Thursday, March 29, 2007

“We can lick gravity, but sometimes the paperwork is overwhelming”

Wernher von Braun was not speaking about the paperwork of European data protection filings, but he might as well have been. Having worked for two large companies with operations all across Europe, I’ve probably done more data protection notification filings than just about anyone, and I’m exhausted. I wouldn’t mind, if it wasn’t such a waste of time and money.

Every European country requires that companies file data protection notifications with the local data protection authority. While most other European regulatory fields allow companies to file their regulatory paperwork in their country of origin only, EU data protection requires this to be duplicated in every country. And every country takes a completely different approach, magnifying the work considerably. Some countries require filings on a “per-controller” basis (e.g., the UK requires one filing per company), others require filings on a “per-database” basis (e.g., France requires filings for all “databases”, whatever that means). Some countries provide exemptions from some or all filing requirements if the company appoints a data protection officer (e.g., Germany). In case you’re interested, see this helpful “vademecum”, a summary of the filing requirements across Europe. The summary runs to 76 pages:

Companies in Europe take one of two approaches. The vast majority essentially ignores the filing requirements completely, or fills them out with cursory and meaningless generalities (e.g., "yes, I have a database with my employees' names"). The minority spend a lot of time and money in trying to complete these filings conscientiously. Having worked in the latter category, I have some ideas for a radical revision of the entire process.

1) Filings should be required in a company’s Country of Origin only. This is a classic Common Market concept, and if it works in so many other areas of European regulatory law, I think it should work for data protection too.
2) Filings should be required only once for each Controller (i.e., company). The concept of multiple filings for each database is archaic, and makes no sense in the modern world of IT, where “databases” can be created by any employee with a few keystrokes.
3) Delete all requirements for “prior approval” for international transfers. Data protection authorities already cannot meet the requirements to review and provide the theoretic “prior approval” required for international data transfers. In the era of the Internet, such transfers are routine, instantaneous and unproblematic.
4) Re-allocate all the money that will be saved from this simplification of data protection filings to more productive purposes: companies can spend it on real improvements to their privacy practices, and the data protection authorities can spend it on higher priorities, like education, advocacy, and enforcement.

The current European maze of data protection filing requirements makes less and less sense every day. Leading privacy thinkers, like the UK Information Commissioner Richard Thomas, are starting to call for a re-think: “There may be scope for less bureaucracy, less emphasis on prior authorisation and more concrete focus on preventing real harm.” ICO press release of March 9, 2007
Enterprise and Industry Commissioner Günter Verheugen has repeatedly called on the Commission to cut the burden of red tape. Simplifying and improving the EU regulatory environment is one of the Commission’s key instruments under the Lisbon Strategy to revitalize Europe's economy. Let’s start here!

No comments: