Talk of Christiane Féral-Schuhl on this topic during a conference organized by The Law Society in London, on April 30th, 2015.
Speech by Christiane Féral-Schuhl below:
The issue of personal data protection, which is the subject of the following debate, is an issue that took on a whole new dimension and importance with the Snowden affair.
Indeed, in 2013 when Edward Snowden revealed the large-scale surveillance of European citizens by the US intelligence services, the public became aware of the reality of mass espionage and the existence of the American “Big Brother”.
Actually, warning bells were ringing a long time before this. Bill Gates in particular, from 1997, spoke out about “private sector firms and civil services (that) already possess a mass of information about us. We have no idea how they use it and whether it is accurate…”.
The French Data Protection Act of 6 January 1978 was passed after the SAFARI (“Automated System for Administrative Files and the Repertory of Individuals”) file system was set up in 1974. This system aimed at centralising the databases of all police departments, using a new generation computer.
The law therefore aimed to limit and supervise access to information and stated in article 1 that “[…] it shall not violate human identity, human rights, privacy, or individual or public liberties.”
This aim is still relevant today and article 1 is, moreover, the only article of the 1978 act that has never been amended.
In France, personal data regulation is based on the concept of robust legislation to protect privacy and individual liberties. These basic rights are enshrined in article 2 of the 1789 Declaration of the Rights of Man and of the Citizen, in article 9 of the Civil Code and also in case law: on 23 October 1990, the French Court of Cassation recalled that “everybody, whatever their status, circumstances of birth, wealth and present or future duties, has a right for their privacy to be respected”.
Nevertheless, because we are facing the threat of terrorism, we are seeing the emergence of “security” legislation that pushes back these individual liberties. Technological development, by giving everyone, everywhere in the world, the power to use new information and communication systems, increases the capacity of public authorities, private enterprise and individuals to carry out surveillance, as well as to intercept and collect data.
This is especially the case with the intelligence bill that will be put to the vote in the National Assembly on 5 May.
This legislation adds to the purposes for which the intelligence services can use different data collection techniques and increases the array of surveillance tools.
One example is the famous “black box”, which operators and internet service providers can be forced to install and which, on the basis of predefined algorithms, will enable identification of suspicious behaviour, such as visits to certain websites or frequent contact with certain people. Data will thus be collected in real time and filtered to detect suspicious behaviour.
There are also “proximity devices”, which will enable the systematic, automated collection of data relating to people who may have no connection whatsoever with the suspect, but simply find themselves sharing the same geographical space…
Also under consideration is the possibility of extending the interception of electronic communications to the family and friends of the person under surveillance.
If the intelligence bill arouses significant debates and protests, this does not mean that our data are not systematically collected, sometimes without our knowledge, but more often with our active involvement.
We are fully aware that free access to the internet is not just the payoff for being exposed to advertising! These days our personal data represent the digital “black gold” coveted by all internet stakeholders.
Unbeknownst to internet users, personal data are also collected from their navigation history, from blogs, social media, search engines… and also by geo-localisation tools.
In addition, we should bear in mind how internet users are urged to communicate information about themselves, encouraged by the “selfie” culture. They eagerly reveal entire chapters of their private lives.
What are the dangers of this data collection?
First of all, internet users lose control over their data: “circulation of information concerning a person can sometimes have serious consequences on their private and professional lives, sometimes several years after” (French Data Protection Authority, 2013 annual report).
It is sufficient to notice that the number of companies falling victim to security breaches relating to customers’ information (names, addresses, phone numbers or even banking data which then become public…) is increasing significantly.
The fact is that internet users do not control the internet environment. There are many examples:
Some people think they are expressing themselves in a private “closed” space, which can only be accessed by their friends. Actually, they are in a public space “open by default”. The consequences of this can be disastrous and we have seen many examples: people who haven’t been able to find a job, let down by the comments they posted; those who were dismissed because of offensive or slanderous remarks about their management, which they posted to their Facebook page; others who have been prosecuted for slander or abuse.
There are those who, either unwisely or carelessly, did not sufficiently protect their accounts, privacy settings, logins or codes. They are unaware that these can be gathered from their navigation history, search engine queries or even by geo-localisation tools. Here the consequences can be even more serious: their online identity is stolen, others speak in their name, harming their reputation and their credibility. This is the case of this young woman whose name was used by a colleague for registering herself on internet dating sites. We shouldn’t underestimate the number of people who sink into depression, the young cyber-bullied or those who try to commit suicide…
In addition, there are many victims of rumours and those who suffer from the re-sending of articles about them, from information, photos and videos they would like to forget or see disappear from the screen for ever. This is the case with this victim whose intimate photos were made public by her housemate, who had installed a webcam without her knowledge.
Or this victim of “revenge porn”, an increasingly frequent practice which consists of posting compromising photos of one’s “ex”.
So, the issue is about focussing on how we protect privacy.
At national level, as was mentioned, there is the “Data Protection Act” of 6 January 1978, updated and adapted in 2004 to the new digital realities.
At the European level, there was the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28 January 1981 (Convention 108), which inspired the 1995 European Directive. This aims to protect people’s rights and liberties regarding processing of their personal data, by establishing the guiding principles that determine the legality of this processing.
There will soon be a new European regulation to replace this directive. The choice of regulatory instrument is interesting: given its status as a regulation and not a directive, it will therefore be integrated into the legal systems of all member states without transposition.
On a more international scale, since 14 December 1995, the General Assembly of the United Nations has adopted the guiding principles for regulating computerised personal data files.
Unfortunately, however, although legislation is important, it is incapable of protecting citizens.
In spite of common denominators – for instance, the limitations on collecting personal information and using it solely for the purposes for which it was gathered – the approach to data protection differs radically from State to State:
For example: In England, the rationale has more to do with self-regulation than control: British privacy is undoubtedly inspired by the free-market and is more consumer-oriented than French privacy.
An even more striking example: US authorities pronounce themselves somewhat in favour of selling data, whereas French authorities are bound to protect these. Likewise, in the United States, it is the consumer who is protected and not the individual per se; it is the law of consumerism and competition that applies, not the law of public liberties.
Should the internet user take more responsibility?
This is what is envisaged with the European regulation on personal data protection:
– the right to be notified that one’s personal data has been stolen, in the event of a security breach,
– the right to oppose a profiling measure,
– the right to the elimination of one’s data, as well as the elimination by third parties of links to these data or any copy or reproduction of them.
From July 2012, the European Commission called for “an increase in the control that users have over their data (…)”.
In its “Annual Study: the digital age and basic rights” (2014), the French Council of State proposes to promote the right to “digital self-determination”, in other words, the right of the individual to decide on the communication and use of their personal data at international level.
Is the internet user able to protect him or herself?
This issue takes on its full dimension when one discovers that, with regard to surveys for instance, most people attach little value to protecting their personal data.
– 71% would agree to exchange their password… for a bar of chocolate!
– Almost a third of internet users asked would give significant access to their data “for financial reward”.
So, consent is not enough to protect the individual, since people prefer to opt for short-term gains; proof, if any were needed, that they are unaware of the seriousness of consequent risks to their privacy.
In this context, how do we reinforce “protection of basic rights when faced with the use (of personal data) for industrial and commercial purposes (…)”?
One possibility might be the “technological” guarantees – provided by the European Directive on personal data since 1995.
These are protective prevention measures, for example, procedures of the “privacy by design” type (taking privacy into account at the design stage of technical devices) and “privacy by default” (protection of privacy “by default” in device settings).
It is also about raising the awareness of the big internet stakeholders so they are fully conscious of the importance of their role in protecting individual liberties (CJEU ruling of 13 May 2014 on the right to be forgotten: how effective this “right to be forgotten” is, depends on the search engines).
It is also about making these big internet stakeholders responsible for “setting the rules (transparency, compliance and so on) for implementing any processing that uses algorithms of a decision-making or predictive nature, having an effect on people”.
One thing is certain: globalisation of the internet compels us to rise above our borders in order to compare and share our thoughts.
I leave the floor to Nathalie Moreno and Anne-Claire Dubois, who will certainly be able to explain to us where French law falls short and what we can learn from British law… and vice versa?!