EDRi works to influence legislative proposals on artificial intelligence (AI) to protect people, communities and society from the escalating economic, political and social issues posed by AI. EDRi provides input to EU institutions on AI to ensure fundamental rights based legislation and policy.

EDRi’s recommendations to European Union institutions on AI can be found here and the response to the European Commission’s consultation on AI is here.

The Audiovisual Media Services Directive (AVMSD) is the EU’s legal framework that regulates traditional TV broadcasters, on-demand services, and, since 2017, video-sharing platforms. It contains rules on audiovisual advertising, the promotion of European works, and providers’ obligations with regards to the protection of minors from potentially harmful content, among other measures. Regulating online content and the role of online platforms in dissimenating it has a direct impact on freedom of expression and access to information. We are therefore concerned about the AVMSD’s lack of clarity and safeguards for respecting the rule of law and protecting fundamental rights.

On 11 May 2022, the European Commission put forward a proposal for a law to ‘prevent and combat child sexual abuse’ (CSA Regulation). Proposing rules to force social media platforms, email and chat providers and other digital services to monitor the public and private communications of potentially all of their users, the law’s architect, Home Affairs chief Ylva Johansson, claimed that her law is the “only way” to keep children safe online.

The CSA Regulation proposal has been a controversial piece of legislation from the very beginning. We are seeing a democratic scandal unravelling before us, as groundbreaking decisions are being taken out of a false sense of urgency, rather than good evidence and solid processes. The handling of the CSA Regulation on an institutional level has brought to the surface a long history of poor-quality policymaking. This risks severely damaging the democratic values and foundations the Union has been built upon.

As experts in online regulation, like the EU’s top data protection authority warn, supporting this law will not bring us closer to keeping children safe. It will only legitimise scandalous practices that have no place in the EU and will put the democratically-elected Members of the European Parliament in the uncomfortable position of trying to find a ‘solution’ to make mass digital surveillance acceptable. The CSA Regulation proposal as put forward by Johansson and her staff (DG HOME) has turned the conversation into a zero-sum game between fundamental rights, which sadly will not contribute to the better protection of anyone – especially the children this legislation is supposed to help. 

In the digital era, copyright should be implemented in a way which benefits creators and society. It should support cultural work and facilitate access to knowledge. Copyright should not be used to lock away cultural goods, damaging rather than benefiting access to our cultural heritage. Copyright should be a catalyst for creation and innovation. In the digital environment, citizens face disproportionate enforcement measures from states, arbitrary privatised enforcement measures from companies and a lack of innovative offers, all of which reinforce the impression of a failed and illegitimate legal framework that undermines the relationship between creators and the society they live in. Copyright needs to be fundamentally reformed to be fit for purpose, predictable for creators, flexible and credible.

The 2016 Data Protection Law Enforcement Directive, or LED, accompanies the more well-known General Data Protection Regulation (GDPR), but relates specifically to data processing for law enforcement purposes. The LED has many similarities with the GDPR, but differences include different requirements for consent. It is an important piece of legislation for holding law enforcement to account and ensuring that people’s personal data is properly protected and not abused by law enforcement. The LED is relevant to many topics on which EDRi works, including surveillance, biometrics, data retention, cross-border data sharing and more.

In 2006, the European Union enacted its Data Retention Directive, requiring telecommunications providers to retain communications data for a period of between 6 months and 2 years, placing the entire population under surveillance. Eight years later, the Court of Justice of the European Union (CJEU) ruled that blanket data retention was illegal under EU law and declared the Directive invalid. Some Member States still ignore this ruling and maintain illegal data retention regime to this day. Despite its role of “guardian of the Treaties”, the European Commission appears unwilling to start infringement proceedings. EDRi monitors regular attempts to give data retention a fresh start at EU level while EDRi members continue to bring legal action against national data retention laws.

EDRi follows and inputs into EU processes related to the Data Strategy to uphold data protection rights, ensure freedom of expression, accessibility and access to information, and resist the exploitation of personal data.

The Digital Services Act (DSA) is an EU law that regulates a large variety of online services available today. It focuses in particular on the responsibilities of large online platforms such as Facebook, Youtube, Instagram, X and TikTok, when it comes to how they make available, curate, and moderate user-generated content. EDRi’s work has had a major positive impact on today’s DSA rules. Now we are making sure the law is applied fairly and in full respect of the fundamental rights of us all.

The Digital Markets Act (DMA) is an EU law that regulates known anti-competitive behaviour of the largest tech companies, called ‘gatekeepers’. Gatekeepers sit in between business users and end users and can manipulate the flow of information and products between them to their own profit. Since 2020, EDRi has worked to ensure that the DMA introduces strict prohibitions and obligations for gatekeepers and enables people to take back control over their online lives. Our work now focuses on ensuring the DMA’s swift and decisive enforcement.

The European Commission proposed a Regulation on cross-border access to and preservation of electronic data held by service providers and a Directive to require service providers to appoint a legal representative within the EU in April 2018. Since then, the legislative process to adopt them has been fast-tracked, which has prevented any proper assessment of these measures to be carried out.

New devices are being continually developed that increasingly have the ability to connect to the internet and communicate between themselves. These devices, while making our life easier in many ways, also create major privacy and security risks. We explained in our series of blogposts on privacy the freedoms that are under threat, if these technologies are not regulated effectively.

As the 2019-2024 mandate drew to a close, the ePrivacy Regulation was regarded as virtually defunct. The European Commission is anticipated to withdraw the current proposal, opting instead to address its various components through separate legislative initiatives. EDRi will actively participate in every phase of the upcoming legislative processes as part of its ongoing efforts to combat abusive state and commercial surveillance.

The 2020 European Democracy Action Plan (EDAP) is a Communication from the European Commission on threats to democracy in the EU, including misinformation, disinformation, media freedom and plurality and electoral integrity.

In May 2018, EDRi and our members widely and warmly welcomed the increased protections and rights enshrined in the General Data Protection Regulation (GDPR).

The GDPR was designed to address information and power asymmetries between individuals and entities that process their data, and to empower people to control it.

Six years after the text came into force, despite limited successes partly driven by the efforts of digital rights organisations advocating for data protection, GDPR procedures remain excessively lengthy. This inefficiency has hindered the timely delivery of satisfactory outcomes for data subjects and indirectly encouraged data controllers and processors, notably Big Tech, to persist in non-compliant activities. Consequently, there is an urgent need to enhance legal certainty and prevent actions that could undermine the effectiveness and trust in GDPR enforcement. Acknowledging the widespread consensus within the data protection community that the GDPR has yet to fully realise its potential to uphold the fundamental rights to privacy and data protection, the European Commission has published a Proposal for a Regulation that establishes additional procedural rules for the enforcement of the GDPR. EDRi welcomes this initiative and supports the effort to address enforcement deficiencies through this new Regulation, and is actively involved in the legislative process to ensure that these improvements are effectively implemented

The term disinformation refers to false, inaccurate, or misleading information used to intentionally cause public harm or to make a profit. Hate speech denigrates people based on their race, ethnicity, gender, social status, sexual orientation, religion, age, physical or mental disability among others. Disinformation and hate speech at scale are dangerous practices that are used to discriminate against people and infringe on our rights to freedom of expression and access to information.

Net neutrality ensures that people can connect to any service or other user on the internet, and that they can create, access and use any content, service and application they choose without discrimination. Since 2015, the EU has legislation in place that protects net neutrality and related user rights to an acceptable degree. Yet every year powerful industry lobby groups attempt to undermine those protections and weaken the law for their own profit. EDRi fights to maintain and further strengthen the current net neutrality rules and keep the internet in Europe truly free (as in ‘freedom’, not as in ‘gratis’) and accessible to all.

Passenger Name Records (PNR) are very detailed pieces information that are collected by airlines about travelers. As of result of the terrorist attacks of 11 September 2001 (9/11) a number of proposals were pushed to collect more data about everyone, allegedly with the goal to find “patterns” that would reveal terrorist plans before they were executed.

Terrorist networks have grown highly prone to the use of the internet for spreading their propaganda and recruiting followers in recent years. Although the fear of the general public of terrorist attacks certainly puts considerable pressure on policy makers, politicians also strategically use the climate of diffuse anxieties to increase the securitisation of the internet and present themselves as capable, tough leaders. A notable example of such politically motivated policy making was a Regulation on preventing the dissemination of terrorist content online, with which the European Commission continued its trend of producing a watershed of “solutions” to terrorist propaganda on the internet, rather than addressing the various root causes of this complex societal issue. The Regulation came into force in 2022. EDRi has actively evaluated the text’s implementation and has highlighted significant concerns raised since the negotiation phase about the Regulation’s impact on fundamental rights and its effectiveness in achieving its objectives.