Some 18 months after the first NSA revelations by Edward Snowden, the outrage in Europe about US intelligence snuffling through our data has dropped from the headlines. But the debate over privacy continues behind closed doors in Brussels and the European Union's 28 capitals.
The wrangling over a core question – how much protection does the EU want for its citizens and their data? – has entered a key stage.
In one corner is a well-oiled lobbying machine, financed by leading US and European dotcom, direct marketing and media companies who want freedom to innovate, research, create jobs and earn money with big data. In the other corner, is a cabal of privacy campaigners with a dogged determination to tighten existing privacy standards.
In the middle are national and EU officials who have to strike a balance between these competing interests. How much privacy inhibits innovation? How much data sharing undermines privacy? The debate may seem abstract, but its outcome will have a massive, concrete effect on how you live and work for decades to come.
It’s hard to think of anything you can do these days – online or off – that doesn’t leave a trail of data crumbs. These individual crumbs record the websites you visit, the products you buy, the emails you write, the places you visit with your smartphone in your pocket, what you watch on Netflix or “like” on Facebook posts.
Like skin cells, we are shedding these data crumbs so continually we don’t realise it. But, as we do so, the crumb-collectors are right behind us. Some are public bodies that have asked for your permission to collect them. Or a retailer that offers “loyalty” discounts in exchange for your purchasing data. Perhaps it’s a social media service that stores your posts and pictures as payment for their “free” service. But what happens to the crumbs they collect?
Personal data crumbs from disparate sources are of little use on their own, but can be reconstituted into a valuable, individual loaf of user information, one that grows the more data is added. The more the collectors collect, the more they know about where you’ve been, who you know, what medical conditions you have, how you vote – even who you’re sleeping with.
When they know all that, privacy campaigners worry, they can predict how you are likely to behave.
Profitable data mountains
Should companies you know be allowed collect your information in perpetuity, and sell it on to others? What about data companies you’ve never heard of which are also collecting your information? The profitable mountains of data being produced daily – by smartphones, social media, e-commerce and increasingly smart household devices – have raised the stakes and increased pressure further on the three-year EU talks to replace existing data rules.
They date from 1995, when Facebook founder Mark Zuckerberg was 11 years old and his social network was only a twinkle in his pre-teen eye. As if the task wasn't complicated enough, it is shared between three EU institutions: the commission, parliament and council.
First up was the executive, the European Commission. Viviane Reding, then holder of the justice portfolio, put forward proposals she said had three main motivations. "First was to protect the citizens, because that is the obligation that politicians have . . . under the charter of fundamental rights and the European treaty," she said to The Irish Times.
“But we also wanted to have an equal treatment of all companies whether European, American or Chinese. Third, we wanted to get rid of the fragmentation. If you want to have a single digital market, fragmentation will kill it, take away all the efficiencies.”
Just as important as the new rulebook’s contents is its legal form. The 1995 rules are an EU directive, which member states transpose into national law. For citizens and companies alike, this has created a confusing quilt of privacy regulations in 28 member states with very different legal traditions and cultural attitudes to privacy.
The new rulebook, meanwhile, is planned as a regulation: a one-size-fits all proposal with no wriggle room for member states. It would offer citizens more control of their data, Commissioner Reding promised, and efficiencies to companies worth €2.3 billion annually, boosting EU job creation, innovation and growth.
After the commission published its proposals, and with Brussels by now crawling with lobbyists, the European Parliament took over. After committee debates and submissions it produced a draft text shaped considerably by 3,133 amendments tabled by MEPs.
Justified and logical
is a chastening document of EU realpolitik. It allows users to compare directly proposals from data-processing lobby groups that found their way, verbatim, into MEP amendments.
“Yes, there has been a fair bit of lobbying, but most of it justified and logical,” said Seán Kelly, Fine Gael MEP and the only Irish parliamentarian on the parliament’s industry, research and energy committee.
After the parliamentary vote, the regulation moved to its third stop: the council of ministers where national officials meet. After two long years, negotiations reach a critical phase next week with concluding talks on several final, crucial concepts.
The first is a so-called “one-stop shop” for anyone – a citizen or a company – with a data protection issue in the EU. The idea is to offer customers one – and not 28 – points of contact with national data protection commissioners (DPC). For citizens, the proposal would allow them to file a complaint with their home DPC against a company in another EU country.
But the longer talks drag on, the more complicated the one-stop shop proposals are becoming. Disagreement persists over whether national regulators should have the final word or whether the new European Data Protection Board (EDPB), comprising all national DPCs, should be able to overrule local decisions and set sanctions for violating data rules.
The issue of sanctions is also still up in the air. The commission proposed fines up of up to €1 million or up to 2 per cent of the global annual turnover of a company. The parliament’s proposal pushed that up to 5 per cent; now the council is proposing that it drop back to 2 per cent.
But imposing sanctions for breaking the rules hinges on another critical issue: consent. Did a user give their free, informed approval for their data to be processed by a company or passed on to a third party? The commission and parliament favoured the idea of explicit consent, and were opposed to the idea of “pre-ticked boxes” that put the onus on eagle-eyed users to opt out of data collection and sharing.
In the council, however, many member states argue that this is impractical given that everyone from car makers to healthcare providers want greater freedom to process the growing mountains of customer data available to them. With this in mind, a recent proposal on consent from Germany favours a looser approach with several caveats.
Another outstanding issue is the idea of so-called “profile-building”, allowing user data collection from diverse sources. Companies say this could result in better services and more targeted advertising. Privacy campaigners warn of other consequences. What if a health insurer raised a customer’s premium after accessing their food shopping habits via supermarket loyalty card data?
A bone of contention revolves around the issue of who has a “legitimate interest” in accessing personal data. Draft council proposals appear to favour a more liberal regime and allow third party easier access to data once they feel they have a legitimate interest in doing so.
“They could start processing the data for reasons that are completely unrelated and incompatible with the original purpose for which the data was provided,” warns Joe McNamee, executive director of the Brussels-based privacy lobby group EDRI. “If a company you have never heard of can process your data for reasons you’ve never heard of, what’s the point in having data protection legislation? It would make a mockery of the whole thing.”
Council negotiators dispute this, saying existing proposals would not allow an intransparent transfer of data to third parties without the consent of citizens, known in EU jargon as “data subjects”.
“A data transfer would have to be transparent with a declared legitimate interest, and the data subject should be informed the disclosure is taking place,” said one member state official involved in negotiations.
For council negotiators, the difficulty is to prevent well-intended restrictive data rules that cause problems later on, such as in historical or medical research or for law-enforcement.
After three years of talks, a final round of “trilogue” negotiations looms between the council, commission and parliament. But German Green MEP Jan-Philipp Albrecht, who steered the draft regulation through the European parliament, sees “no basis” for talks based on council drafts he’s seen so far.
“Negotiations would take much longer, and people would lose trust in the regulation, which would be a huge loss for companies and citizens,” he said.
Many data protection authorities around Europe share his concerns.
"The leaked drafts we've seen so far all show things moving in the same direction," said Alexander Dix, state data protection commissioner in Berlin, "namely that governments are coming under huge pressure to loosen up data protection for the benefit of the business lobby."
A senior council negotiator disputes this claim, but admits officials have no way of tracking back the source of amendments that land on their desks from EU capitals.
Sean Kelly says legislating based on "knee-jerk reaction" of privacy group warnings would create a "dysfunctional ICT sector which would be counterproductive for people who want to avail of online e-health, e-commerce, and other online services".
“To have a functioning digital market, you obviously have to protect privacy, but you also have to make sure you have an environment where businesses can grow,” he said. “If they cannot use or process data, instead of growing jobs in Europe, we will start losing jobs.”
With the consequences of big data only slowly revealing themselves, privacy campaigners like Joe McNamee insist that new privacy rules should veer on the side of caution.
He cites a recent Facebook experiment suggesting the network could alter users' mood by manipulating their news feeds. For security expert and cryptographer Bruce Schneier, the social network company already connects so much data on its users that it could go further if it wishes.
“Facebook could easily tilt a close election by selectively manipulating what posts its users see,” writes Mr Schneier in his new book
Data and Goliath
. “Someone who knows things about us has some measure of control over us, and someone who knows everything about us has a lot of control over us. Surveillance facilitates control.”
Austrian privacy campaigner Max Schrems, who has taken on Facebook in Ireland, and soon in Austria and Luxembourg, fears the ongoing negotiations for a one-size-fits-all regulation will conclude in a lowest-common-denominator, lazy compromise.
“The promise of a higher level of data protecting is being betrayed by the European Council to serve business interests,” said Mr Schrems. “If things come out the other end as they stand now, we should stick to the existing 1995 laws.”