Privacy’s greatest threat and how to overcome it
By Phil Lee, CIPP/E
After some erroneous newspaper reports in 1897 that he had passed away, Mark Twain famously said that the reports of his death were greatly exaggerated. The same might also be said of privacy. Scott G. McNealy, former CEO of Sun Microsystems, reportedly once said “You already have zero privacy. Get over it.” However, if the recent IAPP Privacy Academy in San Jose, CA, was anything to go by, privacy is very much alive and kicking.
It’s easy to understand why concerns about the death of privacy arise, though. Today’s data generation, processing and exploitation is simply vast—way beyond a level any of us could meaningfully hope to comprehend or, dare I suggest, control. The real danger to privacy, though, is not the scale of data processing that goes on—that’s simply a reality of living in a modern day, technology-enabled society, a Pandora’s box that, now opened, cannot now be closed. Instead, the real danger to privacy is excessive and unrealistic regulation.
Better regulation drives better compliance
From many years of working in privacy, it’s been my experience that most businesses work hard to be compliant. Naturally, there are outliers, but these few cases should not drive the regulation that determines how the majority conduct their business. It’s also been my experience that compliance is most often achieved where the standards applied by legislators and regulators are accurate, proportionate and not excessive—the same standards they expect our controllers to apply when processing personal data. In other words, legislation and regulation drives the best behaviour when it is achievable.
By contrast, excessive, disproportionate regulation that does not accurately reflect the way that technology works or recognise the societal benefits that data processing can deliver often brings about the opposite effect. By making compliance impossible, or at least, disproportionately burdensome to achieve, businesses, unsurprisingly, often find themselves falling short of expected regulatory standards—in many cases, wholly unintentionally.
The recent “cookie law” is a good example of this; a law that, though well-intentioned, is effectively seen as regulating a technology (cookies) rather than a purpose (tracking), leading to widespread confusion about the standards that apply and—let’s be honest—noncompliance currently on an unprecedented scale throughout the EU.
Why the regulation mustn’t make the same mistake
In its current form, the proposed General Data Protection Regulation also runs this risk. The reform of Europe’s data protection laws is a golden, once-in-a-generation opportunity to revisit how we do privacy and build a better, more robust framework that fosters new technologies and business innovation while still protecting against unwarranted privacy intrusions and harm.
But instead of focusing on the “what”, the legislation focuses too much on the “how”; rather than looking to the outputs we should strive to achieve—namely, ensuring that ever-evolving technologies do not make unwarranted intrusions into our private lives—the draft legislation instead mandates excessive accountability standards that do not take proper account of context or actual likelihood of harm.
• How, exactly, does an online business ensure that its processing of child data is predicated only on parental or guardian consent (Article 8)? My prediction: Many websites will build meaningless terms into their website privacy policies that children must not use the site—delivering no “real” protection in practice.
• Why is it necessary for an organisation transferring data internationally to inform individuals “on the level of protection afforded by that third country…by reference to an adequacy decision of the commission” (Article 14)? Do data subjects really care where their data goes and whether the commission has made an adequacy decision—or do they just want assurance that their data will be used for legitimate purposes and at all times kept safe and secure, wherever it is? How does this work in a technology environment that is increasingly shifting to the cloud?
• Why should controllers be required to provide data portability to data subjects in an “electronic and structured format which is commonly used” (Article 18)? Surely confidentiality and data security is best achieved through the use of propriety systems whose technology is not “commonly used”, therefore less understood and vulnerable to external attack? Are we legislating for a future of security weakness?
• Why should data controllers and processors maintain such extensive levels of data processing documentation (Article 28)? How will smaller businesses cope with this burden? Yes, an exemption applies for businesses employing less than 250 persons but only if their data processing is “ancillary” to the main business activities—immediately ruling out most technology startups.
For the past 17 years, the European Union has been a standard-bearer in operating an effective legal and regulatory framework for privacy. That framework is now showing its age and, if not reformed in a way that understands, respects and addresses the range of different—and competing—stakeholder interests, risks being ruinous to the privacy advancements Europe has achieved to date.
The good news is that reforming an entire European legal framework doesn’t happen overnight, and the process through to approval and adoption of the General Data Protection Regulation is a long one. While formal consultation periods are now closed, there remain many opportunities to get involved in reform discussions through legislative and regulatory liaisons at both a European and national level.
To make their voices heard, businesses throughout the data processing spectrum must seize this opportunity to get involved. Only through informed dialogue with stakeholders can Europe hope to output technology-neutral, proportionate legislation that delivers meaningful data protection in practice. If it does this, then Europe stands the best chance of remaining a standard-bearer for privacy for the next 17 years too.
Phil Lee, CIPP/E, is a partner in the Field Fisher Waterhouse’s Privacy and Information Law Group. He runs the firm’s new Palo Alto, CA, office. An earlier version of this report was first published by firm’s Privacy and Information Law Blog.