On 14 April 2016, the plenary session of the European Parliament completed the legislative process for the General Data Protection Regulation. As rapporteur of the European Parliament, Jan Philipp Albrecht took part in the negotiation with the European Council of Ministers and the European Commission. The documentary Democracy. Im Rausch der Daten gives insights into his work in Brussels. In late April this year, after the screening of the movie at Humboldt Universität zu Berlin, Maximilian von Grafenstein spoke with Jan Philipp Albrecht about the complex legislative process. Fascinated by that verbal sparring match, HIIG Researcher Jörg Pohle analysed the different stances taken by Albrecht and von Grafenstein.
More than four years after the European Commission published the first draft, the EU General Data Protection Regulation (GDPR) was adopted in April 2016 by the European Parliament, coming into force in May 2018 after a two-year transition period. The regulation is, like data protection in general, a highly contested issue. There are deeply conflicting views on what the problem is about: privacy, surveillance and/or data protection; what needs to be protected and against whom; how the protection concept is to be designed, or which protection mechanisms should be applied. This contested quality is reflected in the many very public and often harsh clashes between different stakeholders in the course of the legislative process.
The contested nature of the GDPR deeply influenced this interview between Max von Grafenstein and Jan-Philipp Albrecht. Yet it is quite invisible for people unfamiliar with the specific ideological and conceptual battlegrounds, as both the interviewer Grafenstein and the interviewee Albrecht spar verbally with coded references to some of these very contentious issues. So let’s deconstruct some of the rhetorical tools and narratives employed by both Grafenstein and Albrecht in order to shed light on the underlying ideological positions.
The General Data Protection Regulation will replace the 1995 directive and is thus intended to bring data protection into the digital age. Why did the commission, after announcing a great modern approach, base the General Data Protection Regulation on the same principles used by the Data Protection Directive?
Jan Philipp Albrecht: The directive also builds on the system of past and other laws on data protection, as well as on the system of the fundamental rights to data protection in the constitutions of the member countries, in the Charter of Fundamental Rights and also on the judgements of the European Court of Human Rights. This means that there is a list of principles guiding data protection and its implementation. The reservation of authorisation was always an inherent part of the principle of data protection, meaning that data can only be processed if I either get the consent of the data subject or find some other legal basis. It was obvious that these legal bases, as well as the additional rights emerging from primary law – access, correction of inaccurate data, information rights – should be encapsulated in the regulation.
Grafenstein starts the interview by referring to the »great modern approach” the EU Commission had announced previously, which he then contrasts with the presented draft that is »based on the 1995 directive’s system”. By framing this alternative approach as »modern”, Grafenstein subliminally marks the enacted regulation as outdated, probably in an attempt to delegitimise it. This alternative approach is never explicated, though. Albrecht counters with a rhetorical means of his own: he simply switches the reference system from temporal (outdated vs. modern) to hierarchical. By referring to the member states’ constitutions, the Charter of Fundamental Rights of the European Union and the case law of the European Court of Human Rights as the regulation’s foundations, Albrecht seems to imply that any different approach would be unconstitutional – a different delegitimisation strategy than Grafenstein’s, but equally powerful.
Twenty-eight member states were involved in the legislative process, and constitutionally, these have very different objects of protection and protection concepts for data protection. The Germans have the right to informational self-determination; Italian data protection is regulated in the context of communication rights, and others regard it as privacy. The key term is learning process: did the agreement of 28 countries on an object of protection or concept result in a mutual learning process?
I believe that people learned a lot from each other, but above all regarding the concrete application and enforcement of data protection law. For example, people learned from the Germans that a company data protection officer is a good and helpful concept for the enforcement of data protection. People also took principles from other legal systems, such as privacy by design, the issue of the portability of the data and how to formulate the balancing of interests. These were discussions in which everyone let themselves be influenced by everyone else to some extent, so that the best result could emerge. Nevertheless, it is a European process. This means not just taking a bit from here and there, but also discussing things in a European context. It is not a German law, a Spanish law or an Italian law; it is a European law and it is, of course, built on a European legal basis. The Charter of Fundamental Rights has now been binding for almost seven years and the European Court of Justice has already made it clear what the objects of protection are in relation to data protection. These have to be a point of orientation for everyone, including the national courts. They will not be able to assess data protection in this regulation according to their national constitutional law; they will have to assess it against European law, the European Charter of Fundamental Rights and the case law of the European Court of Justice.
In his second question, Grafenstein refers to the vastly different understandings of what the legally protected good is and how the concept of protection should be conceived. Whether or not the protection principles or the means of protection mentioned by Albrecht in his answer – e.g. privacy by design or data portability – are necessary and sufficient to protect the protected good depends on how this very interest is defined. As neither Grafenstein nor Albrecht explicate what this protected good is – or ought to be, according to their own vested interests – their argument is unintelligible for most readers. Additionally, by referring to the negotiation process as a »learning process”, the vested interests and the conflicting values are obscured and a necessity for the seemingly unknowing lawmaker to learn is simultaneously implied.
There is a second aspect of the learning process: one problem with data protection is that people have little understanding of the technical and economic processes in which data is processed. Did the contribution of the private sector, which submitted nearly 4000 suggested amendments, offer insights into the economic and technological processes?
Definitely. This broad influence also led to a huge learning process among the participants in the legislative process, because, of course, an incredible number of new perspectives were introduced. Some of these perspectives were quite unexpected: even Danish ship- owners have their own concerns. That is why it is important and good that we allow more influence from the outside. I believe it is just as necessary and important that influence is exerted in a balanced way, and this was also the reason for the uproar, because 80 to 90 per cent of the influence came from one industry. However, it is important to differentiate between the various actors who added their voices to the conversation. There are some who propose an amendment, request a change or bring up an interest that is solely in the interests of their own profit and which does not add any value for the legislator at all. And there are those who did genuinely contribute something valuable to the process. This concerned, for example, the question of what technical standards should apply for do-not- track procedures or how to make information about data processing as understandable as possible for the consumer via visualisation. We also worked together with some actors from the industry, who progressively exerted more influence and introduced new perspectives when developing these changes. It is not like we just let things slip through our fingers.
This »need-to-learn” framing is even more apparent in Grafenstein’s third question – and it is similarly misleading. By asking whether the lawmaker gained any new insights from the many proposals submitted by businesses into how modern information processing works, economically as well as technically, Grafenstein obscures the main purpose of the consultation: to enable stakeholders, not only businesses, but also public authorities, academia and civil society, to influence policy-making in order to increase the democratic legitimacy of policy decisions. As the key purpose of these public consultations – in contrast to hearings – is not to receive objective and impartial expert opinions, Albrecht’s critique of many of the businesses’ contributions is similarly misleading. Not only is there nothing wrong in stakeholders pursuing profit or submitting interest-driven statements, by criticising stakeholders for failing to provide »added value” for the lawmaker, Albrecht implicitly attacks them simply for having interests different from those of the data subjects.
While nothing indicates that either Grafenstein or Albrecht or both deliberately try to mislead each other or the reader, their own ideological positions and vested interests still shine through their use of terms, narratives and other rhetorical means. The interview is therefore a striking example of the essentially contested quality of privacy, surveillance, data protection and especially the new GDPR.
Photo: CC BY-SA 2.0 Will Culpepper | flickr.de