Europe's data protection supervisor told us why it should be a priority in the Commission's five-year strategy.
Peter Hustinx. Image: European Data Protection Supervisor
Over the past two days, members of the European Council have been discussing the future development of the EU: the “strategic agenda” laid out every five years around the election of the new European Parliament.
The agenda is broad, and most eyes are trained primarily on the appointment of the next EU president, expected to be Jean-Claude Juncker of Luxembourg. But one man is trying to shift the Council’s focus to a key point he thinks risks being insufficiently addressed: data protection.
Peter Hustinx is the European Data Protection Supervisor, and I spoke to him at the end of last week, ahead of the Council’s meeting. He had recently written a letter to current European Council president Herman Van Rompuy to emphasise the need for data protection in the EU’s mission for “freedom, security and justice.”
He acknowledged that the strategy should address only the most important matters over the next year, but wrote that he was “concerned that the Commission communications and the Council’s recommendations barely acknowledge the role of data protection in ensuring the EU’s activities are appropriate and proportionate.” He wanted the meeting to be used as an “opportunity for the Union to show its intention to restore trust in its capacity to effectively protect individuals.”
Hustinx told me that the guidelines his office saw before this week did not address data protection with sufficient emphasis, and that he thinks the issue should be considered of crucial importance in future discussions.
"We need to be on our toes, more active, to make sure this protection is integrated."
The full communiqué from the Council’s meeting is not yet available, but a leaked version of the paper under discussion seen by the Telegraph does include a brief mention of data protection. Under initiatives that “should be taken as a matter of urgency,” one point is to “ensure a balance between fundamental rights, including data protection, and law enforcement needs.”
That slippery middle ground has been a matter of great controversy this year in Europe. In April, the European Parliament annulled the Data Retention Directive—one that required member states to hold on to citizens’ telecommunications data for at least six months, so that law enforcement and security agencies could request access. But the European Court of Justice ruled that it was invalid because it interfered too much with citizens’ fundamental right to privacy.
This ruling, Hustinx said, was evidence as to the importance of data protection in meeting Europe’s standards for fundamental rights. “That doesn’t happen every week—the entire directive null and void,” he said. He suggested that if data protection had been considered more in the directive, it might not have been annulled, and said the incident pointed to the increasing importance of emphasising data protection.
“There is also the post-Snowden effect—you know what I mean—and the impact of far-reaching surveillance, and it means we need to be on our toes, more active, to make sure this protection is integrated,” he said.
The Council meeting in Belgium. Image: The Council of the European Union
It’s an interesting case study in terms of the blurry line between security and privacy, and it seems to reflect changing attitudes in that debate. Euractiv points out that the directive was introduced in the wake of September 11, when people were more inclined to emphasise security over privacy. As Hustinx alluded to in the comments above, that focus has shifted more in the direction of privacy concerns in the slipstream of allegations of mass surveillance leaked by Edward Snowden.
Maintaining that delicate balance is the emphasis of the one brief mention of data protection in the draft agenda. Not that Europe is unanimous on the issue. Earlier this week, the Guardian reported that the UK is still forcing telecoms to retain user data despite the overturning of the EU-wide directive.
But there are also other issues that have a data protection element, and Hustinx is keen to see these concerns addressed more broadly. A key goal is instituting new data protection regulations by 2015—a deadline that has already been pushed back.
As evidence for the necessity of the new framework, Hustinx pointed to another recent high-profile decision on data protection: the European Court’s recent ruling that Google must comply with the “right to be forgotten”, by giving people the opportunity to remove links to “irrelevant” content about themselves, which put Europe’s ideas of data protection on the international stage. The Independent reported just yesterday that Google has now started to remove some links at users’ requests.
Hustinx said that sent a strong message about reforms to data protection law. “It brought the search engine, which is based in the US, under the scope of European law,” he said. “That is anticipating the extended scope of the future framework.”
He said both cases illustrated the need for Europe to consider data protection a priority in its operations. “That’s why we are saying to the Council, if you set guidelines for the next five years, please include data protection.”