Data protection for the digital age: Interview with Jan Philipp Albrecht
On 14 April 2016, the plenary session of the European Parliament completed the legislative process for the General Data Protection Regulation. As rapporteur of the European Parliament, Jan Philipp Albrecht took part in the negotiation with the European Council of Ministers and the European Commission. The documentary Democracy. Im Rausch der Daten gives insights into his work in Brussels. In late April 2016, after the screening of the movie at Humboldt-Universität zu Berlin, Maximilian von Grafenstein spoke with Jan Philipp Albrecht about the complex legislative process.
The General Data Protection Regulation will replace the 1995 directive and is thus intended to bring data protection into the digital age. Why did the commission, after announcing a great modern approach, base the General Data Protection Regulation on the same principles used by the Data Protection Directive?
Jan Philipp Albrecht: The directive also builds on the system of past and other laws on data protection, as well as on the system of the fundamental rights to data protection in the constitutions of the member countries, in the Charter of Fundamental Rights and also on the judgements of the European Court of Human Rights. This means that there is a list of principles guiding data protection and its implementation. The reservation of authorisation was always an inherent part of the principle of data protection, meaning that data can only be processed if I either get the consent of the data subject or find some other legal basis. It was obvious that these legal bases, as well as the additional rights emerging from primary law – access, correction of inaccurate data, information rights – should be encapsulated in the regulation.
Twenty-eight member states were involved in the legislative process, and constitutionally, these have very different objects of protection and protection concepts for data protection. The Germans have the right to informational self-determination; Italian data protection is regulated in the context of communication rights, and others regard it as privacy. The key term is learning process: did the agreement of 28 countries on an object of protection or concept result in a mutual learning process?
I believe that people learned a lot from each other, but above all regarding the concrete application and enforcement of data protection law. For example, people learned from the Germans that a company data protection officer is a good and helpful concept for the enforcement of data protection. People also took principles from other legal systems, such as privacy by design, the issue of the portability of the data and how to formulate the balancing of interests. These were discussions in which everyone let themselves be influenced by everyone else to some extent, so that the best result could emerge. Nevertheless, it is a European process. This means not just taking a bit from here and there, but also discussing things in a European context. It is not a German law, a Spanish law or an Italian law; it is a European law and it is, of course, built on a European legal basis. The Charter of Fundamental Rights has now been binding for almost seven years and the European Court of Justice has already made it clear what the objects of protection are in relation to data protection. These have to be a point of orientation for everyone, including the national courts. They will not be able to assess data protection in this regulation according to their national constitutional law; they will have to assess it against European law, the European Charter of Fundamental Rights and the case law of the European Court of Justice.
There is a second aspect of the learning process: one problem with data protection is that people have little understanding of the technical and economic processes in which data is processed. Did the contribution of the private sector, which submitted nearly 4000 suggested amendments, offer insights into the economic and technological processes?
Definitely. This broad influence also led to a huge learning process among the participants in the legislative process, because, of course, an incredible number of new perspectives were introduced. Some of these perspectives were quite unexpected: even Danish ship- owners have their own concerns. That is why it is important and good that we allow more influence from the outside. I believe it is just as necessary and important that influence is exerted in a balanced way, and this was also the reason for the uproar, because 80 to 90 per cent of the influence came from one industry. However, it is important to differentiate between the various actors who added their voices to the conversation. There are some who propose an amendment, request a change or bring up an interest that is solely in the interests of their own profit and which does not add any value for the legislator at all. And there are those who did genuinely contribute something valuable to the process. This concerned, for example, the question of what technical standards should apply for do-not- track procedures or how to make information about data processing as understandable as possible for the consumer via visualisation. We also worked together with some actors from the industry, who progressively exerted more influence and introduced new perspectives when developing these changes. It is not like we just let things slip through our fingers.
What are the major improvements compared to the old directive?
The greatest step forward achieved in this regulation is that in the future we will have a uniform regulation in Europe and hence in the European single market (the largest one in the world) and have thus created many factors that will contribute to better protection for consumers and a fair market for businesses that functions more effectively. This goes hand in hand with a reduction in bureaucracy, and, by the way, also of legal uncertainty, since deciding on one word instead of 28 different words (albeit with 28 different cultures of interpretation) already creates a degree of legal certainty. It is not that we can get rid of legal uncertainty; I believe no law can do this, because all words, even the words and or or, are open to interpretation and dispute. But we were able to significantly reduce legal uncertainty within a framework that also remains technologically neutral, i.e. independent of the technology used, and is thus able to cope with technical changes. Anyone who tries to define things in such a way as to provide virtually no room for interpretation will not be able to legally respond to new technical and economic developments in the coming years, because that would require this legislative process to be conducted every year, and that would not make much sense.
And the greatest loss?
The regulation could only be adopted because the member states were given the opportunity to continue making adjustments and rules in many areas at a national level. In a time of far-reaching digitalisation in all areas of life, this is already a drawback, and personally, I would have preferred if, for example, in the area of marketing, the perspective of consumers who would like greater decision-making powers, had been more strongly involved in the balancing of interests. Even if the companies constantly say that consumers don’t really want that. Unfortunately, there was nothing more to get from the other parties. And in the end, although we had to compromise, what we achieved is stronger than any national data protection legislation so far.
UPDATE: This interview was conducted in German and translated for encore 2016. Fascinated by that verbal sparring match, HIIG Researcher Jörg Pohle analysed the different stances taken by Albrecht and von Grafenstein. Both the interview and the deconstruction are featured in the 2016 edition of the institute’s research magazine encore.
This post represents the view of the author and does not necessarily represent the view of the institute itself. For more information about the topics of these articles and associated research projects, please contact firstname.lastname@example.org.