The US’s days of "splendid isolation" when it comes to privacy regulations are numbered, Europe’s top data protection watchdog has warned.
The past six weeks have put a spotlight on data protection like never before, exposing legal but questionable data use, as well as potential misuse and political manipulation to an extent that has shocked many observers.
To many in the European Union, the news wasn’t a revelation; rather it validated the changes to data protection laws they have been pursuing for the best part of this decade.
But in the US, where privacy laws are much less stringent, the Facebook scandal could be described as a wake-up call. Lawmakers are now seriously discussing regulation and during Mark Zuckerberg’s mammoth Congressional hearings, politicians grilled him on plans to apply EU rules globally.
The shift in attitudes has not gone unnoticed in Brussels. Giovanni Buttarelli, the European Data Protection Supervisor, said that on his most recent trip to DC, he could see the desire for stronger laws trickling down to the public.
“By surprise, what I've found is that a lot of citizens – not just NGOs – now want to have stronger laws, because they see citizens have specific rights when an EU-based company uses their data, but they don't have similar rights when a US company in the US uses their data,” he told The Register.
“And this feeling is reflected in Congress, not only in the 10 hours of hearings with Zuckerberg, but by renewed talk of the need for a comprehensive law.
“Many people are realising that the US is in splendid isolation mode.”
Bigger than Snowden?
Buttarelli – who has been in the data protection game since 1997, having led the Italian Data Protection Authority for 12 years before moving to the EDPS in 2009 – doesn’t shy away from emphasising the importance of the Facebook scandal.
“We continue to believe that this is a Snowden-like event with far-reaching consequences,” he said. “This is not a data leak. This is not the result of malicious actors. It is a systemic issue that’s the direct result of years of uncontrolled data policies.”
But, much like the [PRISM leaker/ex-NSA sysadmin turned whistleblower Edward] Snowden revelations, it's unlikely that simply recognising the systemic issue will cause a wholesale shift in policy – as evidence, you need only look at the number of legal challenges against government surveillance that are still dragging through the courts today.
So, surely politicians' sudden interest in making tech giants respect citizens' privacy seems at odds with state snooping?
Buttarelli – who began his career as a public prosecutor in Italy – is in partial agreement.
"I'm a member of the judiciary," he said. "So I'm the first one to say that surveillance should have a high degree of intrusiveness into the private sphere.
"But this intrusion – in many cases – reaches an extent that goes far beyond what is necessary in a democratic society."
Excessive surveillance can be counterproductive, he said, for instance by damaging public trust, and there needs to be a better understanding of "how to prevent generalised monitoring of all citizens".
This is particularly relevant when it comes to the transfer of data out of the EU – the bloc's tighter rules on privacy mean that it wants to ensure data subjects get the same protections elsewhere.
Most famously, this principle has been used by activist Max Schrems to bring down the Safe Harbor deal through his battle with Facebook over data transfers to the US.
That's now been replaced with Privacy Shield, which Buttarelli described as "acceptable in the short to mid-term", but said that the EU still needs reassurances on a number of issues, such as the lack of safeguards against law enforcement bodies deciding they need routine access to commercial data.
Brexit means... underestimating data protection
The UK government looks set to be involved in similar discussions in future. Despite its surveillance laws being ruled unlawful under EU law, at the moment it manages to transfer data within the bloc because of provisions allowed for member states. After Brexit, its position is more fuzzy.
Although Buttarelli maintains the UK will remain in the EU, when pushed, he said that if the UK opts for a hard Brexit then there would have to be an adequacy decision.
Some of the data protection consequences would depend on wider political agreements, he said, but: “Just as we did with the US, there’s no way out; adequacy would need to take into account the way in which the UK intelligence services operate.
“This could be an important test for the assessment of how national security works in the EU. It would by no means be a quick exercise.”
Buttarelli added that, in his view, the implications of Brexit on data protection “are being clearly underestimated” in the UK.
That may change due to Facebook’s data slurping hitting the headlines – but it’s also important that policymakers see beyond the Zuckerborg to the wider problem.
“Of course Facebook is on the front line, because of its size,” Buttarelli said, but the same concerns apply not just to other social networks, but also search engines and other firms – a view he has expanded on at length in a recent paper on microtargeting and manipulation.
As part of the EU-wide group of data protection authorities, the EDPS is involved in a number of investigations that Buttarelli said should show just how systemic the use of data for political campaigning and microtargeting is.
“Then people will understand how many other [Cambridge Analytica-like] companies unfairly processed their data for purposes other than commercial reasons... this will be sensational.” ®