The first European Data Protection and Privacy Conference was held in Brussels on November 30, 2010. The main topic was the new European framework for data protection, as outlined in the consultation document recently published by the European Commission. In this blog post I’ll summarise the main statements made and the issues that were raised.
The conference started with two keynote presentations, by Vivian Reding (Commissioner for Justice, Fundamental Rights and Citizenship) and by Jacob Kohnstamm (chairman of Article 29 Data Protection Working Party), followed by four panel sessions on harmonisation, data breach notification, ensuring data protection, and the definition of personal data.
According to commissioner Reding, the main goals that the new framework for data protection should achieve are:
- strengthening the rights of individuals, by introducing the “right to be forgotten”;
- enhancing the single market, through harmonisation and by simplifying the notification process that is required when businesses start processing personal data;
- strengthening the position of the Data Protection Authorities (DPAs), by increasing their powers and their resources, and improving the international coordination among DPAs.
The right to be forgotten applies to social networking sites, which should offer the possibility to truly delete your profile, and also to the automatic deletion of personal data from databases as soon as the data is no longer needed. The Commission has not yet decided whether the new data protection framework should be implemented as a Recommendation or as a Directive.
Jacob Kohnstamm urged the European Commission to show more ambition. In particular, DPAs should move from ex-ante oversight to ex-post enforcement.
DPAs should be true enforcement agencies, with a duty to enforce compliance with data protection laws, the means to impose meaningful financial penalties, and the power to investigate any case they deem necessary. Cross-border investigations and collaboration among DPAs to deal with transnational cases should be enabled (the case of doping control by WADA, which imposed the absurd requirement on athletes to report their location 24 hours a day for a three-month period, was mentioned). Moreover, Privacy by Design (PbD) should be obligatory. Notification procedures should be simplified and harmonised, include ways to prove compliance with the data protection regime, and should only apply to ‘risky’ operations. Kohnstamm stressed the importance of open norms, easy access to complaint procedures, and the possibility for DPAs and consumer organisations to start class action lawsuits. According to him, the Article 29 WP should be truly independent, with its own budget and its own secretariat. Finally, Kohnstamm strongly supported the “right to be forgotten”, stressing that people have a fundamental right to change (behaviour, beliefs, convictions, ideas, etc.).
Panel 1, on “Harmonising and simplifying the legislative maze”, was chaired by Stanley Pignal (journalist, FT) and consisted of Peter Hustinx (European Data Protection Supervisor, EDPS), Michelle O’Neill (U.S. Dept. of Commerce), Aurel Ciobanu-Dordea (Director Justice, Fundamental Rights and Citizenship of the European Commission), Mikael Hagström (SAS) and Ilias Chantzos (Symantec).
Hustinx stressed that the framework should focus on ensuring that data protection is actually implemented, and that the rules actually work in practice. Moreover, he believes the same rules should apply across the board for both government and business.
Hagström criticised the current notification procedures, which take months, sometimes even a year, to complete, and stressed that data protection laws should be harmonised globally. (Later in the discussion the question was raised what this means if countries like China – “that do not share our moral values” – were also to be part of this harmonisation.)
Ciobanu-Dordea pointed out that the consultation document is a policy document, not a legal text. The main challenges are to stimulate companies to comply, and to make them use Privacy-by-Design (PbD) and Privacy Enhancing Technologies (PET). It is also challenging to deal with the security objectives of the law enforcement area that stand in the way of harmonisation. Ciobanu-Dordea believes we are making progress in that area: five years ago the different stakeholders were not even willing to discuss this. Later in the discussion he observed that the differences between the EU and the US are largely overstated.
Chantzos pointed out the following trends: personal and professional use of ICT is merging, data production by consumers doubles each year, and consumers require access to data from anywhere: the data becomes more important than the device you use to access it. According to Chantzos, proper data protection is in fact an enabler of the future. (Some time later it was said that “Information is the currency of the future”.)
O’Neill stressed that data protection should not prove to be a barrier to innovation and trade.
In the discussion, Hagström implied that social networks are the cause of the current privacy fears, and suggested making the right to be forgotten applicable only to social networks. Chantzos questioned how this right to delete should be implemented, and especially how you can later prove that you complied. O’Neill suggested that educating users not to provide information (to social networks) is more effective than exercising a right to be forgotten (a right that does not really exist in the US, whereas in the EU it emphasises rights already present in the current legal framework).
The question was raised how to empower businesses to comply with data protection laws (especially because DPAs move from ex-ante to ex-post enforcement).
Panel 2, on “Data Breach Notification – time for mandatory notification requirements?”, was chaired by Laura Linkomies (editor, Privacy Laws and Business International) and consisted of Udo Helmbrecht (director, ENISA), David Smith (UK ICO), Steve Kenny (eBay) and Jim Halpert (DLA Piper).
Halpert stated that security breach notifications are a US invention. Transparency works (“sunlight is the best disinfectant”) because it helps victims to take defensive actions, and businesses want to avoid reputation damage. Notification should only be required when it really matters. Otherwise users will get too many notifications and at some point will ignore all of them, including the important ones.
Smith pointed out that in the UK notification is voluntary, and that there is a distinction between notifying the regulator and notifying the victim. The regulator does not publicise data breaches. He found that there is a lack of governance within businesses that leads to incidents: people handling personal data do not know how to handle it properly.
Helmbrecht claims PbD is not available right now, because there is no outside pressure and there is no business case. He questions the purpose of notification, because if there is no PbD in the system in the first place, the feedback generated by data breach notifications on measures to increase privacy cannot be applied to the system anyway. He further noted that willingness to report data breaches varies across member states, and that data breach notification standards are necessary.
Kenny stated that privacy is fundamental to the business case of eBay. Data breach notifications are the logical choice for a company that embraces openness and transparency. The only concern is that too many notifications will lower the expected and perceived privacy of the general public when faced with a large number of incidents. Everybody (government as well as business) should have the obligation to notify data breaches.
Fines are unnecessary: reputation loss is the real driver.
It was stressed that security does not imply privacy: privacy also concerns things like proportionality of the data being collected, the right to be informed and review personal data, etc.
Panel 3, on “Avoiding the security pit-falls – how can we ensure that data is kept secure in a society driven by technological change and globalisation?” (I’m not making these panel titles up!), was chaired by Marc Tysebaert (Belgian Ministry of Justice) and consisted of Paolo Balboni (European Privacy Association), John Vassallo (Microsoft), Sinisha Patkovic (RIM), Gustav Kalbe (DG INFSO, European Commission) and Christoph Luykx (Intel).
Vassallo stressed that a balance between privacy and a free and open market should be struck. The current rules are too complex. The focus should be on Privacy by Design (PbD), but the framework should be careful to define this precisely, as it now means different things to different people. According to Vassallo, PbD applies not only to the design and implementation phase of a system, but also to how the system is used, the context in which it is used, and proper training of the people involved. Harmonisation should ensure that in the future there is no longer a conflict between data retention laws in one country and privacy rules in another country. This is currently a problem in cloud computing.
Patkovic pointed out that these days mobility and mobile devices are used to redefine the business: they create ways of doing business. Strong risk management is needed in mobile environments. Proper governance is lacking.
Kalbe stressed the role of technology in establishing trust, and argued that more tools are needed to build and measure trust. Current business models put too much emphasis on the user’s own responsibility.
Luykx (like Chantzos earlier) told the audience that people want access to all data from anywhere, using whatever device is available. Intel calls this the “Computing continuum”. Harmonisation of data protection will not lead to a single global framework. Instead, a collection of common building blocks will be established that will be combined in different ways by different countries.
Standardisation is important. So is certification.
Balboni argued that it is sometimes hard to tell whether a party is a data controller or a data processor.
In the discussion that followed, it was noted that cloud service providers actually see having a privacy friendly infrastructure as a competitive advantage.
The final panel, number 4, on “Defining the boundaries – when should data be classed as ‘personal’?”, was chaired by Martin Abrams (Centre for Information Policy Leadership) and consisted of Stavros Lambrinidis (European Parliament), Kostas Rossoglou (BEUC), Thomas Boué (Business Software Alliance) and Chris Sherwood (Yahoo).
Sherwood argued that whether a data item is personal data depends on the context. He announced that Yahoo now offers its visitors the possibility to click an icon for more information about the profiles used to generate behavioural advertisements on the web pages they visit, and the option to switch off such ads altogether.
Boué challenged the Article 29 WP point of view that IP addresses are personal data, and basically argued that he found the protection of Intellectual Property Rights (IPR) more important than privacy. According to him, data should only be considered personal data if the data controller himself can directly link a data item to a natural person. Lambrinidis intervened, stating that this really is a much too narrow view, because at any later time the data may come into the possession of someone else (for example the police) who actually can establish this link. Quote: “Do not expect parliament to fiddle with this definition”.
Rossoglou observed that the current data protection framework did not stop innovation, and that a review of the framework should not be abused to make fundamental rights secondary to IPR. The current definition of personal data is flexible and balanced enough. In the US, privacy is a consumer right. In the EU, privacy is a fundamental right. Using browser settings to deal with cookies is not the best approach to implementing consent, because browsers accept all cookies by default, and browser settings do not cover all types of cookies (e.g. Flash cookies).
Lambrinidis stated that it was not the intention of parliament to let browser settings be the method to express consent with respect to cookies. The fact that we use the Internet should not be construed as consent to being profiled. The music industry’s claim that we should trace users on the Internet to see what files they download is deeply problematic, especially if this tracing is done by private companies. Cutting households off from Internet access if some member infringed copyright is excessive. Even more so because we use the Internet more and more to exercise the right of assembly, the right of free speech and the right of access to information. Another nice quote: “If you have nothing to hide, you don’t have a life”.
In the discussion that followed, Sherwood argued for a harm-based approach: instead of focusing on the collection of personal data (as the current framework does) we should focus on inappropriate use of that data. The problem is: how do we define harm? He also noted that companies cannot be held liable for the fact that law enforcement can get access to the data they collect.
Concluding, the conference was interesting, and provided nice insights into the current thinking within the European Commission, DPAs and businesses on the future of data protection and privacy in Europe and beyond. Major points I took home:
- The right to be forgotten is a prominent aspect of the new framework.
- When businesses talk about harmonising data protection, they actually hope to lower data protection requirements.
- Data protection authorities move from ex-ante to ex-post enforcement: they want to police data protection infringements.
Organisation-wise, four panel sessions, each one and a half hours long, are too much, especially if there is very little discussion and debate. The conference would improve if more keynote presentations were scheduled, which could provide structure and clarity on the issues currently being debated, or present challenging visions of the future.