Analysis: Why the EU data protection crisis is more perilous than you imagined

By Simon Davies

With masterful understatement, Europe’s data protection supervisor, Peter Hustinx, has warned that the EU’s proposed new framework for information privacy is in danger of collapse because of “excessive lobbying” by corporations and other entities that are hostile to privacy reform.

“Barrage” might have been a more accurate description. The new data protection framework has been subjected to unprecedented pressure from competing interests, resulting in thousands of amendments that have intentionally compounded and delayed its adoption.

The broader situation, however, is far more perilous than Hustinx suggests. The havoc wrought on the proposals has become a farcical and degrading public spectacle that I fear is starting to corrode public trust in data protection. Lobbying over the past few months borders on institutional sabotage aimed at destabilising a core pillar of human rights.

The US has publicly demanded – as it has done with so many international arrangements – the weakening of rights that it would not dare deny its own citizens.

For example, Stewart Robinson, Justice Counsellor with the US Mission to the EU, stunned participants at the Computers, Privacy and Data Protection conference in Brussels earlier this year by condemning the European proposals and then asserting that rights are “what we [the government] give you”.

The implications of this spectacle reach far beyond Europe’s shores. Countries that are striving to build privacy protections are struggling to figure out why Europe has apparently caved in to such pressure after being promoted as an ideal framework for other nations to adopt.

Data Protection – for those who are not familiar with the term – is a widely deployed set of conditions intended to protect personal information and to enshrine certain rights – such as the right to see the information organisations hold about you. These conditions are codified as principles, and those principles are presumed to form the bedrock for responsible and trusted use of personal information.

Europe has a data protection framework that requires all member countries to enforce these conditions through national law. However, that framework – now more than fifteen years old – is seen by some as archaic, and so a new draft regulation is being considered by the European Parliament. Needless to say, some governments and corporations are keen to ensure that people’s rights don’t stand in the way of business operations.

The proposals have been construed by industry as controversial – something of a self-fulfilling prophecy. At one extreme is the claim that they are unrealistic, prescriptive and will harm economic growth and innovation. At the other extreme there’s a fatalistic belief that any regulation in an era of globalisation, cloud and ubiquitous computing is doomed to failure. Nevertheless, the proposed framework contains some important safeguards that could improve privacy protection in the years to come – which of course explains the vast lobbying effort.

Privacy advocates who have followed the tortuous path of these proposals are feeling a little despondent. None of the public reports of the regulation’s evolution give rise to optimism. A spiral of political compromise has weakened many of the key mechanisms that might have provided a degree of protection over the coming decade.

To give just one example, the original outline of the regulation set out penalties of up to five percent of a company’s global revenue for egregious and repeated misuse of personal information. Following extensive industry lobbying this was whittled down to two percent. The Industry, Research and Energy Committee of the European Parliament then voted to lower the ceiling even further to one percent. At this rate the envisioned weaponry to scare invasive corporations will be downgraded to a water pistol.

It’s a sad reality that many European Parliament Members – often ambivalent on the matter of everyone else’s rights – have been swayed by blatant misrepresentation from corporate lobbyists, research institutions, national security and public sector bodies. The argument, for example, that information rights will harm innovation is a powerful scare tactic, but I have yet to hear evidence that there’s any substance in the claim. While speaking at a London event on this subject a couple of years ago I challenged the audience of 600 to come up with an example. There was no response.

At one extremity, the lobbyists’ argument for minimal privacy rights is lubricated by their claim that strong data protection will trigger social and economic regression. At another extremity they argue in harmony that principles such as consent are economically unsustainable and should be diluted. Both positions are false. Historically, such safeguards are key to the core principles of rights that have existed for decades. The current lobbying exercise is little more than a predictable attempt to argue that new technology necessitates reinvention of the wheel.

As a consequence – rather than feeling energised by the prospect of supporting a new era of strengthened protections – many MEPs have unwittingly bought into a chaotic struggle that constantly imperils the survival of the proposed framework. Many have accepted the argument that all privacy rights are infinitely negotiable.

Yes, in some respects privacy rights are derogable – as are rights such as freedom of expression – but this equation should be determined by the judicial process, not through lobbying. MEPs and European governments seem to have overlooked this principle.

The new regulation has therefore teetered from one hostile European institution to another – systematically ravaged – while fundamental privacy safeguards such as anonymity are being stripped and compromised. A staggering 5,000 amendments to the regulation stand in testament to the tenacity and buying power of Amazon, Yahoo!, Facebook, Microsoft, Verizon, the American Chamber of Commerce and their ilk.

You’d be right to wonder how a framework of protections that has evolved in law and practice over the past forty years now teeters in the face of pressure from entities whose primary interest is slinging targeted advertising onto your computer screen. How was it possible for these organisations to achieve such reach into our democratic institutions? How is it right that they can openly engineer the dilution of privacy rights in ways – for example – that oil companies would never have been allowed to weaken environmental protections?

The answer – I believe – is that lobbyists are arguing that their clients provide “free” products to consumers, and that this gift constitutes a relationship that enables the development of important Web innovations such as search and social networking. The products are interpreted as public services and an essential utility. However, no other industry in recent years has been allowed to argue that its social or economic value should override rights and safety – ask the manufacturing or the automobile industries.

Corporations do of course have an obligation to shareholders to argue their case, but politicians have a duty to defend existing rights and freedoms. There is a real risk that at some levels the new regulation could end up becoming less protective than the current regime. There is an even greater risk that it might degenerate into a framework for the last decade rather than being an innovative protector for 2015 and beyond. The sustained attack on the proposed “right to be forgotten” is one example of a potentially powerful right that has been shredded by industry.

Unfortunately the picture is even more bleak than you might imagine. Even if the tiny band of advocates such as MEP Jan Philip Albrecht are able to win some common sense at the end of this bizarre process, the outcome may be somewhat pyrrhic. National privacy regulators tasked with the job of enforcing the new framework are already overwhelmed and under-resourced. Many are barely able to cope with their current legislative responsibilities, let alone daring to imagine the future. Some have lost their independence while others have become timid and symbolic.

To make matters more complex, the 23 million small and medium-sized companies in Europe risk being all but ignored by the regulation for no other reason than that it’s simply too difficult to bring them into compliance. That aspect – together with perceived compliance costs – has become too much of a political issue.

Then there is the even more critical issue of global infection. The “fact” of the European impasse is being communicated by industry and government lobbyists overseas as proof that data protection is unstable and fundamentally flawed. While speaking to officials on my recent visits to the US, India, Mexico and South East Asia I was told that Europe’s schism was evidence that there is no overall trust in data protection and that the framework is questionable. This is why some countries have suddenly gone cold on solid principles of data protection and are moving to an industry-led self regulation model. Europe has lost its global leadership.

I’m not a conspiracy theorist, but I do believe that this is a red-letter moment for industries that are hostile to privacy and that they will collectively and strategically respond. In Asia, APEC is at a key point of negotiating a privacy framework. India is on the cusp of passing data protection law. South America is on a legislative roll. Mexico is about to debate whether to keep its privacy regulator. The US is deciding on its position regarding online ad tracking.

Europe is the keystone for many of these developments. For decades the region has been the benchmark for global reform, so it stands to reason that sabotaging the European process would create a global chill. This is exactly what has occurred. Was it planned? Who knows. The timely and disruptive intervention by the World Economic Forum this year indicates significant machinations.

Public opinion might have been the key to this impasse, but the harsh reality is that many of the core data protection issues at stake have failed to inspire the passion essential for healthy public engagement. Unlike environmental protection or workplace safety, the public and media are still largely oblivious to all but the most basic tenets of DP law. This arena has been castrated in part because of the phrase data protection. It is legalistic and insipid and I can well understand why those two words fail to inspire excitement. The phrase depoliticises privacy.

It is true that strong data protection is an inoculation against privacy threats, but it’s hard to explain this relationship to non-specialists. People aren’t so consciously focused on protection of their data – they are more captivated by violation of that data. North America got it right by instituting the word privacy in its laws and its advocacy. Europe intentionally adopted legalistic terminology. This creates a presentational challenge for campaigners.

What bonds people in their support for privacy is a distaste for hypocrisy, unfairness, secrecy and deception. No matter how much a person may support a technology of intrusion – and no matter how cool that technology may be – those four elements are a lightning rod for opposition. This dynamic reveals the nature of privacy.

Where does this all leave us? The most pessimistic assessment is that we face a fatally wounded reform process, diminished trust in data protection and a largely disinterested public.

There is, however, a less dismal interpretation. It could be argued that the opponents of privacy reform have gone too far, too fast, and that in so blatantly seeking to wound the reforms, have sensitised opinion formers to the cause of data protection. In this case the sheer weight of the attack has created a polemic that did not before exist. The ACTA campaign exhibited similar dynamics.

This isn’t the same as saying that we should ignore the data protection process. Quite the opposite. What I’m arguing is that we should recognise the current process for the hypocritical and deceptive beast that it is, and become much more strategically and aggressively engaged. The game is not over yet – not by a long way.