For the past decade, Joe McNamee has headed up EDRi, the European Digital Rights organization in Brussels. Often the sole voice of civil society in the room, his dry wit has influenced lawmakers and public discourse about privacy rights across the European Union. He is now stepping down from that role, but he was willing to chat with The Privacy Advisor's Jennifer Baker to get his thoughts on the highs and lows of data protection before he heads off into the sunset.
The Privacy Advisor: In the last 10 years, what have been the big standout moments in terms of data protection and privacy?
McNamee: I think the beginning and end of the [EU General Data Protection Regulation] were obviously major moments. At the time, I remember thinking that the GDPR was happening too early for people to fully understand how important it was. But the alternative would have been happening so late that the horse would have already bolted. So it probably happened at the best time, given that there was really no perfect time for it to be done.
The general challenge with regard to data protection and privacy in modern society, whether it's Europe or anywhere else, is that it's very difficult for people to understand how data is used and, most particularly, how it is merged. That's beginning to become obvious now with the various Facebook scandals and the emerging Google scandal. That was also the crucial thing to anticipate and get legislators to understand as the GDPR was being created. The battles around what started out being Article 21 on profiling, the right to object, and the definition of personal data all circled around those points and, of course, purpose limitation. So with it not being understood in the broader public, and possibly not being understood widely among generalist politicians, that was the big challenge of the GDPR.
The Privacy Advisor: During the whole GDPR law-making process, a lot of people said, “This is the most heavily lobbied piece of legislation we've ever seen in Brussels.” Do you agree with that?
McNamee: Yes. It definitely was the biggest campaign that I've ever encountered. But it happened in a different environment. At the time, the EU institutions were open to a civil society voice. They were open to accepting people at face value. If you said you represented civil society or digital rights groups, you were believed. But what happened over the GDPR was that it brought American-style lobbying to Brussels. So you had, for example, the big tech companies lobbying for themselves. Then, you had big tech lobbying through a wide range of trade associations. You had new trade associations, like Tech America Europe, springing up from nowhere. You had the Alliance for Data Protection, which is the association of the associations of the tech companies, amplifying the voice again. You had a think tank appearing with a narrative remarkably reflecting the views of big tech. Yet, that was still more of a level playing field than you would have today because that has served to poison trust in policy advocacy in Europe.
You have only to look at the current copyright negotiations. Nobody can say anything now without being accused of being part of the Google machine, even though the Google machine is actually not opposed to the crucial elements of the Copyright Directive. So, although GDPR lobbying was hugely favoring big business, the atmosphere was still more conducive to a good outcome before the days of astroturfing.
The Privacy Advisor: Are you surprised that the same groups that lobbied heavily against the GDPR now say the GDPR is the greatest thing so we don't need the ePrivacy Regulation? Does that sort of tactic work?
McNamee: I don't think that's been a particularly successful lobbying strategy. They've gone for more obfuscation and confusion. You had the famous IAB study that found publishers would lose a vast amount of money ... if, of course, you believe that Google and Facebook are publishers! There has been a lot of obfuscation like that.
Google has also done an astonishing job of spreading a story that Google benefits from the GDPR and that it hurts everyone else in order to stop GDPR-like measures happening elsewhere in the world, but also to create confusion about whether Google would also benefit from ePrivacy.
It's absurd, but it seems to have been a successful lobbying tactic. Google has got a very efficient press machine. They started pushing out the story, and publishers started repeating it. So that kind of thing has worked, but there has been confusion and obfuscation rather than good lobbying. Plus, it is being done on a national level and, in a lot of EU member states, civil society isn't very strong, so the big tech industry can push more aggressively than they can in Brussels where there is a more open debate.
The Privacy Advisor: We've seen a big discrepancy between the speed with which national negotiators want to complete the ePrivacy Regulation compared to other more intrusive laws, such as E-evidence. How do you interpret that?
McNamee: There was a famous news conference given by Viviane Reding in the middle of the GDPR discussions, at a time when the GDPR discussions were not going well, and she castigated the member states for just that. She was personally very offended by the obvious illegality of the Data Retention Directive, which was approved in record speed, compared to the slow progress of something that was designed to protect citizens’ rights. It's business as usual for the European Council. The council has massive power and very little accountability because it can always blame the EU.
Recently on the E-evidence proposal, I saw some tweets from civil society in France talking about this terrible EU proposal. But it was the former interior minister of France who wrote to the European Commission asking for the proposal. It might be an EU-proposed regulation, but it has French fingerprints all over it. Somehow when things hit Brussels, people accuse Brussels of being the evil party, while the national politicians seem to have no accountability at all.
The Privacy Advisor: Speaking of the Data Retention Directive ... yes, it was a bad law and it was rushed through, but it was ultimately struck down by the Court of Justice of the European Union. Do you foresee that maybe that’s going to become a method of law-making — throw together a law and then test it through the courts?
McNamee: Actually, it’s significantly worse than that, I'm afraid. Data retention was pushed through as a directive, national implementing laws were adopted to bring it into force, then, when it was struck down by the CJEU, most member states kept their illegal national laws, and the European Commission, whose job it is to be the guardian of the treaties, decided that it wasn't going to take action to ensure that the European court ruling was respected. So the commission is able to get legislation put in place and, because of its own political decisions, it has been able to keep it in place even after the CJEU rejected it.
And you see the same thing happening in the Copyright Directive proposal and the Terrorist Content Regulation. They're designed in such a way that even if they're struck down by the European court, there are enough levers in national law and enough legal liability concerns for internet companies that they will still potentially be enforceable even after they're struck down by the European court. That takes us into very dangerous territory.
The Privacy Advisor: Staying with court cases, the other big one in terms of data protection during your time at EDRi was the Safe Harbor–Max Schrems case. What were your thoughts looking at how quickly Privacy Shield was put together to replace it?
McNamee: It was an open secret, which even the dogs from the street knew, that Safe Harbor was not fit for purpose. The implementation report that was due from the commission in the early 2000s was, if I remember correctly, delayed by a year because they had to rewrite it in a way that made the evidence fit the policy. The commission routinely claims it does “evidence-based policymaking” — in fact, it usually does policy-based evidence making.
There was a hearing, I think in 2004, about international data transfers that was a hilarious farce because everybody knew that the regime wasn't fit for purpose. For the whole morning, everyone told the commission what it wanted to hear, claiming that everything was hunky dory. Then, a lady from Andersen Consulting, the first or second speaker of the afternoon, stood up and said, “Here's the thing. We don't comply with the rules. And the reason we don't is because we can't. It's just not working.” And everyone's mouth dropped open before they went back to the script again. But when Safe Harbor was overturned by the CJEU, it was extremely unsurprising.
The commission tried hard to hold its nerve and to respect the ruling. But at the 11th hour, they announced the finalization of Privacy Shield, before they'd even started negotiating Privacy Shield. Which is not a very good negotiating strategy, you'll be shocked to hear.
They adopted the mantra that “things are getting better, but we're not yet there.” There is a feeling that they just want to hang on until the end of the current commission mandate and then get the hell out. So, again, you see the commission acting in a way that is not exactly in line with what the European court said.
The Privacy Advisor: Crystal ball time. What are your predictions for what's going to happen in the coming years with regard to all these data instruments, taking in E-evidence and ePrivacy and the implementation and enforcement of the GDPR?
McNamee: On ePrivacy, I think the commercial case for it is going to continue to grow. Regardless of the fundamental rights aspects, I think governments will look at their publishing industries and realize that Google and Facebook are getting the majority of advertising revenue and all the revenue growth. Then, maybe they will do what governments are supposed to do and regulate in the public interest, not on the basis of shortsighted, incompetent lobbying. I think there will be more and more data showing that ePrivacy is needed not just for citizens — the people who elect government — but actually for the economy, as well. And I think that tipping point is going to come sooner rather than later.
The Privacy Advisor: Soon enough to get the law finished before the change of the European Parliament and the commission next year?
McNamee: It's difficult to tell. I'd like to hope so. There's already a lot of research available that shows that the more data you have, the more valuable data is. Therefore, weak data protection means that the biggest companies, i.e., big American tech, will always win. What sort of European policymaker would think that is a good idea?
I think the GDPR is progressing in a reasonably good way. There are still going to be outlandish examples of using the GDPR for outlandish purposes, but as long as people don't overreact, I don't see any particular problems on the horizon.
The next big thing, as artificial intelligence is increasingly used for decision-making purposes, is the significance of extrapolated data. It's going to become a lot more important for the public, and new strategies will be needed to address it.
The Privacy Advisor: So is “extrapolated data” going to become a new category of data alongside personal data, sensitive personal data, metadata and so on?
McNamee: If the GDPR does what it’s supposed to do, possibly not. The lobbying on that has already started. The huge push for a philosophical ethics debate as an alternative to having actual protection for real people has already started as a way of allowing companies to do what they want.
I think the current “ethics lobbying” — as absurd as that sounds — shows that a big societal debate is getting quite close, and that's going to shape everything from how cities are planned to whether artificial intelligence decides what we're allowed to see and read. That's quite a massive issue for our society.
And as with the GDPR, we need to look ahead and make future-proof decisions about what our society stands for in terms of fairness, in terms of democracy, and the competition of ideas and whether we can do that in a world where governments are relying on Facebook and Google to be gateways to information. Time will tell.
The Privacy Advisor: Finally, the question everybody really wants me to ask: What are you doing next?
McNamee: Taking a break. I haven’t decided on the future yet, but I think a brain that has had a break is better able to make that decision. Yeah, I need a break.