EU data protection reform
October 8, 2013
Joe McNamee is the Executive Director of EDRi (European Digital Rights). Thirty-five privacy and civil rights organizations in 21 different European countries have EDRi membership. Their goal is to defend civil rights in the information age.
DW: Data protection is a controversial and much debated topic in Europe at the moment. The commission has proposed a reform of the current rules, which go back to the year 1995. One of the key elements of the reform would be the so-called one-stop-shop mechanism. Can you explain what that would entail?
Joe McNamee: That's one of the issues that is still very much subject to controversy. Under the proposals both citizens and companies would have a single point of contact to address questions regarding data processing. The basic idea is that a particular company would be able to rely on one national regulatory authority to deal with all of its processing, rather than having a more fractured approach.
At the moment, there's a case involving Google in France; there's another case involving Google in Spain that's still ongoing in the European Court of Justice. But Google is registered in Ireland. That's a perfect example of the very difficult balance that has to be achieved.
On the one hand, it's somewhat unreasonable to have companies unclear on which jurisdiction they're based in or whether they're simultaneously in numerous European jurisdictions. On the other hand, data protection implementation is notoriously weak in Ireland. Many people point to the fact that Google, LinkedIn and Facebook and every other big name you can think of is registered in Ireland as proof that companies will exploit the weakest link in any such system as a way of avoiding strong data protection regulation. This cannot be allowed to happen. So if you go too far one way you end up with a problem for companies and if you go too far the other way - as is the case now - you have a problem for citizens.
Germany says the proposed changes don't go far enough. What does Germany want to see implemented?
Germany has got a few niche issues – in particular with regard to public sector information, which they are afraid would need to be weakened somewhat if the regulation came into force. But most people would argue it would not need to be significantly weakened. But the German position is really difficult to defend when you look at the wider issues at stake.
At the moment you have a situation where the Facebook data of millions of German citizens is essentially being laundered through Ireland. To most observers that seems to be a far bigger problem than a slight weakening of public sector data protection rules, bearing in mind that the weakened rules would still be quite strong.
The revelations of US whistleblower Edward Snowden have given new impetus to the whole debate. Initially, his revelations caused an outcry and dismay in Brussels and in the member states. Do you see that outcry reflected in EU policymaking?
It's quite extraordinary how little impact those revelations have actually caused. There is a little bit of movement with regard to issues concerning export of data to third countries, in particular in respect to export to the US.
But there's been pretty much no impact on the wider issues on whether companies should be allowed to collect vast databases, collect data without consent, and profile people without consent. Those issues are continuing exactly as before. As if the fact that private companies will be allowed to create massive private databases will not in any way influence the amount that foreign governments will then want to gain access to these private databases. It's really quite unbelievable how little influence these revelations have had.
Let's come back to the planned reform: Britain has been accused of trying to postpone a deal. It argues the whole issue just highlights the different cultures in the EU of dealing with online privacy issues. But some are saying Britain actually doesn't want more powers to be transferred to Brussels. Britain replies by saying, we don't need rigid regulation and that less is more. Can you elaborate?
Britain's position is the American position - by coincidence or otherwise. Britain has had the existing principles in its national laws since 1998 and has got around the current system by having a weak data protection authority. It is not the best in Europe for doing its job. It's quite a ridiculous position for the UK to simultaneously have laws and not want to enforce them. Now they're trying to dilute, delay, confuse and do anything other than have a proper discussion about what's actually needed.
We have had the same discussions on European level with the UK with regard to banking regulation. The UK was at the forefront of the fight against regulation of the banking sector. They called for self-regulation; they called for industry to be left with a light regulatory touch; and they were at the forefront of insisting on a regime, which has proven to be catastrophic for European interests. Now we're talking about personal data being the new currency. And the UK is taking exactly the same short-term view on personal data protection that they took on banking regulation. It will have the same result if they're allowed to have their say.
The council that represents the member states will have to agree on a common position before negotiations can continue with the other European institutions. With Britain's opposition so firm, what are we likely to expect there? Is the whole reform dead already?
It depends on the other member states. If Britain is isolated then its position is not hugely important. But if they get the support of another big European member state like Italy, France, or Germany, then they can theoretically kill the entire package. For the moment, the European Commission seems confident that Britain's position is so extreme and so indefensible that they're unlikely to get another country to support them. But anything can happen in politics.
There's not just disagreement over the data protection reform. The Safe Harbor agreement has also come under criticism. It allows European companies to transfer personal data to the US. The EU's Justice Commissioner Viviane Reding says that she wants to reassess the deal by the end of the year. What's going to come of that?
That's more a question of political courage at this stage rather than anything else. It was quite obvious – at least to us – at the beginning of this process that the Safe Harbor agreement is not capable of doing the job that it was set up to do. This is now extremely clear from recent revelations and from the experience of the whole project.
So Viviane Reding's services have no option other than come to an honest appraisal that Safe Harbor does not work and is not going to mysteriously start working. Therefore we need to pronounce it dead in order to bury it and find another way of achieving the goal of protecting European citizens' fundamental rights to privacy and data protection. The problem is that Commissioner Reding is not solely responsible for this, because the European Commission works as a college, which means it needs to be unanimous. Even if Commissioner Reding produces a strong critique of Safer Harbor, the end result still might be negative.
So far the Commission as a whole has shown remarkably little courage in standing up for European citizens' rights - as illustrated by the fact that the EU/US trade negotiations were not slowed down by the Snowden revelations. My feeling is that when Commissioner Reding is finished with her work, and once the rest of the commission gets hold of her text there's not going to be much left. The result is likely to be a half-hearted and inadequate response to a real problem.
So who protects European citizens' personal data then?
Whenever the commission produces its final report on Safe Harbor, either it's going to be clear and forthright and say this is simply not good enough and a better solution must be found. Or this European Commission - which is historically the first European Commission where each individual commissioner took a personal oath to respect and uphold the charter of fundamental rights - is going to go down in history as the commission which has failed most impressively at protecting fundamental rights. Then I guess the next stage will be five or ten years of battles in the European Court of Human Rights, in order to reassess our rights there and to achieve legally what our political leaders were unable to achieve.
Do you think pressure could be growing on both the European Commission and the member states with the beginning of the campaign for the European elections next year?
There are very few things in life that I would wish for more. This should be happening, people should be concerned. What's happening at the moment in the European Parliament and in the Council of Ministers is that, in a world of big data where profiling allows deeper insights into our personalities than we have into our own personalities, fundamental rights – your right and my right to privacy – are in the process of being destroyed.
It's a matter of complete bafflement to me that parliamentarians, in particular, are acting as if they have complete impunity, that nobody is watching them and that they can happily dismantle our fundamental rights- despite the fact that they will be coming to citizens over the coming months asking for their vote.
To sum it up: our rules date back to the year 1995, and politicians are not adjusting them to our day and age. What do you think is a realistic scenario for our data protection rules to be reformed and brought in line with the digital world we live in?
The principles are from 1995, and the principles are remarkably durable. The principles that were valid in 1995 are still valid in 2013. What we need is more a reform of the rules in order to bring them into line with what the principles mean in a different technological era.
One of two things is going to happen: Either between now and the elections in May people are going to realize that this is an important issue and that we can't allow the current watering down of the principles that have been in place since 1995 and parliamentarians change their stance in a way that is appropriate. Or they don't. In which case the principles are going to be significantly watered down, and this reform is going to be the last reform for at least 15 years. If we lose this opportunity we're not going to get another one.