The European Union needs to have common privacy standards in place as soon as possible. For this to happen, member states need to show far more engagement, says German MEP Jan Albrecht
More than three years on from the publication of the first draft proposal, the Data Protection Regulation is still under negotiation. However there are doubts over whether it can be agreed before the end of 2015. What is your view?
I think that for the legislation to be finalized by the end of this year member states need to show far more engagement. Negotiations in the Council are advancing at a slow pace due to simple issues and disagreements popping up over and over again, thus postponing the whole process.
So ultimately it’s a question of political will. If the Council does want to achieve an agreement, it can do it very quickly. The European Parliament has voted its position in October 2013: since then we are waiting member states to reach a deal in order to start the trilogue.
Speaking of the trilogue, how do you see the future negotiations between the Council and the European Parliament?
First of all, it will be key that the Council delivers on high standards for the protection of privacy. However, looking at the ongoing talks among member states some of the provisions of the proposal already run the risk of being diluted compared to the protection levels set in the 1995 directive.
This is a red line for the European Parliament: we won’t accept lower standards than the 1995 directive. If member states want to get on a common ground with the European Parliament they need to agree on stronger individual rights and sanctions.
Given that the regulation will have a two-year transitional period before it applies, don’t you fear that the technological evolutions will render the text obsolete by the time it enters into force?
I do not think that the text voted by the European Parliament will be outdated soon because it already encompasses all the actual developments and it is as much technology-neutral as possible.
But it’s true that if the Council doesn’t find an agreement anytime soon and negotiations stretch into 2016, adding the transitional period, it means that there are at least three years left before Europe has a single data protection standard. This equates to three more years of losses and struggle for the European IT companies in comparison with US Internet giants. I do not think that we can afford this to happen. We really have to hurry up!
However critics of the regulation lament that the regulation will result into more burden placed on companies.
On the contrary, the European Parliament has included in the text provisions that protect all the companies from too much burden – for example we excluded smaller companies from some duties of documentation and information.
Moreover, the new regulation would reduce bureaucracy by replacing 28 different national regimes with just one. The benefits for SMEs will clearly outstrip the potential burden which I do not think will be higher than today.
Is it possible to restore trust in transatlantic data flows and on which basis?
First, the European Union and its single market need to have common privacy standards in place in order to ensure legal certainty for consumers, citizens and enterprises in Europe.
Only then, we can start negotiating with the US on common transatlantic standards, i.e. the application of certain basic data protection rules. In short, that will be only possible if we pass the data protection regulation as quickly as possible.
How can we negotiate with the US on common standards and create a transatlantic market if Europe has not a single standard itself? As long as we do not achieve this objective it won’t be possible to negotiate on privacy standards in the framework of TTIP.
In addition, the US has also to do its own homework. New legislation on data protection recently announced by President Obama is a starting point and the first requirement for any further negotiation. Without such legislation in place it is almost impossible for the European Union to agree on common privacy standards.
What’s wrong with the EU’s plans for the passenger name record (PNR) system? Why the European Parliament is opposing the proposal?
In the last years nearly every terrorist attack we have seen involved attackers who were already known by the authorities as potential or suspicious terrorists. However, we have focused on collecting personal data of citizens – for instance through the data retention directive – who are completely not suspicious or risky.
Collecting just more hay if you are looking for a needle in a haystack is the wrong approach to improve security. The right way would be to spend the money that would go to the PNR system (hundreds of millions of euro) into better equipment for police and law enforcement authorities in Europe and into improving coordination and exchange of information on suspicious persons. This is what we ask.
A no less important issue is that last year the European Court of Justice ruled that retention of data without any link to suspicious or risk is not legal and proportionate. Therefore, we should not vote laws that we know are illegal.