Wednesday, August 22, 2012

August in Paris: has everyone left?

A VIP friend of mine, Monsieur Banal, rang me up

Mr Banal:  Bonjour, Pierre.  Sorry to interrupt you with a phone call in August, but I can't reach any other foreign executives in France.  Where have all the others gone?

Me:  Monsieur Banal, they have moved to Switzerland, or Belgium, or the UK, to escape your plans to tax them at 91%.  

Mr Banal:  No, it's 75% tax, plus social charges.  Together taxes are over 90%.  That's true.  But only for the rich. 

Me:  But, Monsieur Banal, your tax rates are double those of London or Switzerland.  Mitt Romney pays 13% tax!  Even for people who love France, like me, how can we ever save for retirement if there's nothing left after taxes?

Mr Banal:  You don't need to save for retirement, since we have a generous French pension system, and you can now retire with a full pension at 60, thanks to me, the lowest retirement age in Europe.   

Me:  Monsieur Banal, do you remember when George W Bush said:  "French doesn't even have a word for entrepreneur'.  Ok, it was a very funny line.   Entrepreneurs building new businesses around the world use stock options as a way to incentivize their workforce to create new companies.  So, why would you pursue a policy to make stock options illegal?

Mr Banal:  In the public sector, we don't get stock options, so we see no reason why you should either.  We believe in fairness. 

Me:  Entrepreneurs often complain about suffocating regulation and bureaucracy.  Will things get better here?

Mr Banal:  I have never worked one day in my life in the private sector, but I learned how to regulate the excesses of capitalism at the Ecole Nationale d'Administration. 

Me:  France has well-educated, productive workers, doesn't it?

Mr Banal:  Indeed.  In France, we have a happy workforce.  Our employees get more vacation than almost anywhere in the world (by law, a minimum of 5 weeks per year), and they work fewer hours than almost anywhere in the world (by law, 35 hours per week).  This makes them very happy.  It is true that they sometimes strike, but only when they are not happy.    

Me:  What if my business fails?  

Mr Banal:  My Ministre du Redressement Productif (I cannot translate this into the English) will castigate you in the media, but it's only populist politics.  Don't pay any attention to him.  I don't really hate the rich, I just say that to set the tone.  

Me:  Why would so many French entrepreneurs expatriate to London or Silicon Valley to build their businesses?

Mr Banal:  Indeed, this is completely unacceptable.  We have a tradition of engineering excellence, and my government will help select those French technologies and businesses that deserve to succeed in the future.  

Me:  Let's have lunch in September.  

Mr Banal:  Sorry, I've been invited to lunch in Berlin.  I don't like the food there, but at least they pick up the check.  Will you still be in France when I get back?  

Thursday, August 16, 2012

It's time for a "lead regulator" in Europe

Who's in charge in Europe?  That's a common conundrum for those of us who work in the privacy field in Europe.  When I was at a Berlin privacy conference, dopey picture attached, everyone was talking about it.

Privacy regulators play the key role in enforcing privacy laws.  Most companies (certainly all Internet companies) operate globally.  So, it's a natural question to ask which regulator(s) will or should have jurisdiction to enforce privacy laws.  For many years, I have advocated for the concept of a "lead regulator" in Europe.  It makes a lot of sense for one country's regulator to take the lead on behalf of all of Europe.  It encourages consistency across Europe, it provides for a deeper regulatory-relationship, it saves taxpayer money, when numerous regulators are not all re-inventing the regulatory wheel.  This is exactly what the European Commission is proposing in its re-write of privacy laws for Europe.  

Take the example of Facebook, whose European operations are headquartered (in legal terms, "established") in Ireland.  Normally, the Irish data protection authority would therefore be the lead regulator of Facebook, on behalf of Europe.  And indeed, it has been acting accordingly, conducting a company-wide audit of Facebook's privacy practices.  

The key to making all this work is clear:  the concept of "lead regulator" simply cannot work unless other regulators to defer to their sister-regulator.  That's why this story caught my eye:  German privacy regulators re-open their investigation into Facebook's face recognition software, notwithstanding the fact that the Irish are currently investigating the same thing, and notwithstanding having previously said that they would defer to the Irish audit before proceeding.  

The German regulatory world is a microcosm of the European regulatory world.  Each "Land" in Germany has its own independent data protection authority.  In theory, each is entirely independent, and is free to investigate or regulate separately, or in addition to, or even differently than one of its sister-German-DPAs.  But in practice, the German DPAs have developed a custom (not based in law, but based in deference and mutual respect) that they would defer to the "lead German DPA".  In the example of Facebook, the DPA of Hamburg is leading on behalf of its sister-German DPAs, because Facebook's German headquarters are based in Hamburg.  That's why Hamburg, rather than, say, Munich, is investigating Facebook.  

So, the question is simple:  German DPAs have developed the concept of "lead regulator" amongst themselves.  But are they willing to respect the same concept, and show the same necessary regulatory deference, at a European level, e.g., vis-a-vis the Irish DPA? 

If the European Commission proposal becomes law, then the concept of "lead regulator" will be cemented into law.  I often critique other aspects of the Commission's proposal, but on "lead regulator", I applaud their efforts. The issue is contentious, and the French authority, the CNIL, to take one example, is very publicly attacking the concept of a "lead regulator", precisely because they don't want to defer to a non-French lead regulator.  

In the meantime, it's hard to know who's in charge.  I'm someone who believes that regulatory enforcement is more effective when it's absolutely clear who's in charge.  

Wednesday, August 15, 2012

Rainbows in Ravello: Technocracy or Democracy?

As the European elite has for centuries, I love summertime in Ravello.  Civilization has flourished on these ravishing hills for millenia.  Democracy has ruled here for only very brief interludes.  Indeed, modern Italy has given up on having an elected Prime Minister, and instead appointed a (well-respected) technocrat as their leader. The "democracy deficit" in Europe is well-documented.  When things get tough in Europe, well, do we turn our backs on democracy?  Virtually all European-level legislation is drafted by un-elected Brussels-based European Commission technocrats.  (I have the greatest respect to the intelligence and professionalism of the Commission staff, so my comments are institutional, rather than individual.)  What's true for virtually all EU legislation is also true for data protection.  The current EU proposal for revising EU Data Protection is a technocratic tour-de-force. 

The Commission has chosen the approach of a Regulation (directly applicable law), rather than the approach of a Directive (prior law was a Directive, which included scope for national parliaments to make adjustments).  There are pro's and con's to the Regulation approach.  The biggest advantage is that it would result in fully harmonized, consistent privacy laws across Europe.  That's why businesses love it: it's easier to comply with one set of rules, rather than with dozens of (slightly) different rules.  The biggest disadvantage is that a Regulation leaves no scope for national parliaments to bring their own democratic choices and legitimacy to privacy laws in Europe.

Privacy is the product of culture and history, and naturally, attitudes to privacy vary widely across Europe, given the wildly different cultural and historical experiences.  Even neighboring countries, like Germany and Denmark, have very different views on privacy, given their different histories and cultures.  Given Germany's history, we expect Germans to be particularly sensitive to privacy issues.  But should German views on privacy, based on Germany's traumatic history, or French views on State-dirigisme, based on centuries of an all-powerful centralized State, dictate privacy laws in a country like Britain that has been a stable parliamentary democracy for centuries?  Half of European Member States are first-generation democracies.  Does one size fit all?

The toughest choices in privacy laws are deeply political.  For example, how much cost are we willing to impose on businesses to improve privacy compliance?  This is a clear political trade-off:  how much bureaucracy, like privacy impact assessments, mandatory appointments of Data Protection Officers, etc is enough, before the costs become too burdomsome for European businesses, in particular, SMEs?  Where do you draw the line between freedom of expression and the "right to be forgotten"?  Where do you draw the line between citizens' privacy and government surveillance?  How much flexibility should the laws include to reflect the cultural and regulatory differences amongst countries in Europe?  Is a Regulation the right instrument in the interest of harmonization, or is the flexibility of a Directive more democratic?  How high should fines be set for data handling compliance mistakes (high enough to punish/deter, but not so high as to freeze European innovation and risk-taking)?  All these are deeply political issues.  I have my views, and the unelected Commission has its views, and unelected data protection authorities have their views, but what do European elected officials think? 

There has been very little political debate in Europe about how privacy laws should be up-dated for the modern world.  The European Commission technocrats have had their say, and they are naturally wary of seeing their careful package of privacy-compromises re-opened in a messy democratic debate in the European Parliament, and elsewhere.   Democracy is indeed messy, but, as the saying goes...the alternative is worse.  

"Privacy" is a deeply political and democratic issue.  It is too precious to leave all difficult privacy law decisions to technocrats.  Privacy needs and deserves a political and democratic debate.  Perhaps this is all part of a much bigger democracy deficit in Europe.  We're on a path to "solve" the Euro crisis by transferring even more power from elected national leaders to unelected Brussels technocrats.  Nonetheless, I hope we see a vibrant debate in the European Parliament on data protection.  Privacy laws need democratic legitimacy.  Anyway, that's what we, the European elite, are debating, sipping Campari over the Amalfi coast.  

Wednesday, August 8, 2012

A travel blog post, about data centers

Sometimes I think I should write a travel blog instead of a privacy blog.  I'm the kind of guy who likes to be outdoors and physically active, and I'm just back from hiking in Spain.  Galicia has a pristine coast like Brittany, but with fewer tourists.  And it's relaxing to have a few days to enjoy privacy, instead of worrying about it.  If I don't feel safe hiking in a place, I sure wouldn't recommend putting a data center there. 

Data centers are now big business.  They're part of the fundamental infrastructure of the Web.  And people naturally want to know that the data that they choose to store in the cloud will be safe.  The location of data centers is one factor in ensuring that data will be safe.  

Some countries have proven successful at fostering a data center industry:  a few come to mind immediately, ranging from the US, UK, Ireland, Belgium, The Netherlands, Norway, Finland, Hong Kong, Singapore, Taiwan, Japan (of course there are others, but these were top of mind for me).  All these countries strike me as welcoming jurisdictions, and they are succeeding in convincing international investors to put their money and host data there. Nowadays, data centers can be large investments, involving hundreds of millions of euros, creation of hi-skilled jobs, and spurring a virtuous cycle of hi-tech clustering.  It's no surprise that many countries are competing to attract them.  

I think there are two big factors in picking locations for data centers, namely, physical-infrastructure stuff and law.  

Physical infrastructure includes:  1) cheap, reliable and renewable energy sources,  2) a cool climate to reduce electricity running costs,  3)  lots of bandwidth.  

But law is just as important.  What's the legal/regulatory environment in each country, with regards to:  
  • the rule of law?  
  • censorship?  
  • fair legal process to validate/challenge government and law enforcement requests for user data?  
  • holding intermediaries liable for third-party content in the cloud?  
Many countries around the world fail all of these tests.  Some of them only fail one or two of them.  There is no commonly-accepted "black list" of countries where international companies should avoid placing a data center.  That's an interesting challenge, and perhaps deserves some public discussion.  Maybe someone should do a study to rank countries according to these criteria, just as countries are regularly ranked for competitiveness.  For example, companies also need to worry about opening a data center in a country where its employees could be held personally liable for third-party content hosted there.  (friends, how's that for understatement?) 

Maybe the safest place to put data centers, in terms of protecting users' data from government surveillance, would be on boats floating in international waters, powered by waves, cooled by sea water, and safely beyond the jurisdictional reaches of most governments.  Ok, not really, but then again, try coming up with your own list of countries.   And if you're having trouble concentrating, would you run the risk of landing in jail for a risky bet?

Tuesday, August 7, 2012

Mud-slinging, Anonymously

As a privacy-sensitive guy, I have always had a soft spot for anonymity.  But I wonder if things have just gone too far.  Sometimes, I hold my nose and try to read the "comments" on un-moderated platforms that allow "anonymous" to post comments.  Frankly, these comments often sound like monkeys throwing their feces at each other.  And all of this happens, because, well, it's anonymous.  Anonymity has become the shield of the ignorant, the inhumane, and the uncivil.  

I'm all for freedom of speech.  And in some contexts, anonymity is an essential foundation for freedom of speech.  Without anonymity, there would be far impoverished freedom of speech for political dissidents, or whistle-blowers, or other types of speech that are socially desirable, but which put the speaker at personal risk.  Nonetheless, the real question is whether the social benefits of certain categories of anonymous speech outweigh the tsunami of garbage that is being un-leashed behind the veil of anonymity on Internet platforms today.  

It's a hard challenge: can we figure out how to enable the socially-desirable forms of anonymous speech, while filtering out the anonymous slime, without turning into censorship engines?  

On this blog, I do not allow unmoderated comments.  In other words, I welcome your comments, but I review all comments before they are posted here.  I am not censoring the critical comments posted anonymously (you need only take a look at them to verify this).  But I do delete the many comments that are spam, or blatantly ignorant or hate-speech.  Really, a picture of myself hiking without a shirt should hardly prompt an outpouring of homophobic rants, but well, sadly, it did.  

As I grow older, I think more and more sites should reconsider the idealism of the early web, when many of us believed the world would be a better place, and privacy would flourish, by enabling people to express themselves anonymously.  Forcing people to use their real names on many sites might stop much of the grotesque defamation, hate-speech, cyber-bullying, ignorance and incivility that we are all enduring today, under some out-dated (and algorithmically ordered) view that "anonymous" should be free to say anything.

It's not easy for an Internet platform to figure out how to balance the benefits of anonymity against the lack of accountability that goes with it.  By the way, I use my real name for this blog.  Here's a picture of myself, vulnerable and unclothed, covered in mud on the Dead Sea.  If you want to comment with a homophobic or anti-Semitic rant, would you dare to use your real name?  I'm not writing a blog to give "anonymous" a platform for bile.  

I predict the Web tide is going to start ebbing away from anonymity, with a sea-shift back to real-world identity.