Monday, October 29, 2012

Singapore passes a modern privacy law. Cheers!

Singapore is the latest in the long list of countries that have recently passed privacy laws.  It's joining other Asian countries, like Malaysia and The Philippines, in this year's crop of countries with new privacy laws.

This is in part a tribute to Europe, where modern privacy laws were invented in the 1960's.  Well, they were modern then.  Now, they're pretty much out of date.  There was a school of thought in Europe that data protection laws are a perfect expression of fundamental human rights, a beacon to all mankind, like the Venus de Milo, to be admired and copied by all humanity. 

Singapore has passed a modern privacy law.  Europe, by contrast, is trying to modernize its old privacy law.  Europe should try to learn a lesson from Singapore's new law. 

To me, there is a simple test of whether a privacy law is modern:  how it handles the issue of "international transfers of data".   Indeed, if you asked me to pick the one notion of existing European privacy laws that is most in need of modernization, I'd pick this one:  Europe's restrictions on international transfers.  Bizarrely, in the long list of things that Europe is now proposing to "modernize", the need to create a more rational framework for international transfers is not on the list.  Singapore got this right.  Singapore's new law simply says that a company that transfers data outside Singapore is responsible for ensuring that it continues to respect the provisions of the privacy law.  Simple.  Effective.  Obvious.  

Or to quote Singapore's government minister's speech, when the law was passed:  "We are not adopting a prescriptive approach of restricting transfers of personal data to countries that have an adequate level of data protection. Instead, the Bill adopts a “principle-based” approach, where the onus will be on the organisation in Singapore to put in place measures, such as contractual arrangements, to ensure a comparable standard of protection is accorded to personal data transferred overseas. Therefore, there is no need to further burden organisations with disclosing to consumers where copies of their personal data will be transferred to."

Singapore's approach is a direct repudiation of the European approach, which makes it very hard to transfer data internationally.  The European framework has frankly become bizarre, with an entire legal industry contorting itself in gymnastics for international transfers:  
  • First, European laws declare transfers to be ok to other European countries and to countries deemed to have "adequate" privacy laws, but the list of "adequate" countries is a list of countries which make strange bedfellows, including mostly tax havens (yes, Monaco and Guernsey) and a few (I mean, literally, a few) others, ranging from Argentina and Uruguay to Israel and Canada.  
  • Second, there are a few hypothetical legal mechanisms to enable data to be transferred from Europe to other countries around the world.  Data can flow to the US if the company transferring it signs up the US-EU Safe Harbor Framework.  Data can also flow around the world if the company transferring it signs up to so-called Binding Corporate Rules, and if these Binding Corporate Rules are approved by Data Protection Authorities.  The pure simple fact is that only a tiny handful of Binding Corporate Rules have ever actually made it through the bureaucratic approvals process. E.g., to my knowledge, not a single Internet company has ever had Binding Corporate Rules approved.  So, practically, the option of obtaining Binding Corporate Rules is theoretical. 
  • Third, people can consent to having their data transferred internationally, although there's no consensus on what "consent" means or requires in practice, and no one even knows what a "transfer" is. 
Since we all know that data is being transferred internationally, every day, billions of  times per day, by everyone on the Internet, does that mean that every company, every government, every individual is "illegally" transferring data in Europe today?  Does that also mean that EU privacy laws are hopelessly out of data on this issue?  Well, yes.  And hardly a day goes by without yet another taxpayer-funded study by government authorities on the Cloud, sternly admonishing customers to comply with EU privacy laws on international transfers, and list the locations where data is processed, while at the same time acknowledging that there is no pragmatic, real-world solution to the archaic stuck-in-the-muck rules from the 80's on int'l transfers.  

Europe is attempting to modernize its privacy laws now.  It's proposing a number of sensible ways to modernize the laws.  But, missing an important opportunity, it is doing essentially nothing to try to modernize the single most important piece, namely, simplifying the rules around international data transfers.  Why not just get rid entirely of the reality-divorced restrictions on international data transfers, as most countries around the world have already done?  Whoever collects and transfers data should remain responsible for it, regardless of where the data is processed.  Period.  It's so simple.  

Singapore just passed a modern law, with a sensible provision on international transfers.  A modern law will help build a modern industry and create jobs.  If Singapore can do it, Europe can too.  Or if not, the rest of the world will just move on and build the future without us.  At least, the world will retain a deep affection for the historical treasures of Old Europe, like affluent Singaporean tourists snapping photos of the Venus de Milo in the Louvre, while our diminished-generation of children wait outside and hope to sell them a sandwich.  

Friday, October 26, 2012

Privacy-litigation: get ready for an avalanche in Europe

The US has long been a litigious country.  What's true in general in the US, is also true for privacy.  The US has a vibrant privacy litigation industry, led by privacy class actions.  Within hours of any newspaper headline (accurate or not) alleging any sort of privacy mistake, a race begins among privacy class action lawyers to find a plaintiff and file a class action.  Most of these class actions are soon dismissed, or settled as nuisance suits, because most of them fail to be able to demonstrate any "harm" from the alleged privacy breach.  But a small percentage of privacy class actions do result in large transfers of money, first and foremost to the class action lawyers themselves, which is enough to keep the wheels of the litigation-machine turning.  

Europe, by comparison, is not nearly as litigious as the US.  What's true in general in Europe, is also true for privacy.  In Europe, privacy is mostly handled as a regulatory matter, by Data Protection Authorities, who have the power to investigate complaints, launch enforcement actions and impose sanctions for breaches.  

In theory, any DPA enforcement action or sanction can be appealed to national courts.  In practice, this is rarely done.  Why?  Because European DPA sanctions tend to be very small.  Rationally, would you hire an expensive law firm to appeal a DPA enforcement action resulting in a 100,000 euro fine, if you knew that your outside counsel costs for the appeal alone would exceed that amount?  Even if you knew you'd win, you probably wouldn't appeal, as a purely rational matter. 

One of the unfortunate consequences of the current European DPA enforcement/sanctions model is that very few of its decisions are tested or validated by the courts.  If more of these cases were appealed to the courts, I am absolutely certain that many of them would be over-turned as a matter of law.  So, Europe is building up a body of regulatory "case law", which has never really had the discipline of judicial review, as we'd understand that concept in the US.  

Starting around 2015, when the new EU Privacy Regulation comes into effect, all this will change.  The new laws are almost certain to introduce vast new sanctions and fining levels for privacy breaches, expressed as a percentage (say 2%) of a company's global turnover.  Yes, you read that correctly.  Compare today, when the largest fine ever imposed by the CNIL in its history was 100,000 euros to this near-future, when fines could in theory run to many many millions.  You can do the math.  

Once there is real money at stake, everything changes.  Companies that today shrug their shoulders and pay small fines, rather than be bothered to hire lawyers and launch long legal processes, in the future will be confronted with the risk of massive fines.  Facing massive fines, companies will be required to hire expensive lawyers, launch intense legal battles, and generally handle privacy breach litigation with the full battery of legal process and tools.  Companies already do this in many other areas of law, so extending such practices to privacy law will not be hard.  

DPAs, on the other hand, are completely unprepared for this near-term future.  Many DPAs today operate "prosecution by press release", which is really not meant to withstand legal process, but rather to generate some press and reputational impact.  But DPAs are completely unprepared and un-staffed to launch serious legal actions, with a solid basis in law, and a solid respect of legal process, in a way that would withstand tough legal scrutiny and the judicial appeals process.  It's one thing to launch an enforcement action where the money at stake is 100,000 euros.  It's entirely different when the money at stake is 100,000,000 euros.  

In this post, I'm not commenting on whether creating large sanctions for privacy breaches in Europe makes sense or not.  I'm just saying that the entire legal/procedural game changes when there's lots of money at stake.  Privacy litigation will become an outside counsel growth area in Europe.  Companies will handle privacy in Europe increasingly as a litigation matter, rather than a regulatory matter.  And DPAs are going to have to figure out how to stand up to defendants' legal heavy artillery, something few of them have ever faced.  

Privacy litigation is already a big business in the US.  In a couple years, privacy litigation will go big time in Europe too, once big money is at stake.  Finally, we've found a growth industry in slow-growth-Europe.  

Thursday, October 25, 2012

Microsoft's brilliant master class on how to change a privacy policy

Privacy professionals are often asked how to change or update a Privacy Policy.  There are really just two basic choices:  openly or quietly.  

Naturally, I was professionally curious to see how Microsoft went about changing its privacy policy recently.  It was particularly interesting, because Microsoft made changes that were very similar to those Google made to its own privacy policy in March.  It's interesting when you have two large companies, making very similar changes to their privacy policies at the same time, but annoucing them in very different ways.  

Microsoft made its changes in legalistic language in something called the Microsoft Services Agreement.  

When Google announced its changes, Microsoft launched a worldwide PR campaign to discredit Google.  So, it is striking that Microsoft quietly made similar changes to its privacy policies that it so loudly criticized Google for making.  After Microsoft took out full-page newspaper ads to criticize Google for its changes, did Microsoft take out similar full-page ads to inform its users of the changes Microsoft was making?  Nope.  And "almost no one noticed" Microsoft's changes, as The New York Times reported.  

If the goal was to make changes in their privacy rules that "almost no one noticed", Microsoft was brilliant.  

I can guess what lessons will be drawn by most privacy professionals from this master class.   When the time comes for privacy professionals to update their own privacy policies, they now have two models to compare.  The open and transparent path led to worldword advocacy tirades and intense regulatory scrutiny.  The other path, well, Microsoft brilliantly blazed a trail so that "almost no one noticed".  Which path do you think privacy professionals will pick in the future?  Which path do you think is good for privacy?

Sadly, we all know the answer.   

Tuesday, October 23, 2012

Privacy Professionals peregrinate to Punta

Today in Punta del Este, Uruguay, is the annual conference of the world's data protection commissioners.  It also brings together a large number of people in their orbit, like privacy advocates, practitioners and lobbyists.  These are annual conferences, usually held in Europe, but occasionally in other countries around the world, as a "reward" for adopting European-style privacy laws.  Uruguay has just adopted euro-style-privacy laws, so it's the host this year.  In previous years, other countries that had recently adopted euro-style privacy laws, namely Mexico and Israel, were hosts.  Countries that have not adopted euro-style privacy laws, like the USA or Japan, are not deemed eligible to be hosts.  In fact, until recently, the US Federal Trade Commission wasn't even allowed to vote in the commissioners' meetings, but was only allowed to attend in a sort of second-class "observer" status.  Finally, two years ago, the FTC was admitted as a member of the commissioners' club.  

I have nothing against privacy confabulations.  There are always a lot of interesting things to talk about in the world of privacy.  Of course, all this talk could easily be conducted virtually, using simple Internet technologies, essentially for free. I won't be going to Punta, but I wonder if the Microsoft speaker, who will key-note there, will explain why they changed their privacy rules, as The New York Times reported, in a way that "almost no one noticed".  Or if he'll talk about how they use an army of privacy lobbying proxies, including former privacy regulators, as The Economist reported

I'm sure the conference will provide taxpayer-value-for-money, going by the pictures of the beach and the 5-star hotel in Punta on the Conference website. Flying half-way around the world to hear a Microsoft lecturer on privacy...priceless!  

Monday, October 8, 2012


There's an entire, vibrant privacy conference business.  There are privacy conferences somewhere in the world every week of the year.  Some are commercial, some are taxpayer-funded.  Why are they so boring?

Because they take one of the most interesting topics in the world, privacy, and discuss and debate it from an insular perspective, namely, from the perspective of people who are in the privacy "industry."  I'm very clearly part of this "industry" too.

The privacy "industry", or "privacy industrial complex", as some wags have dubbed it, consists of privacy professionals at companies, privacy advocates, privacy regulators, privacy consultants, etc.  So, conferences tend to be incredibly banal statements about who's more committed to privacy, and begin with stentorian declarations, like "privacy is a fundamental human right, therefore...".  Or they consist of a "debate" between two privacy advocates, which is like listening to two members of the National Rifle Association debate the social benefits of gun control.  Or they consist of paid-corporate advocates trashing their competitors' privacy record, often without disclosing who is paying them to do so.

The interesting privacy debates, in my opinion, are the debates where privacy is balanced against other fundamental human rights, like freedom of speech, or balanced against other social goals, like encouraging innovation, or tested against other yardsticks, like regulatory cost-benefit analysis.  But very little of that occurs at privacy conferences, because virtually no one from outside the privacy "industry" speaks at such events.  E.g., rather than hearing privacy-people talk endlessly about the need for more privacy regulation, I'd like to hear from an economist evaluating whether such regulations are effective, or whether their costs exceed their benefits.  Rather than hearing privacy-people talk about the need to create a "right to be forgotten", I'd rather hear from a free speech advocate on how such a right would undermine freedom of expression.  Rather than hear privacy-people talk about how technology needs to be reined in, and subject to bureaucratic prior approval (in other words, slowed-down), I'd rather hear from people who are committed to building modern and dynamic economies about how (archaic) privacy laws are hampering the creation of innovation-based economies.

But privacy conferences have largely become like any other conclaves of groupthink.  At a Vatican conclave, you don't get a serious discussion about the health benefits of promoting the use of condoms.  At a Tea Party rally, you don't get a serious discussion about whether government welfare benefits are a guarantor of minimal human decency.

I have pretty much stopped going to most privacy conferences, at least for now.  When I go, it's mostly to have a chance to have one-on-one chats with people I'd like to meet or catch-up with.  I think privacy is the most interesting topic in the world.  But groupthink gatherings don't move the debate forward.  If I was at an NRA meeting, I'd advocate for gun control to help reduce the shockingly high murder rates in the US, and I'd probably be run out of the room.  There are so many smart people in the privacy profession, why aren't we challenging each other more, to take a small, wild step outside the privacy-industrial-complex, and actually engage more with the real world?