Today we celebrated the 33rd International Data Privacy Day by reminding members of the Council of the E.U. representatives of their obligation to protect the rights of European citizens. We sent a letter, signed by several European and International NGOs, outlining the importance of the rights to privacy and data protection and urging them to reach a conclusion on the General Data Protection Regulation without any further delay.
Today, January 28th, marks the anniversary of the signature of the European Union’s Convention for the Protection of Individuals with regards to Automatic Processing of Personal Data (Convention 108). The Convention was the first international treaty to recognise the protection of personal data as a right, and its purpose remains as relevant today as when it was first drafted in 1981: To “[S]ecure […] for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him (“data protection”)”.
For more than thirty years, this Convention has been a cornerstone of privacy legislation and data protection in Europe and beyond. Yet after 33 years, it’s not an adequate guarantee: In today’s digital era, the rights of citizens need support in the form of binding law.
Modernizing the Data Protection Regulation
For many Europeans, last year’s mass surveillance revelations highlighted how inadequate current data protections really are. In order to provide European citizens with control over their personal information, laws must be up to date, comprehensive, and provide for the rights of users.
In 2012, the European Commission released a proposal intended to update and modernise the current data protection framework, referred to as the Data Protection Reform Package (DPR). This was the Commission’s first comprehensive data reform effort since the 1995 Data Protection Directive, conceived when only 1% of Europeans had access to the internet. The 1995 Directive, which sets minimum standards, resulted in a patchwork of 28 different data protection laws across the continent. The 2012 Regulation would update the Directive for technological advances, increase protections for users’ rights, and replace these 28 different legal regimes with one strong, universal standard.
The Data Protection Regulation passed out of the European Parliament’s Civil Liberties Committee (LIBE) on October 21st, 2013, and moved to the Council of the European Union. So far, its progress there has been painfully slow, in part due to efforts by certain member states — namely Germany and the U.K. — to obstruct negotiations. This dragging of feet has direct, negative impact on European citizens’ rights, as they’re exposed daily to online fraud, data mining and corporate profiling, and exposure of their personal data to countries with inadequate legal protections.
While the passage of the Data Protection Regulation is not the ultimate or only solution, it is a critical part of the broad reform required to achieve better protections of fundamental rights.
Why privacy matters
As we’ve said many times, privacy is a key building block for free and democratic societies. It’s an enabling right, without which we cannot enjoy freedom of expression or other rights. Without privacy, we self-censor, limit our associations, and are unable to fully exercise our freedom of conscience.
For these reasons we must safeguard the privacy of our communications — whether on or offline. But privacy is about more than protecting the communications themselves. We must have trust in the systems upon which we build our open and democratic societies. Our growing dependence on technology — to connect us, conduct business, and even manage critical domestic infrastructure — amplifies the threat to human rights when users, businesses, and governments lose trust in these systems.
The past few years have been hard on privacy, and damaging to overall levels of citizen trust in public and private institutions. Giving citizens more control over their personal data will be key to rebuilding this trust. This control includes being informed about how your data is being processed (collected, stored, and used), guaranteeing that your data is being processed for specified purposes and with your consent (or some other legitimate basis specified in law). Finally, you should have the right to access and correct data that has been collected about you.
E.U. institutions are now more than ever before accountable for its policies and choices regarding the right to privacy and protection of personal data.