Privacy, Data Protection and Cybersecurity in Europe

The right to be forgotten appeared on the internet scene with the judgment of the European Court of Justice on Mario Costeja v. Google Spain (May 2014). Despite the controversy raised by this resolution, the right to be forgotten is actually a new expression of the European system of protection of personal data. The chapter aims to show the development of the right to be forgotten in Spain and, in this process, the relevance of the two main Spanish cases, Mario Costeja v Google Spain and Les Alfacs v Google Spain which represent both the personal aspects and corporate interests in the right to be forgotten.

Social media have been shown to have the potential to broaden the scope of public communication and public sphere processes. In repressive societies or contexts, they can function as an alternative public sphere challenging the mainstream; but it also allows citizens in open, democratic societies to participate more actively in these processes. At the same time, established mainstream media institutions retain a dominant position in the public sphere. This chapter explores the relationship between editorial policies, guidelines and regulations in the UK, with a special focus on the use of social media as sources in domestic local news coverage. These codes govern everyday journalistic practice and hence shape individual journalists’ behaviour in relation to sourcing. A tension arises out of the juxtapositioning of a journalist’s right to freedom of expression and an individual’s expectation of privacy.

In June 2013, the secret actions of the American National Security Agency (NSA) got revealed by Edward Snowden. After that, the European states began discussing the concept of data protection and the legality of keeping people from other nations under surveillance. As this provoked a political crisis, the partnership with the USA was called into question. This chapter will focus on the specific characteristics of the French perception of the NSA affair and the reactions to it. By the aid of qualitative and quantitative linguistic methods, the European and American discourse actors will be analysed as well as the way in which they shape the various facets of the discourse. The corpus, which was built for this analysis, consists of French newspaper articles from both print press and online platforms.

This chapter examines the way surveillance is discussed in the leading Finnish newspaper Helsingin Sanomat after the revelations made by former NSA-contractor Edward Snowden. In 2013, Snowden provided journalists with documents that revealed the unexpected extent of surveillance conducted by security agencies such as the NSA. Drawing on Critical Discourse Studies and a Foucauldian view of discourse, this article understands media discussions following the Snowden revelations as discursive struggles where the legitimacy and future of surveillance are being constructed and debated. The article examines the ways the media formulates solutions to the problems posed by surveillance, and explores the way they contribute to the overall discursive struggle. The solutions appearing in the data are categorised into two main categories, next step solutions and direct solutions. Overall, it is concluded that solutions play a minor role in the news coverage as they tend to appear briefly and rarely as subjects of debate. This means that solutions do not make a substantial contribution to the discursive struggle over surveillance and, furthermore, leads to an understanding of surveillance as a practice that is difficult to change.

Extensive surveillance practices that were revealed by Edward Snowden sparked debates about appropriate state behavior in cyberspace. The governments of the US and UK faced harsh criticism following the first revelations in June 2013. Disclosed documents and statements from Edward Snowden suggested that the British GCHQ acted even less restrained than its American counterpart. Those developments nevertheless didn’t lead to more limitations of surveillance capabilities in Britain. Quite the contrary, the Government legalised some of the revealed practices with the Investigatory Powers Act. This chapter therefore addresses the following question: how was it possible for GCHQ’s surveillance practices to remain stable after the Snowden revelations? In order to answer this question a role theoretical analysis of the domestic processes of role contestation and role stabilisation is conducted. It is argued that the continuity of surveillance practices is best understood by looking at the historical experiences the Britons have made with their intelligence agencies.

Edward Snowden’s revelations regarding the NSA surveillance activities globally reignited debates on the tension between freedom and security. Within those debates, the issues of cybersecurity and data protection are oftentimes part of the same meta-narrative even as they represent differing aspects in the question of how much freedom must be relinquished in order to guarantee a state’s security. This chapter sets out to disentangle the discourses of cybersecurity and data protection in German governmental and parliamentary discourse post-Snowden. To achieve this, we analysed both government and parliamentary documents using the Sociology of Knowledge Approach to Discourse (SKAD). Aside from a meta-narrative of cyber anxiety, we found that problem definitions are used in governmental and parliamentary discourse on cybersecurity and data protection in very similar ways. The frames and narratives regarding proposed solutions offer distinctions, as parliamentary speakers tend to emphasise the importance of privacy and data protection over cybersecurity.

The European Union is well-known for its high levels of data protection and concern about the effects of data sharing on individuals’ privacy. The 1995 Data Protection Directive (95/46/EC) established clear norms that have guided the development of data protection laws at the national level. However, these principles have often been tested by advances in the field of law enforcement, where personal data has increasingly been processed for the purpose of fighting crime. This tension has become more problematic with the advent of the Treaty of Lisbon, which has ‘constitutionalised’ data protection as a fundamental right in Article 16 of the Treaty on the Functioning of the European Union (TFEU) and Article 8 of the Charter of Fundamental Rights. This chapter explores to what extent the tension between data protection and data processing has been solved in the process of recasting the former provisions for the protection of personal data. The ‘package approach’ to the reform process has managed to improve the coherence of data protection in the private and the public sectors, but the tensions between privacy and security remain—especially in the law enforcement domain.

While the proposal for a Network and Information Security Directive (NIS Directive) was still entangled in the legislative process, EU member states started adopting cybersecurity laws. These laws largely follow the philosophy of the NIS Directive and aim at establishing a culture of security across operators of essential services and digital service providers, including providers of banking, energy, transport, financial infrastructure, health and drinking water. These laws are often based on key legal principles, such as non-discrimination and proportionality. However, the compatibility of the newly adopted laws with the human rights framework enshrined in EU treaties as well as in the Council of Europe conventions is subject to discussion. Following this observation, this chapter reflects on the legislative processes and substantive provisions of cybersecurity laws in Lithuania and Romania. An in-depth analysis of the recent developments in the two countries and of the interaction between national and European Union legal frameworks unveils several inconsistencies in the application of EU data protection principles. In analysing regulatory and legal issues concerning cybersecurity policy, the chapter employs two different approaches to examine Lithuanian and Romanian cybersecurity laws. The first approach entails an analysis of these laws as “good regulation”, following up on the concept of the regulatory scholars Robert Baldwin and Martin Cave. The second approach considers the scope of potential limitations which the two cybersecurity laws can impose on human rights. These findings will be complemented by questions which require further research from a social science point of view.