How do you balance the competing interests of personal data privacy with the rapacious appetites of big-data-fueled digital businesses? European data protection authorities are continuing to wrangle with this question, and have today published a joint declaration on the principles they believe are core to achieving a balance.
The declaration has been published by Europe’s Article 29 Working Party, the body comprised of data protection representatives from the individual Member States of the European Union, on the same day as a data governance forum being held in Paris to debate the challenges posed by the collection of vast amounts of digital data.
Speaking at the forum, French Prime Minister Manuel Valls was quoted by Le Monde asserting the importance of ensuring individual web users have privacy-enabling controls to safeguard their personal data in an ever-more connected age.
“Europe must make the protection of personal data an attractiveness and competitiveness argument. The user must be able to make choices on its own data with knowledge. This has a huge economic potential,” he said, making an economic argument for safeguarding privacy.
There is likely to be added pressure on Europe to soften its data protection standards at present — as part of behind-closed-doors negotiations on a proposed free trade agreement, the Transatlantic Trade and Investment Partnership (TTIP). That is coupled with ongoing lobbying from big U.S. tech companies which operate in Europe and so must play by European law — which states that the protection of personal data is a fundamental right — yet would really rather their businesses didn’t have to be so bound.
Which likely explains why the WP29 is making this declaration now. Subtext: hands off our fundamental rights.
Discussing TTIP in a recent interview with Le Monde, the chair of the WP29 and France’s data protection agency, the CNIL, Isabelle Falque-Pierrotin, warned that European safeguards for personal data could well be at risk as discussions over the trade agreement continue. “We know that Americans place a high value on the data and it is potentially an interesting subject for negotiation for them to monetize,” she is quoted as saying.
The WP29’s declaration also addresses this point, noting [emphasis theirs]: “The European level of data protection cannot be eroded, in whole or part, by bilateral or international agreements, including trade agreements on goods and services to be concluded with third countries.”
Speaking at today’s data governance forum Valls said data protection should be considered part of a grand human rights battle — a point made last month by Claude Moraes, chair of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, which conducted an inquiry into electronic mass surveillance of European Union citizens last year.
The WP29 also directly invokes the risk that increasingly complex data infrastructures created in the private sector, lacking sufficient supervision and privacy safeguards, lead to a “surveillance society”.
Its 15-point declaration reiterates the position that secret surveillance dragnets are not lawful under European law — and asserts they are also not acceptable under ethical standards, calling for “substantial and effective safeguards” to rein in surveillance states:
Access to personal data for security purposes is not acceptable in a democratic society when it is massive and unconditional. The conservation, access and use of data by competent national authorities must be limited to what is strictly necessary and proportionate in a democratic society. They must be subject to substantial and effective safeguards.
When it comes to privacy and commerce, the declaration calls for raising digital education standards so that web users are better apprised of their fundamental rights when it comes to their personal data and how it is processed.
The document notes:
The awareness and the rights of individuals must be strengthened to enable them to limit their exposure to the risk of excessive surveillance by public and private actors. Improving digital education, including data protection and the right to initiate collective legal action to denounce widespread violations of personal data are key steps in this perspective.
The declaration also skews towards preferring local storage of European data to ensure compliance with the region’s standards of data protection, although this is not an enforced requirement:
Given that public or private entities collect massive amounts of data providing precise information on the private lives of the individuals whose data are stored, they must organize the storage of these data in order to allow control by an independent European authority, compliance with data protection requirements. The storage of these data on EU territory is a means to facilitate the effective exercise of that control.
The declaration looks ahead to 2015, when the WP29 notes that a new regulation and a directive on data protection will be adopted. “In addition to contributing to the unification of the European digital market, these texts must ensure a high level of data protection to individuals, consistent with the values and rights fundamentals of Europe,” it adds.