Wednesday, February 15, 2012

Hey, Mom and Dad, look, I'm the most powerful censor on the planet



Not really. But I could be.

Europe's proposals to create a "right to be forgotten" are suggesting that people should be able to request Google/Yahoo!/Bing to delete any third-party content from the search engines that they don't like, if it violates their sense of "privacy". If such a law were to be passed, then it would mean that employees at Google and similar companies would become censors-in-chief of the world's web content. Whenever someone finds something on the web that they found unflattering about themselves, they could demand that the search engines delete it. The Google/Yahoo!/Bing global censors would then be obligated to delete the content, regardless of whether it was true or fair or legal, regardless of who published it, and regardless of the fact that the search companies had nothing to do with the content.

Hmmm, the prospect of becoming the world's most powerful censor makes me giddy. Eat your hearts out, you Iranian web censors, now I've got the sort of power you've only dreamt of. History, truth, memory, knowledge, it's all mine, mine, to decide what gets to survive. And a word of "merci" to the French, who put all this power into the hands of American employees like me. Now I can make Mom and Dad proud.

Sunday, January 29, 2012

The right to be forgotten, or how to edit your history




The "Right to be Forgotten" is a very successful political slogan. Like all successful political slogans, it is like a Rorschach test. People can see in it what they want. The debate would sound quite different if the slogan were actually something more descriptive, for example, the "right to delete". The European Commission has now proposed to make the "right to be forgotten" into a law. It's a big step to turn a vague political slogan into a law. The time for vague slogans must now give way to a more practical discussion of how the "right to be forgotten" could actually work.

What is the "right to be forgotten"? There is a spectrum of views. On one end of the spectrum, the "right to be forgotten" is simply viewed as a re-branding of long-standing data protection principles, in particular: the rights to access and rectify one's own personal data, the right to oppose processing of one's personal data in the absence of legitimate purposes, the principle of data minimization. On this end of the spectrum, people think that the "right to be forgotten" is nothing new; at most, it is simply an attempt to apply long-standing data protection principles to the new worlds of the Internet and modern technologies. I'm firmly in this school of thought.

On the other end of the spectrum, the "right to be forgotten" is viewed more sweepingly as a new right to delete information about oneself, even if published by a third-party, even if the publication was legitimate and the content was true. This school of thought believes that people should have the right to force third parties to delete content about them (photos, blogs, anything) that violates their sense of privacy, which in practice usually means their online reputations. Common examples of things people want to remove are compromising photos, references to past criminal matters, negative comments, etc. While I strongly believe that people should have the right to complain to third-party websites about information that is published there about them, I am deeply skeptical that the laws should obligate such third parties to delete information on request of data subjects. This raises troubling questions of freedom of expression.

There is an even more extreme end of the "right to be forgotten" spectrum, which holds that this deletion right can be exercised not just against the publisher of the content (e.g., a newspaper website), but even against hosting platforms and other intermediaries like search engines that merely host or link to this third-party content. This view is being litigated in Spain, as the Spanish Data Protection Authority is suing Google to delete links to third-party content, like newspaper articles, that the DPA has acknowledged are legal. In other words, the DPA is attempting to apply this reading of the "right to be forgotten" to delete links to content in a search engine, despite the fact that the original content is legal and will remain on the Web. Cases like this will require judicial review, since they clearly posit a conflict of two fundamental rights: privacy and the "right to be forgotten" against freedom of expression. I expect this issue to be considered at the European Court of Justice.

As this debate unfolds, the lack of clarity is raising false expectations. As people read that there will soon be a legal "right to be forgotten", they are asking DPAs and search engines to delete third-party content about themselves or links to such content. I regularly hear requests from people to "remove all references to me, Mrs. X, from the Internet". No law can or should provide such a right, and politicians and DPAs should not mislead them to expect it.

We need more public debate about what the "right to be forgotten" should mean. We also need a debate about how it should be applied to hosting platforms and search engines. I think a balanced and reasonable and implementable approach is possible, based on a few principles: 1) people should have the rights to access, rectify, delete or move the data they publish online. 2) people should not have the automatic right to delete what other people publish about them, since privacy rights cannot be deemed to trump freedom of expression, recognizing that some mechanisms need to be streamlined to resolve these conflicts. 3) web intermediaries host or find content, but they don't create or review it, and intermediaries shouldn't be used as tools to censor the web. Stay tuned, and Happy Data Protection Day.

Monday, January 2, 2012

Harsher data protection sanctions are coming



When Apollo wanted to stop Laokoon from warning the Trojans that there were Greek soldiers in the famous Trojan Horse, he sent two giant snakes to kill Laokoon and his sons. Talk about sanctions! Have we considered using killer snakes to punish data protection violations and to discourage future bad practices?

Since 2012 has now begun, here's a prediction about the future: there are going to be a lot more privacy enforcement actions, by a lot of different government authorities, not just DPAs. And the sanctions/damages are going to go through the roof. Indeed, it's not easy to keep track of which government officials are in charge of data protection enforcement actions. There are a lot of them.

We all think of Data Protection Authorities, and similar bodies, like the Federal Trade Commission, as responsible for enforcing privacy laws. These bodies around the world have vastly different enforcement powers, investigative cultures, and sanctions traditions, even within Europe. Some, like the Spanish DPA, impose a lot of large fines. Others, like the French CNIL, imposed only 5 financial sanctions in an entire year. The largest fine the CNIL has issued in its entire history was 100,000 euros. And yet others, like the Belgian DPA, don't have the legal power to impose fines at all. Other DPAs hardly ever use sanctions at all, in the classic sense, other than press releases and "name and shame" tactics. Moreover, in recent years, the US Federal Trade Commission has been moving in a different direction, namely negotiating consent decrees that are forward-looking, 20-year commitments for particular companies to abide by certain privacy standards and be subject to regular audits.

But if the plethora of DPAs and their varied enforcement practices were not divergent enough, privacy enforcement is by no means limited to these specialist regulators. In the US, the individual State Attorneys General regularly bring privacy actions. There's also an entire industry of US privacy-based class actions which has sprung up in the last few years.

Moreover, in many countries, privacy laws have been inscribed into the penal codes. Consequently, any criminal prosecutor can bring such privacy penal actions. For example, my prosecution and conviction in Italy for a "privacy violation" was brought by a Milanese public prosecutor and imposed by a criminal judge.

In the future, the number of authorities who can bring privacy enforcement actions is likely to keep increasing. First, more and more countries are creating data protection authorities, e.g., roughly a dozen new ones have been created across Latin America and Asia in the last year. And in Europe, where class actions generally don't exist and don't fit into the existing legal framework, there are now serious proposals to create mechanisms for "collective redress" of privacy claims. And of course, there have always been the normal judicial channels, where anyone can bring privacy claims against someone else if they feel their privacy has been violated. The number of such cases is also exploding around the world, especially as more and more data about people is collected, exchanged and published.

I regularly hear people claim that there's not enough legal enforcement of privacy. In some places, as a matter of practice, that may well be true. But there is no shortage of overlapping authorities with the power to bring or adjudicate privacy claims. Curiously, in privacy circles, most of the focus is on the enforcement actions of the DPAs. But in practice, the DPAs are just one of many different authorities who can and do bring privacy enforcement actions. And the trend is clearly going up: in terms of the number of laws that can be violated, the severity of sanctions, the number of complaints that are brought, and the breadth of authorities who are involved in enforcing privacy.

The European Commission has proposed instituting new fines for data protection breaches ranging up to 5% of global turnover! To a global company, that's probably scarier than killer snakes.

Tuesday, December 20, 2011

Is that all that's left?




2011 has come and almost gone, and I've already forgotten most of it. It's always been that way. I can barely remember my own life. No one else will remember it either. Most of humanity has lived and died and left little more lasting traces of its existence than crickets in a summer field.

Despite our collective social fears of data deluge and "the age of big data", the reality is that we're probably the last generation in human history that will disappear with relatively little trace. As I troll the web today, I don't find much about myself: a few dozen YouTube video clips, a few hundred photos, my blog postings, a few thousand media quotes. Frankly, it really doesn't amount to all that much. It's barely a sliver of my life. In the future, digital archeologists will try to understand our generation, making sense of these digital fragments of our generation, the last lost generation.

The current privacy debates about particular technologies will seem oddly quaint in a few years. I remember a time only a few years ago when serious people thought a spam filter in email must be an invasion of privacy, since a machine was doing the filtering. Now we're debating whether users should click on a pop-up screen for cookies. A decade from now, we'll laugh, I think, about the current fears of digital over-exposure, based on today's trivia: posting a photo to the web, or tweeting, or blogging, or sharing location info with friends, or whatever. Of course, some things shouldn't be published or shared, because they are hurtful or embarrassing. But the scale of data and technology is changing so fundamentally that the importance of a particular piece of data today is almost unknowable.

I'm sure that more and more data will be shared and published, sometimes openly to the Web, and sometimes privately to a community of friends or family. But the trend is clear. Most of the sharing will be utterly boring: nope, I don't care what you had for breakfast today. But what is boring individually can be fascinating in crowd-sourcing terms, as big data analysis discovers ever more insights into human nature, health, and economics from mountains of seemingly banal data bits. We already know that some data sets hold vast information, but we've barely begun to know how to read them yet, like genomes. Data holds massive knowledge and value, even, perhaps especially, when we do not yet know how to read it. Maybe it's a mistake to try to minimize data generation and retention. Maybe the privacy community's shibboleth of data deletion is a crime against science, in ways that we don't even understand yet.

Assuming I live a normal lifespan, I will live to be able to upload my life memories to remote storage. I'll be able to start real-time recording of my experience of life, and to store it, share it, and edit it. My perceptions, thoughts, and memory will be enhanced by machines guided by artificial intelligence. Perhaps it's human vanity, but I want to have the choice to store and share my life, before or after its biological limits are extinguished. I am already losing clear memories of my youth, and of places I've been, and people I've loved. What I've lost is lost forever. There was no back-up disk. That's not my idea of privacy, but privation. I suspect a future privacy debate will discuss whether "memory deletion" is a fundamental human right, or deeply anti-social.

I have no idea what this future will look like, or whether humans and society can adapt to it as quickly as the technology will enable it. But as the year draws to a close, I am grateful for a front row seat, hoping to live long enough to see a world of technologies that will stop me from just disappearing from the planet, without anything more than a few random photos and video clips, as part of the last human generation whose evanescent lives left almost no traces, disappearing from the earth like crickets at the end of summer.

Wednesday, November 23, 2011

Data Protection Officers: on solid ground?


I've worked in the field of privacy long enough to remember a time when almost no companies in the world had privacy officers. Now, almost all big companies do. And soon, Europe's privacy laws are likely to be amended in a way to mandate them, or at least to provide strong incentives to appoint them, which will lead to massive growth in this profession.

But what is a data protection officer? Or can we even agree on what to call them? "Data Protection Officer" or "DPO" is a euro-centric title, since Europe long ago invented the concept of "data protection" as an alternative (not synonym) for "privacy". Personally, I have long used the title "Global Privacy Counsel", since I think it's useful to express three things that define my job, namely, the topic (privacy), the geographic scope (global) and the functional perspective (namely, counsel, or lawyer). But privacy leaders are often not lawyers, and hence, use different monikers, ranging from Chief Privacy Officer to Director of Privacy Engineering, or Director of Privacy Compliance, or Chief Privacy Evangelist, in each case stressing a different functional perspective.

For very large companies, privacy needs to be a cross-functional effort, representing security, engineering, legal, compliance, policy and communications. Personally, I focus on the legal/regulatory/policy sides of privacy. For very large information-based Internet companies, literally hundreds of people work on privacy, across these different functions. For smaller companies, in my opinion, there should be at least one person who is accountable for privacy, in some sense, even if it's not a full-time job.

As Europe is on the verge of mandating "data protection officers", we need to understand what exactly these people will be accountable for. First, it's important to note that the European proposal will probably be modeled on the existing functions in France ("correspondent") and Germany ("Datenschutzbeauftragte"). In these countries, the DPO is responsible for supervising their companies' creation and use of databases of personal data, liaising with government privacy regulators, and providing good privacy advice and guidance. In practice, DPOs in Germany and France are sometimes focused on the legal side, and sometimes on the technical/security side.

In the US, there is a different vision of privacy leaders. At most US companies, lawyers play this role, just as I came to privacy through the legal profession. And we play this role in our capacity as lawyers, namely, providing privacy legal advice to our companies. As privacy lawyers, we provide advice, but are not empowered to make final decisions about whether or not our companies will follow our advice. The companies' executives are the decision-makers, ultimately, not the privacy lawyers. There are of course other models at some US companies, but they're still in the minority.

So, as Europe institutionalizes the role of DPO, it will be important to define what exactly these people will be accountable for, seen from inside and outside their companies. For multinationals, it will take some time to work out how to support their privacy leaders under these different legal regimes as they straddle jurisdictions. And as DPOs are held accountable for certain areas, they too may need protection and indemnification from their companies for personal liability, just like other professions, such as chief financial officers who are mandated by various laws with specific areas of accountability.

I welcome laws in Europe that will help strengthen the role of DPOs in their companies, and will help make DPOs more prevalent across industry. This will be a practical step forward for privacy. But at the same time, it will be important to define what we're accountable for, internally and externally, especially in a field where the very notion of "privacy" is highly subjective, and where the visions of what a privacy leader is supposed to do diverge dramatically, by country, by industry, and by function.

Thursday, September 8, 2011

My Italian Appeal

A lot of you have wondered about the status of the appeal of my Italian conviction. So, here's a short update, just on some logistical points.

There have been some changes to my legal defense team. First, I'd like to congratulate one of the defense team's members, Giuliano Pisapia, on his recent election as Mayor of Milan. Sadly for me, of course, he will be withdrawing from the legal team. But I'm delighted that Giulia Bongiorno and Carlo Blengino have joined my team. Giulia will be fully on board once her work in the Amanda Knox/ Raffaele Sollecito appeal winds down.

Preliminary appeal briefs have been filed with the Milan appeals court, but the appeal has not yet been assigned to individual appeals court judges. Once that happens, the judges will decide on a hearing schedule. So, realistically, I am not expecting the hearings to begin until later this fall. I have no insights into how many hearings will be held, nor when they might be held.

Wednesday, September 7, 2011

September 11

September 11, seen 10 years later, changed many things in the world, in geo-political terms. Some people also think it changed the nature of privacy too, since it gave rise to the Patriot Act.

I can't think of any topic in the field of privacy that has been more polemicized and politicized and distorted than discussions about the Patriot Act. Most discussions about it are simply factually and legally wrong. I respect Microsoft for blogging and explaining this. It takes courage to talk about this issue, since so many people around the world have passionate reasons to want to resist or restrict the power of (some, all, or just the US) governments to use valid legal process to access data.

Over and over again, I read about people and politicians around the world saying that they want their data to be stored in the cloud (i.e., in a data center) in their country/continent, so that it's protected from American law enforcement under the Patriot Act. This is a common refrain, for example, in Europe and Canada. Indeed, it has given rise to an entire industry purporting to offer "euro-clouds".

Therefore, it's perhaps surprising for some people to learn that the location of storage of the data has no impact on this issue, with regard to US-headquartered companies. It has limited impact on this issue, with regard to non-US headquartered companies. I won't repeat the legal analysis, since Microsoft's blog did a good job in explaining it.

It's well-known that global cloud-service providers maintain data centers around the world, mostly to ensure that their services operate with efficiency, speed and reliability. But they don't, and can't, operate as tools to evade or circumvent valid US government access to information, whether under the Patriot Act or any of its related/predecessor laws, since the location of data within the cloud is simply not a relevant legal factor. I know that's controversial, but it's also a legal fact, so kudos to Microsoft for saying it publicly.

Monday, September 5, 2011

"The Right to be Forgotten", seen from Spain

I'd like to share some personal musings about an interesting series of court cases pending in Spain, pitting the "right to be forgotten" against the right to freedom of expression. The New York Times reported on this debate recently. In a nutshell, the cases ask the question whether people can demand that search engines delete content from their indexes, even if the content is true and the third-party site that published it clearly has the right to publish it (e.g., newspapers).

Virtually everyone uses search engines to find information on the web. There are way over a trillion pages on the web today. To help people find what they're looking for in the vastness of the web, search engines create giant indexes of the web. Search engines are intermediaries, since they don't create, select or edit the content on the web sites they index. Search engines try to match a user's search query with the search results most likely to be relevant, using complex algorithms to rank the likely relevance of a particular webpage. The vast majority of websites want to appear in search engine indexes, but if they don't want to be included in the index, they can use a simple tool, called robots.txt, to opt out of being indexed by all leading search engines.

Many websites publish information about people, and sometimes this information can be hurtful to a person's sense of privacy or reputation. For example, government websites or newspapers may publish information about criminal convictions or accusations of medical malpractice. People who feel that information about them was wrongly published by these web sites can always ask them to correct or delete it. But newspapers and government websites usually have published this information legally, or indeed may even be legally obligated to publish it, or may be exercising their rights of freedom of expression. As search engine intermediaries, Google and other search engines play no role in what these web sites publish, or in deciding whether they should revise or remove content based on someone's privacy claim against them.

That's why I think it's wrong that the Spanish Data Protection Authority has launched over a hundred different privacy suits against Google, demanding that Google delete web sites from its index, even though the original websites that published the information (including Spanish newspapers and Spanish official government journals) published that information legally and continue to offer it. The legal question is important: should search engines like Google be responsible for the content of the web sites that they index? Should Google be forced to remove links from its search index, in the name of privacy, even if the websites that published it want to be included in its search index and the content is legal? Should search engines be used to make information harder to find, even if the information is legally published?

I have great sympathy with people who feel their privacy has been invaded by a web site that publishes information about them. But search engines shouldn't be asked to delete links to legal content that is published by a third-party website. These cases have sometimes been referred to as about the "right to be forgotten". In fact, these cases are not about deleting or "forgetting" content, but just about making it harder to find content. These cases would make it impossible for users to use search engines to find content that otherwise continues to exist on the web.

It's not hard to imagine the negative consequences for freedom of expression, if search engines could be ordered to delete links to any website that publishes content about a person that is deemed to have invaded someone's privacy. The debate about privacy versus freedom of expression is an important and timeless debate, which is becoming more urgent in the age of the Internet. But it's wrong to try to use search engines to try to make legal information harder to find. It's wrong to use search engines as an indirect tool of censorship, since European law rightly holds that the publisher of material is responsible for its content. Requiring intermediaries like search engines to censor material published by others would have a profound chilling effect on freedom of expression.

There are better ways to protect privacy online, by remembering that it should be the publisher of content who is responsible for it. Interestingly, the Spanish Data Protection Authority seems to be coming around to this conclusion itself. It recently issued a resolution ordering a website to use the robots.txt protocol to exclude some of its pages from search engine indexes. That's exactly the right approach. Now, the debate will turn to the websites that receive such orders: should they exclude some of their pages from search engine indexes, in the name of privacy, or should they refuse, in the name of freedom of expression? Newspapers worldwide, and in particular their online archives, will soon be in the middle of this debate. I believe that Spanish papers, like El Pais, are now respecting such orders. I would wager that The New York Times wouldn't, based on their reporting on Two German Killers demanding Anonymity Sue Wikipedia's Parent.
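The two robots.txt mechanisms mentioned in this post, a site opting out of indexing altogether and a site excluding only particular pages (as in the resolution the Spanish DPA is described as issuing), can be checked offline with Python's standard-library parser. The following is an added example written for this page, not code from the original post or from any search engine; the robots.txt text, the site paths and the crawler name "ArchiveBot" are all constructed for illustration.

```python
import urllib.robotparser

# Constructed sample robots.txt for a hypothetical newspaper site (not any
# real site's file). The first group asks one hypothetical crawler,
# "ArchiveBot", to stay away entirely; the second group applies to every
# other crawler and excludes only two archive locations from indexing.
SAMPLE_ROBOTS_TXT = """\
User-agent: ArchiveBot
Disallow: /

User-agent: *
Disallow: /archive/1998/court-notices/
Disallow: /archive/2003/malpractice-ruling.html
"""

# Constructed list of paths a crawler might try to fetch on that site.
CANDIDATE_PATHS = [
    "/",
    "/news/today.html",
    "/archive/1998/court-notices/notice-17.html",
    "/archive/1998/index.html",
    "/archive/2003/malpractice-ruling.html",
]


def build_parser(robots_text):
    """Parse robots.txt text already held in memory (no network fetch)."""
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(robots_text.splitlines())
    return rp


def is_indexable(robots_text, user_agent, path):
    """True if a crawler identifying as user_agent is permitted to fetch path.

    Group selection matches the crawler name as a substring, case-insensitively;
    a crawler with no matching group falls back to the "User-agent: *" group.
    """
    return build_parser(robots_text).can_fetch(user_agent, path)


def excluded_paths(robots_text, user_agent, paths):
    """Return the subset of paths the file asks user_agent not to crawl."""
    rp = build_parser(robots_text)
    return [p for p in paths if not rp.can_fetch(user_agent, p)]


if __name__ == "__main__":
    for agent in ("Googlebot", "ArchiveBot"):
        print(agent, "excluded:", excluded_paths(SAMPLE_ROBOTS_TXT, agent, CANDIDATE_PATHS))
```

Two things worth keeping in mind when reading the result. First, robots.txt is a request honoured by cooperating crawlers, not an access control: a path listed under Disallow stays reachable by anyone who has its URL, which is precisely the distinction the post draws between "forgetting" content and merely making it harder to find. Second, Python's parser applies the first matching rule within a group, whereas RFC 9309 and the major engines give precedence to the longest matching path, so a file that mixes overlapping Allow and Disallow rules should be verified against the engine's own testing tools before relying on it.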

This is a difficult debate, and I'm sure that different publishers will come to different conclusions about it. That's how it should be.

Tuesday, May 17, 2011

Trying to define “sensitive” data

Privacy laws need to ensure that there is a higher level of privacy protection for everyone’s sensitive personal data. There's universal consensus on that. So, it’s very important for laws to do a good job defining what should be considered “sensitive personal data”. It’s quite instructive to compare Europe’s definition (from 1995) with India’s (from 2011).

The European Data Protection Directive defines them as:

“personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.”

As I read this list, and having worked with its concepts for years, I find it quite unsatisfying. It is both far too broad, and far too narrow, at the same time. It’s far too broad, because it seems to extend exceptional privacy legal protection to banal and often public things, like “political opinions”, or “racial origin” when any photo of me will show I’m a white dude. And things like “trade union membership” or “racial origins” probably should not be protected by privacy laws, but rather by labor laws or anti-discrimination laws, as they generally already are. But it’s also far too narrow, because the European definition of sensitive personal data fails to include something as strikingly sensitive as, say, genetic data, or biometrics. Granted, the laws in some individual European countries got this right, like France, which already treats biometrics as sensitive. In my opinion, in the future, genetic/biometric data will become the most important category of what should be treated as sensitive, so laws that don’t include biometrics in the category of sensitive data have a big gap. Strangely, European law also does not include sensitive personal financial information in its list of “sensitive” categories.

Now, for comparison, here are India’s just-revised categories of “sensitive” data:

“unless freely available in the public domain or otherwise available under law, SPDI under the Rules is personal information which consists of information relating to:

password,

financial information such as bank account, credit or debit card details as well as other payment instrument details,

physical, physiological and mental health condition,

sexual orientation,

medical records and history,

Biometric information (a defined term including fingerprints, eye retinas and irises, voice and facial patterns, hand measurements and DNA),

Any detail relating to the above when supplied for providing service, and

Any of the information described above received by an organization for processing, stored or processed under lawful contract or otherwise.”

When India drafted its privacy laws, it looked to Europe’s Directive, both for inspiration and to protect its out-sourcing industry. But Europe would do well to look to India for inspiration about how to modernize our data protection concepts. India's list of "sensitive personal data" strikes me as much more modern and relevant to privacy than the legacy of what we have in Europe.

Friday, March 11, 2011

France re-writes the rules of data retention

When Europe introduced a Data Retention Directive in 2006, it struck a very careful political and legal balance between the interests of privacy and the interests of Law Enforcement/ Government access to data. The core distinction of the laws was to impose an obligation on service providers to retain and produce traffic data relating to communications, but to exclude contents of communications. Notwithstanding this careful balance, the Directive has always been highly controversial. There has been a long debate about whether this Directive, and the balance it struck, is constitutional under national privacy laws, and indeed, last year its German implementation was held unconstitutional by the German Constitutional Court.

Surprisingly, very few people have noticed what just happened in France. The law (decree, technically) adopted a few days ago in France upended the careful political/legal balance of the Directive by inserting one little word: "passwords". In other words, passwords are added to the list of "traffic data" that ISPs have to retain and produce to the French police on demand. Interestingly, the version of the law that had been circulating for discussion in France for the last two years, and which was reviewed by the French privacy authority the CNIL and by industry associations, did not contain that little word "password". The word "password" was inserted at the last minute, with no public or privacy review, as far as I can tell.

Stop to reflect for just a minute. Why would police want a password and what would they do with it? Well, obviously, they would use it to look at "content" of communications. In other words, a password would grant them access to all the things that the Directive explicitly chose not to subject to Data Retention in the interests of privacy.

All the years of work by privacy advocates have been chucked aside, in one little word. Well, three in French: "mot de passe".

I'm sure legal challenges to this French law will not be far behind. Curiously, only a few lone voices in the press or advocacy community seem to have noticed all this.

Wednesday, March 9, 2011

Foggy thinking about the Right to Oblivion



I was lucky enough to spend a few days in Switzerland working on Street View. And I treated myself to a weekend of skiing too. The weather wasn't great, we had a lot of mountain fog, but then, the entire privacy world seems to be sort of foggy these days.

In privacy circles, everybody's talking about the Right to be Forgotten. The European Commission has even proposed that the "right to be forgotten" should be written into the upcoming revision of the Privacy Directive. Originally a rather curious French "universal right" that doesn't even have a proper English translation (right to be forgotten? right to oblivion? right to delete?), le Droit a l'Oubli is going mainstream. But what on earth is it? For most people, I think it's an attempt to give people the right to wash away digital muck, or delete the embarrassing stuff, or just start fresh. But unfortunately, it's more complicated than that.

More and more, privacy is being used to justify censorship. In a sense, privacy depends on keeping some things private, in other words, hidden, restricted, or deleted. And in a world where ever more content is coming online, and where ever more content is findable and shareable, it's also natural that the privacy counter-movement is gathering strength. Privacy is the new black in censorship fashions. It used to be that people would invoke libel or defamation to justify censorship of things that hurt their reputations. But invoking libel or defamation requires that the speech not be true. Privacy is far more elastic, because privacy claims can be made about speech that is true.

Privacy as a justification for censorship now crops up in several different, but related, debates: le droit a l'oubli, the idea that content (especially user-generated content on social networking services) should auto-expire, the idea that data collection by companies should not be retained for longer than necessary, the idea that computers should be programmed to "forget" just like the human brain. All these are movements to censor content in the name of privacy. If there weren't serious issues on both sides of the debate, we wouldn't even be talking about this.

Most conversations about the right to oblivion mix all this stuff up. I can't imagine how to have a meaningful conversation (much less write a law) about the Right to Oblivion without some framework to disentangle completely unrelated concepts, with completely unrelated implications. Here's my simple attempt to remember the different concepts some people want to forget.

1) If I post something online, should I have the right to delete it again? I think most of us agree with this, as the simplest, least controversial case. If I post a photo to my album, I should later be able to delete it, if I have second thoughts about it. Virtually all online services already offer this, so it's unproblematic, and this is the crux of what the French government sponsored in its recent Charter on the Droit a l'Oubli. But there's a big disconnect between a user's deleting content from his/her own site, and whether the user can in fact delete it from the Internet (which is what users usually want to do), more below.

2) If I post something, and someone else copies it and re-posts it on their own site, do I have the right to delete it? This is the classic real-world case. For example, let's say I regret having posted that picture of myself covered in mud, and after posting it on my own site, and then later deleting it, I discover someone else has copied it and re-posted it on their own site. Clearly, I should be able to ask the person who re-posted my picture to take it down. But if they refuse, or just don't respond, or are not findable, what can I do? I can pursue judicial procedures, but those are expensive and time-consuming. I can go directly to the platform hosting the content, and if the content violates their terms of service or obviously violates the law, I can ask them to take it down. But practically, if I ask a platform to delete a picture of me from someone else's album, without the album owner's consent, and only based on my request, it puts the platform in the very difficult or impossible position of arbitrating between my privacy claim and the album owner's freedom of expression. It's also debatable whether, as a public policy matter, we want to have platforms arbitrate such dilemmas. Perhaps this is best resolved by allowing each platform to define its own policies on this, since they could legitimately go either way.

3) If someone else posts something about me, should I have a right to delete it? Virtually all of us would agree that this raises difficult issues of conflict between freedom of expression and privacy. Traditional law has mechanisms, like defamation and libel law, to allow a person to seek redress against someone who publishes untrue information about him. Granted, the mechanisms are time-consuming and expensive, but the legal standards are long-standing and fairly clear. But a privacy claim is not based on untruth. I cannot see how such a right could be introduced without severely infringing on freedom of speech. This is why I think privacy is the new black in censorship fashion.

4) The Internet platforms that are used to host and transmit information all collect traces, some of which are PII, or partially PII. Should such platforms be under an obligation to delete or anonymize those traces after a certain period of time? And if so, after how long? And for what reasons can such traces be retained and processed? This is a much-debated topic, e.g., the cookies debate, the logs debate, the data retention debate, all of which are also part of the Droit a l'Oubli debate, but they are completely different from the categories above, since they focus on the platform's traffic data, rather than the user's content. I think existing law deals with this well, if ambiguously, by permitting such retention "as long as necessary" for "legitimate purposes". Hyper-specific regulation just doesn't work, since the cases are simply too varied.

5) Should the Internet just learn to "forget"? Quite apart from the topics above, should content on the Internet just auto-expire? E.g., should all user posts to social networking be programmed to auto-expire? Or alternatively, should users have the right to use auto-expire settings? Philosophically, I'm in favor of giving users power over their own data, but not over someone else's data. I'd love to see a credible technical framework for auto-delete tools, but I've heard a lot of technical problems with realizing them. Engineers describe most auto-delete functionalities as 80% solutions, meaning that they never work completely. Just for the sake of debate, on one extreme, government-mandated auto-expire laws would be as sensible as burning down a library every 5 years. Even if auto-expire tools existed, they would do nothing to prevent the usual privacy problems when someone copies content from one site (with the auto-expire tool) and moves it to another (without the auto-expire function). So, in the real world, I suspect that an auto-expire functionality (regardless of whether it was optional or mandatory) would provide little real-world practical privacy protection for users, but it would result in the loss of vast amounts of data and all the benefits that data can hold.

6) Should the Internet be re-wired to be more like the human brain? This seems to be a popular theme on the privacy talk circuit. I guess this means the Internet should have gradations between memory, and sort of hazy memories, and forgetting. Well, computers don't work that way. This part of the debate is sociological and psychological, but I don't see a place for it in the world of computers. Human brains also adapt to new realities, rather well, in fact, and human brains can forget or ignore content, even if the content itself continues to exist in cyberspace.

7) Who should decide what should be remembered or forgotten? For example, if German courts decide German murderers should be able to delete all references to their convictions after a certain period of time, would this German standard apply to the Web? Would it apply only to content that was new on the Web, or also to historical archives? And if it only applied to Germany, or say the .de domain, would it have any practical impact at all, since the same content would continue to exist and be findable by anyone from anywhere? Or to make it more personal, the web is littered with references to my criminal conviction in Italy, but I respect the right of journalists and others to write about it, with no illusion that I should have a "right" to delete all references to it at some point in the future. But all of my empathy for wanting to let people edit out some of the bad things of their past doesn't change my conviction that history should be remembered, not forgotten, even if it's painful. Culture is memory.

8) Sometimes people aren't trying to delete content, they're just trying to make it harder to find. This motivates various initiatives against search engines, for example, to delete links to legitimate web content, like newspaper articles. This isn't strictly speaking "droit a l'oubli", but it's a sort of end-run around it, by trying to make some content unfindable rather than deleted. This will surely generate legal challenges and counter-challenges before this debate is resolved.

Next time you hear someone talk about the Right to Oblivion, ask them what exactly they mean. Foggy thinking won't get us anywhere.

Friday, November 26, 2010

Imagine if tennis had different rules in every country: Cookie Confusion comes to the Continent


A decade ago, European policymakers debated the level of consent required for data protection purposes when a website uses a cookie. Common sense ultimately prevailed. Policymakers realized that an opt-in regime would drive users mad, as every website would be forced to serve up pop-ups asking users to opt in, annoying everyone. Alternatively, websites could just stop using cookies, but that's unworkable in basic technology terms. So, a Directive was adopted mandating an opt-out regime, together with clear notice in privacy policies of the use of cookies. All browsers introduced cookie controls too. After a decade more experience with the Web, rather than seeing more wisdom about the Web, we're seeing the status quo common-sense approach up-ended by contradictory policy agendas in Europe. So, the question is back on the policy agenda: should interest-based advertising be opt-in, or opt-out?

What are the rules now? The 2002 E-Privacy Directive was significantly changed in 2009 (Directive 2009/136/EC). Specifically, the wording for cookies was modified:
  • Article 5(3): Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing...
  • Recital 66 (non-binding): ...Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.
While non-binding, Recital 66 clearly indicates that the directive does not intend to make cookies opt-in. The guidance from the Commission on this question has, however, been ambiguous.
  • In a June 2010 opinion, the Article 29 Working Party contended that in the case of interest-based advertising, at least:

The Article 29 Working Party is of the view that prior opt-in mechanisms, which require an affirmative data subject's action to indicate consent before the cookie is sent to the data subject, are more in line with Article 5(3). In a reference to consent as legal grounds for processing, the Article 29 Working Party recently confirmed these views "The technological developments also ask for a careful consideration of consent. In practice, Article 7 of Directive 95/46/EC is not always properly applied, particularly in the context of the internet, where implicit consent does not always lead to unambiguous consent (as required by Article 7 (a) of the Directive). Giving the data subjects a stronger voice ‘ex ante’, prior to the processing of their personal data by others, however requires explicit consent (and therefore an opt-in) for all processing that is based on consent."

  • At a speech in September 2010, Neelie Kroes (European Commissioner for the Digital Agenda) acknowledged the value created by the online advertising sector and signalled that she was “open to all creative ideas” to develop self-regulation that works for the advertising industry. When directly asked, she also said she was "not in favour of opt-in" for interest-based ads.
  • Alberto Alvaro, the MEP who drafted the revised ePrivacy Directive, has written that it “does not require websites to obtain prior consent for cookies to be placed on users’ terminals.”
  • The Commission’s DG Legal Service has not yet expressed an opinion on whether the revised E-Privacy Directive requires explicit opt-in for interest-based ad cookies.
But this is only the start. The scope for confusion will increase exponentially as individual Member States transpose the law. With no clear guidance to Member States, it is inevitable that 27 different national parliaments will begin diverging in how they transpose these rules. All of which means that global websites will face far more policy and legal confusion in Europe in the years ahead, and users will be facing very different privacy "protections" across geographies. How all of this is supposed to work in the real world is anyone's guess. Messy and contradictory laws and regulations are nothing new in politics, but if you're an engineer, what are you supposed to code?
I always think transparency and user choice are the linchpins of privacy. But a legislated solution which forces people to click like mad on cookie consent pop-ups is hardly the right way forward. At least tennis has clear rules, and they're the same everywhere.

Thursday, September 16, 2010

Privacy: a number's game?



How do you measure privacy protections? There are many important questions that I ask, including these:

What data is collected?
Who has access to this data?
How is this data used?
Is this data transferred to third-parties?
Can the data subject see and control this data?
Is this data protected by adequate security safeguards?
How long is this data retained before it is either destroyed or anonymized?

In reviewing this list, I think the last one is the least important in terms of measuring meaningful privacy protections for data. But curiously, it's precisely this one that I hear the most as I move around Continental Europe listening to privacy media and regulatory concerns in the online debates in recent years. Why is that?

European privacy law has clear provisions that personal data should not be retained "longer than necessary". Naturally, this time period is left vague in the laws, since it would be impossible to prescribe precise time periods for myriads of different contexts, especially since retention is always justified by "legitimate purposes". I think there's a temptation to try to boil privacy down into something simple and numerical, and what could be simpler and more measurable than a time period? In practice, there's a vast spectrum of legitimate retention periods, even for similar services, if the retention periods were designed to respect the very different legitimate purposes for which they were retaining data. To take some Google services as examples: Search logs (9 months), Instant Search logs (2 weeks), Suggest logs (24 hours), etc. To me, it's absurd to think that the most important privacy issue in Search is whether Search logs are retained for 6 or 9 months.
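The "spectrum of legitimate retention periods" above is a policy statement, but it is also something a log pipeline has to enforce mechanically: each log type needs its own clock, and the usual options at the end of the clock are anonymization or deletion. The following is an added example, not code from this blog or from Google's systems. It assumes a constructed per-log-type policy (the delete periods echo the figures quoted above; the earlier anonymization step, the log types, the salt and the sample records are all made up for illustration) and shows a retention sweep that truncates IP addresses, replaces a cookie identifier with a salted hash, and refuses to process a log type that has no policy defined, so that nothing is kept indefinitely by accident.

```python
"""Per-log-type retention sweep with anonymization before deletion.

Added example for illustration; the policy table, log types and sample
records are constructed and do not describe any real company's logs.
"""
from __future__ import annotations

import hashlib
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy: log_type -> (anonymize_after, delete_after).
# Delete periods echo the figures quoted in the post (9 months, 2 weeks,
# 24 hours); the anonymize step at 90 days for search is an assumption.
RETENTION = {
    "search":  (timedelta(days=90), timedelta(days=270)),
    "instant": (timedelta(0),       timedelta(days=14)),
    "suggest": (timedelta(0),       timedelta(hours=24)),
}

# Fixed "now" so the example is reproducible offline (constructed).
NOW = datetime(2010, 9, 16, tzinfo=timezone.utc)
SALT = b"constructed-rotating-salt"  # rotate/discard to make hashes unlinkable


@dataclass
class LogRecord:
    log_type: str
    ts: datetime
    client_ip: str
    cookie_id: str
    query: str
    anonymized: bool = False


def anonymize(rec: LogRecord, salt: bytes) -> LogRecord:
    """Truncate the IP (IPv4 to /24, IPv6 to /48) and pseudonymize the cookie id.

    A salted hash is only a pseudonym while the salt exists; the salt must be
    rotated and the old one discarded for the identifier to stop being linkable.
    """
    ip = ipaddress.ip_address(rec.client_ip)
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    rec.client_ip = str(net.network_address)
    rec.cookie_id = hashlib.sha256(salt + rec.cookie_id.encode()).hexdigest()[:16]
    rec.anonymized = True
    return rec


def apply_retention(records: list[LogRecord], now: datetime, salt: bytes):
    """Return (kept_records, deleted_count) after one sweep of the policy."""
    kept: list[LogRecord] = []
    deleted = 0
    for rec in records:
        if rec.log_type not in RETENTION:
            # Fail closed: a log type with no declared purpose/period is a
            # policy gap, not something to keep silently.
            raise ValueError(f"no retention policy for log type {rec.log_type!r}")
        anon_after, delete_after = RETENTION[rec.log_type]
        age = now - rec.ts
        if age >= delete_after:
            deleted += 1
            continue
        if age >= anon_after and not rec.anonymized:
            anonymize(rec, salt)
        kept.append(rec)
    return kept, deleted


def sample_records() -> list[LogRecord]:
    """Constructed sample log lines (documentation IP ranges, fake cookie ids)."""
    return [
        LogRecord("search",  NOW - timedelta(days=100),  "203.0.113.42", "c1", "mountain fog"),
        LogRecord("search",  NOW - timedelta(days=300),  "203.0.113.43", "c2", "old query"),
        LogRecord("instant", NOW - timedelta(days=1),    "2001:db8::1",  "c3", "ski"),
        LogRecord("suggest", NOW - timedelta(hours=25),  "203.0.113.44", "c4", "s"),
    ]


def run_demo():
    """One sweep over the constructed records; returns (kept, deleted)."""
    return apply_retention(sample_records(), NOW, SALT)


if __name__ == "__main__":
    kept, deleted = run_demo()
    print(f"deleted {deleted}, kept {len(kept)}")
    for rec in kept:
        print(rec.log_type, rec.client_ip, rec.cookie_id, rec.anonymized)
```

The point a practitioner should take from this is that "how many months" is the smallest part of the design: which fields are truncated, whether the pseudonymization salt is ever discarded, and what happens to a log type nobody wrote a policy for matter at least as much as the number on the clock.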

To take a different example: data retention rules in Europe (for government and law enforcement access) range from 6 months to 24 months, with each country in Europe picking and debating different time periods. Germany for example picked 6 months (but the German Constitutional Court struck down its version of data retention on other grounds), while France picked 12.

Curiously, the time dimension of data retention is almost entirely a Continental European privacy concern. It rarely registers as a meaningful vector in other countries, even in countries with very intense privacy debates. Of course, the euro-time-period debate is also intimately tied up with the debate about the so-called "right to be forgotten", the "droit a l'oubli", a well-intentioned idea that people should somehow be able to have parts of their own past (presumably the disagreeable parts) edited out of their personal histories. And, not coincidentally, this debate is most intense in countries with historical chapters that many people consciously or unconsciously want to forget: like Spanish society's conflict between remembering or forgetting the crimes of the Franco era.

I've spent a fair amount of time engaging in the time period debate "how many months is ok." It's pretty repetitive after a while. Lots of people who can't be bothered to think about the issues will just say: "oh, that's too long". I strongly believe that personal data should not be retained for "longer than necessary", as required by European privacy law, and I generally believe that it's an important debate for data controllers to justify their retention according to "legitimate purposes". Beyond that, reducing the online privacy debate to a numbers' game risks focusing all the attention on only one aspect of the broader privacy debate (and in my opinion, on the least important aspect of the debate to boot). And I am very much not in the superficial privacy school of thinking that "shorter is always better".

To clear my head, I spent some time playing tennis this summer. Now that's a number's game. By the way, I lost.


Tuesday, September 7, 2010

Face recognition software

How should we handle face recognition software?

Every so often a new technology comes along that has the ability to alter fundamentally the private/public balance, with profound implications for privacy. Face recognition is one of them, in my opinion.

We're already seeing highly accurate face recognition software provided by companies like face.com in the Facebook community. Some online photo albums also offer it, as a tool for users to tag one of their photos and allow the software to come back with face matches and propose auto-tagging them too.

But what will we do about face recognition software in the wild? Any Internet-connected smart phone with a camera could in theory do a real-time face recognition search on a person walking down the street, without their knowledge, and get web-based search results. Google declined to include face recognition in the version of Goggles that it launched a few months ago, precisely because of the unresolved privacy implications.

Over the last few months, I've spoken about face recognition with a number of privacy experts. Everyone quickly understands how it could be a useful tool, and how it could be a freaky tool, depending on how it's used. But essentially no one has a clue what to do about it. One could imagine a "solution" where users would upload their photos to a company offering this service, with either an opt-in or an opt-out, in other words, telling the company, "yes", you can run searches against my photo, or "no", please do not run searches against my photo. In either case, the company has to maintain a central database of these people and their faces. Moreover, the database is essentially a biometric database, since the software runs against algorithmic "face prints". Neither of these "solutions", opt-in or opt-out, seems very palatable. In addition, it's hard to imagine how different countries might regulate such global services according to different standards, if, as one might realistically expect, one country wants to regulate an opt-in model, while another wants to take an opt-out model, while yet a third wants to prohibit such services entirely. How would that work?

Well, as we reflect, the technology is developing rapidly, and is already on the marketplace, offered by many different companies. Once again, the technology will evolve faster than our legal, political and sociological response to it. Hang on, this one will be interesting. If you have an idea about how to handle it, I'd welcome your comments, which you're free to submit, anonymously, of course.

Monday, September 6, 2010

Exhibitionism, or Self-Expression?



In privacy circles, we all try to make sure that people are sensitive about what they post online. I remember a chat I had with a journalist at SFGate.com back in 2007:

"Before posting anything online, Peter Fleischer asks himself: Is this something I want to make public forever? ...

he thinks a lot about the implications of sharing information with the world. As a result, in his private life, he takes a cautious approach...

But he's uncomfortable sharing photos online..."


I generally advise people not to post things publicly without thinking about whether they're likely to regret having posted it. I also advise people not to post anything about other people (like pictures or videos), unless those people agreed to have it posted. But that doesn't mean that I think people should stop posting stuff about themselves and their friends online. In fact, I'm wildly enthusiastic about these social platforms that empower people to publish things about themselves and their friends to the world. The interesting risk-debate is about stuff in a gray zone, where one person's self-expression is another person's exhibitionism. This sort of gets summed up as a question that helps kids understand the consequences of posting things online: "even if you think this photo/video etc is cool, what will a future employer think about it when you start looking for a job?"

Digital natives are creating a part of their identity online. What they publish, or don't publish, is a self-created, highly edited version of their "identity" that they'd like to project. Digital natives are used to seeing lots of stuff about themselves and their friends online. The older generation isn't. So, rather than a technology clash, this strikes me more as a classic generational clash. The older generation warns the younger generation about putting too much of themselves out there, because, well, they never did, didn't have the opportunity, and no one in their generation did either. Perhaps that's why some people are calling the younger crowd Generation Xhibitionists.

Curiously, every time I've done an image search on my own name (and hey, regular "vanity" searches on your own name are an essential part of privacy hygiene, to know what's out there about yourself), I see a highly-ranked image search result of a guy in a bathing suit...who isn't me. Since I'm a believer in the principle that the best answer to bad speech (or bad content) is to confront it with better content, I figure I might as well post a picture of myself in a bathing suit too. The other guy is younger and better-looking, but hey, at least this is me. And to all those people who say I'm never willing to share anything personal online, well, call me Gen X.

Sunday, September 5, 2010

10 paths and they're all hard



We spent a couple days on mountain bikes in Switzerland recently. We got lost a lot. We didn't use GPS or geo-location-apps. We didn't really know where we were going, but we sort of had faith in our legs and our bicycles that we'd somehow get up and back down.

It was good to get out on a mountain. It clears my head. I was trying to think of the big privacy challenges this year.

And like choosing a mountain path that you don't know, these privacy challenges may turn out to be easy, or they may turn out to be the hardest ride of your life.

Here's my list of this year's cliff-hangers. And like any good cliff-hanger, I'll be back to comment on all of them in the months ahead.

1. Location: who should know where you are and where you've been and how can you control it?

2. Face recognition: how to enable useful apps without creating a mass surveillance device?

3. Data minimization: can we (or should we) restrict some data collection in the age of data ubiquity?

4. Notice and consent in machine to machine processing: e.g., how can a user meaningfully exercise control and consent when apps instantly share data?

5. Communicating with end users: everyone agrees privacy policies aren't human-friendly, but does anyone have a better idea?

6. Social graph: what can algorithms know or deduce from your public social graph and what can you do about it?

7. Online mapping: what's private in a public place?

8. Droit a l'Oubli: can a line be drawn between "forgetfulness" and censorship?

9. Conflicts of laws: how can sites on the global web comply with conflicting rules from country to country, and is the global web balkanizing?

10. Anonymization: in the age of data mining, what is "anonymous", or is everything somewhere on a spectrum to identifiability, and what does that mean for privacy practices?

Saturday, July 31, 2010

Policy Frameworks for Protecting Privacy in the Cloud


I had the privilege of sharing a podium in Dublin last week at the Institute of International and European Affairs with the Irish Data Protection Commissioner. We were invited to discuss policy frameworks for protecting privacy in the Cloud. The talks are posted here at the IIEA's site:



Monday, June 21, 2010

Berlin, and its ghosts


I'm back from another few days in Berlin. As usual, I met some political leaders to talk about privacy. I also took a personal side trip to visit the villa where the Wannsee Conference took place in 1942 (the infamous "final solution" conference). The German privacy debate, which I think is the most intense in the world, simply makes no sense to my ears without the backdrop of Germany's two totalitarian traumas in living memory. Privacy is always a cultural concept, and it varies from country to country, based on history and self-perception. Hardly any country, thank heaven, has Germany's history.

Even so, it was a bit of a surprise when I heard a political leader tell me clearly: "in Germany, we want innovation, but we want you to ask for permission first". Innovation and permission. In fact, I wonder if they're an oxymoron. I think of innovation as serendipitous, almost the opposite of bureaucratic/political process. But in a nutshell, there it was. I sensed the frustration of politicians and regulators who want (or feel the responsibility) to regulate the profoundly disruptive phenomenon of Internet innovation, but feel disempowered to do so. It's hard indeed to control a phenomenon like innovation on the Internet, especially if it happens outside your borders. You can't grab the Internet by the ears and shake it, but you can grab one guy, or one company, and shake them just as hard.

Innovation requires you to take risks, to try new things, to accept failure, to iterate and to move on. They all depend on a culture that accepts novelty and failures as a necessary learning step on the way to success. "Launch and iterate" has become the innovation model for the Internet. Some people and countries are more comfortable with that than others, perhaps for very valid historical and cultural reasons. As one Berliner told me: "of course Americans think differently about privacy...so would we if we had had two centuries of stable democracy."

At the Wannsee Conference villa, the Nazi officials spent a lot of time discussing how to deal with "mixed race people", categorizing each permutation of people like me with one Jewish grandparent into a box. I saw the memo that clarified how I would have been classified as a "second-degree mongrel", with a full catalog of the legal "rights" to which I was entitled. I think of my dad, "a first-degree mongrel", who amazingly lived in Berlin throughout those years. I have lots of pictures of him as a little boy, in the early 1930s, heading off for his first day in school, petting a tiger cub in the Berlin zoo, with his dog. But then nothing, not a single picture, no record at all, for the next decade.

There's a lot of debate about the potential evils that the Internet might enable in the future, as vast amounts of data are retained and publicly available. Those issues are serious, indeed, and I can't get my head around them. Many of the people who argue most passionately about the need for a "right to be forgotten" on the Internet are thinking about these potential evils. But at the same time, so much information also has a disinfectant quality for people who believe in free speech and transparency. There are no records that I can find of that missing decade of my dad's life. In many ways, I'm more a supporter of a "right not to be forgotten" than the opposite.

I doubt the horrors of Wannsee would have been possible in the age of the Internet. Imagine Anne Frank writing a daily blog. Or the Wannsee Conference proceedings leaked onto YouTube. Or maybe I have it all wrong, and the future will cook up evils using the same technologies that seem so benign to me now. I walk around Berlin shaking my head in incredulity, no matter how often I've been. I can understand the intense urge there to forget. Surely, that influences the concept of "privacy" too.

Friday, May 7, 2010

Which privacy laws should apply on the global Internet?

Given the nature of the Internet, all web services are inherently global. All companies doing business on the Internet rely on the collection, storage and analysis of information generated by users, and all of them are confronted by the lack of consistency in the applicability and content of privacy laws across jurisdictions. So, I’ve struggled with the following three questions:

What are the current rules establishing the application of privacy laws around the world?

Do the current rules work?

How could we create clearer rules, to provide greater consistency and certainty?

There are three different jurisdictional approaches to determine the applicability of privacy and data protection laws around the world.

1.1 Location of the organization using the data

This is the principle under Article 4(1)(a) of the EU Data Protection Directive, which looks at the place of origin of the organization that makes decisions about the uses of the data and determines the applicability of the law on that basis. This approach is also used in Canada, where the Federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) controls the collection, use and disclosure of personal information in the course of the commercial activities of organizations that are federal works, undertakings or businesses.

In both cases, the law applies to an organization established in that particular jurisdiction irrespective of where in the world the actual processing takes place. In the EU where the organization is established in several EU countries, the organization must take the necessary measures to ensure that each of these establishments complies with local law obligations. Under PIPEDA, Canadian entities transferring data outside the country must have provisions in place to ensure a comparable level of protection to that granted by the law.

1.2 Location of the people whose data is being used

This is typically the USA approach under the Federal Children’s Online Privacy Protection Act (“COPPA”) and the data breach notification laws enacted by the majority of individual states. For example, COPPA will apply to operators of websites directed at children within the USA, while a serious data breach affecting a Californian resident must be notified to that person irrespective of who is responsible for the data or where the data breach occurred. This is also the approach in the laws of other jurisdictions like Australia and New Zealand where certain provisions apply in respect of Australian citizens and New Zealand residents respectively.

1.3 Place where the actual processing happens

The EU Data Protection Directive relies on this approach in Article 4(1)(c) to claim jurisdiction, where the organization is not established in the EU, on the basis of its use of equipment situated in the EU. Many other jurisdictions around the world follow this approach, such as Argentina (the law applies to any processing in the national territory), Israel (the law applies to acts that occur in Israel) and even new laws like South Africa’s Protection of Personal Information Act, which follows the EU Article 4 model (the law applies both when a party is domiciled in South Africa and when it is not domiciled there but uses means situated in South Africa).

As a result of the different approaches described above (which are often combined, as in the EU), organizations using the Internet, multinational organizations and those engaging global service providers find themselves caught by the laws of many different jurisdictions. Examples of the practical problems this causes include the following:

2.1 Multinational operations

Multinationals with established operations in many parts of the world face different rules affecting each subsidiary or affiliate. Since there is no international consistency in the content of data protection and privacy laws or the obligations they impose, to be compliant a multinational must review the specific obligations under local law in each case. This is true even within the EU, despite the fact that national data protection laws there all derive from the same source, the EU Data Protection Directive. The result is that a global company seeking a consistent approach across all of its operations must create tailored solutions for particular jurisdictions according to the quirks of local law. This is not simple for companies operating standardized global web services.

Internet businesses that transact with individuals based in jurisdictions which claim jurisdiction whenever their citizens’ or residents’ data is used will find themselves subject to laws that bear no connection with the place of establishment of the business. For instance, an EU-based Internet business should be alert to any customers who are Californian residents, since California’s data breach law applies to an organization wherever it is located. Internet businesses must therefore anticipate the application of laws with which they have no real connection. Alternatively, an Internet business might put in place defensive measures to ensure that it does not transact with individuals from those jurisdictions, so as to protect itself from the application of foreign laws, but that approach violates the spirit of the open global Internet.

2.2 Use of equipment

Relying on the use of equipment in a particular jurisdiction (perhaps including the computers of end users) to determine the application of the law could mean that the laws of every single EU Member State apply to every website operator in the world that uses cookies to gather browsing-related information. This result follows from the broad interpretation of ‘equipment’ under EU law and the view of EU regulators that a website operator which places cookies on a user’s computer located in the EU, without the control of the user, makes use of equipment in a way that is caught by EU law. This shows that relying on ‘equipment’ to establish jurisdiction is unworkable.

2.3 Cloud computing: where the processing happens

Cloud computing is directly affected, because the dynamic nature of the practice is at odds with an approach based on where the actual processing happens. Part of what makes cloud computing agile is its ability to switch the processing of data from one location to another so that customers receive an efficient, affordable and consistent service. Each time the processing location switches in this way, the applicable law may change with it, introducing uncertainty.

2.4 Cloud computing: where the equipment is located

Another problem for cloud computing is that if the servers of the service provider are based in Europe, any overseas customer could become subject to EU law. Because of the way cloud services are structured, with a network of servers used to meet demand, a customer based outside the EU may find its data being stored on an EU server. Under EU rules the equipment (i.e. the server) is then located in the EU, and EU law applies even though the customer has no other connection with the EU.

Current models for determining the application of privacy law create complicated problems and unintended consequences, and are unsuited to the pace of technological change and the realities of global business. It is vital that more appropriate and flexible ways are found to address the practical problems created by the different jurisdictional approaches. Alternative approaches could include:

3.1 International privacy standards

The most obvious way of resolving the conflicts created by the different regulatory regimes would be to have a single global privacy regime. The initiative led by the AEPD (the Spanish data protection authority) and approved in Madrid during the International Privacy Commissioners’ Conference is a step in that direction. The initiative recognises that the current approaches in reality provide less protection for individuals and more complexity for businesses.

3.2 Treaty dealing with conflicts of law

As with other areas like contractual disputes, there could be an international treaty setting out which law would apply in the event of a potential conflict. Establishing such a treaty would help to provide certainty for businesses and individuals when situations of conflict arise.

3.3 Country of origin and accountability principle

A key rule for such a treaty would be to apply the law of the country where an organization’s main operations reside (e.g. the place of establishment of the parent company, its HQ, etc.) and to make the provisions of that law follow the use of the data globally. Following a country-of-origin principle would bring data protection rules into line with the underlying principle governing e-commerce in the EU. Furthermore, it would allow businesses to develop a coherent and consistent global compliance framework and to deal with customers on the same terms wherever a customer is located. Adopting a consistent approach would also encourage greater accountability, as the business would be held to one defined standard.

3.4 Voluntary submission to one regime

Governments and/or regulators could agree to allow organizations to choose one lead jurisdiction (based on objective, pre-established criteria). In the EU this is certainly viable, as demonstrated by the "lead regulator" concept used for Binding Corporate Rules applications. By submitting to one lead regime or jurisdiction, an organization would abide by the rules of that regime and could be certain which law applies to its operations.