A Global Standard for Data Protection Law

PI has fought across the world for strong and effective legal rights.

Impact Case Study

What happened

Strong and effective data protection law is a necessary safeguard against industry and governments' quest to exploit our data. A once-in-a-generation moment arose to reform the global standard on data protection law when the European Union decided to create a new legal regime. PI had to fight to ensure it wasn't a moment where governments and industry would collude to reduce protections.

In January 2012, the European Commission published a proposal to comprehensively reform the European data protection legal regime. This consisted of a Regulation that covered general data processing (known as the GDPR - the General Data Protection Regulation), and a brand new Directive for the police and justice sector (known as the Law Enforcement Directive).

The GDPR became one of the most controversial pieces of legislation to have ever passed through the Brussels legislative process, with an unprecedented lobbying onslaught from businesses and interested organisations in all sectors, and the United States Government too. Some 5,000 amendments were tabled during its passage through the European Parliament, with countless more during the (much more secretive) negotiations between the EU member state governments in the Council, as well as during the final, even less transparent, horse-trading of the so-called Trialogue between the European Commission (the civil service), the Parliament, and the Council (the 27 member state governments).

Image 1. An example of a joint public campaign to raise awareness of the extent of industry lobbying

What we did

On the GDPR, PI actively contributed to the revision process from the start and throughout the multi-year process.

It was important, from 2012, to develop a set of policy objectives to define the language we wanted to achieve in the final legislation, which was essentially about strengthening individual rights.

To achieve our goals, we had to develop alliances. In 2012 PI was still a small organisation with very limited resources. Collaboration with other NGOs was essential to achieving results, particularly in the face of powerful players with resources many times the size of ours.

We conducted a multi-year advocacy campaign around the legislative process in the European Parliament.

  • We worked with others to draft policy positions, waded through thousands of amendments and compromise amendments, and drafted and suggested our own to persuade Members of the European Parliament (MEPs) to adopt them.
  • We participated in many meetings with MEPs and their political advisers, attended and spoke in committee hearings, and developed blogs and educational resources.
  • We exposed, with the help of a German NGO-developed technology called LobbyPlag, the extent to which MEPs were copying word-for-word amendments to the legislation suggested by industry, with some of the UK parliamentarians topping the plagiarism list.
  • We pushed back against powerful governments. For instance, in 2014, to counteract the vigorous U.S. Government lobbying, we organised, jointly with the Transatlantic Consumer Dialogue, a visit to Brussels by US consumer and privacy advocates.

The final text of the legislation was agreed in the European Parliament in late 2015, with a fairly lukewarm response from Privacy International and other coalition partners, and formally passed in April 2016.

Image 2. PI being asked to speak at the European Parliament in 2012

On the Directive for the police and justice sector, our work was very different.

Unlike the GDPR, this Directive did not receive much attention from NGOs or lobbyists. It covers personal data processed to prevent, investigate or prosecute criminal offences or enforce criminal penalties. Our initial analysis of the draft Directive demonstrated that it was much weaker than the proposed GDPR in many respects, particularly on individuals’ rights; and there was no distinction in treatment between the accused, their victims or witnesses.

PI had an effective platform to highlight these shortcomings at an early inter-parliamentary hearing in the European Parliament. Our briefing had a strong influence on the report of the MEP who was the rapporteur for the committee. A majority of our suggestions for improvement were taken on board in these initial amendments, and some of the most important ones, such as ensuring extra safeguards for the data of persons not accused of any crimes, made their way into the final legislation.

Additionally, the advocacy of colleague NGOs in Brussels took the Privacy International position as a base. Some of the influential Member States in the Council also strongly favoured a closer alignment between the GDPR and this Directive. 

In both legislative processes, we played a regional and national role. As the UK Government was particularly influential in this process (and with significant voting power) and as PI is a UK-based charity, we were particularly active in the UK domestic consultation process. By being members of the UK Ministry of Justice multi-stakeholder consultation group, giving evidence to the UK Parliament Justice Committee hearing early in the legislative process, and maintaining close links with the data protection team at the Ministry (and later on when it moved to another government department), we were able to create and maintain pressure.

Image 3. PI giving evidence at the UK House of Commons on the Law Enforcement Directive in 2012

Key Results

During the course of PI’s advocacy work on this legislation, the strategies have turned from offensive to defensive, due to the unprecedented lobbying attacks. We were successful in getting strong safeguards into the early drafts. We then had to defend these from the onslaught. 

We were successful in preventing the removal of safeguards, and in ensuring essential improvements in legal rights and better enforcement.

The legislation includes language addressing issues such as profiling, privacy by design and the possibility for NGOs to represent individuals for more effective redress. One high-level European Commission official acknowledged in public speeches that no more than 20 individuals working within civil society have been responsible for safeguarding the essential provisions of this legislation, and that Privacy International has played a key influential part throughout.

In the case of the Law Enforcement Directive, PI had a leadership role among NGOs and was successful in achieving stronger provisions, through alignment of the original weak articles to those of the GDPR, resulting in strengthened principles, rights and safeguards.

We were also successful in our demand to the UK government to table a holistic and modern Data Protection Act 2018. 

Lessons Learned

Keeping the public focused on legislative initiatives over a long period is challenging. The advertising, profiling and targeting industries push hard against strong protections. As a result, we found that MEPs' committees were weakening the draft proposals. In response, the alliance of NGOs embarked on a year-long public campaign, Naked Citizens.eu, though it has to be acknowledged that apart from some of the media reporting, this did not echo widely with the public.

We couldn't focus on the full ambit of the General Regulation and the Law Enforcement Directive, so we focused on our strengths: rights for individuals and pushing back against the more egregious demands of governments and industry. 

Hard lessons

Fighting for a law like this takes years of work. Our first consultation submission was in 2010. The Regulation was approved in 2016, and then brought into force in 2018. Small NGOs are not well positioned to fight these long fights; we are fortunate that in this period PI grew as an organisation and was eventually able to apply the necessary resources to sustain this work.

Getting a legal framework is only the start of the fight. There are still so many components of the law that are unclear and with boundaries that we want redefined.

What we are doing now

The new legal regime is not perfect. Many of the provisions are vague and will need to be elaborated on through regulatory engagement, and when necessary, tested in the courts.

PI has established new projects to test the boundaries of the laws through research, engagement with policy-makers and regulators, public engagement, and strategic complaints and legal action. This will be an intense area for activity for years to come.

Key results
  • PI fought a six-year battle to ensure that the EU General Data Protection Regulation was stronger than the law it was replacing.
  • We had to push back repeatedly against governments and industry who wanted to water down protections.
  • We also led work on the law protecting people's data when being used by law enforcement agencies.