Readers know that I have always said that the Data Protection Regulation will fail, mainly because of disagreements between Member States over content. However, my analysis was before the Snowden whistle-blowing disclosures as to how personal data, processed by corporate America (e.g. Google, Facebook etc), are regularly harvested by the USA’s National Security Agency (NSA).
I still think the Regulation will fail but I am now less certain; in the run up to Xmas, the position will become clear. But certainly, the change of mood is due to the Snowden revelations (see a comprehensive review of this published last week by the European Parliament; see references for this and all other press commentary).
The reason for my current hesitation is the reports I have heard from the 35th International Conference of Data Protection Commissioners (where the revelations about NSA became the hidden herd of elephants in the room). There now appears to be some recognition that Directive 95/46/EC needs to be replaced “with something” before the deadline (but with what?).
The Regulation is perceived to be the only game in town, and if that fails, then the perceived view is that this is the end of the discussions for a decade.
In addition, the European Commission appears to have decided that the “with what?” question is best answered by Qualified Majority Vote, as can be done under the Lisbon Treaty. This QMV vote, when or if it comes, will be in the absence of serious consideration of the British and Irish position.
This is because the British have been perceived to be “not constructive” whilst the Irish are conflicted as they benefit from their status as a corporate tax haven for the very organisations that have unwittingly (or otherwise) been contributing to the NSA’s surveillance effort.
Ms Reding, the Commissioner responsible for the Regulation, has been reported in the German press saying there could be a majority decision of Council of Ministers and the EU Parliament, and that discussions with Britain and Ireland were "not important". She added that she only had time for “constructive conversations”, identifying those discussions with Great Britain as a waste of effort and "unnecessary". She added that Europe needs "strong laws" with deterrent effect and "conscious consumers" empowered to protect themselves.
In addition, the Germans in particular appear to be more willing to engage with stronger data protection as a result of the NSA revelations. Data protection featured in the German Election campaign; there were even data protection demonstrations involving thousands in Berlin. The BBC reported Angela Merkel pledging her government to take a "very strict position" in ongoing talks on European Union-wide data rules, adding: "We have a great data protection law. But if Facebook is registered in Ireland, then Irish law is valid, and therefore we need unified European rules".
By contrast the UK’s Minister of Justice, Chris Grayling MP, wants out of the Human Rights Act and the current draft of the Regulation (a view repeated at today’s speech at the Party Conference where the Tories committed themselves to leave Europe's human rights regime).
He told the Daily Telegraph that “We have to curtail the role of the European Court of Human Rights in the UK, get rid of and replace Labour’s Human Rights Act”. He told Bloomberg that he will encourage other European Union nations to block plans to tighten data-protection rules, arguing the proposals risk burdening business and destroying jobs.
At one level, I have always been puzzled why the disclosure of the personal data to the national security agencies via PRISM has increased calls for the Data Protection Regulation to be strengthened. The reason is that Directive 95/46/EC left it to Member States to decide what exemptions would apply if personal data were, for example, to be disclosed by a data controller to the national security agencies.
Even the draft Regulation, as originally published by the Commission, states that “it does not apply to the processing of personal data … in the course of an activity which falls outside the scope of Union law, in particular concerning national security…”.
So why the fuss about national security? The answer quite simply is that whereas many European countries claim their own countries have due process with respect to national security surveillance, this is absent for Europeans when the USA national security agencies are involved. The UK Government is relaxed about the national security issue as GCHQ is in cahoots with the NSA; due process is largely absent in the UK as the relevant national security warrants have been expansively drafted.
And that is why the majority of European countries could well back strong data protection rules for data export and personal data use on the Internet, dominated as it is by USA companies. What these States are doing is sending a signal to the Obama Administration that it needs to change policy re NSA surveillance of Europeans so that it includes some "due process" for Europeans.
A tough Data Protection Regulation could well become the vehicle to deliver that message.
Our Update program for the end of the October 28th is one of the best I have compiled; see details on the main Amberhawk website. A snip at £225 for the day (plus drinks reception at end)
The NSA surveillance programmes (PRISM) and Foreign Intelligence Surveillance Act (FISA) activities; report to European Parliament: http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/dv/briefingnote_/briefingnote_en.pdf
The German press comment is on: http://www.faz.net/aktuell/politik/ausland/amerika/nsa-affaere-reding-deutschland-beim-datenschutz-bisher-zu-zoegerlich-12562045.html (I have used three translation programs to check the gist of the comments to the German press).
Report on German data protection demonstrations: http://www.dw.de/opposition-banks-on-nsa-in-german-elections/a-17076974 and http://www.expatica.com/es/news/spanish-news/Thousands-protest-in-Germany-over-personal-data-protection--_56264.html
BBC report on Merkel’s comments: http://www.bbc.co.uk/news/world-europe-23309624
Chris Grayling on Human Rights and data protection: Daily Telegraph http://www.telegraph.co.uk/news/politics/10334855/UK-Supreme-Court-should-have-final-say-on-human-rights-cases-not-Strasbourg-says-Chris-Grayling.html; Bloomberg report: http://www.businessweek.com/news/2013-09-26/u-dot-k-dot-seeks-to-block-eu-data-protection-plans-that-burden-firms