This speech was presented by Fanny Hidvegi, European Policy Manager and Legal Counsel at Access Now, to the European Economic and Social Committee (EESC) during a hearing “Exchanging and Protecting Personal Data in a Globalized World.” It was presented on 5 September 2017.
Dear Members of the EESC and dear Colleagues,
Thank you very much for the opportunity to have a discussion with all of you today about international data transfers, and in particular the EU’s role to promote data protection in a globalised world.
My name is Fanny Hidvegi, I’m the European Policy Manager of Access Now. Access Now is an international non-profit civil society organisation. Our mission is to defend and to extend the digital rights of users at risk around the world. We work in the intersection of human rights and technology, and the internet in particular. One of our main focus areas is privacy and data protection. Having colleagues in D.C., Argentina, Brussels, India, and elsewhere gives us a unique view on human rights and international data transfers, and we are very pleased that the EESC opinion points to our coalition letter that calls for EU Lawmakers to Push for US Surveillance Reform.
The key message of my remarks is in line with the Commission’s and the EESC’s position: When data travels, protection should travel with it. That’s easier said than done in the reality when the protections do not even travel with our bodies, let alone our personal data.
My remarks will be structured as follows:
- An overview of fundamental rights and data flows,
- A short overview of our position on the Privacy Shield,
- Review of the challenges of adequacy decisions as an export model for the EU’s data protection regime,
- An overview of the Umbrella Agreement and efforts in the law enforcement cooperation.
- Data flows and fundamental rights
As stated, it is our common starting point that protection should travel with personal data. Data flows are and should be happening, they are a vital element of the global economy, and they contribute to Europe’s digital economy. It is not a right, however, to process personal data even if there is the common interest in data flows. There is no fundamental right to process and monetize personal data, and therefore the portrayal of data as the 5th freedom is a flawed concept.
Europe must protect and ensure the fundamental rights to privacy and data protection internally and externally. Data transfer mechanisms are the enablers of the digital economy but adequacy determinations must not become the tool for the race to the bottom serving the interest of trade.
Beyond international and EU law, there’s another reason why the EU must respect these rights and must enforce them. The digital economy is indeed dependent on data flows but both the digital economy and data flows are dependent on users’ trust. A trust which is broken, as many Eurobarometer and policy papers have shown.
- Privacy Shield
The Privacy Shield, and the Umbrella Agreement for that matter, is a good example of a tool where that trust could have been built. Privacy Shield and similar arrangements must comply with international and European human rights law, including that on data protection. In order to ensure this, and legal certainty both for users and businesses, the European Commission should subject the Privacy Shield and US practices implicating the rights of people in the EU to an exacting review.
I don’t have time to go into details of our letters and submissions for the Privacy Shield review process but I circulated some of them in advance to the hearing and I’m happy to discuss during the debate. The top level take aways are as follows
- the commercial side of Privacy Shield is based on voluntary commitments by companies without proper enforcement possibilities. Improving this part of the arrangement does not require immediate reforms in the US.
- surveillance reform is still necessary on both sides of the Atlantic, and
- an awareness raising obligation must be acknowledged in order to ensure at least partial enjoyment for Europeans of their fundamental rights.
- Adequacy as exporting European data protection model
Similarly to the Privacy Shield process, and also supported by the EESC opinion, the Commission has expressed its intention to use adequacy decisions as a way to engage with key trading partners. It notes signs of upward convergence toward data protection principles globally and the EU’s special role in that trend. The EESC opinion goes even further and calls on the EU’s responsibility to become a global actor in promoting respect for fundamental rights and adequate protection of private life and personal data”.
While I support the promotion of the highest data protection and privacy principles and safeguards possible, I’d also like to point to a few challenges.
Within data transfers, there’s an issue with adequacy decisions of lowering the competence of data protection authorities by conceding our enforcement to an actor outside our legal, political and social oversight.
In addition, we should figure out how to put in practice this supposedly two way street process when a partner country has higher protections in certain areas such as the Tunisian draft data protection and electronic privacy bill does it on fines
Beyond international data transfer the obvious example for a failure to export our model is the Right to Be Forgotten. It might function more or less well in the European legal context, numerous case studies have shown, however, how governments globally are abusing that right for censorship purposes and restricting freedom of speech.
- Umbrella Agreement and law enforcement cooperation
And finally, I’d like to touch on the law enforcement cooperation and data transfers. The Umbrella Agreement is not a data transfer tool, it aims to protect the privacy of personal data that is transferred overseas for law enforcement purposes.
There is relative consensus on the need for such an agreement, but the final text came under heavy fire from privacy experts because it fails to comply with EU law. The EU has once again, moved forward with a dysfunctional framework in an effort at political compromise with the US, instead of fully protecting Europeans’ fundamental rights.
To conclude, I would like to welcome the opportunity to engage with the European Commission on the Privacy Shield review process and beyond. I hope civil society, including Access Now will have opportunities to contribute to this public discourse and achieve our common goals: a flourishing European digital economy on the basis of both the private and public sector fully respecting fundamental rights, including privacy and data protection.