An Op-Ed about Data Protection
Fergal Crehan and I drafted the original version of this op-ed piece on the evening of the 5th of June, completing it on the 6th and submitting it immediately to the Irish Times as a topical opinion piece. The article was originally drafted in response to the EU Council of Ministers publication of proposed amendments to the EU General Data Protection Regulation that would significantly undermine the protections awarded to individuals and their data under EU law.
It wasn’t published (but them’s the breaks as they say).
I’ve updated it to include reference to the Prism and Tremora stories that were just beginning to break the week the original piece was drafted. I’ve also included references to some anti-data protection stories that have appeared in the Irish Times since the beginning of June, and a nod to the legacy of light touch regulation and associated attitudes that has recently emerged in the Irish press.
I took the decision in consultation with Fergal to publish this here as the points that are raised are important ones regarding the nature of the society we want to live in. The failure of the Irish Times to fact check recent stories raises a further question as to the role of a neutered as opposed to neutral press in the definition of and shaping of that society.
Journalists more than anyone should be alert to and resisting of any efforts to dilute or invade privacy, because it is only where there is privacy that there is the freedom for sources and whistle blowers to express privately (to journalists) facts that should be made public by the media. The logging of data about what numbers you dial, when, where from, and the uses that data can be put to could conceivably jeopardise sources, result in stories that need to be told being silenced, and force public and private conformity with a “party line” regardless of consequences. “All the President’s Men” would have been a significantly different movie if Nixon had had access to a Minority report level of analytics about who called who and who was where when – which is possible today.
A Free Press should be concerned in equal measure about attacks on the freedom of expression and the rights to Privacy. This is why Data Protection should be a hot topic of relevance, not a dry techie story of limited interest. Responsible journalists need to inform themselves of the rights that exist, the ways those rights are being undermined, and how the existence of those rights that are under threat.
A skewed balance struck
For some years now, the EU has been preparing a regulation to update and standardise data protection law in Europe. The expectation was that the rules would be strengthened, giving citizens more protection against misuse of their information. It was a shock then, when the Irish Presidency brought forward a draft regulation which not only dilutes many of the original proposals of the EU Commission, but represents a neutering of many data protection rights rights enjoyed up until now.
Data protection is a human right, closely bound up with privacy, and is unsurprisingly taken especially seriously by European countries whose citizens suffered under the police states of Nazis or Soviets, or even both. It is the right not to have your personal information hoarded, sold, disclosed or otherwise misused. “Data Protection” may not stir passions like other rights do, but in an increasingly data driven world, its importance cannot be overstated. We are already at risk of a two-tier privacy system, where the rich and famous can go to court for super-injunctions, while Joe Citizen cannot sit peacefully at home without their phone ringing with unwanted direct marketing calls.
Ireland has had the privilege of shepherding the revised Data Protection rules through the process of negotiation and agreement. The vision set out by the European Commission in its initial drafts was to provide a simplified regulatory structure for business and strengthened rights for individuals over how, where, and why information about them is processed, and by whom. This vision became the subject of one of the most intensive lobbying campaigns by US firms ever seen in the EU.
In February it emerged that amendments tabled by a group of MEPs that diluted the protection of personal data were copied verbatim from the submissions of these lobbyists. Sean Kelly, the Irish MEP responsible for those amendments, recently received an award from an advertising industry group for his work. The Council of Ministers recently issued a set of proposed changes to the Regulation that are being touted by Alan Shatter, the outgoing President of the Justice and Home Affairs Council, as providing “better protection for citizens” while also “providing a better strategy and architecture for business”.
However, privacy advocates have highlighted that while the proposed changes are good for business they are a serious weakening of protections EU citizens have historically enjoyed. Advocates in favour of the proposed changes cite the importance of data in the modern economy and the potential for jobs.
But are we building an economy or a society? In a speech this week President Michael D. Higgins tells us that the EU is a “union of citizens” and the institutions of the EU must work to protect those citizens. The proposed Regulation weakens those very protections.
The proposed changes introduce a “risk based”, self-regulation approach. This seems not unlike the “light touch” regulation which was adopted in order to attract financial services companies to Ireland, and which fuelled the financial services boom. With our government now keen to attract more data-based firms like Facebook and LinkedIn to Ireland, it seems lessons of recent history are not being learned. And in the week of the Anglo Tapes it is more important than ever that we learn these lessons.
This approach has been hailed as “non-prescriptive”. But a regulation that doesn’t prescribe anything is a mere suggestion, which can and will be ignored unless there are adverse consequences. Ireland’s Data Protection Commissioner is chronically underfunded, but he can and does bring prosecutions for breach of the Data Protection Acts. It is difficult to see how a these kinds of criminal convictions could be achieved under the proposed regulation.
Under the proposed Regulation, if your personal data is lost or stolen, the decision about whether to tell you will be left in the hands of the people who lost the data. This effectively means that there will be no right to know when your personal information is lost.
Last year Target, the US supermarket, broke the news to a father that his teenage daughter was pregnant by sending her unsolicited targeted adverts for baby products. Current laws make this potentially illegal in Europe. However, direct marketing rules are to be changed under the proposed Regulation. Companies would no longer need your permission to market to you once they have obtained your data. This is an extraordinary win for the marketing lobby, a turn from a right to privacy, to a right to invade privacy. The telemarketer, a scourge familiar to any American with a phone, is set to become an unwelcome part of our daily life too.
The recent revelations of unfettered and covert surveillance on the private commmunications of every individual in every country by US and UK intelligence services has highlighted the risks of the Panopticon. Some argue that if you have nothing to hide you have nothing to fear. But that flies in the face of our fundamental values that everyone has a right to a place where they can have private thoughts and private communications. These rights are under attack and must be defended.
But at a smaller scale, recent articles in the Irish Times have linked Data Protection rules with inefficiencies in the Ambulance service which have contributed to deaths. ‘Data Protection rules mean we can’t use GPS for ambulances’ was the claim. Bunkum is the answer. Such processing is permissible under Section 8 of the Data Protection Acts. ‘Data Protection rules will curtail genealogy’ was another claim. Again, bunkum. The draft Regulation will likely apply only to living persons, Public Registers will have certain exemptions, and the Right to be Forgotten is not a right to be airbrushed from history, as has been made clear by Commissioner Reding on many occasions, and has been made clear by the ECJ in the past week.
Data is hailed as “the new oil”. “Big data” is mined to predict everything from musical taste to voting habits. It is disturbing when rights, once considered uncontroversial, are watered down or neutralised because it has become profitable to do so. What is proposed in this draft of the Regulation is something unprecedented in the history of the EU – the effective abolition of a human right enshrined in EU Treaties. As citizens, we can only wonder and worry which other human rights will become inconvenient to big business, and what their fate will be.