The US Department of Homeland Security attaché to the EU, Erik Barnett, said in January that no one should be allowed anonymity online. He wants everyone to be easily identifiable, but having a digital license plate is more like having government surveillance in our bedrooms. We hoped that the EU would rule differently when it reviewed a proposal regarding the protection of user data online. They did just that last Thursday when they ruled in favor of the major reforms in the General Data Protection Regulation (GDPR). These data protection reforms have been in the works for more than four years now, and will take effect two years from now. The Data Protection Directive might be a different story, but the GDPR ruling is a great victory for Internet privacy, especially during a time when the US government is fighting to take it away by attacking encryption.
General Data Protection Regulation
The General Data Protection Regulation (GDPR) was penned with the aim of giving EU citizens more control over their own data. By doing this, the European Parliament believes that people will get better privacy protection and businesses will benefit from the improved standards.
First, the GDPR will guarantee that people get more information about the processes that their personal data undergoes when it is handled by companies. It states that this data must be secured by default on any services and products, by systems that are designed to preserve privacy. This is not going to be popular with companies like Facebook and Google that rely on user data for revenue, but they are not going to have much of a choice.
Second, personal data must be easily moved to and from different online services, protecting it from being kept on servers long after users have stopped using certain online accounts. This also prevents businesses from transferring and using personal data for other purposes without explicit permission. The right to be forgotten is also confirmed and clarified. Any company that experiences a data breach that affects the personal data of users will furthermore have to report the situation to national supervisory bodies and users must be informed so they can take steps to protect their data.
Third, data protection authorities are given the power to slap fines on non-compliant companies of as much as 4% of their global earnings. For the tech giants, this can amount to billions of euros for failing to protect EU citizens’ personal data. Businesses in the EU will at the same time greatly benefit from the standardization of data protection. Particularly small to medium-sized businesses will no longer be burdened by having to work their way through the maze of 28 different regulations, having to manage records of all their data processing activities, and maintaining a data protection officer for compliance.
Establishing rules that put the power to decide back in the hands of the people is a striking contrast to how the US wants to handle online data. EU citizens will soon be able to exercise their right to decide on matters concerning their private data while the US is still pushing for the right to access all US citizens’ private data. We think that the US can learn a lot from how the EU has chosen to handle the issue of data privacy. People will never willingly give up rights that they have already enjoyed, and many will find ways to fight against any moves to take them away. We have seen this in how tech companies have fought against government demands and how people build and buy technologies like personal VPNs to take back control over their privacy when the government so obviously no longer respects it.
Data Protection Directive
Some privacy groups do not agree with the EU Data Protection Directive, but its basic aim seems genuine enough. The rules define how law enforcement and the justice system can use personal data while respecting privacy rights.
First, the directive sets rules to protect the personal data of anyone involved in a criminal investigation, which includes witnesses, suspects, and victims. This impartiality with regard to the basic right to privacy shows us that the presumption of innocence, a key principle in the Universal Declaration of Human Rights, is taken more seriously in the EU that it seems to be in the US.
Second, the rules for law enforcement define how these authorities will be allowed to share data productively and practically. The European Commission aims here to give authorities a better chance at crime prevention where the facts of the case are clear and without violating the EU Charter of Fundamental Rights. Law enforcement agencies in all EU member countries have two years to update their legal frameworks to be fully compliant by the time the directive takes effect.
But What About the Passenger Name Record (PNR) Directive?
We applaud the EU’s decision to uphold user rights in the digital age rather than trying to use now ineffectual laws to greedily grab at data that should, in spirit, remain protected. How the Data Protection Directive will be used, on the other hand, remains to be seen. We acknowledge the risks of abuse, particularly regarding the data sharing aspect of the directive. These risks are pronounced in light of the Passenger Name Record (PNR) Directive that was approved on the same day.
The PNR Directive was rejected three years ago by the European Parliament, but has now passed scrutiny. This directive permits the authorities to begin collecting and storing the personal data of any traveler not only to and from the EU, but within the union as well. This promises to be a huge database, and thus promises to be a huge privacy concern as well. The potential for abuse and profiling is staggering, not to mention the risk of data theft that can greatly harm billions of people. It confuses us that such a rule could be passed alongside the GDPR, especially since it is meant to be a security measure but cannot realistically ensure security. What it can do easily is allow the authorities to maintain a tremendous store of personal data that will be kept for up to five years. We remain hopeful, however, that the basic rights of EU citizens will be upheld, and that of non-EU travelers as well, in this potentially massive database.
