[Title]IntroductionIt has become a widely accepted truism that the internet complicates international anddomestic public policy. One aspect of that is the availability and use of vast amounts of demographical,biographical and usage information left behind by internet activity—often referred to as ‘big data’.Along with the new importance of big data comes worries of surveillance, privacy, cyber-security, etc. InEurope, these came to a head when they announced a directive in January 2012, proposing a right-to-be-forgotten”, the idea that individuals deserve a say in the usage and effects of their online imprint.There have been several official reports on the impact of data and technology, some predating theinternet. This brief analyzes one of those reports, the European Union (EU)’s communiqué to theirparliament titled, Safeguarding Privacy in a Connected World: A European Data ProtectionFramework for the 21st Century of January 25, 2012 (henceforth, “the EU document”). Theanalysis is presented to identify broader trends in European internet policy with a focus on data privacy.This is an important communication policy that touches on issues of internet freedom, network accessand intellectual property rights. The findings in this brief can inform the interaction of Americanbusiness interests, and corporations, such as the US Chamber of Commerce (henceforth, "thechamber"), in their interaction with the EU.COM(2012) 9 : Key facts and proposals about the legislation1The EU document begins by recognizing that “personal data has become an asset for manybusinesses. Collecting, aggregating and analyzing the data of potential customers is often an importantpart of their activities” (European Commission 2012, 2).2The EU document acknowledges existing1‘COM(2012) 9 final’ is the official report number assigned to the official document by the European Commission.2The European Commission is the executive entity of the European Union (source: http://europa.eu/about-eu/institutions-bodies/index_en.htm)
directives but notes that that there has been no update for today’s environment—the EU’s previoustreatment on personal data and its free movement (95/46/EC) was in 1995. Furthermore, that directivewas not uniformly applied across states, which is now necessary with a single European market. Lastly, itis reported that both European citizens and businesses want comprehensive reform, with over 70% ofEuropean internet users fearing for their personal data (European Commission 2012, 4).The broad policy goal of these reform rules is to put individuals in control of their personal dataand to strengthen national data protection authorities so that they can implement those protections.More specifically, the proposed reform in the EU document has the following goals: an explicit requirement that obliges online social networking services (and all other data controllers)to minimize the volume of users personal data that they collect and process; a requirement that the default settings ensure that data is not made public; an explicit obligation for data controllers to delete an individuals personal data if that personexplicitly requests deletion and where there is no other legitimate reason to retain it. (EuropeanCommission 2012, 5)Concrete provisions for action promote individual control, data security & accountability,facilitating a single market, synchronizing law enforcement and addressing other countries. Someexamples follow: Facilitating individual control: Opt-in rather than opt-out mechanisms for data privacy agreementsbased on and a mandated right to have data deleted if consent is withdrawn. Data security and corporate accountability: Requiring that each large internet company of over 250employees employ a senior data protection officer or legal requirements for privacy by design. Consistent enforcement: laying down protection rules at EU level through a regulation directlyapplicable in all member states to put an end to cumulative and simultaneous application ofdifferent national data protection laws, and also further enhancing the independence an powers ofnational data protection authorities with a requirement to oblige member states to provideresources and facilitate that independence. Law enforcement: Providing for a minimum harmonized criteria, and addressing rights of individualsto be informed when police and authorities handle or access their data.
Background & FrameworkAction items in the EU document are underpinned by certain assumptions about privacy. The EUdocument emphasizes early that, “individuals have the right to enjoy effective control over theirpersonal information” (European Commission 2012, 2). Furthermore, data privacy is a fundamental rightin Europe which is enshrined in Article 8 of the Charter of Fundamental Rights of the European Unionand in Article 16(1) of the Treaty on the Functioning of the European Union. Europe is a trendsetter inthe area of digital privacy for consumers, and there privacy is a very heavily developed area of lawrelative to the rest of the world. Europe has discussed data initiatives for a while, even in the 1990swhen the internet was very young. The prominence of individual privacy rights is part of efforts toinclude internet policies into a broader European agenda.3Emphasis on privacy data control by the individual can be understood as a philosophicaldifference between- Europe and the USA who have different philosophical conceptions of privacy. Inthe USA, privacy is about minimizing government interference in ones affairs, while in Europe it is aboutones public reputation (Whitman 2004). In Europe, dignity is elevated to the level of freedom andequality as seen in how the EU charter’s first statement is that, “human dignity is inviolable. It must berespected and protected” and in further early statements protecting even mental dignity (EuropeanUnion 2000).4This confirms the preceding observation on the European assumptions and now privacydata protections can then be understood as a matter of dignity. The elevation of dignity is seen in thevariety of libel and slander laws in Europe which protect reputation. 5So there is a clash of world viewhere in which American internet corporations and business interests as represented by the chamber3The Stockholm Program is a roadmap for EU work in the area of justice, freedom and security for the period2010-14. (source:http://europa.eu/legislation_summaries/human_rights/fundamental_rights_within_european_union/jl0036_en.htm)4Article I, Chapter I of the Charter of Fundamental Rights of the European Union.5OSCE has a comprehensive cataloguing of libel/slander in Europe that can be accessed athttp://www.osce.org/fom/41958.
would view right to be forgotten legislation as invasive, whereas European citizens might see the samelegislation as protecting against invasiveness.As far as the framework from which the EU document is in, it can be categorized as whatinternational communication experts would refer to as a public-interest model . Communication policymodels are the foundation of understanding official legislation in the field . Understanding Europe asoperating in a public-interest model would reveal why Europeans approach legislation oncommunication infrastructure to prioritize consumer and citizen rights over corporations, at leastrelative to a liberal-market model. The public-interest model is premised on a communication policy forthe communal greater good and not just for private business entities (Venturelli 1998, 188-195).Conversely, the liberal-market model is premised on a laissez-faire approach to communication policy inwhich the market is allowed to operate with minimal government interference (Venturelli 1998). In theEU document and other referenced work, even when reports and expert recommendations arecouched in language of entrepreneurship and free-markets, their solutions are based on supra-nationaland centralized top-down solutions. Furthermore, there is always a justification that policies will simplifythe public sector (European Commission 2012, 12).Policy StrengthsOne area that the report is strong is that it addresses the concerns about regulation, arguingwhy these regulations will reduce red tape and make operating in Europe easier. The EU documentpledges that in order to enhance the single market dimension of data protection, they would, “ lay downdata protection rules at EU level through a regulation directly applicable in all member states which willput an end to the cumulative and simultaneous application of different national data protection laws,”leading to private sector savings of € 2.3 billion annually or simplifying the regulatory environment bydrastically cutting red tape and doing away with formalities leading to net savings of € 130 million a year
in just of administrative burdens (European Commission 2012, 7). In identifying and offering concretesavings available, they address opposing arguments usually raised by entrepreneurial businessadvocates.Under the reformed regulatory framework, the EU can make the case to customers that theyare promoting best business practices, and that a confidence in the integrity of their personal data canbe transferred to confidence in the operations of companies which is a good thing for the industry.Citizen’s trust in a robust and EU regulatory regime then arguably becomes an asset for serviceproviders and an incentive for investors looking for optimal conditions when locatingServices—arguments which the EU document makes (European Commission 2012, 8).Policy GapsAreas where the EU document is a little [weak] is in [the absence of technical details andinstruction], it’s nature as supranational document, addressing jurisdiction, and in its handling offreedom of speech rights.First, the technical aspect is unaddressed. A study presented to the European Network onInformational and Security Agency on the eve of the unveiling of the EU document voiced such concerns(Druschel, Backes and Rodica 2012). Second, there is an ambiguity between the EU as a supranationalentity and the authority if it’s member states. This comes out when consistent enforcement of dataprotection rules across Europe are addressed; and also where some reforms for joint activity on use ofdata in police and criminal justice cooperation seem to run afoul of those on data protection rules forthe digital single market. The EU document states that, “data protection requirements and safeguardswill be set out in an EU Regulation with direct application throughout the Union” yet “only the dataprotection authority where the company has its main establishment will be responsible for decidingwhether the company is acting within the law“ (European Commission 2012, 7). It is unclear then, whothe ultimate enforcer is intended to be, with state-centric language in a supranational document. Third
is the problem of jurisdiction is another area which can be problematic and solutions are not really putforth. For example the Supreme Court in Florida vs BFJF affirms free expression—states cannot passlaws restricting the media from disseminating truthful but embarrassing information such as the nameof a rape victim as long as the information was legally acquired (Rosen 2012, 91, Florida Star v. B.J.F.1989). This actually leads into the biggest lost opportunityTowards the end of the EU document, assurances are made that other rights such as freedom ofexpression and information, or right to conduct a business would be respected (European Commission2012, 12). However, that is mentioned in passing, and no examples of situational conflicts are given likethey are for other areas of the legislation in the EU document. Those freedoms are the crux of theargument against the right-to-be forgotten. That argument has been encapsulated by Jeffrey Rosen, aninfluential US-based legal commentator that argued that, “although Redding depicted the new right as amodest expansion of existing data privacy rights, in fact it represents the biggest threat to free speechon the internet in the coming decade" (Rosen 2012, 8). Facebook says that, “The right to be forgottenneeds very careful consideration. As drafted it raises major concerns with the right of others toremember and of freedom of expression on the internet “ (Facebook 2012); and Google is insisting thatthey “support the right to be forgotten, and [we] think there are ways to apply it to intermediaries likesearch engines in a way that protects both the right to privacy and the right to free expression” (Reuters2012).This communication does not specifically address these freedom of expression concerns speechwhich is a policy sector that forms the basis of all communication policy and law. Internet speech rightsare philosophically of such importance that even the United Nations has designated online expressionas a fundamental right (United Nations 2012). Due to the many interpretations of freedom of speechthe EU document would have benefited from exploring the issue in more depth like it does with theregulation issue.
Recommendations: Approaching the EUTo navigate this policy, the chamber and its constituents might do well to reach out to theUnited Kingdom (UK), while at the same time bearing in mind European history and viewing Europe asone entity.To the extent that there may be crack in European unity it is from the British who may havechosen to opt out of the right to be forgotten (Bowcott 2013). Efforts to stop the impending legislationcan therefore be channeled through the UK where the chamber and likeminded organizations wouldfind sympathetic interests to partner with. The UK has long had a historical special relationship with theUSA in which their global interests have usually aligned. Furthermore, the current timing isadvantageous as the UK is loudly talking about reassessing its relationship with the EU and proposing tocede less power to them (Cameron 2013).Conversely, in an admittedly contradictory approach to one targeting the UK, a helpful framecould be to view Europe as one entity, rather than a collection of countries. From this perspective theEU Documents proposed legislation need not be antagonistic to corporate interests. For two decades,the EU has had spoken favorably about using market mechanisms as motive power and fosteringentrepreneurial mentality and a common regulatory approach and warning (High-Level Group on theInformation Society 1994, 3). However their solutions are premised on supranational action. Forexample they have always recommended a union wide approach to legal security for privacy (High-LevelGroup on the Information Society 1994, 3). This is because of their previously discussed communicationmodel, but from an economic perspective it highlights the importance of understanding the economicself-interest motivations a one Europe and the political reality of a EU that wishes to project Europeanresolve in a world that is increasingly being dominated by the USA on the one hand and emergingeconomies such as China on the other hand (Renard 2012). Essentially, it is not out of the question thatthe EU is seeking to maximize economic gains, which means there is an opening to align interests.
In addition to the single market, identity and history matter and therefore a thoroughunderstanding of European history and the ideational forces that led to the creation of the EU shouldalso be kept in mind. Communication regulation happens via national political logics or mentalities ofgoverning meaning that, “the deployment of governmental power within specific political and culturalcontexts gives rise to different governance systems,” (Eko, Kumar and Yao 2011, 3). European internetpolicies are historically and socially constructed.6 Although nationalism still exists, there has been asocial conception of a European identity that has paralleled the political strengthening of the EU overthe years. This is again then can provide an understanding into why internet legislation is beingaddressed at a supranational level (EU) rather than by individual countries. On a related note, lookingover at the net neutrality debate, one sees that overburdening regulation is not always the modusoperandi in Europe, and there the focus is on transparency . In Europe strict regulation of internetservice providers are avoided but replaced with requirements to provide full disclosure of networkmanagement (Stover 2010, 80-81) This might explain the desire for opt-in (as opposed to opt out)measures which US-based companies tend to oppose (Facebook 2012).Conclusion: Global implicationsLegislation proposed in the EU document will go in effect in 2014 pending European Parliamentapproval. Brussels will be inundated with representatives and from various stakeholders edging for theirposition. Convergence of issues and technologies ensure that the right to be forgotten has implicationsfor international relations. For one, other countries are looking to the EU for leadership, and there is agood chance that whatever comes out of the EU will become a basis for how countries model theirlegislation, from diverse areas like South Africa and the Middle East—and the legislation could eveninfluence US law (Kanter and Sengupta 2013, Shaffer 2000). Developments in the United States in June6the idea of "constructivism" from International Relations theory goes more in depth into how states behavior andglobal outlook is influenced by history, shared values, etc
of 2103 have brought data privacy and the ongoing transatlantic trade negotiations between the UnitedStates and the EU have brought this issue to a head.7Data privacy for example, will have to be discussedin the context of the trade negotiations, and then there have been proposals of an internet tax. All theseissues are beyond the scope of this brief, they can be explored separately and are all issues that arerelated to the ultimate resolution of data privacy online in Europe.7On June 5, 2013 The Guardian and The Washington Post reported that a top-secret US national security program(PRISM) had direct access to servers of internet firms including Apple and Facebook (source:http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data;http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html)
BibliographyBowcott, Owen. "Britain seeks opt-out of new European social media privacy laws." The Guardian. April4, 2013. http://www.guardian.co.uk/technology/2013/apr/04/britain-opt-out-right-to-be-forgotten-law(accessed 5 2013, June).Cameron, David. "Speech to the European Union." Transcript. London, January 22, 2013.Druschel, Peter, Michael Backes, and Tirteria Rodica. The right to be forgotten - between expectationsand practice. ENISA, Brussels: , 2012.Eko, Lyombe, Anup Kumar, and Qingjiang Yao. "Google This: The Great Firewall of China, the IT Wheel ofIndia, Google Inc., and Internet Regulation." Journal of Internet Law (Aspen Publisher Inc.), 2011: 3-14.European Commission. Safeguarding Privacy in a Connected World: A European Data ProtectionFramework for the 21st Century. Communication from the Commission to the European Parliament, theCouncil, the European Economic and Social Committee and the Committee of the Regions, EuropeanUnion, Brussels: European Union, 2012.European Union. "Charter of Fundamental Rights of the European Union." Official Journal of theEuropean Communities, 2000.Facebook. "Facebook’s views on the proposed data protection regulation." europe-v-facebook.org.March 30, 2012. http://www.europe-v-facebook.org/FOI_Facebook_Lobbying.pdf (accessed June 17,2013).Florida Star v. B.J.F. 491 U.S. 524 (US Supreme Court, June 21, 1989).High-Level Group on the Information Society. "Recommendations to the European Council: Europe andthe global information society." Brussels, May 26, 1994.Kanter, James, and Somini Sengupta. "Europe Continues Wrestling With Online Privacy Rules." New YorkTimes. June 6, 2013. http://www.nytimes.com/2013/06/07/technology/europe-still-wrangling-over-online-privacy-rules.html?src=recg (accessed June 21, 2013).Renard, Thomas. The European Union and Emerging Powers in the 21st Century: Hwo Europe Can Shapea New Global Order. Surrey, England: Ashgate, 2012.Reuters. Spain refers Google privacy complaints to EUs top court. March 2, 2012.http://www.reuters.com/article/2012/03/02/us-eu-google-idUSTRE8211DP20120302 (accessed June 17,2013).Rosen, Jeffrey. "The Right to be Forgotten." Stanford Law Review , no. 64 (February 2012): 88-92.Shaffer, Gregory. "Globilization and Social Protection: The Impact of EU and International Rules in theRatcheting up of US Data Privacy Standards." Yale Journal of International Law, Winter 2000.
Stover, Christine M. "Network Neutrality: A Thematic Analysis of Policy Perspectives Across the Globe."Global Media Journal 3, no. 1 (2010): 75-86.United Nations. The promotion, protection and enjoyment of human rights on the internet. UNHCR, NewYork: United Nations, 2012.Venturelli, Shalini. Liberalizing the European Media. New York: Oxford, 1998.Whitman, James Q. "The Two Western Cultures of Privacy: Dignty versus Liberty." The Yale Law Journal,2004: 1151-1221.