Adoption of three texts on personal data: teach yourself how to be safe!

Paris, 14 April 2016 — Today, the European Parliament adopted three texts on personal data: the regulation framework for personal data processing by private companies, the Directive on judicial and police processing of personal data, and the PNR (Passenger Name Record) that aims at the creation of national records gathering large amounts of data of persons travelling from or to the European Union, including internal flights. These texts feature numerous loopholes that threaten the right to privacy. Given the inability of the institutions to come up with regulations that actually protect Internet users, it is up to each and every one of us to learn how to protect themselves, their personal data and their privacy on the Internet.

The first of the three texts in the General Data Protection Regulation (analysis in French), a regulation on personal data protection. This regulation will provide a framework for the usage of personal data by private companies. Even though it does feature a number of improvements upon the present situation, this regulation will not provide full protection of individuals against abuses of access to this data by companies or Member States, as we have been warning about for numerous months.

The second is the Directive that comes with the Regulation. It determines usage of personal data by police services and judicial services in the Member States. The Directive has comparably not been given lots of attention, given how important the negotiation of the Regulation was. Nevertheless, its reach is extremely vast1, which begs the question of institutional surveillance by the States. We worry about the checks and balances of the various national transpositions of this Directive, which will be difficult at the European scale, and virtually impossible worldwide2).

The third text adopted is the Directive on the usage of data from passenger records for the prevention and detection of terrorist infractions and serious crime, as well as for investigations and lawsuits on these matters, also known as PNR. Each Member State will have to establish a record of all passenger data for flights to or from the European Union, as well as within the EU. However, the Directive does not sufficiently specify the rules for access to these records, as well as modalities for exchange of information between EU States. Mere statements of attachment to fundamental rights might thus prove insufficient. France pressuring for the text to be voted as an instrument for the fight against terrorism is a distraction from the severe imperfections it carries, not only with respect to citizens' protections but also, ironically, in terms of effectiveness of surveillance of suspected individuals.

"These three texts voted today by the European Parliament after long and sometimes rough negotiations do not sufficiently protect personal data and fundamental rights. It is of the utmost urgency to learn and regain control of one's own data. Publicity blockers, cookie erasers, encryption and Tor usage are the instruments to regain some degree of privacy on the Internet. There are tools to help each and every one protect their private life, such as the website Contrôle tes données. La Quadrature du Net urges all of us to start securing and appropriating themselves their personal data as a fundamental step to protect our right to privacy, to free expression and to information.

  • 1. Notably covering demonstrations, sport events and riots, considering 11 (bis).
  • 2. Analysis soon to be published