Evolution of data protection (and related) legislation

An important aspect of creating a trustworthy as well as secure digital environment for EU consumers is ensuring a robust legal framework for the protection of citizens’ data. Whilst the EU's interest in privacy and data protection dates as far back as the 1970s (Gonzalez 2014), the contemporary EU approach to data protection has been underpinned by the 1995 Data Protection Directive (DPD) and its replacement, the General Data Protection Regulation (2016), which was implemented by Member States in May 2018. The DPD sought to protect the fundamental (data protection) rights and freedoms of individuals whilst ensuring that there was no impediment to the free flow of personal data needed for the continued development of the single market. The European Commission’s reports (2003, 2007) on the implementation of the DPD found that the Directive did not achieve its internal market policy objectives fully, or remove differences in the level of data protection in EU Member States. Enforcement was also identified as an area where improvement was needed. Following extensive consultation, the Commission released a Communication on “A comprehensive approach on personal data protection in the European Union” (2010) and a proposal followed for a new General Data Protection Regulation (GDPR 2012), which consisted of two legislative proposals:

  • A Regulation on the protection of individuals in relation to processing and free movement of personal data;
  • A Directive on the protection of individuals in relation to ‘the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or execution of criminal penalties, and the free movement of such data’ (European Commission 2012, p. 1).

The challenges to data protection brought about by rapid technological change and exponential growth in the scale of data sharing, processing, and collecting provided the main rationale for such proposals, with a critical issue being that of enhancing trust in the online environment. This was critical to Europe’s economic development through its Digital Agenda (European Commission 2010a), and, more broadly, the Europe 2020 Strategy (European Commission 2010b). A key aim of the Regulation, whilst retaining the central principles that underpinned the DPD, was to

build a stronger and more coherent data protection framework in the EU, backed by strong enforcement that will allow the digital economy to develop across the internal market, put individuals in control of their own data and reinforce legal and practical certainty for economic operators and public authorities.

(European Commission 2012, p. 2)

The DPD had failed to address the diversity of rules across EU Member States; the ambition of the GDPR was that it would create uniformity within the EU.

The acceleration and development of EU policy on data protection and privacy was triggered by both trends and major defining events. For example, data from a Special Eurobarometer survey (2011) revealed, among other things, that 70% of Europeans were concerned that their personal data held by companies may be used for a purpose other than that for which it was collected. This led the European Commission in 2012 to call for comprehensive reform of data protection rules in the EU, which would build on the EU’s Digital Agenda for Europe (European Commission 2010a, p. 17). The Snowden disclosures in June 2013, which exposed a number of US surveillance programs involving the large-scale collection of personal data, were significant in further galvanizing the European Commission and other EU actors to strengthen legislation on privacy and data protection within Europe and beyond. Thus, since the approval of the GDPR by the EP in April 2016 (The EP and Council 2016), the EU has proposed the Regulation on Privacy and Electronic Communications in order to update the e-privacy directive (which only covers traditional telecoms operators) and, specifically, to align the rules for electronic communications with the GDPR (European Parliament and Council 2017). The disclosures were also significant in spurring the European Court of Justice to act in reversing key pieces of EU legislation and initiatives, such as the Data Retention Directive (2006) and the EU-US Safe Harbour Agreement (the original Max Schrems case in 2013); the former was annulled by the Court in 2014 on the grounds that it represented an infringement of the individual’s right to privacy, and the latter was declared invalid because it was not seen to protect European citizens’ data against US government surveillance activities.

Whilst the GDPR is no doubt perceived as a global standard for data protection, it has also faced several challenges internally and externally, and, in particular, in the transatlantic context. Internally, for example, certain Member States, whilst implementing the GDPR, have also continued the practice of retaining data and mass surveillance, and have simply legalized the right to access data in matters of criminal investigation and national security (e.g., UK, Germany). Externally, it has become a significant (but not insurmountable) challenge in terms of negotiating agreements with third countries - where domestic data protection laws do not offer equivalent protection to that of the GDPR - and where reform is required in order for the European Commission to grant an adequacy decision that would allow the transfer of personal data (commercial or otherwise).

In the transatlantic context, the EU-US Privacy Shield, operational since August 2016 and the replacement mechanism for the Safe Harbour Agreement annulled by the ECJ, has also come under stress. Specifically, another legal challenge in the Irish High Court by Max Schrems against Facebook (2017), relating to a secondary EU-US data transfer mechanism (that is still being used), Standard Contractual Contracts (SCCs), was referred to the ECJ (as with the original) on the grounds that it contravened fundamental EU citizens’ rights in relation to continued US surveillance practices. The political mood under the Trump administration sought to strengthen, or, at the minimum, sustain rather than transform the legal framework (and loopholes therein) that protects the rights of either US or indeed foreign citizens against warrantless surveillance. To this end, President Trump in 2017 signed into law another six years of Section 702 of the Foreign Intelligence Surveillance Act (FISA), a controversial surveillance law that EU policy-makers have lobbied the US government to reform since Snowden so that provisions for foreigners’ data could be enhanced. Thus, US intelligence agencies retain the right to access and collect citizens’ data in bulk, which more broadly also challenges the premise and indeed sustainability of the Privacy Shield Agreement and EU-US transatlantic data flows (Vermeulen 2018; Lomas 2018). This is even more so given that both Facebook and Cambridge Analytica - at the center of a data scandal in 2018 - were certified by the Privacy Shield (Hill 2018).

Whilst the EU’s second GDPR legislative proposal (the Directive) was penned to address issues relating to the access, use, and processing of personal data in relation to police and criminal matters, this has also proved controversial in terms of practice. Again, in the transatlantic context, the EU and US have specific agreements on the use and transfer of data in police and judicial matters in the form of an Umbrella Agreement concluded in 2015 (European Commission 2015a). Debates and disputes emerged before, and, in particular, after the Snowden affair over levels of personal data protection in the Passenger Name Record Agreement (PNRA) (the transfer of flight information), the Terrorist Finance Tracking Program (TFTP) (exchange of financial data through the SWIFT system), and the Mutual Legal Assistance Agreement (MLA) (facilitating the exchange of information and evidence in criminal cross-border investigations) (see Vermeulen 2018).

The EU’s priority in the Umbrella Agreement was to ensure that “EU citizens will benefit from equal treatment: they will have the same judicial redress rights as US citizens in case of privacy breaches” (European Commission 2015a). This said, the Agreement has been criticized for offering limited improvement to the privacy rights of European citizens, not least because the US Judicial Redress Act, which seeks to enhance the rights of non-US citizens through amending the US Privacy Act (1974), does not cover collection of data by US intelligence agencies (Jeppesen and Nojeim 2015; see also Korff 2015 for detailed critical analysis). The EP’s legal service has also argued that the Umbrella Agreement is “not compatible with primary EU law and the respect for fundamental rights” (EP Legal Opinion, 2016). The Umbrella Agreement, for many, does not provide for an adequate strengthening of EU citizens’ rights when it comes to mass surveillance and snooping. This is an issue and discussion that has caused division not just with regard to the Agreement, but also in the broader encryption and access debate between certain intelligence services and large tech corporations (e.g., Apple).

Controversy has also surrounded specific issues such as e-evidence. US and EU convergence on the need for further efficiency in this area through the US Cloud Act and the proposed EU Framework for e-evidence (consisting of a Regulation and Directive),2 respectively, has pushed up against the issue of citizens’ rights in terms of law enforcement access to their data without the requisite probable cause and MLA request (Fischer 2018; Anagnostakis 2018). The calls for direct access to service providers located abroad - whether in terms of US law enforcement authorities accessing e-evidence abroad, EU law enforcement accessing e-evidence in the US, or indeed in other Member States - have raised significant concerns. Central among these have been the extent to which any such direct access arrangements do not provide sufficient safeguards against the practices of bulk access and mass surveillance, the fact that there is no differentiation in the treatment of different types of data with higher potential for misuse or abuse, and the fear that private companies would effectively be turned into judicial authorities; that is, it would cut out the competent authority in any Member State that effectively assesses the legality of requests, so that the burden of responsibility would fall on private companies, thus leading to a higher risk of over-compliance (Fischer 2018; EDRi 2018b; ART 29 WP on e-Evidence (12 July 2017); Vogiatzoglou 2018). Fundamentally, the argument against the newly proposed Framework for e-evidence is that it would maximize the risk of rights violations and reduce the extent to which citizens could defend their rights through more traditional channels.

Tensions within EU policies (and between EU policies and Member State practices, or other nation states' practices), given the borderless nature of the Internet, have serious implications for the protection of personal data, both within and beyond the EU’s geographical reach (in relation to both commercial and police/criminal matters).

