In 2006, the Council of Europe designated January 28th as Europe's Data Protection Day, an annual opportunity for discussion and debate on an issue that was, at that time, still not widely recognised as the essential human right, acknowledged by the European Court of Justice, that it is seen to be now.
The increase in awareness is largely due to events of just the past three years, such as a series of critical court decisions, the need for a fresh transatlantic data exchange agreement (Privacy Shield), the enactment of the new General Data Protection Regulation in the EU, and the revelations made by former CIA employee Edward Snowden.
But we cannot become complacent.
In a world where Donald Trump holds the highest office in the US and Britain is about to quit the EU, in which past or existing restraints, regulatory frameworks and social values are heaved overboard, we need to be eagle-eyed, scrutinising the data-gathering of our governments and the corporate world.
Consider the likely intentions of the incoming Trump administration. The new president gave every indication throughout his election campaign that he intends to increase the powers and surveillance capabilities of US spy agencies. And Trump inherits a National Security Agency already given augmented powers by Barack Obama, in one of his more lamentable actions.
Corporate data gathering may seem more benign, but it is as serious a potential threat to privacy as government surveillance. We really know very little about how corporations handle our data, how they parse it or intend to use it, now or in the future. But as we know from Snowden, they are the convenient bulk data-gatherers that government agencies can tap – by order or surreptitiously.
The rush by governments and companies to embrace “big data” initiatives within poor regulatory frameworks, coupled with increasingly adept data analysis, means apparently benign or anonymous detail may be pieced into revealing patterns, with weak oversight on the process or end use.
Put all this together with the Trump administration’s blatant willingness to lie (giving the press and public convenient “alternative facts”), and how can any rational person take the US or corporations at their word at, say, the negotiating table for the upcoming review of the Privacy Shield agreement, which mandates that EU citizens’ data be given the same protections within the US as it would have in the EU?
Suspension of disbelief
From the moment this agreement was announced, a willing suspension of disbelief was needed to accept that either the US agencies, or multinationals, could possibly be transparent enough to satisfy any legal challenge to it, given the existence of secret courts overseeing data surveillance and the dubious systems and controls companies used to separate and manage EU from US data.
On the latter point, I’ve spoken to senior managers and lawyers who indicate companies large and small, in Europe and the US, not only fail to do this adequately but fail to recognise it as a legal and operational imperative.
Then there’s Brexit. Recently, the UK brought in the draconian Investigatory Powers (IP) Act, making its citizens the most surveilled in any democracy. The law’s provisions would surely never stand up to European Court of Justice scrutiny. But that court will no longer have any say in the UK after Brexit.
Or will it? Though the British government blithely ignores this point when discussing post-Brexit access to the EU market, it – like the US – will be required to guarantee EU data held in the UK is handled in accordance with EU laws.
The US and UK governments seem unconcerned that the very basis for their billions of dollars and pounds in trade with a huge EU market is under threat if they cannot meet the higher EU bar for data protection.
Or is it a higher bar? While this has been the case in the past, particularly for corporate data exchange, an alarming shift has occurred, summarised in an article by privacy watchdog Privacy International.
Titled “A New Era of Mass Surveillance is Emerging Across Europe”, it states that Europe can no longer claim the moral high ground in data protection.
‘Unfettered power’
"Europe's biggest superpowers – [the UK, France and Germany] – have passed laws granting their surveillance agencies virtually unfettered power to conduct bulk interception of communications across Europe and beyond, with limited to no effective oversight or procedural safeguards from abuse."
Many argue that citizens don’t really care about privacy. But survey after survey shows they do. In the US, 84 per cent of a sample of US consumers recently told analyst IDC that they are concerned about the security of their personal data, with 70 per cent indicating it’s a greater concern now than a few years ago.
Younger consumers – the 18-35 bracket – express more concern than their older counterparts, counter to received (alternative facts?) wisdom.
A recent Eurobarometer survey indicated over 90 per cent of EU citizens have similar worries.
So, consider this Data Protection Day a call to activism. Take steps to protect your personal data.
And make your opinions on these issues known and felt here, in Europe and internationally.