Saturday, 4 December 2010

Data Protecting at the IAPP Congress

I had a useful opportunity earlier this week to quiz a bunch of regulators about the different ways they dealt with Google’s wifi affair. I was keen to understand whether there was much of a thirst to adopt a more joined-up approach to either future investigations, or about the penalties. Because of limited budgets, many regulators prioritise their efforts on certain sectors and activities. But are their priotities broadly similar?

The occasion was the first congress of the International Association of Privacy Processionals to be held outside the USA. As the Europeans put it, finally here was evidence that they were putting the I into the IAPP. A couple of hundred of the usual suspects met on January 29 & 30 at an impeccably chic location, Salons de la Maison des Arts at Metiers, just a few yards from the Eiffel Tower itself. Representative bodies included the International Chamber of Commerce (ICC), French Association of Data Protection Correspondents (AFCDP), Federation of European Direct Marketing Associations (FEDMA), German Association for Data Protection & Data Security (GDD), the UK Data Protection Forum, IAPP Canada and IAPP New Zealand.

David Smith, for the UK, answered me by making the point that while the EU Data Protection regulators met frequently under the auspices of the Article 29 Working Group, and discussed issues that were of mutual interest, a very significant amount of proactive regulatory work had to be planned with the domestic climate in mind. And, as regulators had been granted different powers in the different Member States, it was extremely hard to, say, develop a co-ordinated approach on sanctions. It's mainly about local cultures, political priorities and the legal framework. One colleague in the audience murmured to me “be careful about what you wish for”, hinting that if there were to be an EU-wide approach on sanctions, life might be considerable less comfortable for UK-based data controllers than it currently is. But, in circumstances when one controller had acted in the same manner in all relevant Member States, then it made sense for the Commissioners to appoint a “lead investigator” so that at least everyone could agree on the relevant facts.

Gary Davis, Deputy Irish Data Protection Commissioner, and Yann Padova, Secretary General of the CNIL (France)broadly agreed. There didn’t seem to be much of a domestic thirst for greater international co-ordination in matters such as these.

Artemi Rallo, from the Spanish Data Protection Authority however, was more candid in admitting that there was some room for improvement in the performance of the regulators in the Google Wifi affair. He accepted that many observers found it extremely difficult to understand why they had taken such significantly different positions. It was not their finest hour. I could sense he knew what it must have felt for a European operator like Google trying to provide services which customers in a significant number of countries were evidently enjoying, and seeking, and yet which local laws seemed determined to impede.

What lessons did I take away from this as far as aspirations for an enhanced European Data Protection Directive were concerned? Not many positive ones, I fear. While there may be a sense of frustration that some areas of the current law are unwieldy and not fit for purpose , I did not detect a thirst for harmonisation, if such harmonisation was at the price of lowering current local protections.

I sense that a lot of talk is going to happen. But I can't see too many eople actually wanting to listen - and modify their own views. The policy makers are going to love it, as everyone will be talking about stuff. But no-one will be giving way. Meetings will be held. Speeches will be made. And we'll all return home wondering what the point of it all really was.

To me, the fundamental issue is that data protection standards reflect cultural standards in particular countries. But there is no possibility of harmonising data protection standards unless the cultural standards are also harmonised. And, as I am determined not to lose the flexibility which comes from adopting pragmatic approaches to solving problems, I’m as likely to join the rules-based “if it’s not specifically allowed then it’s absolutely forbidden” brigade as I am to be a teenager again.