A recent joint declaration adopted by representatives of the German, Austrian, Belgian, Croatian, French, Greek, Hungarian, Lithuanian, Luxembourg, Dutch, Portuguese, Czech, Romanian, UK, Slovakian and Swedish parliaments called on European legislators to adopt the GDPR “by 2015″.
German Green MEP Jan Philipp Albrecht, vice chairman of the civil liberties committee at the European Parliament warned this week that failure to agree on the new security and data protection rules was “bad for democracy” as this left European citizens exposed to snooping from foreign and European security services as well as companies.
With the current spate of data breaches emerging on a daily basis as well as EU President Juncker’s determination to ‘fast track’ the passage of the GDPR, Albrecht’s intervention in the on-going discussion on the timetable for GDPR is certain to highlight the divisions within Europe and in particular the British Government position.
What appears to be happening is the debate about the protection of an individual’s right to privacy has become conflated with issues of national security.
In the UK, MI5, MI6 and GCHQ want greater surveillance powers in order to stop terrorist activities of the type witnessed this week on the streets of Paris.
Understandably, the British Government has already brought in emergency legislation in order to equip the security forces with the tools to protect the public from such atrocities and indeed attempts to blow up transatlantic airliners and an attack on the London Stock Exchange had all been thwarted by electronic intercepts.
The Head of MI5 Andrew Parker has warned: “I don’t want a situation where privacy is so… sacrosanct that terrorists can confidently operate from behind those walls without fear of detection.”
No one would disagree with that assessment but the GDPR deals with the current position for citizens to feel more confident that their data is properly collected, stored, transferred and used in a way that’s consistent with the principles of natural justice and the rule of law.
The existing European rules on data protection were adopted in 1995 when the internet was still in its infancy and clearly the world is in a very different place now.
In January 2012, the European Commission (EC) published a vast legislative package aimed at replacing the existing rules and providing a higher level of protection of personal data across the European Union.
The package includes two legislative proposals: a general regulation on data protection that’s directly applicable across all 28 Member States and a directive specifically aimed at data protection in the police and the justice system to be incorporated into national laws by enabling legislation.
Both legislative proposals were voted on during the first reading at the European Parliament in March 2014, before the European Elections and the GDPR includes measures to protect EU citizens’ data and to restrict its use by businesses.
Since then, the data protection debate has taken several twists and turns, notably in 2013 when American whistle-blower Edward Snowden revealed that the US National Security Agency (NSA) had secret wide-reaching authority to snoop on emails and internet communications using a data-mining programme called PRISM.
Predictably, this led to a call from European politicians for tighter controls on the way in which EU citizens have a right to their privacy being protected.
However as a matter of logic, should someone be suspected of plotting terrorist activities and poses a threat to national security, then they have effectively waived their right to the protection of privacy afforded to law-abiding citizens on the grounds of national security.
No one in their right mind would think it was wrong to intercept the communications of those terrorists who murdered French citizens and who were eventually caught and killed by the police and national security authorities in a terrifying shoot out yesterday in two different parts of Paris.
The balance of rights and responsibilities is an important one in a civilised society and matters of national security and snooping on suspected terrorists aren’t incompatible with the proposed GDPR.
But the case for reform is overwhelming and shouldn’t be unnecessarily delayed as reflected by the joint communique recently issued by EU Member States.
In the UK, an often hostile attitude towards the EU has transferred itself into a flat rejection of a unified approach to data protection across Europe. This is likely to be a point of argument in the run-up to the forthcoming General Election on 7 May 2015 where divisions between the main political parties will be exposed.
But all of this smacks of politicisation of an issue that in many respects should be above politics.
According to Albrecht, issues surrounding informed consent for the use of data, sanctions, privacy by design and red tape remain sources of friction between the European Parliament and EU Member States represented at the Council of Ministers. Albrecht has warned that failure to agree the GDPR would encourage and increase unjustified snooping of security services on citizens in Europe. The MEP is supporting efforts by Microsoft to avoid disclosing data stored by its Irish office to the US authorities.
“The US authorities shouldn’t be allowed to demand data from companies headquartered in the EU and the Commission should be supporting that position. No EU rules bind the security services and national security is the black hole of European law. That is why the introduction of the GDPR is so necessary to limit the amount of data which they can easily access,” he argues and it’s clear he too is motivated on political grounds.
The European Parliament and the European Commission (EC) want data processors to seek explicit consent from users before processing the data whereas some Member States want such consent to be “unambiguous” – a less rigorous test according to MEPs.
The EU Executive – backed by EU Member States – has proposed a maximum sanction for breach of the rules by companies of up to two percent of global turnover while MEPs wish to see this threshold lifted to five percent of global turnover or €100m fine.
Just before Christmas 2014, the EC announced partial agreement on the setting up of a one-stop shop for citizens to be able to complain to their local supervisory authority in respect of a breach anywhere within the EU. However, not all EU Member States were in favour of such a move and this also has resulted in slowing down the passage to agreement over the GDPR.
German concerns focus on how the GDPR might erode the sovereignty of the country’s powerful regions and alongside France Germany is sensitive to the idea that data issues could be decided in the smaller EU Member States.
The British Government remains opposed to the notion of a GDPR and instead favours the idea of the EU adopting a Directive instead.
However, for global companies looking to do business across the EU, such a position will be disastrous as it would create uncertainty in how data protection laws will be interpreted and enforced across the EU, driving up rather than lowering costs – a situation that exists today.
President Juncker has already made it clear given the border-less nature of digital technologies means it doesn’t make any practical or legal sense for each EU Member State to have its own rules for telecommunication services, copyright, data protection or the management of the radio spectrum and many within the European Parliament agree.
“If ministers want a GDPR, it will be up to the Council to deliver it. If they want to allow companies to regulate themselves, they have to beef up the rights of individuals to overcome this with stronger levels of protection,” warns Albrecht.
June 2015 remains the indicative date by which a common general position on the GDPR should be achieved by the European Parliament and Member States.