A landmark EU-wide study of national privacy safeguards shows a decline in privacy protection across Europe and a steep increase in state surveillance over the lives of individuals.

The study includes a rating for EU member states and accession candidate countries. The rating has Britain and Ireland fighting over the bottom of the privacy league.

Key findings:

Good

European democracies are in generally good health, with the majority of countries having constitutional protections.

Surveillance policies have faced obstacles across Europe, including political challenges, policy implementation problems, and resistance from regulators, civil society, the general public and industry.

European regulators are getting more and more complaints, which we take as a sign of increased awareness of privacy issues and awareness of the regulators’ duties.

Notification requirements for those placed under secret surveillance. (Luxembourg, Switzerland, Czech Republic).

Heroic

Greece: in 2007 there was a collective resignation from the regulator in protest at the government’s insistence on repurposing the Olympics’ surveillance system.

Germany: groups mounted a campaign against communications data retention where 34,000 people filed a case at the Constitutional Court appealing against the law.

Netherlands: policy on mandatory smart meters had to be withdrawn after opposition.

UK: NGOs mounted policy campaigns against the surveillance policies of the previous government, resulting in policy repeal on issues ranging from ID cards and biometric passports, to DNA practices, and large databases.

Awkward

Many of the ambitious surveillance proposals have failed in implementation.

Deployment of biometric passports and data retention is fragmented.

Cutbacks have affected regulators’ abilities to do their jobs, e.g. Latvia, Romania

Ministerial warrants still exist in too many countries, i.e. Ireland, Malta, UK

Access to financial data is on the rise, e.g. Belgium, Croatia, Czech Republic, France, Germany, Greece, Italy, Norway, Poland, Slovenia

Failed oversight mechanisms, e.g. Sweden’s commissioner over covert surveillance powers resigned in protest.

Bad

Inability to build safeguards into processes to gain access to information over new services, e.g. France, Germany, Switzerland seeking powers to conduct secret searches of computers; Ireland’s ambiguous powers for unwarranted interception of VoIP; Italy building ‘backdoors’ into systems; Bulgaria’s ‘black boxes’ at ISPs.

France: Attempt to ignore constitutional amendment proposals to include an explicit constitutional right to privacy.

eHealth systems with security faults and/or centralised registries (France, Germany, Italy, Netherlands)

Biometric registries and databases emerging and with more coming (Estonia, Italy, Lithuania, Netherlands)

Few protections and safeguards for government access to data. (most countries)

Illegal and warrantless surveillance still occurs.

Journalists and dissident groups are under surveillance. (Lithuania, FYRM, Poland, Romania, Slovakia, Turkey).

Ugly

Direct access to information held by third parties without warrants or oversight, conducted by unaccountable bodies. (e.g. Bulgaria, Croatia)

Inability to audit and review the actions of security services. (e.g. Lithuania, Croatia, Estonia, Hungary, Sweden)

Medical databases are emerging with centralised registries. (e.g. Croatia, Czech Republic, Denmark, Sweden, Norway, UK).

Brian Honan, the founder and head of Ireland’s first CERT, comments: “It is a worrying trend that authorities are trying to deal with perceived threats from the use of certain technologies that their reaction is to legislate for increased surveillance, and in some cases not having the appropriate oversight or controls on how that data is accessed. Europe, and Ireland, have been promoting our privacy protections as a major benefit for cloud providers to locate here. However, as those privacy advantages are slowly being eroded away by ill-thought out legislation that may no longer be the case. Increased surveillance of a people does not lead to more security, in fact it can lead to the opposite as activities are forced underground. It will be interesting to see how the case against the Data Directive will fare in the European Courts.”

“We also need to be clear that access to certain data by security services is essential in protecting society but that access needs to have proper judicial oversight & protection for individuals. The use of mega databases to store large information on citizens can also bring benefits but this needs to be done carefully with the proper levels of security, oversight and controls. Just because you can do something does not mean you should,” Honan added.

The year-long study, funded by the European Commission and backed by a 600-page analysis of privacy in 31 countries, was co-authored by London-based Privacy International, the Electronic Privacy Information Center in Washington DC and the Center for Media and Communications Studies of the Central European University in Budapest.

The EPHR project comprises three action areas:

Map European privacy laws and recent developments as well as summarise the trends in the light of the right to privacy

Disseminate information and publish it on multiple online and offline platforms

Develop innovative awareness-raising campaigns to be launched at the European Data Protection Day on 28th January 2011.

The country reports were also translated into native languages. For more details on the study go here.