Wednesday, August 19, 2009

A Private EU Battle

Before you get too excited, this post is not about some highly secret European Commission insider gossip. It's about the EU and privacy policy. More specifically, it takes a look at some of the existing and looming institutional battles in Brussels about who is in charge of privacy policy, or "data protection", as it is known in the Brussels jargon.

The EU already has several pieces of privacy legislation on the books. The ePrivacy Directive bans SPAM, requires an opt-in from consumers for ads over email, and obliges telecoms operators and ISPs to delete subscriber traffic data when it's no longer needed for billing purposes. The Data Retention Directive, with rather painful Brussels irony, requires telecoms operators and ISPs to retain the same traffic data for up to two years to help law enforcement authorities fight crime, depending on national legislation.

But the most important law is the Data Protection Directive of 1995. It sets out the rights of the citizen with regard to personal data, and the obligations of organisations that hold such data. Perhaps most importantly, the Directive sets up some institutions at national and European level that are supposed to help protect our privacy.

Now, almost 15 years later, as those institutions have matured and as privacy/data protection starts to become a hot topic in Europe and around the world, a turf war is brewing within and between the big players on privacy in Europe.

Like most EU policy, privacy is an area where the European Commission has the power of initiative in the "First Pillar" - i.e. the Single Market. The lead department of the Commission is the Directorate-General for Justice, Freedom, and Security ("DG JLS"). However, DG SANCO (which covers consumer protection), DG INFSO (the "information society", i.e. telecoms, Internet, and IT), and possibly some other DGs all have strong claims to at least part of the privacy portfolio.

Then you have the European Parliament, which takes a keen interest in high-profile aspects of privacy policy, like the Passenger Name Record (PNR) agreement with the USA. Although it has co-decision powers on Single Market aspects of privacy, the EP does not (yet) have formal powers in Second or Third Pillar areas (foreign and security policy, justice and home affairs).

The relative newcomers to the institutional power game are the European Data Protection Supervisor (EDPS), Peter Hustinx, and the Article 29 Working Party (A29WP). The latter body was set up by Article 29 of the Data Protection Directive, and consists of the independent data protection authorities (DPAs) from all the Member States. Interestingly, although the EDPS, DPAs, and A29WP were set up by the (First Pillar) '95 Directive, their job descriptions are sufficiently vague to have allowed them to be fairly active in justice and home affairs areas, which are "Member State competences" under the EU treaties. The EDPS has an oversight function vis-à-vis the EU institutions' own data protection practices, but the EDPS and the A29WP share an advisory role vis-à-vis the European Commission on privacy policy generally. They regularly issue non-binding, but nevertheless influential, opinions.

So what is happening? It's pretty complicated, which is why I find it so interesting. Not only is there a developing internal turf war over privacy in the European Commission, but there is also a fight (more like a mass brawl) brewing between the Commission, Parliament, Member States, EDPS, and A29WP.

Before 1995, data protection belonged to DG Internal Market, and the EU's policy debate was primarily about the tension between civil liberties (or "fundamental rights") and essentially commercial interests. But after 9/11, as governments raced to ramp up electronic surveillance of terrorist suspects, concerns about abuse of personal data by commercial entities rapidly gave way to concerns about infringement of civil liberties by governments. Data protection was hastily moved to DG JLS. The unit responsible for data protection sits in the Directorate for Fundamental Rights and Citizenship. Under recent Commissioners Frattini and Barrot, this part of the DG has very much been dominated by the "sexier" Directorate for Security. The data protection unit has not been able to assert itself internally so far.

But while the internal security vs. privacy battle rages in DG JLS, DG INFSO, with responsibility for the ePrivacy Directive and a range of other ICT-related policies, and under the populist leadership of Luxembourg's Commissioner Viviane Reding, has got in on the act. Reding and her staff have managed a high-profile campaign to reconcile public concerns about the privacy impacts of RFID technology with the huge potential economic and social benefits it can bring. This culminated earlier this year with a formal Recommendation on RFID, proposing that retailers carry out privacy impact assessments (PIAs) on RFID systems, and deactivate tags by default if their systems were found to pose risks to consumers. More recently, Bulgaria's Commissioner Meglena Kuneva has taken an interest in the consumer protection aspects of data protection on the Internet, such as privacy policies, consumer redress, social networking, and child protection.

It seems that the EDPS and A29WP, which work closely together, have been making the most of the absence of clear Commission leadership on data protection to project themselves as the authoritative, expert EU institutional voice on data protection. The Commission is not helped by the fact that the data protection unit at DG JLS has about one quarter of the staff (and probably also a fraction of the multi-million euro budget) of the EDPS.

With the possibly imminent ratification of the Lisbon Treaty and the resultant disappearance of the EU's "Pillar" system, all these institutions will be able to start playing freely in a new and exciting sandbox - law enforcement. In anticipation of the treaty changes and to respond to the need to update the '95 Directive, the Commission has launched a major public consultation on the entire legislative framework for data protection.

I have no idea what will happen (and I'd be interested in any insights that readers might have) - we don't yet know who the relevant Commissioners will be or how they will regard privacy. Nor do we yet have a firm handle on the new European Parliament. Almost the only certainty is that EDPS and A29WP will continue to seek to build their profile and stature, and perhaps even their formal powers.

Watch this space!


Mathew Lowry said...

With all that internal strife and traffic, you'd think that most Commission DGs would know how to process data and avoid spamming people when setting up their e-newsletters, wouldn't you...

Insideur said...

You would! And you would think there'd be some rules about sign-in sheets in Commission buildings (you can easily read the names, addresses, and ID document numbers of visitors who have entered before you). That's all the EDPS' job to sort out, but he seems to spend his time on other things!

Anonymous said...

You are right about the review becoming messy. Indeed the institutional set-up is ridiculous (just see how the EP worships Mr Hustinx - who is acting outside his mandate). But now we have a group called European Privacy Association, EPA. That seems to have been set up by a huge US company (that has some serious competition issues) to attack another large US company, active in the search engine business.
The question is: will European industry pay the price, since many US companies argue they are not even covered by EU law?

Insideur said...

Well, the institutional setup is what it is, and I'd certainly agree that it's "ridiculous" inasmuch as it's messy. And frankly, I feel that the Commission is the only institution that can exert some balanced leadership. Sadly, about 5 different Commissioners will soon have different pieces of the privacy pie, and it is hard to see how coherent leadership can come out of this mess. A lot will depend on the personalities of the new Commission. My biggest hope is that we will see the end of the dominance of the privacy vs security dynamic. Hopefully it will be replaced by a more balanced debate that takes into account technology, consumers, economic interests, as well as privacy and security, to the exclusion of none. It will be quite a challenge.