Saturday, March 31, 2007

Stop! Make sure you’re on the white list!

The European Data Protection Directive divides the countries of the world into two lists: the white list (with “adequate” data protection) and the black list (without “adequate” data protection). All the EU countries automatically get on the white list. The European privacy regulators have the unenviable task of assigning other countries to that list, and they have taken a very conservative approach, only putting countries on that list that have a clone of EU-style data protection. So, Argentina and the Channel Islands are deemed to have “adequate” data protection, but the USA is not. In other words, data flows from Europe to such places as Bulgaria, Romania and Argentina are unimpeded by regulatory constraints, but similar flows to the USA are subject to considerable regulatory process. Of course, all this exists in a parallel universe, rather divorced from reality. I doubt many people in Europe would honestly believe that their data is more protected in Argentina or Bulgaria than in the USA.

It’s time to scrap these artificial concepts. White lists and black lists are inherently unfair, and they simply do not reflect the realities of privacy protection, especially when they are based on rather arbitrary legalistic concepts, far divorced from the realities of the world. Such concepts might have been defensible in the days before the Internet, when global transfers of data were rare, but they are patently absurd in the era of the World Wide Web, when data zips around the planet with the click of a mouse.

I’m all for robust data protection legal obligations. What we really need are global standards. You don’t get those by creating silly white lists and black lists. And if you don’t agree, you can always choose to move all your sensitive data to Argentina. It’s on the white list.

Binding Corporate Rules: Data Protection for the Rich

Yes, the rich are different. They can afford to spend millions in fees and years in regulatory process, all in the hope that their “binding corporate rules” will be approved by 27 different EU regulators, all applying slightly different rules. Whether all this money results in better privacy is dubious. I have never believed that regulatory paperwork by itself improves privacy practices. Indeed, every euro from a privacy professional’s budget that is spent on such paperwork is not being spent on other things, like employee privacy trainings, or improving privacy systems. Even the rich have budgets.

The concept of “binding corporate rules” is rather weird: a company makes a promise to itself, or rather its various affiliates make a promise to their parent company, or the other way around. And the promise is essentially to respect the law. In other words, to respect EU data protection concepts governing the transfer of personal data outside of the EU to countries that are not deemed to have “adequate” data protection. In case you’re wondering, Bulgaria and Romania have “adequate” data protection, but the USA does not... I’ll come back to that in another blog post. In essence, “binding corporate rules” are a solution to an artificial problem: the legal presumption that any data transfer outside of Europe will not have “adequate” privacy protection unless it fits into some sort of exception, like “binding corporate rules” or the Safe Harbor Agreement.

The reason that “binding corporate rules” are so expensive, and so well-loved by the legions of outside counsel who help their clients try to complete them, is because they require a company to document its data handling processes to the satisfaction of every data protection regulator in every jurisdiction in which it operates in Europe. A recent effort to streamline the process adopted the concept of “lead regulator” – a concept well known in many other regulatory fields in EU law – but still retained the legal obligation to obtain approval from all the other regulators. You can read the recommendation of the WP29 from January 10, 2007 here:
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp133_en.doc
Since all these independent regulators are free to have a different opinion than the lead regulator, it’s hard to see how complicated companies with complicated data processing practices are ever going to obtain the unanimity required to have their “binding corporate rules” approved. And in fact, almost none have. GE famously obtained approval of its “binding corporate rules” after spending tons of time and money, but only for its human resources data. And GE and its regulators spent considerable effort publicizing this “success” across Europe. Considering that human resources data is only a small part of the data handling operations of any corporation, I can only wonder at the modesty of the achievement, at least in the real world of privacy protection. Since GE is one of the most sophisticated companies on the planet, what does that portend for the rest of us? Realistically, most companies that enter the process of “binding corporate rules” are going to be stuck in a sort of regulatory limbo, for years, and perhaps permanently. And in the unlikely event that any company obtains such approval, what would it mean in an era when companies are constantly changing their data processing practices?

The business world knows a flop when it sees one. Unless you're so rich, you don't care.

Thursday, March 29, 2007

“We can lick gravity, but sometimes the paperwork is overwhelming”

Wernher von Braun was not speaking about the paperwork of European data protection filings, but he might as well have been. Having worked for two large companies with operations all across Europe, I’ve probably done more data protection notification filings than just about anyone, and I’m exhausted. I wouldn’t mind, if it wasn’t such a waste of time and money.

Every European country requires that companies file data protection notifications with the local data protection authority. While most other European regulatory fields allow companies to file their regulatory paperwork in their country of origin only, EU data protection requires this to be duplicated in every country. And every country takes a completely different approach, magnifying the work considerably. Some countries require filings on a “per-controller” basis (e.g., the UK requires one filing per company), others require filings on a “per-database” basis (e.g., France requires filings for all “databases”, whatever that means). Some countries provide exemptions from some or all filing requirements if the company appoints a data protection officer (e.g., Germany). In case you’re interested, see this helpful “vademecum”, a summary of the filing requirements across Europe. The summary runs to 76 pages:
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/others/2006-07-03-vademecum.doc

Companies in Europe take one of two approaches. The vast majority essentially ignores the filing requirements completely, or fills them out with cursory and meaningless generalities (e.g., "yes, I have a database with my employees' names"). The minority spend a lot of time and money in trying to complete these filings conscientiously. Having worked in the latter category, I have some ideas for a radical revision of the entire process.

1) Filings should be required in a company’s Country of Origin only. This is a classic Common Market concept, and if it works in so many other areas of European regulatory law, I think it should work for data protection too.
2) Filings should be required only once for each Controller (i.e., company). The concept of multiple filings for each database is archaic, and makes no sense in the modern world of IT, where “databases” can be created by any employee with a few keystrokes.
3) Delete all requirements for “prior approval” for international transfers. Data protection authorities already cannot meet the requirements to review and provide the theoretic “prior approval” required for international data transfers. In the era of the Internet, such transfers are routine, instantaneous and unproblematic.
4) Re-allocate all the money that will be saved from this simplification of data protection filings to more productive purposes: companies can spend it on real improvements to their privacy practices, and the data protection authorities can spend it on higher priorities, like education, advocacy, and enforcement.

The current European maze of data protection filing requirements makes less and less sense every day. Leading privacy thinkers, like the UK Information Commissioner Richard Thomas, are starting to call for a re-think: “There may be scope for less bureaucracy, less emphasis on prior authorisation and more concrete focus on preventing real harm.” (ICO press release of March 9, 2007, www.ico.gov.uk)
Enterprise and Industry Commissioner Günter Verheugen has repeatedly called on the Commission to cut the burden of red tape. Simplifying and improving the EU regulatory environment is one of the Commission’s key instruments under the Lisbon Strategy to revitalize Europe's economy. Let’s start here!

Saturday, March 3, 2007

Are there things you only tell your dog?


There’s a lot of hope that Privacy Enhancing Technologies (called PETs) will restore the privacy that technology took away. When you speak with someone on the telephone, you can be reasonably assured that there is no record of the contents of your communications, since it’s generally illegal to record a phone call without notice. But the evolution of communications technologies has unfortunately undermined that sense of confidentiality. When you send an email, you know that the contents of your communications may be permanently retained by the recipient, forwarded, or read by third parties. And online chatting raises the same privacy issues, in a medium where people tend to ramble on with even less thought.

I am therefore heartened by a PET in Google’s instant messaging service, called Talk. With a simple click, you can take the chat “off the record,” preventing the person with whom you’re chatting from retaining a written copy of the communication. In fairness, the confidentiality is not absolute, since someone could always take a screenshot of the message to retain it. You can read more about how it works, and its limitations, here:
http://www.google.com/talk/chathistory.html#offrecord
But, for everyday purposes, the “off the record” functionality restores some of the evanescence of communications that has been lost. I don’t think the Internet will ever offer the same level of anonymity as talking to your dog, so there are things you may only want to tell your Rover. But then, as Andy Rooney said: “If dogs could talk, it would take a lot of the fun out of owning one.”