Human Rights Day: EU’s Data Protection Reform: restoring trust by reinforcing user rights

Access is celebrating International Human Rights Day by bringing you a series of blog posts about our work and its intersection with the right to privacy. Privacy is a fundamental human right codified in Article 12 of the Universal Declaration of Human Rights, which was signed 65 years ago today.

Human rights are universal, interrelated, interdependent, and indivisible: we must protect each one to enjoy them all. The right to privacy ensures the protection of our rights to freedom of expression, association, and conscience, and is the foundation of democratic governance. With privacy under attack all around the world, Access is taking today to recognize its importance.


On the 65th anniversary of the signing of the Universal Declaration of Human Rights and the celebration of UN Human Rights day, we would like to take this opportunity to reflect upon the importance of privacy and data protection as key pillars of healthy societies.

The Vienna Declaration instructs us that human rights are universal, indivisible, interdependent, and interrelated. In practice, this means that we cannot enjoy freedom of expression or other rights without the security of the right to privacy. In fact, privacy is a key building block for democratic societies. Without it, we self-censor, limit our associations, and may be unable to fully experience freedom of conscience.

This means we must safeguard the privacy of our communications. But it is about more than protecting the communications themselves: We must have trust in the systems upon which we build our open and democratic societies. Our growing dependence on technology — to connect us, conduct business, and even manage critical domestic infrastructure — amplifies the threat to human rights when users, businesses, and governments lose trust in these systems.

Key to (re)building this trust is to ensure that citizens have control over their personal data. This includes, but is not limited to, being informed about the terms upon which your data are being processed, guarantees that they are processed fairly, for specified purposes, and on the basis of your consent or some other legitimate basis laid down by law. Furthermore, that you have the right to access and correct data that have been collected about you.

In short, you call the shots over what happens to the information that relates to you. This is called data protection, and in Europe, it is recognised as a fundamental right. While data protection can be considered a subset of the right to private life — which is articulated in nearly all international and national human rights instruments — Article 8 of the Charter of Fundamental Rights of the EU specifically articulates the right to the protection of personal data.


The EU’s Proposal for a Data Protection Regulation (DPR)

The European Commission has undertaken a much needed data protection reform effort in the EU, which includes a proposal for a General Data Protection Regulation. The Regulation aims to accomplish the following:

  • Update the rules established in 1995 (when only 1% of Europeans had access to the internet) to suit the challenges of the digital age;
  • Harmonise the data protection rules throughout the continent, replacing 28 different interpretations with one single law (“cutting the red tape”);
  • Increase the ability of data protection authorities to impose penalties for those that break the rules (“enforcement with teeth”);
  • Last but not least, strengthen the rights of users, or “data subjects,” by putting them back in control of their personal data.

The Data Protection Regulation is the implementation of Article 8 in the Charter. The proposal includes strengthened rights such as the right to data portability, to access, erasure, and rectification, in addition to refining definitions, such as “personal data” and “data subject,” in a way that better suits today’s digital challenges. It will also oblige entities that collect and process your data to implement privacy-protecting measures like data protection by design and by default.

The final value of the proposal will be determined by the outcome of the process which is currently underway and which has been subject to unprecedented lobby efforts by countries outside the EU and companies, many of which are implicated in the NSA surveillance programmes, such as PRISM and MUSCULAR.


State of play on the DPR

The European Parliament successfully reached a decision on its version for the proposed Regulation on 22 October, 2013.

Now, the General Data Protection Regulation is in the hands of the Council of the EU (the 28 representatives of the EU member states). The negotiations were going relatively well under the Irish Presidency of the Council which ended last July. However, since the Lithuanian Presidency took over, the situation has deteriorated to the extent that during the last meeting on December 6, Commission Viviane Reding accused the Council members of not moving forward but rather going round and round in circles, undoing any progress that has been made so far.

Apart from obstructing constructive progress on the legislation, which is under a strict deadline if the negotiations are to be concluded before the elections in the European parliament in May 2014, the general position of many members of the Council has been nothing short of destructive towards the rights of citizens.

Some countries – particularly the UK and Sweden – have been dragging their feet, apparently out of concern that the new rules would be too onerous for businesses. This attitude reflects these countries’ long-held preference for a Directive over a Regulation, which is typically considerably softer legislation.

Perhaps most surprisingly Germany, a longtime leader in digital privacy, has joined the group of countries seeking to block the passage of a Regulation in favour of something weaker. Indeed, the statements from the German representative have drawn the ire of the Rapporteur for this dossier in the European Parliament, Jan Philipp Albrecht. “It’s just ridiculous. The German government has talked about data protection throughout the last months, Chancellor Angela Merkel said it is priority and then the German interior minister is going to Luxembourg and Brussels and doing exactly the opposite,” he said. “They use the argument that they are safeguarding German consumer rights, but these arguments are lies, because the Parliament has insisted on consumer protections which are of exactly the same standards as those in Germany,” Albrecht added.

While a handful of countries have been calling for the need to speed up the negotiations, the December meeting ended without a single conclusion. Discussions will resume on the same point at the next meeting, set for sometime in January.


Outcome of the DPR uncertain: the Council must act now

Commissioner Reding has asked the Council Members how they plan to face their citizens, who, particularly in the aftermath of the mass surveillance revelations, are calling for greater protection over their personal data.

For users, having control over personal data is paramount, as it empowers citizens to make informed decisions about who may have access to their data and with whom they share them with. And it’s not only Europe; many countries throughout the world have adopted similar comprehensive approaches to the protection of personal data. That’s why the Regulation is so important, as it could serve as a model for the protection of personal data globally.

On the occasion of UN Human Rights Day, we urge the Council to stop meddling around with the fundamental rights of their citizens and come to constructive conclusions so citizens will at last be guaranteed the rights long enshrined in the Charter.