Showing posts with label IP address. Show all posts

Monday, July 07, 2008

More Stealth News

The story has now been picked up by The Register, quoting La Quadrature du Net.

The comments contain one from someone who wrote to Malcolm Harbour as his MEP and received a form response on the amendments in question. The relevant part is below:

"Amendment H2 asks national regulatory authorities to promote - not force - cooperation, as appropriate, regarding protection and promotion of lawful content. It is entirely independent of "flexible response" and does not prescribe the outcome of any such cooperation.

As opposed to the text proposed by the Commission, amendment H3 shifts the burden of explaining the law from the ISPs to the appropriate national authorities. It also broadens the concept so that any type of unlawful activities are covered, not only copyright infringement. Such other activities could be for example child pornography. This public interest information would be prepared by the relevant national authority and then simply distributed by the ISP to all their customers. It involves no monitoring of individual customer usage of the internet. [italics added]

None of the amendments have been drafted by any outside lobbying organisation."

This may all be accurate in Mr Harbour's view, although I would suggest that amended recital 12c actually speaks against the part I have italicised. However, Pangloss sticks by her legal analysis in posts below - H2 and H3 can indeed be read in a benign way, but they can also be interpreted widely enough, in my opinion, to allow a national legislature to install a "3 strikes and you're out" type regime. That would be a matter for debate in each member state, of course, but this would certainly be a useful place to start, given the opposition even Sarkozy has aroused in France.

One is reminded of the Data Retention Directive: see Judith Rauhofer's excellent analysis of how when Tony Blair ran into troubles getting the data retention provisions he wanted through Parliament, he simply shifted his ground to the EP (where the UK then held the EU presidency) and won there. The resemblance to this battle ground is startling. Technollama has also pointed out that there is recent history of unpopular laws being buried in unlikely European legislation to get it through - the software patent provisions, which were in fact eventually defeated, were at one point proposed via a fisheries committee.

If MEPs have been criticised for acting in good faith, that is very unfortunate, but these amendments remain highly worrying from the perspective of human rights, clarity of lawmaking, and the rule of law.

EDIT: same views expressed in ZedNet by self and others -
See also excellent piece by Bill Thompson on BBC tech blog.

Tuesday, January 22, 2008

IP Addresses are Personal Data - official

Brief but important note, via the Associated Press: the EU Art 29 Working Party group working on privacy, DP and Internet search engines (notably Google) has issued an early press release.

"Germany's data protection commissioner, Peter Scharr, leads the EU group preparing a report on how well the privacy policies of Internet search engines operated by Google Inc., Yahoo Inc., Microsoft Corp. and others comply with EU privacy law.

He told a European Parliament hearing on online data protection that when someone is identified by an IP, or Internet protocol, address "then it has to be regarded as personal data." "

Some may think this an obvious conclusion, but in fact a report on Personal Data commissioned by the UK ICO office a year or two back (and very sadly, no longer available on the ICO site) revealed considerable disparity on this across Europe; in many cases whether an IP address was regarded as "identifying" depended on context, in the view of various Information Commissioners.

The significance is crucial; if IP addresses are personal data, then services which collect IP addresses but not actual names - as Google does when it collects search terms typed in by users from IP addresses - are still regulated by DP law.

Google's privacy chief Peter Fleischer has previously insisted IP addresses should only be seen as personal data if it is likely that a person can be identified from an IP address. (Despite this, Google recently caved in to EU pressure and reduced the duration of Google cookies from 30 years to 2 years.) He may now have to think again, at least in Europe. This should be no surprise, however, since, as Fleischer himself admits, the Art 29 Working Party gave the answer as far back as 2002, that if an IP address can be connected to a person (eg by the person's ISP), then it should be seen as personal data for all purposes, including use by other companies.

The UK's current law, by the way, is, in Pangloss's opinion, rather nearer to Fleischer's interpretation than to Scharr's - see s 1 of the DPA 1998. So bad news may be coming not only for Google but for UK drafters and advisers.