What's Next for Human Rights, Privacy and Data Protection in Europe?

Welcome to another session on Cloudflare TV on the occasion of our Privacy and Compliance Week.

I'm here with Iverna McGowan. Welcome. You're the director of the Europe Office of the Center for Democracy and Technology, CDT.

And I can say, I mean, you've recently joined, I don't know, I think it's in the summer that you came to CDT.

October, or even October. And before this, you worked at the United Nations, at the Office of the High Commissioner for Human Rights.

And before that, Amnesty International's European office, I think in Brussels as well.

So welcome, and very happy that you're able to join us to have a discussion around human rights and privacy.

Of course, two topics, I think that are very close to your heart and to CDT's heart as well.

And maybe just for the viewers, who may not be so familiar with CDT, maybe you can just briefly tell a little bit about what CDT does, and what your role is as well in the Brussels office.

Absolutely. Well, firstly, thank you so much for having me and happy International Human Rights Day.

What a fitting day it is to have this conversation.

I have been head of the Center for Democracy and Technology's Europe Office, which was actually founded as a not-for-profit under Belgian law only last year.

So we are really setting up our operations in Europe with a view to growing.

We are a non-profit advocacy organization, and we focus on protecting human rights and democracy in the digital age.

And I guess two features that for me are so important in these times about CDT is one that we bring together technologists, engineers, and human rights lawyers to look for solutions to today's challenges.

And the other is, of course, that we bring that multi-stakeholder approach.

And that's so relevant to some of the European Union level policy debates that we're going to discuss later today.

That's great. Yes. And I'm sure that you've only started, but I think you're already very active.

I believe this is one of a number of discussions that you're having today.

And in the course of the next weeks before Christmas, I'm sure there's a lot going on.

And I think one of the questions come to mind, as we are in our privacy week, of course, the topic of data protection and privacy in Europe, there's a lot happening right now.

There have been a lot of developments.

Most notably, I think most people will be aware of the Schrems 2 ruling that came through the European Court in July.

I just wondered, you know, from your kind of perspective, working on human rights and on issues around privacy online and technology and privacy, what's your take on kind of those latest developments around international data transfers and the kind of discussions that it has kind of ignited in Europe?

So, indeed, well, the first thing that I think is quite interesting is that when you look at the judgment of the European Court of Human Rights, which, of course, has set this whole discussion going with all the implications that it's brought, it's essentially a fundamental rights ruling.

So they've looked at a lot of the principles around human rights and fundamental rights and EU law and raised concerns about how the lack of, you know, guarantee they can have with those data transfers in the United States that those people's rights will be respected.

So it's very interesting.

And at the Center for Democracy and Technology, what we've said is surveillance reform in the United States has long been a human rights imperative.

And what this Schrems 2 ruling has done, it's making it really an economic imperative as well.

So it's really upping the game and putting the pressure on that.

So obviously, we have a large office in Washington as well who are closing, have followed these topics for many years.

To give you an idea, some of the points that the Center for Democracy and Technology is looking at in the United States is calling on Congress to prohibit upstream surveillance.

We're looking to strictly limit the purpose for which US intelligence agencies can use personal data under Section 702.

And we're also looking at, you know, stronger procedural safeguards and constraints on EU officials' ability to access and use data.

So we are, you know, as a human rights organization, we are quite aligned at that pressing need for some of the reforms and have been long-term advocates in the United States.

I would add that, and a number of people have made this discussion at some of the conferences that you've mentioned, is that, you know, there's also an element of looking at, do the same standards apply within the European Union?

So obviously, from CDT Europe's perspective, what we're really focused on as well is that we very much agree with the ruling and it'd be great to have a discussion as well about whether the EU's own member states are adhering to those same standards and that we really keep, the EU, I believe, plays a very important leading role in the world in valuing privacy as a fundamental right.

But is that really the same standard in Europe as well?

So the Schrens ruling has thrown all of that up for debate.

Yeah, indeed. I think it has caused a lot of debates and still will continue probably in the years to come.

It has triggered, I think, a lot of different discussions, not only, let's say, about the international data transfer elements, as you were mentioning, both, I guess, of course, with the US, but of course now with Brexit, there is another discussion happening on the same level with the UK, for example, where, you know, that element also of looking at European countries, has been brought up and how to solve, you know, how to ensure data flows, but at the same time, you know, looking at privacy concerns.

I think also next to that, I think there's an ongoing discussion about GDPR itself.

So the European privacy law, which where, of course, a lot of these things kind of come from, or at least, you know, are based on the discussions around transfers, but I think there's a lot of other more general kind of GDPR discussions that are happening as well about, you know, there was a recent evaluation about the implementation of it, I think about it in June this year.

Of course, a lot, a lot of discussion around, you know, are they, you know, how the rules working, are they enforced properly, etc.

Is there any, you know, I think the GCT has been quite active on that front as well.

Could you maybe tell us a little bit more about, you know, your views on that?

Absolutely. Well, first of all, you know, you've said it pretty much, but we at the Centre for Democracy and Technology, we're a big fan of the EU's, you know, data protection rules, GDPR.

It's really, it has really set a global standard.

It's such an important law. Obviously, some people think about that in commercial terms, but for us, it's just so essential, especially in COVID-19, when all of our lives, our personal life, everything is happening online, you know, just having that extra legal security.

At the same time, we, like many other advocacy organisations in this space, are concerned that despite the very laudable, you know, rights and efforts within that regulation, that in practice, it's not being as enforced as robustly as we would see necessary.

And one area that's quite high on the European Union's agenda at the moment is, of course, the EU Digital Services Act.

And the EU's Digital Services Act is going to be a very broad raft of legislation, which is looking at a number of different things.

But one of the things that we'll be looking at is setting new rules on content moderation online.

And why I mention that is, for the Centre for Democracy and Technology, one of the things that we're really calling on the European Union to do is to ensure that much stronger enforcement of GDPR, because some of the problems that we're seeing on online platforms to do with, you know, driving disinformation and amplification of hate and other issues.

We know that a lot of that is driven by the use of personal data, what's called, you know, some surveillance-based advertising.

So we really feel that proper enforcement of GDPR will be part of the solution to that.

Another challenge with enforcement of GDPR is, you know, the country of origin principle, which we don't have any problem with.

But if you do keep a country of origin principle, then you need to be realistic about the implications of that.

The implications means that there's a number of EU member states, my native Ireland being the most obvious one, where due to the location and European headquarters of so many companies, that you basically have the Irish Data Protection Commissioner in a way being the de facto one for Europe.

So then that raises the question, do they have the adequate resources, independence, oversight, all of those issues to really, you know, shift gear, if you like, and look for more implementation of GDPR.

And I will briefly mention, because I think it's always interesting to bring in that transatlantic element like you did in Trends, that on the other side of the Atlantic, my fantastic colleagues are advocating very strongly for federal level privacy legislation in the United States.

And, you know, what I think is really important, there's a lot of talk about data localization or breaking up the Internet, about concerns like that.

But if we think about it, a really strong baseline, transatlantic baseline and agreement on privacy standards could be a way to avoid that.

And that's a really interesting possibility that we feel that politicians and decision makers should explore.

Maybe just a follow up question on that particular point, as I was just thinking about it.

You know, we are saying what next for human rights, privacy and data protection in the title of our session.

You know, with the new US administration coming in, and of course, what I understood also this week, there were some some comments made that, you know, the US will be looking again at the EU-US privacy shield as one of the elements to consider for the new administration.

Do you have any kind of feeling of, you know, how that could impact also that discussion, as you say, federal privacy law, but also the kind of EU-US relationship, which I think both sides are very keen to kind of strengthen and, you know, develop further?

Like, what could that mean for privacy, but maybe also from the human rights perspective, from your perspective?

Absolutely. So there was also a political declaration made by the respective diplomatic corps of the US and EU side about the new, renewing the transatlantic relationship, which I think is an important signal for, you know, for the world about the way forward.

It is important, especially on this day, International Human Rights Day, to remember that, you know, traditionally speaking, the European Union and the United States have been global partners on protecting human rights and democracy.

So, again, going back to that and maybe looking at a positive, how could we have a common approach and, you know, on restrictions on surveillance, on privacy laws, that would be really important.

I am a little bit wary of an idea of another privacy shield, just for the simple reason that we've already seen the European Court of Justice be very clear in striking similar initiatives down twice.

And even the European owns, you know, authority on European Data Protection Board supervisor has come out and said really, you know, been very prescriptive about what compliance with the ruling might look like.

So, obviously, we would look forward to any solutions, but when you look at the history with the European Court, it does seem like there would have to be a considerable shift on the US side in order to really have full compliance going forward and not risk yet another court case.

Yeah, thanks. That's, that's very enlightening. I think, I think we will definitely see, you know, what will happen, you know, after January 20th, you know, when the administration really starts working.

But I, you know, it's, it's, it's a very interesting debate to have, indeed, if, you know, a privacy shield, you know, could could happen again.

And what would it look like if the negotiations would go through?

So, indeed, I think we're all waiting for it to see. And especially, you know, from a business perspective, I think, you know, to see what will happen next year as well with some of those discussions.

Maybe just to kind of shift a little bit to human rights and democracy as well.

I think very apt, as you say, on Human Rights Day today to have a bit of a discussion more on that aspect.

I think, generally, the discussions at the moment that I see, at least in Europe, that are going on, on this, you know, kind of touch upon human rights and technology and democracy as well, to a certain extent, is the discussion around encryption.

And I know that CDT has been, you know, involved in the global encryption coalition.

I think you have actually co-founded it a while ago. So it would be very interesting to hear from you, you know, kind of your thoughts on the encryption debate in Europe that's happening right now, and some of the, some of the kind of developments that we've seen recently, including, I believe, a declaration of member states that was being prepared by the German presidency.

On this very topic.

So maybe just to kind of get your views from the European side, but maybe also from the US side, how CDT's views these latest developments.

Yes, indeed.

So, the Global Encryption Coalition, indeed, CDT was a proud founding member of that coalition.

It's a coalition of not-for-profits and companies who are really looking to champion the importance of encryption at multilateral fora and also on a national, regional level as it comes up.

We, you know, in the 1990s, we had the so-called crypto wars, where there was this, it seemed like an endless discussion on, you know, back to backdoor, you know, is it a backdoor or not, etc, etc.

Rather tiresomely and unfortunately, at the Centre for Democracy and Technology, in our analysis, what's happening at EU level is, again, other versions of the same.

So again, the debate, as you called it, is actually whether or not to break encryption.

And that's deeply worrying, as you said, on Human Rights Day, and this morning, I had the great honour of speaking at a conference organised by the European Union that brought together human rights defenders from across the globe.

And during those discussions, you know, you really need to realise how essential encryption is as a tool for their safety and their security.

And I was also thinking today, of course, as you know, the Centre for Democracy and Technology has partnered with Cloudflare under the Galileo project.

And there, we actually, similarly, we look how to protect human rights defenders and others from technical censorship in the same way.

So really, just the value of encryption in the now, we also know that the encryption debate has come up because the, of course, e -privacy is going to come into law, another new law coming the year, which would make so-called over-the-top messaging services.

So for those less familiar, that means a lot of the mainstreaming kind of social media messaging services would make them encrypted.

At the Centre for Democracy and Technology, we're a pro-encryption organisation for human rights.

And, you know, the Human Rights Committee, one of the highest authorities on international human rights law has itself stressed the importance of encryption.

So we are really glad that the e-privacy would increase the use of encryption.

And we're really concerned about the efforts to curtail and undermine that.

And you can actually, for those who are interested in our website, we've done a technical analysis of some of the leaked technical draft that had come out earlier in the summer.

We've done some technical analysis of that, really to explain the reason why we're saying this is another backdoor, another way just to break encryption.

And do you have any specific views?

I mean, I don't know how familiar our viewers are with this, but I am certainly following that with interest.

The recent discussions around child sexual abuse materials, that is a very specific discussion, I think that, as you mentioned, came up in the e-privacy debate, but has also kind of recently got a lot of attention because of the temporary derogation that is now being proposed to still allow those companies.

I think you mentioned the OTT type companies to voluntarily scan for such materials and remove those materials.

Is there any specific views or recommendations that you've made in that regard?

So together with some of our civil society partners and other human rights organisations, we indeed came together in response to that discussion to make some recommendations.

And first and foremost, I hope it doesn't need to be said, but, you know, the abuse of children online is a heinous crime.

It's totally unacceptable.

That has to be very clear. And at the same time, like with any regulation, we need to be very clear that what we're doing is prescribed by law and does not open the floodgates, you know, for other privacy concerns, because ultimately privacy laws and CDT has worked on this issue in terms of children's education, distance learning, privacy laws are essential to safeguarding children online.

So that was really a point that we made as well. So what we would really like to see, actually, is, you know, the full range of investigative powers also offline being used to really stop these terrible crimes at the source and being very mindful of the broader implications of any legislation, because the matter of concern in that regard was, again, the idea that we might break encryption.

And it comes up in different ways. It's often under, you know, very emotive topics, whether it's counterterrorism legislation or child protection.

But unfortunately, as of yet, we have not come up with a way that you can, you know, give the key to the police and that'll only work under certain circumstances.

An analogy I often give is that in the real world, we would never dream of leaving the key to our front door at the police station and say, in case somebody ever commits a crime here, I want you to have access to my house and come in and check if that happens.

We wouldn't do that. And we should not do that for our online world either, especially as we've said a lot during the pandemic when so many of our private communications, work communications are happening online.

We need people to have that confidence and safety and security as they work and interact online.

Yeah. I think those are very, very important points. And I think, yeah, we'll see specifically on that point.

There's a lot of discussion at the moment, I think, before the end of the year still about how to solve the conundrum about trying to tackle the issue, as you say, online as well as offline.

On the one hand, but of course, you know, the encryption and, you know, I think the Commission does remain committed to encryption, as far as I have heard.

But it is a very difficult, I think, policy puzzle to make.

We'll see what will come out of that.

Maybe just to kind of continue on the kind of human rights team, because we were talking about that earlier.

You recently wrote an op-ed, more also kind of on the topic of human rights and democracy, where of course also from Cloudflare's perspective with our Athenian projects, I think we have, you know, also a very great interest to help, you know, access to election information, for example, which is a very important part of democracy.

Do you have any specific kind of views on that?

I mean, maybe for people that didn't read the op-ed, what was the kind of, you know, message that you wanted to give there?

Sure. So just to be clear, you're referring to, because I've written a few op-eds on the Digital Services Act?

Yes, I think, yeah, but it was, yeah, it was related to democracy as well, right?

Defending democracy, indeed.

The Digital Services Act inspired it, because that's raising a lot of the questions.

But, you know, the Centre for Democracy and Technology works, as you of course will be aware, we work on election integrity and security, both in terms of the physical security in the United States, we haven't gotten to that level yet in Europe, though we might hope to do so, but also really on these online debates of how do we also make sure that the online ecosystem is protected against interference and making sure that we have integrity.

And in the European Union space, in particular, we are concerned about the fact that a lot, again, it comes back to common themes, that some of the electoral laws offline are so outdated that it's almost impossible to know, you know, with reason to say.

So I'll give a really common example. In a lot of countries, you will have a spending, a legal spending limit on the amount of posters that you can put up, it gets very into bureaucratic detail, which areas you can put them in, etc, etc.

And that might be what's in the law, but there's no, you know, clarity on what about online political advertising?

What about transparency for that? And how do we ensure that happens?

And there's a number of calls that we are making in that regard is one, of course, voter suppression is an extremely worrying trend and voter suppression, for those who might not be familiar with it, means that all too often minorities or at risk groups are actually, you know, targeted on the basis of their personal data and either dissuaded from voting or purposefully given wrong information about voting processes and procedures.

So one of the solutions to that, again, goes back to, should that personal data be, you know, we need clarity in law to say, nobody certainly should be targeted because of their race, ethnicity or gender, and for the purpose of suppressing their vote.

So keeping that universal right to vote in those laws is really important.

Another point that we are looking at is this whole question of online advertising.

And we do, we issue a little bit of caution here because of course, it's so hard to define what political is.

Because, you know, civil society organizations will often campaign on refugee and migrants rights, on racial discrimination, and some people would argue, oh, that's somehow political.

Of course, that's very different than if you're actually a political candidate or others.

So one of the things that we're cautioning is what might be a more logical approach is to actually really have more broad transparency online so that people know who paid for this, where is it coming from, am I being targeted, and if so, on what basis.

We feel like that would make it a lot easier for, whether it's civil society organizations, electoral watchdogs and others, to really enforce election integrity and make sure that our online space is protected in that regard.

That's, I mean, I think all very relevant points, especially, you know, with several probably European elections coming up in the next coming years and the Digital Services Act, as you say, likely to kind of look into some of those issues.

We've seen the European Democracy Action Plan, of course, already mentioning, you know, the issue of political advertising.

So I'm sure that there will still be a lot of debate, you know, in the coming year, which brings us to my kind of final question, as we have about five minutes left, I think.

What next, let's say, is the question of the session, so do you have any kind of priorities or kind of expectations for 2021, or maybe beyond about, you know, what you'll be working on and what you're kind of expecting from the EU, or maybe the global kind of debate around human rights, privacy, democracy, etc.

Well, certainly what I would like to see is that privacy goes global, you know, a lot of the conversations, as we said, have circled around how do we keep an open Internet, global, all of those things.

So really, to look, if we had US level federal privacy law, better enforcement of GDPR, that would already be part of the world, but then maybe we need to look, of course, globally at other areas where they do not have strong privacy laws.

So my hope would be that we have more global approach to international privacy standards.

I think for 2021 in Europe, it will be all about the Digital Services Act.

And, you know, I didn't mention detail yet, but of course, on the individual users' rights as well and free expression, I think that human rights advocates will all have a lot of work to do to make sure that we also guard our own rights to express ourselves online, but also protect people from harassment and hate and getting that balance right in law and practice, I think is going to be really important to maintain the Internet as a free and open space where we can organise and fight to protect human rights and democracy.

I think that's a lot to do for you and for, I think, kind of civil society in general.

I think there's a lot of new things that we all have to look at, including the Digital Services Act, but also probably, you know, kind of how EU-US relations will develop.

We have covered, actually, really a lot of ground.

I'm just thinking, because we have a couple of minutes left, just to see if there were any other topics that we could discuss.

But I think, you know, we've kind of went from one to the other. I think, from my side, I really want to thank you for this conversation.

I think it was really enlightening to kind of hear your view on a lot of issues that, obviously, companies in Europe are also dealing with and trying to make sense of, and how to operate, you know, in this, in a kind of more online world than ever, you know, in pandemic times.

And I hope you found it useful as well, just to, you know, talk to our viewers.

And I don't know if you have any kind of, I think we have about a minute left, so if you have any kind of other final remarks that you want to give.

So, look, I'm so grateful for the opportunity to have spoken with you today.

At the Centre for Democracy and Technology, as you know, we are strong advocates and, you know, I guess practitioners in multi-stakeholder approaches.

So, these kind of dialogues between the private sector and civil society, to also get into the details of what are the technical solutions, what does that mean in different places, I think that's going to be really important to get some of these policy challenges right.

So, just to say again, happy Human Rights Day.

Thank you so much for having me, and I really look forward to engaging with you and others on these topics as we go forward.

Thank you so much, and have a great day.

Thank you. Thank you. Bye. Bye.

Bye.