New EU rules could give you control of your personal data

Generally the proposals are quite good but there are a couple of big issues.

Primarily, the issue of US law infringing on the fundamental rights of EU citizens. One of the biggest issues we face with regards to data protection and privacy is raised by the PATRIOT Act and Foreign Intelligence Surveillance Act (FISA) which allow US law enforcement to obtain data from any US company even if that data is held outside the US. These are very controversial laws which just this week led to a decision in Norway to ban the use of Google Apps by Public & Private sector to store personal data.

In the original leaked draft of the proposals before Christmas, there was a section dedicated to this issue (originally A42 then I believe A45 in a later draft) which would require US companies to contact the Data Protection Authority (DPA) of the relevant EU member state in the situation where US Law Enforcement request access to data pertaining to EU Citizens as such activity would not be acceptable under European Data Export and Data Protection rules.

In the document released yesterday this section had been relegated to a recital which was weaker than the original text (unfortunately I can’t seem to locate the recitals at this time so I can’t quote the actual wording) and frankly without stronger provisions against PATRIOT/FISA data protection is effectively meaningless given how much of our personal data is controlled by US corporations.

I would have liked to see a much stronger stance from the Commission on this issue as it would have been good for citizen’s fundamental rights but also it would have had the potential of encouraging growth in this sector across Europe, providing more competition and allowing us to move away from US companies.

A prime example is Cloud Computing – currently data in the cloud is often stored on US servers or servers owned by US companies, which puts this data at risk under PATRIOT and FISA – had the Commission taken a stronger stance we would likely see more European companies entering this market, which is not only good for citizen’s rights but good for the economy and would have created a significant increase in jobs (at a time where it is sorely needed).

I welcome the Commission addressing the issue of Data Protection Authorities (The Information Commissioner in the UK for example) that fail to act or are unable to act on breaches of the relevant data protection laws. Under the new proposals, the Commission would be able to intervene directly, which is important particularly in the UK where our regulator repeatedly fails to enforce the law against global corporations. This is down to Regulatory Capture (which basically means the Regulator is “captured” by the industry they are supposed to regulate).

This has been a real problem in the UK for many years to the point where global corporations are effectively above the law due to the ICO’s refusal to persue enforcement action against them and has led to significant criticism of the ICO at all levels (including Parliamentary).

So in light of the 2% of revenues (or 1M Euros) fine Rob mentioned in this article, those fines are likely to only ever be levied against public authorities, which effectively means the public pay these fines through taxes, in effect punishing the victims.

The chance of ICO ever issuing such a fine against a large global company (like Google for example) would seem to be less than slim as such a fine would almost definitely lead to a legal challenge through the courts, which the ICO have insufficient resources to fight, whereas the rich corporations have almost limitless resources and armies of lawyers to pursue.

The Commission state that DPAs need to be properly resourced but in the current economic climate where public services are being cut dramatically, an already severely underfunded ICO is unlikely to get the support it needs from the treasury to meet these requirements.

One thing I would like to point out is that the right to be forgotten and the requirement of explicit consent to process data has always been the case since the original 1995 Directive these proposals are set to update – the problem is there has been no harmonisation across Europe to make these rights comprehensive. The aim of the proposals is specifically to address this lack of harmonisation in an attempt to set a level playing field across all Member States (which currently isn’t the case with the 95 Directive) as well as modernising the 95 Directive to make it more appropriate in our tech centric world.

I could go on but I still haven’t finished reading the entire document and I don’t want to dominate the comments. So in summary, Well done Vivian Reding and her team, generally an improvement on the 95 Directive, but still some fundamental issues I would like to see resolved before this has a genuinely positive impact for citizens. I look forward to seeing how these proposals evolve through the European Parliament and Council, there is a long road ahead of us.