The European Parliament today adopted a data protection package that is being described as 'historic' and monumental'. The new EU measures update data protection rules for the era of the Internet and social media, including the use of data by police and law enforcement. The hot buttons have been the transfer of data outside the EU – especially to the United States - and how the large digital corporations may exploit data for commercial purposes. For whose benefit is this law and how should we regard it?
The main part of the package is the General Data Protection Regulation, that has been shepherded theough the European Parliament by the German MEP Jan-Philipp Albrecht. The Regulation has gained the support of all political groups, and of the Council of Ministers, meaning that was adopted without opposition. This cross-party and cross-country consensus reflects an achievement by Mr Albrecht, who had a very tough role in getting there.
The new measures will apply from 2018 and all 28 member states will be subject to the same data protection rules. Changes were necessary because the current law was devised in an era when the Internet was just an emerging technology, and notion of analysing billions of pieces of data or automated profiling individuals by their location and spending habits had not yet been invented. The updates address issues such as data profiling techniques and so-called 'big data' processing,
Nevertheless, anyone listening to the debate in the European Parliament that took place yesterday may have been struck by the apparent contradictions. There were claims that the law will give individuals more control over their data and in that way it would do more to protect privacy. In particular, provisions on data portability will allow people to take their data from one service provider to another, and to get more information on how their data is processed.
There were also claims that the new law will be 'a market opener', providing legal certainty for business. One law for one continent. A “sensible” compromise. MEPs said that 'data is the new currency' and that this law is a plank in the creation of the digital single market.
This contractiction highlights the paradox of privacy law, and especially data protection. It is positioned as a law to protect the privacy of individuals whereas it is actually about protecting the industries that rely on the processing of data.
Data protection law is an essential cornerstone of privacy law, and as individual citizens we look to it to protect some of our most private information. However, from the viewpoint of those industries for whom data is the new currency, it takes on a totally different aspect. To them, data protection law is about their liability exposure and about their ability to run a business and make profit.
It is precisely because 'data is the new currency' that the Data Protection Regulation attacted a massive and co-ordinated lobbying campaign - probably the largest lobbying campaign that I have witnessed in nearly 10 years following European Parliament matters ( See The Closing of the Net ) .
That is why the issue of transferring data outside the EU was eEspecially controversial, because it sits at the nexus of commercial interest and individual privacy protection. This matter rumbles on with the so-called Privacy Shield agreement between the EU and the US. Mostly the political debate has been dominated by the Google, Facebook and other US-based corporations. They were concerned because they transfer data to their data centres in the US on a daily basis, and potential changes to EU law would render their activity illegal. Bubbling under was of course, the ability of the US intelligence services to process the data of EU citizens for other reasons.
The Privacy Shield does seem to be a misnomer. It has a set of get-out exceptions that seem to render it more privacy sieve than shield. The European Commission's own advisers, in the form of the Article 29 Working Party, yesterday made public their objections to it:
“Key data protection principles as outlined in European law are not reflected “ and “the representations of the U.S. Office of the Director of National Intelligence (ODNI) do not provide sufficient details in order to exclude massive and indiscriminate collection of personal data originating from the EU”.
In response, Justice Commissioner Jourova, speaking in the European Parliament yesterday, said that she would address their concerns. The political question is whether she can convince her US colleagues to make any changes.
The other part of the data protection package contained a new directive covering the use of personal databy law enforcement and police. It addresses the requirement for law enforcement authorities to process and share data as part of criminal investigations. This directive has also obtained the full support of all party groups and of the Member States, and it too was adopted without opposition.
A third piece of legislation addressing privacy matters was also adopted. This is the directive on pasenger name records, a law that deals with the collection of airline passenger data. This law is more controversial, with disagreement between MEPs in the dominant EPP group, and the smaller Green and Liberal groups, concerning the necessity for the mass collection of these records.
Note that the legislation adopted today was the Council's position, which was agreed last December by all three EU institutions: European Parliament, Commission and Council of Ministers. See Recommendation for Second Reading.
For the back story to today's vote, and more on the trans-atalantic data transfer issues, see my new book The Closing of the Net, now available from Polity Press.Here's what the Times Higher Education had to say about it: "In one of the book’s best chapters, Horten’s description of the lobbying process surrounding data protection reform in the European Union shows how lobbyists work in practice – and it is a cautionary tale."
This is an original article from Iptegrity.com and reflects research that I have carried out. If you refer to it, please cite my name as the author, and provide a link back to iptegrity.com. Media and Academics – please cite as Monica Horten, 2016, EU 'historic' data protection rules highlight privacy paradox in Iptegrity.com, 14 April 2016. Commercial users - please contact me.