Despite landmark court cases, many member states in the EU continue to push forward with overbroad surveillance laws.
What is the European Union’s track record on surveillance? The short answer is, it’s a mixed bag. While landmark rulings have shown a potential to rein in indiscriminate surveillance, some governments continue to pursue legislation that would put users and the global Internet infrastructure at risk. Indiscriminately collecting information about all users is at the core of negative reactions to overbroad surveillance regimes and harm to trust online. Still, the European Union can set strong global standards in the area of technology policy and user rights.
The EU’s standard-setting potential has been apparent in a handful of landmark cases from the Court of Justice of the EU (CJEU) over the past few years, most notably the invalidation of the Data Retention Directive in April 2014. The Directive had been in place for 8 years, and Europe’s highest court ruled that the law—which mandated indiscriminate collection and storage of all communications data of every European citizen—was a disproportionate infringement on the rights to privacy and data protection and therefore invalid.
Despite these landmark court cases, many member states in the EU continue to push forward with overbroad surveillance laws, including France, the UK, and most recently, Germany. The German government adopted a surveillance bill this October that includes mandatory data retention, even though the country had successfully challenged the implementation of the Data Retention Directive only a few years ago.
Too often in the current surveillance debate we are presented with a false dichotomy: privacy or security. In reality, to ensure trust online and the continued health of the Internet, we need both.
Current debates around the use of encryption and the mandating of backdoors offer a compelling context in which privacy and security are mutually reinforcing. Governments around the world, from the UK to India and from Australia to the United States, have been discussing and even initiating proposals to mandate backdoors into encrypted communications.
Such suggestions are not only harmful for user security and trust, but also are infeasible in practice. Encryption is a tool that improves user security, and enables secure transactions in a digital economy; for instance, online banking or essentially any online commerce would not be possible without encryption. Undermining it puts user and business security fundamentally at risk.
And this isn’t just about governments—the private sector has a big role to play as well. This is another area where the EU is actively setting a strong global standard. An omnibus data protection bill, the General Data Protection Regulation, which aims to strengthen the current framework and provide more control for users over their personal data, will soon pass the EU institutions and become law.
For Mozilla, our work starts with our products, which are built with open source code so that our users can trust—and verify—the privacy and security properties we claim. As both an Internet organisation and a global community of users and developers, we see it as essential to enable choice, transparency, and control, empowering those that use it.
Our principles are guided by the Mozilla Manifesto—#4 states “Individuals’ security and privacy on the Internet are fundamental and must not be treated as optional.” In that sense, governments should act to bolster user security, not to weaken it. At the same time, companies should adopt data privacy practices that respect users and create trusted online experiences, by providing greater transparency and control over their online identities. That includes ensuring that their policies are made accessible and understandable for those that use them.
I look forward to attending the World Forum for Democracy in November in Strasbourg, as this is an apt venue to engage in a constructive debate and collectively devise solutions to these pressing issues. It is important that at this crucial time, we openly and critically examine Europe’s approach, to ensure that it remains a standard setter for the protection of user privacy and the open and secure web. In Lab 5, I will participate in a debate on how to ensure privacy, data protection and freedom of choice online, through a discussion of two projects that seek to analyse and improve the current state of complicated Terms of Service Agreements.