Yvonne Hofstetter

Data Privacy: A European Perspective

Written by: Madeleine Gifford


Justice and the Law writer Madeleine Gifford

Last month the European Commission confirmed that it still aims to adopt the General Data Protection Regulation (GDPR) before the end of the year.[1] This new set of laws aims to comprehensively protect data privacy, taking into consideration recent technological advancements.

With the exception of the UK, there has mostly been an internal consensus on the underlying values of the legislation, with disagreements mainly concerning administrative issues.[2]

The harshest criticisms of the GDPR have originated from the US. American companies and interest groups active in Europe have argued that overregulation will stifle innovation and harm commercial interests.[3] Following the Snowden disclosures negotiations of the Transatlantic Trade and Investment Partnership and the Safe Harbor agreement have become more strained.[4] Clear divisions over privacy in governmental and commercial areas have resulted in frequent ideological clashes between the EU and US. These issues go beyond the struggle between commercial and consumer interests, to also encapsulate what James Whitman calls the clash between ‘Dignity and Liberty’, in this case the clash between the right to privacy and freedom of speech.[5] This debate was exemplified in the Costeja decision, where many American commentators argued the decision infringed on freedom of information and made Google a moral arbitrator of content.[6] In response, the US’s piecemeal approach to legislation was criticised for not providing adequate legal solutions for people who wished to remove images of dead family members, exploitative images, nude photos or revenge porn from their country’s Google search results.[7]  

For an Australian observer, analysis of these differing approaches is valuable in forming our own approach to data privacy. To better understand privacy concerns within Europe, I’ll be talking to author Yvonne Hofstetter who has become a staple in the German media on topics regarding technological advancements and information privacy.


Author Yvonne Hofstetter

MG: Thank you for taking the time to speak with me today. To start off, could you provide some examples of privacy infringement and its implications?

YH: There are numerous examples. Bank loans can be influenced by an individual’s Internet history. For example reliability could be determined based on the socio-economic status of friends on social media.  From the analytics of your telephone behavior (for example whether you make calls during the evenings or weekends) analysts can make conclusions about your character.

Data brokers can use these pieces of information as part of a portfolio in determining your reliability and stability. The worry is that data brokers will sell this information to credit scoring firms. There is concern about how this may affect the health insurance industry, and how data may be used to discriminate against individuals. With the introduction of new technologies we need to have these issues in mind. For example, Oral B has introduced a new toothbrush that records the time and manner in which you brush, then sends the data to your dentist. We need the regulations in place so that insurance premiums aren’t unfairly affected if dentists pass this information onto insurance firms.[8]

 

MG: So what legislative steps should be taken to prevent invasions of privacy? Should it be under the GDPR or through the laws of individual countries?

YH: Data privacy laws are only part of the solution. I don’t think you can fix everything through legal reforms. Technology professionals should build privacy measures into their systems. They need built-in privacy. Legal protections are still of paramount importance. Negative freedoms that allow people to avoid digital platforms should be entrenched in legislation, otherwise discrimination will inevitably occur.

For example, a friend of mine moved to the United States and applied for health insurance. As a military officer it was against protocol for him to have Facebook or other social media accounts. Because the insurance firm used social media to gauge the risk of individual’s leisure and recreational pursuits, and because he didn’t use any of these platforms, he was automatically charged a fifteen percent higher rate as they could not conduct a risk evaluation. This is the type of discrimination that needs to be avoided. However, different nations are going to combat these types of problems in different ways. Europe puts a greater focus on human dignity, whilst America and to some extent other countries such as England or Australia put a greater focus on the concept of freedom.  

 

MG: In the wake of the Costeja decision, Google will now take requests for content to be taken down.[9] In Germany you can apply for your house to be removed from Google Maps.[10] These solutions seem more reactionary than pre-emptive. Are there any ways that privacy violations could be curbed before they occur?  For example, prior to the program’s launch all domestic violence shelters were removed from Google Maps.[11]

YH: Companies could take pre-emptive steps but they won’t, as it’s not their job. To self-regulate in such a way is not the task of a commercial institution.  It is the job of governments to ensure that Internet infrastructure is compliant with privacy standards. Corporations are going to push the limits. For example, Airbnb or Uber violate many regulations and laws. There was a constant back and forth between Uber and the German courts in 2014.[12] Despite a lengthy privacy policy, Airbnb still does not fully explain who has access to identity verification files. Up until last year Airbnb had no ban on secretly filming guests. Only in November did they finally adopt a disclosure requirement for surveillance equipment.[13]

 

MG: After recent criticism Uber hired IBM's former chief privacy officer Harriet Pearson to review their data privacy program.[14] Uber appears to be one of a string of companies to have recently pledged more transparency, however these steps don’t lead to any enforceable consequences for misconduct.[15]

YH: Indeed and with new technologies such as the Google Glass you can see a continuation of legal disputes well into the future. In my opinion Google Glass could potentially violate up to fifty different German laws. It is the job of European governments to enforce legal rights.

 

MG: Privacy concerns regarding something like Google Glass go beyond Continental Europe. In America and the UK it is already looking like the device will be banned in cinemas, cafes, hospitals, casinos and when driving.[16] In Australia last year the ALRC proposed a new national offence for those recording private conversations with new technologies such as Google Glass in mind.[17] This reflects global concern regarding privacy issues, however at the same time a transatlantic culture clash exists.  The European mindset has obviously been shaped by historical violations of privacy under fascist and communist regimes.[18] Data protection is a fundamental right enshrined in Article 8 of the Charter of Fundamental Rights of the European Union.[19]

In comparison the United States has no explicit constitutional protections from privacy violations by businesses and concerns are often raised that privacy laws may infringe on freedom of speech.[20] Arguably more relaxed laws have allowed the US to reap the benefits of big data, creating more innovative and competitive markets. Big data is set to revolutionise the US health care industry and is likely to improve the lives of millions in the process.[21]

In your opinion is this culture clash between the US and EU reconcilable? 

YH: Definitely it is a transatlantic cultural clash and it will not be worked out universally. In the negotiations of the Transatlantic Trade and Investment Partnership (in which they want an open trade zone between the US and Europe) this clash between the values of freedom of speech and human dignity, and to an extent between capitalism and social democracy, can be seen. 

The US will dominate because they can maximise profits, whilst European markets are subject to greater restrictions. We are losing technology. The US is simply stronger at exporting ideas, business models and their understanding of economics.  Already the European military industry is becoming an extended part of the American market, as we are losing production capabilities. Commercially there are no major smart phones being fully produced in Europe therefore we have to accept products with built-in surveillance.  We have no alternatives and with no alternatives can we put our ideals to universal levels? Certainly not.

 

MG: The GDPR plans to penalize foreign companies acting in Europe €100 000 000 or up to 5% of their annual worldwide turnover for data breaches.[22] From your answer I’m guessing you don’t think this will be enforceable?

YH: I think what first needs to be highlighted is that there is rampant lobbyism in Europe. In Brussels firms will set up their lobbyist teams who will apply written proposals. What’s concerning is that some of these proposals will be copied verbatim into directives and laws. I personally think Google has had too much influence upon the directive. An example of this type of undue influence can be seen in the scandal regarding Belgian MEP Louis Michel who was accused of being influenced by lobbyists.[23]

 

MG: Michels is not alone - in 2013 senior British MEPs far more blatantly copied lobby papers.[24] Yet this did not breach parliamentary rules and lobbyists have the right to have their positions considered. If they didn’t have their concerns heard the issue would no longer be about balancing corporate and consumer interests but excluding corporate interests all together. Also if companies such as Google hold such influence, how have such high penalty rates been supported?

YH: The GDPR is perhaps the most aggressively lobbied legislative reform in EU history. A less vigilant approach has been proven to fail and any victories again have come through vigilance. Despite potential biases I do think the GDPR will have a positive effect. It will help entrench the right to be forgotten. It will also make it easier for companies, who will now only have to look at one set of laws.

 

MG: The GDPR was set to save €2.3 billion a year for businesses by unifying a currently fragmented administrative system.[25] Last year saw disagreements regarding how a 'one stop shop' mechanism would be implemented in practice.[26] Concerns regarding Article 17 (the right to be forgotten) were also raised.[27] Consensus over the GDPR sometimes appears to be strained.

Do you regret not being more conciliatory with the initial plan, as support now seems to be fragmenting? Do you think this signals a need for a change of tact by privacy activists?

YH: Securing support from a large group of nations is difficult, and maintaining that support over a period of years whilst facing fierce opposition is even harder. This setback highlights the need to press harder for privacy reforms. It explains why interest in the subject was reinvigorated in 2014. It also shows that changes made to placate corporate interests may not result in financial savings.

 

MG: The UK often has a different stance on privacy laws from its continental neighbours and the US. For example, the UK is a signatory of the Charter of Fundamental Rights of the European Union, however article 1(1) of an attached protocol states that the charter does not give power to the Court of Justice of the European Union or UK courts to find conduct in violation of the charter.[28] In NS v Home Secretary it was emphasised that this does not mean the UK is exempt from its commitments however doubt still remains as to whether the charter is actually enforceable and has any real effect.[29] Another example could be that many Britons have requested the removal of links following the Costeja decision, despite the ruling sparking controversy within the UK.[30]

What role do you think the UK plays in bridging transatlantic values?

YH: Historically and culturally the UK is much more closely allied with America than with the continent. There seems to be a constant clash of opinions between the UK and the continent and recently the UK’s position within the EU seems to be becoming more precarious. I think no single member of the Five Eye Countries [signals intelligence alliance between Australia, Canada, New Zealand, the UK, and the USA] can radically vary their data privacy policies, even in the corporate sphere.  Historically the GCHQ has been accused of privacy violations worse than those committed by the NSA. Whilst things have changed, there are still ongoing issues. Recently concerns have arisen over the ability of the GCHQ to access bulk NSA data without a warrant. Historical and continuing issues make me hesitant to believe the UK will make sustained changes.[31]

 

MG: Last year the High Court of England and Wales confirmed the existence of a tort of the misuse of private information in Vidal-Hall & Ors v Google.[32] Australia is obviously not subject to the same conditions, such as those imposed by the UK’s Human Rights Act. However, Australian courts have left the concept of a tort of privacy open, and last September the ALRC recommended the implementing a tort of the misuse of private information.[33] Do you think Australia should protect data privacy through a tort of misuse of private information similar to the one implemented in the UK? Or should data privacy be protected through different methods?

YH: I don’t think such a tort has a future within the British legal system. It is too controversial and is likely to be overridden by legislative amendments. Similarly I think it would be unpalatable to the Australian legal system. Not being an expert in English or Australian law, I wouldn’t be comfortable recommending changes to their privacy laws.

MG: I think we’ve covered more than enough topics for one interview. Thank you so much for taking the time to speak with Pandora’s Blog.

 

[1] European Commission, Data Protection Day 2015: Concluding the EU Data Protection Reform essential for the Digital Single Marke (28 January 2015) <http://europa.eu/rapid/press-release_MEMO-15-3802_en.htm>.

[2] Germany and France appear concerned that smaller, less capable states could decide on data privacy issues that effect the entire EU.

McCann FitzGerald, Paul Lavery and Ian Duffy, EU data protection – latest developments (January 27 2015) < http://www.lexology.com/library/detail.aspx?g=2a0cbcf2-5c70-4d1f-89bd-f25b347a0a3e>.

[3] There is not only an economic, but social element to the argument against strict privacy laws. Big data is set to revolutionise the healthcare industry, reducing ambulance times, hospital administration costs, improving patient care and revolutionising how the progression of diseases is tracked. Privacy laws could prevent EU citizens from receiving these potential benefits.

Adria Warren and Chanley Howell, Big Data Creates New Opportunities for Healthcare Entities (2 March 2015) The National Law Review < http://www.natlawreview.com/article/big-data-creates-new-opportunities-health-care-entities>.

Michael Roth, How Data Restrictions Hurt The Global Economy (3 March 2015) Information Week <http://www.informationweek.com/strategic-cio/executive-insights-and-innovation/how-data-restrictions-hurt-the-global-economy-/a/d-id/1319301>.

[4] Alexander Dix, EU Data Protection Reform (November 2013) Centre for European Policy Studies< http://www.ceps.eu/system/files/article/2013/10/Forum.pdf>.

[5] James Whitman, ‘The Two Western Cultures of Privacy: Dignity Versus Liberty’ (2004) 113(6) The Yale Law Journal 1151, 1153-1190.

[6] Jeffrey Toobin, The Solace of Oblivion (29 September 2014) The New Yorker < http://www.newyorker.com/magazine/2014/09/29/solace-oblivion>.

[7] Ibid; Adam Clark Estes, This is the Revenge Porn Law We Need in America (25 February 2015) Gizmodo <http://gizmodo.com/this-is-the-national-revenge-porn-law-we-need-1686856437?utm_campaign=socialflow_gizmodo_facebook&utm_source=gizmodo_facebook&utm_medium=socialflow>.

[8] Sam Schechner, Web-Enabled Toothbrushes Join the Internet of Things (2 March 2014) The Wall Street Journal <http://www.wsj.com/articles/SB10001424052702304360704579415161522531046>.  

[9] Google Spain v AEPD and Mario Costeja Gonzále (C-131/12) [2014] ECJ 317.

[10] Kevin O’Brien, Many Germans Opt Out of Google’s Street View (15 October 2010) The New York Times < http://www.nytimes.com/2010/10/16/technology/16streetview.html?_r=0>.

[11] Stephen Hutcheon, Ogle at street level: free speech or invasion of privacy? (5 June 2007) The Age <http://www.theage.com.au/news/national/ogle-street-level-free-speech-or-invasion-of-privacy/2007/06/04/1180809424855.html>.

[12] Concerns regarding Uber in Germany don’t relate to privacy infringement, but they do highlight the struggle of foreign companies to adapt to European regulations. There have been some privacy concerns in other countries:

Kevin Rawlinson, Uber service 'banned' in Germany by Frankfurt court (2 September 2014) BBC < http://www.bbc.com/news/technology-29027803>.

Maya Kosoff, Uber's nightmare scenario: How everything could go wrong for the world's hottest new company (9 February 2015) Business Insider <http://www.businessinsider.com.au/how-everything-could-go-wrong-for-uber-2015-2#more-public-relations-blunders-could-cause-public-opinion-of-uber-to-shift-1.>.

[13] Read more about concerns regarding AirBnB:

Jack Smith, Airbnb Finally Adds a ‘Don’t Secretly Film Guests’ Policy’ (6 November 2014) The Observer <http://observer.com/2014/11/airbnb-finally-adds-a-dont-secretly-film-guests-policy/>;

Nassim Khadem, You can't book with us unless you upload a personal video, Airbnb tells users (16 February 2015) Sydney Morning Herald <http://www.smh.com.au/business/you-cant-book-with-us-unless-you-upload-a-personal-video-airbnb-tells-users-20150216-13foor.html>;

Rishi Iyengar, Airbnb Sued by Group of Users in New York City for Breach of Privacy (3 September 2014) Time

<http://time.com/3260313/airbnb-sued-by-group-of-users-in-new-york-city-for-breach-of-privacy/>.

[14] Serena Saitto, Uber hires former IBM privacy chief to conduct review amid controversy (21 November 2014) Sydney Morning Herald <http://www.smh.com.au/digital-life/consumer-security/uber-hires-former-ibm-privacy-chief-to-conduct-review-amid-controversy-20141121-11r67g.html>.

[15] Heather Clancy, Why data privacy will become a competitive differentiator (18 November 2014) Fortune <http://fortune.com/2014/11/18/data-privacy-competitive-differentiator/>.

[16] Richard Grey, The places where Google Glass is banned (4 December 2013) Telegraph < http://www.telegraph.co.uk/technology/google/10494231/The-places-where-Google-Glass-is-banned.html>

[17] James Hutchinson, Proposed privacy laws put blinkers on Google Glass (31 March 2014) Financial Review <http://www.afr.com/p/technology/proposed_privacy_laws_could_make_9fjR6ab6xHVteBdI0LxaJM>.

[18] Viktor Mayer-Schonberger, Delete: The Virtue of Forgetting in the Digital Age (Princeton University Press, 2009) 141.

[19] Charter of Fundamental Rights of the European Union [2010] OJ C 83/389, art 8.

[20] Jeffrey Toobin, The Solace of Oblivion (29 September 2014) The New Yorker < http://www.newyorker.com/magazine/2014/09/29/solace-oblivion>.

[21]Bloomberg, How Big Data will Revolutionize US Health Care (3 February 2015) < http://www.bloomberg.com/news/videos/2015-02-02/how-big-data-may-revolutionize-u-s-health-care>; Jonathan Fisher, Who’s set to make money from the coming intelligence boom? (24 February 2015) Business Insider Australia < http://www.businessinsider.com.au/artificial-intelligence-how-to-invest-2015-2>; Josh Knowles, Stanford researches use big data to identify patients at risk of high-cholesterol disorder (29 January 2015) Stanford Medicine < http://med.stanford.edu/news/all-news/2015/01/researchers-use-big-data-to-find-patients-with-high-cholesterol-risk.html>; Jennifer Bresnick, Will the White House Chart a Course for Healthcare Big Data? (25 February 2015) Health IT Analytics < http://healthitanalytics.com/2015/02/25/will-the-white-house-chart-a-course-for-healthcare-big-data/>.

[22] European Parliament legislative resolution of 12 March 2014 on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) [2014] OJ C7-0025, art 79 (2a(c)), Amendment 188.

[23] Nikolaj Nielsen, Belgian MEP blames assistant for industry-scripted amendments (22 November 2013) EU Observer <https://euobserver.com/institutional/122205>.

[24] Bruno Waterfield, Tory MEPS ‘ copy and paste Amazon and Google lobbyist text’ (12 February 2013) Telegraph <http://www.telegraph.co.uk/technology/9865977/Tory-MEPs-copy-and-paste-Amazon-and-Google-lobbyist-text.html>.

[25] European Commission- Press Release, Commission proposes a comprehensive reform of data protection rules to increase users' control of their data and to cut costs for businesses (25 January 2012) <http://europa.eu/rapid/press-release_IP-12-46_en.htm>.

[26] Out-Law.com , Plans unveiled to remodel proposed 'one stop shop' regulation of data protection in the EU (2 June 2014) <http://www.out-law.com/en/articles/2014/june/plans-unveiled-to-remodel-proposed-one-stop-shop-regulation-of-data-protection-in-the-eu/>.

[27] Christian Wiese Svanberg and John Bowman, The Big Takeways from DPC 2014 (26 November 2014) IAPP <https://privacyassociation.org/news/a/the-big-takeaways-from-dpc-2014/>.

[28] Margot Horspool and Matthew Humphreys, European Union Law Oxford University Press 2012 7th ed .147

[29] NS v Home Secretary and ME v Refugee Applications Commissioner (C-411/10 and C 493/10) [2011] QB 102.

[30] BBC, Thousands of Britons seek 'right to be forgotten' (12 October 2014) < http://www.bbc.com/news/uk-29586700>.

[31] James Ball, GCHQ views data without a warrant government admits (29 October 2014) The Guardian < http://www.theguardian.com/uk-news/2014/oct/29/gchq-nsa-data-surveillance>.

[32] Vidal-Hall & Ors v Google Inc [2014] EWHC 13 (QB).

[33] Australian Broadcasting Commission v Lenah Game Meats Pty Ltd (2001) 208; Australian Law Reform Commission, Serious Invasions of Privacy in the Digital Era (ALRC Report 123)- 5. Two Types of Invasion(3 September 2014) <https://www.alrc.gov.au/publications/5-two-types-invasion/misuse-private-information>.