An open letter from Index on Censorship, Open Rights Group,
English PEN and Article 19

Note: Sarah Ludford MEP is a shadow rapporteur on the European Parliament’s data protection dossier

Dear Baroness Ludford,

We are writing to you about data protection. Following the revelations about PRISM and other surveillance by the NSA, we urge you to support a Data Protection Regulation that helps people regain control of their personal data. We would like to request a meeting to discuss our concerns.

MEPs now have a unique opportunity to show leadership by supporting the privacy rights of EU citizens and to establish the European Union as a centre for trusted data processing. As a shadow rapporteur on the dossier, and as an MEP with a track record of promoting human rights, you are in an especially powerful position to achieve this.

We represent UK civil society groups that work to promote and defend the right to freedom of expression. The connection between privacy and freedom of expression is clear. If people are not confident about who can collect information about them and their communications, they will likely refrain from saying certain things or meeting certain people.

Huge damage to trust in online services has been done by recent revelations. This has been to the detriment of both the exercise of fundamental rights and the development of new and innovative services.

Too often, people do not know how their information will be used, where it will be processed or who will have access to it. This is partly because the principles of the current data protection laws are insufficiently implemented. We believe the new Data Protection Regulation could give people more control over what happens to their information, and ensure those that collect and use data adhere to the rules.

The PRISM revelations demonstrated that we cannot cleanly separate regulation that governs the use of personal data by commercial actors from the access to that data by public bodies such as law enforcement. Having participated in the European Parliament discussions on SWIFT, PNR and data retention, you have seen this development over recent years. It is imperative that EU citizens benefit from a legal framework that protects them from secret and disproportionate violations of their privacy.

We welcome and support your desire to see Article 42 reintroduced into the Regulation. This is certainly an important building block towards addressing the ease with which people’s data was accessible to the NSA.

However, this alone is insufficient. There are three further steps we urge you to take:

1. Support amendments that will help people retain control over their data. Whilst people may struggle to control surveillance bodies’ access to their data, they can manage this risk if they have sufficient control over how their information is used and how much they permit use of in the first place.

So we urge you to support ‘explicit’ consent, more transparency for data subjects, data minimisation, restrictions on profiling, stronger sanctions and a definition of personal data that includes ‘singling out’. The ‘right to erasure’ is and should be a limited right. It should allow people to secure the removal of content they provide to platforms such as social networks but not mean that people can simply erase their past from the Internet.
We also urge you not to support carve-outs for pseudonymous data (for example amendment 904) and for broad ‘legitimate interest’ exceptions (such as 873). We urge you not to support a ‘context’ based approach (as proposed in amendments such as 850) that will add complexity for smaller businesses, decrease transparency for data subjects, and put decisions about when data use is acceptable in the hands of those wishing to use it.

2. Reinstate the text deleted by your amendment 1210. Whether data may be transferred to a third country or international organisation will be an important consideration to anybody deciding whether they wish their information to be collected or used. It will be difficult to establish the EU as a centre for trusted online data processing if companies can export data without informing the data subject.

3. Support further amendments that will boost protections against PRISM-like surveillance. We suggest this includes amendments 806, 2385, 2386, 2390, 2529, 2531, 2602, 2637, 2748, 2752, and 2950.

We very much hope to discuss this further with you in person.

Yours sincerely,

Barbora Bukovská, Article 19, Senior Director for Law and Policy
Jo Glanville, Director, English PEN
Kirsty Hughes, Chief Executive, Index on Censorship
Jim Killock, Executive Director, Open Rights Group