ENDitorial: EU Data Protection: state of the play, potential for enhancements


Under the title "Personal data - more use, more protection?", the European Commission organised a data protection (DP) conference in Brussels on 19 and 20 May 2009. The purpose of the conference was to look for new challenges for privacy and to kick off a process towards a new quality of data protection for the European Union. At the invitation of the European Commission, Andreas Krisch participated on behalf of EDRi.

The topics of the one-and-a-half-day conference covered a wide range of areas related to data protection, among them data protection in the area of law enforcement, data retention, the role of businesses as well as supervisory authorities, and consumer protection.

Following the presentations on data retention by Kurt Alavaara (National Police Board, Sweden) and Francis Stoliaroff (Ministry of Justice, France), a long debate on the legitimacy of the data retention directive took place. Spiros Simitis (Goethe-University Frankfurt am Main) argued that data retention is not only in violation of fundamental rights and against the German constitution but also violates the fundamental principles of data protection, especially the principle of purpose limitation.

Panellist Douwe Korff (London Metropolitan University) concurred, saying that vague purpose specifications are interpreted differently in the member states. While some countries differentiate between the purposes of prevention and prosecution of crimes, others simply subsume these under the term "police purposes", with huge implications regarding the access to retained data. Furthermore, he made clear that communication traffic data is personal data.

Finally, Waltraud Kotschy (Austrian Data Protection Commission) joined the discussion and stated that, in her view, it will be impossible to keep the access to retained data restricted to cases of terrorism and organised crime. There are already discussions in Austria on access to data for purposes of copyright enforcement. These and similar discussions will gain momentum once data retention is in place.

For all presentations and discussions of the first day of the conference a webcast of 15 minutes of discussion with English, German and French translations is available on the EC website and definitely worth viewing.

The role of business and personal data protection was the title of my presentation. Starting with a general overview of commercial data collection on shopping and communication habits, financial, location and movement information, I argued that in many cases commercial data collection leads to the use of these data by the state. Examples of this include, but are not limited to, the SWIFT case, where US authorities accessed data on EU financial transactions; PNR data, where the EU grants the US access to passenger information and plans to access these data as well; and mandatory data retention, where EU member states retain and access data on communications of 490 million people.

Given these practices, the significance of commercial data collection cannot be overestimated and the 1983 ruling of the German Constitutional Court reasoning that "... an as such inconsequential date can get a new significance;" and that "insofar there is no 'inconsequential' date anymore under the conditions of modern data processing", has more relevance today than ever before.

At the same time, we see significant weaknesses at the counterparts of these data controllers, the data protection authorities. On the one hand, they are often confronted with very limited financial and personnel resources and are therefore also limited in their possibilities to enforce data protection legislation. On the other hand, we also see problematic decisions - or at least problematic reasoning - of data protection authorities (see Privacy International on the UK Information Commissioner). In addition, it is also clear that traditional means of oversight will be unable to cope with the immense increase in the amount of data being processed. Present means for individual data protection are also limited and often impose relatively high financial risks for legal procedures in combination with relatively little potential gains in individual cases.

Improvements of data protection and data protection legislation can therefore be achieved by expanding the possibilities for individual data (self-)protection (e.g. easier and less risky legal procedures; evaluation of current practices regarding "informed consent" of data subjects), the introduction of mandatory data breach notifications and punitive damages on a per data basis in cases of data leaks. With regard to the area of Radio Frequency Identification and the Internet of Things it will be necessary to follow the developments carefully and to evaluate if current data protection concepts still provide sufficient means to address the data protection challenges introduced by these technologies.

Additionally, positive measures also need to be taken. Tools and mechanisms that help businesses to prove and publicly communicate their compliance with data protection legislation, like the European Privacy Seal (EuroPriSe), should get a strong foundation in the European data protection legislation. The introduction of mandatory data protection officers for companies would not only help companies to establish data protection mechanisms in their organisations and to work internally on improvements but would also bring positive effects for the relationship between companies and their customers by providing a competent contact person for questions related to data protection.

Finally, better educational information on data protection is needed to ensure that young people have access to relevant first-hand information on data protection and their possibilities to protect their privacy.

The future will show what this process towards a new quality of data protection for the European Union brings. For the time being, it can be said that the European Union has at least two faces when it comes to data protection. On the one hand, important steps towards data protection in the area of RFID and the Internet of Things are being taken, but on the other hand, the planned Stockholm Programme on Justice and Home Affairs policy for the next five years describes the way towards a surveillance society in which the floods of the digital tsunami threaten to overwhelm the data protection rights of individuals in Europe.

Conference "Personal data - more use, more protection?" (19-20.05.2009)
http://ec.europa.eu/justice_home/news/events/news_events_en.htm#dp_con...

Conference Programme "Personal data - more use, more protection?" (19-20.05.2009)
http://ec.europa.eu/justice_home/news/events/conference_dp_2009/progra...

Webcast of the discussion on data retention (Simitis, Korff, Kotschy and others) at the conference
http://webcast.ec.europa.eu/eutv/portal/jsf/_vi_fl_300_en/player/index...

Webcast of the presentation by Andreas Krisch "The Role of Business and Personal Data Protection"
http://webcast.ec.europa.eu/eutv/portal/jsf/_vi_fl_300_en/player/index...

PI calls for review of UK privacy regulator following series of failed judgements (23.04.2009)
http://www.privacyinternational.org/article.shtml?cmd³³0³=x-347-564402

European Privacy Seal (EuroPriSe)
https://www.european-privacy-seal.eu/

EDRi-gram: Stockholm programme - the new EU dangerous surveillance system (17.06.2009)
http://www.edri.org/edri-gram/number7.12/stockholm-programme-eu-survei...

EDRi-gram: EU supports RFID with proper protection of consumers' privacy (20.05.2009)
http://www.edri.org/edri-gram/number7.10/rfid-european-commission-reco...

EDRi-gram: 'Right to the silence of the chips' in the new EC Communication (1.07.2009)
http://www.edri.org/edri-gram/number7.13/right-silence-of-the-chips

(Contribution by Andreas Krisch - EDRi)