Spitfire List Web site and blog of anti-fascist researcher and radio personality Dave Emory.


Too Much of a Good Thing? The New EU Data Privacy Rules Have a Transparency Problem

While the number of questions surrounding the future of the internet and personal data protections and violations seems to grow by the day, it’s clear that the nature of the relationships between intelligence agencies, foreign governments, business, and the public is going to change somehow fairly soon. The Snowden Affair has guaranteed that something will change. But the nature of those changes is still very much an unknown. The changes to national and international laws will presumably strive to give “greater privacy safeguards” and/or “rein in rogue intelligence gathering” or some other generic-sounding positive goals. At least that will be part of the sales pitch. And who knows, maybe they will. As the Snowden Affair has reminded us so often, the devil is in the details on matters like these, so until we see those details on reforms we won’t really know how effective and/or damaging they’ll be. Hopefully whatever damage gets done is done for a good reason.

For exam­ple, some­thing we just learned from the EU’s “Work­ing Group” that’s study­ing these mat­ters is that one of those goals might involve revers­ing the “Safe Har­bor” agree­ment between the US and EU that allows com­pa­nies to trans­fer per­son­al data back and forth across nation­al bound­aries. The US/EU “Safe Har­bor” rules are also crit­i­cal for enabling the ongo­ing “cloud com­put­ing” rev­o­lu­tion in online ser­vices. So the changes to EU rules that will be intend­ed to enhance data pri­va­cy pro­tec­tions could have glob­al impli­ca­tions for busi­ness mod­els around the globe. So we should prob­a­bly hope the EU pol­i­cy­mak­ers make wise and use­ful changes to the EU’s data pro­tec­tion poli­cies because if they’re going to break the cloud they should prob­a­bly do it for a good rea­son:

Bloomberg BNA
EC Pri­va­cy Advis­ers Detail PRISM Probe, Ques­tion Via­bil­i­ty of U.S.-EU Safe Har­bor
Mon­day, August 19, 2013
from Pri­va­cy & Data Secu­ri­ty Law Resource Cen­ter™

By Don­ald G. Aplin

The Arti­cle 29 Work­ing Par­ty, the Euro­pean Union’s offi­cial data pro­tec­tion advi­so­ry group, out­lined the cen­tral issues it intends to pur­sue in its inves­ti­ga­tion of the U.S. Nation­al Secu­ri­ty Agen­cy’s PRISM inter­net sur­veil­lance pro­gram, in a let­ter to the Euro­pean Com­mis­sion made pub­lic Aug. 16.

“Espe­cial­ly alarm­ing are the lat­est rev­e­la­tions with regard to the so-called XKeyscore, which alleged­ly allows for the col­lec­tion and analy­sis of the con­tent of inter­net com­mu­ni­ca­tions from around the world,” Art. 29 Par­ty Chair­man Jacob Kohn­stamm said in the Aug. 13 let­ter to Euro­pean Com­mis­sion Vice-Pres­i­dent and Com­mis­sion­er for Jus­tice, Fun­da­men­tal Rights and Cit­i­zen­ship Viviane Red­ing.

The Work­ing Par­ty also raised doubts about the con­tin­u­ing via­bil­i­ty of the pri­ma­ry mech­a­nism for U.S. com­pa­nies to law­ful­ly trans­fer per­son­al data from the Euro­pean Union.

The let­ter prompt­ed renewed calls from Red­ing’s office for EU mem­ber states to quick­ly adopt a new data pro­tec­tion reg­u­la­tion.

Safe Har­bor Pro­gram at Risk?

The Art. 29 Par­ty, which is made up of rep­re­sen­ta­tives from the data pro­tec­tion author­i­ties of the EU mem­ber states as well as the Office of the Euro­pean Data Pro­tec­tion Super­vi­sor, said that it had con­cerns over whether the U.S.-EU Safe Har­bor Pro­gram could be com­pro­mised by the NSA’s sur­veil­lance activ­i­ty.

The U.S.-EU Safe Har­bor Pro­gram, which is admin­is­tered by the U.S. Com­merce Depart­ment, allows com­pa­nies to trans­fer per­son­al data with­out run­ning afoul of the EU Data Pro­tec­tion Direc­tive (95/46/EC).

Under the Safe Har­bor Pro­gram, U.S. com­pa­nies self-cer­ti­fy their agree­ment to abide by the Safe Har­bor frame­work, which includes sev­en pri­va­cy prin­ci­ples sim­i­lar to those found in the Data Pro­tec­tion Direc­tive.

The Art. 29 Par­ty said that the Safe Har­bor Prin­ci­ples allow com­pa­nies to devi­ate “to the extent nec­es­sary” for nation­al secu­ri­ty rea­sons. “How­ev­er, the WP29 has doubts whether the seem­ing­ly large-scale and struc­tur­al sur­veil­lance of per­son­al data that has now emerged can still be con­sid­ered an excep­tion strict­ly lim­it­ed to the extent nec­es­sary.”

The let­ter also said that the EC’s 2000 deci­sion approv­ing the U.S.-EU Safe Har­bor Pro­gram allows EU mem­ber states “to sus­pend data flows in cas­es where there is a sub­stan­tial like­li­hood that the Prin­ci­ples are being vio­lat­ed and where the con­tin­u­ing trans­fer would cre­ate an immi­nent risk of grave harm to data sub­jects.”

React­ing to PRISM, Ger­man data pro­tec­tion author­i­ties have already threat­ened to halt approvals of trans­fers of per­son­al infor­ma­tion out­side of the Euro­pean Eco­nom­ic Area, includ­ing to cloud ser­vices (12 PVLR 1329, 7/29/13).

Inde­pen­dent Inquiry

The Art. 29 Par­ty let­ter said it was open­ing its inves­ti­ga­tion of the PRISM pro­gram sep­a­rate­ly from an inquiry opened by the Euro­pean Par­lia­ment and sep­a­rate­ly from ongo­ing work­ing group dis­cus­sions set up by Red­ing and U.S. Attor­ney Gen­er­al Eric Hold­er (12 PVLR 1204, 7/8/13).

The Work­ing Par­ty said it has a “duty to also assess inde­pen­dent­ly to what extent the pro­tec­tion pro­vid­ed by EU data pro­tec­tion leg­is­la­tion is at risk and pos­si­bly breached and what the con­se­quences of PRISM and relat­ed pro­grams may be for the pri­va­cy of our cit­i­zens’ per­son­al data.”

The Art. 29 Par­ty said it would not lim­it its probe to U.S. sur­veil­lance pro­grams and intend­ed to explore sur­veil­lance pro­grams con­duct­ed by EU mem­ber states to assess their com­pli­ance with data pro­tec­tion laws, cit­ing the “Tem­po­ra” pro­gram.

Red­ing June 26 announced that she had writ­ten to Unit­ed King­dom gov­ern­ment offi­cials ask­ing for “very urgent” clar­i­fi­ca­tion about the British Tem­po­ra pro­gram, which alleged­ly inter­cepts com­mu­ni­ca­tions data from fiber-optic cables car­ry­ing inter­na­tion­al inter­net traf­fic (12 PVLR 1170, 7/1/13).

Red­ing: Pro­posed Reg­u­la­tion

“We wel­come the strong sup­port from the Arti­cle 29 Work­ing Par­ty to the efforts of the Euro­pean Com­mis­sion to build a strong and ambi­tious EU data pro­tec­tion reg­u­la­tion to safe­guard the fun­da­men­tal rights of EU cit­i­zens also in rela­tion to third coun­tries,” Mina Andree­va, Red­ing’s spokes­woman, told BNA Aug. 16.

“The Com­mis­sion calls on the nation­al data pro­tec­tion author­i­ties gath­ered in the Arti­cle 29 Work­ing Par­ty to exert their influ­ence in their respec­tive Mem­ber States to help ensur[e] that gov­ern­ments sup­port unequiv­o­cal­ly a robust lev­el of data pro­tec­tion in the new EU data pro­tec­tion reg­u­la­tion that is also effec­tive­ly enforce­able in PRISM-type sit­u­a­tions,” Andree­va said.

In Jan­u­ary 2012, Red­ing intro­duced the Com­mis­sion’s pro­posed data pro­tec­tion reg­u­la­tion to replace the 1995 EU Data Pro­tec­tion Direc­tive (95/46/EC) (11 PVLR 178, 1/30/12).

Red­ing’s office calls on the Work­ing Par­ty to push for approval of the new reg­u­la­tion “as soon as pos­si­ble and at the lat­est in spring 2014,” Andree­va said.


As not­ed above, Euro­pean Com­mis­sion Vice-Pres­i­dent and Com­mis­sion­er for Jus­tice, Fun­da­men­tal Rights and Cit­i­zen­ship Viviane Red­ing start­ed this data pri­va­cy reform ini­tia­tive back in Jan­u­ary 2012. So while the Snow­den Affair may make it seem like data-pri­va­cy just sud­den­ly lurched on to the scene as a major pub­lic con­cern it’s impor­tant to recall that this debate has been tak­ing place across Europe and the US for years. It’s also been con­tentious for years. A vote on the mat­ter, which has been repeat­ed­ly post­poned this year, just got post­poned again until Octo­ber:

Europe dead­locked over data pro­tec­tion reform
Talks over pro­posed changes to the EU Data Pro­tec­tion Direc­tive have stalled, leav­ing cit­i­zens exposed to pri­va­cy risks

John Burn-Mur­doch
theguardian.com, Mon­day 12 August 2013 11.48 EDT

An EU par­lia­ment vote on amend­ments to data pro­tec­tion law has been post­poned for the third suc­ces­sive time, with the impasse leav­ing cit­i­zens’ rights inad­e­quate­ly pro­tect­ed.

MEPs had been set to decide whether to rat­i­fy the lat­est set of pro­pos­als in ear­ly July but the vote is now sched­uled to take place in Octo­ber, with a view to pub­lish­ing the amend­ed leg­is­la­tion before the Euro­pean elec­tions in May 2014.

The leg­is­la­tion in its cur­rent form is 18 years old and as a result has increas­ing­ly been found want­i­ng in a num­ber of areas, includ­ing the pro­tec­tion of per­son­al­ly iden­ti­fi­able infor­ma­tion in light of recent indus­try devel­op­ments.

The process was kicked off in Jan­u­ary 2012 when the Euro­pean Com­mis­sion pub­lished its ini­tial pro­pos­al. Since then, no sig­nif­i­cant agree­ments have been reached, fuel­ing fears that the legal sys­tem sim­ply can­not keep pace with tech­no­log­i­cal change where data col­lec­tion, analy­sis and stor­age is con­cerned.

“Over the past few months, there has been wide­spread dis­cus­sion of a risk-based approach to data pro­tec­tion reg­u­la­tion, and some detailed explo­ration of the key ele­ments of such an approach under the Irish pres­i­den­cy”, said Brid­get Trea­cy, part­ner and head of the UK pri­va­cy and cyber­se­cu­ri­ty prac­tice at Hunton & Williams.

Fore­most in recent dis­cus­sions has been the need to con­sol­i­date def­i­n­i­tions of dif­fer­ing lev­els of pri­va­cy risk; from per­son­al­ly iden­ti­fi­able records through to tru­ly anony­mous infor­ma­tion.

One stick­ing point has been where infor­ma­tion falls some­where between these two extremes. The lat­est pro­pos­al includes an attempt to estab­lish a third, inter­me­di­ate clas­si­fi­ca­tion, but this step is eas­i­er said than done.


The threat from non-EU gov­ern­ments and cor­po­ra­tions

Anoth­er con­cern — that of whether EU courts will be able to hold non-Euro­pean bod­ies to account — has been brought into the spot­light by the ongo­ing rev­e­la­tions regard­ing gov­ern­ment sur­veil­lance.

Angela Merkel and Viviane Reding, Europe’s most senior justice official, have both in recent weeks cited government and corporate collection of personal data in calls for a swift conclusion to data protection negotiations.

“I would find it help­ful if the Euro­pean coun­cil in Octo­ber could speed up the work on this impor­tant mat­ter,” said Red­ing.

Dur­ing an elec­tion debate last month on inter­net pri­va­cy Merkel named Google and Face­book as exam­ples of com­pa­nies that should pro­vide infor­ma­tion to Euro­pean author­i­ties on third par­ties where their cus­tomers’ data is being sent.

Wor­ries over extra-EU attacks on EU pri­va­cy have esca­lat­ed to the extent that one secu­ri­ty expert has stat­ed his belief that the only way for Euro­pean cit­i­zens to be free from fear of sur­veil­lance would be for Euro­pean entre­pre­neurs to cre­ate an EU dot.com indus­try rivalling that of the US.

The rev­e­la­tions that sev­er­al of the US’ coun­ter­parts in the EU are engag­ing in the same or sim­i­lar prac­tices have per­haps shown such con­cerns to be mis­placed, but the argu­ment that a more self-suf­fi­cient online Europe would offer its cit­i­zens bet­ter pro­tec­tion than the cur­rent mod­el will remain appeal­ing until non-EU gov­ern­ments and cor­po­ra­tions have a rea­son to fear EU data pro­tec­tion law.

Secret Nego­ti­a­tions, Thou­sands of Amend­ments, and Green Pirates
It’s no sur­prise that an EU Par­lia­men­tary vote over the pro­posed reg­u­la­tions would get delayed again fol­low­ing the emer­gence of Edward Snow­den’s rev­e­la­tions. An event like the seem­ing­ly end­less waves of Snow­den-sourced spy­ing rev­e­la­tions is like a dream come true for some­one try­ing to ral­ly sup­port around a high­ly con­tentious set of data pri­va­cy rule changes. But it should be some­what sur­pris­ing and dis­con­cert­ing to learn that, short­ly before Merkel and Viviane Red­ing were call­ing for the nego­tia­tors to speed up the delib­er­a­tions, there was a swirl of rumors that a secret ‘tri­logue’ on the mat­ter would be used to avoid the hur­dles of pub­lic debate. Secret tri­logues — con­fi­den­tial talks between the coun­cil of Min­is­ters, the Euro­pean Par­lia­ment and Com­mis­sion for the pur­pose of ham­mer­ing out leg­isla­tive text — also make it a lot eas­i­er to deal with issues like 3000+ pro­posed amend­ments that have yet to be worked out:

Cloak of secre­cy hangs over EU pri­va­cy reform
Mon­i­ca Hort­en
Pub­lished on 01 July 2013

It may seem to be a para­dox that a law con­cern­ing pro­tec­tion of people’s secrets should be leg­is­lat­ed in the open, but in fact, the para­dox is the oth­er way around.

Secret tri­logue nego­ti­a­tions between the Euro­pean Par­lia­ment and the Coun­cil of Min­is­ters are being pro­posed as a way to get around the impasse of 3000+ amend­ments on the Data Pro­tec­tion Reg­u­la­tion. It has been moot­ed that the tri­logues could com­mence pri­or to the Parliament’s Civ­il Lib­er­ties (LIBE) com­mit­tee vote in Octo­ber. But would such a move be eth­i­cal? And more impor­tant­ly, what are the ethics of leg­is­lat­ing on people’s pri­va­cy rights?

The Data Pro­tec­tion Reg­u­la­tion is cur­rent­ly in its first read­ing in the Euro­pean Par­lia­ment. It deals with our fun­da­men­tal rights to pri­va­cy, and address­es sen­si­tive issues such as behav­iour­al adver­tis­ing and pro­fil­ing, and indeed gov­ern­ment snoop­ing — wit­ness the row over PRISM.

We would nor­mal­ly expect such a law – that calls snoop­ers to account — to be debat­ed open­ly. We want to know what the leg­is­la­tors are decid­ing and how those deci­sions are being tak­en.

That’s why it is very curi­ous that the respon­si­ble com­mit­tee may be plan­ning to take a short cut route to get­ting it adopt­ed – a short cut that con­sists of secret back-room nego­ti­a­tions.

After the Euro­pean Parliament’s Civ­il Lib­er­ties (LIBE) com­mit­tee vote in Octo­ber, the pro­posed new law would usu­al­ly go to a ple­nary ses­sion of the full Par­lia­ment. The Parliament’s posi­tion would then be sent to the Coun­cil of Min­is­ters, and depend­ing on whether or not the two were in agree­ment, it would either be adopt­ed or there would be a sec­ond read­ing. That is the process – tech­ni­cal­ly known as ‘co-deci­sion’.

But it is now under­stood among the lob­by­ing com­mu­ni­ty in Brus­sels that a ‘tri­logue’ nego­ti­a­tion may be applied. This is where the Par­lia­ment sits down with the Com­mis­sion and the Coun­cil and thrash­es out a ver­sion of the law that all three can agree on.

Trilogues are an option in the legislative process, and they may have a place for laws that are not controversial. But these trilogues are held in secret, behind closed doors, and the only people allowed in are the rapporteur and his shadows, the Commissioner, the Presidency, and selected advisers from each institution. The trilogue discussions are not made public.

Under the rules that gov­ern the Euro­pean Par­lia­ment process, tri­logues can­not start before the respon­si­ble com­mit­tee has giv­en a man­date. That’s what’s a lit­tle bit odd here. The man­date can only be giv­en when the com­mit­tee votes in Octo­ber.

But the Brus­sels rumour mill is sug­gest­ing that there could be a move to begin tri­logues on the Data Pro­tec­tion Reg­u­la­tion before Octo­ber, with­out wait­ing for the com­mit­tee man­date. One rea­son could be tim­ing — get­ting this unwieldy law through the Par­lia­ment before the elec­tions is a bit like try­ing to get an ele­phant through a door­way.

Should that hap­pen, it would be a breach of Par­lia­men­tary process, and espe­cial­ly egre­gious giv­en that this law deals with fun­da­men­tal rights.
In any event, the rap­por­teur does not have to agree to tri­logues. It is an option.

Even if the mandate is presented in October, it is arguable that trilogues are not only unethical for this particular piece of legislation, but also that it is unnecessary for the Parliament to agree to them at this stage.

The Article 42 scandal – dropping of an article by the Commission that would have prevented unlawful access by foreign governments and would have been a legal weapon against PRISM — puts the European Parliament in a strong position vis-à-vis the Council of Ministers. And the scandal has raised the bar on transparency for the processing of the Data Protection Regulation.

What is very trans­par­ent, is that push­ing for secret back­room nego­ti­a­tions with the Coun­cil could well be a los­er on a high pro­file piece of leg­is­la­tion in a Par­lia­ment about to hit an elec­tion year.


As the above article points out, it’s somewhat odd to see calls for secret negotiations over something like new data privacy rules, especially in the middle of an international fiasco over data privacy concerns. But also note that, as the article also points out, the rapporteur — the EU Parliament's representative in the trilogue — does not have to agree to a trilogue. That’s up to the rapporteur. So it’s worth pointing out that the EU lead negotiator is Jan-Philipp Albrecht, a 29 year old German Green Party member that’s been described as a Pirate disguised as a Green. So it’s especially surprising to hear that a Green affiliated with the Pirate movement — a movement with governmental transparency as one of its core principles — might be mulling a maneuver that is the opposite of transparent for a set of legislation as important to the future of the internet as what is being proposed.

Then again, if you were in charge of shep­herd­ing a piece of leg­is­la­tion that might start a trade war and your coun­try’s Jus­tice Min­is­ter calls for a pos­si­ble ban of US inter­net firms if they’re found vio­lat­ing the new rules, secret nego­ti­a­tions might not sound so bad:

The Wall Street Jour­nal
August 8, 2013, 5:23 p.m. ET

U.S. Sur­veil­lance Pro­grams Spur EU Efforts to Tight­en Data Pro­tec­tion Rules
Euro­pean Law Mak­ers Aim For Tougher Leg­is­la­tion by May


The recent dis­clo­sures of the scope of U.S. gov­ern­ment sur­veil­lance pro­grams are giv­ing new impe­tus to Euro­pean Union efforts to tight­en data pro­tec­tion rules, a move that could raise reg­u­la­to­ry hur­dles in an already tricky mar­ket for U.S. Inter­net com­pa­nies.

EU law­mak­ers and lead­ers say they are deter­mined to enact a new law by May—when Euro­pean Par­lia­ment elec­tions are slat­ed.

“The importance has been made clear now with all these revelations, we need cross-border rules, European rules, to safeguard fundamental rights,” Jan-Philipp Albrecht, the European Parliament's chief negotiator on the proposed legislation, said in an interview. “It makes the debate more vivid.”

It is a debate U.S. tech­nol­o­gy com­pa­nies, such as Google Inc. and Microsoft Corp., are fol­low­ing close­ly.

Hart­mut Häsel­barth, an asso­ciate at Shear­man & Ster­ling LLP in Frank­furt who advis­es clients on Ger­man and EU data pro­tec­tion law, said the May tar­get is ambi­tious. But even­tu­al­ly, he said, Amer­i­can com­pa­nies with a Euro­pean pres­ence would become “sub­ject to Euro­pean data-pro­tec­tion law, and they will most like­ly have more prob­lems in future”—not least because a com­mon EU frame­work would ensure more rig­or­ous enforce­ment than that by dis­parate nation­al author­i­ties now.


The leg­is­la­tion was first pro­posed in Jan­u­ary 2012 by EU Com­mis­sion­er for Jus­tice Viviane Red­ing. But with a near-record num­ber of par­lia­men­tary amend­ments and deep divi­sions among EU mem­ber states, it was get­ting bogged down.

How­ev­er, the rev­e­la­tions about the U.S. Nation­al Secu­ri­ty Agency have put the dossier back in the spot­light, espe­cial­ly as Germany—which has some of the bloc’s strictest lim­its on access­ing and ana­lyz­ing peo­ple’s data—has thrown its weight behind EU-lev­el rules.

Accord­ing to for­mer NSA con­trac­tor Edward Snow­den, who now has tem­po­rary asy­lum in Rus­sia, U.S. com­pa­nies rou­tine­ly hand­ed over vast amounts of data to the NSA, includ­ing that of for­eign­ers using their Inter­net ser­vices.

“We want firms to tell us in Europe to whom they give data,” Ger­man Chan­cel­lor Angela Merkel said last month, adding that “Europe here would need to speak with one voice.”

At an EU meet­ing last month, French and Ger­man jus­tice min­is­ters called joint­ly for swift adop­tion of the data-pro­tec­tion reform, sug­gest­ing a unit­ed front among mem­ber states that did­n’t exist before. Ms. Red­ing also has asked for the mat­ter to be added to the agen­da for an EU sum­mit in Octo­ber.

The pro­pos­als would give Europe’s nation­al data-pro­tec­tion author­i­ties the pow­er to fine com­pa­nies that abuse cus­tomers’ data by sell­ing it on or using it with­out their per­mis­sion up to 2% of their glob­al turnover. This would apply to any com­pa­ny world-wide doing busi­ness in the EU.

U.S. tech­nol­o­gy com­pa­nies “want to have access to our gold mine, the inter­nal mar­ket with over 500 mil­lion poten­tial cus­tomers,” Ms Red­ing said in remarks sent by her cab­i­net. “If they want to access it, they will have to apply our rules,” she added.

The pro­pos­als raise the poten­tial for a clash with U.S. leg­is­la­tion, includ­ing the U.S. Patri­ot Act and the For­eign Intel­li­gence Sur­veil­lance Act.

Under the expand­ed Patri­ot Act, the U.S. gov­ern­ment can ask com­pa­nies to hand over con­sumers’ data, even though that may be ille­gal in Europe. Wash­ing­ton also can obtain data of non‑U.S. per­sons locat­ed out­side the U.S. from cloud-com­put­ing providers that fall under its juris­dic­tion.

Accord­ing to Joris van Hobo­ken, a senior researcher at the Insti­tute for Infor­ma­tion Law at the Uni­ver­si­ty of Ams­ter­dam: “Such juris­dic­tion applies…to cloud ser­vices that con­duct sys­tem­at­ic busi­ness in the U.S. and isn’t depen­dent on the loca­tion where the data are stored, as is often assumed.”

Ms. Red­ing said com­pa­nies need­ed to know that they could face tough sanc­tions for not com­ply­ing with Euro­pean law. Cur­rent­ly, she said, “the prob­lem is that when these com­pa­nies are faced with a request whether to com­ply with EU or U.S. law, they will usu­al­ly opt for the Amer­i­can law.”

The Par­lia­ment would like to go fur­ther and see Euro­peans’ data stay on servers in Europe, a move that would hurt U.S. com­pa­nies pro­vid­ing cloud-com­put­ing ser­vices and may prove dif­fi­cult as cloud com­put­ing relies on bal­anc­ing demand for serv­er use around the globe.

“We have to ensure that per­son­al data, or data in gen­er­al, are sit­u­at­ed here in Europe because only then can we ensure that Euro­pean juris­dic­tion applies,” Mr. Albrecht said. “This has to go togeth­er with the legal restric­tion of trans­fer of data to cer­tain places.”

In par­al­lel, the EU is review­ing the so-called safe har­bor agree­ment with the U.S., which since 2000 has bridged the gap between EU and U.S. approach­es to data pro­tec­tion. Com­pa­nies self-cer­ti­fy that they pro­vide “ade­quate” pri­va­cy pro­tec­tion, com­pli­ance require­ments are stream­lined, and if there is a legal com­plaint from an EU cit­i­zen against a U.S. com­pa­ny, it can be dealt with in the U.S.

The EU will present its assess­ment by the end of the year. The 2000 deal “may not be so safe after all” for Euro­pean con­sumers, Ms. Red­ing said.

This is going to be a really interesting dynamic because we might be looking at a situation where the EU is trying to implement something that’s supposed to resemble a 21st century digital regulatory regime for the global age while maybe simultaneously trying to rebrand the EU digital marketplace as a single, homogeneous entity. This could reconfigure the digital enterprise landscape and there’s no reason to expect that these regulatory shakeups can’t shake up the global IT industries too. The EU is a HUGE market. The EU’s IT industry is guaranteed to undergo some significant changes going forward but that’s probably true for international IT business too as this new landscape unfolds. That’s not a bad thing because there really do need to be some significant updates to how the global community manages its data. Facebook and Google and all the rest of the big international data-collection behemoths really do need to be prevented from Hoovering up our collective sense of individual sovereignty because that might further warp an already-warped humanity. And the balance between government intelligence gathering and personal privacy clearly needs a serious reexamination everywhere. And that’s part of what is troubling about the latest reform efforts: the French and German governments that are currently pushing for swift EU-wide adoption of new rules lack credibility on these matters and Angela Merkel has been engaging in economic conquest across the eurozone for the last few years so perhaps they don’t have the entire EU public’s best interests in mind. Changes should happen, but not changes rammed through by groups currently exhibiting imperial ambitions.

It’s also worth noting that it’s still unclear at this point if a secret trilogue will get used at all. As the EU rapporteur, Jan-Philipp Albrecht can request a trilogue, but other bodies then have to agree. Trilogues aren’t uncommon in the EU, to the chagrin of critics. But they are kind of creepy, especially in this context. And according to Jan-Philipp Albrecht, ‘the plan’ is for the EU to agree to a creepy trilogue in October and end it by January. 2014 could be a weird year for the interwebs:

Closed-door tri­logues are on the data pri­va­cy agen­da
Mon­i­ca Hort­en
Pub­lished on 08 July 2013

It’s becoming clear that the fate of the EU’s privacy law reform, namely the Data Protection Regulation, could be decided by institutional deal-making in Brussels. The Civil Liberties (LIBE) committee in the European Parliament is to be formally asked for permission to enter into negotiations with the Council — also known as trilogues. If the trilogues go ahead – still an ‘if’ — it means that the three EU institutions will be asked to agree the shape of the legislation in private talks, before the outcome is put to a Parliamentary vote.

Following my previous article Cloak of secrecy hangs over EU privacy reform, the European Parliament’s rapporteur, Jan-Philipp Albrecht, has confirmed to Iptegrity via Twitter (probably the strangest form of interviewing that I have ever done) that he does indeed plan to ask his committee for a trilogue mandate when it votes on his report in October.

Else­where, Mr Albrecht has expressed a view that there will be a deal done between the Par­lia­ment and Coun­cil of Min­is­ters, pos­si­bly ear­ly next year. Speak­ing to Inside US Trade, Mr Albrecht said that if every­thing goes to plan, the Par­lia­ment and the Coun­cil would be in a posi­tion to reach a deal by Jan­u­ary.

Tweet­ing in response to a Ger­man con­stituent, Mr Albrecht said that he expect­ed both the Par­lia­ment and the Coun­cil of Min­is­ters to estab­lish a man­date for talks in Octo­ber, with a view to adopt­ing the leg­is­la­tion by next Spring.

Tri­logue is EU jar­gon for tri­par­tite, con­fi­den­tial talks between the coun­cil of Min­is­ters, the Euro­pean Par­lia­ment and Com­mis­sion, with the aim of get­ting agree­ment on leg­isla­tive texts. The Euro­pean Parliament’s rap­por­teur must take the polit­i­cal deci­sion to agree to hold­ing tri­logues and then he must put that to his com­mit­tee in the form of a for­mal­ly-word­ed man­date. Tri­logues are option­al in the First Read­ing. It is the rap­por­teur’s pre­rog­a­tive as to whether he wants to do so – or not. The man­date would be append­ed to his report when it is vot­ed.

Hence, the deci­sion to go this route will be tak­en by Mr Albrecht. He does have oth­er options, includ­ing tak­ing his report direct­ly to the Parliament’s ple­nary ses­sion for the first read­ing vote.

Tri­logues, held behind closed doors, would seem to go against the grain for a Green MEP who stands for Inter­net free­dom and trans­paren­cy. Mr Albrecht, a Ger­man lawyer, is high­ly regard­ed in the Euro­pean Par­lia­ment, and that is indeed the rea­son he was select­ed for this role. So why might he con­sid­er this route?

He could be under pres­sure from the Com­mis­sion to get the Data Pro­tec­tion Reg­u­la­tion adopt­ed. He is very like­ly to feel the weight of the forth­com­ing Euro-elec­tions. His elec­torate in Ger­many is sen­si­tive to the issue of data pro­tec­tion. His wider con­stituen­cy of NGOs is expect­ing that he will get this law through. That’s an awful lot of dif­fer­ent pres­sures that are push­ing him to fast-track the adop­tion.

Mr Albrecht will have to weigh up his chances. Will he be more like­ly to get the leg­is­la­tion adopt­ed by going the tri­logue route, or by putting his report to ple­nary? What is more like­ly to pro­vide a suc­cess­ful out­come?


Data privacy and protection issues really are critical and complicated topics that have to be better addressed by the global community. And the nature of the internet does kind of call for a global response so a US/EU bilateral agreement is probably a prelude to the web of bilateral agreements globally that will probably create a multilateral mess as this topic moves forward globally. But there’s no reason it has to be an enormous global bilateral-mess (ignoring the fact that these are inherently very messy topics). The upcoming changes to the EU’s Data Protection Regulations really could do enormous good if this was being hashed out by credible parties. But, of course, virtually every world leader lacks credibility on matters of secrecy and espionage, so it isn’t surprising that the leaders leading the way on the idea of implementing broad global data privacy rules are laughably unqualified for the task. Just about any set of national leaders would be unqualified on these matters. But the fact that Merkel & Friends — the crew that just waged economic conquest across Europe — are trying to rush through the biggest change to EU Data Protection Regulations in nearly two decades and with over 3000 amendments yet to be hashed out doesn't bode well. It’s been known for years that some sort of serious reform to the internet is necessary and coming so some changes should be welcome. But Merkel is surrounded by a socioeconomic wrecking crew that has its sights set on the internet. Watch out.

