Malta IT Law Association (MITLA) president and data protection expert Antonio Ghio has questioned whether the EU Data Protection Regulation goes far enough in protecting user data from government and corporate giants.
“The Data Protection Regulation tries to bring EU data protection law up to speed with current technological and social developments,” said Mr Ghio. “Presently, the data protection law transposed by member states is almost 20 years old. Obviously, technological advancement did not halt in 1995, in fact we did not have Facebook or Google back then. One major factor that instigated the process for data protection reform was a comment made by Facebook founder Mark Zuckerber, who said that data protection is a dying social norm. This was said in the midst of a controversy in relation to the data protection settings of Facebook, where at that time everything was publicly available, irrespective of user settings”.
The Regulation will establish a single, pan-European law for data protection, replacing the current inconsistent patchwork of national laws. Companies will deal with one law, not 28. It will also set up a one-stop-shop for businesses by which companies will only have to deal with one single supervisory authority, not 28, making it simpler and cheaper for companies to conduct business in the EU.
“Looking at it from a purely legislative point of view, the proposed regulation will be directly enforceable in all EU member states and the states will not need to enter into the process of transposing a directive with their individual flavour”, Dr Ghio continued.
“Personal data knows no borders and in the past there had always been one member state who would interpret certain terminology in one way and another that would understand things differently. Having a regulation which all member states must apply directly, irrespective of what it contains, will result in unity,” he explained.
Turning to whether governments would be affected by this proposed regulation, he said: “There are situations where governments can process personal data without the consent of the person in question, and this will remain within the regulation. If the tax authorities are carrying out an investigation, for example, they would not need a person’s consent in order to access that person’s information.
“The regulation does not force any further obligations on government, which is probably why one could be justified in saying that the regulation is not going far enough. At the end of the day, governments obtain information from different sources, control vast amounts of data and hold vast databases full of information. It is also questionable whether we should only hold businesses to account, but not also governments, who should be the epitome of correct data-processing”.
Dr Ghio mentioned Legal Notice 76, which was put on hold last April after it was discovered that the Education Minister would be able to acquire sensitive information about students. He drew a distinction between the trust people have in government in Malta and in a Scandinavian country, stating that trust in government in Malta is quite low.
The new regulation tackles data portability. “Let’s assume that I own a Facebook account. I have a large amount of information on there, however I’m fed up and would like to change over to Google Plus. This rule clearly recognises that the information belongs to me and the service provider must assist me in order to ensure that I can remove my data and that they will not be able to retain it”.
The right to be forgotten
Turning to the regulation’s proposal regarding the right to be forgotten (called the ‘right to erasure’ within the regulation), Dr Ghio cited a case in the European Court, where Google was ordered to remove search results regarding a Spanish man and his unpaid debts that was reported in 1999.
“Would this mean that I have a right to ask The Malta Independent to remove an article about me? The answer is no, but the same answer does not apply to Google, who would be indexing the internet”.
Criticisim on this particular right has been expressed, with a number of people questioning whether it would give citizens the ability to re-write history. Dr Ghio believes that a fine line exists and such cases would need to be dealt with on an individual basis. Looking at a certain European Court judgement: “The Court did not tell the newspaper to remove the article, but told Google to remove the search results. Following the judgement, Google was inundated with right-to-erasure requests... There were cases where paedophiles asked to have searches linked to their past erased. A line needs to be drawn where a public interest element is found and the right for people to retrieve their own information. In its judgement, the court made a distinction between the author of the information, the newspaper and Google, who reprocessed that information. Google could not make use of those exemptions that relate to journalistic freedom – it is a search engine, not a newspaper”.
The regulation also tackles ‘privacy by default’. “If participating in an online environment, any privacy settings within applications must automatically be set to ‘high’. ‘Privacy by design’ is another issue being tackled within the regulation, meaning that when new applications are built, the creators must consider privacy as an essential ingredient within the design process”.
Dr Ghio spoke of Google Glass, which has raised “thousands of questions as far as privacy is concerned. A very strict interpretation of this regulation would point the finger at Google, saying that they are not valuing privacy as much as they should. This highlights the constant struggle between privacy and innovation”.
While people always look at Facebook and Google as the main culprits of privacy breaches, the Snowden files brought a bigger picture to light, with people beginning to worry about their governments and countries who were, according to Snowden, carrying out mass surveillance.
The aftermath of 9/11
“Looking at reports released soon after 9/11,” said Dr Ghio, “they read that the attacks could have been foreseen and prevented. Following the attacks, laws were enacted by countries to give law enforcement agencies more tools in order to prevent similar events. In that climate, the Data Retention Directive was passed, where member states were allowed to store citizens’ telecommunications data for a minimum of six months and 24 months at most. Unfortunately, this gave carte blanche for the launching of all these Snowden-related surveillance schemes. Currently we are rethinking this process and realising that privacy is a fundamental human right, but the question remains as to whether this EU General Data Protection Regulation will go far enough.”
Another aspect of the regulation would result in companies having to give personal data to those who request it within a reasonable time. Dr Ghio remarked: “Abroad, to receive a copy of your credit rating one would have to pay, however this regulation will change that, thus making personal information more accessible.
“Unfortunately, the regulation is slowly being watered down as time goes on… although I still believe it is the way forward. The regulation, for example, would see further assistance for Data Protection Commissioners within the member states.
“Should a data controller (Think Facebook and Google who control user data) be of a certain size, the regulation would require them to appoint a data protection representative. Nowadays this is optional. Lobbyists are arguing that this would incur costs associated with becoming up to scratch on the new regulation and view it as a data protection tax, which in turn would result in the end user suffering and being required to carry part of the costs. These are the Googles of this world trying to shoot down the regulation. Of course, it is still uncertain as to what final form the new regulation would take”. Dr Ghio confirmed that this regulation is one of the most lobbied in European history.
Dr Ghio made a rather interesting observation regarding cloud technology. Citing gmail as an example, he said that such emails would be found in your personal inbox, however “Where are your emails actually being stored?
“Up until a few years ago, people would upload an image to their desktop, however with the introduction of cloud technology, people do not know where their information online is being stored, whether it is on a server in France or in the USA. When posting an image on Facebook, one does not know where the server holding that particular image resides. Everything is moving towards the cloud. A vast number of legal challenges arise in relation to jurisdiction, privacy, intellectual property, etc., in relation to cloud technology”.
An event called Data Protection at a crossroads: re-inventing wheels or chasing windmills? will be held on 1 April at SmartCity, organised by MITLA to discuss the proposed EU General Data Protection Regulation. One of the key speakers will be Dr Bruno Gencarelli, Head of the Data Protection Unit within the European Commission, who will discuss The long and winding road towards the new General Data Protection Regulation. “You will be hearing it directly from the mouth of the European Commission, who were the architects of the regulation” Dr Ghio explained. He said that the scope of the conference will address the aforementioned topics head on.
Prof. Joseph A. Cannataci, Head of the Department of Information Policy & Governance at University of Malta, and Dr Remco Hendrikse, Commercial Attorney, Microsoft CEE will also deliver speeches during the event. Social Dialogue Minister Helena Dalli will give a ministerial address. Apart from speeches, question-and-answer sessions will be held and a round table discussion with some of the speakers, as well as Information and Data Protection Commissioner Saviour Cachia, will take place.
Another topic to be discussed is whether this data reform package goes far enough.
More information about the conference can be found here.