The EU already has several pieces of privacy legislation on the books. The ePrivacy Directive bans spam, requires an opt-in from consumers for ads over email, and obliges telecoms operators and ISPs to delete subscriber traffic data when it's no longer needed for billing purposes. The Data Retention Directive, with rather painful Brussels irony, requires telecoms operators and ISPs to retain the same traffic data for up to two years to help law enforcement authorities fight crime, depending on national legislation.
But the most important law is the Data Protection Directive of 1995. It sets out the rights of the citizen with regard to personal data, and the obligations of organisations that hold such data. Perhaps most importantly, the Directive sets up some institutions at national and European level that are supposed to help protect our privacy.
Now, almost 15 years later, as those institutions have matured and as privacy/data protection starts to become a hot topic in Europe and around the world, a turf war is brewing within and between the big players on privacy in Europe.
Like most EU policy, privacy is an area where the European Commission has the power of initiative in the "First Pillar" - i.e. the Single Market. The lead department of the Commission is the Directorate-General for Justice, Freedom, and Security ("DG JLS"). However, DG SANCO (which covers consumer protection), DG INFSO (the "information society" - i.e. telecoms, Internet, and IT), and possibly some other DGs all have strong claims to at least part of the privacy portfolio.
So what is happening? It's pretty complicated, which is why I find it so interesting. Not only is there a developing internal turf war over privacy in the European Commission, but there is also a fight (more like a mass brawl) brewing between the Commission, Parliament, Member States, EDPS, and A29WP.
Before 1995, data protection belonged to DG Internal Market, and the EU's policy debate was primarily about the tension between civil liberties (or "fundamental rights") and essentially commercial interests. But after 9/11, as governments raced to ramp up electronic surveillance of terrorist suspects, concerns about abuse of personal data by commercial entities rapidly gave way to concerns about infringement of civil liberties by governments. Data protection was hastily moved to DG JLS. The unit responsible for data protection sits in the Directorate for Fundamental Rights and Citizenship. Under recent Commissioners Frattini and Barrot, this part of the DG has very much been dominated by the "sexier" Directorate for Security. The data protection unit has not been able to assert itself internally so far.
But while the internal security vs. privacy battle rages in DG JLS, DG INFSO, with responsibility for the ePrivacy Directive and a range of other ICT-related policies, and under the populist leadership of Luxembourg's Commissioner Viviane Reding, has got in on the act. Reding and her staff have managed a high-profile campaign to reconcile public concerns about the privacy impacts of RFID technology with the huge potential economic and social benefits it can bring. This culminated earlier this year with a formal Recommendation on RFID, proposing that retailers carry out privacy impact assessments (PIAs) on RFID systems, and deactivate tags by default if their systems were found to pose risks to consumers. More recently, Bulgaria's Commissioner Meglena Kuneva has taken an interest in the consumer protection aspects of data protection on the Internet, such as privacy policies, consumer redress, social networking, and child protection.
It seems that the EDPS and A29WP, which work closely together, have been making the most of the absence of clear Commission leadership on data protection to project themselves as the authoritative and expert EU institutional voice on data protection. The Commission is not helped by the fact that the data protection unit at DG JLS has about one quarter of the staff (and probably also a fraction of the multi-million euro budget) of the EDPS.
With the possibly imminent ratification of the Lisbon Treaty and the resultant disappearance of the EU's "Pillar" system, all these institutions will be able to start playing freely in a new and exciting sandbox - law enforcement. In anticipation of the treaty changes and to respond to the need to update the '95 Directive, the Commission has launched a major public consultation on the entire legislative framework for data protection.
I have no idea what will happen (and I'd be interested in any insights that readers might have) - we don't yet know who the relevant Commissioners will be or how they will regard privacy. Nor do we yet have a firm handle on the new European Parliament. Almost the only certainty is that EDPS and A29WP will continue to seek to build their profile and stature, and perhaps even their formal powers.
Watch this space!
Wednesday, August 19, 2009