On March 12, the European Parliament adopted the Data Protection Reform Package and the report on the impact of mass surveillance programmes on EU citizens. These votes represent another crucial step towards protecting European right to privacy and the completion of the long-awaited reform proposed by the European Commission back in January 2012.
However, this reform process will only be as strong as its weakest links. Despite some improvements to the Commission’s initial proposal, the adopted text contains measures that undermine the strength of the overall Regulation. For example, the Regulation allows companies to process personal data and create user profiles (e.g. for marketing reasons) without individual consent, provided that the data remains pseudonymous. Although the European Parliament understands pseudonymous to mean ‘not directly related to you,’ the reality of the era of big data means that as few as two datasets, when analysed together, can easily determine an individual’s identity.
Under the Parliament’s version of the Regulation, companies can also process and utilise user data without consent if its within their “legitimate interest,” a vaguely defined term that gives permission to data controllers to share your information with “third parties.” Through this weak safeguard, the company must determine if its actions are in line with the user’s “reasonable expectations,” a phrase close to meaningless in our ever-changing digital environment. The opportunity to clarify and restrict the concept of “legitimate interest” that is already in the 1995 Directive has now been lost.
It is now up to the Council (the relevant ministries of the 28 Member States) to work toward the conclusion of an agreement, closing the remaining loopholes, in order to complete the Data Protection Reform by the end of 2014.
The completion of this reform took place at the same time as the adoption of the European Parliament’s report on mass surveillance. Drafted over the course of 15 inquiry hearings conducted by the European Parliament’s Civil Liberties committee (LIBE), the report looked into the impact of the surveillance programmes revealed by former NSA contractor Edward Snowden on the fundamental rights of European citizens.
The report includes a seven point action plan, a “European Digital Habeas Corpus” aiming to restore trust between the EU and the U.S. and guarantee more robust protections of EU citizens’ rights which have been undermined by mass surveillance programmes. In addition to the adoption of the Data Protection Reform by the end of 2014, the recommendations include the review of data transfer agreements between the EU and the U.S., such as the Safe Harbor Agreement, and the development of European IT technologies and capabilities.
Snowden has requested asylum from several E.U. member states, but has yet to receive a positive response. During today’s vote, the European Parliament rejected amendments that would have dropped the charges against Snowden and granted him asylum or refugee status. Snowden referenced this in his testimony, saying that, “Parliamentarians in the national governments have told me that the US, will not allow” EU partners to offer political asylum.”
Despite the failure of the Parliament to defend the person who brought the abuses to light, the vote for adoption of the report is an extensive defence of the privacy rights of all Europeans, and a rebuke to those who support mass surveillance. While the adopted report is non-binding, today’s vote also establishes a high level oversight group to ensure the implementation of the report’s recommendations by 2015, and the Parliament has agreed to meet in early 2015 to ensure that the recommendations are being implemented.
Edward Snowden’s testimony to the European Parliament:
Data Protection Reform info page:
After the NSA: LIBE Inquiry info page:
European Parliament vote on Privacy Regulation: Major Losses Obscure Gains:
(Contribution by Raegan MacDonald – Access)