On data protection: In search of core European values
As the EU’s response to the Snowden leaks converges with European data protection reforms, new debates on privacy emerge at the European level: and the burning issue remains that of trust. Simon Garnett rounds up the latest developments to coincide with Data Protection Day 2014.
The twenty-eighth of January is European Data Protection Day, marking the signing of Europe’s first data protection treaty – the “Council of Europe Convention 108 for the Protection of individuals with regard to automatic processing of personal data” – in 1981. More than ever, the date is worth remembering. Currently, two major developments in privacy politics are converging in the European Union: first, its response to the information contained in the Snowden files, including the proposal to bring Snowden before the European parliament; second, the commencement of negotiations between the European parliament and the Council of Ministers around the proposed Data Protection Regulation that would replace the current 1995 Directive.
Safe Harbour?
The 1995 European Data Protection Directive placed restrictions on the exchange of personal data with companies and organizations in third countries, requiring that those countries ensured “adequate” levels of protection. “Adequacy” was loosely defined as compliance with the Directive and, theoretically, the data protection laws of the member states. In 2000, these restrictions were relaxed under the “Safe harbour decision”, which allowed exchange of personal data with US companies where incompatibilities between EU and US data protection law would otherwise have ruled this out. Safe Harbour was set up as a self-regulating system controlled by the US Department of Commerce and the US Federal Trade Commission, in which US companies undertook to comply with a set of principles on consent, transparency and accuracy. US companies participating in Safe Harbour are mainly those operating in the EU, including the major Internet and software companies, and US subsidiaries of big EU companies; not included under Safe Harbour are financial services and the telecommunications sector, which fall outside the remit of the Federal Trade Commission.
Criticisms of the effectiveness of Safe Harbour were raised by European data protection authorities as early as 2002, and again in 2004, without any corrective being undertaken. This appears to have changed with a report published on 27 November 2013, calling for a review of Safe Harbour in summer 2014. Alongside an increase in flows of personal data of a type previously considered insignificant (social media), and a sharp rise in the number of US companies participating in the scheme, the factor prompting the report is the information contained in the Snowden leaks, which “raises new questions on the level of the protection the Safe Harbour arrangement is deemed to guarantee”. This refers to revelations about the access to user data provided by US Internet companies to the NSA. Both the Irish and the Luxembourg data protection authorities have since rejected complaints about US companies operating in their jurisdictions (Facebook in Ireland, Microsoft and Skype in Luxembourg). The contrast between these positions and the strong critique from the German data protection authority (DPA) has highlighted what the Report calls the “fragmentation” of the Safe Harbour system – a failure that would be rectified by the creation of a centralized European DPA, as proposed in the draft Data Protection Regulation. This is nevertheless one of the major sticking points in negotiations between the EU parliament and the member states.
From Directive to Regulation
After a long and difficult drafting process, MEPs voted on a final draft of the Regulation in October. However, after a first round of negotiations at the end of 2013 between the Council and representatives of the parliament, headed by the German Green MEP Jan-Philipp Albrecht, it now threatens to run into the sand at the Council level. Hopes that the Regulation would be passed by the end of the current legislative period (ending in May 2014) now appear very slim. While the EU sees “lack of political will” (Viviane Reding), European justice ministers say they need more time to ensure quality of law: “We prefer a strong agreement to a fast one, and must work to ensure a proper balance between business interests and fundamental rights of citizens,” according to the presidency of the Council of the European Union.
Indeed, the sheer complexity of the process should not be underestimated, nor the implications of the fact that the Regulation, unlike the Directive, would have direct validity. In the German case, 300 existing data protection regulations spread across the legal code would have to be replaced by 100 new ones, the risk being that existing data protections would actually be weakened. However, the main opposition is to the “one-stop shop” system that would see transnational complaints addressed by a central data protection authority. Here, countries with US companies operating in their jurisdictions (above all Ireland) are strongly opposed to the weakening of the authority of national DPAs. It is to the credit of the parliament that it succeeded in reintroducing closer restrictions on data transfer with third countries into the final draft, after these were dropped following intense US lobbying. The issue of data transfer to the US is likely to become highly controversial if it fails to be satisfactorily addressed in the Transatlantic Trade and Investment Partnership Agreement (TTIP), currently being negotiated behind the scenes and with markedly greater speed and urgency.
A European Digital Habeas Corpus
On 9 January, the European parliament voted to invite Edward Snowden to give evidence: the issue is the proportionality of his actions and whether he had exhausted all other whistle-blowing channels. The vote came on the heels of a report on surveillance by the NSA and European secret service agencies published by the Parliamentary Committee on Civil Liberties, Justice and Home Affairs. Headed by rapporteur Claude Moraes, British Labour Party MEP and member of the Social Democratic group, the outspokenness of the report stands in contrast to the EU’s official response to US President Barack Obama’s equivocal speech on the NSA, given on 16 January. Expressing doubt that “data collection of such magnitude is only guided by the fight against terrorism” and warning of a change in the “established paradigm of criminal law in democratic societies”, the report’s central “recommendation” is the introduction of a “European Digital Habeas Corpus for protecting privacy”. The idea is essentially that individual informational privacy rights be given “constitutional” status at the European level. Unlike the draft Data Protection Regulation, which by its nature makes no reference to the NSA or other secret services, this report has no legislative import. Rather, it is an unreserved statement of “core European values” on privacy, and as such a noteworthy document. At its centre is the question of “trust between the two transatlantic partners, trust among EU member states, trust between citizens and their governments, trust in the respect of the rule of law, and trust in the security of IT services”. In other words, it is a constitutional law justification for privacy protections rather than one derived from contract law and civil law rights of consent and self-representation.
In the case of data protection, resolution at the European level is the only way in which adequate protections of citizens’ rights can be obtained. Or, to put it negatively: the rejection of a European system of regulation, under the pretext of national sovereignty, will necessarily mean not the strengthening of the rights of citizens, but their erosion.
Published 28 January 2014
Original in English
First published by Eurozine
© Eurozine