Politics & The World

by Matthias Hasler

Security and privacy – never have we been made more aware of the alleged conflict between these two concepts than nowadays. The digital age and the ongoing shift of social activity from the real, tangible to the virtual level have catered for a situation where the personal freedom of privacy is more exposed to abuse than ever before. While the internet has set a venue for the creation and circulation of personal data, the terrorist attacks in New York, Madrid, London and recently Paris have provided a welcome justification for politicians around the world to exploit this venue. For our security. The common public good.

But can governments legitimately claim to pursue the common public good when this comes at the expense of what we consider the constitutional basis of Europe’s post-war order? Can governments simply evade one vital pillar of contemporary democracy – fundamental human rights – for the sake of security? Two recent examples of EU legislation demonstrate how indifferent the EU legislature and the governments of the Member States apparently are towards a fundamental rights legacy which has evolved out of the unprecedented destruction and suffering of two world-wars. It seems to be in this context that other actors become active – or to put it differently – that other actors need to become active as there is no one else left to do the job: The citizens of the EU.

In 2006 the EU adopted the so-called Data Retention Directive. It allowed for the retention of various data generated by individuals through the use of electronic communication services and networks for up to two years “for the purpose of the investigation, detection and prosecution of serious crime”. Thereby it did not distinguish between suspects or non-suspects. Neither did it specify who and under which conditions may use and access the data. The opportunities to abuse the data for objectives other than the prevention of terrorism and serious crimes therefore loomed large.

Already in the policy-making process leading to the adoption of the Directive, 90 NGOs and 80 telecommunications service providers urged the European Parliament to reject the proposal. According to them, the indiscriminate manner in which data were to be retained amounted to “treating the use of communications infrastructures as criminal activity; just in case that it may be of use at some point in the future by countless agencies in innumerable countries around the world with minimal oversight and even weaker safeguards”. Needless to say, the European Parliament nevertheless approved of the proposal and the Data Retention Directive duly entered into force in March 2006.

It became one of the most disputed and controversial EU counter-terrorism measures and the European Data Protection Supervisor (2011) called it “without doubt the most privacy-intrusive instrument ever adopted by the EU in terms of scale and the number of people it affects”. The EU institutions and the Member States, however, did seem to readily accept this as the lesser evil when it comes to protecting national security.

It was not until 2013 that the NGO Digital Rights Ireland, joined by a large number of Austrian applicants was able to bring the matter before the European Court of Justice. What has been already clear for most commentators, became a legal fact when the Court declared the Directive invalid in early 2014. It did so, unsurprisingly, for reasons of its particularly serious and unproportional interference with the fundamental rights to respect for private life and to the protection of personal data, enshrined in the Charter of Fundamental Rights of the EU. What is particularly troublesome is that no EU institution and no national government made any efforts whatsoever to strike down this EU measure, although it was fairly clear amongst legal circles that the Data Retention Directive was in breach of the EU Charter of Fundamental Rights.

This indifference on the part of EU and national politicians towards privacy and data protection is not coincidental and has been proven once again very recently. At the latest since the revelations made by Edward Snowden it should be clear to every decision-maker in Europe that the US does not ensure an adequate protection of personal data. Finding a statement that the United States sufficiently protects personal data which is generated in communication networks not credible at all, is not particularly daring against this background.

However, just such a statement – designating the US as safe data processor – has persisted until the 6th of October 2015 within the Commission’s US Safe Harbour decision. Despite the fact that Edward Snowden had already started to systematically reveal precisely how unsafe our data is in the hands of the US National Security Agency from early June 2013 onwards. Apart from some cautious statements of indignation by some senior European politicians nothing much has happened in response to Snowden’s revelations. The Commission’s US Safe Harbour decision, dating back from the year 2000, remained unchallenged. Neither a government, nor any institution of the EU has dared to change this.

Once again it had to be on the initiative of a citizen, in this case the Austrian Maximilian Schrems, that the European Court of Justice was finally able to declare the Safe Harbour decision invalid on 6 October 2015. Just as it was the case for the Data Retention Directive, the Court considered the Commission decision as serious and unproportional interference with the right to privacy and the protection of personal data, since once transferred to the US, the personal data generated in Europe was subject to wide and almost unrestricted access and use by the NSA.

In the light of these developments it becomes unequivocally evident how crucial citizen’s involvement is nowadays to preserve the integrity of our fundamental rights legacy. Where governments and the EU legislature are too easily prepared to trade in our privacy for some remote and weakly proven law enforcement benefits it is ultimately on us to act. Only us. Sadly enough, given the EU’s and its Member States’ openly and proudly presented dedication to democratic values. However, such democratic values quickly transform into barriers rather than traits when politicians seek to pursue security interests. The area of data protection is certainly not the only policy domain that is affected by this trend.

It is civil society – and in the last instance, ourselves  – who needs to remind them constantly and insistently that what they consider as barriers are the very foundations of Europe’s existence in the post-war era. As such these values are worthy of rigorous  protection, come what may.

 

Image by Timberland Regional Library, taken from flickr