Data Protection Debates: Week 8

I have generally tried to stay away from EU Science and Technology Policy issues since that is the  focus of TP3 in Easter term, but following on the DG-Connect talk, some of the legal and policy questions we touched on in Nick Ashford’s classes about access to information, and the many, many NSA revelations, it seems difficult to ignore questions of data protection, so I thought our last blog of term should focus on recent EU moves in this area.  The most recent policy document by the EU Commissioner VIviane Reding recommends 13 changes as part of a major new initiative at  ‘rebuilding trust in EU-US data flows‘ as a result of the Snowden leaks, the PRISM programme and a seemingly-endless string of news stories over data of private citizens being compromised.  Underlying the discussions is the view among many in Europe articulated by a Dutch MEP that “We are an economic giant and we behave like a political midget“.  Ultimately, that bastion of smooth legislative functioning, the US Congress, is being asked to address EU concerns by mid-2014 with the somewhat explicit threat that the EU would withdraw from or suspend the agreement, which would impose significant difficulties for US firms operating in the EU and collecting any sort of data from EU citizens. The Commission has, however, ruled out pushing for tougher data protection rules as part of wider US-EU trade talks.

By way of background, in 2000, the Commission adopted its so-called “Safe Harbour decision”, recognising US Safe Harbour Privacy Principles as ‘providing adequate protection for the purposes of personal data transfers from the EU’ and thereby allowing free transfer of personal information from EU Member States to companies in the US which have signed up to the Principles in circumstances where the transfer would otherwise not meet the EU standards for adequate level of data protection given the substantial differences in privacy regimes between the two sides of Atlantic.  Although firms agree to these arrangements on a voluntary basis, the rules are legally binding for any firm that signs up to the Safe Harbour terms. Firms are required to a) Issue transparent corporate privacy policies; b) Incorporate Safe Harbour principles into their privacy policies, and 3) Enforce these provisions.

In parallel to the debate over Safe Harbours is a new EU Data Protection Regulation that was first issued as a draft for consultation in 2012.  Subsequently the draft provisions needed to considered by individual member states.  The UK Parliament’s Justice Committee considered the matter in late 2012 for which Government then issued its own response. Both the Government and the select committee highlight the problem with what they perceive as the overly prescriptive nature of the EU draft regulations that does not allow individual national circumstance to be taken into account.  There is a recognition that the EU has an important role to play in ensuring a level playing field and harmonising regulations across countries but there is a limit to the tolerance for specific interventions.  Part of the tension, of course, is that the UK has its own Data Protection Act (based on 8 key principles only one of which involves Safe Harbours) which operates in a different manner from that proposed by the European Commission. More widely though there have been many disagreements across the EU on the issue of a new directive and there remains an impasse on the question with debates centred around how to anonymise data, with the European Parliament seeking a much tougher line than the Commission. Potential penalties for non-compliance are huge, amounting to up to 5% of annual turnover.

This very brief review gives you some sense of the challenges for the UK (or Sweden of the Netherlands or France) to design its own data protection rules since it is linked not only to EU decisions but to US policy.  How can the tensions between Commission and EU Parliament, between member states and the EU, and between the EU and US be reconciled? Will the US accede to EU requests for changes in Safe Harbour provisions and the way data is handled allowing for EU citizens to be treated in a manner similar to US citizens?  Is there any evidence that as a result of these revelations that the EU is no longer a ‘political midget’?

Aside from all the publicity over the Snowden leads, is a technology-rich issue affecting international trade and competition like data protection more difficult for nations to resolve than more conventional trade matters? If so, why?