The EU document proposes reforms to data privacy regulations to give individuals greater control over personal data collected by companies. It acknowledges that current regulations are outdated and do not address today's data practices. The proposed reforms aim to strengthen individual rights by requiring opt-in for data collection and use, data minimization by companies, and a "right to be forgotten." However, the document is criticized for not sufficiently addressing technical implementation details or conflicts with freedom of expression. The implications of the legislation could be significant globally as other regions may adopt similar regulations.
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
1st draft
1. [Title]
Introduction
It has become a widely accepted truism that the internet complicates international and
domestic public policy. One aspect of that is the availability and use of vast amounts of demographical,
biographical and usage information left behind by internet activity—often referred to as ‘big data’.
Along with the new importance of big data comes worries of surveillance, privacy, cyber-security, etc. In
Europe, these came to a head when they announced a directive in January 2012, proposing a right-to-
be-forgotten”, the idea that individuals deserve a say in the usage and effects of their online imprint.
There have been several official reports on the impact of data and technology, some predating the
internet. This brief analyzes one of those reports, the European Union (EU)’s communiqué to their
parliament titled, Safeguarding Privacy in a Connected World: A European Data Protection
Framework for the 21st Century of January 25, 2012 (henceforth, “the EU document”). The
analysis is presented to identify broader trends in European internet policy with a focus on data privacy.
This is an important communication policy that touches on issues of internet freedom, network access
and intellectual property rights. The findings in this brief can inform the interaction of American
business interests, and corporations, such as the US Chamber of Commerce (henceforth, "the
chamber"), in their interaction with the EU.
COM(2012) 9 : Key facts and proposals about the legislation1
The EU document begins by recognizing that “personal data has become an asset for many
businesses. Collecting, aggregating and analyzing the data of potential customers is often an important
part of their activities” (European Commission 2012, 2).2
The EU document acknowledges existing
1
‘COM(2012) 9 final’ is the official report number assigned to the official document by the European Commission.
2
The European Commission is the executive entity of the European Union (source: http://europa.eu/about-
eu/institutions-bodies/index_en.htm)
2. directives but notes that that there has been no update for today’s environment—the EU’s previous
treatment on personal data and its free movement (95/46/EC) was in 1995. Furthermore, that directive
was not uniformly applied across states, which is now necessary with a single European market. Lastly, it
is reported that both European citizens and businesses want comprehensive reform, with over 70% of
European internet users fearing for their personal data (European Commission 2012, 4).
The broad policy goal of these reform rules is to put individuals in control of their personal data
and to strengthen national data protection authorities so that they can implement those protections.
More specifically, the proposed reform in the EU document has the following goals:
an explicit requirement that obliges online social networking services (and all other data controllers)
to minimize the volume of users' personal data that they collect and process;
a requirement that the default settings ensure that data is not made public;
an explicit obligation for data controllers to delete an individual's personal data if that person
explicitly requests deletion and where there is no other legitimate reason to retain it. (European
Commission 2012, 5)
Concrete provisions for action promote individual control, data security & accountability,
facilitating a single market, synchronizing law enforcement and addressing other countries. Some
examples follow:
Facilitating individual control: Opt-in rather than opt-out mechanisms for data privacy agreements
based on and a mandated right to have data deleted if consent is withdrawn.
Data security and corporate accountability: Requiring that each large internet company of over 250
employees employ a senior data protection officer or legal requirements for privacy by design.
Consistent enforcement: laying down protection rules at EU level through a regulation directly
applicable in all member states to put an end to cumulative and simultaneous application of
different national data protection laws, and also further enhancing the independence an powers of
national data protection authorities with a requirement to oblige member states to provide
resources and facilitate that independence.
Law enforcement: Providing for a minimum harmonized criteria, and addressing rights of individuals
to be informed when police and authorities handle or access their data.
3. Background & Framework
Action items in the EU document are underpinned by certain assumptions about privacy. The EU
document emphasizes early that, “individuals have the right to enjoy effective control over their
personal information” (European Commission 2012, 2). Furthermore, data privacy is a fundamental right
in Europe which is enshrined in Article 8 of the Charter of Fundamental Rights of the European Union
and in Article 16(1) of the Treaty on the Functioning of the European Union. Europe is a trendsetter in
the area of digital privacy for consumers, and there privacy is a very heavily developed area of law
relative to the rest of the world. Europe has discussed data initiatives for a while, even in the 1990s
when the internet was very young. The prominence of individual privacy rights is part of efforts to
include internet policies into a broader European agenda.3
Emphasis on privacy data control by the individual can be understood as a philosophical
difference between- Europe and the USA who have different philosophical conceptions of privacy. In
the USA, privacy is about minimizing government interference in one's affairs, while in Europe it is about
one's public reputation (Whitman 2004). In Europe, dignity is elevated to the level of freedom and
equality as seen in how the EU charter’s first statement is that, “human dignity is inviolable. It must be
respected and protected” and in further early statements protecting even mental dignity (European
Union 2000).4
This confirms the preceding observation on the European assumptions and now privacy
data protections can then be understood as a matter of dignity. The elevation of dignity is seen in the
variety of libel and slander laws in Europe which protect reputation. 5
So there is a clash of world view
here in which American internet corporations and business interests as represented by the chamber
3
The Stockholm Program is a roadmap for EU work in the area of justice, freedom and security for the period
2010-14. (source:
http://europa.eu/legislation_summaries/human_rights/fundamental_rights_within_european_union/jl0036_en.ht
m)
4
Article I, Chapter I of the Charter of Fundamental Rights of the European Union.
5
OSCE has a comprehensive cataloguing of libel/slander in Europe that can be accessed at
http://www.osce.org/fom/41958.
4. would view right to be forgotten legislation as invasive, whereas European citizens might see the same
legislation as protecting against invasiveness.
As far as the framework from which the EU document is in, it can be categorized as what
international communication experts would refer to as a public-interest model . Communication policy
models are the foundation of understanding official legislation in the field . Understanding Europe as
operating in a public-interest model would reveal why Europeans approach legislation on
communication infrastructure to prioritize consumer and citizen rights over corporations, at least
relative to a liberal-market model. The public-interest model is premised on a communication policy for
the communal greater good and not just for private business entities (Venturelli 1998, 188-195).
Conversely, the liberal-market model is premised on a laissez-faire approach to communication policy in
which the market is allowed to operate with minimal government interference (Venturelli 1998). In the
EU document and other referenced work, even when reports and expert recommendations are
couched in language of entrepreneurship and free-markets, their solutions are based on supra-national
and centralized top-down solutions. Furthermore, there is always a justification that policies will simplify
the public sector (European Commission 2012, 12).
Policy Strengths
One area that the report is strong is that it addresses the concerns about regulation, arguing
why these regulations will reduce red tape and make operating in Europe easier. The EU document
pledges that in order to enhance the single market dimension of data protection, they would, “ lay down
data protection rules at EU level through a regulation directly applicable in all member states which will
put an end to the cumulative and simultaneous application of different national data protection laws,”
leading to private sector savings of € 2.3 billion annually or simplifying the regulatory environment by
drastically cutting red tape and doing away with formalities leading to net savings of € 130 million a year
5. in just of administrative burdens (European Commission 2012, 7). In identifying and offering concrete
savings available, they address opposing arguments usually raised by entrepreneurial business
advocates.
Under the reformed regulatory framework, the EU can make the case to customers that they
are promoting best business practices, and that a confidence in the integrity of their personal data can
be transferred to confidence in the operations of companies which is a good thing for the industry.
Citizen’s trust in a robust and EU regulatory regime then arguably becomes an asset for service
providers and an incentive for investors looking for optimal conditions when locating
Services—arguments which the EU document makes (European Commission 2012, 8).
Policy Gaps
Areas where the EU document is a little [weak] is in [the absence of technical details and
instruction], it’s nature as supranational document, addressing jurisdiction, and in its handling of
freedom of speech rights.
First, the technical aspect is unaddressed. A study presented to the European Network on
Informational and Security Agency on the eve of the unveiling of the EU document voiced such concerns
(Druschel, Backes and Rodica 2012). Second, there is an ambiguity between the EU as a supranational
entity and the authority if it’s member states. This comes out when consistent enforcement of data
protection rules across Europe are addressed; and also where some reforms for joint activity on use of
data in police and criminal justice cooperation seem to run afoul of those on data protection rules for
the digital single market. The EU document states that, “data protection requirements and safeguards
will be set out in an EU Regulation with direct application throughout the Union” yet “only the data
protection authority where the company has its main establishment will be responsible for deciding
whether the company is acting within the law“ (European Commission 2012, 7). It is unclear then, who
the ultimate enforcer is intended to be, with state-centric language in a supranational document. Third
6. is the problem of jurisdiction is another area which can be problematic and solutions are not really put
forth. For example the Supreme Court in Florida vs BFJF affirms free expression—states cannot pass
laws restricting the media from disseminating truthful but embarrassing information such as the name
of a rape victim as long as the information was legally acquired (Rosen 2012, 91, Florida Star v. B.J.F.
1989). This actually leads into the biggest lost opportunity
Towards the end of the EU document, assurances are made that other rights such as freedom of
expression and information, or right to conduct a business would be respected (European Commission
2012, 12). However, that is mentioned in passing, and no examples of situational conflicts are given like
they are for other areas of the legislation in the EU document. Those freedoms are the crux of the
argument against the right-to-be forgotten. That argument has been encapsulated by Jeffrey Rosen, an
influential US-based legal commentator that argued that, “although Redding depicted the new right as a
modest expansion of existing data privacy rights, in fact it represents the biggest threat to free speech
on the internet in the coming decade" (Rosen 2012, 8). Facebook says that, “The right to be forgotten
needs very careful consideration. As drafted it raises major concerns with the right of others to
remember and of freedom of expression on the internet “ (Facebook 2012); and Google is insisting that
they “support the right to be forgotten, and [we] think there are ways to apply it to intermediaries like
search engines in a way that protects both the right to privacy and the right to free expression” (Reuters
2012).This communication does not specifically address these freedom of expression concerns speech
which is a policy sector that forms the basis of all communication policy and law. Internet speech rights
are philosophically of such importance that even the United Nations has designated online expression
as a fundamental right (United Nations 2012). Due to the many interpretations of 'freedom of speech'
the EU document would have benefited from exploring the issue in more depth like it does with the
regulation issue.
7. Recommendations: Approaching the EU
To navigate this policy, the chamber and its constituents might do well to reach out to the
United Kingdom (UK), while at the same time bearing in mind European history and viewing Europe as
one entity.
To the extent that there may be crack in European unity it is from the British who may have
chosen to opt out of the right to be forgotten (Bowcott 2013). Efforts to stop the impending legislation
can therefore be channeled through the UK where the chamber and likeminded organizations would
find sympathetic interests to partner with. The UK has long had a historical special relationship with the
USA in which their global interests have usually aligned. Furthermore, the current timing is
advantageous as the UK is loudly talking about reassessing its relationship with the EU and proposing to
cede less power to them (Cameron 2013).
Conversely, in an admittedly contradictory approach to one targeting the UK, a helpful frame
could be to view Europe as one entity, rather than a collection of countries. From this perspective the
EU Document's proposed legislation need not be antagonistic to corporate interests. For two decades,
the EU has had spoken favorably about using market mechanisms as motive power and fostering
entrepreneurial mentality and a common regulatory approach and warning (High-Level Group on the
Information Society 1994, 3). However their solutions are premised on supranational action. For
example they have always recommended a union wide approach to legal security for privacy (High-Level
Group on the Information Society 1994, 3). This is because of their previously discussed communication
model, but from an economic perspective it highlights the importance of understanding the economic
self-interest motivations a one Europe and the political reality of a EU that wishes to project European
resolve in a world that is increasingly being dominated by the USA on the one hand and emerging
economies such as China on the other hand (Renard 2012). Essentially, it is not out of the question that
the EU is seeking to maximize economic gains, which means there is an opening to align interests.
8. In addition to the single market, identity and history matter and therefore a thorough
understanding of European history and the ideational forces that led to the creation of the EU should
also be kept in mind. Communication regulation happens via national political logics or mentalities of
governing meaning that, “the deployment of governmental power within specific political and cultural
contexts gives rise to different governance systems,” (Eko, Kumar and Yao 2011, 3). European internet
policies are historically and socially constructed.6 Although nationalism still exists, there has been a
social conception of a 'European identity' that has paralleled the political strengthening of the EU over
the years. This is again then can provide an understanding into why internet legislation is being
addressed at a supranational level (EU) rather than by individual countries. On a related note, looking
over at the net neutrality debate, one sees that overburdening regulation is not always the modus
operandi in Europe, and there the focus is on transparency . In Europe strict regulation of internet
service providers are avoided but replaced with requirements to provide full disclosure of network
management (Stover 2010, 80-81) This might explain the desire for opt-in (as opposed to opt out)
measures which US-based companies tend to oppose (Facebook 2012).
Conclusion: Global implications
Legislation proposed in the EU document will go in effect in 2014 pending European Parliament
approval. Brussels will be inundated with representatives and from various stakeholders edging for their
position. Convergence of issues and technologies ensure that the right to be forgotten has implications
for international relations. For one, other countries are looking to the EU for leadership, and there is a
good chance that whatever comes out of the EU will become a basis for how countries model their
legislation, from diverse areas like South Africa and the Middle East—and the legislation could even
influence US law (Kanter and Sengupta 2013, Shaffer 2000). Developments in the United States in June
6
the idea of "constructivism" from International Relations theory goes more in depth into how states' behavior and
global outlook is influenced by history, shared values, etc
9. of 2103 have brought data privacy and the ongoing transatlantic trade negotiations between the United
States and the EU have brought this issue to a head.7
Data privacy for example, will have to be discussed
in the context of the trade negotiations, and then there have been proposals of an internet tax. All these
issues are beyond the scope of this brief, they can be explored separately and are all issues that are
related to the ultimate resolution of data privacy online in Europe.
7
On June 5, 2013 The Guardian and The Washington Post reported that a top-secret US national security program
(PRISM) had direct access to servers of internet firms including Apple and Facebook (source:
http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data;
http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-
broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html)
10. Bibliography
Bowcott, Owen. "Britain seeks opt-out of new European social media privacy laws." The Guardian. April
4, 2013. http://www.guardian.co.uk/technology/2013/apr/04/britain-opt-out-right-to-be-forgotten-law
(accessed 5 2013, June).
Cameron, David. "Speech to the European Union." Transcript. London, January 22, 2013.
Druschel, Peter, Michael Backes, and Tirteria Rodica. The right to be forgotten - between expectations
and practice. ENISA, Brussels: , 2012.
Eko, Lyombe, Anup Kumar, and Qingjiang Yao. "Google This: The Great Firewall of China, the IT Wheel of
India, Google Inc., and Internet Regulation." Journal of Internet Law (Aspen Publisher Inc.), 2011: 3-14.
European Commission. Safeguarding Privacy in a Connected World: A European Data Protection
Framework for the 21st Century. Communication from the Commission to the European Parliament, the
Council, the European Economic and Social Committee and the Committee of the Regions, European
Union, Brussels: European Union, 2012.
European Union. "Charter of Fundamental Rights of the European Union." Official Journal of the
European Communities, 2000.
Facebook. "Facebook’s views on the proposed data protection regulation." europe-v-facebook.org.
March 30, 2012. http://www.europe-v-facebook.org/FOI_Facebook_Lobbying.pdf (accessed June 17,
2013).
Florida Star v. B.J.F. 491 U.S. 524 (US Supreme Court, June 21, 1989).
High-Level Group on the Information Society. "Recommendations to the European Council: Europe and
the global information society." Brussels, May 26, 1994.
Kanter, James, and Somini Sengupta. "Europe Continues Wrestling With Online Privacy Rules." New York
Times. June 6, 2013. http://www.nytimes.com/2013/06/07/technology/europe-still-wrangling-over-
online-privacy-rules.html?src=recg (accessed June 21, 2013).
Renard, Thomas. The European Union and Emerging Powers in the 21st Century: Hwo Europe Can Shape
a New Global Order. Surrey, England: Ashgate, 2012.
Reuters. Spain refers Google privacy complaints to EU's top court. March 2, 2012.
http://www.reuters.com/article/2012/03/02/us-eu-google-idUSTRE8211DP20120302 (accessed June 17,
2013).
Rosen, Jeffrey. "The Right to be Forgotten." Stanford Law Review , no. 64 (February 2012): 88-92.
Shaffer, Gregory. "Globilization and Social Protection: The Impact of EU and International Rules in the
Ratcheting up of US Data Privacy Standards." Yale Journal of International Law, Winter 2000.
11. Stover, Christine M. "Network Neutrality: A Thematic Analysis of Policy Perspectives Across the Globe."
Global Media Journal 3, no. 1 (2010): 75-86.
United Nations. The promotion, protection and enjoyment of human rights on the internet. UNHCR, New
York: United Nations, 2012.
Venturelli, Shalini. Liberalizing the European Media. New York: Oxford, 1998.
Whitman, James Q. "The Two Western Cultures of Privacy: Dignty versus Liberty." The Yale Law Journal,
2004: 1151-1221.