The Conference on the Future of Europe, Democracy and Rule of Law panel has generated 39 recommendations to improve the EU’s Democracy and compliance with the Rule of Law. Three of these related to Privacy and one to Cybersecurity.

I have drafted a response for CTOE, which I hope will become part of their response but did not form part of their first response, which is fortunate since I changed my mind slightly.

My initial view of the recommendations was that they lacked a problem definition and that they were often unactionable. I feel they may have been ill-served by the experts who may not have presented the GDPR and the other privacy regulations in an accurate light. However, I have been told that the view in citizen’s panel 2, and others, is that privacy is not taken sufficiently seriously and that breaches by the member states, foreign governments and corporations still occur and are not sufficiently controlled or punished. An opinion based on the blasé view that it’s under control, which is where I started, is not good enough and fails to recognise what should be the power of a Citizen’s Assembly; it raises ideas, opinions and interests that politics as normal and experts ignore.

Regulation and sanctions

There are three recommendations and while two of them are very specific on details of the EU’s privacy laws, recommendation 7 deals with GDPR enforcement. For this to have become a recommendation, there must be a broadly held view that enforcement is not sufficiently rigorous.

Recommendation 7 proposes pan-European registration of data processing companies, to enable a normalisation of penalties and other enforcement actions. It also proposes that the EU is vested with the power to deregister a licence holder and thus remove its ability to process personal data. This would be tantamount to closing the entity down. The proposal also suggests an increase in financial penalties. The use of licensing in this way engages the Charter of Fundamental Rights in two ways: freedom of expression and information, and the freedom to conduct a business.

The GDPR abolished the need for data controllers/processors to register with the Data Processing Supervisors. It also arguably weakened the privacy regime by weakening the need for consent, particularly via its introduction of “legitimate interest”. It did, however, increase the fines and sanctions to levels designed to ensure that companies will comply with the law. Fines are €20 million (about £18 million) or 4% of annual global turnover, whichever is greater. It has been suggested that the maximum fines are insufficient to genuinely deter the datenkraken, but 4% of turnover, not profit, turns into a very high proportion of profit. [Google tells me that Facebook have a revenue of $85.96 bn, with a profit of $39.37bn, a profitability of 45%, which is inordinately high and would generate a fine of $3.4 bn or ~ 3bn, more than Cyprus contributes to the budget, but less than Latvia.]

I’d be curious to understand the problem that this proposal seeks to solve; I don’t think it has been defined. If there are specific member-state violations or harmful legislative derogations, then the Commission has the powers to ensure that the European Data Processing Board (EDPB) investigates and acts, or to open compliance proceedings itself.

There may be a justified view that the EDPB is insufficiently independent of the member state governments that appoint its members, and thus that they, despite the legislative guarantees, are more likely to toe a government line rather than advocate for citizens’ right to privacy. This argument can be equally applied to the Commission and Council. Perhaps I should be more sympathetic to the recommendation, as some question the vigour with which the UK’s ICO pursues investigations against both the Government and big corporations, and they won’t be alone.

Equality of arms

Recommendation 8 makes two proposals on data protection awareness and one on increasing the enforcement of minors’ rights. The supporting text focuses exclusively on the enforcement of minors’ rights. I believe the panel were looking to equip citizens living in the EU and abroad with the skills and means to make complaints and pursue them. This is very worthy, and they talk about the inequality of arms when making complaints in Recommendation 9. With respect to the protection of minors, the GDPR legislates for both consent and special data, although for the purposes of the GDPR the legal definition of minor belongs to the member states. Perhaps there should be a higher floor on the age of majority; it is currently thirteen. Again, a concrete problem definition would help, and this may be another recommendation that would have been helped by stronger expert guidance.

Recommendation 9 seeks to mandate standardised privacy policies and easy to use consent forms, including withdrawal of consent, and to prevent entities from bundling services with consent. This would seem to me to be an attempt to equalise the relationship of legal power between data controllers/processors and citizens/data subjects. This is in my mind a reasonable problem to address. Legal remediation against corporate or state bad behaviour is expensive, takes too long, and there is an ‘inequality of arms’ when individuals are dealing with such entities, although Max Schrems, in his pursuit of judicial review on “standard model clauses” and how they enable cross-border data flows, has shown that with persistence great things can be achieved. I am unsure that standardised privacy policies are likely to be part of the answer; it has been tried by some open source campaigns and is encouraged by the GDPR. What is important here is that European citizens need confidence that the “storage limitation” principle is complied with, so that personal data is deleted when no longer required or when consent is withdrawn. In the latter case, the withdrawal of consent only impacts data for which consent is the lawful purpose. (There are five other purposes, including ‘legitimate interest’.) However, the legislature, in the Digital Services Act, now in trilogue, is strengthening the legal status of consent to prohibit web sites and services from inducing people to change their privacy settings in exchange for services. Without being part of the debate, it’s hard to know if this is sufficient.

Political will

In my mind, the problem is not really the law, but the dispersed nature of enforcement powers and, in the case of the Commission, a weak will to enforce. One of the key forces undermining the right to privacy is the political desire to permit the monetisation of such personal data; in the EU, advocates of this ‘right’ include the Commission and the member states. The fact that the EDPB is appointed by the member states may also lead to a weakening of its role as a regulatory enforcer; its predecessor, the Article 20 working party, often played the role of reminding all the other stakeholders that the goal is privacy for citizens’ data.

These issues, regulation, sanction, inequality of arms, enforcement and political will, are ones that a Citizens’ Assembly might be well suited to address, although the flabbiness of this recommendation shows that more work in designing the process and choosing the experts needs to be done.

Recommendation 13 calls on the EU to do more to combat criminal cyber-attacks. It does not mention external state-sponsored attacks. They also suggest that European leadership in cyber defence should be established.

Again, we can see no actions within the recommendation, and note that the Cyber Security Act (CSA), the last institutional review, only became law in June 2019. This act increased the powers and independence of the European Union Agency for Cybersecurity (ENISA).

There is a serious problem in this area in that all the member states seek to weaponise cyber-security flaws and often do not share them with their citizens or other member states. In some cases, they have conducted illegal surveillance programmes. This behaviour may undermine the ambitions of the legislation, but the CSA is a positive step forward; it should be given time to see what improvements it creates. I note that responsibility for cyber-security is shared between the member states, Europol and ENISA, again making pan-European, pro-citizen policies more difficult.

I was told informally that the driver to include this recommendation stemmed from fears over cyber bullying, which may also have impacted some thinking around Recommendation 8. I am not sure what the answer is, but possibly it should be considered in the context of the rights of the child, and the datenkraken should be held to account for their terms of service, which nearly all prohibit bullying, racism, misogyny, other forms of abuse and fake news, which takes us back to Recommendation 7.

On the positive side, the data proposals raise the question of whether the GDPR, which the EU thinks of as the world’s gold standard, is good enough, and whether we need to address the issues of regulation, enforcement, access to justice, protection of minors and a secure computing capability. Experts might think these problems are well addressed; the random citizens of CoFoE do not.

What the CoFoE thinks about citizen privacy