Sunday, 23 January 2011

The Supervisor and the Spice Girls

Peter Hustinx has been at it again. No, not like Italian PM Silvio Berlusconi. The European Data Protection Supervisor has issued his opinion on the EU’s cunning plan to revise data protection law. And he's provoked a bit of a debate. He’s accepted the global nature of data flows, and sees great merit in some form of binding global rules on data protection. And he suggests that many of the practical difficulties in ensuring compliance can be addressed by data controllers adhering to an “Accountability” principle.

He’s also bang on the money with his observation that technological developments since the introduction of the original Directive mean that in many cases this has led to fundamental changes in the way personal data of individuals are being processed. The information society can no longer be considered as a parallel environment where individuals can participate on a voluntary basis, but has become an integrated part of our day to day lives. [paragraph 37]

And on the following paragraph he points out that the framework must also bring more legal certainty for companies and for individuals. They must understand what is expected from them and be able to exercise their rights. This requires that the legal arrangements are precise.

He also makes a plea for harmonisation, opining that the level of harmonisation under the present Directive has been judged as less than satisfactory (a diplomatic understatement here, perhaps).

The Communication recognises that this is one of the main recurrent concerns of stakeholders. In particular, stakeholders stress the need to enhance legal certainty, reduce the administrative burden and ensure a level playing field for economic operators. As the Commission rightly notes, this is particularly the case for data controllers established in several Member States and obliged to comply with the (possibly diverging) requirements of national data protection laws. [paragraph 49] Peter also wants the current notification system to be simplified.

All good stuff.

Then, in paragraph 65, he suggests that a Regulation would reduce room for contradictory interpretations and for unjustified differences in the implementation and the application of the law. Hmmmmm - this means that whatever comes out of the Commissioner will be the law. An interesting concept – but what happens when the EU publishes something that even the Member States can’t agree on what it means. Like the current debate on cookies. Do we really need the consent of the user in each and every case, or can the settings on their browsers be taken to reflect their wishes? You currently get different answers to this pretty fundamental question, depending on which side of the English Channel you are.

But then it goes a bit haywire when we get to digesting the likely impact of his comments about transparency – at paragraph 71 Peter argues that transparency is of paramount importance in any data protection regime, not only because of its inherent value but also because it enables other data protection principles to be exercised. Only if individuals know about the data processing, they will be able to exercise their rights. I think he then starts to spoil his argument, by suggesting requirements

1. for a controller to provide information on data processing in a manner which is easily accessible and easy to understand, and in clear and plain language. The information should be clear, conspicuous and prominent. The provision could also encompass the obligation to ensure easy understanding of the information. This obligation would render illegal privacy policies which are opaque or difficult to understand.
2. to render the information easily and directly to data subjects. The information should also be permanently accessible, and not after a very short time disappear from an electronic medium. This would help users to store and reproduce information in the future, enabling further access.

The classic problem I’ve faced with regulators is that while they want “their” material to be provided in this way, they then get a little surprised when the result is a text which is so long that no-one reads the stuff. Data Protection. Consumer Credit. Distance Selling. Other health warnings and safety advice. Terms and conditions. Operating instructions. Add that lot up and you’re well on your way to a decent sized novella. To be honest I would prefer to read the opening passages from the Rime of the Ancient Mariner – or the Prologue to the The Canturbury Tales – in its original Middle English – than the regulatory stuff.

It is an ancient Mariner
And he stoppeth one of three
‘By thy long grey beard and glitterying eye,
Now, wherefore stopp'st thou me?

Marvellous stuff. As is this:

A Marchaunt ther was with a forkyd berd
In motley on high on hys hors he sat
Up on his hed a flaundres beuer hat
Hys boots claspyd feyer and fetously
Hys resons he spack ful solempnely
Shewynge alway the incresse of hys wynnynge

But I digress (slightly).

My main concern is that Peter wants the rules on consent to be expanded, but fails to point out what the consequences should be if people decide not to acquire sufficient knowledge to be able to supply this consent. If someone clicks a “consent for marketing button” on the internet without truly knowing the full consequences of that click, has the data controller committed an offence when they subsequently use appropriate information for, say, marketing purposes?

We all know that, according to the Directive, for consent to be valid it must be informed, freely given and specific. It must be an informed indication of the individuals’ wishes by which he signifies his agreement to personal data relating to him being processed. The way in which consent is given must be unambiguous.

Peter comments at paragraph 81 that it is not always clear what constitutes true, unambiguous consent. Some data controllers exploit this uncertainty by relying on methods not suitable to deliver true, unambiguous consent. So, he wants more rules on the concept of “express consent.”

He’s suggested

1. New rules to broaden the situations where express consent is required, currently limited to sensitive data.
2. Adopt additional rules for consent in the on-line environment.
3. Adopt additional rules for consent to process data for secondary purposes (i.e., the processing is secondary to the main processing or not an obvious one).
4. In an additional legislative instrument ... determine the type of consent needed, for example, to specify the level of consent on the processing of data from RFID tags on consumer products or on other specific techniques.

Bring back the Spice Girls.

In future perhaps we’ll have multi layered levels of consent. Just like when I want to delete electronic files and Microsoft sends me a message are you sure before it consigns it to the cyber furnace, we’ll have to devise new scripts that legitimise marketing. I expect the Commission to require pop up messages on all computer screens every now and again saying:

So you want the marketing?
Are you sure?
Are you really really sure?

And the recipient can type back

I’ll tell you what I want what I really really want
I wanna a, I wanna a, I wanna a, I wanna a,
Really really wanna ze dem adds right now.