Daniel Hamilton and Dominique Lazanski: Which way forward for EU digital data protection policy?

Following the entering into law of the Lisbon Treaty on 1st December 2009, the European Parliament gained key competences in the field of intellectual property and data protection laws - namely, Article 16(2) of the Treaty on the Functioning of the European Union (TFEU). Like any child with a new toy, MEPs have indicated that they are more than willing to play with these powers – to both affect legislative change and to demonstrate their worth as politicians to a European populous that grows more and more concerned with data security issues by the day.

Arguably, the most notable example of the European Parliament’s new-found focus on privacy issues was the rejection of the SWIFT agreement in February 2010 which would have allowed the EU citizens’ bank data to be shared, without reciprocity, with the United States government. While five months later the bulk of the original agreement found its way into law as the rebranded Terrorist Finance Tracking Program (TFTP), the Parliament was able to win key concessions which prevented the mass transfer of financial data to the US.

While far from perfect, the European Parliament’s perceived success in relation to SWIFT has given rise to demands for a new EU approach to data protection.Mindful of this, on November 4th 2010 the European Commission outlined its intention to conduct the first overhaul of EU data protection policies since 1995 – a year when less than third of European citizens owned a computer and fewer than one in 20 used the internet on a regular basis.

The 1995 Data Protection Directive put forth two important ideas on personal data, namely, that individuals have rights and freedoms especially associated with personal data protection and that there should be free flow of personal data within the common market. The consultation today, which is designed to provide a new framework for the ‘digital age’, intends to provide a framework for dealing with new technologies and the realities of globalisation.

At Big Brother Watch, we campaign to fight intrusions on privacy and protect liberties – two considerations the European Commission must take into account when fashioning their new data protection framework.

At the heart of this conviction is the belief that individuals should have all rights to their personal data. As such, we would encourage the Commission to move towards a system by which individuals should ‘opt-in’ to sharing their personal data rather than the present situation where websites and data protection controllers the default position is to force consumers to ‘opt out’. At present, far too many members of the public are simply unaware of how their personal information is shared. Forcing people to ‘opt in’ would end this problematic situation.

Indeed, the Commission has some prior experience in this field. In the previous Commission, Consumer Protection Commissioner Kuneva outlawed the use of pre-selected boxes on airline websites. Before the ban on websites ‘preselecting’ boxes, many airlines were able to hoodwink their customers into purchasing insurance products or “speedy boarding” products without their prior knowledge. The same principle should be applied to personal data.

The issue of transparency must also key to the Commission’s considerations when it comes to fashioning a new framework for data protection. Transparency is the key to any industry where consumers are adopting new technologies wholesale. In order to ensure this important consideration is taken into account while also guaranteeing that firms are not strangled by Brussels bureaucracy, online industries should be encouraged to innovate and find new ways to inform customers of their data collection. This could happen in a variety of ways including proactive instruction and education by companies, for consumers, on how to protect personal privacy.

According to figures published by the Dutch government, the identity of each of the country’s citizens appears on an average of 1,500 databases. While perhaps a pipe-dream, Big Brother Watch supports the ‘right to be forgotten’. It can only be right that an individual can require their personal data to either ‘expire’ and be removed from a computer system or be removed from an online service at a time of their choosing.

From our experience, consumers can often find the process of removing their data from websites such as the UK-based 192.com telephone directory service frustrating and complicated. The Commission should encourage, as an example of ‘best practice’, websites storing data to display information about how to ‘opt out’ from their databases in a prominent position on their web pages.

When conducting a wide-ranging review of any piece of legislation, it is vital that a government – or, in this case, the European Commission – do their best to educate citizens about the workings of such a law. As such, any new approach to data protection must take into account recommendations from the Article 29 working group of Member State data protection watchdogs as to how consumers can be better informed of how their data will be stored, used and propagated at the time of submission such as notifications on data capture forms, the aforementioned ban on the ‘pre-selection’ of tick boxes etc.

Such an approach need not – and should not – require the use of any European taxpayers’ money to fund such campaigns. Rather, companies and individual data controllers should be encouraged to take on such obligations on a voluntary basis and in the spirit of good will and best practice.

In the European Parliament, there are increasing calls for the harmonisation of data protection laws across the EU’s twenty-seven Member States. Big BrotherWatch, while hugely sympathetic to calls for increased Europe-wide attention to this issue, does not believe supranational law-making is the most effective way to achieve this.

The responsibility to uphold industrial standards in the field of data protection should stem from industry itself, with groups companies whose business is data delivery and data management meeting regularly to debate best practices in terms of data standards and delivery worldwide. The Commission, working with the European Parliament, should continue to play an active role as a stakeholder in this field; sharing best practice and maintaining an ongoing dialogue with the business community about data protection issues.

While different laws apply in different territories, it should be the agreement of the companies involved and not the EU to clarify rules across territories. The music and film industries both operate under similar disconnected rules across territories within the EU and internationally, however, music companies and musicians are meeting and seeking better agreement on how to license and manage music across the world. Data companies should be encouraged to do the same first and then resort to the EU for rules clarification as a last resort.

Big Brother Watch recognizes the European Union’s existing competences in relation to the “area of freedom, security and justice”. As civil libertarians, we are, of course, concerned about the use and potential mis-use of personal data in the name of anti-terrorism or public safety and would thus encourage careful consideration of personal data in criminal cases and across country borders. In cases where a Member State has significant concerns about a) standards of data protection or b) the judicial integrity of another Member State, a respective national minister should be able to place either a block or conditions on the transfer of sensitive information.

Data protection is of the utmost importance to an individual and it is the individual’s responsibility to be aware, informed, and in control of their own data. It is also the responsibility of the data collection and other related industries to manage and deal with data in a way that protects consumers and their rights.

Through its decision-making procedures, the European Union has proved itself hugely effective in only one field: increasing the bureaucratic burden on businesses. As such, the European Commission must prove itself able to listen to solutions from the data protection industry itself first and resort to new legislative measures only as a last resort.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>