Friday, December 4, 2009

On the sidewalk in Milan

I was relaxing with a glass of chianti watching The Bourne Ultimatum on tv. The shadowy authorities use surveillance technologies to try to track down Jason Bourne.

So, I'm no Jason Bourne. Back in January 2008, as I've blogged before, I was surrounded on a sidewalk in Milan in front of the ancient University by 5 Italian policemen. Many confused thoughts went through my head at that moment, as I'm sure you can imagine: fear, confusion, surprise, indignation. But also, a nagging question: how did these policemen know that I would walk down this sidewalk at this moment in a foreign city and how did they recognize me on a crowded city sidewalk?

As anyone who's checked into a hotel in Italy knows, the first thing that Reception asks you for is a passport. This is also true in most European countries. It's for the police. There is zero transparency or choice in this process: no one I've ever met knows where this data goes or how long it's kept or what it's used for. Needless to say, if you're sharing a room with another person, the police will know this too. You do not have the option of checking into your hotel room anonymously.

In my case in Milan, I don't think there was any great use of police surveillance technology. I'm guessing the police were waiting on the sidewalk because there had been some minor press coverage before the privacy conference where I was scheduled to speak. I assume they downloaded a photo of me from the web and knew from the conference program roughly when I'd be arriving. Why five policemen were sent, I have no clue. Were they expecting me to make a run for it, like Jason Bourne?

According to independent reports, Italy leads the world with more wiretaps per capita than any other country. Wiretaps in the age of the cell phone now include location information.

I've always enjoyed the freedom of walking down the streets of foreign cities with the liberating sense of anonymity. I feel a little less free now. I hope technology will find a way to put users in control of their location information. I'm off somewhere else now, but come to think of it, I'd rather you didn't know where.

Thursday, December 3, 2009

Remembering and Forgetting in Berlin

I've spent a few days in Berlin, and I've spoken with many interesting politicians and journalists about privacy. The most interesting case must surely be this one:

Two German Killers Demanding Anonymity Sue Wikipedia’s Parent

In some countries in Europe, like Germany and France, there are well-established principles about the "right to be forgotten", an awkward translation of the "Droit à l'Oubli." As a privacy-sensitive guy, I'm all for the idea that people ought to be able to walk away from some awkward facts at some point in their lives. But I have never heard anyone be able to tell me how the "right to be forgotten" does not quickly cross the line into censorship. If two German murderers can require German publishers to remove references to their names in articles after they have served their sentence, isn't that censorship? And wouldn't it be even worse if they tried to re-write news archives, which are now rapidly becoming instantly findable online? And in the real world what will be the consequences if German Wikipedia deletes content that English Wikipedia still publishes?

And while I was in Berlin, I visited the Holocaust memorial, as I always do when in Berlin, and I wondered about the "right to be forgotten" in the midst of the memorial to "never forget".

Friday, November 27, 2009

Madrid and Berlin, trying to find workable approaches

Here’s an interesting article about the day-to-day challenges and contradictions of national laws in the context of the global Internet (ok, it does use some of us Google guys as unhappy examples, but just to make a valid point):

At the International Data Protection Commissioners' Conference in Madrid, I added my voice to support the development of global privacy standards, as I've done for several years. I can’t think of a better way forward than trying to develop a more global approach to privacy standards internationally. Here's one example (in Spanish):

I’m off to Berlin now. Germany is one of those places where I feel the need to listen more than talk. I'll blog about what I learn afterwards.

Thursday, November 26, 2009


Like most Americans, I woke this morning to one of my favorite days of the year, Thanksgiving. Unlike most Americans, I also woke this morning to news reports of an Italian prosecutor calling for me to be sentenced to one year in prison.

But in the spirit of the day, now that I’ve skimmed the news and reassured friends that I’m not going to prison (I hope), I’ll go about my day:

I’ll do some planning for my Dad’s 80th Birthday Party, do a kick-boxing class at the gym, work on an academic privacy paper on the hotly-debated question of whether IP addresses should be considered “personal data” under EU law, give legal advice on some privacy questions, prepare for some meetings in Berlin, and, best of all, I’ll end the day with a candle-light dinner with the person I love in the city I love.

That’s a lot to be thankful for (well, not the Berlin or the Milan parts), but the rest anyway.

Wednesday, November 25, 2009

European law on hosting platforms

As you can imagine, I've spent a lot of time researching European law on hosting platforms. International legislation recognizes that hosting platforms like Google Video are neither the creators nor the controllers of content. The European Union's Electronic Commerce Directive, enacted in 2000, sets a clear legal framework for establishing liability for unlawful content on the Internet. It provides a safe harbor for entities acting as intermediaries, drawing a clear line between those who create content, and those who, in their capacity as technological intermediaries, provide the tools to make this content publicly available. By establishing legal certainty and creating a single EU-wide standard, the E-Commerce directive allows the development of open platforms that promote free expression and the free flow of information on an unprecedented scale, and play a crucial role in the development of the new economy in Europe.

How does the E-Commerce prescription work in real life? Say an Internet user uploads a video filled with illegal hate speech, nudity, or violence. When notified of this illegal content, the hosting platform is obliged to take it down. The hosting platform, however, is not obliged to monitor and prevent the upload. The responsible party is the Internet user who posts the content. In this case, Google did exactly what the law requires - it removed the content upon notification, and took the further step of complying with law enforcement requests, helping to bring the wrongdoers to justice.

If Google and companies like it were responsible for every piece of content on the web, the Internet as we know it today – and all of the economic and social benefits it provides – would disappear. Without appropriate protections, no company would be immune: any potentially defamatory text, inappropriate image, bullying message or violent video would have the power to shut down the platform that had unknowingly hosted it. In the offline world, it would be like criminally prosecuting post office employees because someone mailed an inappropriate letter. European law recognizes the importance of providing limitations on the liability of hosting platforms.

The Directive applies horizontally across all areas of law which touch on the provision of information society services, regardless of whether it is a matter of public, private, or criminal law. This is confirmed in the first Report from the Commission to the European Parliament on the application of Directive 2000/31/EC dated 8 June 2000. See p. 4: "The Directive applies horizontally across all areas of law which touch on the provision of information society services, regardless of whether it is a matter of public, private, or criminal law. Furthermore, it applies equally both to business-to-business (B2B) and business-to-consumer (B2C) e-commerce." And see p. 12: "The limitations on liability provided for by the Directive are established in a horizontal manner, meaning that they cover liability, both civil and criminal, for all types of illegal activities initiated by third parties."

From a public policy perspective, it wouldn't make any sense if it didn't apply to criminal charges. The objective of the directive was to foster a competitive and dynamic knowledge-based economy in the EU. To provide an environment in which its citizens would have access to inexpensive, world-class communications infrastructure and a wide range of services. To create conditions for e-commerce and the internet to flourish. To enhance quality of life, to stimulate innovation and job creation, and to contribute to the free flow of information and freedom of expression. Those are words directly from the Commission. It wouldn't make any sense to apply these protections only to civil matters; doing so would permit criminal claims to eviscerate the very benefits the directive sought to achieve.

Today in Milan

Today in Milan, the Milan Public Prosecutors’ Office will make their closing arguments why 4 Google employees including me should be held personally criminally liable for content created by four Italian high school students and uploaded to Google Video. I have no idea what the Prosecutors will say in court today, and my lawyers have told me not to set foot in Italy, so I wanted to provide some factual background on this case.

In terms of timeline, the Prosecutors present their case today, November 25. The Google employees' lawyers will present their defense on December 14 and a verdict should be issued on December 23.

The Judge hearing this case is Judge Magi, who recently convicted 23 Americans, mostly CIA agents, as reported by the New York Times:

In a landmark ruling, an Italian judge on Wednesday convicted a base chief for the Central Intelligence Agency and 22 other Americans, almost all C.I.A. operatives, of kidnapping a Muslim cleric from the streets of Milan in 2003.

Today’s trial stems from an incident in 2006 when teenagers at a school in Turin filmed and then uploaded a video to Google Video that showed them bullying a disabled schoolmate. Google removed the video promptly after being notified. Even so, last summer, the Public Prosecutor brought the following criminal charges against four Google employees, including myself. All of us face one or two charges:

Charge A: Criminal defamation against the Vivi Down Association, an association that represents individuals with Down syndrome

Charge B: Failure to comply with the Italian Privacy Code

It should be obvious, but none of us Google employees had any involvement with the uploaded video. None of us produced, uploaded or reviewed it.

The video, shot by a student in a classroom, depicts a boy being harassed by teenagers, including one who makes reference to the Vividown Association. A teacher was allegedly present during part of the filming. Four youths between the ages of 16 and 17 from the Technical Institute in Turin were involved in the creation and uploading of the video. One of these young men actually filmed the video. The teenagers who created the video uploaded it to Google Video, which at the time was Google’s online video-sharing service. Google Video was a host for user-generated content. The Vividown Association and later the family of the boy who was filmed filed a claim against Google in Milan, which is how Google was initially brought into the case. The family of the boy later withdrew from the case. Google complied with law enforcement requests to help identify the bullies, who were subsequently punished.

The Prosecutor then chose to charge individual Google employees. Today he will present his case.

Tuesday, November 24, 2009

Ciao, Italia!

I won't be attending my trial in Milan in person. I'll be represented by outside counsel. I believe that each of my 3 co-defendants has reached the same conclusion. As for me, I'm under clear instructions from my outside counsel not to set foot in Italy, at all. That's a tragedy, since I love Italy. It means I won't be speaking at this privacy conference in Bologna in May, which still seems to be advertising me as a speaker:

It also means I won't go hiking with friends in the Dolomites this summer.

Why? Well, Italy has a legal concept which is unknown in Anglo-Saxon countries: namely, that an employee of a company can be held personally criminally liable for the actions or non-actions of the corporation he works for. Moreover, Italy has also criminalized much of its data protection laws, meaning that routine data protection questions can give rise to criminal prosecutions. As everyone in the field of privacy knows, data protection laws are full of sweeping statements that need to be interpreted with judgment and common sense. But imagine the consequences if every data protection decision made by a company can be second-guessed by a public prosecutor with little knowledge of privacy law. Does that mean that a data protection lawyer working for a company is running the risk of personal criminal arrest and indictment and prosecution for routine business practices? Well, I guess you can see why I've been advised not to set foot in Italy. I'm sure such prosecutions will remain rare, and perhaps my current prosecution will be the last of its type. But maybe not. And working for one of the world's most visible Internet companies puts me at more risk than most of my colleagues in the field of data protection, as the current prosecution has shown.

Italy is my favorite country in the world to visit. What a shame.

Ciao, Italia!

Monday, November 23, 2009

On Trial in Italy

I'm relieved that the Google "privacy" trial in Italy is finally underway. This week, the Milan Public Prosecutor will make his case why four random Google employees should be held personally criminally liable for a video that some high-school kids in Turin made and uploaded to Google Video.

For me, I've lived under this Sword of Damocles for two years now. It began in January 2008 when I was invited to speak at a privacy conference at the University of Milan. I was approaching the University on foot, when I heard someone call my name. I turned around, and saw a guy in plain clothes, who told me to wait a minute, while he spoke into a cell phone, and within seconds, I found myself on the sidewalk surrounded by 5 Italian policemen. I had no idea what was going on. I was scared. I couldn't understand much, but I did understand that they wanted to take my passport, asked me to sign some documents, and wanted to escort me to a judge. I was allowed to put a call into my Italian colleagues at Google, who thankfully were able to rush to the scene and talk to the policemen. I was escorted by the policemen on foot through central Milan, with tourists and locals alike stopping to stare at the scene. My colleagues told the group of policemen that I was supposed to deliver a speech at the privacy conference shortly. After much discussion, it was agreed that I would be allowed to deliver the speech, after providing my passport and signing various documents that were being served on me, and that I would be interrogated by the Public Prosecutor afterwards.

And so, I was allowed to deliver this talk. If I look a little distracted, now you know why. [between us, I had to stop to vomit, but that part has been edited out.]

This whole Italian prosecution has been an ordeal. I just want it to be over soon. After two years, well, it's finally underway.

Guys in Ties, thinking about children and privacy

First, thanks to a bunch of you for sending me notes, encouraging me to keep blogging. I will.

I recently joined a group of privacy experts working with a Spanish foundation dedicated to children's issues to think about how to help protect kids' privacy online, in particular in social networking services. We've just had one inaugural meeting, a brainstorming session. It's too early to say which approach the group will take. But for my part, I recommended a crowd-sourcing approach, where we encourage (sponsor?) an open-ended contest to invite people to create videos on YouTube where kids talk to other kids about privacy. I doubt a top-down approach would work, where governments or corporations lecture kids about what they should or should not do online. I think kids will react more to videos by other kids, who talk about sharing with their friends, what happens if they share personal stuff with the wrong people, how to make good choices.

If you have a better idea about how to approach the challenge of sensitizing kids about the privacy risks when they post stuff online, please let me know, and I'll take it to the group.

Sunday, November 22, 2009

I've been taking a break

I've been taking a break from blogging.
In case you wonder why, it's because I was rattled to see an Italian public prosecutor scour my blog and print out copies of it to help him indict and prosecute me and some of my Google colleagues for some "privacy" criminal theory. I'm all for free speech, and love a robust debate of privacy issues, but seeing your own words being combed through by a prosecutor who's looking for evidence to convict you in criminal court is enough to give anyone reason to pause from blogging.
I'll start blogging again soon. At least I know I have one reader.

Thursday, April 16, 2009

The Cloud: policy consequences for privacy when data no longer has a clear location

Cloud Computing has become one of the more influential tech trends of our day. The Cloud is roughly analogous to remote computing, where computing and storage move away from your personal device to servers run by companies. A simple example might be online photo albums, which allow users to move their pictures off personal computers and into a secure and accessible space on the Web. Some Cloud services, like Hotmail, have been around for roughly a decade. And others have appeared since; almost all of Google's services, for example, run in the Cloud. As these services become more widely used, it's important to ask how our privacy laws and regimes should deal with this new phenomenon.

Some privacy laws, such as in the EU Directive, base regulation in part on the location of data. If data is in the Cloud, where exactly is that? Data in the Cloud exists within the physical infrastructure of the Internet, in other words, on the servers of the companies offering these services, as well as on users’ own machines. Cloud services are built on the concept that data held in the Cloud enables users to access and share data from anywhere, anytime and from any Internet-enabled device.

To know the “location” of data in the Cloud, you’d need to understand the architecture of data centers, among other things. Some companies like Google have data centers in multiple locations. A data center is a building that houses many, many, computers-- not too different from the ones you may have in your home. Companies try to pick places that, among other things, have a skilled workforce, reasonable local business regulation and are near low-cost and abundant sources of electricity. They tend not to provide too many specific details about these data centers, for a couple reasons. First, the data center industry is highly competitive and companies try not to disclose too many details that may give competitors a leg up. Second, knowing that users' personal information is stored in these computers, companies take the privacy and security of this data seriously and ensure that these buildings are well secured so that no one could just walk out with a computer holding your credit card information. The geographical location of data centers can be optimized to enhance the speed of a service, e.g., serving European users from a European data center might be faster than having the data cross the Atlantic. Finally, having data centers in different locations allows companies to optimize computing power, automatically shifting work from one location to another, depending on how busy the machines are.

Moreover, cloud applications are architected not to lose users’ data and to respond to queries quickly. Applications therefore usually replicate users’ data in more than one place. No Internet user would be happy if they lost access to all their email or calendar information, for example, just because the power goes out in some data center location. Applications may dynamically load balance their users among different data centers, so that the location of a particular user's data may change over time.

For all these reasons, it’s actually very hard to answer the apparently simple question: “where’s my data?” Indeed, it's becoming problematic that existing EU data protection laws were largely written in an era when data had an easily-identifiable location. For example, EU laws impose restrictions on the transfer of personal data outside the EU to any jurisdiction where there is not "adequate" data protection. In the past, "transfer" was defined as the physical shipment of data, such as sending a computer tape or paper files to an office in a faraway location. However, nowadays almost any activity on the Internet involves a transfer of data outside of the EU. Sending a document to a colleague in New York, for example, can technically be considered a transfer of material outside of the EU. In today's era of connectivity, strict and literal application of these laws would cause more than just a headache for companies and regulators: it would cause the Internet to shut down.

In this Internet age, when data flows around the planet at the click of a mouse, everyone agrees we need to identify a better model of privacy protections. Data doesn't start and stop at national borders when it travels on the Information Super-highway. From a privacy perspective, the important question is not “where is my data?”, but rather “who holds my data, and what are their privacy policies?” For a user, the important thing is to research and understand the data protection policies of the company which holds the data, regardless of its location.

I’ve looked at various laws around the world, and I’m impressed by the far-sighted model adopted in Canada’s privacy laws. I can’t do better than just quote the Office of the Privacy Commissioner:

"European Union member states have passed laws prohibiting the transfer of personal information to another jurisdiction unless the European Commission has determined that the other jurisdiction offers "adequate" protection for personal information. In contrast to this state-to-state approach, Canada has, through PIPEDA, chosen an organization-to-organization approach that is not based on the concept of adequacy… [U]nder PIPEDA, organizations are held accountable for the protection of personal information transfers under each individual outsourcing arrangement…

Regardless of where the information is being processed - whether in Canada or in a foreign country - the organization must take all reasonable steps to protect it from unauthorized uses and disclosures while it is in the hands of the third party processor. The organization must be satisfied that the third party has policies and processes in place, including training for its staff and effective security measures, to ensure that the information in its care is properly safeguarded at all times. ... [O]rganizations must in their own best interests, as well as those of their customers, do what they can to protect the information."

Canada’s approach works to preserve privacy protections, and to hold data collectors accountable for privacy protections regardless of the location of data. Canada has blazed a trail that will help guide us in the age of the Cloud.

Friday, March 6, 2009

A picture of your house on the Internet for all to see

I did a little OpEd in the French paper Liberation on Google's Street View and privacy. Only fair, I guess, to put a picture of my own house on this blog. I confess, I did hesitate a minute before posting it. In any case, I do believe in taking one's own medicine, or eating one's own dogfood, as the case may be.

A hundred years from now, which advances will be seen as having marked our era? Our political progress, such as the creation of the European Union? Scientific advances?
In our view, if there is one advance that has been taking shape since the end of the 20th century and that could mark our generation's time on earth, it is the sharing of knowledge. Brought about by the Internet, the democratization of access to information at the turn of the millennium is a revolution that will probably be remembered for a very long time. In an opinion piece published on February 13 in Libération, Odile Belinga and Etienne Tête made a number of criticisms of Street View, the new Google Maps feature that lets people navigate virtually through major French cities. The two authors claim that this service does not respect individuals' privacy and compare it to video surveillance.
Every day, Street View lets thousands of users navigate through three hundred and sixty degrees using photos taken in the street at eye level. Internet users around the world can thus move around virtually, prepare their next trip to Rome, stroll down the Ramblas in Barcelona, explore their city, or simply locate the address of their next apartment. It is also a tremendous tool for showcasing a city's heritage or promoting a shopkeeper's business. The aim here is to contribute to the open and beneficial ecosystem that the Internet makes possible. The many partners that have chosen to associate themselves with this service (Télérama, Cityvox, the Office du tourisme et des congrès de Paris…) have made no mistake about it.
Does the Street View service respect privacy? The question is entirely legitimate. And the answer is yes. Let us first recall something obvious: on the Internet, information, like the competition, is very close, just one mouse click away. In other words, without the interest and trust of Internet users, a site is not worth much. And that trust must not be flouted.
The photographs displayed in Street View are perfectly lawful. They contain only images of public roads and reveal no information that was not already exposed to the view of passers-by. The arguments that a mapping service like ours could not use such images in the name of respect for "intimacy" fundamentally call into question the notion of public space. On the contrary, they distort that sphere of the intimate to which the law rightly grants heightened protection.
The images in Street View are the same as those that any passer-by in the street could take with a camera. Images of this kind, of cities all over the world, are already distributed in all sorts of formats on the World Wide Web. Aware that this service brought these images together in a single place, Google voluntarily decided to take additional precautions by creating a technology that automatically blurs faces and license plates, the implementation of which the Cnil has in fact welcomed. To go further, where a face is not blurred or is imperfectly blurred, anyone can request removal of the images concerned by clicking a simple button. The photos are not dated (neither time nor day) and are not real-time shots. In short, anything but surveillance cameras!
Let us be curious, let us doubt; that is what drove our discussions with the Cnil before the launch of Street View in France. But let us not be afraid, as a matter of principle, of progress and of the technological advances it involves. Take the recent example of "Google Flu Trends": before calling their doctors, many Internet users type "flu symptoms" as a keyword into their search engine. This query, multiplied by millions of individuals, has enabled Google to develop a tool for predicting flu outbreaks that can get ahead of the health authorities' tool by up to ten days. Simply by observing the geographic areas indicated in the connection logs. Let us be curious, let us be vigilant, but let us not be afraid of the Internet.
Far more than a vehicle for threats, which are as real on the Internet as in the physical world, it is above all an extraordinary tool that makes our daily lives easier.

Monday, February 9, 2009

Lead Data Protection Authority

Lead Data Protection Authority:  how EU data protection regulation can catch up with other areas of European law

Being a global company means having employees, partners and users who interact on a worldwide basis without geographical or jurisdictional limitations.  Maximising efficiency is a key driver so most global companies attempt to adopt a consistent way of doing business internationally.  Whilst cultural differences may have an impact on some activities, economic globalisation encourages a uniform and coherent approach to most operations, from sales practices to compliance protocols.  However, global companies still have to comply with diverse laws across jurisdictions and be accountable to many national regulators.  All of these trends become even more pronounced for companies doing business over the Internet. 

In the European Union, some industry sectors can benefit from regulatory regimes which are specifically aimed at simplifying the way in which players within those sectors comply with cross-jurisdictional rules.  For example, pharmaceutical companies may rely on simplified procedures to have their products evaluated and authorised across the EU.  One solution is called the “decentralised procedure”, by which companies can go directly to a national authority to obtain permission to market their products in that member state and then seek to have other member states accept the approval of the first member state.  This procedure is applicable in cases where an authorisation for a pharmaceutical product does not yet exist in any member state.

Alternatively, pharmaceutical companies may in some instances rely on the mutual recognition procedure, by which the assessment and marketing authorisation of one member state should be mutually recognised by other concerned countries within the EU.  Under the mutual recognition procedure, the pharmaceutical company submits its application to the chosen country, which will carry out the assessment work and approve or reject the application.  The other countries then have 90 days to decide whether they approve or reject the decision made by the original country.

Similarly, financial services firms can seek authorisation in one member state and obtain “passport rights” to enable them to carry on financial services in other member states.  When a financial services provider wishes to establish a branch or provide services in several EU countries, notification of such intention is submitted to the regulatory authority in the home member state.  This notification is then forwarded to the regulator in the member states in which the operator intends to open the branch or provide its services. As a result, a particular product licensed in the home member state becomes automatically recognised in all other member states and may therefore be sold across borders free of undue bureaucratic controls.

Some areas of law – such as e-commerce – also follow the “country of origin” principle.  This principle establishes that where an action or service is performed in one country but received in another, the applicable law is the law of the country where the action or service is performed.  For example, if a company sells products online across Europe but it is formally established as a limited company under the laws of one member state, that commercial activity will normally be subject to the law of that country.

Data protection regulatory complexities

The jurisdictional rules under the EU data protection directive do not work like that.  When a company handles personal information about employees, customers, suppliers and others, it will be subject to the different privacy and data protection regimes in force in each EU jurisdiction.  In the European Union, data protection laws will establish a number of very specific requirements and compliance will be overseen by the data protection authorities of each member state.  This means that the use of personal information by that company will be regulated in slightly different ways across the EU.

All European directives pursue the same overriding objective: achieving harmonisation across EU member states whilst respecting the national legislative power of each jurisdiction.  This is normally achieved by establishing a set of principles that each member state incorporates into its own legislation within the parameters of the directive.  When a directive, like the 1995 data protection directive, creates a complex regulatory regime involving an independent regulator, member states devise suitable structures that provide for the establishment and operation of that regulator.

This approach to data protection regulation has caused a number of complexities that diminish the two-fold aim of the directive, namely: protecting the fundamental rights and freedoms of natural persons and facilitating the free flow of personal data between member states.  The fact that laws and regulators are different makes pan-European compliance more difficult and hence less effective.  At the same time, the existence of disjointed regulatory approaches creates inefficiencies, business barriers and unnecessary expense for those companies seeking to comply with all applicable laws and regulations.

The lead authority concept

Whilst legislative harmonisation may not be achieved without radical constitutional changes, the experience of simplified oversight in some industry sectors shows that adopting a lead regulator approach is not only possible but desirable.  The most promising step in this direction within the data protection regime is the “lead authority” concept that was created for the purpose of assessing and approving Binding Corporate Rules (“BCR”) applications.  In 2005, the Article 29 Working Party adopted a co-ordinated approval mechanism that allows companies seeking the approval of their BCR to fast-track their submissions through all of the relevant EU data protection authorities.  This mechanism entails choosing an “entry point” data protection authority which will be the official point of contact with the candidate until the BCR are ready for approval in that country, and then will assist the relevant organisation to gain approval throughout the European Union.  More recently, a group of data protection authorities within the Article 29 Working Party launched the BCR mutual recognition procedure, so that approval by one authority will automatically lead to approval of the same BCR by the others. 

Whilst for some organisations it may be obvious which data protection authority should act as the lead authority, where it is not clear which authority should become the entry point, the co-ordinated approval mechanism establishes that organisations must consider the following factors to determine the most appropriate data protection authority:

· The location of the corporate group’s European headquarters or office with data protection responsibilities.
· The location of the company which is best placed to lead the BCR application and, if necessary, enforce compliance.
· The place where any key operational decisions in terms of the purposes and means of the data processing are made.
· The EU country from which most international transfers originate.

Extending the concept beyond BCR

Both the co-ordinated approval mechanism for BCR and the mutual recognition procedure are contributing to making BCR a much more credible and attractive option for organisations using personal data on a global basis.  The fact that the approval stage itself focuses on meeting one single set of standards and expectations – even when these are high – allows those organisations to concentrate their compliance efforts in a consistent and effective way.  In other words, companies can devote their attention to ensuring that they apply the right standards and achieve a workable level of privacy and data protection, rather than to dealing with the diverse expectations of a plethora of similar regulators.

Given that BCR systems include policies and procedures affecting the whole range of data protection obligations and rights, it should also be possible to take the lead authority concept beyond BCR and apply it to data protection compliance generally.  The criteria to determine the most appropriate data protection authority for BCR applications could also be used to identify the most suitable authority overall.  If the single regulator idea has worked in heavily regulated sectors like health care and banking, it is not inconceivable that the same idea could work very effectively in the area of data protection compliance.

If this were the case, global companies collecting, using and sharing data in the EU could benefit not only from the harmonisation of legal standards but also from the simplification of regulatory activities across the EU.  The national regulators themselves would be able to operate in a much more focussed way.  These efficiency gains would ultimately translate into a greater and more realistic level of protection for individuals.  So the case for a lead data protection regulator to oversee the data activities of pan-European organisations is one that the EU data protection authorities themselves, as well as the EU Commission, should be making their own.




Thursday, January 15, 2009

Launching another "global" forum to talk about privacy

There is a new buzz these days in privacy circles: the idea of global standards seems to be gaining momentum.  On January 12, privacy commissioners, and a handful of invited academics, advocates and CPOs, met in Barcelona for an inaugural meeting to launch work on a "Joint Proposal for a Draft of International Standards for the Protection of Privacy and Personal Data."

There have been several very serious attempts at developing international, or regional, privacy standards.  The oldest, and perhaps most successful, was the OECD Privacy Guidelines from 1980.  Essentially all privacy laws in the world today derive from the OECD's work.  The OECD was so successful because it maintained the privacy guidelines at a sufficiently high level that they were not rendered obsolete by technological developments.  And the OECD refrained from mixing implementation issues into its guidelines, wisely recognizing that its member countries have very different legal and regulatory regimes.

The EU Data Protection Directive of 1995 is probably the most complete and detailed set of regional privacy laws in the world.  Because the Directive was very focused on European Common Market issues, it took great strides to harmonize pan-European regulatory and implementation issues.  Since many of these implementation issues, such as the mandatory creation of an "independent" data protection authority, are unique to the European legal and regulatory context, the Directive itself is not suitable for broad global adoption, except in countries with European colonial traditions, like Hong Kong.  

APEC continues its work on a Privacy Framework, building on the OECD Privacy Guidelines and adding new and effective concepts of "accountability" and "harm".  APEC is the most exciting initiative underway anywhere in the world in terms of new thinking about how to move forward on global privacy standards.  Singapore, as this year's revolving host country, will host further meetings to build on the strong progress that's been made in past years.  

I attended most of this week's meeting in Barcelona.  It's too early to tell if this initiative, sponsored by the Data Protection Commissioners, will have legs in terms of moving forward the debate.  The inaugural meeting on January 12 was mostly attended by Europeans.  The documents that it cited as reference points were mostly European.  The overwhelming majority of participants were European data protection authorities, who naturally are very familiar with the EU Data Protection Directive, and come to the table imbued with the European approach.  A sprinkling of North Americans rounded out the participants, which left me thinking that this "global" meeting represented countries with something like 10% of the global population.   This particular initiative will sadly fail in the international arena, if it simply turns into an exercise of European commissioners to try to convince the rest of the world to adopt something like the EU Data Protection Directive.  They've already been doing that for over a decade, so there's little incremental benefit from continuing down that path.  

I think the world needs minimum international privacy standards, as I've blogged many times before. OECD and APEC are also promising forums to advance the debate.  In parallel, Europe will continue its reflections on how to modernize its own data protection concepts, and perhaps, streamline some of its rather inefficient bureaucracy.  Europe would certainly be more credible as a global leader, if it got its own data protection house more up to date and efficient.  [I'll be contributing to that effort in a separate forum.]  In the meantime, if I were from a country with no pre-existing tradition of privacy laws, I would be looking to the OECD and APEC for inspiration.  In any case, competition is good, even in the sphere of privacy policy thinking.