Despite the spying revelations in Europe and the United States, privacy is increasingly relevant in a society that is driven by the extensive use of information technology, claims European Data Protection Supervisor Peter Hustinx in an exclusive interview with Policy Review editor Dean Carroll.
There has been a loud media scream in reaction to the Edward Snowden revelations but didn’t this whole episode just confirm what we already knew – no citizen data is truly protected and the security services often overreach when using surveillance?
“The media reactions across the European Union reflect a genuine and fully justified concern of the population. Over the last 20 years, the internet has gradually revolutionised our societies. The impact it has had on our culture and on the way we communicate could not have been predicted when the technology was conceived. Similarly, the vulnerabilities of the system, including the possible weaknesses of encryption and security, have also gradually revealed themselves over the years. The scale of the monitoring activities and the numbers of private actors including well known internet giants, either actively or passively involved, that have now been revealed could not have been anticipated and this all has far-reaching effects and has greatly damaged public trust.
“Most people are discovering this only now. We are increasingly reliant on technology that processes huge amounts of our personal information. In our daily lives, we often share personal information with others: whether through loyalty cards, filling in a hotel form or a job application or perhaps taking part in clinical trials. Online data sharing is pervasive on e-commerce sites, social networks and in mobile apps, via personal computers but also smartphones and tablets.
“Although people are now used to the availability of free services, not everyone is aware that free services do not exist in reality; this leads to extensive monitoring of their behaviour for marketing purposes, on an almost permanent basis. This is the basis for the wide scale involvement of private actors in public sector monitoring.”
The PRISM and Tempora scandals do not seem to be holding back negotiations on the free trade deal between the European Union and the United States. Do you think Europe should insist on improved data security safeguards as part of the Transatlantic Trade and Investment Partnership?
“The EU should indeed insist upon improved safeguards. Whether this is something that should be discussed as part of the trade talks is another matter.
“We should not forget that negotiations about conditions for trade and investment would necessarily be complex. Privacy and data protection discussions would be equally demanding since they are fundamental rights. Such discussions should therefore be handled in dedicated meetings, separate to those on trade.”
For citizens unaware of your existence could you highlight the European Data Protection Supervisor’s remit, the size of your budget and staff – and the notable successes of your organisation?
“With a staff of around 50 people and a budget of approximately €7m, the EDPS is an independent body that was established in 2004 under the EU Data Protection Regulation – (EC) No 45/2001. We are responsible for ensuring that the fundamental right to the protection of personal information, as outlined in the regulation, is respected by the European institutions and bodies. Similar institutions exist at national level in all member states and we work closely with them to ensure more effective and consistent protection of people across the union.
“Our main success since 2004 is to have worked data protection into the practices of most EU institutions through a persistent and pragmatic approach. We are now at a stage where most institutions do not pay lip service to data protection but give it the attention it deserves, including in the development of new policies. It sends an important message when the main institutions set the example.”
And could you outline the areas where you feel the EDPS still has much work to do?
“There is always room for improvement. We are now at a stage where we are able to enforce the data protection obligations and principles and the guidelines we have formulated over the years, as effectively as possible. This is important for those who still have to catch up. In another area of our work, we see that the number of relevant subjects that we are consulted on by the institutions for new legislation proposals is increasing. We are therefore also looking at the ways in which we interact with the European Commission, the European Parliament and the European Council at different stages of the legislative procedure.”
Who appoints the EDPS and for what term?
“The selection procedure that leads to the appointment of the European Data Protection Supervisor and the assistant supervisor, each for a five-year term, is a transparent one and involves the three major EU institutions.
“Following a public call for candidates, an inter-institutional selection board makes a selection of the most competent applicants – who are interviewed. The selection board forwards a shortlist with recommended candidates to the commission for adoption and subsequent submission to the parliament and the council. Public hearings take place in the EP in order to evaluate the experiences, skills and independence of the candidates. This is followed by discussions in parliament and the council, and eventually leads to a joint decision being taken on the appointments.”
Which EU agencies do you monitor and who performs well?
“We supervise all EU institutions and bodies, and that includes in principle all agencies established in the different member states across the union. When an institution intends to process personal data in operations that present specific risks, they must first notify these to the EDPS for prior checking. The aim is ‘data protection by design’ – to build data protection into the design and architecture of the operation.
“In most cases, this prior checking exercise leads to a set of recommendations from us that help the institution or body to comply with data protection rules. Institutions and their data protection officers can consult us for advice when drawing up measures or internal rules that involve the processing of personal information, if they are complex or may result in considerable risks to the rights and freedoms of individuals.
“We carry out regular monitoring exercises such as surveys and on-the-spot inspections and these give us an indication of the levels of compliance and are also useful to gather statistics to benchmark and compare the performance of the EU institutions and bodies. We can use these to ascertain improvements in compliance and also the areas on which we need to focus.
“The results that we published at the beginning of 2012 from our last general survey on the level of compliance within the institutions showed that some were progressing well while others were not performing as well as they should. Ensuring compliance is a continuing process that requires the commitment and support of the hierarchy in all institutions and bodies. So, where necessary, we follow up these surveys.”
And which EU bodies are laggards when it comes to data protection?
“Over the course of 2012 we visited the agencies that, based on the results of our survey, gave us cause for concern. These included the European Aviation Safety Agency, the European Centre for Disease Prevention and Control, the European Training Foundation, the European Research Council Executive Agency and the Research Executive Agency. Such visits typically lead to an agreed roadmap of follow-up activities in order to boost compliance and we are pleased that the visits, for the most part, have been fruitful.”
As a society, we will have to simply accept that to take full advantage of the internet’s benefits we must also accept that privacy is somewhat of an outdated concept?
“We do not agree that privacy is an outdated concept. Instead it is increasingly relevant in a society that is driven by the extensive use of information technology. However, we have to think about new and more effective ways to protect our private lives and personal information. That is why the EU is now engaged in an ambitious review of its current rules on data protection, and why a more responsible use of information technology is also a precondition for trust and confidence in online environments. Better protection for privacy and personal data therefore plays a key role in the EU’s Digital Agenda.
“Reassuringly, the data protection community – in Europe and elsewhere – has grown tremendously over the last 35 years, suggesting that privacy is as important as ever in our societies. Latest estimates suggest that some seventy countries now have a national law on privacy or data protection and the number of data protection authorities around the world has also grown. In spite of obvious legal differences in details, they are all designed to deliver more effective protection in practice.”
Which EU member states meet high standards on data protection and which European nations underperform?
“The EDPS is not competent for issues on a national level and has no supervisory powers for handling complaints on the processing of personal information by national authorities or private entities. So we cannot comment on this except to say that the existing rules on data protection in the EU are binding for all member states.
“However, as they are in the form of a directive – D95/46/EC – the member states have some flexibility as to how they transpose them into their national laws. So there will necessarily be differences in how these are applied in Germany for instance compared to the UK. The review of EU rules on data protection is designed to reduce undue diversities and make the system more consistent across the union.”
Given that many of the leading tech players have turned into public companies, should we be concerned that data protection will be downgraded even further as companies chase profits and advertising to please shareholders – rather than being concentrated on the user experience?
“The need for stronger, more effective and more consistent data protection, applying to all those active on the European market is an important driver of the EU reform effort. However, we also need a change of mindset. The benefits for industry should not – and do not need to – be at the expense of our fundamental rights to privacy and data protection. The integration of data protection principles in technical innovation or in the transfer of our personal information to relevant bodies, in the interests of security for example, can add significant value – both in terms of efficiency and lower costs, if privacy is built into the design of processes from the outset. Data protection is compatible with innovation and should not simply be ignored to make way for short-term gains.
“The ambitious review of our current legal frameworks for privacy and data protection should – as said – make them more effective and consistent across the EU. Making data protection more effective in practice means stronger rights for individuals, more responsibility for organisations using personal data and stricter supervision and enforcement by data protection authorities. It will apply to all those who offer their goods or services on the European market and should therefore provide more of a level playing field than currently exists.”
Scanning the horizon, what role do you see technology playing in our future lives?
“The digital environment in which we now live is without any doubt an area of tremendous creativity, innovation and technical accomplishment that will continue to grow. We should embrace this growth but an equal level of creativity is needed to ensure better digital governance and real citizenship for all in the digital society. It is neither possible nor desirable to regulate innovation but the law can create the right responsibilities and allocate the right incentives and that is exactly what the new legal framework will do.
“The current legislation arose at a time when the internet was still in its infancy. Under the proposed new rules for data protection in the EU, the obligations of those responsible – in both the private and the public sector – are very well defined. How they should manage personal data, what they need to have done before they come to the market and concepts such as accountability or ‘privacy by design’ – building data protection into the design and architecture of an operation or product.
“Every app developer knows about copyrights, patents and trade mark laws because they need them to market their product. In future they will also need to keep in mind that they have to meet some basic rules on personal data, otherwise their product will not be good enough.”
Are you personally engaged on the social networks and, if so, what are the pros and cons of developing a virtual profile across networks like Twitter and Facebook?
“I am not active on any social network. The networks that are relevant for me work perfectly without the artificial exposure inherent in many social networks. There is a great amount of manipulation and undue pressure in and around social networks, as they currently exist. However, after a careful analysis, we have decided at the EDPS to be active on Twitter as an integral part of our communication policy.”
Is there a greater risk of identity theft on certain social networks more so than others?
“There is a very clear need for greater user control on all social networks. But the problem is compounded because people are naïve and providers can be very crafty. Manipulation and unfair practices are not obvious to everyone. And that is where accountability comes in: a supervisory authority worth its salt will challenge businesses, so that what is available on the internet is acceptable and citizens can make an informed choice.
“In short, people should be on their guard more. Big players should demonstrate to their customers that their personal information is safe with them, not least out of commercial interest. But you cannot leave it to entities to self-regulate. You need effective supervisory authorities as well.”
Can you outline the EDPS safe-use guidelines for the internet?
“This question comes a bit too early. We are preparing guidelines for different online issues, which will probably be available on our website in early 2014. Although these guidelines are primarily designed for use within the EU institutions, we would be happy to share them more widely if there is interest.”
The internet began as an unregulated phenomenon – is this light-touch stance sustainable now that technology has come to dominate the modern world?
“I do not believe in strict regulation of the internet but it is not exempt from existing legal rules either. Rules on privacy and data protection apply both on and offline. Some companies seem to assume that this is not the case and simply act like cowboys in the old far west. It is high time that they revisit their business cases, as some of their current practices are clearly unacceptable. This will inevitably lead to some confrontations and tough lessons in the near future.
“For instance – adoption of the new legal framework for data protection in the EU will allow the excessive tracking, tracing, monitoring and profiling of behaviour on the internet to be addressed more effectively than is the case now. This will also add more weight against current trends on the internet and begin to help restore more balance of interests and more trust in this environment.”