Sophie in ‘t Veld, of the Dutch social liberal party Democrats 66, is a Member of the European Parliament (hereafter: MEP). She is Vice President of the Alliance of Liberals and Democrats for Europe. In ‘t Veld has a specific interest in issues of privacy and data protection. As such, she is a member of, inter alia, the European Parliament’s LIBE Committee on Civil Liberties, Justice and Home Affairs, whose tasks include reviewing the EU’s proposed data protection reform package. She is also Chair of the European Parliament’s Privacy Platform. In the interview below, conducted on 7th November, 2014, In ‘t Veld elaborates on how the EU protects, or aims to protect, its citizens’ rights to privacy and data protection.
1. The European Convention on Human Rights, the European Court of Human Rights, the EU Charter on Fundamental Rights and the Court of Justice of the European Union (hereafter: CJEU)place different emphases on the right to privacy and the right to data protection. In your capacity as a politician, how do you distinguish between these two rights?
There is a difference, but the two rights are sometimes also linked. The right to privacy means you have the right to keep your private life to yourself. Data protection means if your personal data are being collected, stored or processed for whatever reason, data processing will be governed by certain rules to ensure data security and your right as a data subject. Often the two are linked.
2. How can citizens think more actively about what is done with their data and how to avoid violations of their privacy?
People are slowly becoming more aware. I’ve been working on data protection and privacy issues for 10 years now. 10 years ago, it was an issue for only a small group of interested people. Now everyone at one point or the other has been thinking of data protection. I think people are slowly becoming aware what the rights to privacy and data protection mean, and what they mean to them. The issue may differ slightly from one person to the next, depending on their context and who is handling their personal data. There are some very high profile, visible cases in the media of privacy violations and data protection disasters, which is another reason why people are becoming more aware. They think that more and more of their personal information is being stored and being used. Initially, people did not really realise so much of their data was being used. It is fairly invisible on the internet; data collection and storage is taking place, but it is not visible. People are becoming aware and the big difference is that when companies are using personal data for their own purposes, people have a choice. If they do not like what the company is doing, they can go elsewhere. Consumer power is an important tool in data protection. Public authorities have an insatiable appetite for personal information. They have a ‘not need to know, nice to know’ attitude. They store everything and, in that context, people do not have a choice. Their only choice is at the ballot box; they can hope for another government. These days, data is stored by governments of third countries, where we cannot vote. As a citizen, we are defenceless.
3. The Data Retention Directive was passed quickly in reaction to the London bombings. What are the political aspects of its quashing in the Digital Rights Ireland case? Does this reflect the increased public fear of privacy invasions since the Snowden revelations? What are the limitations on data retention and lack of transparency in governments on grounds of national security?
We had been waiting many years for that Court decision. We voted against the Data Retention Directive at the time. It is almost the most perfect example of policy laundering, which is particularly interesting in the case of the UK, given they are ranting against the EU and how it is not democratic, how it is an alien entity imposing laws on the citizens. That is not quite reality. The British wanted data retention back home, so they chose the option of policy laundering, that is, creating European legislation and circumventing national parliament to create an obligation to retain data. They did not want to go through the European Parliament at all, but wanted to adopt a data retention law as a law enforcement tool, which required unanimity at the time. There was no unanimity in the Council. The British therefore chose a different legal basis: not law enforcement, but internal market, which of course was ridiculous. Accordingly, there was a different procedure that involved the European Parliament. They basically rammed it down our throats; we were bullied into accepting it within three months. We had to adopt it very quickly in what was hardly a democratic process. It took Member States many years to implement. Once it was adopted, the implementation phase started, trouble arose and now what we see is that the Data Retention Directive has been annulled, but Member States hold onto their national laws, which are the transposition of the Data Retention Directive. They do not need the Data Retention Directive because they have national laws. That is political fraud. If they wanted a national law, they should have gone through the national parliament.
3(b). Could you please expand on the German Constitutional Court ruling in response to the data Retention Directive?
The German Constitutional Court did not annul the Directive, they cannot annul it, but they annulled the implementation law. In their view, it became clear that there was no way the Directive could be implemented in a way compatible with the German Constitution. If you see how stubborn the previous Commission was and the Member States just hanging onto their data retention laws, it is interesting.
4. You have previously suggested that the UK’s opting-out of EU police justice and cooperation measures could have an effect on surveillance of citizens. It looks as if the UK has decided to opt-in to the majority of these measures, but that Spain has vetoed some of these opts-in. What do you believe the potential consequences of these political manoeuvres are in relation to privacy concerns?
We discussed this yesterday [6 November, 2014] in Parliament. I asked the question of how they were overcoming Spain’s reservation. Initially, other countries had reservations: do they make concessions? Do they make changes? How? What is the decisive factor? That did not become clear. I do not know what the final package will be; I do not know if there will be a trade-off. I think it is a very strange procedure because the EU Parliament is not involved in it at all, but it will affect their work because it is an area where they have legislative powers. There are a number of areas where countries have opted-out, but there is no country like the UK that is outside the policy zone (they are not part of Schengen, they are not in the Euro zone, they have opted out of various police and justice initiatives, and social policies, and have kind of opted out of the EU Charter). At some point, as with Westminster and the Scottish Parliament, the question will arise of who has the right to decide over what. I am not necessarily advocating that British MEPs will no longer have a vote in this area. If the UK government, which is crying blue murder over the ‘evil’ Europe imposing its laws, is now deciding on police and justice matters, will the UK have a vote? We will see to what extent they can decide on matters that affect only other countries and not the UK.
5. In dealing with the US, how does the EU attempt to reconcile the two major conceptions of privacy at play (freedom vs dignity)? On a related note, to what extent do you think the EU privileges US interests? Is this a problem and, if so, how could we solve it?
The EU privileges US interests very much. I sometimes feel people negotiating on behalf of the EU are negotiating on behalf of the US. We accept very readily that some US law is basically being applied on EU territory.
I think the EU and US conceptions of privacy and data protection are maybe not quite as far apart as people think. On the whole, Americans have their Privacy Act, which is not a bad piece of legislation at all. The problem with the act is that it does not apply to EU citizens. There is some deal that it may apply to EU citizens, some administrative promise that they will apply it, but there is no real legal safeguard. Of course there are some exemptions from the Privacy Act. The Act essentially governs the relationship between citizens and public administration. The US also has an Act governing the use of personal data for commercial purposes by, for example, non-government entities. There are pretty strong safeguards in financial services, so it is not so much that Americans care less about privacy and data protection, it is just done in a very different way.
They really do not care about the personal data of non-US citizens. That is a big difference. We have principles here that apply to everybody. They make a distinction between US citizens and non-US citizens.
6. You have previously raised concerns about the democratic oversight of the EU Intelligence Analysis Centre, IntCen. Could you elaborate on these concerns and suggest what action should be taken?
For those who were not already worried about them, the Snowden revelations have shown how weak and ineffective democratic oversight mechanisms are in the area of intelligence. They are ineffective and I have not seen much improvement. This is a recurring thing. Every so many decades, there is a big scandal of intelligence services being completely out of control, then oversight mechanisms are implemented and, after a couple of decades, the whole process repeats. I have not seen that oversight mechanisms are being strengthened anywhere. What I do see is that where we have discovered secret services were out of bounds, rather than ending these illegal activities, parliaments have passed legislation that legalises previously illegal activities; they just create a legal basis for them.
7. In your work, how does the balance of powers between the European Parliament, European Council, lobbyists, big businesses, the CJEU and Council of Europe play out in respect to privacy and data protection? Are the lobbyists’ interests, especially those of internet giant-affiliated lobbyists, watering down the proposed General Data Protection Regulation (hereafter: GDPR), as the LobbyPlag site suggests?1
Data protection used to be the remit of the Single Market Director General. In the US, data protection is in the federal trade position; it is clearly a commercial issue, talking big bucks, a lot of money and big interests. Therefore, of course everybody is lobbying – academics, companies, everybody. This is fine; I think stakeholders should make themselves heard. Of course, we always have to be transparent about who has an interest. I think LobbyPlag was a very interesting initiative. I think there should be more such sites. It is an excellent instrument for democratic checks. The automatic assumption is that heavy lobbying by industry is not what we want. After the European Parliament voted, however, the lobbyists did not get all they wanted. If Google had its way, the draft would not look the way it does. The companies cannot completely buy power. They are much more effective in lobbying national governments than lobbying in the EU Parliament. The Parliament has left- and right-wing politicians, and accordingly some think they should include interests of industry. On the whole, I think the European Parliament, more so than national governments, is very aware of data protection and privacy protection.
What was more important was the US government lobbying; they intervened in the drafting process. I think this is totally unacceptable. Everyone can make recommendations once the legislation proposal is on the table. They wanted to modify the text in the interests of the US government. I think that is unacceptable. Are we too inclined to cater to the US’ needs rather than protecting the interests of EU citizens? Can you imagine that Europeans would go over to the White House and help draft legislation in Congress? There would be riots. In Europe, we are so submissive to the US. I think the US is great, I am a big admirer of the country, but I think Europe should be a lot more self-assured. No relationship that is so unequal is healthy. We need to be a lot more assertive. Ultimately, this is in the interests of industry: that there be strict, clear and uniform data protection rules. That facilitates the use of data and the free flow thereof. If there are no standards, the general public does not trust companies, then they lose business. It is in their interests that we have very strict data protection rules.
7(b). Do the Passenger Name Record (hereafter: PNR) and safe harbour agreements ensure an EU standard of data protection?
Neither PNR nor safe harbour meet EU data protection standards. There the US gets its way. They are rubber-stamping the transfer of data, when in reality the data protection standards are abominably low. Commercial business between two conflicting jurisdictions should not put the burden on the businesses.
8. How does your future work in privacy and data protection in the EU look?
I am doing lots of different things in Parliament and currently concentrating very much on my new role as Vice President of the Alliance of Liberals and Democrats for Europe. Privacy and data protection are always an important part of my portfolio. I believe privacy and data protection are about fundamental rights, freedom, citizens’ rights and the quality of our democracy. I feel it is essential in a democracy that politicians, journalists, lawyers and doctors feel they can operate freely. They should not have to be afraid of being under surveillance without knowing it. They have to be independent and free. They also have to know their communication, for example between journalists and sources, and lawyers and their clients, is confidential. Those safeguards are essential in a democracy. We have to be absolutely sure politicians, for example, cannot be blackmailed or pressured with information other political parties got from government agencies. This has to do with democracy; for me it is essential. All other things – the economy, the internal market - are important, but this goes right to heart of democracy. Two days before the twenty-fifth anniversary of the fall of the Berlin wall, we are reminded of how precious freedom is.