The Battle for the Soul of EU Privacy
Published 13:58, 29 January 13
As I mentioned a couple of weeks ago, 2013 is already shaping up to be a year in which data protection is a key battleground. That's been confirmed by a flurry of stories around Data Privacy Day, which was yesterday in case you missed it.
For example, Mozilla had some good news on this front:
I’m very happy to share that Mozilla has been named the Most Trusted Internet Company for Privacy in 2012, according to a study performed by the Ponemon Institute.
Their findings were released today in celebration of an internationally recognized holiday that we at Mozilla look forward to as much as any bank holiday: Data Privacy Day. The study surveyed more than 100,000 consumers in the U.S., and after all the number crunching, Mozilla ranked highest in the Internet & Social Media industry. We also made it onto the top 20 list for all companies.
The post goes on:
This is certainly quite a distinction and the product of a user-centric philosophy implemented by contributors to the Mozilla project over the past decade. Engineers, UX designers, security, engagement, IT and privacy folks have made thousands of small decisions over the years that have collectively created the user trust reflected by this survey. This recognition is not something we sought, as we don’t view privacy as an end unto itself, but it’s greatly appreciated given all the complexities and nuances associated with privacy and security today.
Now, as readers of this blog will know, I'm a huge fan of Mozilla and grateful for all it's done to preserve openness in the online world. But I'm not sure how much should be read into being named "Most Trusted Internet Company." Here's how the survey was conducted [.pdf]:
Our Web-based research study asked respondents to name up to five companies in 25 different industries they believe to be the most trusted for protecting the privacy of their personal information. Our survey procedures also asked respondents to name one to five companies they believed to be least trusted when handling their personal information. Company names were not provided as a pull down list. The survey instrument allowed each participant to freely select the organizations believed to be most trusted for privacy.
There were two main Internet categories: eCommerce (where Amazon was the most highly-placed) and Internet & social media (which Mozilla won.) If you think about it, in the latter category, you have companies like Facebook and Google, which basically means people trust Mozilla more than those players - not hugely surprising.
What I found more interesting in the report was the background information. For example, the following commentary on a line graph:
The bottom line pertains to consumers’ sense of control over their personal information. The downward slope suggests that over time consumers perceive a loss of control over their personal information (from a high of 56 percent in FY 2007 to a low of 35 percent in FY 2012). The top line pertains to the importance consumers attach to their privacy (very important and important response combined). Despite a loss of control, the upward slope suggests privacy preferences have increased in importance for consumers over time (from a low of 69 percent in FY 2007 to a high of 78 percent in 2012).
So people feel that they have less control over personal information, even while it is becoming more important. That's particularly interesting because the respondents from this survey were all from the US, where privacy is supposed to be less of an issue than here in the EU, and where its protections are far weaker.
Actually, according to the United States Mission to the EU, this idea that privacy is protected less well in the US is nothing but a "myth" - one of five that is seeks to debunk [.pdf]:
The transatlantic privacy discussion is too often based on myths about the U.S. legal system - myths that obscure our fundamental commitment to privacy and the extensive legal protections we provide to data. Contrary to concerns raised by some, electronic data stored in the United States - including data of foreign nationals - receives protections from access by criminal investigators equal of greater than the protections provided within the European Union.
Fab; do tell us more:
Myth 1: The United States Cares Less about Privacy than the European Union
Reality: The United States was founded on - and its modern-day laws, regulations, and practices reflect - a core belief in the importance of protecting citizens from government intrusion. Our most important legal document - our Constitution - set forth, more than two hundred years ago, a Bill of Rights that provided protection from unreasonable searches and seizures, and that continues to protect privacy today, including the privacy of electronic communications. The United States and the European Union are united in our common values regarding the fundamental importance of privacy protections and our deeply rooted commitment to continue to safeguard these values in the digital age.
Well, I'm sure the beneficiaries of "extraordinary rendition" and torture in Guantanamo Bay might beg to differ somewhat about the "unreasonable seizures" bit, but leaving that on one side, let's hear from some US NGOs that also disagree [.pdf]:
The U.S. Mission to the European Union recently issued a document listing five alleged “myths” about privacy and law enforcement access to personal information in the European Union and United States. The document is an attempt to reassure Europeans who, hearing about laws such as the U.S.A. Patriot Act, are concerned about their data being accessed by the U.S. government. However, U.S. privacy laws are, in fact, far from adequate to protect Europeans’ privacy, and such concerns are entirely legitimate.
The United States Cares Less about Privacy than the European Union.
The U.S. mission insists that it’s a myth that “The United States Cares Less About Privacy than the European Union,” citing our “common values” and “deeply rooted commitment to safeguard those values.” While “values” and “commitments” are to be applauded, when it comes to concrete laws and institutions, the United States has the weakest privacy protections of any advanced western democracy:
The U.S. has no overarching law comparable to the European Privacy Directive.
The few sectoral laws we have in areas such as communications, financial, and medical privacy are weak and riddled with loopholes.
There are no independent privacy or data protection officials. Our “Privacy Officers" report to and work at the behest of their agencies’ directors.
The privacy protections of the Fourth Amendment to the U.S. Constitution have none of the sweep or force of the European declarations of rights such as the ECHR [European Court of Human Rights].
Current jurisprudence has largely failed to keep pace with new practices and technologies.
The rest of that document is well-worth reading, since it comprehensively debunks the purported debunking, and includes important areas like the (non-existent) privacy of EU citizens using US-owned cloud computing services. But the US Mission's document is just one part of a thoroughgoing campaign to neuter the data protection directive currently being considered in the EU. Here, for example, is part of a speech made by the US Ambassador to the EU, at Forum Europe’s 3rd Annual European Data Protection and Privacy Conference:
Differences between the EU data protection legislation and the U.S. privacy protection regime should not be allowed to hurt EU-U.S. trade and should not prevent businesses from developing their activities on both sides of the Atlantic. And this isn’t just about big multinational companies - we should be very careful not to limit the tremendous opportunities the on-line economy has to offer for small and medium-sized companies. These SMEs form the backbone of our economies and a source of jobs and income that communities in Europe and the United States rely upon.
Those "differences" are not minor details, but philosophical: the EU gives primacy to privacy considerations, the US regards business concerns as being paramount. The previous paragraph is a blunt statement that it wants the EU to do the same by bringing its rules more into line with those of the US. Remember, however, that Americans surveyed recently by the Ponemon Institute "perceive a loss of control over their personal information", so maybe they'd rather the US adopted the EU's tighter norms instead.
It is important to note that the United States and the EU already enjoy considerable cooperation on this issue. The U.S. - EU Safe Harbor Framework facilitates interoperability between the current U.S. and European data privacy systems. The value of this mechanism cannot be overstated. Since 2000, Safe Harbor has allowed thousands of American companies of all sizes to do business in Europe while committing to comply with the 1995 EU Data Privacy Directive.
This is rather telling, since the US - EU Safe Harbo(u)r Framework is actually part of the problem that the new EU Data Protection directive is trying to solve. The Framework is pretty much in the chocolate teapot class, since it relies largely on self-certification (what could possibly go wrong?) In an article defending the system, even the person responsible for the programme's administration was forced to admit:
In recent years, Safe Harbor has come under attack from a number of sources who believe the legal framework does not provide adequate protection for EU citizens. Allegations that organizations that self-certify compliance to the framework merely ‘check the box’, that the government provides no oversight to ensure compliance with the seven Safe Harbor privacy principles, and that there is no effective enforcement, have proliferated.
As far his rebuttal of these criticisms is concerned, Mandy Rice-Davies applies.
Interestingly, even US companies have piled into the general anti-Data Protection scrum. Here's Intel's director of security policy and global privacy officer offering his views:
There is much to applaud in the Commission's recently released proposed regulation. It avoids mandating specific technological solutions and attempts to help companies meet the challenge of doing business in various EU member states and around the world.
Yet there are also significant shortcomings in the proposal. To address these issues, the global business community took the unprecedented step of coming together under the auspices of the International Chamber of Commerce (ICC) to express concern that the current direction of the regulation would chill innovation and discourage investment in Europe.
Translated, this basically means that if the EU dares to place more emphasis on the privacy of the EU citizens than on the ability of US companies to make easy profits from exploiting personal data, the latter might take their toys and go home. Except they won't, of course, because the EU market is simply too important for them.
What's extraordinary is the ferocity of this broad-based current attack on the EU proposals. This clearly goes beyond simple lust for lucre, and is about a deeper clash of world-views. The US just does not want this privacy stuff spreading around the world, and it knows full well that if the EU takes this road, others may follow (damn those socialist/communist Europeans....)
Sadly, the European Commission has shown itself to be consistently supine in the face of US pressures - not quite in the the Tony Blair poodle class, but certainly at the labrador level - and so is likely to buckle under this mounting pressure. The good news is that the European Parliament's rapporteur for this area, Jan Albrecht, whose amendments to the data protection Regulation I wrote about earlier this month, is extremely able and keen to put up a fight for our privacy. We also have the useful precedent of the European Parliament standing up for EU citizens over ACTA last year, so there's hope it might do the same here too. Putting all that together, this means that if it weren't so important for us all, the imminent scrap over the soul of privacy in the EU would be rather entertaining to watch. Unfortunately, it is and so it won't be.