Data protection: One law should cover EU, governments and private sector

DISCLAIMER: All opinions in this column reflect the views of the author(s), not of EURACTIV Media network.

The biggest threat to European citizens’ privacy is posed not by companies, but by governments, according to Digital Europe’s director-general. The US Prism scandal has highlighted the potential for governments to snoop on individuals, which makes it even more important that neither the EU institutions nor other government bodies should be excluded from new data protection rules.

John Higgins is director-general of Digital Europe, a federation representing large and small technology companies. He is a board member of Britain's e-skills council and of the council of the University of Warwick. In 2005 he was awarded Commander of the British Empire (CBE).

"Why does the European Commission propose excluding itself from its new data protection regulation, when Justice Commissioner Viviane Reding claims the law will defend European Union citizens' fundamental right to privacy?

The revelations about US government surveillance of people's electronic communications highlight two important facts: first, that the single biggest threat to citizens' privacy is surveillance by governments, not by companies; and second, that no government office should ever be above the law.

The Prism-gate story that has filled newspapers over the past ten days exposes two serious flaws in Europe's attempt to modernise its data protection regime. First is the proposal to exclude EU institutions from its scope, and second, the separation of security issues under a proposed directive from the main privacy questions covered in the regulation.

EU institutions are excluded from the existing data protection law – a directive passed in 1995. A special law was passed for the EU bodies in 2001, which mirrors the directive. It took six years to bring the EU institutions into line with everybody else but better late than never.

However, technology – and EU laws – have moved on since then. In 2009 the EU passed the so-called cookie law (the e-privacy directive), which forces all websites in the EU to ask users before downloading tracking cookies on their computers.

All except the EU institutions, that is. Any EU websites you visit are at liberty to track your web browsing activity using the very latest data analytics tools without informing you, according to a report on EURACTIV. There are apparently plans to bring the EU into line with the e-privacy directive, but no legislation has thus far been proposed.

Reding proposes a similar approach for the new data protection regulation: a separate law for the EU institutions to follow sometime after its entry into force. But she has failed to explain why the EU needs a separate law, or how long it will take to adopt.

In the current climate of fears over government surveillance of citizens' data the Commission must be more transparent on these questions.

Instead, Reding is confusing matters further by linking Prism-gate to her attempts to push through her data protection regulation. Isn't the accompanying directive addressing data processing of law enforcement authorities the correct legal vehicle to deal with the type of surveillance practices revealed in recent weeks?

If it's all connected, as Reding seems to imply, then why are these two legal proposals kept separate?

The debate over the shape of the new data protection law has become heated. Most member states are opposed to the EU exclusion. Some are demanding a similar exclusion for their own public sectors.

More broadly, many countries oppose the overall approach of the proposed regulation, and are calling for a more hands-off approach.

Meanwhile, companies both big and small from all industries, as well as the scientific and medical research communities, are unhappy with the proposed regulation, for the same reasons given by the governments of countries including Germany, the Netherlands and the United Kingdom, and by the dissenting voices from within the Commission itself.

Supporters of Reding's proposal misleadingly claim that the critics are just US tech firms trying to dumb down European privacy laws for their own bottom line advantage.

Technology firms including ones based in the US do have legitimate concerns about the proposed legislation, but they are not the only ones criticising the proposed legislation. In the past few weeks European SMEs from the catering industry and European academics have added their voices to what has become a chorus of opposition to the shape of the proposed regulation.

Last week Business Europe, which represents European employers from every industry, wrote to Irish justice minister Alan Shatter calling on him and the other justice ministers to intervene to make the proposed data protection law more balanced – respecting citizens' privacy while at the same time not over-burdening companies with costs and red tape.

A few days after the Prism-gate story broke Reding said that a clear legal framework for the protection of personal data is not a luxury or constraint but a fundamental right.

Digital Europe agrees with that wholeheartedly. Whatever the final version of this law will look like, it must apply to all actors who process personal data, from both the private and the public sector, including the EU institutions. No one should be above the law."
