced discrimination of people living in poverty, people of colour and other individuals of groups at risks who are already disproportionately affected by the pandemic.

The voices of experts and civil society must be taken into consideration, before taking the road of an endless “war on virus” that normalises mass surveillance. If proven that technologies are indeed helpful to combat this crisis, technological solutions need to comply with very strong core principles. Many of these strong principles are already present in the Commission’s two documents and in many of the civil society views in this ongoing debate.

In the meantime, strong public health systems, strong human rights protections (including extra protections for key workers), a human-rights centric patent system that puts humans at its core and open access to scientific knowledge are key principles that should be implemented now.

Read more:

Press Release: EDRi calls for fundamental rights-based responses to COVID-19 (01.04.2020)
https://edri.org/edri-calls-for-fundamental-rights-based-responses-to-covid-19/

noyb – Active overview of projects using personal data to combat SARS-CoV-2.
https://gdprhub.eu/index.php?title=Data_Protection_under_SARS-CoV-2

Privacy International – Extraordinary powers need extraordinary protections. (20. 03. 2020)
https://privacyinternational.org/news-analysis/3461/extraordinary-powers-need-extraordinary-protections

Access Now – Protect digital rights, promote public health: toward a better coronavirus response. (05. 03. 2020)
https://www.accessnow.org/protect-digital-rights-promote-public-health-towards-a-better-coronavirus-response/

Ada Love Lace Institute: Exit through the App Store? (20. 04. 2020)
https://www.adalovelaceinstitute.org/wp-content/uploads/2020/04/Ada-Lovelace-Institute-Rapid-Evidence-Review-Exit-through-the-App-Store-April-2020-1.pdf

European Commission – Mobile applications to support contact tracing in the EU’s fight against COVID-19: Common EU Toolbox for Member States (15. 04. 2020)
https://ec.europa.eu/health/sites/health/files/ehealth/docs/covid-19_apps_en.pdf

European Commission (COMMUNICATION)- Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection (16. 04. 2020)
https://ec.europa.eu/info/sites/info/files/5_en_act_part1_v3.pdf

The Communications and Media Manager leads and is responsible for EDRi’s strategic communications and engagement with the media. We are looking for an individual that will bring a strategic and creative mindset to communicate about complex human rights and technology issues in a diverse, fast-changing political environment. The successful candidate will have a strong track record in working with European and national media, excellent storytelling and drafting skills, as well as the ability to establish a network of journalists.

We are an equal opportunities employer with a strong commitment to transparency and inclusion. We strive to have a diverse and inclusive working environment. We encourage individual members of groups at risk of discrimination to apply for this post.

Job title: Communications and Media Manager
Start date (expected): July 2020
Reports to: Executive Director
Location: EDRi Office, Brussels, Belgium

RESPONSIBILITIES:
As Communications and Media Manager, working closely with EDRi’s Policy, Campaigns and Network colleagues, you will:

• Develop EDRi’s communications and media engagement long term strategies and short term plans;
• Promote EDRi’s work and narrative to the media, raising the profile of the EDRi network, including by helping to disseminate their work;
• Establish and maintain a robust network of media contacts and relationships;
• Support the production and secure the publication of EDRi op-eds and other materials in leading outlets;
• Write, edit and send press releases and manage media inquiries;
• Support the production and editing of content for EDRi’s website and of the EDRi-gram bi-monthly newsletter;
• Oversee EDRi’s social media presence;
• Oversee the editing and design of EDRi’s publications;
• Analyse media coverage and contribute to report on EDRi’s media exposure and communication work.

QUALIFICATIONS AND EXPERIENCE:

• Minimum 3 years of relevant experience in a similar role;
• A university degree in journalism, communications, media studies, EU affairs, public relations or related field or equivalent experience;
• Demonstrable knowledge of the European media landscape and of European institutions, and an interest in communicating about and framing of human rights, in particular privacy, surveillance and law enforcement, freedom of expression, as well as other internet policy issues;
• Experience in media relations, leading networks of journalists and creating networks of influence;
• Exceptional writing skills in particular for op-eds and press releases;
• Ability to create visuals for social media, work on simple graphic designs and formatting.
• Strong multitasking abilities and ability to manage multiple deadlines;
• Experience of working with and in small teams;
• Excellent level of English;
• Knowledge of another European language is an advantage;
• Knowledge of database management systems, mailing list and free and open software is an advantage.

HOW TO APPLY:
To apply, please send a maximum one-page cover letter and a maximum two-page CV in English (including two professional references) and in .pdf format to applications(at)edri.org by 22^ndMay 2020.

Please note that only shortlisted candidates will be contacted.

The state of play in Hungary:

On 30 March 2020, the Prime Minister of Hungary was granted sweeping powers to rule the country by decree. Hungary has been under the EU’s spotlight over the last two years for failing to comply with the EU’s core values, with the European Parliament launching infringement proceedings about the deteriorating respect for the rule of law, and civil society raising serious concerns including lack of respect for privacy and data protection, evidence of widespread state surveillance, and infringements on freedom of expression online. Following the enactment of a state of emergency on 11 March and the tabling of the indefinite decree on 23 March, ostensibly in response to the coronavirus pandemic, EU Parliament representatives issued a clear warning to Hungary, stating that “extraordinary measure adopted by the Hungarian government in response to the pandemic must respect the EU’s founding values.” This warning did little to temper Orbán’s ambitions, and leaves the people of Hungary vulnerable to expanded powers which can be abused long after the spread of coronavirus has been checked.

The state of play in Poland:

The European Parliament have also raised concerns about the worsening rule of law in Poland, in particular threats to the independence of the judiciary, with investigations activated in 2016. On 19 March 2020, the country’s efforts to tackle the spread of coronavirus received widespread attention when the government announced the use of a ‘Civil Quarantine’ app which they explained would require people in quarantine to send geo-located selfies within 20 minutes of receiving an alert – or face a visit from the police. according to the announcement, the app even uses controversial facial recognition technology to scan the selfies.

Early in April, the Polish government looked to make the use of the app mandatory, in a move which, as reported by EDRi member Panoptykon, was not proportionate [PL] (due to factors like people’s images being sent to government servers) and additionally not compliant with Poland’s constitution [PL]. Panoptykon emphasise important rules [PL] when implementing technological applications to combat COVID-19 such as minimising the data collected and having strict time periods for its retention, which states must follow in order to comply with fundamental rights.

The state of play in the UK:

The UK’s Coronavirus Act was passed on 25 March 2020, giving the UK government a suite of extraordinary powers for a period of 2 years. Following pressure from civil society, who called the proposed Bill “draconian”, the disproportiontely long period for the restrictions of people’s rights was adjusted to include parliamentary checks every 6 months. Yet NGOs have continued to question why the Bill is not up for renewal every 30 days, given the enormous potential for abuse of power that can happen when people’s fundamental rights protections are suspended or reduced. This is especially important given that, as EDRi member Privacy International has pointed out, the UK already has worryingly wide powers over forms of surveillance including bulk data interception and retention.

The UK has also come under fire for the sharp rise in disproportionate police responses since the introduction of the Bill, including stopping people from using their own gardens or using drones to chastise dog walkers. If not properly limited by law, these powers (and their abuse) have the potential to continue in ordinary times, further feeding the government’s surveillance machine.

POLITICO reports that UK authorities are not alone, with countries across Europe exploiting the climate of fear to encourage people to spy on and report their neighbours, alongside a rise in vigilante attacks, public shamings and even support for police violence. Such behaviour indicates an increasingly hostile, undemocratic and extra-judicial way of enforcing lockdowns. And it is frighteningly reminiscent of some of the most brutal, repressive twentieth-century police states.

What an open door could mean for the future of digital rights:

Allowing states to dispense with the rule of law in times of crisis risks putting those rights in a position of vulnerability in ordinary times, too. The legitimation and normalisation of surveillance infrastructures creates a sense that being watched and analysed all the time is normal (it is not) and contributes to societies filled with suspicion, abuse and mistrust. Before coronavirus was a household name, for example, Hungary’s secretive Szitakötő project was preparing to install 35,000 facial recognition cameras across the country for mass surveillance. This would allow the state to undermine the principle of investigatory warrants, and instead watch and analyse everyone, all the time. The current, indefinite state of emergency could remove any potential checks and balances on the Szitakötő plans, and allow Orbán to push through a wide range of ever-more-violatory measures such as repression of the free media, freedom of expression and political dissent.

Throughout 2019, Poland made its aspirations for global AI leadership clear, having experimented with automating state welfare since at least 2015. As UN Special Rapporteur Philip Alston has emphasised, the global uptake of “automated welfare” is a direct result of government goals to spend less on welfare, control people’s behaviour and punish those who do not conform. There is a risk that the Polish state could exploit new tech, like their quarantine app, to expand an undemocratic agenda and make technology the go-to solution for any public or societal issue. And the UK is already infamous for having one of the highest rates of surveillance cameras per capita in the world. Combined with the fact that the UK’s health service have employed the help of notorious personal-data-exploiting software company Palantir to manage coronavirus data, this suggests that the UK’s pre-existing public-private surveillance economy is the one area profiting from this crisis.

Conclusion:

Desperate times call for desperate measures – or so the saying goes. But this should not undermine the core values of our societies, especially when we have many reasons to be positive: compassionate and brave health workers treating patients; civil society working to protect rights in coronavirus apps and help governments make the right decisions; and global health organisations working to prevent future incidences of the virus and develop vaccines.

As the EU’s Committee for civil liberties state, mass surveillance does not make us safer. It puts undue limits on our liberties and rights which will continue long after the current emergency has been eased. As a result, we will all be less safe – and that really would be desperate times. In the words of Yuval Noah Harari:

[T]emporary measures have a nasty habit of outlasting emergencies, especially as there is always a new emergency lurking on the horizon […] Centralised monitoring and harsh punishments aren’t the only way to make people comply with beneficial guidelines. […] A self-motivated and well-informed population is usually far more powerful and effective than a policed, ignorant population.

Read more:
Fundamental rights implications of COVID-19 (various dates)
https://fra.europa.eu/en/themes/covid-1

Extraordinary powers need extraordinary protections (20/03/2020)
https://privacyinternational.org/news-analysis/3461/extraordinary-powers-need-extraordinary-protections

Use of smartphone data to manage COVID-19 must respect EU data protection rules (07.04.2020)
https://www.europarl.europa.eu/news/en/press-room/20200406IPR76604/use-of-smartphone-data-to-manage-covid-19-must-respect-eu-data-protection-rules

Contract Tracing in the Real World (12.04.2020)
https://www.lightbluetouchpaper.org/2020/04/12/contact-tracing-in-the-real-world/

(Contribution by Ella Jakubowska, EDRi Policy Intern)

The then former MEP and copyright reform activist Julia Reda led the opposition against the DSM Directive within the European Parliament, pointing towards its likely incompatibility with the EU’s Charter of Fundamental rights. To date, it is still disputed whether the requirements of Article 17 can be met without the installation of upload filters. Upload filters restrict free communication, because they invariably lead to the blocking of legal uses under copyright exceptions such as citations. Platforms that fail to cooperate with rightsholders to block the uploads of infringing content can be held liable for copyright infringements by their users.

The German government promised to avoid the introduction of upload filters as they would restrict free online communication to a critical degree, possibly violating freedoms guaranteed by the German basic law. This concerns the right to freedom of opinion and freedom of information and, depending on the functioning of these filters, the rights to data protection and confidentiality of communications.

Securing fundamental rights in copyright through strategic litigation

Whichever approach will be taken by Germany and other EU member states, the DSM Directive will expose existing problems and cause new ones between copyright law and fundamental rights. Government solutions to these problems are likely to benefit large right holders (music companies, film industry), neglecting the rights of users such as scientists, teachers, activists and also of small copyright holders and authors.

Thus, control © will use strategic litigation to fight for an implementation of the DSM Directive that is in conformity with European and German fundamental rights. Strategic litigation has proven an invaluable tool to combat fundamental rights violations in the digital era. Since 2016, GFF has gone to court to defend civil rights in the face of mass-surveillance, excessive secret service powers or opaque state authorities. Control © will make use of this strategic tool in yet another area of law, profiting from GFF’s and Julia Reda’s combined expertise.

Beyond upload filters: cultural heritage and freedom of science

Beyond upload filters, there are more open questions regarding the interplay of copyright law and fundamental rights. The copyright Directive introduces new rules on digitizing making out-of-print works available. This holds the chance to unlock a huge treasure of pictures, music, poems and other works that are no longer in commercial use. We will help institutions such as libraries, museums and archives to make use of these new opportunities in order to strengthen freedom of culture, science and information.

Finally, academic freedom requires the circulation of knowledge as well as legal certainty. Too often, authors of scientific publications are being forced to cede the rights to their studies to commercial scientific publishers. The paywalls they install impede the access to knowledge and scientific progress. Strategic litigation in this field aims to clarify the regulations around Open Access publishing in order to make this option more feasible for more scientists.

Read more:
Introducing control © – Strategic Litigation for Free Communication (13.04.2020)
http://copyrightblog.kluweriplaw.com/2020/04/13/introducing-control-strategic-litigation-for-free-communication/

Control ©: Copyright and freedom of communication (in German only) (13.04.2020)
https://freiheitsrechte.org/urheberrecht/

About GFF (English)
https://freiheitsrechte.org/english/

(Contribution by Luisa Podsadny, from EDRi member GFF)