Posted in EU Data Protection
After working in Brussels for the last 15 years, I have become accustomed to the byzantine machinations of European politics. But the spectacle that is currently unfolding concerning appointment of a new European Data Protection Supervisor (EDPS) and Assistant Supervisor paints a particularly dismal picture of how data protection in the EU can become a political football.
When I was at university, I remember a lecturer who used to say the first rule that any law degree student should follow was “to not panic.” That is a rule that we should all apply when reading the draft report of the LIBE Committee of the European Parliament on the NSA surveillance programme. The prospect of a closed-down Europe that is advocated by the report is certainly daunting. Shutting down pretty much all transatlantic data flows in order to prevent unreasonable access to data by the U.S. intelligence services would not only be disproportionate, but it would be hugely damaging to the information society we all rely on.
The Year in Review
If there ever was a “year of privacy,” surely it was 2013. A year that ends with dictionary.com selecting “privacy” as “word of the year;” with privacy making front-page headlines in The New York Times and The Washington Post (not to mention The Guardian) on a weekly, indeed almost daily, basis; with cross-Atlantic ties stretched to the limit over privacy issues, the UN passing a privacy resolution and armies of lobbyists spinning BCRs and Do-Not-Track in Washington bars and Brussels cafes—ladies and gentlemen, 2013 was the year of privacy.
At the just-concluded IAPP Data Protection Congress in Brussels, the audience heard a bold proposal from closing keynoter Viktor Mayer-Schönberger: “The naked truth is that informational self-determination has turned into a formality devoid of meaning and import.”
Contemporary ideas of notice and consent, he argued, are a farce.
In the moment, he was quite compelling. It is important that we as privacy professionals from time to time question the underpinnings of our training and, especially, our industry and profession.
I recall that in the 1990s and early 2000s, it was often a struggle to get people outside of Europe to take EU data protection law seriously. The perceived lack of enforcement in the EU, and the dynamic legislative climate in the U.S., meant that more attention was given to U.S. developments.
The situation is now reversed, and there has been intense interest in the European Commission’s proposal for a General Data Protection Regulation published in January 2012, and in related developments such as calls for reform of the EU-U.S. Safe Harbor. U.S.-based lobbyists have descended in hordes on the EU institutions; U.S. government representatives travel to Brussels to lobby the EU, and U.S. authors publish articles and papers on complex issues of EU law. Brussels has become the center of the global privacy world.
This causes us in Europe to wonder: Why doesn’t the U.S. work as hard to improve its own privacy law as it does to lobby for changes in the EU?
The stance adopted by the European Commission in the report on the functioning of Safe Harbor published today was probably one of the worst kept secrets of the privacy world. It was patently obvious to anyone close enough to the controversy around the ability of Safe Harbor to live up to the expectations of EU policy makers and regulators that the Commission would be critical about it but would stop short of delivering a fatal blow to the scheme.
Imagine the NSA, European Parliament, Tor and Vodafone having a civilized conversation about privacy. Considering that the ricochets from the Snowden affair are still reverberating on both sides of the Atlantic, this may seem implausible. But you better believe it: the IAPP Europe Data Protection Congress 2013 is featuring a panel discussion among representatives of all of the above, which I look forward to moderating.