By Simon Davies
Last summer I received a cross-party request from the European Parliament to conduct a wide-ranging independent assessment of the proposed EU data protection regulation. Nearly a year on, I’ve decided I can’t provide that assessment – and as many people have asked about its progress, here are the reasons why. I apologise in advance for what might be a depressing read.
Yes, refinement was needed, but instead, the reference points have shifted away from the individual and toward the data processors.
For those who are unfamiliar with the regulation, the European Commission has proposed reforms (pdf) to the old data protection framework of 1995 to bring safeguards up to date and to put the citizen more to the centre of those protections. Indeed the sub title of the document specifies “the protection of individuals”. It’s worthwhile keeping that phrase in mind as you read on.
The assessment had been my idea. I’d talked it around colleagues at the EP, and people generally felt such a study would be a useful resource to determine where all stakeholders were positioned on the proposals. We all knew by last July that the road ahead would be bumpy and complex.
The rapporteurs for the data protection directive and the data protection regulation – in consultation with shadow rapporteurs – then jointly authorised me to proceed, which I did – initially with optimism and gusto. After all, it was an honour to have been asked to support a bold and forward-looking legal initiative that would protect privacy rights for more than half a billion people over at least the coming two decades.
Over the summer I spoke with thousands of people from all walks of life. I talked in pubs, European Commission meetings, universities, airports, lofty conferences and in shopping centres to random strangers. I engaged on social media and traveled to many countries inside and outside the EU to gain a broader perspective. Many people had come to believe that the regulation was a device to preserve revenue rather than protect rights.
By October I sensed that the issue was becoming impossibly complex. Many of the most vocal global corporations had taken a hard-line position (pdf) through the American Chamber of Commerce in Brussels, and they weren’t budging from that position. The small and medium company sector didn’t trust the proposals because they believed (pdf) the burden of compliance would fall unfairly on them. Many charities and non-government organisations believed – erroneously – that the reforms would stop them using direct marketing to raise money. Meanwhile, people in their droves out on the street had no idea what data protection was or what it meant.
I’m not saying the draft regulation is perfect. It isn’t. But it contains important reforms and safeguards that would have given scope to improve privacy protection across Europe. Yes, refinement was needed, but instead, the frame of reference has shifted away from the individual and toward the data processors.
In the process many of the key mechanisms have been pushed out of the framework. As I mentioned in an earlier article, to give just one example, the original outline of the regulation set out penalties of up to five percent of a company’s global revenue for egregious and repeated misuse of personal information. Following extensive industry lobbying this was whittled down to two percent. The Industry, research and Energy Committee of the European Parliament then voted to lower the ceiling even further to one percent. At this rate the envisioned weaponry to scare invasive corporations will be downgraded to a water pistol. The very organisations that have precipitated the privacy crisis have been allowed to write their own Get out of Jail Free card.
The situation was an utter disgrace. The advertising industry even gave an award to an Irish Minister for destroying some of the rights in the regulation
I was supposed to present my findings to the joint meeting of the European and national parliaments on 9th October. In a speech that was pure optimism I told the delegates “everyone agrees on the basic framework of rights”. Then – skipping the messy details – I advised that my report would be delivered at some point in the future.
Truth be told, everyone I spoke to did indeed agree with the concept of rights. However they differed starkly on the definition of rights. Many people had come to believe that the regulation was a device to preserve revenue rather than protect rights. There was a perception – however ill-founded it was – fuelled by some governments and corporate interests, that the reforms would destroy innovation and hamper economic growth.
I wasn’t aware at the time that there was a vast stitch-up to kill the reforms. The assassination was comprehensive and meticulously conceived, with the business-friendly Irish and British governments acting as Godfather.
Sure enough, when the Irish Presidency of the EU Council commenced its six-month term at the beginning of this year the grinder started turning. In January an unprecedented barrage of lobbying across the economic spectrum rolled into play with the intention of generating so many amendments that the regulation would be hopelessly compromised. In February the World Economic Forum released a report calling for a “rethink” on privacy. In March the Council started drafting a report (pdf) that would devastate huge chunks of the reforms in the regulation. By April the UK government was telling the rest of the world – including India and South East Asia – that it should take a pragmatic view of data protection legislation. That is, drop it.
I wasn’t aware at the time that there was a vast stitch-up to kill the reforms. The assassination was comprehensive and meticulously planned, with the business-friendly Irish and British governments acting as Godfather.
There are many good players who want to do the right thing by people’s privacy. The problem is that the sheer ferocity and scale of the assault dwarfed the voices who want to protect the future.
It has become common knowledge now that large numbers of MEP’s were cutting and pasting amendments drafted by lobbyists with the intention of protecting the private sector. However in the background governments were working with the British and Irish to ensure that the regulation didn’t compromise public sector interests, while the US was successfully lobbying to gut the reforms. Even some MEP’s who I had assumed would be unequivocally on the side of reform – rightfully attempting to balance the onslaught – turned 180 degrees and argued for what appeared to be specious pragmatism. Sarah Ludford – historically a defender of rights – is one such person.
The situation was an utter disgrace. The advertising industry even gave an award to an Irish Minister for destroying some of the rights in the regulation while the UK managed to force a provision that would make the direct marketing industry a “legitimate” processing operation in its own right, putting it on the same level of lawful processing as fraud prevention.
Things got to the point where even the most senior data protection officials in Europe stopped trying to influence events and had told me “let the chips fall as they may”. It seemed to me, traveling across Europe and speaking with data protection regulators, that they increasingly had given up on the regulation. They too had been bombarded and were disillusioned.
If you want to know who the real enemy of privacy is, don’t just look to the American agencies. The real enemy is right here in the European Parliament in the guise of MEPs who have knowingly sold our rights away to maintain powerful relationships
But let’s take a step back for a moment from this travesty. Out on the streets – while most may not know what data protection is – people certainly know what it is supposed to protect. People value their privacy and they will be vocal about attempts to destroy it.
I had said as much to the joint parliamentary meeting, observing “the one element that has been left out of all these efforts is the public”. However, as the months rolled on, the only message being sent to the public was that data protection is an anachronism stitched together with self interest and impracticality.
I did send a note last week to the rapporteur for the regulation saying, in effect, “oh well, I’ll send you the report anyway”, but then the impact of the NSA and PRISM spying scandal became crystal clear, and the entire scenario has yet again shifted. People are angry – and they demand to know what will be done to protect their privacy.
Of course everyone is now in “shock and disbelief” mode, proclaiming they never knew the spying was happening. What utter rubbish. Corporations like Apple and Facebook knew all along that they were little more than a cheap storage facility for government – just as much so as the communications providers have become. And the MEPs who did their bidding knew all along that Europe had partnered with the US to make mass surveillance a fact of life. Such conversations have been common currency at the European Parliament for at least thirteen years ever since the EP’s ECHELON inquiry. Revelations in 2006 about the deal between the US and SWIFT to covertly ship financial transactions to American security agencies definitely made the reality clear to MEP’s.
However, instead of supporting real protections that would safeguard people against such intrusion, those same MEP’s cheerfully torpedoed initiatives such as the Right to be Forgotten that would have provided some armoury for people to protect themselves. They did the bidding of the US by removing protections against NSA spying. They destroyed the consent provisions that would have applied a brake on intrusion.
These developments spell bad news for the rest of the world. Regions such as Asia, South America and India that are striving to implement much-needed privacy law are receiving a signal that data protection doesn’t matter and has even been abandoned by its own birthplace. Of course such a perception suits corporate entities that are positioned to avoid providing strong protections for customers.
I wasn’t aware at the time that there was a vast stitch-up to kill the reforms. I cannot bring myself to present a temperate report with measured wording that pretends this is all just normal business. It isn’t normal business, and it should never be normal business in any civilized society. How does one talk in measured tones about such endemic hypocrisy and deception?
If you want to know who the real enemy of privacy is, don’t just look to the American agencies. The real enemy is right here in the European Parliament in the guise of MEPs who have knowingly sold our rights away to maintain powerful relationships. I’d like to say they were merely hoodwinked into supporting the vandalism, but many are smart people who knew exactly what they were doing.
Are the reforms dead and buried? Not necessarily. At least some common sense will win through. A renewed effort to respectfully consider the position of organisations such as European Digital Rights (EDRi) would go some way to bringing the reforms into the arena of rights protection. And certainly with the current heightened public awareness it’s likely that the pendulum may swing into balance, though I’m not holding my breath. The damage may be largely irreversible.
Is there a way forward? I believe so. First, governments should yield to common decency and scrap the illegitimate and poisoned Irish Council draft and hand the task to the Lithuanian Presidency that commences next month. Second, the Irish and British governments should be infinitely more transparent about their cooperation with intrusive interests that fuelled the deception.