Actions at national and European level regarding e-evidence

Today, Wednesday 5 December 2018, in view of the upcoming meeting of the Council of Justice and Home Affairs of the European Council (6-7 December), 18 organizations sent a letter to all the EU Member States, voicing their strong concerns regarding the approach suggested by the Austrian Presidency in the draft Regulation on European production and preservation orders for electronic evidence in criminal matters (“e-evidence”).

Among these organizations are EDRi, Electronic Frontier Foundation, the Council of Bars and Law Societies of Europe – CCBE, Access Now, Privacy International and many national digital rights organizations, including Homo Digitalis.

We believe that the solution proposed by the Austrian Presidency does not adequately address important issues arising from the legislation in question. For example, the text:

– greatly reduces the possibility for enforcing authorities to refuse recognition and enforcement of an order on the basis of a violation of the Charter of Fundamental Rights;

– wrongly assumes non-content data is less sensitive than content data, contrary to case law of the Court of Justice of the European Union (CJEU) and the European Court of Human Rights (ECtHR), notably the CJEU Tele 2 judgment (cf. para. 99) and the ECtHR’s case Big Brother Watch and others v. UK (cf. paras. 355-356);

– contemplates the possibility to issue orders without court validation, disregarding what the CJEU has consistently ruled, including in its Tele 2 judgment (para. 120);

– does not provide legal certainty; and

– undermines the role of executing states, thereby undermining judicial cooperation.

Similar views have been expressed by the European Data Protection Board (EDPB), judges such as the German Association of Judges, companies like Internet Service Providers, academia, Bar Associations and the Meijers Committee, among many others.

At the national level, Homo Digitalis submitted today its letter to the Greek Ministry of Justice (Protocol no. 4568/5.12.2018), expressing its concerns about these provisions.

You can find a copy of our letter in Greek here.

You can learn more about the action at the European level here.


8 digital rights organizations ask for transparency regarding the new Data Protection Commissioner of Serbia

Today, 4 December, EDRi, Access Now, APTI, EFN, Epicenter.works, Open Rights Group, Privacy International and Homo Digitalis sent a joint letter to the National Assembly of the Republic of Serbia, requesting a transparent procedure regarding the appointment of the new Data Protection Commissioner of the country.

This is the second action in the Balkans in which Homo Digitalis takes part, aiming at the provision of adequate safeguards for human rights in the contemporary digital age.

The letter is available here.


The Norwegian Consumer Council files a complaint against Google

On November 27, 2018 the Norwegian Consumer Council filed a complaint against Google. Based on a new study, Google is accused of using deceptive design and misleading information to manipulate its users.

More particularly, Google is accused of tracking users through “Location History” and “Web & App Activity”, which are settings integrated into all Google accounts.

For users of Android devices, such as Samsung and Huawei smartphones, it is extremely difficult to avoid this tracking.

According to the complaint, some of the techniques used by Google to push the users to share their location are:

– Deceptive click-flow: The click-flow when setting up an Android device pushes users into enabling “Location History” without being aware of it. This contradicts legal obligations to ask for informed and freely given consent.

– Hidden default settings: When setting up a Google account, the Web & App activity settings are hidden behind extra clicks and enabled by default.

– Repeated nudging: Users are repeatedly asked to turn on “Location History” when using different Google services even if they decided against this feature when setting up their phone.

Google’s intention is to elicit users’ consent, so that users agree to being constantly tracked, thus revealing very important aspects of their personalities! Which are these aspects?

What does Google know exactly? Does Google know, for example, if you are in your living room, your bedroom or even your toilet? How many times per minute does it track you? When you take a cigarette break at work is Google there with you? Does Google know when you are on a date? Does it know your religious beliefs? Your health history? Learn more about all these in the official video by the Norwegian Consumer Council. More information can be found here.


What are cookies?

By Iason Chontzopoulos* and Konstantinos Kakavoulis

When we visit a website for the first time, the following message appears: “this website uses cookies to ensure you get the best experience”.

But what are these famous cookies? Do they really improve our experience on the internet? And if so, do they do so with no cost?

What are cookies?

They are small files with information, created by websites while we visit them. They are equivalent to short text files, in which the information is usually encoded or takes the form of identifiers, so it does not look coherent when a human reads it. These files and the information they contain are created by the computer on which the server operates. Each website uses only the cookies that it has created itself.

How are cookies used?

They serve to add functionality to the websites we visit. For example, they are used so that a website can recognise us. Since they are created by the website, they do not include personal information.

They usually recognise the browser we used during our previous visit. The principle on which websites are based is that each of our clicks is independent of the previous one. Cookies were created to record the continuity between two clicks (on the same site).

Are there different types of cookies?

Yes! We can distinguish cookies, according to their functionality, into simple cookies, session cookies and tracking cookies.

1) Simple cookies serve as information storage. Online retailers use such cookies just to remember the products that we have already chosen to buy. Other information could be the technical characteristics, statistics related to how many times we have visited the website, which language we choose, which page layout we prefer etc.

2) Session cookies: the most common are the authentication cookies, which help to identify our profile, as we previously mentioned. Depending on their application, they can have a limited duration (temporary cookies). We usually find temporary cookies on the websites of banks, where they expire for safety reasons after a fixed period and we have to re-enter our details.

In other cases, the option “Remember Me” or “Keep me Logged in” keeps them active until we explicitly choose to disconnect (permanent cookies).

It is noteworthy that authentication cookies constitute an essential privacy element on the internet and they are always sent in encoded form. There are also technologies that can increase the safety and reliability of authentication and operate alongside cookies.

3) Lastly, there are tracking cookies. Third-party tracking cookies are the most frequently disputed category of tracking cookies, as they serve to improve services other than those offered by the website itself. Advertising is one of these services. Cooperating websites obtain the right to use cookies in order to collect information about our Internet surfing behaviour. The fact that third-party services, besides the website itself, can install cookies extends their use beyond the prime reason for which cookies were created; this is obviously the improvement of the services of the initial website, which is served by the simple cookies and the authentication cookies.
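The three types above can be told apart from the `Set-Cookie` response headers a browser receives. The following Python example is added here and is not part of the original article: it labels each cookie as temporary (session), permanent (persistent) or deleted, and as first-party or third-party. The site name, hosts and cookie values are constructed, and the first-party site is supplied by the caller instead of being derived from a public-suffix list.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional


@dataclass
class CookieReport:
    name: str
    party: str                       # "first-party" or "third-party"
    lifetime: str                    # "session", "persistent" or "deleted"
    expires_in: Optional[timedelta]  # None for session cookies
    secure: bool                     # only sent over HTTPS
    http_only: bool                  # not readable by page scripts


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, attributes); attribute names lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def is_same_site(host, site):
    """True if host is the visited site itself or one of its subdomains."""
    host, site = host.lower().rstrip("."), site.lower().rstrip(".")
    return host == site or host.endswith("." + site)


def remaining_lifetime(attrs, now):
    """Max-Age takes precedence over Expires (RFC 6265); neither means a session cookie."""
    try:
        return timedelta(seconds=int(attrs["max-age"]))
    except (KeyError, ValueError, OverflowError):
        pass  # absent or malformed Max-Age: fall back to Expires
    try:
        return parsedate_to_datetime(attrs["expires"]) - now
    except (KeyError, TypeError, ValueError):
        return None  # absent or unparseable Expires: cookie ends with the browser session


def classify(site, response_host, header, now):
    """Classify one Set-Cookie header seen while visiting `site`."""
    name, attrs = parse_set_cookie(header)
    left = remaining_lifetime(attrs, now)
    if left is None:
        lifetime = "session"
    elif left <= timedelta(0):
        lifetime = "deleted"      # servers remove a cookie by expiring it
    else:
        lifetime = "persistent"
    party = "first-party" if is_same_site(response_host, site) else "third-party"
    return CookieReport(name, party, lifetime, left,
                        "secure" in attrs, "httponly" in attrs)


def audit(site, responses, now):
    return [classify(site, host, header, now) for host, header in responses]


def tracking_candidates(reports):
    """Third-party cookies that outlive the session are the ones worth reviewing."""
    return [r.name for r in reports
            if r.party == "third-party" and r.lifetime == "persistent"]


# Constructed sample: (host that sent the response, Set-Cookie header value).
SITE = "shop.example"
NOW = datetime(2018, 12, 5, 12, 0, tzinfo=timezone.utc)
SAMPLE_RESPONSES = [
    ("www.shop.example", "PHPSESSID=abc123; Path=/; HttpOnly; Secure"),
    ("www.shop.example", "remember_me=tok; Max-Age=2592000; Secure; HttpOnly"),
    ("www.shop.example", "lang=el; Expires=Thu, 05 Dec 2019 12:00:00 GMT"),
    ("ads.tracker.example", "uid=9f8e7d; Max-Age=63072000; Secure; SameSite=None"),
    ("www.shop.example", "cart=; Max-Age=0"),
]

if __name__ == "__main__":
    reports = audit(SITE, SAMPLE_RESPONSES, NOW)
    for r in reports:
        print(f"{r.name:12} {r.party:12} {r.lifetime:10} "
              f"secure={r.secure} httponly={r.http_only}")
    print("review:", tracking_candidates(reports))
```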

There are tools that help us check the flow of information we share through cookies. Below is one such tool, which records the information shared with cooperating companies.

Does this seem complicated? You should try this tool to find out live with whom you share each click at any time!

So, do cookies target me?

As we mentioned above, usually cookies aim at recognising the browser we use and our IP address. Cookies rarely contain personalised characteristics, which indicate the user’s identity. The combination of these specific elements with other sources may be used for the identification of natural persons; for this reason the functioning of cookies is regulated by legislation.

What does the legislation provide for cookies?

The EU General Data Protection Regulation (GDPR) includes a provision concerning cookies.

Specifically, Recital 30 of the Regulation provides:

“Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

In simple terms, if cookies can identify a natural person, they are subject to the GDPR. Of course not all cookies can identify a person, but most of them can if combined with third sources.

For websites to be compatible with the GDPR and not be at risk of being fined under its provisions, they must either stop collecting cookies that can identify a natural person, or establish an adequate and lawful reason for the collection and the processing of such information.

Significant changes that the GDPR brought in cookies use

1) Tacit consent to the use of cookies is no longer sufficient. The website user must explicitly provide his/her consent to the installation of cookies by the website. This is the reason why the messages we mentioned at the beginning of the article are displayed each time we visit a new website. These messages may seem merely annoying at first sight, but having read this article, you should think twice before you click “I accept” next time.

2) The message “By using this website, you agree to the use of cookies” is not sufficient. The consent granted by the user must be genuine and consistent with his/her free will; the user should really have the choice not to accept the installation of cookies.

3) The user must have the possibility to withdraw his/her consent as easily as he/she provided it. Therefore, websites must give users the possibility to change their mind and change their original choice at any time, by offering them easy and rapid access to the relevant menu, as easy and rapid as the access they had when they first visited the website.

What can I do if a website does not comply with the above obligations relating to cookies?

Take a look at the guide that Homo Digitalis has prepared on what you can do and whom you can turn to if you face problems with the processing of your personal data. You have to follow the same steps in case a website infringes the legislation on cookies.

Can a website function without cookies?

Cookies obviously multiplied the possibilities of websites and in many cases increased their safety.

Their use is clearly a design choice for each website, but the use of certain cookies is purely technical in nature. An example is the online shops we previously mentioned.

Cookies of a technical nature are necessary. Websites are accessible through various devices and browsers. The various devices and browsers require particular treatment for technical reasons; therefore, the use of simple cookies with technical data is considered necessary. In this way, the website’s layout changes to fit the relevant needs, for example the adaptation of the website to mobile phones and small screens.

This does not apply to tracking cookies. The use of tracking cookies has attracted world-wide interest in recent years, in particular in relation to the purpose for which the collected data is exploited. For this reason, the legislation aims to bring the use of cookies into the open, giving users rights and the option to choose. At the same time, it requires transparency in the use of cookies by companies and provides for large fines, in order for companies to comply with their obligations.

Homo Digitalis, faithful to the values it represents, does not place cookies on its website visitors’ devices in order to analyse the effectiveness of the design and the presentation of our website or to identify its visitors (tracking cookies).

We don’t, therefore, make notes of your activity on our website. The only cookie that our website uses is called PHPSESSID.

This specific cookie cannot identify any natural person and does not note user’s personal data. It is only of technical nature, serving the server’s function.

*Iason Chontzopoulos is a data scientist based in Zurich. He is an electrical and computer engineer, having studied at National Polytechnic School of Athens and ETH Zurich.

*Source of the main photo: https://www.howtogeek.com/327268/why-do-some-websites-have-pop-up-warnings-about-cookies/


An interview with Emmanuel Tzivieris, DPO at Investment Bank of Greece

On May 25, 2018, the General Data Protection Regulation (GDPR) came into force and significantly changed the protection of personal data in our country. The GDPR establishes many rights for citizens. Among others, the Regulation provides for the creation of the position of the Data Protection Officer (known as DPO). We met with Emmanuel Tzivieris*, DPO at the Investment Bank of Greece, so that he could tell us more about this new position.

– Talk to us about the role of the DPO. Is it something new?

Many people are referring to the role of the DPO as a novelty of the GDPR, which is not entirely accurate. The term is not unknown. It also existed in the European Directive 95/46, it was also included in Greek law 3979/2011 on eGovernment, it also existed in Germany; but in practice it was not used, at least not to such an extent. This has changed with the implementation of the GDPR, which provides for the mandatory appointment of a DPO, starting on 25 May 2018, for three main categories of organizations and businesses:

(a) Public authorities and bodies other than the courts.

(b) Organizations whose core activities require regular and systematic monitoring of subjects on a large scale.

(c) Organizations processing personal data of specific categories, such as genetics, biometrics, health data etc.

– You are giving me the opportunity to ask you about the level of business alertness on May 25th. Had the Greek companies and organizations already appointed DPOs?

I am not aware of the overall picture of Greek businesses and public organizations to answer your question, but there are indications that the “last minute” rule was not excluded even in the case of GDPR. At this point, I would like to emphasize that the GDPR was adopted in April 2016, which meant that all the persons in charge had more than two years to comply with its requirements, including the definition of DPO. Even the incorporation of the Regulation into the national legislation of the Member States has been delayed. Just a few days after its introduction, the European Commissioner responsible for justice has warned eight member-states (including Greece) and urged them to speed up their compliance procedures.

– How would you describe the role of DPO in an organization?

There are various interpretations of the role the DPO has to play in an organization. It has been suggested that the DPO will be the “long hand” of the Data Protection Authority, or its “eyes and ears” within the organization. It has also been heard that he will be an informal internal auditor who can carry out audits and communicate his findings to the Authority. However, we can’t confirm any of these theories when the legislative process is in progress in Greece. The only certainty is that the DPO will be a communication channel, or the link between the organization and the Supervisory Authority, and will be entrusted with the tasks assigned to it by the Regulation in Article 39, such as monitoring the organization’s compliance with the Regulation, advice to the company, staff briefing, opinion on impact assessment, etc.

– How important are the personal data of the subjects that are managed and processed by a business?

There are whole business models based almost exclusively on the processing of personal data. Meanwhile, the digital world is evolving rapidly and this has resulted in creating an intangible environment for individuals, consumer preferences and needs. See what happens with electronic communications today and compare it to previous decades. Look up on what is coming with artificial intelligence. Real cosmogony. So, you understand the importance of legislation such as the GDPR that tightens the framework for the processing of personal data at a time when personal data and control are becoming decisive for sustainability, competitiveness and further development of businesses.

– What do you think is the biggest challenge for a DPO?

The challenges mainly concern the innovations introduced by the Regulation on the general functioning of an entity. As you can see, it is a piece of legislation that changes the strategy and the way in which organizations and businesses have operated so far. The DPO, therefore, as the orchestrator of the compliance process, is called upon to confront the habit, which is the greatest enemy of a healthy business. It is called upon to create within the company a new culture that treats personal data with respect and a sense of responsibility.

– Can the consumer contact the DPO directly?

The Regulation provides for the obligation to process personal data in a transparent manner. In this context, the organization is required to share the DPO contact information with all data subjects, facilitating communication with him/her.

Any interested person may contact the DPO to get informed about the categories of personal data being processed, the purposes of the processing, the potential recipients of the data and, in particular, his/her rights as derived from the Regulation.

– What about the public’s awareness so far? Is there a response and interest of the public for the protection of their personal data?

Remember the first days of application of the Regulation and the dozens of identical messages we received from various businesses, e-shops, social media, etc. Anyone claiming that he was not bothered by this information storm and did not delete most of these messages would not be frank. This negative atmosphere gave the impression that sending the newsletters discouraged the public rather than sensitizing it.

This climate is slowly reversing. The messages we receive from daily communication with the public, as well as the results of a recent survey on the level of awareness and information of the Greeks on personal data protection issues, are encouraging. More than 80% said they were aware of the new regulation, while 77% of respondents claimed they had become more cautious about how they shared their personal data. If the numbers tell the truth, then we are on the right track. This progress is largely due to initiatives such as yours, Homo Digitalis, aimed at raising public awareness, but mainly ensuring that the public is properly and responsibly informed.

– How do you see the future of business in this digital world?

Although I’m not good at predictions, what I can say is compliance with the GDPR is the first major test that businesses are faced with in this field. There are plenty of other more demanding tests coming. The results of this first exercise will reveal the level of alertness of organizations to adapt to the new requirements and new business models of the digital world. Those who pass the test successfully have every reason to be optimistic that they will remain competitive, unlike the others, for which, unfortunately, the future does not look promising.

*Emmanuel Tzivieris holds a Bachelor from the Law School of Athens, a Master in Public Law from the National Kapodistrian University of Athens and a Master in Law and Economics from Utrecht University. He is the DPO of the Investment Bank of Greece.


Can machines replace judges?

A philosophical approach by Philippos Kourakis*

There are various ways in which technology could change the way people who are involved in the legislative process and law enforcement work. In this text we will focus on the question of machines taking over the judiciary, and if that could be in line with Ronald Dworkin’s right solution thesis.

Using a specific algorithm

Lawyers Casey and Niblett [1] describe a hypothetical future situation in which the information and predictions we can derive from technology will be so precise that we can assign the judge’s role to machines. The process, as they say, will be the following: in some US states, an algorithm is already being used by judges to predict the possibility that the accused will not appear before the court. Although this algorithm has not replaced the judges, it is reasonable to assume that the more effective it becomes, the more the judges will rely on it, until they ultimately depend entirely on it.

This (hypothetical) scenario raises the question of how such a move would be in harmony with the very nature of law. To give an answer, we will turn to Dworkin’s work and in particular to his theory regarding the right solution thesis.

The theory of the right solution and its possible misinterpretation

Early in his career, Dworkin shook the philosophical and rigorous currents of his time, arguing that there is always a right solution, even in the most controversial and difficult cases [2]. At first sight, this position seems to support those who favour the replacement of judges by machines, since it seems reasonable for the right solution to emerge from a mechanistic process of the highest precision. However, this approach is a misinterpretation of Dworkin’s position.

Dworkin himself had predicted such a misinterpretation. In Law’s Empire (1986), he wrote [3]:

“I have never designed an algorithm to be used in the courtroom. No computer wizard could draw from my arguments a program which, after gathering all the facts of the case and all the texts of previous laws and judgments, would give us a verdict that would find everyone in agreement.”

Dworkin’s statement stems from his belief that the correct method of hearing cases is an exercise that is fundamentally interpretative and worthwhile and, as such, is based on principles. The judge can find the right solution in each case, but only by finding the best possible interpretation.

The best interpretation is expressed by those who, according to the letter of the law, can legitimately justify the coercion imposed by the law on its companions. In this process, Dworkin argues that the judge tries to preserve the integrity of the law by interpreting it in its best light, having in mind that the law is the creation of a community in which the unifying element is the attempt to justify state coercion.

Dworkin believed that each case had a right solution, but nevertheless, every case is difficult, and finding a solution is a very important exercise of political ethics. Therefore, despite the formalist texture of the philosopher’s belief in a correct solution to each case, he realized that the legal system, being an organic unit, is constantly changing with its individual elements being as constant as possible between them.

Will technology replace judges?

The question that arises from the above is whether the pace of technology development and the path it has taken will lead to machines effectively replacing judges, finding the right answer even in difficult cases. Machine Learning can indeed redirect a set of rules so that a more general goal can be served, which is something that may well be ethically welcomed. From this perspective, Machine Learning is dynamic and structured with continuity. Therefore, if it was used to deal with real assumptions, it would do so with some kind of integrity that would be mechanical in its nature.

Nonetheless, the desired goals would remain intact. The static nature of political ethics, on which the legal system would be based, would detract from legality, in Dworkin’s view. For the philosopher, integrity has the meaning that all parts of the legal system can be revised, since the argumentative disagreement reaches the foundations of legality by looking at basic questions such as how citizens should be taxed and whether they should be taxed or if there should be policies of positive discrimination [4]. Following this reasoning, legislative policies are based on principles that arise through the interpretation of difficult cases. This process aims to consolidate past decisions in a way that would justify state coercion on the part of the interpretive community.

The conclusion

To sum up, it is understandable that the prospect of technology through Machine Learning could hardly be in harmony with legality as expressed by Dworkin. Machine Learning does not work on principles. It operates on statistical relationships that do not reflect ethical principles. Its operation would therefore be abolished to the extent that a system (the legal) would require it to act fundamentally morally.

*Philippos Kourakis is a lawyer with a specialization in Philosophy of Law and Criminology. He holds a Bachelor from the Law School of Athens and a Master from Oxford University in Criminology as well as a Master in Philosophy of Law from the National Kapodistrian University of Athens.

[1] Anthony J. Casey and Anthony Niblett, Self-Driving Laws (June 5, 2016). Available at SSRN: https://ssrn.com/abstract=2804674

[2] Ronald Dworkin, Taking Rights Seriously (London: Duckworth, 1978), chapter 4

[3] Ronald Dworkin, Law’s Empire (Cambridge, MA: Harvard University Press, 1986), p. 412

[4] Ibid., p. 73


Homo Digitalis receives two scholarships for free participation in the most popular conference for the protection of privacy and private data in the world

Our organization has the pleasure and honour to have received two scholarships from the program “Epic Public Voice Scholarships for NGOs” to participate in the 40th “International Conference of Data Protection and Privacy Commissioners” in Brussels (22-26 October).

The scholarships could be obtained by only 20 organizations worldwide and they are provided by EPIC, a well-respected research centre headquartered in Washington D.C., U.S.A., which focuses its activity and attention on the protection of privacy, freedom of expression and democratic values in the information society.

The conference is organized by the European Data Protection Supervisor (EDPS) and it is widely respected concerning the issues of privacy and personal data protection.

Taking part in the process we will be able to observe speeches and conversations about various relevant issues and exchange ideas with other digital rights organizations from all over the world, academics, as well as representatives of organizations of the EU and the Council of Europe, with government spokesmen of other countries, members of supervising authorities and company agents.

The schedule of the event can be found here.

Stay tuned!


Enrich your knowledge and get information about your digital rights through educational quizzes

Questions are interdependent with knowledge, since knowledge is the process of asking questions. As you have already been informed by Homo Digitalis, we are in the first week of the European Cyber Security Month. This article will guide you through some very interesting material that will enrich your knowledge through questions, educational questionnaires and quizzes.

Every time you use the internet a new digital world unfolds before you. Through a simple Internet connection, you have access to an ocean of information that you can use to get informed, educated, to communicate and have fun.

However, this world is not just a world of opportunities, but also a world full of challenges and risks. Campaigning and raising awareness are the keys in order to take full advantage of the offered opportunities given to you.

Our journey to awareness is about to begin with the first educational questionnaire on our list, which comes from the Communications Privacy Authority (ADAE). ADAE is one of the independent authorities, provided by the Greek Constitution. Its purpose is to protect the free correspondence or communication in any possible way. ADAE has recently posted a training questionnaire on its website with questions and answers based on a number of important issues.

If you have questions about the dangers stemming from the installation of malicious software on your computer or mobile device, if you suspect that your telephone or internet communication is being monitored, or if you want to know what is the right way to respond when you receive threatening or abusive calls, then the ADAE questionnaire will give you the right guidelines.

The next stop in our October journey to awareness is the variety of knowledge and awareness quizzes created by the Hellenic Safer Internet Centre team within the SaferInternet4Kids campaign, which are specially designed for children and teachers.

The Hellenic Safer Internet Centre operates under the Institute of Technology and Research (ITE) and through the SaferInternet4kids campaign website it sensitizes children, parents and teachers regarding the safe use of the Internet and social networking applications. If you want to know about your personal data, cyberbullying, excessive internet engagement, and more, you should definitely visit this site.

The third and last stop of our current trip is the Network and Information Security quiz prepared by the European Network and Information Security Agency (ENISA). This quiz is available in all languages of the Member States of the European Union and is divided into two themes, privacy and general security. Start the quiz here and get detailed answers for questions like: Is incognito mode private? How can botnets affect you? What concerns do cookies raise and what is VPN?

Fortunately, over the last few months a Safe Navigation Guide has been prepared for you by the Homo Digitalis team, which contains basic information about your device settings and general online behavior. If you have not yet taken the time to read this guide, do not waste time. Getting properly informed is only a few clicks away.


The European Cyber Security Month is here

Alongside the hack of 50 million Facebook accounts

You might have already read about the recent cyber-attack on Facebook and the fact that the intruders gained access to more than 50 million accounts.

A tremendous amount of personal data, such as conversations, photos and important information regarding the lives and relationships of all these users with other users, is in the hands of the hackers. This attack clearly shows how vulnerable we all are. Even Internet giants, such as Facebook, are not able to protect their users in certain cases.

This attack reminds us that expensive cyber security systems are not always enough. Regardless of the security measures everyone uses, there will always be a team of talented hackers, which might be able to take advantage of some human mistake or a weakness in the installed cybersecurity systems and successfully hack them after persistent efforts.

The protection of digital rights, such as privacy, protection of personal data and the freedom of online expression and information, is intrinsically linked to the security of the computer systems and the adoption of the pertinent techniques or organizational measures, which guarantee the requisite protection.

For this reason, the European Union Agency for Network and Information Security (ENISA) together with the European Commission (DG CONNECT) and other partners devote October to cyber security every year. For the sixth time the campaign “European Cyber Security Month” is here to draw the attention of people and organizations to the importance of the security of information in cyberspace.

Through events taking place in various EU Member States or “digital” meetings, which you can follow through your computer, this campaign aspires to promote the safer use of the Internet and enhance the interest of the public in cyber security.

If you want to get informed on the various events taking place, you can have a look at the map of the events here.