Saturday, 19 November 2011

What sort of Directive will emerge from this fundamental divergance of views?

The more I think about these things, the more I thank my lucky stars that I’m not going to be accountable for proposing a new Data Protection Directive. The closer we get to European Data Protection Day (28 January 20112) the happier I am that my DNA won’t be too closely associated with (perhaps) the first publicly available draft of the new proposals.

The battle lines have already been drawn up and if you know where to look, you can read about the tectonic policy plates grinding along the usual fault lines. The principal fault line seems to be the extent to which common rules will be imposed on data controllers and on citizens across the entire Community, and the extent to which Member States will be able to implement the main rules in ways that sympathetically address local cultural traditions.

I’ve recently been reading the comments made by prominent ladies on the different sides trotting out their positions – and I am really not sure which side will eventually win.

On the “One law to rule them all” side, we have people who share the views expressed by Commissioner Viviane Reding. She was recently interviewed by the Washington Post, and made it pretty clear that her preference is for a highly harmonised set of binding regulatory rules for all data controllers. In her words:

"Today in Europe, if you are an American company, you have to abide by 27 different interpretations of the EU law data protection. This makes no sense for a business and is absolutely cumbersome. Our reforms are aimed at getting rid of this fragmentation and providing consistency and coherence for the whole of the continent. That means providing services to 500 million people, which presents a fantastic business opportunity for companies.

Q: What do you think of self-regulation? Is it a good idea?

A: Self-regulation can be little more than a fig leaf. It works only if there is strong, legally binding regulation in the first place. Otherwise self-regulation means that everyone does whatever he or she has in mind. Just look at the instability that self-regulation in the financial markets brought us. The financial markets, through personal greed and irresponsibility, failed to effectively regulate themselves. This is why I do encourage codes of conduct for businesses in Europe provided that they are fully in line with our European data protection law.

Q: Explain your philosophy behind individual privacy.

A: It is clear that every citizen has a right to their own data. Before a company can use your data they should ask for permission. This is a basic rule of the European Union.

We do have a set of rules today that is not always being applied and controlled in the way it should be. That has led to fragmentation and different interpretations of the rules.

For example, with Google’s StreetView last year, seven countries took seven different decisions on how to deal with a case of e-mails being collected and stored without people knowing it. Divergent interpretations of the same rules in the same situation is not good -- neither for citizens nor for companies.

Q:Is there a divergence between the U.S. and Europe in terms of the approach to data privacy?

A:It is clear that we have different approaches between the two sides of the Atlantic. The American people and their representatives understand that the question of data protection is not a theoretical one. These are not questions by idealists but bipartisan issues that are directly linked to the way we see the individual, the citizen, in our society. But I also want to say that we are heartened to see proposals such as the one by Senators John Kerry (D-Mass.) and John McCain (R-Ariz.) for new online privacy rules."

And, on the other side, we have people who share the views expressed by commentators such as Janet Daley. Writing in the Daily Telegraph recently she made her distaste of detailed centralist European regulation very clear. As far as she is concerned:

"What you hear in the grandiose speeches of European leaders and the bumptious pronouncements of EU officials is precisely this: we have an ideal system which can guarantee infinite security and wellbeing, provided that everyone behaves in ways that are consistent with the rules of life as we describe them.

The great irony of the [economic] mess we are now in is that this concept of a totally rational, perfect society which must be imposed on actual people, each with his own distinct experience and perception of life, was the same delusion that wreaked havoc in Europe for generations. From one Terror to another, Robespierre to Stalin, the enforced experiments ran their course. And virtually every one required the “temporary” expunging of democracy.

... However repugnant the present generation of capitalists may be, and however much personal disrepute they may incur, it is not capitalism that is about to destroy the prosperity of the populations of modern Europe. It is the folly of enforced uniformity – yet another dream of enlightened perfection – that will accomplish that."

It’s an argument that will run for a long time. And the deeper I think about these issues. The more sympathy I feel with the need to respect local cultural traditions, rather than have rules imposed that will generally be ignored locally precisely because they conflict with local cultural traditions. If I were ever to work for a multinational, or global, data controller, I might be more sympathetic to the practical problems they deal with as they offer services across continents. But, currently, I don’t, so I’ll focus on developing an approach that respects local, or national, needs, rather than a more centralist approach.

Should I change my employer in the New Year, I may revisit this view. But, right now, this is what I think.