Press "Enter" to skip to content

Regulating privacy in the age of Big Data

January 12, 2017

On Tuesday the European Commission published its proposal for an e-Privacy Regulation. This legislation is intended to clarify rules on the data companies can retain whilst searching the web.

That was an issue the European Commission could not get it right. If everyone was slightly unhappy and no one furious, Tuesday would be a good day. It wasn’t.

The dilemma was succinctly framed: “New devices and technologies that make our life easier in many aspects also create new threats to our privacy.”

The issue is hugely controversial for two main reasons. First, it begs the question of how much of our web history is ours. Not being “ours” means it could get privatized or used by security agencies.

Private and public data

On the one hand, it is a matter of civic privacy and the delineation of the private and the public, as we are moving with speed into a “big data” society. As soon as the Commission came out with its proposal, the Executive Director of the European Digital Privacy civic advocacy group, Joe McNamee, recognized that the European Commission “resisted the most extreme demands from certain parts of the industry.”

But, McNamee was less than overjoyed, as he saw the Commission did succumb to some of the pressure to take a shortcut to a “big data” society. In his view, civil society and the industry show significant differences in priorities. Citing a Eurobarometer on e-Privacy, the advocacy group argues that the priority should be clear rules and strong safeguards that will ensure that “a minority of businesses” are not allowed to “destroy trust for everybody.”

On the other hand, the private sector is unhappy with regulation which hinders access to data, an argument that usually comes hand in hand with the words “innovation,” “growth,” and “jobs.”

Sure enough, the lobby group Digital Europe “regretted” that the Commission “did not take the opportunity provided” to simplify the legislative landscape, taking a “disproportionate” approach to ensuring an appropriate level of protection for consumers that “risks undermining” the balance of the digital ecosystem.

“How can European companies build a data economy without data?” asked the Director General of the lobby group John Higgins.

Mr Higgins also regretted that the European Commission did not “take the opportunity” to harmonize privacy law, forcing member states to allow the free flow of data without “unjustified national data localization requirements,” which hinders the emergence of a Digital Single Market.

“Backpedalling on the free flow of data initiative shows a worrying lack of commitment,” Higgins noted.

EU data and national data

Meanwhile, the issue at hand is the delineation of data to which the state has access.

From the point of view of the industry, varying levels of privacy protection are a form of trade protectionism. The digital industry wants a single EU-wide regime for the protection of citizens’ privacy that will create a single normative framework for companies to operate across the EU.

“At a time of growing protectionism around the world, Europe needs to send a message to its trading partners that the free flow of data should be championed and localization measures discouraged,” Higgins said.

National data and Security

Of course, there is a third dimension to this debate. In December, the European Court of Justice (ECJ) has ruled that the indiscriminate collection of data by the U.K and Sweden are against EU law.

Currently, the Investigatory Powers Act in the U.K is considered one of the most pervasive in the western world. It has been dubbed the “snoopers charter,” as it obliges communication companies to hold on to communication data (of everybody) for a whole year. The data retained is mostly “meta-data,” as in whom and when we speak to someone or send them an e-mail, rather than what is said or written.

That means that the police and intelligence services can have access to any data retrospectively, even when individuals were not subject to an investigation. Swedish law provides authorities with the same kinds of power.

In Sweden, the opposition to snooping legislation started from the industry. In 2014, Internet and telecom providers in Sweden told the government they planned to suspend data storage, arguing it was a violation of privacy rights. But the Swedish Posts and Telecom Authority warned that if they did so, they would move to impose fines. The Swedish government demanded the storage of customer data.

To put this simply: security cannot be obtained on private money. The Legal Officer of the advocacy group Privacy InternationalCamilla Graham Wood, said that the ECJ ruling is “a major blow against mass surveillance and an important day for privacy” as it makes clear that “blanket and indiscriminate retention of our digital histories – who we interact with, when and how and where – can be a very intrusive form of surveillance that needs strict safeguards against abuse and mission creep.”

Data and Diplomacy

Following the disclosure of the intrusive US surveillance over private data by Edwards Snowden in 2013, the European Commission has been forced to scrutinize more closely the enforcement of EU’s Privacy Shield agreement with the US. While Brussels concedes the flow of Europeans’ personal data across the Atlantic for credit card transactions, hotel bookings or browsing habits, US companies must comply with strict EU data protection rules.

On Wednesday, Commissioner Vĕra Jourová told Reuters she was not satisfied with US explanations on why and how Yahoo was scanning customers’ incoming emails for U.S. intelligence purposes. “I am not satisfied because to my taste the answer came relatively late and relatively general,” Jurova said.

That is serious as digital trade between the EU, and the US is worth little under €245bn. The Commission reviews that the US abides by the Privacy Shield terms once a year. The next review will take place in the summer of 2017.

Originally Published in New Europe: January 12, 2017