"If I trust you, I'll give you my data"

In April 2016, the European Parliament passed the General Data Protection Regulation. Green MEP Jan Philipp Albrecht was the parliament’s Rapporteur for the new law and led the negotiations. Heinrich Boell Foundation Program Director Hannah Winnick spoke with Jan Philipp Albrecht following a screening of the documentary “Democracy” on May 17, 2016.

The text below is an abridged and slightly modified version of the original discussion.

HW: With so many languages, so many national and outside interests, whether from the private sector or non-EU governments, it’s hard to believe that the EU ever gets anything done. How do you do it?

JPA: It is a miracle that it works. The documentary shows quite in depth how the European Union is governed, so many boring meetings in very grey rooms in Brussels and elsewhere. But, luckily, in December 2015 we managed to get a deal between the 28 member states of the European Union and their governments [the European Council], on the one side, and the European Parliament and its 750 members on the other side.

Just two weeks ago the law [the General Data Protection Regulation] was published in the official journal of the European Union and two years from now it will be applied everywhere on the European market. This is not only to the benefit of EU citizens, but to the benefit of all consumers who consume either from European companies or on the European market. This is a standard that we are setting. It is a miracle that it works, but it works. (To learn more about this process click here). 

HW: It’s astonishing that, as one of the youngest EU parliamentarians in history, with relatively little political experience, you took on the influential role of Rapporteur.

Right, when I was elected to European Parliament in 2009, I was 26 years old. My party, and especially the young people who were very present in my party at that time, pushed to have young people in the European Parliament. But I was one of the few people at the parliament who brought a digital rights perspective and had the ambition to do something about it. That was recognized by my colleagues and also by the older, more experienced colleagues in the European Parliament.

HW: So as Rapporteur, you led the negotiations on EU Data Reform and ultimately wrote a law in which politicians from across the political spectrum and lobbyists from across every sector had a significant stake. How was someone so new to the parliament able to get this position? Were the lobbyists and other parties unaware of what an important and contested issues this would become? Were you yourself prepared for it?

JPA: Most of the lobbyists knew what was coming. It has been clear for years that personal data is the resource for our economies in the future. And for most of these companies that earn most of their money from such data.

The importance of data reform was also clear to me. I came into politics almost right from university, having specialized in IT security/IT law. So I knew what I was doing and what I wanted to do: to get a European standard on data privacy. But I underestimated the time we had to put into it. I’ve been working on this since 2010. We imagined that we would finish by the European elections in June 2014. In reality, we finished a few weeks ago by doing the 24 translations which still needed to be done within the EU and the publications in the journal and the rule books. So it took much more time than we thought.

Regarding why I was appointed as Rapporteur, the European parliament is different than parliaments in the member states of the European Union, but also different than other democracies like here in the United States. It is not made up of a government majority and an opposition. It is far more consensus-oriented, trying to bridge the gaps between the different legal cultures, different political cultures in the 28 EU countries. So therefore the political parties, even the smaller ones, get Rapporteur posts depending on the size of the group and on a rotating system. It was our turn. Of course, we prepared it a bit to be exactly this Rapporteur position. And as the bigger parties realized that would happen, they tried to take the position away from us, but in the end the majority said, no, this is the rule, and this is a person who might be very helpful in this position. So I was elected, which is even better than just getting the job by rotation.

HW: In the film, Joe McNamee (Executive Director, European Digital Rights) observes that each negotiator has to be able to make some compromises, but also has to report back to their party group and voters. What were the hardest compromises that you had to make and what were the red lines you knew you could not cross?

JPA: I really learned that getting into such a complex issue and getting the decisions right also means recognizing when legitimate concerns are brought forward, listening to many different voices, and learning about what might be the best solution. So you compromise. Then, of course you need to get a majority, so you have to also compromise with the other political forces and then you still need to decide if you can defend that, not only vis-à-vis your own expectations, but also to the voters, the party and so on. That’s quite a balance.

But I always had a bigger idea in mind and that’s the idea that a strong privacy scheme is not bad for anyone. It could be good for everyone. It could be good for consumers, but it could be also good for companies, I mean they want consumers to trust them. If I trust you, I'll give you my data. We don’t forbid anybody to share. We don’t forbid anybody to take part in new innovation. It is just that we safeguard their rights in this process.  In the end, even the lobbyists realized that it is also to their benefit, although they did not expect that from the beginning.  So that was the bigger vision, and that prevailed. I think we really got a win-win situation.  

HW: One of my favorite parts of the film is that alongside the shots of people negotiating in conference rooms, it also shows soccer players and the streets of Brussels outside. Ultimately, it was this outside world, in the form of Edward Snowden, that put the necessary momentum into the negotiations. How important was it to have the Snowden revelations occur in the middle of negotiations?  

JPA: The Snowden revelations were a key moment. Not in the European Parliament. We had managed to already get quite far in negotiations before that. But it was EU member governments who were not acting. They thought, “Do we really need to do something for data protection? Nobody really cares about it.” After Snowden, they couldn’t say that anymore. So it was the moment where they realized, we can’t oppose this anymore.

Before that, there had been governments, like my own in Germany or also the British government, who were quite resistant to these new standards. They were pressured by lobbyists and by their own companies, like car manufactures or financial markets, who said, “Let’s just lower the standard so we have a better chance to compete on the global market.” We had to fight that and Snowden was important.

The outside world is developing so quickly, and technology is developing so quickly. The question now is: is politics capable of following these developments?

That’s problematic, because democracy always needs time. You always need to debate. Snowden was important to get basic knowledge about what technology is capable of already, where we are, and to get people, including politicians, to understand the relevance of this. This is a pressing question of our time and we need to have an answer.

HW: Snowden pushed the pendulum in one direction. But we have since had the attacks in Paris and in Brussels in Europe, and in San Bernardino in the US, and those push the pendulum in the other direction. How do you convince people that it is not about balancing security and privacy, but that you need one to ensure the other?

JPA: I was just some hundred meters from the metro attack in Brussels. After the attacks, we all realized that we need to better share information between police authorities across borders. But the reaction that we need to get rid of privacy standards is not the right one. Because in the end, sharing information, especially cross-border, depends on common privacy standards. In Europe we still have 28 different standards in the area of police and justice. Many police authorities just don’t share data with other authorities in another country, because they think, “I cannot really trust that information is treated the way it is treated here, so we better not share. “ All of that comes down to the fact that we need better standards, we need common standards. It is a requirement, a precondition for getting more security, more effective police work, particularly cross-border.

HW: We can’t have a conversation about transatlantic debates on data without mentioning the most current debates. Last October the data transfer agreement between the US and Europe, the Safe Harbor Agreement, was overturned by the European Court of Justice. Snowden played into that in part, because the Court argued that it has no guarantee that the US actually protects Europeans’ data. So the current negotiations are proposing a new agreement called the Privacy Shield which many say does not meet the EU standards. What are your views on the Privacy Shield, and how important is the Privacy Shield if the General Data Protection Regulations are going into effect in two years and presumably already covers data transfers?

JPA: It’s important to understand what this is. This is about the question that in EU law, you have data protection rules based on a fundamental right. Every data processing needs to be justified, including transfers to third states. Normally, there are high requirements set for transfers to third, non-EU states. But if the EU considers this third state to have an equivalent protection of privacy standards, then data can flow on the same level as inside the European market.

So with Safe Harbor, the European commissioners had granted these “adequacies”, that’s the official term. But the European Court ruled that the standard was actually not being upheld, at least for EU citizens. For example EU citizens, in many cases, do not have judiciary redress possibilities as US citizens do. So now, the European Commission is preparing a new decision on adequacy by asking the US government to improve, for example, redress avenues or oversight when it comes to government access to data in companies, because it is mostly companies’ data transfers that we are talking about. This new Privacy Shield, in my view, is a little improvement, but far from what the European Court of Justice demands that the United States should deliver. So, normally, we should say that Privacy Shield is not sufficient.

On the other hand, if you look into the national security possibilities for oversight and redress, the US government tried to adjust a bit after Snowden and to improve oversight, while EU governments who run similar programs and do similarly little on oversight have not done anything. So just to say, “Why are you not adhering to the standards?” when even we do not apply them, looks a bit odd.

So we have the legal issues on the one side, and the political issues on the other side. My impression is, we won’t get perfect agreements right now.

The question is, how can we ensure that in the future it will be better? If we just grant adequacy completely right now, the US government would say, “Okay, that’s done now, we can transfer data from Europe to the US.” What I have in mind is that we constantly have pressure to improve. We need to say okay, for the moment, this is fine, but we also need to set a sunset clause of two, three years to adjust this agreement to further developments and requirements. That is hopefully what we can achieve.

With the data protection regulation, if somebody collects data on the European market and transfers it to the United States, they don’t have to follow only the Privacy Shield standards, they also need to comply with European Data Protection Laws. That is the regulation and hopefully that will makes things better for US consumers, too.

Audience Question: How does the EU General Data Protection Regulation handle the issue of consent? What did you do so that there really is that affirmative consent to share personal data rather than simply click-through consent?   

JPA: We tried to make consent meaningful again. To not say, because nobody takes notice and nobody understands, we just abolish his or her self-determination. We obliged companies to use clear, understandable language, in particular with regard to children online. In many ways, we all are children on the internet, because we don’t understand really what’s happening there. So the goal is to make it easily understandable what happens with our data. This is enforceable now, we can sanction a company up to 4% of its yearly worldwide turnover.

We also introduced the opportunity for standardized icons in the future, which could represent the consent texts. So users can understand, similar to using traffic signs, what will happen if they consent to, for example, an App’s terms.

So that’s how we tried to create informed consent. We hope that this will become a global standard and that companies who adjust to these provision on the European market can then also offer them to other people, for example in the US.

Audience Question: What was your biggest loss in these negotiations? And which one would you advise us individuals and data privacy NGOs to track the most?

On national security, it was clear from the beginning that we would never win anything. That is somehow the sacred cow, not only here in the US, but also in the EU. The EU itself cannot say anything on national security to its member states. So we need to get this right in the future. There shouldn’t be this black hole in democracy where there’s no real control anymore over individual and human rights in this area. This legislation was mainly focused on consumer privacy questions.

Audience Question: The question of data minimization came up in the film. But of course, many business models rely on collecting data. The Facebooks and Googles of the world would say it is necessary to collect all this information, because that is how their businesses work. Will the EU data legislation have any impact on the question of whether these business models threaten privacy?

Actually, the philosophical idea behind data protection was that if there, in an information society, there is more and more information available about all of us, it becomes more and more problematic or difficult to uphold non-discrimination. Equality, dignity, non-discrimination becomes more and more complicated if you know almost everything about everybody, because at a certain moment it becomes almost inappropriate to treat everyone the same—because they are just not. So there is something positive in forgetting or not seeing differences. When we talk about how likely it is that a brown-haired person or a red-head conducts a crime, it becomes hard to say, “oh, we can’t look at that.” To safeguard an open society, perhaps we should not process all personal data, but only what is necessary in order to achieve certain benefits. If you want a certain service online, then it should only process those sets of personal data that are necessary to deliver that service.

This notion, you should not collect or process more data than what is necessary, that’s the motivation for data minimization. It’s not that we want to minimize data because we are against data. It’s that more personal data would poison our society, because every personal data can be misused, misinterpreted, used for inappropriate means. As a society, we should look for anonymization tools. Yes, we are in favor of sharing information massively, but let’s blend out who we are talking about when we provide a service. In most services, it would be possible.

Jan Philipp Albert is the Greens’ member of the European Parliament for Hamburg and Schleswig-Holstein, and domestic policy and justice speaker for the Green party. In 2012 he was named the European Parliament’s commentator for the EU's General Data Protection Regulation. Learn more about Jan’s work here.

Hannah Winnick is Program Director for the Transatlantic Dialogue Program on Democracy and Social Policy at the Heinrich Boell Foundation North America. She runs the Digital Societies initiative.