Privacy International

PI responds to European Commission Consultation on the Privacy Directive

PI has responded to the European Commission's consultation on the future of the legal framework for the protection of personal data in Europe.

The Consultation asked the following questions:

1. Please give us your views on the new challenges for personal data protection, in particular in the light of new technologies and globalisation.

2. In your views, does the current legal framework meet these challenges?

3. What future action would be needed to address the identified challenges?

Our response is below.


About Our Response

We are grateful to the European Commission for running this consultation at such an important time for privacy. We believe that privacy is a fundamental right that must always be discussed, promoted and protected, and that, as our societies change, it must be continuously enhanced.

For twenty years Privacy International (PI) has vigorously defended personal privacy. We have campaigned across the world to protect people against intrusion by governments and corporations that seek to erode this fragile right. We believe that privacy forms part of the bedrock of freedoms, and our goal has always been to use every means to preserve it.

PI is the oldest surviving privacy advocacy group in the world, and was the first organisation to campaign at an international level on privacy issues. Its antecedents stretch back to 1987, at which time the organisation’s founders started to build an international network in response to mounting concern across the world over the changing nature and magnitude of privacy violations.

We remain engaged with a variety of issues on a regular basis, including identity and biometric systems, corporate governance, cross-border data flows, data retention by companies and governments, information security, national security, cybercrime and aspects of around a hundred technologies and technology applications ranging from video surveillance to DNA profiling. Our strategies of engagement include participating in judicial processes and government consultations, filing legal complaints, research and report writing, running events and campaigns, and media awareness exercises.

We are therefore not inclined to shrink from a discussion about the future of the 1995 Directive. We would be remiss if we did not note, however, that there are powerful stakeholders who look forward to revising the Directive to minimise its protections and its reach, who speak of how it is ‘out of date’, and who argue that privacy considerations must be reduced to accommodate other societal and economic interests. By focusing on technological, economic, and political changes they seek to reshape the Directive in ways that run counter to the expectations of consumers.

As a result, we are aware that if we critically analyse the Directive in this consultation response, we appear to be instigators for its ‘reopening’ and renegotiation. This could not be further from the truth. We hope that readers of this consultation response understand that, first and foremost, we are ardent supporters of the Directive and we believe that it has indeed provided Europe, and the world, with a benchmark for privacy protection. We also believe that the principles within the Directive do not need to be changed and are necessary to the protection of privacy.

Our response to this consultation was undertaken through extensive discussions with our membership from around the world, and with key experts in privacy, human rights and data protection. We sought to respond succinctly to the Commission’s questions while relaying all the fine-grained input we have received from our members and advisors, and reflecting upon our years of experience.

We remind the readers of this consultation response that we are not merely supporters of the Directive, we are also frequent users as we have filed numerous complaints across all the Member States. Importantly, we are also ambassadors of the Directive as we promote its principles around the world as other countries seek remedies to the same set of problems that Member States sought to resolve in the 1960s and 1970s, that the Council of Europe and the OECD sought to standardise in the 1970s and 1980s, and that the European Union sought to harmonize in the 1990s. The stakes are now so much higher, and Europe must again lead.

Response to Question 1

Q: Please give us your views on the new challenges for personal data protection, in particular in the light of new technologies and globalisation.

The need for privacy protection has never been greater. Nations now have over 30 years of experience in regulating data protection, and that experience shows that abuses are rife. The past two decades have seen significant growth in private sector data processing, and in particular the growth of industries that thrive off personal information.

Ironically, we continue to hear calls for reduced regulation. In turn, we are shocked that despite all the regulation in our lives, particularly that introduced by government IT strategies and law enforcement agendas, some still argue that the protection of personal information must be left to self-regulation.

This disconnect between the mounting risks and the calls for reduced regulation is difficult to understand. We offer a number of possible instances:

  • For too long we believed our privacy was protected by the incompetence of government and industry personal information processors. That is, we relied on the inability of organisations to collect, analyse, and share information. Instead we are finding that as organisations become more expert at data mining and moving information around the globe, incompetence is no longer a protection but is instead a risk in itself as incompetent organisations give rise to abuses through inadequate internal and external controls, and data breaches.
  • Over the past ten to fifteen years we have become obsessed with perceiving momentary trends as though they were ‘game changers’. The way policymakers regard users of social networking as though they have abandoned all hopes and expectations of privacy is the same way they described the need to promote mining, profiling, and retention after terrorist attacks. Two years ago proponents of reduced privacy spoke of privacy as standing opposed to the survival of a free Internet, just as we now hear proponents of body-scanning technologies arguing that processing naked scans of passengers is necessary to the survival of the air-travel industry. Privacy regulations are said to be standing in the way of progress while policymakers focus on regulating for public security.
  • Organisations have become paranoid over data collection. Previously, due to the scarcity of resources, only relevant information was collected. As costs have reduced dramatically, and security concerns have grown, governments have been keen to collect more and more information just in case something may some day go wrong. They fear the day that a cataclysmic event may happen and they do not have the metrics of that place, person, or event; so even without reasoned justification they collect vast amounts of information. Governments have also placed these collection requirements on industry. Industry is also keen to retain information just in case it may prove useful in analysing their services and customers. Even so, governments and industry have tried arguing that collection in itself is not a problem, and that only use must be regulated. This is, again, a fundamental shift in the regulatory approach to privacy.
  • Organisations have become aware of data protection laws and find ways of skirting them. Much of the modern internet advertising industry exists in contravention of data protection law. Telemarketing continues to thrive despite anger and frustration from the public. Modern communications surveillance policy, particularly in the European Union, contravenes the principles of proportionality and necessity as required by the European Convention on Human Rights.

All these instances are obvious. More worrying is that surveillance and the defiance of privacy laws are becoming commonplace as part of the infrastructure of modern society and the arsenal of policymakers. Surveillance policy is no longer enshrined only in ‘anti-crime’ or ‘anti-terrorism’ laws, just as industry surveillance is no longer limited to named customers. One would be hard pressed to identify a modern government policy or industry customer-management practice that does not involve the collection and processing of personal information. Policy agendas as diverse as environmental protection, the management of social exclusion and social benefits, and health and education services now appear to hinge on surveillance techniques. The use of modern computing resources shows how surveillance has been concealed from end-users, with websites running scripts and placing cookies from third parties, and servers being located across borders and providers. There are fewer debates over these initiatives because we are so rarely informed of the fact that they are occurring.

We are facing these challenges today both because authorities have inadequately enforced existing laws when they had the chance, and because awareness of privacy protection is minimal amongst policy-makers and within industry. While there is greater awareness of privacy risks amongst the general population, and there are competent regulators across Europe and a growing sector of privacy professionals, privacy awareness has not penetrated the mindsets of policy-makers, managers and technology developers.

Response to Question 2

Q: In your views, does the current legal framework meet these challenges?

No. The regulatory system may have to carry some responsibility for this parlous situation.

  1. The very language of ‘data protection’ conceals two significant obstacles to effective privacy protection. The language of ‘data protection’ is obsolete. Few understand the link between ‘privacy’ and ‘data protection’. A better choice of terminology would be the ‘protection of information privacy’. Also, the protection of privacy is greater than strict adherence to the language of ‘data protection’. As the divergent opinions from regulators regarding the deployment of public surveillance cameras have shown recently, the definition of ‘personal data’ has caused much confusion.
  2. The Directive cannot adequately address the challenge of identity construction from ‘data shadows’. Data may exist without clear linkages to individuals, but when mined and processed it can disclose vast amounts of information about people. Recent research has also shown that it is indeed possible to de-anonymize data and, by combining data sets, to identify individuals across multiple platforms.
  3. In our focus on the regulatory system as a technical application of principles, we have often forgotten that the protection of privacy is our primary goal. At the very foundation of the Directive is the quest to protect human rights across Europe, not merely to monitor adherence to the articles of the Directive.

In turn, the public’s awareness of their rights under ‘data protection’ is remarkably low. This is perhaps a reflection of the legalistic approach that has been taken too many times, and of the lack of public education campaigns by the European Commission and national regulators across Europe. It also reflects how data protection law is considered: a matter for compliance rather than empowerment. That is, if regulators required clear communication from organisations that process personal information, and ensured that individuals could be presented regularly with their personal information under their rights of subject access, we believe a greater awareness of privacy would follow. Instead the issue has become arcane and the debates are insular, never able to compete with other interests such as public safety.

In our experiences of having filed complaints in a number of Member States, sometimes simultaneously, we have found that there is an utter absence of harmonization. The Directive has been poorly transposed, and the Commission has been remiss at enforcing a harmonized regulatory system. We are astonished by the failure of the Commission to publish documents regarding Member States’ weaknesses in implementing the Directive.

  • Definitions of ‘personal data’ are not harmonized, leading to a diversity of opinions from regulators and courts. The failure to define personal data rigorously is a major reason why the Directive has not been effective for data protection on the Internet.
  • The powers of regulators vary widely. They are not held to account when they fail to uphold the highest standards, and yet are insufficiently heeded when they express concerns. We cannot imagine another domain of public policy where the regulators’ powers and effectiveness are so weak as to call into question the very integrity of the law.
  • Regulators have inadequate experience and knowledge of technology and innovation. In our experience they are not properly equipped to understand the implications of new techniques, to apply the law to innovations, or to provide guidance to technologists and innovators on privacy issues.
  • Regulators should be given the ability to oversee management practices. While Privacy Impact Assessments have been useful in identifying the risks to new policies and technologies, more transparent and publicly available techniques are required. There is a vast gulf between identifying risk and taking action to eliminate that risk. Regulators should be promoters of privacy and transparency in processing but should also be more active in prosecuting cases where privacy is violated.

In our opinion, one of the greatest challenges is that the Directive has come to be seen as a ‘foreign’ interference with public policy and business practices, as few are willing to stand up and defend it. Governments across Europe and around the world often implement data protection law because of the Directive, and this is indeed something we celebrate; but the mere existence of a law does not mean that a comprehensive regime is in place. Every Member State needs to promote a national discussion and educational campaign on personal information protection. Privacy law must be embraced by countries and citizens, and not merely implemented because of international standards or requirements.

Response to Question 3

Q: What future action would be needed to address the identified challenges?

Enhancing Public Awareness

We need a significant initiative, led by the Commission, to enhance transparency and public education. Though concerned, people are unaware of their actual ‘data shadows’ regarding the extent of personal information collection. Regulators have expended few resources in public education campaigns, proving that they alone are insufficient to improve the level of public discourse on privacy protection. Some mechanisms that will enhance transparency must include:

  • Enhancement of Subject Access Rights. The right of subject access is one of the most powerful rights an individual may assert. Yet with all the work done on enhancing data collection and sharing, organisations have done little to enhance this right of individuals to gain access to the data held about them. The Commission and Regulators must require government agencies and companies to provide easier means for individuals to gain regular access to this information in an understandable manner, and to rectify erroneous and out-of-date information.
  • Data breach notification as an accountability mechanism. While various studies may draw conflicting conclusions on the effectiveness of data breach notification in enhancing privacy rights, we believe that when citizens and consumers are made aware of the poor practices of companies and government agencies, they will scrutinise the collection and use of their information by all organisations.
  • Minimising collection and developing the right to delete. When information is collected as part of nearly every modern process, we need to place additional obligations on organisations. First, they must minimise collection to what is strictly necessary. Second, upon giving individuals access to their data, people must also be given the right to delete their records. We have been heartened by the response of some key industry players who have taken this responsibility seriously and granted individuals this right; though in many cases we must take their promises to delete on faith, whereas some verifiable audit would be preferable.

Enhancing Public Discourse and Accountability

While the action of informed individuals may lead to enhanced privacy protections, it is our hope that an informed public discourse will lead to better decisions. Public and private sector organisations must be held to account for their practices, and have a duty to explain how they protect privacy. Initiatives should include:

  • Political accountability for privacy in the public sector. When surveillance legislation is enacted, the Minister accountable to Parliament for the public authority that undertakes the surveillance will usually be the Minister who guides the legislation through Parliament. Thus it is the Minister who is politically accountable for the surveillance policy who effectively establishes the privacy constraints that apply to that surveillance. There is therefore a heightened risk that privacy can easily become subservient to policy objectives that depend on an extension of surveillance. As a result, in the Parliamentary process the Government does not have to consider privacy issues. We therefore recommend the creation of Parliamentary bodies and/or Government Ministers who will be responsible for privacy protection, generating guidance and assessments of legislative initiatives.
  • A requirement to conduct Privacy Impact Assessments on all new policies, practices, and technologies that interfere with the right to privacy. PIAs are limited but powerful tools, when done properly, that can provide key insights into the development of a new technique, and offer the opportunity for organisations to highlight how they considered privacy from the outset. These must be completed early in the processes to inform deliberations on the technique, much like how some governments promote Regulatory Impact Assessments at the legislative stages in Parliaments.
  • Management statements of privacy practices. Currently, citizens and consumers can only rely on statements within privacy policies, often on websites, that are limited in nature. For instance, privacy policies on websites usually only reflect the privacy practices of the website, not the general service, or the organisation. Therefore organisations should be required to present statements of managerial commitments to privacy and audits of management practices.
  • Capacity Building on privacy for key stakeholders. As we work across Europe and around the world we continually encounter government officials and international organisations that advise other governments on how to devise anti-terrorism law, cybercrime laws, copyright protections, and a myriad of other policy domains. While there may be a benefit in building the capacity of governments around the world to respond to contemporary threats, we have yet to encounter capacity building programmes to enhance privacy. The Commission should be promoting capacity building on privacy within Europe and internationally, and should model its own work on these other initiatives. Additionally, capacity building should not only apply to informing other government ministers and agencies, but should seek to engage with all stakeholders, including academia, civil society, industry, the media, and even religious institutions.

Enhancing the Effectiveness of Regulation

As we have stated previously, the current principles and the Directive are in and of themselves adequate, but the implementation of the Directive and the effectiveness of regulators have been lacking. We recommend the following initiatives to remedy this situation:

  • Parliamentary appointed Regulators. All regulators and regulatory bodies must be independent of the Government, and appointed by Parliament. In turn, they must report to Parliament, not to the Government. These regulators must be consulted as governments seek to introduce new surveillance measures, and should report their opinions to Parliament throughout the legislative stages of a Bill. They should also be given the power to seek judicial review when their advice is not appropriately heeded.
  • Monitoring regulators and more obligations upon ICOs. We are surprised by the diversity in regulators' powers. We recommend that the Commission regularly monitor the powers of regulators to ensure that they are adequately equipped to enforce the Directive. Their opinions and rulings should be monitored to identify significant deviations from regulators in other Member States.
  • Monitoring of exemptions. While the Directive and all Member States’ laws allow for some surveillance systems to be exempted from privacy laws, these exemptions must be publicly noted and the rationales must be published. For instance, in the UK there is no single register of all the ‘national security certificates’ that have been issued exempting surveillance systems from the Data Protection Act. As a result the public is not informed, and Parliament is not given the chance to debate the merits of these exemptions.
  • Greater incentives for deploying Privacy Enhancing Technologies. Governments and industry organisations must be given greater incentives to deploy privacy enhancing technologies. The public sector must lead in the deployment of privacy-enhancing systems.

Promoting a Vision of Privacy Protection

Just as we could not foresee today’s computing environment in 1995, we cannot predict what the situation will be like in 2015. The Directive is often seen as a constraining mechanism where regulators admonish organisations for poor practices. This is not necessarily a negative development, but a more progressive future of mutual respect for privacy should also be charted. We believe that the Commission and regulators should be more articulate about their vision for privacy protection. Considering today’s environment and tomorrow’s potential, we need to provide guidance on the constitution of privacy rights in the future. Such articulations and visions could serve to provide some guidance to organisations that seek to be perceived as privacy-friendly as they innovate.

This vision need not be limited to ‘data protection’. In fact, many of today’s great challenges will not be effectively dealt with so long as we have divergent opinions of the definition of personal data. While body scanning at airports may not involve the collection of names or the generating of unique and persistent identifiers, we are all aware that it is the modern equivalent of a strip search where we place brown paper bags over individuals’ heads. Modern internet advertising may not rely on persistent identifiers or an individual’s unique identity, but tracking the movements of individuals across their daily lives still may have a chilling effect. Telephone numbers may not qualify as personal information, yet individuals are still outraged at intrusion by the telemarketing industry. Our point is that just because interpretations of ‘data protection’ rules may not find these systems in breach of national laws does not mean that the surveillance is acceptable. We must always remind ourselves that our duty is to protect the dignity of individuals, to protect them from the fear of surveillance and the sense of invasion.

Privacy International does not hold all the answers to how to resolve these situations. We are optimistic that these problems can be resolved, and we are heartened by the positive moves by many governments, industry leaders, regulators and courts. We need continuous engagement on these issues, across all stakeholders. We find solace that the European Commission appears also to be seeking answers to these questions. We hope it will continue its role to spur and host discussions and deliberations, and to lead the world in the protection of this most fragile right. And we are hopeful that the European Commission will remain aware of the fact that it has a duty to uphold fundamental rights in accordance with its Charter, in accordance with its founding principles, in accordance with the highest global standards, and in accordance with the need to protect human dignity.

