Català | Deutsch | English | Français | Ελληνικά | Italiano | Nederlands | Slovenčina

Data Protection in Europe

More than 100 Leading European Academics are taking a position

This position has been signed by more than 100 leading senior academics from across Europe, from disciplines such as Computer Science, Law, Economics and Business Administration.

The automatic processing of personal data is growing at an incredible pace and is starting to become an integral part of economic, administrative and social processes in Europe and throughout the world. On the Web in particular, users have learned to pay for a nominally free service by providing personal data for marketing purposes. Against this background, the overhaul of data protection regulation is now being discussed across Europe. A year ago, the European Commission presented a new draft of a European Data Protection Regulation. The European Parliament and the European Council are now preparing their views on this new regulation. At the same time, huge lobby groups are trying to massively influence the regulatory bodies.

To contribute a more objective perspective to this heated debate, we would like to bring forward some professional arguments. We want to reply to some arguments that aim to weaken data protection in Europe.

Innovation and competition are not threatened

The core argument against the proposed data protection regulation is that the regulation will negatively impact innovation and competition. Critics argue that the suggested data protection rules are too strong and that they curb innovation to a degree that disadvantages European players in today’s global marketplace. We do not agree with this opinion. On the contrary, we have seen that a regulatory context can promote innovation. For example, regulation has promoted innovation in the areas of road safety, environmental protection, and energy. For data protection, we already see start-ups throughout Europe that offer European citizens solutions to protect their personal data “out-of-the-box”. Security and privacy experts are selling consulting services to companies to help them manage their IT infrastructures more securely. For many important business processes, it is not data protection regulation that prevents companies from adopting cloud computing services; rather it is uncertainty over data protection itself.

The Boston Consulting Group’s recent report on ”The Value of Digital Identity“ provides further support for the notion that new data protection regulation from the European Commission will not impede the personal data economy. Five of the six usage areas BCG outlines for personal data are compatible with the proposed regulation. The consulting firm sees personal data, for example, as a lever for process automation, personalization, and the improvement of products and services. From our perspective, companies can use personal data for such purposes if they maintain personal relationships with their customers. For a long time, it has been shown that people are happy to exchange their personal data in return for valued services. Personalized offerings and continuous service improvement are feasible in the context of fair exchange relationships between companies and customers. Moreover, more trust in data handling practices will strengthen such relationships.

Current business practices will only be constrained if companies create value based solely on the aggregation and trade of personal data and do not invest in direct relationships with end customers. For example, large ad-targeting networks or data brokers will be restricted in their use of personal data if the regulation is passed in its current form. In these areas, however, we indeed see a need to adjust regulation and introduce sanctions.

Also, innovation is not threatened by the new data protection regulation because many services do not need data that relates directly to individuals. In many cases, the use of personal data can be avoided by using anonymization technologies. Where a service really requires personal data, this data can be collected on a contractual basis. Services can also gain access to data by asking citizens – in a fair way – for their informed consent.

On informed consent

Since 1995, usage of personal data in the European Union has relied on the principle of informed consent. This principle is the lynchpin of informational self-determination. However, few would dispute that it has not been put into practice well enough so far. On one side, users criticise that privacy statements and general terms and conditions are difficult to read and leave users without choices: If one wants to use a service, one must more or less blindly confirm. On the other side, companies see the legal design of their data protection terms as a tightrope walk. Formulating data protection terms is viewed as a costly exercise. At the same time, customers are overstrained or put off by the small print.

As a result, many industry representatives suggest an inversion of the informed consent principle and an embrace of an opt-out principle, as is experienced today in the USA. In the USA, most personal data handling practices are initially allowed to take place as long as the user does not opt out.

The draft regulation, in contrast, strengthens informational self-determination. Explicit informed consent is preserved. Moreover, where there is a significant imbalance between the position of the data subject and the controller, consent shall not provide a legal basis for the processing. The coupling of service usage with personal data usage is even prohibited if that usage extends beyond the immediate context of customer service interaction.

We support the draft of the data protection regulation because we believe that explicit informed consent is indispensable. First, an inversion of the informed consent principle into an opt-out principle considerably weakens the position of citizens. Such an inversion gives less control to individuals and therefore reduces their trust in the Internet. Second, we see several solutions that can solve today’s user problems. European companies are producing technical tools that will help users manage their privacy decisions automatically or with very little effort. In the USA, we see the W3C’s “do-not-track” initiative, which foresees the implementation of user preferences in browsers. Furthermore, technologies are being developed that interpret privacy terms for users and summarize the terms to facilitate decision-making.

As soon as the coupling of personal data use to unrelated service use is outlawed, users can make real choices.

On ‘legitimate interest’

Currently, companies can process personal data without client consent if they can argue that they have a legitimate interest in the use of that data. So far, unfortunately, the term “legitimate interest” leaves plenty of room for interpretation: When is an interest legitimate and when is it not?

To prevent abuse of this rule, which is reasonable in principle, the new data protection regulation defines and balances the legitimate interests of companies and customers. The regulation requires that companies not only claim a legitimate interest, but also justify it. Moreover, the draft report of the European Parliament’s rapporteur now outlines legitimate interests of citizens. It determines where the interests of citizens outweigh company interests and vice-versa. In the proposed regulatory amendments provided by the rapporteur, citizens have a legitimate interest that profiles are not created about them without their knowledge and that their data is not shared with a myriad of third parties that they do not know about. We find this balancing of interests a very fair offer that aligns current industry best practices with the interests of citizens.

When to apply the regulation? When is data ”personal“?

An important point of contention is what data processing activities should actually be covered by the regulation. Online users are often identified implicitly; that is, users are identified by the network addresses of their devices (IP addresses) or by cookies that are set in web browsers. Implicit identifiers can be used to create profiles. Some of these implicit identifiers change constantly, which is why at first sight they seem unproblematic from a data protection perspective. To some, it may appear as if individuals could not be re-identified on the basis of such dynamic identifiers. However, many experiments have shown that such re-identification can be done.

Despite the undisputable ability to build profiles and re-identify data, some industry representatives maintain that data linked to implicit identifiers should not be covered by the regulation. They argue that Internet companies that collect a lot of user data are only interested in aggregated and statistical data and would therefore not engage in any re-identification practices.

For technical, economical and legal reasons we cannot follow this opinion. Technically, it is easy to relate data collected over a long period of time to a unique individual. Economically, it may be true that the identification of individuals is not currently an industry priority. However, the potential for this re-identification is appealing and can therefore not be excluded from happening. Legally, we must protect data that may be re-identifiable at some point, as such precautionary measures could prove to be the only effective remedy.

Some EU parliamentarians suggest that anonymized, pseudonomized and encrypted data should generally not be covered by the data protection regulation. They argue that such data is not “personal” any more. This misconception is dangerous. Indisputably, anonymization, pseudonomization, and encryption are useful instruments for technical data protection: Encryption helps to keep data confidential. Pseudonyms restrict knowledge about individuals and their sensitive data (e.g., the relation between the medical data of a patient) to those that really need to know it. However, in many cases even this kind of protected data can be used to re-identify individuals. We therefore believe that this type of data also needs to be covered by the data protection regulation, even if it may be treated in a different manner than personal data that is directly identified. Moreover, coverage of this kind of data is also necessary to ensure that protection is properly and professionally applied. We need binding rules that are regularly adjusted to technical standards (i.e. best available techniques) and that define when data is sufficiently pseudonymized and when it can be considered anonymous.

Who should determine data protection requirements?

Besides the many positive aspects of the draft regulation, we see one structural weakness, albeit one that can be easily rectified: In many articles, the current draft from the European Commission sets only vague goals. For further details, it establishes the European Commission itself as the institution that would later define details through ‘delegated’ and ‘implementing’ acts. This plan would put the European Commission into a position of power that does not correspond to the European constitutional requirements. Data protection rules can have major impacts on economic, administrative and social activities. It is therefore the duty of the European legislative bodies to make such decisions by themselves. All relevant rules therefore need to be embedded within the regulation itself. Only details that are less critical from the perspective of politics and fundamental rights may be left to the Commission’s discretion.

This position from the initiators Oliver Günther, Gerrit Hornung, Kai Rannenberg, Alexander Roßnagel, Sarah Spiekermann and Michael Waidner has first been published on February 14th, 2013 in the weekly German newspaper „Die Zeit“. Read the German article.

Meanwhile, it has been signed by more than 100 leading senior academics from across Europe, from disciplines such as Computer Science, Law, Economics and Business Administration:

  1. Sarah Spiekermann, Vienna University of Economics and Business, Institute for Management Information Systems, Vienna, Austria
  2. Edgar Weippl, SBA Research and Vienna University of Technology, Vienna, Austria

  3. Jacques Berleur, University of Namur, Computer Science Faculty, Namur, Belgium
  4. Paul de Hert, Vrije Universiteit Brussel, Brussels, Law Science Technology & Society (LSTS), Belgium
  5. Cécile de Terwangne, University of Namur, Faculty of Law, Namur, Belgium
  6. Séverine Dusollier, University of Namur, Faculty of Law, Namur, Belgium
  7. Yves Poullet, University of Namur, Rector and Faculty of Law, Namur, Belgium
  8. Jean-Marc Van Gyseghem, University of Namur, Faculty of Law, Namur, Belgium

  9. Marios D. Dikaiakos, University of Cyprus, Department of Computer Science, Nicosia, Cyprus
  10. Tatiana Synodinou, University of Cyprus, Department of Law, Nicosia, Cyprus

  11. Vaclav Matyas, Masaryk University, Faculty of Informatics, Brno, Czech Republic

  12. Anja Bechmann, Aarhus University, Department of Aesthetics and Communication - Media Science, Digital Footprints Research Group, Aarhus, Denmark
  13. Ivan Damgård, Aarhus University, Department of Computer Science, Aarhus, Denmark
  14. Niels Christian Juul, Roskilde University, Department of Communication, Business and Information Technologies, Roskilde, Denmark
  15. Jakob I. Pagter, Head of Research and Innovation, Security Lab, The Alexandra Institute, Denmark
  16. Jan Pries-Heje, Roskilde University, Department of Communication, Business and Information Technologies, Roskilde, Denmark
  17. Christian W. Probst, Technical University of Denmark, Department of Applied Mathematics and Computer Science, Kongens Lyngby, Denmark

  18. Jukka Heikkilä, University of Turku, Department of Management, Turku, Finland
  19. Valtteri Niemi, University of Turku, Department of Mathematics and Statistics, Turku, Finland

  20. Catherine Barreau-Saliou, Institut de l’Ouest - Droit et Europe, Faculté de Droit et de Science Politique, Rennes, France
  21. Claude Casteluccia, Institut National de Recherche en Informatique et Automatique, Grenoble, France
  22. Yves Deswarte, Centre National de la Recherche Scientifique, Laboratoire d’Analyse et d’Architecture des Systèmes, Toulouse, France
  23. Marc-Olivier Killijian, Centre National de la Recherche Scientifique, Laboratoire d’Analyse et d’Architecture des Systèmes, Toulouse, France
  24. Daniel Le Métayer, Institut National de Recherche en Informatique et Automatique, Lyon, France
  25. Refik Molva, Eurecom Graduate School and Research Center In Communication Systems, Sophia Antipolis, France
  26. Philippe Pucheral, University of Versailles Saint-Quentin en Yvelines, France

  27. Andreas Albers, Goethe-Universität Frankfurt am Main, Faculty of Economics and Business Administration, Frankfurt am Main, Germany
  28. Michael Backes, Saarland University, Center for IT-Security, Privacy and Accountability (CISPA) and Max Planck Institute for Software Systems, Saarbruecken, Germany
  29. Harald Baier, Hochschule Darmstadt, Department of Computer Science, Darmstadt, Germany
  30. Eric Bodden, Technische Universität Darmstadt, Department of Computer Science and Fraunhofer Institute for Secure Information Technology, Darmstadt, Germany
  31. Tim Güneysu, Ruhr-Universität Bochum, Horst Görtz Institute for IT-Security, Bochum, Germany
  32. Oliver Günther, Universität Potsdam, Präsident, Potsdam, Germany
  33. Markus Hennies, Hochschule der Medien Stuttgart,Faculty Information and Communication, Stuttgart, Germany
  34. Jeanette Hofmann, Wissenschaftszentrum Berlin für Sozialforschung und Alexander von Humboldt Institut für Internet und Gesellschaft, Berlin, Germany
  35. Matthias Hollick, Technische Universität Darmstadt, Department of Computer Science, Darmstadt, Germany
  36. Thorsten Holz, Ruhr-Universität Bochum, Horst Görtz Institute for IT-Security, Bochum, Germany
  37. Gerrit Hornung, Universität Passau, Juristische Fakultät, Passau, Germany
  38. Stefan Katzenbeisser, Technische Universität Darmstadt, Department of Computer Science and CASED, Darmstadt, Germany
  39. Eike Kiltz, Ruhr-Universität Bochum, Faculty of Mathematics and Horst Görtz Institute for IT-Security, Bochum, Germany
  40. Ioannis Krontiris, Goethe-Universität Frankfurt am Main, Faculty of Economics and Business Administration, Frankfurt am Main, Germany
  41. Alexander May, Ruhr-Universität Bochum, Faculty of Mathematics and Horst Görtz Institute for IT-Security, Bochum, Germany
  42. Prof. Dr. Thomas Meier, Institut für Ur- und Frühgeschichte und Vorderasiatische Archäologie, Ruprecht-Karls-Universität Heidelberg, Heidelberg, Germany
  43. Mira Mezini, Technische Universität Darmstadt, Department of Computer Science, Darmstadt, Germany
  44. Jörn Müller-Quade, Karlsruher Institut für Technologie (KIT), Fakultät für Informatik, KASTEL, Karlsruhe, Deutschland
  45. Alfred Nordmann, Technische Universität Darmstadt, Department of Philosophy, Darmstadt, Germany
  46. Christof Paar, Ruhr-Universität Bochum, Horst Görtz Institute for IT-Security, Bochum, Germany
  47. Kai Rannenberg, Goethe-Universität Frankfurt am Main, Faculty of Economics and Business Administration, Frankfurt am Main, Germany
  48. Alexander Roßnagel, University of Kassel, Institute for Business Law, Kassel, Germany
  49. Britta Schinzel, Albert-Ludwigs-Universität Freiburg, Institut für Informatik und Gesellschaft, Freiburg, Germany
  50. Thorsten Strufe, Technische Universität Darmstadt, Department of Computer Science, Darmstadt, Germany
  51. Michael Waidner, Technische Universität Darmstadt, Department of Computer Science and Fraunhofer Institute for Secure Information Technology, Darmstadt, Germany
  52. Christopher Wolf, Ruhr-Universität Bochum, Horst Görtz Institute for IT-Security, Bochum, Germany

  53. George Katrougalos, Demokritos University of Thrace, Department of Social Administration, Athens, Greece
  54. Paul G. Spirakis, University of Patras, Department of Computer Engineering and Informatics, Patras, Greece

  55. Magdolna Csath, Szent István University, Gödöllõ, Hungary
  56. Kristina Irion, Central European University, Department of Public Policy, Budapest, Hungary
  57. Laszlo Majtenyi, University of Miskolc, Ferenc Deak Doctoral School of Law, Mickolc, Hungary
  58. Iván Székely, Budapest University of Technology and Economics, Department of Electronics Technology, Budapest, Hungary

  59. Simon N. Foley, University College Cork, Department of Computer Science, Cork, Ireland
  60. Mike Hinchey, University of Limerick, Lero - the Irish Software Engineering Research Centre, Limerick, Ireland
  61. TJ McIntyre, University College Dublin, School of Law, Dublin, Ireland

  62. Alessandro Aldini, Università di Urbino "Carlo Bo", Dip. di Scienze di Base e Fondamenti, Urbino, Italy
  63. Maurizio Cavallari, Università Cattolica del Sacro Cuore, Department of Business Administration, Milano, Italy
  64. Sabrina De Capitani di Vimercati, Università degli Studi di Milano, Dipartimento di Informatica, Milano, Italy
  65. Antonio Lioy, Politecnico di Torino, Dip. di Automatica e Informatica, Torino, Italy
  66. Alessandro Mantelero, Politecnico di Torino, Nexa Center for Internet and Society, Department of Management and Production Engineering, Turin, Italy
  67. Fabio Martinelli, Istituto di Informatica e Telematica, National Research Council, Pisa, Italy
  68. Fabio Massacci, Università degli Studi di Trento, Dipartimento di Ingegneria e Scienza dell'Informazione, Trento, Italy
  69. Pierangela Samarati, Università degli Studi di Milano, Dipartimento di Informatica, Milano, Italy

  70. Peter Y A Ryan, University of Luxembourg, Faculté des Sciences, de la Technologie et de la Communication, Luxembourg

  71. Svein Johan Knapskog, Norwegian University of Science and Technology, Department of Telematics, Trondheim, Norway
  72. Geir M. Køien, University of Agder, Faculty of Engineering and Science, Grimstad, Norway
  73. Stig Frode Mjølsnes, Norwegian University of Science and Technology, Department of Telematics, Trondheim, Norway

  74. Andrzej Adamski, Nicolaus Copernicus University, Faculty of Law and Administration, Torun, Poland
  75. Zbigniew Kotulski, Warsaw University of Technology, Faculty of Electronics and Information Technology, Warsaw, Poland
  76. Miroslaw Kutylowski, Wroclaw University of Technology, Institute of Mathematics and Computer Science, Wroclaw, Poland

  77. Paulo Mateus, Instituto Superior Técnico, Departamento de Matemática, Lisbon, Portugal

  78. Ladislav Hudec, Slovak University of Technology, Faculty of Informatics and Information Technologies, Bratislava, Slovakia
  79. Daniel Olejar, Comenius University, Faculty of Mathematics, Physics and Informatics, Department of Computer Science, Bratislava, Slovakia

  80. Gilles Barthe, Madrid Institute for Advanced Studies in Software Development Technologies, Madrid, Spain
  81. Josep Domingo-Ferrer, Universitat Rovira i Virgili, Department of Computer Engineering and Mathematics, Tarragona, Catalonia
  82. Javier López, University of Malaga, Computer Science Department, Malaga, Spain
  83. Artemi Rallo Lombarte, Universitat Jaume I, Faculty of Law and Economics, Castelló de la Plana, Spain
  84. Esther Mitjans Perelló, Universitat de Barcelona, Dept Dret Constitucional i Ciència Política, Barcelona, Spain

  85. Sonja Buchegger, KTH Royal Institute of Technology, School of Computer Science and Communication, Stockholm, Sweden
  86. Simone Fischer-Hübner, Karlstad University, Department of Computer Science, Karlstad, Sweden

  87. David Basin, ETH Zurich, Department of Computer Science, Institute for Information Security, Zurich, Switzerland
  88. Dirk Helbing, ETH Zurich, Departement Geistes-, Sozial- und Staatswissenschaften, Switzerland
  89. Marc Langheinrich, Università della Svizzera italiana (USI), Faculty of Informatics, Lugano, Switzerland
  90. Hubert Oesterle, Universität St. Gallen, Institut für Wirtschaftsinformatik, St. Gallen, Switzerland

  91. Mireille Hildebrandt, Radboud University Nijmegen, Institute of Computing and Information Sciences (ICIS), The Netherlands
  92. Jaap-Henk Hoepman, TNO, Groningen and Radboud University Nijmegen, Institute for Computing and Information Sciences, The Netherlands
  93. Bart Jacobs, Radboud University Nijmegen, Institute for Computing and Information Sciences, Nijmegen, The Netherlands
  94. Ronald Leenes, Tilburg University, Tilburg Law School, Tilburg, The Netherlands
  95. Nico van Eijk, University of Amsterdam, Institute for Information Law, Amsterdam, The Netherlands

  96. Ross Andersson, University of Cambridge, Computer Laboratory, Cambridge, UK
  97. Paul Bernal, University of East Anglia, UEA Law School, Norwich Research Park, Norwich, UK
  98. Eerke Boiten, University of Kent, School of Computing, Kent, UK
  99. David W Chadwick, University of Kent, School of Computing, Kent, UK
  100. Juliet Lodge, University of Leeds, Institute of Communication Studies and Jean Monnet European Centre of Excellence, Leeds, UK
  101. Mark Manulis, University of Surrey, Department of Computing, Guildford, UK
  102. Charles Raab, University of Edinburgh, School of Social and Political Science, Edinburgh, UK
  103. Brian Randell, Newcastle University, School of Computing Science, Newcastle upon Tyne, UK
  104. Angela Sasse, University College London, Department of Computer Science, London, UK
  105. David Wright, Trilateral Research & Consulting, London, UK