A Global Standard for Data Protection Law
The (still) current data protection legislation in the 27 EU countries dates back to 1995, before the world became web-wired. So it is now well out-of-date, overtaken by technological advances and particularly the type of unprecedented personal data mining that has prompted some observers to dub the 2000s the Orwellian era.
There was universal consensus that existing legislation, although still good by-and-large in terms of its basic principles, needed fixing, particularly in the areas of implementation, enforcement and redress. It has become obvious, based on evidence, that consumers and citizens have lost control of their data. An effective list of detriments that need fixing can be found in the civil society Brussels Privacy Declaration of 2013, signed by a large number of organisations and prominent experts around the world.
Businesses, incidentally, were not happy either and were keen for reform, on their own terms, as they wanted harmonised rules across the so-called EU single market, plus there were uncertainties as to which jurisdiction would apply in the global market with the advent of ‘cloud’ computing. The current regime favours large multi-nationals, mainly US companies, as they have the means to pay for lawyers and expand; but it is not good for start-ups or SMEs, which form the backbone of the European economy.
So the European Commission has been preparing a comprehensive review of the legislation since 2008, with consultations and impact assessments, and finally published a proposal that would comprehensively reform the European data protection legal regime, on 25 January 2012. This consisted of a Regulation that covered general data processing (known as the GDPR - the General Data Protection Regulation), and a brand new Directive for the police and justice sector (known as the Law Enforcement Directive or LED). Law enforcement was not part of the current 1995 EU Data Protection Directive, as this so-called ‘third pillar’ only came under EU jurisdiction in 2009, when the Treaty of Lisbon, the revised constitutional basis of the EU, was implemented. The fact that general data processing and police/justice sector processing were treated differently, under different laws was a challenge in itself, as in the majority of EU countries data protection laws apply to all sectors (a Regulation has to be adopted as is, once agreed, while a Directive has wiggle room for different implementation in each Member State).
As it turned out over the next 4 years, the General Data Protection Regulation has been one of the most controversial pieces of legislation to have ever passed through the Brussels legislative process, with an unprecedented lobbying onslaught from businesses and interested organisations in all sectors, and the United States government too. Some 5,000 amendments were tabled during its passage through the European Parliament, with countless more during the (much more secretive) negotiations between the EU member countries in the Council, as well as the final, even less transparent, horse-trading during the so-called Trialogue between the European Commission (the civil service), the Parliament, and the Council (the 27 member countries).
What We Did
Privacy International (PI) has been actively contributing to the European Commission revision process since 2008, responding to consultations, and attending expert groups. Effective data protection legislation is the basic pre-requisite and tool for ensuring the human right to privacy is respected; EU data protection legislation has as its basis the right to privacy in the Charter of Fundamental Rights, and has been a gold standard for privacy protections round the world. We considered it essential therefore that PI should be a major player in the NGO community to help ensure that the laws, in their passage through the EU institutions, are further strengthened, not undermined. It was important, from 2012, to develop a set of policy objectives to define the language we wanted to achieve in the final legislation, which was essentially about strengthening individual rights; as well as a set of tactics to help us achieve those objectives. The tactics included, most importantly, alliance-based advocacy, in Brussels, the UK and US, as in 2011-12 PI was still a small organisation with very limited resources. We realised early on that we would not achieve much working on our own with such limited resources, and that collaboration with like-minded NGOs, but as a strong and influential partner, was key to achieving results in such circumstances, and in the face of powerful players with resources many times the size of ours that were striving to dismantle the provisions in the proposed legislation, particularly those related to individuals’ rights and effective means of enforcing the legislation.
Most of the advocacy connected with the legislative process in the European Parliament has been hard and detailed work in teams – drafting policy positions, wading through thousands of amendments and compromise amendments, and drafting and suggesting our own to persuade Members of the European Parliament (MEPs) to adopt them. It has also involved many lobbying meetings with MEPs and their political advisers, attending and speaking in committee hearings, and writing blogs and educational resources. The links below demonstrate some of this work.
But we have also engaged in campaigning and high profile activities: in 2013 we exposed, with the help of German NGO-developed technology called LobbyPlag, the extent to which MEPs were copying word-for-word amendments to the legislation suggested by industry, with some of the UK parliamentarians topping the plagiarism list. The voice of the advertising, profiling and targeting industries was one of the strongest and the MEPs’ committees were weakening the draft proposals to a large extent. In response the alliance of NGOs embarked on a year-long public campaign, Naked Citizens.eu, though it has to be acknowledged that apart from some of the media reporting, this has not echoed widely with the public. In 2014, jointly with the Transatlantic Consumer Dialogue, we organised a US consumer and privacy advocates lobbying visit to Brussels, to counteract the vigorous US government lobbying (this was a visit that has also generated good press coverage). The final text of the legislation was agreed in the European Parliament in late 2015 with a fairly lukewarm response from Privacy International and other coalition partners and formally passed in April 2016. We have saved the best of the rights in the original 2012 draft, and there are more effective enforcement provisions or possibilities for redress - but there is also much wiggle room for governments to by-pass the rules (see for example our briefings for the UK Data Protection Bill), and many of the provisions are vague and will probably end up being tested in the courts.
Our advocacy on the Directive for the police and justice sector has been an entirely different experience. Unlike the GDPR, this legislation, covering personal data processed to prevent, investigate or prosecute criminal offences or enforce criminal penalties, has not attracted much attention from lobbyists or advocates in Brussels. Our initial analysis of the draft Directive demonstrated that it was much weaker than the proposed GDPR in many respects, including principles and individuals’ rights; and there was no distinction in treatment between the accused, their victims or witnesses. We had an effective platform to highlight these shortcomings at an early inter-parliamentary hearing in the European Parliament, and our briefing had a strong influence on the report of the MEP who was the rapporteur for this draft law in the lead committee. A majority of our suggestions for improvement were taken on board in these initial amendments, and some of the most important ones, such as ensuring extra safeguards for the data of persons not accused of any crimes, made their way into the final legislation. Equally, the advocacy of colleague NGOs in Brussels took the Privacy International position as a base. Some of the influential member States in the Council also strongly favoured a closer alignment between the proposed GDPR and the LED, mainly due to their current data protection legislation which covered all sectors.
Finally, in the process of agreeing EU-level legislation, advocacy in the nation States is also vitally important, since the EU Council has an equal say in the final decision. Countries particularly influential in this process (and with big voting power) included Germany, France, Poland and the UK. As PI is a UK-based charity, we were particularly active in the UK consultation process – as members of the Ministry of Justice multi-stakeholder consultation group, giving evidence to the UK Parliament Justice Committee hearing early in the legislative process and maintaining close links with the data protection team at the Ministry and later on at DDCMS. As can be seen from the records of the hearing, we have been advocating for a holistic Data Protection Act in the UK incorporating both general and law enforcement processing right from the start, in 2012 (and in 2017 the UK finally published such a holistic Bill). We also advocated, early on, for a closer alignment between the provisions of the GDPR and those of the LED:
Q 52, Anna Fielder “You could align the provisions in the Directive much more with the provisions in the Regulations. Indeed, in our analysis of the Directive, we have proposed concrete amendments for this to happen, and we would very much urge the UK, in the Council of Europe [EU Council], to lobby and ensure that that happens. We know also that quite a lot of other Member States are not happy about the situation because it weakens their domestic Regulations as well, so I think it is still not too late to achieve some consistency.”
The EU legislative package is a very complex piece of legislation, and many interests were at stake given the importance of personal data in the global economy. Due to this complexity it has been difficult to communicate with and engage the general public, notwithstanding its vital importance for individuals and their rights to privacy and data protection. During the course of PI’s advocacy work on this legislation, the strategies have turned from offensive to defensive, due to the unprecedented lobbying attacks.
We have been successful in preventing further weakening of the GDPR, and in safeguarding the essential improvements in terms of individuals’ rights and better enforcement, addressing issues such as profiling, privacy by design and the possibility for the NGOs to represent individuals for more effective redress. One high level Commission official acknowledged in public speeches that no more than 20 NGO individuals have been responsible for safeguarding the essential provisions of this legislation, and Privacy International has played a key influential part throughout.
As the NGO partners concluded “The final texts are somewhat better than what was proposed by the EU Council and some European Parliament Committees, but fall well short of the ambition of the initial proposals. EDRi, Bits of Freedom, Digitale Gesellschaft e. V, Open Rights Group, Digital Rights Ireland and Privacy International appreciate the work of the co-legislators to defend the proposals. We now must turn our attention to the next challenges – implementation of the new legislation, the reform of the e-Privacy Directive and preparing litigation, where necessary, to ensure that our fundamental rights are defended”.
In the case of the Law Enforcement Directive, PI had a leadership role among NGOs and was successful in achieving stronger provisions, through alignment of the original weak articles to those of the GDPR and so strengthening principles, rights and safeguards.
We have also been successful in our key demand to the UK government to table a holistic Data Protection Act 2018, fit for the current century and technology. We are advocating on key issues in the contents of that Bill at the present time.
Active in the implementation on the UK level, ongoing. Future support for data protection law developments in countries that do not have current legislation. Strategies for implementation of general data protection legislation in the United States.
The value of team work across NGOs and countries for a common cause. Having one person only, with little resource for support from base, was both difficult and challenging on occasion. In work on a complex piece of legislation, legal analysis and expertise is vital, as well as ability for effective communication and the right infrastructure for things like mass communication with politicians voting, arranging dozens of meetings, etc. – for this particular package PI only had all this to a very limited extent, so collaboration was essential to achieve any results at all.
It is also important to record and store documents as well as all actions, presentations, speeches and diary events – these are all important when measuring impact and how it happened, as well as for organizational memory and induction of new people and partners in advocacy.
Relevant Media links