This article was published on June 1, 2013

EU data protection reform: A Pandora’s box or a new dawn for personal data?



When Jeremy Bentham came up with the idea of the Panopticon, a new prison model, in 1787, he surely didn’t have in mind that three centuries later constant surveillance would be possible in the non-material world: via the Internet.

In the case of the Panopticon, the concept of the design is to allow a watchman to observe (-opticon) all (pan-) inmates of an institution without them being able to tell whether or not they are being watched.

In the new digital era, as we move towards the Internet of Things, the internet has for some turned into a massive surveillance tool, an electronic Panopticon in the hands of both companies and governments.

With current controversies about privacy rules in the European Union running very hot, the European Commission proposed in January 2012 a new regulation and a new directive on Data Protection, updating existing legislation from 1995.

The draft regulation updates the principles set out in a 1995 directive, so as to keep pace with major changes in data processing brought about by the Internet for social networks, online shopping, e-banking services etc.

The draft directive would replace and broaden the scope of a 2008 framework decision on cross-border data processing in police and judicial cooperation. It is designed to protect both domestic and cross-border transfers of data.

During a seminar [PDF link] organised by the European Parliament Press service on 14-15.05.2013, journalists from the 27 member states of the EU had the opportunity to discuss the hot key issues of the new legislation with MEPs and stakeholders. And as expected, the conversation was very lively.

The right to be forgotten: Forgetting footprints, shunning shadows

Have you ever fancied deleting your digital footprints? Well, look no further. The Commission proposal envisages “a right to be forgotten”, according to which a person would be able to ask that their data be deleted if they no longer want them to be processed and there are no legitimate reasons for keeping them.

EU Commissioner Viviane Reding discussed the ‘right to be forgotten’ at DLD 2012

The provisions of this right have drawn opposition from Facebook, which states in an 11-page document dated 30 March 2012 that this right “raises major concerns with regard to the right of others to remember and of freedom of expression on the Internet.”

Naturally, the right to be forgotten is restricted in some cases, for instance when the data are needed to exercise freedom of expression, for public interest in public health, for historical, statistical and scientific purposes or when required by law.

Furthermore, reliance on the exemption for freedom of expression could mean news reports and archives or comments on posts are excluded. Concerning journalism, the general exemptions available will be set separately by the EU member states. The problem is that there’s a general lack of clarity about when these records are subject to freedom of expression or public interest arguments.

Last but not least, even if a person asks for the deletion of their data from a website, there’s a high possibility that this information has already been harvested and republished by other websites. It is not clear, for example, how far a website would be expected to go in tracking down other websites that have republished this data, and to what extent it can achieve a satisfactory outcome for the individual.

Profile me: Our digital egos revealed and examined

The rift between individuals and companies over online personal data seems gaping in the case of profiling (observing, collecting and matching people’s personal data online to analyse or predict a person’s behaviour).

The new regulation proposed by the European Commission gives consumers the ability to block many forms of online web tracking and online targeted advertising. It would only allow web businesses to collect data and profile individuals if they give their explicit consent.

Jérémie Zimmermann, Spokesperson for La Quadrature du Net, a French advocacy group that promotes digital rights and freedoms of citizens, stated during the first day of the seminar that:

“It is beyond necessary that the legislative frame will be as clear as possible, in order for the citizens to know when they should give their consent for the deletion or usage of their data. Despite the fact that the initial proposal of the Commission was quite balanced and protective for the fundamental rights, now it is full of holes and windows. There were four votes in the opinion committees and they were all fully aligned with the industries lobbies. To my mind, the issue is clearly political and I am afraid more complex than the ACTA itself”.

European Privacy Association in defence of industry interests?

While Zimmermann spoke in front of the journalists about “a massive cooperative lobbying that is about to drive the EU policy,” some important news recently came into the limelight: The Corporate Europe Observatory (CEO), which works to expose privileged access in EU policy making, said in a complaint that the European Privacy Association (EPA), a pan-European think tank based in Brussels, is working to represent industry interests in the debate on data protection in Europe. EPA managing director Pietro Paganini confirmed to the IDG News Service that Google, Yahoo and Microsoft are members of EPA and claimed that the failure to list these companies on the Transparency Register was an oversight.

It is noted that the register, which is operated by the European Parliament and European Commission, requires all signatories to disclose their interests, objectives or aims and, where applicable, the clients they represent.

The CEO used harsh words describing EPA as an “astroturf organization” or front group, defending the interests of large IT corporations. Following the accusations [PDF link], EPA issued a press statement on the issue.

The challenges for companies

Richard Szostak, member in charge of data protection in the Cabinet of European justice Commissioner Viviane Reding, who originally proposed the measures, stated during the seminar that one of the big assets of the new data protection reform is that it will lead to a strong, clear and uniform legal framework at EU level, which in turn will cut red tape and costs for business.

As Viviane Reding has also stated in one of her interviews: “By having a single set of rules on data protection that are valid across the EU, businesses will reduce costs from lower legal fees. We have calculated that all this will save firms around €2.3 billion a year”.

The new legislative package, if passed, would also grant European consumers a fundamental new right: data portability, or the right to easily transfer an individual’s posts, photographs and video from one online service site to another. Also, according to the regulation, when explaining their privacy policies, data processors (e.g. web businesses, search engines, social networks) will have to use clear, plain language and avoid legal jargon.

Under the Commission proposal, companies would face penalties for serious breaches of the rules (such as processing sensitive data without an individual’s consent or without any legal grounds) of up to €1 million or up to 2% of the global annual turnover of a company. The fines would start out at €250,000 or up to 0.5% of turnover for less serious offences. Moreover, companies would notify a single national data protection authority in the EU country where they have their main base (at the moment, companies must notify each national authority).

Furthermore, those employing at least 250 persons would be required to appoint a data protection officer (DPO). These requirements, combined with the right given to consumers to withhold basic personal details while using the Web, have been considered by companies as a major crimp in their financial model and revenues.

Nuria Rodriguez, Senior Legal Officer at the European Consumers’ Organisation (BEUC) stated on the matter: “Considering the argument that the new legislation will stifle innovation, it is my firm belief that the lack of trust of the consumers for the companies and the usage of their personal data create problems to the business”.

The proposed regulation applies if the data controller or processor (organization) or the data subject (person) is based in the EU. Most importantly, it also applies to organizations based outside the European Union if they process personal data of EU residents, which has drawn the attention of US and international technology and advertising companies.

The EU data protection reform: an old wine in new bottles?

The fact that 3,999 amendments were tabled to the proposal for a regulation, the highest number of amendments ever tabled to a single legislative file in Parliament (a total of 771 amendments were tabled to the draft directive) reveals the complexity and marks the alleged fears of not reaching an agreement on the debatable issues.

The aim is to reach an agreement before the next European elections in 2014, while once adopted, member states would have 2 years to adapt their national legislation to the new laws (both the regulation and the directive).

It is a fact that facilitating the free flow of information, while at the same time ensuring a high level of data protection between and across the member states in a harmonized framework is surely a tricky challenge for Europe.

Despite the fact that revitalizing and adapting fundamental privacy principles to the information age is among the strengths of the current proposal, some core concepts of data protection regulation, such as the definitions of personal data and individual’s consent, have turned out to be highly politicised. Damage would be done if a new regulation protects less than all personal data and consent is not explicit and separated from any other transaction.

As MEP Dimitrios Droutsas, the Rapporteur for the General Data Protection Directive, said: “I feel a certain shift towards the companies’ interests instead of highly protecting our citizens, which I dislike. However, one should take the important work of European Union into account in the field of data protection so far.”

It seems that the resistance of some companies and industry associations towards the new reforms somewhat underlines the underestimation of privacy on their part. What is equally interesting is that, according to Hielke Hijmans, Head of Unit Policy & Consultation, European Data Protection Supervisor, it was proposed that the financial sector be excluded from the proposed regulation.

Moreover, there were previous attempts to introduce a specific Directive for employment data protection but that failed. As Jan Philipp Albrecht MEP, Rapporteur for the General Data Protection Regulation stated, “There is a mechanism for the [EU] Commission to adopt a delegated act for this. However, it would be better for it to be a separate act or a comprehensive set of rules be integrated in the current regulation.”

Finally, it remains to be seen if the new legislation, if adopted, will be an old wine in new bottles or a step forward for protection of the fundamental rights of individuals in the new era of digital “smoothening.”

Image credits: AFP/Getty Images, Getty Images
