Big tech accountability? Read how we got here in  The Closing of the Net 

The European Parliament  today adopted a data protection package  that is being described as 'historic' and monumental'.  The new EU measures  update data protection rules for the era of the Internet and social media, including the use of data by  police  and law enforcement. The hot buttons have been the transfer of data outside the EU – especially to the United States -  and how the large digital corporations may exploit data for commercial purposes. For whose benefit is this law and how should we regard it?

The main part of the package is the General Data Protection Regulation, that has been shepherded theough the European Parliament by the German MEP Jan-Philipp Albrecht. The Regulation has gained the support of all political groups, and of the Council of Ministers, meaning that was adopted  without opposition. This cross-party and cross-country consensus reflects an achievement by Mr Albrecht,  who had a  very tough role in getting there.

The new measures  will apply from 2018 and all 28 member states will be subject to the same data protection rules.   Changes were  necessary because the current law was devised in an era when the Internet was just an emerging technology, and notion of analysing billions of pieces of data or automated profiling individuals by their location and spending habits had not yet been invented. The updates  address issues such as  data profiling techniques and so-called 'big data' processing,

Nevertheless, anyone listening to the  debate in the European Parliament  that took place yesterday  may have been struck by the apparent contradictions.  There were  claims that the law will  give individuals more control over their data and in that way it would do more to protect  privacy. In particular, provisions on data portability will   allow people to take their data from one service provider  to another, and  to get more information on how their data is processed.

There were also claims that the new law will  be 'a market  opener',  providing  legal certainty for business. One law for one continent. A “sensible”  compromise.  MEPs said that 'data is the new currency' and that this law is a plank in the creation of   the digital single market.  

This contractiction highlights the paradox of privacy law, and especially data protection. It is positioned as a law to protect the privacy of individuals whereas it is actually about protecting the industries that rely on the processing of data.

Data protection law  is an  essential cornerstone  of privacy law,  and as individual citizens we look to it to protect some of our most private information. However, from the viewpoint of those industries  for whom data is the new currency, it takes on a totally different aspect. To them, data protection law is about their liability exposure and about their ability to run a business and make profit.

It is precisely because 'data is the new currency' that  the Data Protection Regulation  attacted a  massive and co-ordinated lobbying campaign   -  probably the largest lobbying campaign that I have witnessed in nearly 10 years following European Parliament matters ( See The Closing of the Net ) .

That is why the issue of transferring data outside the EU was eEspecially controversial, because it sits at the nexus of commercial interest and individual privacy protection. This matter rumbles on with the so-called Privacy Shield agreement between the EU and the US. Mostly the political debate has been dominated by the  Google, Facebook and other US-based corporations. They  were concerned  because they transfer data to their data centres in the US on a daily basis, and potential changes to EU law would render their activity illegal.  Bubbling under was of course, the ability of the US intelligence services to process the data of EU citizens for other reasons.

The Privacy Shield does seem to be a misnomer. It  has a set of get-out exceptions that seem to render it more  privacy sieve than shield. The European Commission's own advisers, in the form of the Article 29 Working Party, yesterday made public their objections to it:

Key data protection principles as outlined in European law are not reflected “ and “the representations of the U.S. Office of the Director of National Intelligence (ODNI) do not provide sufficient details in order to exclude massive and indiscriminate collection of personal data originating from the EU”.

In response, Justice Commissioner Jourova, speaking in the European Parliament yesterday,  said that she would address their concerns. The political question is  whether she can convince her US colleagues to make any changes.

The other part of the data protection package contained a new directive covering the use of personal databy  law enforcement and police. It  addresses  the requirement  for law enforcement authorities to  process  and share data as part of criminal investigations.  This directive has also obtained the full support of all party groups and of the Member States, and it too was adopted without opposition.

A third piece of legislation addressing privacy matters  was also adopted.  This is the directive on pasenger name records,   a law that deals with  the collection of airline passenger data.   This law is more controversial, with  disagreement between MEPs in the dominant EPP group, and the smaller Green and Liberal groups, concerning the necessity for the mass collection of these records.  

Note that the legislation adopted  today  was the Council's position, which was agreed last December by all three EU institutions: European Parliament, Commission and Council of Ministers. See  Recommendation for Second Reading.


For the back story to today's vote, and more on the trans-atalantic data transfer issues, see my new book The Closing of the Net, now available from Polity Press.Here's what the Times Higher Education had to say about it: "In one of the book’s best chapters, Horten’s description of the lobbying process surrounding data protection reform in the European Union shows how lobbyists work in practice – and it is a cautionary tale."


This is an original article from and reflects research that I have carried out. If you refer to it, please cite my name as the author, and provide a link back to Media and Academics – please cite as Monica Horten, 2016,  EU 'historic' data protection rules highlight privacy paradox    in, 14 April  2016. Commercial users - please contact me.

If you like this article, you might also like my latest book The Closing of the Net which discusses corporate influences over EU policy. It has three chapters on privacy policy including the back story to the EU data retention directive, with a singular lesson for today's legislators.

Iptegrity in brief is the website of Dr Monica Horten. I’ve been analysing analysing digital policy since 2008. Way back then, I identified how issues around rights can influence Internet policy, and that has been a thread throughout all of my research. I hold a PhD in EU Communications Policy from the University of Westminster (2010), and a Post-graduate diploma in marketing.   I’ve served as an independent expert on the Council of Europe  Committee on Internet Freedoms, and was involved in a capacity building project in Moldova, Georgia, and Ukraine. I am currently (from June 2022)  Policy Manager - Freedom of Expression, with the Open Rights Group. For more, see About Iptegrity is made available free of charge for  non-commercial use, Please link-back & attribute Monica Horten. Thank you for respecting this.

Contact  me to use  iptegrity content for commercial purposes


States v the 'Net? 

Read The Closing of the Net, by me, Monica Horten.

"original and valuable"  Times higher Education

" essential read for anyone interested in understanding the forces at play behind the web."

Find out more about the book here  The Closing of the Net


FROM £15.99

Copyright Enforcement Enigma launch, March 2012

In 2012, I presented my PhD research in the European Parliament.


Don't miss Iptegrity!  RSS/ Bookmark