I have uploaded my final report synthesizing the information that I have been exploring over the past few weeks.
This policy brief is an overview of the European Union’s proposed policies on digital privacy as announced on January 25, 2012. It has been prepared for the benefit of US business interests as represented by the US Chamber of Commerce
The brief provides the following information:
- Key facts and goals of the proposed legislation.
- Assumptions that may have shaped the way proposed legislation is framed.
- A brief assessment of the proposed legislation’s strengths and its policy gaps.
- A few suggestions for how an entity like the US Chamber of Commerce can engage with Europe on this matter.
I hope that the report will be useful, and I welcome any comments and feedback. Although it is my final report on this particular topic, it is certainly not the end of the blog, and I will continue to share my thoughts on various issues related to international affairs, culture, social media, and other technology related news.
In a about a week I will post a short policy brief , which will be an assessment of EU internet policy relating to data privacy.
I will be focusing on one of the documents published on January 25, 2012 when the new data directive was officially unveiled. I will specifically examine the communication by the European Commission to the European Parliament and Council; and I will make the subject official document available (it’s public domain). Meanwhile, the European Union’s rationale for the urgency of reform in this area can be seen in this factsheet .
To follow the report, it would also help to reiterate again exactly what is meant by “the right to be forgotten”. That phrase is actually not mentioned in the official document that I will review, and it is a phrase that really has caught on from analysts and media. However, it’s meaning was first articulated by Commissioner Viviane Redding, who is Vice-President of the EU’s European Commission and in charge of Justice, Fundamental Rights and Citizenship. on January 22, 2012 she stated that, “If an individual no longer wants his personal data to be processed or stored by a data controller, and if there is no legitimate reason for keeping it, the data should be removed from their system”
The legal foundation of such thinking can be found in French law which recognizes le droit a l’oubli i.e. a right to oblivion. It serves the function of for example allowing rehabilitated criminals to object to publication of evidence of their conviction.
The French legal conception of the right to oblivion can be accessed on Wikipedia (in French):
Redding’s 2012 statement to the press can be read in full on the EU site:
The ‘cultural exception‘ spat between the United States and France is getting most of the attention in the imminent EU-USA transatlantic trade negotiations–known as the Transatlantic Trade & Investment Partnership (TTIP). However, lookout for data, especially in light of the PRISM revelations, this is something else that could derail the trade talks. From the Financial Times:
“With all the information we’ve found out in recent days about how easily the US spies on people’s private data I think it will be difficult for the Americans to oppose a strong data protection agreement,” said Hannes Swoboda, leader of the socialist members of the European parliament.
“This issue is very critical for us in Europe . . . there will be growing resistance against an agreement with the US unless there are some clear guarantees form their side that our European principles of data protection are respected.”
Given France’s current hardline stance on cultural representation in the media, the Obama administration might be able to offer some concessions by acquiescing to some of the European concerns on internet data privacy policies.
The latest chatter in internet policy circles is the PRISM story. PRISM is an alleged program in which the US National Security Agency obtained direct access to the systems of Google, Facebook, Apple and other large internet companies. All the internet companies have denied knowledge of the program (although there is speculation that even if they knew, they legally can’t admit it).
In the context of the current study I’m working on, I was curious to see what the European reaction to this would be, and the New York Times indicates that they are worried:
Privacy is an emotional issue in Europe, where memories of state-sponsored snooping by communist and fascist regimes still linger.
Privacy is an emotional issue in Europe, where memories of state-sponsored snooping by communist and fascist regimes still linger. And so the revelation Thursday that the U.S. National Security Agency had obtained routine access to e-mail, Web searches and other online data from many of the biggest U.S. Internet companies — whose users stretch far beyond U.S. shores — prompted hand-wringing about America’s moral authority.
“If the U.S. complains about foreign governments spying and then it turns out it is doing the same thing — well, what are you complaining about?” said Yaman Akdeniz, a law professor at Istanbul Bilgi University in Turkey, where anger over restrictions on civil liberties has fueled anti-government protests.
European privacy advocates said Friday that the disclosure of Prism could bolster the push for stricter data protection in the new laws, including a proposed “right to be forgotten,” which would let Internet users scrub unflattering online references to themselves.
There is that “right to be forgotten” being mentioned again. PRISM is the sort of thing that I imagine Europeans would think vindicates their position. Here is the German Chief Data protection public official, giving voice to European worries:
“The U.S. government must provide clarity regarding these monstrous allegations of total monitoring of various telecommunications and Internet services,” said Peter Schaar, German data protection and freedom of information commissioner.
“Statements from the U.S. government that the monitoring was not aimed at U.S. citizens but only against persons outside the United States do not reassure me at all,” he said.
I for one cannot imagine that such news would give leverage to Silicon Valley organizations lobbying in Brussels against stringent internet data protection legislation.
I just yesterday finished a policy review (Network Neutrality A Thematic Analysis of Policy Perspectives Across the Globe by Christine M. Stover) for a discussion with some fellow students on internet policy. Although the paper reviewed net neutrality, which is not what I am covering specifically in my summer research, I think [authors] talk about it in a way that can apply to attitudes on ‘the right to be forgotten’ and other data protection issues on the internet.
In the article, Stover propose four models of approaching net neutrality:
- legal regulation: Where governmental agencies can oversee and impose rules on businesses that offer internet, such as under debate in the USA.
- transparency: Where ISPs are given free reign, except that there are requirements for transparency and up-front disclosures, such as in the EU (Incidentally, the EU today hinted at new net neutrality approach ).
- non-neutrality: Complete freedom for internet providers, such as South Korea.
- government control: Government has complete control, such as China.
This is just Stover’s take, but I would be interested in seeing how this might apply to the EU document on data policy that I will analyze. This type of information that organizations wanting to operate on the internet globally in any capacity would find useful.
As far as internet privacy, everyone uses similar language and appears to want the same end goal. Firms like Google and Facebook are arguing that they are supportive of principles of digital privacy like what Europe is advocating. US-based experts argue that there are many laws in place that amount to online privacy. Is the issue a philosophical one? Here are some statements to see if any assumptions can be identified:
Ultimately, responsibility for deleting content published online should lie with the person or entity who published it. Host providers store this information on behalf of the content provider and so have no original right to delete the data. Similarly, search engines index any publicly available information to make it searchable. They too have no direct relationship with the original content.
Speaking yesterday at a conference on digital privacy taking place in London, Facebook’s Simon Milner, director of public policy in the UK and Ireland, said: “The right to delete your online data is an important one, the right to erasure is a key principle. However, the right to be forgotten… raises many concerns with regard to the right of others to remember and to freedom of expression. It is important this can be implemented in practice, but as drafted the current proposal risks introducing measures which are both unreasonable and unrealistic.
EU is not impressed:
Reding added: “The European rules [will] apply to every company … which operates in the internal market. The EU is a large market with 500 million citizens. If you want to take advantage of this goldmine, then apply the rules. Facebook and such providers like the one-stop shop. They like the fact that the rules are the same everywhere. There’s no opt-out. This is an internal market regulation. It’s a decision that will be taken by majority rule.”
Viviane Reding, the EU justice commissioner, said: “At present a citizen can request deletion only if [data is] incomplete or incorrect. We want to extend this right to make it stronger in this internet world. The burden of proof shall be on the companies. They will have to show that data is needed.”
So first we see how privacy is not being discussed in isolation, with other rights such as freedom of expression being invoked by Facebook, Incidentally, this freedom of expression online was affirmed by the United Nations in 2012, with online expression being declared a human right. For Google, they emphasize individual responsibility and ‘ownership’ being emphasized by Google. Second are different views on the relationship between businesses, enterprises and the government. Reding’s frame is that the individual should be protected from unreasonable private sector practices. That businesses should conform to US Law.
A 2004 report published in The Yale Law Journal explores the philosophical conceptions between privacy in Europe and USA. The argument presented is that, “American law shows a far greater sensitivity to intrusions on the part of the state, while continental [European] law shows a far greater sensitivity to the protection of one’s public face.” (my emphasis)
My initial reaction to this is that while American’s may be hostile to state involvement, there is a tendency to enable contract law. One can read about this in detail in the book Liberalizing the European Media, by Shalini Venturelli, Professor of International Communication at American University. In one of her chapters, Venturelli details how privatization of law, state, constitutional law and public goods have forced the balance of content regulation regimes heavily in favor of pre-political contract law as favored by global corporations. Efforts at legislating a right to be forgotten might be a potential schism in the intellectual property rights regime between European legislators, and powerful US-based multinational corporations (along with their sympathetic American legal intelligentsia) –at least as far as data privacy is concerned.
My last post introduced an idea of ‘big data’ and Kenneth Cuckier, Data Editor of The Economist has a nice succinct summary of what big data is.
Two takeaways: 1.Things that used to be informational, are now becoming data, that is digitized and trackable. 2. Information can increasingly be used for secondary purposes beyond their original intended intent.
Big data tends to be thought of on a large scale, evoking images of ‘Big Brother’, and an Orwellian surveillance state. This matters at the individual scale, which is what EU legislation on individual rights is concerned with, because it is individual actions that create this big data. Big data is basically a collection of my clicks, my status updates, your online purchases, your online flame wars on message boards, etc.
Cukier is author of the book, Big Data: A Revolution That Will Transform How We Live, Work and Think.