This policy brief is an overview of the European Union's proposed policies on digital privacy as announced on January 25, 2012. It has been prepared for the benefit of US business interests as represented by the US Chamber of Commerce
2024: Domino Containers - The Next Step. News from the Domino Container commu...
Â
EUROPE'S RIGHT TO BE FORGOTTEN: AN OVERVIEW OF THE EU'S PROPOSED DIGITAL PRIVACY POLICIES
1. EUROPE'S RIGHT-TO-BE-FORGOTTEN
by
William A. Nyikuli
June 28, 2013
This policy brief is an overview of the European Union's proposed policies on digital privacy as announced
on January 25, 2012. It has been prepared for the benefit of US business interests as represented by the
US Chamber of Commerce
The brief provides the following information:
ï Key facts and goals of the proposed legislation.
ï Assumptions that may have shaped the way proposed legislation is framed.
ï A brief assessment of the proposed legislation's strengths and its policy gaps.
ï A few suggestions for how an entity like the US Chamber of Commerce can engage with Europe
on this matter.
2. Introduction
It has become a widely accepted truism that the internet complicates international and
domestic public policy. One aspect of that is the availability and use of vast amounts of demographical,
biographical and usage information left behind by internet activityâoften referred to as âbig dataâ.
Along with the new importance of big data comes worries of surveillance, privacy, cyber-security, etc. In
Europe, these issues came to a head when they announced a directive in January 2012, proposing a
right-to-be-forgotten, the idea that individuals deserve a say in the usage and effects of their online
imprint. There have been several official reports on the impact of data and technology, some predating
the internet. This brief analyzes one of those reports, the European Union (EU)âs proposal to their
parliament titled, Safeguarding Privacy in a Connected World: A European Data Protection Framework
for the 21st Century of January 25, 2012 (henceforth, âthe EU documentâ). 1
The analysis is presented to
identify broader trends in European internet policy with a focus on data privacy. This is an important
communication policy that touches on issues of internet freedom, network access and intellectual
property rights. The findings in this brief can inform the interaction of American business interests and
corporations, such as the US Chamber of Commerce (henceforth, "the chamber"), in their interaction
with the EU.
COM(2012) 9 : Key facts and proposals about the legislation
The EU document begins by recognizing that âpersonal data has become an asset for many
businesses. Collecting, aggregating and analyzing the data of potential customers is often an important
part of their activitiesâ (European Commission 2012, 2).2
The EU document acknowledges existing
directives but notes that that there has been no update for todayâs environmentâthe EUâs previous
treatment on personal data and its free movement (95/46/EC) was in 1995. Furthermore, that directive
was not uniformly applied across states, which is now necessary with a single European market. Lastly, it
1
âCOM(2012) 9 finalâ is the official report number assigned to the document.
2
The European Commission is the executive entity of the European Union (source: http://europa.eu/about-eu/institutions-
bodies/index_en.htm)
3. 2
is reported that both European citizens and businesses want comprehensive reform, with over 70% of
European internet users fearing that their personal data is accessed by other parties without
authorization (European Commission 2012, 4).
The broad policy goal of these reforms are to put individuals in control of their personal data
and to strengthen national data protection authorities so that they can implement those protections.
More specifically, the proposed reform in the EU document has the following goals:
ï· an explicit requirement that obliges online social networking services (and all other data controllers)
to minimize the volume of users' personal data that they collect and process;
ï· a requirement that the default settings ensure that data is not made public; and
ï· an explicit obligation for data controllers to delete an individual's personal data if that person
explicitly requests deletion and where there is no other legitimate reason to retain it. (European
Commission 2012, 5)
Concrete provisions for action promote individual control, data security & accountability,
facilitating a single market, synchronize law enforcement and address other countries. Some examples
follow:
ï· Facilitating individual control: Opt-in rather than opt-out mechanisms for data privacy agreements
and a mandated right to have data deleted if consent is withdrawn.
ï· Data security and corporate accountability: Requiring that each large internet company of over 250
employees employ a senior data protection officer, and also legal requirements for privacy by design.
ï· Consistent enforcement: Laying down protection rules at EU level through a regulation directly
applicable in all member states to put an end to cumulative and simultaneous application of
different national data protection laws, and also further enhancing the independence and powers of
national data protection authorities with a requirement to oblige member states to provide
resources and facilitate that independence.
ï· Law enforcement: Providing for minimum harmonized criteria, and addressing rights of individuals
to be informed when police and authorities handle or access their data.
Background & Framework
Action items in the EU document are underpinned by certain assumptions about privacy. The EU
document emphasizes early that, âindividuals have the right to enjoy effective control over their
personal informationâ (European Commission 2012, 2). Furthermore, data privacy is a fundamental right
in Europe that is enshrined in Article 8 of the Charter of Fundamental Rights of the European Union and
4. 3
in Article 16(1) of the Treaty on the Functioning of the European Union. Europe is a trendsetter in the
area of digital privacy for consumers, and the issue of privacy is a very heavily developed area of law
relative to the rest of the world. Europe has discussed data initiatives for a while, even in the 1990s
when the internet was relatively new. The prominence of individual privacy rights is part of the EUâs
efforts to include internet policies into a broader European agenda.3
Emphasis on data control by the individual can be understood as a philosophical difference in
American and European conceptions of privacy. In the USA, privacy is about minimizing government
interference in one's affairs, while in Europe it is about protecting one's public reputation (Whitman
2004). In Europe, dignity is elevated to the level of freedom and equality as seen in how the EU
charterâs first statement is that, âhuman dignity is inviolable. It must be respected and protectedâ and in
further early statements protecting even mental dignity (European Union 2000).4
This confirms the
preceding observation on European privacy assumptions and hence privacy data protections can then be
understood as a matter of dignity. The elevation of dignity is seen in the variety of libel and slander laws
in Europe which protect reputation. 5
Therefore, there is a clash of world views in which American
internet corporations and business interests, as represented by the chamber, would view the right-to
be-forgotten legislation as invasive, whereas European citizens might see the same legislation as
protecting against invasiveness.
As far as the EU documentâs framework, it can be categorized as what international
communication experts would refer to as a public-interest model. Communication policy models are the
foundation of understanding official legislation in the field. Understanding Europe as operating in a
public-interest model would reveal why Europeans approach legislation on communication
infrastructure prioritizing consumer and citizen rights over corporations, at least relative to a liberal-
3
The broad agenda is spelt out in the Stockholm Program which is a roadmap for EU work in the area of justice, freedom and
security for the period 2010-14. (source:
http://europa.eu/legislation_summaries/human_rights/fundamental_rights_within_european_union/jl0036_en.htm)
4
Article I, Chapter I of the Charter of Fundamental Rights of the European Union.
5
The Organization for Security and Cooperation in Europe has a comprehensive catalogue of libel/slander laws in Europe that
can be accessed at http://www.osce.org/fom/41958.
5. 4
market model. The public-interest model is premised on a communication policy for the communal
greater good and not just for private business entities (Venturelli 1998, 188-195). Conversely, the liberal-
market model is premised on a laissez-faire approach to communication policy in which the market is
allowed to operate with minimal government interference (Venturelli 1998). In the EU document and
other referenced work, even when reports and expert recommendations are couched in language of
entrepreneurship and free markets, their solutions are based on supranational and centralized top-
down solutions. Furthermore, there is always a justification that policies will simplify the public sector
(European Commission 2012, 12).
Policy Strengths
One area that the EU document is strong is that it addresses the concerns about regulation,
arguing why these regulations will reduce red tape and make operating in Europe easier. The EU
document pledges that in order to enhance the single market dimension of data protection they would,
â lay down data protection rules at EU level through a regulation directly applicable in all member states
which will put an end to the cumulative and simultaneous application of different national data
protection laws,â leading to private sector savings of ⏠2.3 billion annually or simplifying the regulatory
environment by drastically cutting red tape and doing away with formalities leading to net savings of âŹ
130 million a year in just of administrative burdens (European Commission 2012, 7). In identifying and
offering concrete savings, they address opposing arguments usually raised by entrepreneurial business
advocates.
Under the reformed regulatory framework, the EU can make the case to customers that they
are promoting best business practices, and that a confidence in the integrity of their personal data can
be transferred to confidence in the operations of companies which is good for the industry. With the
proposals in the EU document, citizenâs trust in a robust regulatory regime arguably becomes an asset
6. 5
for service providers and an incentive for investors looking for optimal conditions when locating
servicesâarguments which the EU document makes (European Commission 2012, 8).
Policy Gaps
Areas where the EU document is weak is in the absence of technical details and instruction, its
nature as supranational document, addressing jurisdiction, and in its handling of freedom of speech
rights.
First, the technical aspect is unaddressed. A study presented to the European Network on
Informational and Security Agency on the eve of the unveiling of the EU document voiced such concerns
(Druschel, Backes and Rodica 2012). Second, there is an ambiguity between the EU as a supranational
entity and the authority if its member states. This is evident when consistent enforcement of data
protection rules across Europe are addressed; and also where some reforms for joint activity on use of
data in police and criminal justice cooperation seem to run afoul of those on data protection rules for
the digital single market. The EU document states that, âdata protection requirements and safeguards
will be set out in an EU Regulation with direct application throughout the Unionâ yet, âonly the data
protection authority where the company has its main establishment will be responsible for deciding
whether the company is acting within the lawâ (European Commission 2012, 7). With state-centric
language in a supranational document it can be unclear who is intended to be the ultimate enforcer.
Third is the problem of jurisdiction, another area which is vague and solutions are not really put forward.
For example the Supreme Court in Florida vs. BFJF affirms free expressionâin the USA states cannot
pass laws restricting the media from disseminating truthful but embarrassing information as long as the
information is legally acquired (Rosen 2012, 91, Florida Star v. B.J.F. 1989). So this could present US-
based corporations with a legal dilemma, which actually leads into the biggest lost opportunity.
Towards the end of the EU document, assurances are made that other rights such as freedom of
expression and information, or a right to conduct a business would be respected (European Commission
2012, 12). However, that is mentioned in passing, and no examples of situational conflicts are given as
7. 6
the document does for other areas of the legislation. Those freedoms are the crux of the argument
against the right-to-be-forgotten. That argument has been encapsulated by Jeffrey Rosen, an influential
US-based legal commentator that argued that, âalthough Redding depicted the new right as a modest
expansion of existing data privacy rights, in fact it represents the biggest threat to free speech on the
internet in the coming decade" (Rosen 2012, 8). Facebook says that, âThe right to be forgotten needs
very careful consideration. As drafted it raises major concerns with the right of others to remember and
of freedom of expression on the internet â (Facebook 2012); and Google is insisting that they âsupport
the right to be forgotten, and [we] think there are ways to apply it to intermediaries like search engines
in a way that protects both the right to privacy and the right to free expressionâ (Reuters 2012).This
communication does not specifically address these freedom of expression concerns. Speech is a policy
sector that forms the basis of all communication policy and lawâwith internet speech rights of such
importance that even the United Nations has designated online expression as a fundamental right
(United Nations 2012). Due to the many interpretations of 'freedom of speech' the EU document would
have benefited from exploring the issue in more depth like it does with the regulation issue.
Recommendations: Approaching the EU
To navigate this policy, the chamber and its constituents should reach out to the United
Kingdom (UK), while at the same time bearing in mind European history and viewing Europe as one
entity.
To the extent that there may be crack in European unity it is from the British who may have
chosen to opt out of the right-to-be-forgotten (Bowcott 2013). Efforts to stop the impending legislation
can therefore be channeled through the UK where the chamber and likeminded organizations would
find sympathetic interests to partner with. The UK has long had a historical special relationship with the
USA in which their global interests have usually aligned. Furthermore, the current timing is
advantageous as the UK is openly reassessing its relationship with the EU and proposing to cede less
power to them (Cameron 2013).
8. 7
Conversely, in an admittedly contradictory approach to one targeting the UK, a helpful frame
could be to view Europe as one entity rather than a collection of countries. From this perspective the EU
Document's proposed legislation need not be antagonistic to corporate interests. For two decades, the
EU has spoken favorably about using market mechanisms as motive power and fostering
entrepreneurial mentality and a common regulatory approach and warning (High-Level Group on the
Information Society 1994, 3). However their solutions are premised on supranational action. For
example they have usually recommended a union wide approach to legal security for privacy (High-Level
Group on the Information Society 1994, 3). This is because of their aforementioned communication
model, but from an economic perspective it also highlights the importance of understanding the
economic self-interest motivations of a common European market. In addition there is the political
reality of a EU that wishes to project European resolve in a world that is increasingly being dominated by
the USA and emerging economies such as China (Renard 2012). Essentially, it is not out of the question
that the EU is seeking to maximize economic gains, which suggests there is an opening to align interests
or for the chamber to engage on more familiar terrain.
In addition to the single market, identity and history matter and therefore a thorough
understanding of European history and the ideational forces that led to the creation of the EU should
also be considered. Communication policy is influenced by national political logics or mentalities of
governing meaning that âthe deployment of governmental power within specific political and cultural
contexts gives rise to different governance systemsâ (Eko, Kumar and Yao 2011, 3). European internet
policies are historically and socially constructed. Although nationalism still exists, there has been a social
conception of a 'European identity' that has paralleled the political strengthening of the EU over the
years. Consequently, this can provide an understanding into why internet legislation is being addressed
at a supranational level (EU) rather than by individual countries. On a related note, looking over at the
net-neutrality debate, one sees that overburdening regulation is not always the modus operandi in
Europe, as there the focus is on transparency. In Europe, strict regulation of internet service providers is
9. 8
avoided, and instead full disclosure of network management practices is required (Stover 2010, 80-81).
This might explain the desire for opt-in (as opposed to opt out) measures seen in the EU document
which US-based companies tend to oppose (Facebook 2012).
Conclusion: Global implications
Legislation proposed in the EU document will go in effect in 2014 pending European Parliament
approval. Brussels will be inundated with representatives from various stakeholders edging for their
position. Convergence of issues and technologies ensure that the right-to-be-forgotten has implications
for international relations. For one, other countries are looking to the EU for leadership, and there is a
good chance that whatever comes out of the EU will become a basis for how countries model their
legislation, from diverse areas like South Africa and the Middle Eastâand the legislation could even
influence US law (Kanter and Sengupta 2013, Shaffer 2000). Developments in the United States in June
of 2013 on data privacy and the ongoing transatlantic trade negotiations between the United States and
the EU have made the right-to- be-forgotten an even more prominent issue for diplomats.6
Data privacy
for example, will have to be discussed in the context of the trade negotiations, and then there have
been proposals in Europe for an internet tax. All these issues are beyond the scope of this brief, but are
worth exploring separately as they are connected to the ultimate resolution of digital data privacy in
Europe.
6
On June 5, 2013 The Guardian and Washington Post reported that a secret US national security program (PRISM) had direct
access to servers of internet firms including Apple and Facebook (source: http://www.guardian.co.uk/world/2013/jun/06/us-
tech-giants-nsa-data; http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-
companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html)
10. 9
Bibliography
Bowcott, Owen. "Britain seeks opt-out of new European social media privacy laws." The Guardian. April
4, 2013. http://www.guardian.co.uk/technology/2013/apr/04/britain-opt-out-right-to-be-forgotten-law
(accessed 5 2013, June).
Cameron, David. "Speech to the European Union." Transcript. London, January 22, 2013.
Druschel, Peter, Michael Backes, and Tirteria Rodica. The right to be forgotten - between expectations
and practice. ENISA, Brussels: , 2012.
Eko, Lyombe, Anup Kumar, and Qingjiang Yao. "Google This: The Great Firewall of China, the IT Wheel of
India, Google Inc., and Internet Regulation." Journal of Internet Law (Aspen Publisher Inc.), 2011: 3-14.
European Commission. Safeguarding Privacy in a Connected World: A European Data Protection
Framework for the 21st Century. Communication from the Commission to the European Parliament, the
Council, the European Economic and Social Committee and the Committee of the Regions, European
Union, Brussels: European Union, 2012.
European Union. "Charter of Fundamental Rights of the European Union." Official Journal of the
European Communities, 2000.
Facebook. "Facebookâs views on the proposed data protection regulation." europe-v-facebook.org.
March 30, 2012. http://www.europe-v-facebook.org/FOI_Facebook_Lobbying.pdf (accessed June 17,
2013).
Florida Star v. B.J.F. 491 U.S. 524 (US Supreme Court, June 21, 1989).
High-Level Group on the Information Society. "Recommendations to the European Council: Europe and
the global information society." Brussels, May 26, 1994.
Kanter, James, and Somini Sengupta. "Europe Continues Wrestling With Online Privacy Rules." New York
Times. June 6, 2013. http://www.nytimes.com/2013/06/07/technology/europe-still-wrangling-over-
online-privacy-rules.html?src=recg (accessed June 21, 2013).
Renard, Thomas. The European Union and Emerging Powers in the 21st Century: Hwo Europe Can Shape
a New Global Order. Surrey, England: Ashgate, 2012.
Reuters. Spain refers Google privacy complaints to EU's top court. March 2, 2012.
http://www.reuters.com/article/2012/03/02/us-eu-google-idUSTRE8211DP20120302 (accessed June 17,
2013).
Rosen, Jeffrey. "The Right to be Forgotten." Stanford Law Review , no. 64 (February 2012): 88-92.
Shaffer, Gregory. "Globilization and Social Protection: The Impact of EU and International Rules in the
Ratcheting up of US Data Privacy Standards." Yale Journal of International Law, Winter 2000.
11. 10
Stover, Christine M. "Network Neutrality: A Thematic Analysis of Policy Perspectives Across the Globe."
Global Media Journal 3, no. 1 (2010): 75-86.
United Nations. The promotion, protection and enjoyment of human rights on the internet. UNHCR, New
York: United Nations, 2012.
Venturelli, Shalini. Liberalizing the European Media. New York: Oxford, 1998.
Whitman, James Q. "The Two Western Cultures of Privacy: Dignty versus Liberty." The Yale Law Journal,
2004: 1151-1221.