This article was published on August 6, 2019

The UK illegally copied sensitive personal data from EU databases, but the EU doesn’t seem to care

The UK illegally copied sensitive personal data from EU databases, but the EU doesn’t seem to care

On July 24, high-level EU officials finally confirmed the UK made illegal copies of classified personal information from an EU database. Despite this, it doesn’t seem the EU Commission will take any action, which — to concerned members of European Parliament — highlights its and EU member states’ hypocritical and dangerous approach to people’s privacy. 

When Julian King, the European commissioner for security, acknowledged the existence of the secret report detailing the UK’s illegal and sloppy data practices — which the EU Observer revealed in 2018 — he added that “there are a number of member states that have challenges in this area.” While the remark might have been made to decrease the severity of the UK’s infraction, for MEP Sophie in ‘t Veld it only hints at a bigger systemic problem.

“We never hear about these types of cases until it appears in the media or somebody leaks documents. This isn’t how a democracy works, there’s supposed to be accountability and transparency,” in ‘t Veld told TNW. “The European Commission doesn’t seem to understand that, and nor do the member states’ governments. This is ridiculous.”

This is why in ‘t Veld and her fellow Renew Europe MEPs are asking the Commission to make a full inquiry into possible illegal data breaches by member states and share them with the European Parliament, so MEPs can fulfill their power-checking role.

Secrecy doesn’t serve the people

The <3 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

The secret report, which MEPs didn’t have access to before EU Observer’s reveal, outlined years worth of violations by British authorities after they received restricted access to the Schengen Information System (SIS) back in 2015. 

The SIS is an EU-run database which contains names, biographic information, photographs, fingerprints, and arrest warrants for almost half a million non-EU citizens denied entry into the Schengen zone. In addition to that, it has personal information, such as biometric data, of more than 100,000 missing people and 36,000 suspected criminals. 

The UK sloppily made full and partial copies of the database, and stored it on laptops at airports and government offices, making it vulnerable to further breaches. British authorities also gave private US contractors, such as IBM, access to the data, which means the information could be requested by US authorities under the Patriot Act.

Now if this information is mostly shared to stop crime, what’s the big deal about spreading it? Well, because the UK used static versions of the database (i.e. the illegal copies), it means authorities often worked with outdated information — possibly letting criminals pass through or unnecessarily stopping people already cleared from SIS. In ‘t Veld acknowledges the use of limited personal information and modern technology is needed to catch the ‘bad guys’ — but we live in a democracy where there are limits to government powers. 

Credit: Glyn Lowe PhotoWorks
The European Commission is the EU’s executive branch. It’s responsible the day-to-day business of the EU as well as proposing legislation, implementing decisions, and upholding the EU treaties.

Citizens trust governments to handle their information according to the law, so in case of a breach they must be held accountable. In ‘t Veld and her colleagues believe these types of data breaches shouldn’t be kept from the public or from Parliament. If there are indeed more data breaches like Commissioner King hints at, they need to be thoroughly investigated and made public to make sure there are checks and balances to government powers. 

Most people have come around to the importance of privacy after revelations of malpractices of big tech companies such as Facebook, but people remain unaware that our governments are also guilty of mishandling data. 

“There should be indignation, but instead there’s complete silence — and probably also ignorance — about how public authorities are handling our data, and our civil rights,” in ‘t Veld explains. “And there’s ignorance, because authorities don’t talk about it, they keep it a secret. So how are they any better than Mark Zuckerberg?”

Governments should be held to the same standards as Zuckerberg

Europe is definitely at the forefront of privacy and GDPR is a true feat of regulation — but it doesn’t completely apply to government operations as they were moved to a separate directive. For in ‘t Veld, this was a fundamental mistake which also shows how hypocritical the EU’s lax stance on governments’ illegal handling of personal data is.

The UK and the EU summoned Zuckerberg to answer for the Cambridge Analytica debacle and criminal investigations were launched. But these same authorities are mum on their own abuse of data, such as the commercialization air passengers’ personal information, about which in ‘t Veld and her colleagues have sent questions to the Commission.

In ‘t Veld believes it’s about time the Commission holds member states and government agencies to the same standards as others. “It’s not even a matter of  ‘practice what you preach.’ It’s respect the law and be punished if you don’t — because that’s what happens to normal citizens and companies.”

Mark Zuckerberg being grilled by EU representatives. Hopefully the EU itself and its member states will be held to the same standards.

Brexit pressure

The UK’s imminent departure from the European Union is bringing to a raft of issues, as standard procedures have been upended by the chaos. As with other privileges and accesses it was awarded due to its EU membership, the UK has made overtures to stay in various information sharing agreements in regards to security after Brexit.

In ‘t Veld thinks this will likely happen, but not due to a grand deal or political breakthrough — it will simply be established with on-going negligence. 

“I think the European Commission and other member states will simply turn a blind eye and continue to give UK access, while not being bound in any way to EU standards. I think that’s what they’ll do because that’s what they’re already doing with the United States.”

MEPs like in ‘t Veld are deeply disappointed by the Commission’s sweeping of the UK’s illegal data handling under the rug. It’s a huge concern and other non-governmental entities wouldn’t receive as much slack. This is why in ‘t Veld believes the UK — and any other country that’s been found guilty of illegal behavior (if the Commission will ever reveal them) — should be taken to court.

“If you cross the line by one millimeter, you should be charged,” in ‘t Veld stated.

Brexit is set to happen on October 31 (and Boris Johnson swears this will happen), so in ‘t Veld and her colleagues are expecting a swift response from the Commission — hoping it will hold governments to the same privacy standards as anyone else.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with