Sarah Ludford:

Comment: I’m trying to challenge Prism – not help it

Comment: I’m trying to challenge Prism – not help it

This comment piece is a response to a Politics.co.uk article published on Thursday.

The aim of the ALDE group on the reform of EU data protection legislation is to have enforceable and workable standards which give consumers assurance that their fundamental rights are respected and companies the confidence they need to invest in innovative business models.

My approach in the negotiations within the European parliament on the new proposed Data Protection Regulation has been to maintain high standards but also to clarify the implications of wording which seemed to me unclear or impracticable. After all, this will be directly applicable law EU-wide, so MEPs as well as the 27 governments owe it to users – 'data subjects' – as well as public and private sector organisations to get it right. I make no apology for challenging the rapporteur, Green MEP Jan Albrecht, to come up with workable text. I'm one of those awkward parliamentarians who thinks that the laws I help pass should be both easily comprehensible and feasible.

I apologise if the following is a bit anoraky for general readers, but specific amendments of mine have been referred to so I must too. My amendment 1220 aimed to delete a requirement for the user to be told whether the provision of personal data was "obligatory or voluntary". I have pointed out in European parliament discussions that the terms 'mandatory' and 'optional' are more usual and am gratified that the rapporteur has listened to me.

But this paragraph is in any case unclear in its effects, such as when filling out an online form or registration form. For instance on the Politics.co.uk website there is a box asking readers to "Fill in your details to receive Politics.co.uk's brand of informed, in-depth and independent coverage of Westminster to your inbox". No information is provided about which data the data subject is obliged to provide, nor what the consequences of non-provision are.

My amendment 1224 was to delete an obligation to inform someone of the source of data not collected from him/her. The Commission's formulation seemed to me unworkable in relation to publically available data. It would require Google, for example, which collects publically available data from the internet, to inform every data subject about the source from which the personal data originate. Politics.co.uk says that my name is Sarah Ludford and I am a Liberal Democrat MEP, but did not inform me from which source this personal data originates! Again, I am pleased that my forensic probing has had an effect in that the rapporteur now proposes that the obligation should be worded: "If personal data originates from publicly available sources, a general indication may be given."

Turning to my (now-famous!) amendment 1210, this was to delete a paragraph regarding information to users when their data is transferred abroad. In part this was a probing amendment to try to clarify its meaning and extent. I do agree in principle that where a transfer of data is to be made to a third country information should be provided, but I want to avoid in practice lots of irritating tickboxes and popups, and I'd really like to know how that will be done.

But the text from the European Commission said information should be given on the "the level of protection afforded by that third country", and I wanted to know the exact import of that. Was it realistic to expect that a user accessing services like YouTube, Twitter and Google, or the Politics.co.uk website, would have to be given an explanation of all the laws in, for instance, the United States? Would that mean information on all state as well as federal laws? The Patriot Act and the Foreign Intelligence Surveillance Act (Fisa)? Data protection? In fact the rapporteur has decided that this requirement should be dropped so I guess he agreed with me and my probing amendment was worthwhile.

The revelations that the US National Security Agency (NSA) has been trawling through 'metadata' from ISPs, telecoms companies and social media sites under a programme called Prism is of deep concern, especially while negotiations on this new regulation are in train. But these revelations are new only as to the details. MEPs, myself included, have long been worried about the 'conflict of laws' between EU data protection rules and US intelligence powers. We have campaigned for years through parliamentary questions such as this one in 2011 of which I am a signatory for the Commission to press the US on how Patriot and Fisa powers affected Europeans, and to try to ensure that the data of EU citizens is secure from NSA snooping.

And it is only thanks to the Liberal Democrats that NSA-type powers were blocked in the UK through the derailing of the communications data bill – the snoopers' charter –  which would have made suspects of us all in the same way as Prism.

The Commission's response to MEPs' concerns has been lame. I welcome justice commissioner Viviane Reding’s response to our concerns in promising to raise the matter with US attorney general Eric Holder and I hope and trust she will be now be robust.

But the issues of EU data protection law and US intelligence demands, though linked, are separate. The Commission's promise on June 11th to MEPs that the new EU data protection regulation would protect companies from the demands of US intelligence services for access to personal data is untrue and undeliverable. EU law will not in itself prevent the application of Fisa.

Thus the EU must at last resolutely press the case to the Americans that it is unfair for their own citizens to be protected by American constitutional and data privacy protections that EU citizens are denied and also clarify how the clash of laws between our data privacy standards and their surveillance powers is sorted.  

Returning to the progress of the data protection regulation, I am proud of some red lines I have put on behalf of the ALDE group. ALDE refuses to agree that the fundamental rights of the data subject can be overridden by the legitimate interests of the controller as the rapporteur to my surprise proposed. I have successfully insisted in Article 21 that member states should be able to extend as well as restrict rights. I have proposed that the possibility for member states to restrict rights on the basis of "an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters" should be entirely deleted as it could be a large loophole.

Regarding the principle of data minimisation in article five, I have said I cannot accept the rapporteur's suggestion to replace "limited to the minimum necessary [in relation to the purposes for which they are processed]" with "not excessive", which is far broader as well as imprecise. 

I therefore believe that the ALDE line of trying to get a synthesis of high privacy standards with text that makes sense is one worthy of praise, not attack.

Sarah Ludford is the Liberal Democrat MEP for London. Sarah is the Liberal Democrat European spokeswoman on justice & human rights and shadow rapporteur for ALDE on the EU data protection regulation.

The opinions in politics.co.uk's Comment and Analysis section are those of the author and are no reflection of the views of the website or its owners.