PRISM Significantly Changed EU Attitudes for Personal Data
Adelina Marini, 8 October 2013
In January 2012, the European Commission proposed a radical reform of the European legislation on data protection so that it can be in line with the evolution of the online environment. Among the main changes the Commission proposed were common rules for personal data protection valid for the entire EU; work with only one national authority for data protection in the member state where is the establishment place of a company-operator of data, valid also for individuals; ensuring easier access of the citizens to their own data guaranteeing them the "right to be forgotten"; national authorities for data protection to be able to impose fines for violations of EU rules which can be 1 million euros or up to 2% of the annual turnover of the company.
The proposed reform was topical in the context of the tensions between EU and USA on the exchange of passengers' data in transatlantic flights. This was also the reason why the issue did not leave this context. But everything changed after the PRISM scandal in the US which revealed that the US National Security Agency (NSA) conducted clandestine surveillance of data operated by big trans-national companies. The fact that the data were subject to permanent surveillance through the biggest online companies in the world was revealed by Edward Snowden, an official at the NSA who received an asylum in Russia and is sought in USA for treason. The huge public impact the scandal unleashed injected new energy into the debate on the European legislation on data protection.
The Polish representative admitted during the public debate on the draft legislation on October 7 in the Justice and Home Affairs Council that the PRISM programme had led to "better understanding of the reform of data protection in EU". The country's representative even said that this was probably the most important legislation being currently discussed. "The cases with PRISM directed in a better way our understanding of the problem", he added. That is why it is very important that there is a common legal framework to treat the operation of data. Poland called for political will the work on the regulation and the directive to end by the spring of 2014. In this sense, Warsaw proposed the topic to be included in the agenda of the EU summit on 24-25 October which will be entirely focused on digital economy.
Germany's representative also mentioned the context of PRISM calling for more discussions on the transfer of data from third countries, while Slovenia announced that the recent problems had a significant impact on the country's decision to support in principle the Commission proposal.
It is about a single market of data worth one trillion euros
In the beginning of the debate Vice President Viviane Reding, responsible for justice, fundamental rights and citizenship, said that according to the calculations for 2011 the value of citizens' data was 315 billion euros and the expectations are that it will reach a trillion euros annually in 2020. "If we want to use this potential, we should open a single market for data in Europe", Ms Reding said recalling that in Vilnius in September a political commitment was made for quick progress on that dossier. She said she expected the ministers would turn this into a real progress.
Alas, progress cannot be seen on the horizon given the differences among the member states on some key elements of the proposal. Everyone are unanimous that a change is needed, but have different views on the scope of the proposed changes. The neuralgic points are the proposal for creation of a "one-stop-shop", which means that instead of you going to Dublin to file a complaint against Facebook you will be able to file it with your national supervisory authority which will also have the powers to impose fines. Belgium believes, though, that this single mechanism should be applied also for companies that are not established in Europe but have representation offices. The minsters split into three groups - one wanted more powers for the single mechanism, others wanted national authorities to be with a priority as Austria even warned against too much Europeanisation of the proposal and called for guarantees of the independence of decisions, while the third group insisted on continuing the discussions and not to hurry with the decisions.
One-stop-shop for transnational cases
This is the neuralgic point on which there was no unanimity among the ministers. In this regard, the debate took place on two models: a model where a single supervisory decision is taken by a supervisory body in the place of establishment of the company, but the explicit jurisdiction of that body to be limited to specific competences, and a second model where the various supervisory bodies take a decision together. The second model was proposed by France and foresees only the supervisory authorities of the affected member states to decide on the data operator. This means to work exclusively on the most important trans-border cases and not apply this model on petty cases.
Belgium said it was ready to accept the French model, but The Netherlands sided with the first model because it believes that if the supervisory authority were where the main place of activity of the company-operator was the decisions would be taken much more quickly. That is precisely why it is important this body to have greater powers, not purely administrative competences and even to impose sanctions. Italy shares the same opinion, while Slovenia and Spain proposed a third option - a combination of the first two. Finland underscored that the starting point of decision must be the fact that the authority for data protection on the place of main establishment should have explicit competence. That is why the country supported the first option, but without the explicit competences. The Finnish representative also said that it was important the citizens to be able to use their own language.
Denmark used its right of opt-out because it cannot accept a supervisory decision taken in a member state to be applied in another only because the company is registered there. According to Copenhagen, a good option is to apply enhanced cooperation and to allow different solutions. UK instead of a position posed several questions among which were which will be the authority that will take decisions and how can coordinated decisions be taken.
The second neuralgic point - the European Data Protection Board (EDPB)
In the role of a European-wide authority is the EDPB which consists of the heads of national supervisory authorities as well as the European Data Protection Supervisor. EDPB will replace the existing Working Party for protection of individuals. But how far should the EDPB's powers spread remained an open question during the debate. The Netherlands, for instance, is of the opinion that the Committee's decision should be legally binding. The same opinion is shared by Latvia who said, though, that the number of cases sent to the Committee should be limited. Germany, too, supports the EDPB to have greater powers and play a major role in harmonising the procedures and sanctions. Romania, as well, is among the countries who support the role of the EDPB to be enhanced because in this way will be avoided situations where decisions are blocked.
Ireland was even sharper expressing fears after listening to many positions that there is a risk of drifting away from the one-sto-shop and of approximation to an outcome that will undermine the possibility for coordination.
Estonia led the camp of countries who believe that the EDPB's powers should be limited. Tallinn directly said that it did not support the idea the Committee to take legally binding decisions and proposed consultations instead. France added that the restriction of the Committee's powers was necessary to act faster. Separately, it should be taken into account that national judicial and law-enforcement systems are highly divergent. The same opinion is shared also by Portugal and Denmark. Many countries, however, were of the opinion that more discussions were needed on the issue in the expert groups.
In this group is Croatia, too, whose Justice Minister Orsat Miljenic said the EDPB powers should be decided in the working group. Cyprus said, for its part, that the issues related to the EDPB should be considered only after an agreement is reached on the one-stop-shop. Hungary directly announced it would be better to continue work on expert level and Sweden turned to Poland, which called for speed, saying that quality was more important than speed. Viviane Reding, too, proposed the discussion on the EDPB to deepen and instead, to decide only on the one-stop-shop.
In the beginning of the discussion Ms Reding pointed out that there was a possibility of reaching an agreement by the year-end, but the Lithuanian Justice Minister Juozas Bernatonis said she was a big optimist and called for more realism. Nonetheless, Mr Reding underscored there was a great majority in support of the one-stop-shop which would send a positive signal to the member states. Has the signal reached its goal will be seen when the agenda of the October 24-25 European Council is approved.