It’s time to update European data protection, and I’ve got three concrete suggestions.
The problem is not with the basic principles of data protection law, but the way they have failed to evolve to adapt to the information age. Since the adoption of the first EU data protection directive in 1995, companies have come to accept that effective privacy protection is a necessity for a flourishing economy, particularly in the online sector. And individuals in Europe demand effective privacy and data protection. European data protection law has also become influential outside the EU. In recent years, countries such as Argentina, Japan, and New Zealand have adopted privacy law that show influence from the European model. Even the US, which was formerly highly critical of EU privacy law, has become more open to seeing the good in the European system.
However, several principles of EU privacy law are out of date and need to be adapted to the global information economy. Foremost among these are the restrictions on transfer of personal data outside the EU. In past years, such transfer meant packing a computer tape or paper files into a box and shipping them to a far away location. However, nowadays almost any activity on the internet involves a transfer of data outside of the EU, so that strict application of these laws would cause the Internet to shut down. Moreover, studies have shown that privacy protection inside the EU leaves a lot to be desired, so that it is not clear why a transfer of personal data outside the EU necessarily causes greater risks to privacy than the processing of the same data in the EU would. Recent scandals in the press about outsourcing to India only show the bad actors; in fact, many such outsourcing centers actually have higher privacy and security standards than equivalent installations in Europe do.
Moreover, the way that the principles of EU privacy law are implemented is mired in red tape. While some progress has been made on this in recent years, there are far too many bureaucratic hurdles put on the processing of personal data. For example, most Member States require that individual databases be registered with the national data protection authority, but there is no single, EU-wide procedure for such registration, so that a company running a database which is accessible in all Member States will have to register the same database in different ways across the entire EU. Member States also do not recognize each other’s authorizations, which recognition has become routine in other sectors (such as with regard to the licensing of pharmaceutical products). To give an example: in one case a company had obtained permission to transfer personal data from twenty-two other Member States, but the data protection authority of one single Member State required an additional year of deliberation before it gave its permission, thus holding up the entire data transfer. One of the main purposes of EU data protection law is to provide a minimum floor of data protection throughout the entire Community, so that it is strange that national data protection authorities are not willing to grant each other’s authorizations some form of mutual recognition.
The most glaring gap in EU data protection law is that it does not apply to activities by law enforcement, military, and national security authorities. Thus, EU citizens have data protection rights which they can assert against an online shop that sells their e-mail addresses without permission, but have no such rights when the police surreptitiously listen into their telephone conversations, despite the far more serious breach of privacy that the latter action entails. It is thus not surprising that European governments are now seeking to collect personal data and build large databases in a way that would be illegal for companies to do, thus exploiting this loophole in the law. While is EU is currently discussing the passage of an instrument that would close this gap, I don’t expect it soon.