What a 21st Century Privacy Law Could—and Should—Achieve
It’s no secret that the EU’s proposed General Data Protection Regulation (GDPR) hangs in the balance. Some have even declared it dead (see here), though, to paraphrase Mark Twain, those reports are somewhat exaggerated. Nevertheless, 2014 will prove a pivotal year for privacy in the European Union: Either we’ll see some variant of the proposed regulation adopted in one form or another, or we’ll be heading back to the drawing board.
So much has already been said and written about what will happen if the GDPR is not adopted by May that it does not need repeating here. Though, for my part, I’d be quite happy to return to the drawing board: Better, I think, to start again and design a good law than to adopt legislation for the sake of it—no matter how ill-suited it is to modern-day data processing standards.
With that in mind, I thought I’d reflect on what I think a fighting-fit 21st century data protection law ought to achieve, keeping in mind the ultimate aims of protecting citizens’ rights, promoting technological innovation and fostering economic growth:
1. A modern data privacy law should be simple, objectives-focused and achievable. The GDPR is, quite simply, a lawyer’s playground, a lengthy document of breathtaking complexity that places far more emphasis on process than on outcome. It cannot possibly hope to be understood by the very stakeholders it aims to protect: European citizens. A modern data privacy law should be understandable by all—and especially by the very stakeholders whose interests it is intended to protect. Further, a modern privacy law needs to focus on outcomes. Ultimately, its success will be judged by whether it arrived at its destination (did it keep data private and secure?) not the journey by which it got there (how much paper did it create?).
2. A modern privacy law should recognize and reflect the role of the middleman. Whether you’re a user of mobile services, the consumer Internet or cloud-based services, access to your data will in some way be controlled by an intermediary third party: the iOS, Android or Windows mobile platforms whose APIs control access to your device data, the web browser that blocks or accepts third-party tracking technologies by default or the cloud platform that provides the environment for remotely hosted data processing services. Yet these “middlemen”—for want of a better term—simply aren’t adequately reflected in either current or proposed EU privacy law, which instead prefers an outmoded binary world of “controllers” and “processors.” This means that, to date, we have largely relied on the goodwill of platform providers—Are they controllers? Are they processors?—to build controls and default settings into their platforms that prevent unwarranted access to our data by the applications we use. A modern data privacy law would recognize and formalize the important role played by these middlemen, requiring them to step up to the challenge of protecting our data.
3. A modern data privacy law would categorize sensitive data by reference to the data we REALLY care about. Europe’s definition of sensitive—or “special”—personal data has long been a mystery to me. Do we really still expect information about an individual’s trade union membership or political beliefs to be categorized as sensitive when their bank account details and data about their children are not treated as sensitive in Europe—unlike the U.S.? A modern data privacy law would impose a less rigid concept of sensitive personal data, one that takes a greater account of context and treats as sensitive the information that people really care about—and not the information they don’t.
4. A modern privacy law would encourage anonymization and pseudonymization. Sure, we all know that true anonymization is virtually impossible, that if you have a large enough dataset of anonymized data and compare it with data from this source and that source, eventually you might be able to actually identify someone. But is that really a good enough reason to expect organizations to treat anonymized and pseudonymized data as though they are still “personal” data, with all the regulatory consequences that entails? From a policy perspective, this just disincentivises anonymization and pseudonymization—why bother, if it doesn’t reduce regulatory burden? That’s plainly the wrong result. A modern data privacy law would recognize that not all data is created equal, and that appropriately anonymized and pseudonymized data deserve lesser restrictions as to their use—or reuse—and disclosure. Without this, we cannot hope to realize the full benefits of Big Data and the societal advances it promises to deliver.
5. A modern privacy law would not impose unrealistic restrictions on global movements of data. The Internet has happened; get over it. Data will forever more move internationally, left, right, up and down across borders, and no amount of regulation and red tape is going to stop that. Nor will Europe’s bizarre obsession with model clauses. And when it comes to surveillance, law enforcement will always do what law enforcement will do: Whilst reining in excessive government surveillance is undoubtedly crucial, that ultimately is an issue to be resolved at a political level, not at the business regulatory level. A modern data privacy law should concern itself not with where data is processed but why it is processed and how it is protected. So long as data is kept secure and processed in accordance with the controller’s legal obligations and in keeping with its data subjects’ reasonable expectations, it should be free to process that data wherever in the world it likes. Maintaining unrealistic restrictions on international data exports at best achieves little—organizations will do it anyway using check-box solutions like model clauses—and, at worst, will adversely impact critical technology developments like the cloud.
6. A modern privacy law would recognize that consent is NOT the best way to protect people’s privacy. I’ve argued this before, but consent does not deliver the level of protection that many think it does. Instead, it drives lazy, check-box compliance models—“he/she ticked the box, so now I can do whatever I like with their data.” A modern law would acknowledge that, while consent will always be an important weapon in the privacy arsenal, it should not be the weapon of choice. There must always be other ways of legitimizing data processing and, perhaps, other than in the context of sensitive personal information, these should be prioritized over consent. At the same time, if consent is to play a lesser role in legitimizing processing at the outset, then the rights given to individuals to object to processing of their data once it has begun must be bolstered—without this, you place too much responsibility in the hands of controllers to decide when and why to process data with no ability for individuals to restrain unwanted intrusions into their privacy. There’s a delicate balance to be struck, but a modern data privacy law would not shy away from finding this balance. Indeed, given the emergence of the Internet of Things, finding this balance is now more important than ever.
There’s so much more that could be said, and the above proposals represent just a handful of suggestions that any country looking to adopt new privacy laws—or reform existing ones—would be well-advised to consider. You can form your own views as to whether the EU’s proposed GDPR—or indeed any privacy law anywhere in the world—achieves these recommendations. If they don’t now, then they really should; otherwise, we’ll just be applying 20th-century thinking to a 21st-century world.
About the Author
Phil Lee is a partner in the Privacy and Information Law Group at Field Fisher Waterhouse LLP, and runs the Palo Alto office of Field Fisher Waterhouse (California) LLP. Lee has particular specialisms in behavioral profiling and cookie regulation, e-marketing and international data transfer strategies (including binding corporate rules). He has worked on numerous multi-jurisdictional data privacy projects across more than 80 countries.
Lee holds an M.A. in computer science from Cambridge University and a postgraduate diploma in intellectual property from Bristol University. He is a frequent contributor to FFW's Privacy and Information Law blog and is also a contributing author to the IAPP's European Privacy: Law and Practice for Data Protection Professionals and Wolters Kluwer's Global Privacy & Security Laws. Lee is a former committee member of the Society for Computers and Law's Privacy & Data Protection Group.
He can be contacted at firstname.lastname@example.org.