The Rocky Road to “The Right to be Forgotten”

On 21st October 2013 the European Parliament’s Committee on Home Affairs voted in majority for the negotiating mandate for new basic data protection rights. 49 “yes” votes, 1 vote against and 3 abstentions was a clear vote in favour of improved data protection in the European Union. A small initial victory for Europeans in the struggle against the incessant lobbying of US internet giants Google and Facebook.

The European Parliament’s rapporteur Jan Philipp Albrecht (Member of European Parliament/MEP, The Greens/EFA) was decisively involved in the draft reform of the new basic data protection rights. He’s said to have been like the Ingenious Gentleman Don Quixote of La Mancha (novel by Miguel de Cervantes Saavedra) during the past two years. Albrecht’s contemporary “windmills” of the digital age are Facebook, Amazon, Google & co.

The vote in the Committee on Home Affairs was repeatedly postponed. The data protection reform would be one of the most extensive new legislations in the history of the EU. In the committee alone 3,133 amendments were submitted. The list of lobby groups who wanted and still want to influence the new legal principles of data protection in Brussels is long. In the past 14 months Albrecht and his team have met with 173 different interest groups and taken part in 73 different events on data protection across the continent. In a cross section of sectors involved in the meetings, the finance and insurance sectors (18.87%) and company and company groups (17.45%) were unsurprisingly by far the most prominent.

Titanic battle for internet business

Both the US economy and its political leadership are pulling out all the stops in this titanic internet business battle in order to prevent an intensification and standardisation of European data protection. Facebook deployed Erika Mann, a former MEP (1994 to 2009) who knows how the various EP committees tick, as head lobbyist in Brussels. The dominant US web players are even prepared to deliberately spread false reports. Time and again all manner of quite frankly false and ridiculous accusations are brandished against MPs: “The freedom of the internet is seriously under threat” if Europe brings its data protection regulations from 1995 up to the level needed in today’s environment.

The fact that in the mid-1990s there wasn’t even social media or smartphones is already reason enough for the reform. The last legal framework was formed when Mark Zuckerberg was just 11 years old. It’s left up to the member states as to how they implement these European data protection guidelines in their respective national laws. This has led to a proper patchwork quilt of interpretations as the 28 member states implement different data protection regulations based on these principles. In the context of this legislative scenario, companies such as Google and Facebook have logically located their European headquarters in Ireland where data protection is rather more negligently interpreted and practiced.

Data mining is the new gold rush

There’s a real gold digger atmosphere within US data mining. And with good reason – dealing with data is a lucrative business. Correctly compiled data from service users with their preferences and purchasing behaviour are gold dust for network operators and search engine providers. The proof is in the pudding – in 2012 the revenue generated by the worldwide internet advertising market rose by an unbelievable 16.2% to 99 billion dollars in comparison to the previous year. In the USA Google now earns more with advertising than all print newspapers and magazines put together.

With the plethora of digital tracks that we all leave behind us in the internet, the money is practically lying on the street. In 2011 the amount of digital information created and replicated worldwide exceeded 1.8 zettabytes (1.8 billion gigabytes). 75% of this information comes from private users of social networks and new media forms such as blogs. At the end of 2011 Facebook had 845 million active monthly users who shared a collective content of 30 billion information units (posts, photos, videos etc.).

In the light of “Big Data” the European advance is coming at the right time. Informational self-determination currently only exists in German constitutional law. Moving forward, this data ownership autonomy should apply across the whole European Union. In America privacy has a completely different value to in Europe. Zuckerberg regards privacy as something that’s gone out of fashion. In the USA people are only protected from state access with their own material possessions (house, car etc.). No one protects them from companies who, in a highly capitalist commercial economy, compile their personal data and with IT support aggregate this into profiles.

The new Europe-wide data protection regulation envisages a harmonisation of data protection standards. This should, in future, prevent “Forum Shopping” i.e. companies will no longer be able pick out those member states with the lowest standards for their office locations. The draft reform actually goes a step further in two directions: The standards in Europe apply to all, to both citizens of member states and migrant citizens. They therefore also apply to Europeans outside the territorial borders of the EU.

The right to be forgotten

The central points in the new data protection regulation are the right of deletion, information and correction (the right to be forgotten), the explicit consent for processing data and an improved transparency through service providers being required to provide information concerning the forwarding of data. In future, personal data from telecommunication and internet providers will only be allowed to be passed to criminal prosecution services in third countries based on the principles of European law or resulting law enforcement treaties with authorities in third countries. The regulation also wants to clearly determine what applies as personal data. Essentially, personal data encompasses all information that can be assigned to a person and that allows this person to be filtered out and identified from a mass of people.

Data protection enforcement

Of course a modern, functioning data protection regulation needs corresponding enforcement mechanisms to punish infringements. And these sanctions against violations need to be strict! Hence companies should have to pay up to 5% of their annual turnover if they fail to adhere to the law. For big companies this can reach into billions and will prevent the evasion of data protection rules simply being cynically calculated into business models.

Furthermore, the regulation envisages “Privacy by design” (by default) where offerings from service providers have to be as data minimalistic as possible. Only data absolutely necessary for the delivery of a service is allowed to be collected.

Brussels is also fighting for less bureaucracy. The appointment of data protection registrars will be determined by the amount of processed data and not by the number of employees.

A consistent law enforcement through European data protection surveillance similar to the EU banking supervision and a “one-stop-shop” approach for citizens for complaints (national data protection agency in the respective member state, arbitration processes before the newly founded European data protection committee) round off the reform.

Continuously qualify, modify and optimise

However, the road to the data protection regulation coming into force remains tricky. European institution experts doubt whether it will be passed before the European Parliament elections next spring. The US lobbying against the data protection reform will continue in full force. Not just MPs of the leading LIBE committee (Civil Liberties, Justice and Home Affairs) but also MPs of the ITRE committee (Industry, Research and Energy), IMCO (Internal Market and Consumer Protection) and JURI (Legal Affairs) are targets of the American interest groups. The European Parliament in its entirety should at least admit that the new policy needs to bring the outdated guidelines from 1995 into line with the modern IT environment1.

The next step involves an agreement in the council. This will also be difficult because many national politicians are already complaining about changes due to politics taking into consideration the economic interests of companies. Then there are the three way negotiations between the European Parliament, European Council and European Commission before the data protection regulation can put into action.

Extensive data protection standards have a significant impact on the usage of future technologies where trust is paramount. Cloud computing can only benefit from better and consistent standards in Europe. Nevertheless, it remains a fine line between the right to free information flow and the right to privacy. The final wording of the law must find a clearly and unambiguously weighted balance here. You could say that the whistle-blower revelations from Edward Snowden about the wheeling and dealings of the NSA came at the right time for Jan Philipp Albrecht for the formulation of the regulation. The unpleasant details about the tapping of German chancellor Angela Merkel and Brazilian president Dilma Roussef could lead to improved European data protection.

With an impassioned speech before the UN assembly the Brazilian head of state showed herself to be hell-bent on establishing a post-American internet age with a strong allegiance of trust with Europe. “The rights and security of a country’s citizens should never be founded upon the infringement of fundamental human rights of another country’s citizens.” In this respect the legal approaches in Europe and Latin America are not too dissimilar. With fibre-glass cables in its own country and to Europe Brazil also wants to technologically break the American hegemony in data traffic and build up a strong axis to the EU. “America sees entire populations and world regions from a purely political power perspective as data clusters. Its internet economy subordinates everything to the private pursuit of profit. The whole world is led to believe that America’s actions are an emancipatory blessing to the human race”, as formulated by Matthias Rüb, FAZ (Frankfurter Allgemeine Zeitung – German broadsheet newspaper) correspondent for Latin America2.

In future improved data protection, technological development and the strengthening of our own infrastructures must go hand in hand. Europe will go about this more quietly and diplomatically than the Brazilian president with her manifesto for a new internet. Tap-proof technologies are already present in Europe, such as the quantum cryptography developed by Professor Anton Zeilinger’s (Upper Austrian quantum physician) team at the Vienna Technology Academy. A European-wide breakthrough is just a matter of collective intent and will. This quantum leap in data security has long outgrown its infancy.

In Europe we have the unique opportunity to connect law and technology so that the trust of the economy and citizens in the virtual world can be fully restored.

1 Voss Report 2011
2 Frankfurter Allgemeine, 26.10.2013 (Article in German)