It has been more than six months since our last blog post on this topic, but it is quite striking to see that most the information within it is still up to date. We are now two years down the road since the Data Protection Regulation (DPR) has been published. Despite the upcoming European Parliament elections in May, not only is there no agreement in sight, but there is an increasing focus on how EU Data Protection laws could serve as a defense tool against “U.S. mass surveillance.” Are the original goals of the DPR being lost, and why is Europe undertaking this reform?
Following the European Parliament’s agreement in October 2013, the Council representing EU Member States has not made much progress since the discussions on the first four chapters of the Regulation under the Irish Presidency, which finished in June 2013. In fact, Member States have returned to discussing some of the fundamental principles of the DPR, including the “One-Stop-Shop” that is one of the proposal’s key innovations.
The Snowden revelations have added complexity to the situation by challenging EU policymakers and derailing discussions on international data transfers. Legal certainty for international businesses is unresolved, and there is more and more recourse to restrictions. This could make one wonder if the rules are being adapted to the current and future technological landscape rather than that of the past.
If opinions differ among policymakers on “who is to blame” for delaying the adoption of the text – from lack of political will from Member States, to too many legal loopholes in current Commission and Parliament texts, to intensive lobbying from industry – it sometimes feels like there is agreement that the DPR should be used to protect the EU from the NSA.
It is a fact that Europe is already a global trendsetter on privacy. Indeed, the EU has been able to export European data protection culture around the world. For example, the often criticized adequacy mechanism for international data transfers has led several countries around the world to follow the EU model. Other international transfer instruments, such as Binding Corporate Rules (BCRs) or the Safe Harbor, also oblige companies to go through a rigorous process and substantial investments to meet requirements. Improvements are nonetheless needed as technology develops further.
Assuredly, Snowden’s revelations cannot be ignored. Individuals’ right to privacy is non-negotiable and will remain a fundamental right in Europe. Nonetheless, is the primary goal of the DPR to address mass surveillance issues at the risk of making our policy framework too complicated, increasing legal uncertainty and therefore the burden on both citizens and companies? Or should the DPR ensure that Europeans are provided with a simple, workable and clear framework where rights are understood and obligations easily implemented so as to ensure full cooperation from public and private sectors?
Mass surveillance is a national, government-to-government issue. It cannot be solved by the EU on its own. In my view, it is time for nation states to start matching the new global reality with the knowledge economy and for partners and allies to stop “19th century” thinking. If the EU – which is in essence a post-modern entity – has a role to play, it cannot assert its political power counter to the technical realities of cross-border data flows in the 21st century. European companies live in this reality, and economic growth and jobs depend on it. Our governments and our European and American leaders must adapt, especially because EU-U.S. digital business can bring great benefits to citizens on both sides.
Last week, my mother was telling me how happy she was to have been able to purchase cheaper materials for her arts and crafts club on an e-commerce website in the U.S. (and also managed to complain on the Facebook page of her usual French online shop about their discount policies, and received an answer). These transactions are a part of the reality of today’s digital transatlantic market and I wondered, listening to this story, if we would not at the end of the day, disincentivize these types of businesses and hurt the interests of our own citizens should the DPR diverge too much from its original objectives.