Privacy should not be a civil liberty
Not a lot of people think about it, but the evaluation of the present data protection directive consultation from the European Commission is by far one of the most important missions we’ve had in the past two years.
— Experienced telecoms activist
After the PNR and SWIFT discussions in the European Parliament there’s no doubt that the parliament is conscious about data protection, and particularly the differences between American data protection and the European. The biggest difference is bound to the American indirect protection of private data through Supreme Court jurisprudence on the right for individual autonomy. Another major difference is that American data protection is only extended to people protected by their constitution, that is, citizens of the united states. European data protection, on the other hand, is a human right and applicable to all private data handled automatically or otherwise inside the European geographical jurisdiction.
For being a territory handling a lot of private data, it is not difficult to be concerned with how private data is treated inside the American borders (although we should probably extend this concern to China).
But well. The SWIFT discussions had a largely disappointing outcome. But there is hope for change! The European Commission opened a consultation on the 1995 Data Protection Directive late autumn last year. In the case that the result is critical of the implementation outcome we might see attempts on more stringency with respect to privacy rights. I have a slight hunch that further efforts will be made for technological or medium independence, which of course may be problematic. I do not know how, suggestions? Be paranoid.
European politicians at large feel a duty to protect private data. It is trendy in politics right now, even for ambitious protect that leads to less desirable results.
The biggest problem with all directives, though, is the ability of member states to fulfill formal requirements but fail in the work of upholding them. Regulatory authorities in data protection sometimes behave very similarly to telecommunications regulatory authorities and become far too passive in their work to uphold the law. This is true for instance in Ireland and in the Netherlands, where the regulatory authorities exist, but their work is marked by lack of action, or lack of authority to act on perceived failures in the data handling system. Lack of action and lack of authority is present in Ireland and the Netherlands. This is perhaps good to keep in mind for people who make commercial contact with Ryanair.
In Sweden, the regulatory authority Datainspektionen can hardly be accused of lack of action. I do remember Pirate Party member SM5POR pointing out some years ago that their interpretation of certain provisions of the law or the directive may be less conventional or practical (may he correct me if I have misunderstood). The data protection authority has apparently not been interpreting their mission narrowly, but rather exceptionally widely (although I am unsure of what measures they can take when they discover flaws in data handling processes). However, I don’t think criticism against an ambitious authority is not best applied in further legislation, but rather discussions with the authority at hand about their mission. Swedish regulatory authorities tend, further, to be very pragmatic and there is no reason to suspect that their work will be less efficient due to ambitious mission statements.
Germany, like Sweden, has implemented the regulatory authority constitution rather well. The authority is very able to make independent observations and criticisms of legislator and private actor compliance with data protection laws (Germany also has the additional protection from the constitutional court). They keep informed of who protects data, when and how.
A common implementation failure in member states is that the regulatory authority is not made financially or operationally independent of state authorities. It makes it difficult for the regulatory authority to criticize state actions, and is perhaps a point where the Commission ought to take stronger, and more frequent, action.
As the dead line for the consultation submissions is drawing closer (January 12), I’ve also pondered the difference between identification systems versus authentication systems, but I’ll leave it for a blog post for tomorrow.