In the wake of the Snowden revelations, the EU’s new data protection reforms will be the source of scrutiny, not least by communication professionals. We spoke to Giovanni Butarelli, the EU's Data Protection Supervisor, about the EU's reaction to the Snowden revelations and what this means for data privavcy and protection.
Neelie Kroes, vice president of the European Commission responsible for the European Union’s “digital agenda” has called the Snowden revelations a “blessing in disguise” – to what extent do you agree with that statement?
This is indeed the issue of the century. It’s a wakeup call for Europe and Europe should draw a line in the sand now or never. Some surveillance programmes took place on a basis of legal basis in the US but in breach of EU rules. And therefore this is relevant for our legal system and its time to have a final word on this issue.
What steps are you taking to address the loss of trust of citizens in the wake of the NSA revelations?
Data protection authorities as well as the European data protections supervisors are to be considered regulators but we are not in charge of policy. We advise the legislator and we monitor that the processing of personal data complies with existing rules, so we are strongly advising the legislature to give an answer to the strong request from EU citizens to be better protected in terms of fundamental rights. Those data protections authorities with the competence in terms of security and intelligence are investing lots of energies not only in terms of legal analyses of relevant actions but also to increase the level of security to strengthen the accountability of the relevant providers and to investigate where possible. The European Data Protection Supervisor, for instance, has invested particular energies in advising both the three main institutions but also with a view to increase the level of security of EU offices, bodies and agencies.
What role do you think directors of communications can play in rebuilding trust and informing the relationships between business and users?'
They could do a lot of things by keeping alive the level of attention of public opinion by insisting on the need of EU leaders to implement what they promised to the public opinion, to adopt by 2015 a strong EU data protection reform. That is because this is the main important step to be made in addition to a few other points. The European Commission has identified six main actions involving the state of play of existing bilateral agreements with the US and also the signature of new bilateral agreements, as well as some important steps in terms of international legal framework, so the position of certain first countries such as the US with regard to conventions. So it is important to also address the concerns of citizens and ask for the relevant regulations.
What kinds of limitations exist for the collection of personal data here in Europe?
We already have strong safeguards in terms of lawfulness, fairness, necessity and proportionality of the relevant processing of personal data, although these safeguards do not entirely build on fully harmonised legal framework and that’s the challenge of the EU reform. The EU is not competent on national intelligence but can do a lot of things in terms of protection of the fundamental rights of EU citizens. In addition to that, some of the national data protection acts also apply to national intelligence.
The European Parliament has voted to overhaul the EU’s 19 year-old data protection laws: when can we realistically expect it to happen?
I stand by the announcements of the European Council and of the Council of the European Union. They both expressed recently, October last year and repeated in June this year, to have the reform approved by 2015 at the latest. And therefore a short transitional phase is to be expected. That means by next year we can see these provisions officially published.
What can we expect from the proposed reforms?
The reduction of administrative burdens and red tape, strong harmonisation of existing rules by strengthening the accountability of relevant controllers and processors that the rights of data subjects, but also by reinforcing the enforcing powers of accountable data protection authorities. And finally by applying these provisions to everybody in the world, offering goods and services to individuals in the EU, or monitoring their behaviour.
To what extent does Big Data present a challenge for data protection?
Big Data is a new challenge in terms of the fast development of IT technologies, it is a serious challenge for data protection provisions but it’s not fundamentally affecting the principles. Our concern is that existing principles will continue to work with Big Data although in need of some ways to implement them in practice. We already had in the past enormous challenges such as changes when we moved from manual files to automatic files in the 70s, from analogic to digital networks, from silos to larger-scale information technology systems, from the pioneering e-commerce to the digital agenda. So we need to be prepared to other challenges, but that doesn’t mean we need to withdraw from principles to do with protection, so the emphasis is on the identification of new dynamic modalities to implement the same principles.
How will the EU reforms work around Big Data?
A lot. It will have an enormous impact, by being applicable to the global giants, although two out of the 20 Big Data players are located in the EU, so it’s not extraterritoriality, it is protection of EU individuals or more precisely individuals within the EU regardless of the geographical location of the servers or the controllers, or their establishment, what is important is to concentrate on the relevant impact on individuals, where they are profiled and where there are consequences.
Cloud computing is a complicated global market, largely American in origin. How secure is it for European businesses, without its own capacity for a European cloud?
Nothing is secure and can be secure in the IT world, we can only work to reduce as much as possible the relevant risks by considering as much as possible. What is important is to have a robust approach to security breaches, which is now in the package where we will apply to all controllers horizontally conditions that are currently only applicable to controllers competent for publically available communication networks. So we need to invest energies in dynamic measures of security, and the idea is not to reduce the flows, to create isolated cloud computing in the world. So I am not saying a European cloud cannot play any role, but the idea of regionalising computing or internet is not exactly what we have in mind.
Will geography matter more in the future in the field of data protection?
Increasingly less, because our concern is to improve the interoperability of existing networks, to work on international standards, not necessarily of a legal nature so other IT standards or guidelines around the world can play a role. So perhaps a few years we can also have some more dynamic contribution from the United Nations in terms of implementation of a recent resolution adopted by the United Nations in December last year.
What impact will the decisions taken by Europe on data protection reforms have on approaches to the issue in other parts of the world?
Enormous. A lot of other countries, in the APAC area for instance, are in waiting mode, looking to what happens in Europe, and I think that this will influence a lot their approach in terms of international approaches to data, approaches in terms of standards and also implementation of an international system. Japan is a key example of this approach, but South America as well.
Do you believe that companies are sufficiently prepared for the data protection revolution?
Not entirely, but it’s time to work on it since accountability is the main change of the EU reform They will not only be asked to comply but to be proactive, to translate into practice the new principles, to allocate responsibilities and to demonstrate that they comply to the request of citizens and data protection authorities. So from a static perspective to a dynamic one.
How will it affect the way corporate communication departments work?
It is time to talk more on this issue, not only in case of scandals or when there is a need to name and shame, but also to rate those that are protecting these rights by also creating a market, new professions and start-up companies. Also, to identify what the consequences for the citizens are also in terms of benefits. It is not only an issue of being passive in preventing interferences in fundamental human rights. We should also ensure that a robust and secure processing of personal data takes place in the interest of citizens, including the processing of Big Data.