Thursday, September 20, 2012

The algorithm decided not to hire you: is that legal?


I spend a lot of time thinking about privacy and algorithms.  

The Wall Street Journal carried an interesting story "Meet the New Boss:  Big Data", about how algorithms are now being widely used to make human resources decisions, like hiring and promotion.  The article pointed out that such algorithms could run into legal problems, if they intentionally or unintentionally filter out protected categories of employees, like older employees, under US anti-discrimination laws.  But the article didn't discuss a more fundamental legal issue, at least in Europe.

In Europe, "automated individual decisions" are a violation of EU privacy laws.  Article 15 of the EU Privacy Directive guarantees:  "...the right to every person not to be subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc".  

Well, that's about as clear as a law can get.  In our age of Big Data, we all know algorithms are being refined and used more and more widely to make decisions about hiring and promotion, and many other topics.  But when these decisions are made solely by algorithms, they are violating EU privacy laws.  Period.  The only way such algorithms can be used legally is to supplement them with certain other measures to safeguard the legitimate interests of the person being evaluated, e.g., by allowing him to put his point of view.  

I'm a great believer that algorithms can help all of us (governments, businesses, individuals) make better decisions.  But when a computer program is making key decisions by itself about whom to hire or fire, or whether or not to extend credit to someone, it's fair to ask for additional safeguards.  The privacy laws in Europe require it.  I'm agnostic about whether algorithms are more or less fair than humans at making a lot of such decisions.  In any case, companies using such algorithms need to consider how to make them comply with European privacy laws.  When algorithms are used to supplement other evaluation tools, they should be legal.  When algorithms are used to make these decisions by themselves, there's a serious risk they would be considered illegal in Europe.  Use with care.  



Wednesday, August 22, 2012

August in Paris: has everyone left?



A VIP friend of mine, Monsieur Banal, rang me up.

Mr Banal:  Bonjour, Pierre.  Sorry to interrupt you with a phone call in August, but I can't reach any other foreign executives in France.  Where have all the others gone?

Me:  Monsieur Banal, they have moved to Switzerland, or Belgium, or the UK, to escape your plans to tax them at 91%.  

Mr Banal:  No, it's 75% tax, plus social charges.  Together taxes are over 90%.  That's true.  But only for the rich. 

Me:  But, Monsieur Banal, your tax rates are double those of London or Switzerland.  Mitt Romney pays 13% tax!  Even for people who love France, like me, how can we ever save for retirement if there's nothing left after taxes?

Mr Banal:  You don't need to save for retirement, since we have a generous French pension system, and you can now retire with a full pension at 60, thanks to me, the lowest retirement age in Europe.   

Me:  Monsieur Banal, do you remember when George W Bush said:  "French doesn't even have a word for entrepreneur".  Ok, it was a very funny line.   Entrepreneurs building new businesses around the world use stock options as a way to incentivize their workforce to create new companies.  So, why would you pursue a policy to make stock options illegal?

Mr Banal:  In the public sector, we don't get stock options, so we see no reason why you should either.  We believe in fairness. 

Me:  Entrepreneurs often complain about suffocating regulation and bureaucracy.  Will things get better here?

Mr Banal:  I have never worked one day in my life in the private sector, but I learned how to regulate the excesses of capitalism at the Ecole Nationale d'Administration. 

Me:  France has well-educated, productive workers, doesn't it?

Mr Banal:  Indeed.  In France, we have a happy workforce.  Our employees get more vacation than almost anywhere in the world (by law, a minimum of 5 weeks per year), and they work fewer hours than almost anywhere in the world (by law, 35 hours per week).  This makes them very happy.  It is true that they sometimes strike, but only when they are not happy.    

Me:  What if my business fails?  

Mr Banal:  My Ministre du Redressement Productif (I cannot translate this into the English) will castigate you in the media, but it's only populist politics.  Don't pay any attention to him.  I don't really hate the rich, I just say that to set the tone.  

Me:  Why would so many French entrepreneurs expatriate to London or Silicon Valley to build their businesses?

Mr Banal:  Indeed, this is completely unacceptable.  We have a tradition of engineering excellence, and my government will help select those French technologies and businesses that deserve to succeed in the future.  

Me:  Let's have lunch in September.  

Mr Banal:  Sorry, I've been invited to lunch in Berlin.  I don't like the food there, but at least they pick up the check.  Will you still be in France when I get back?  


Thursday, August 16, 2012

It's time for a "lead regulator" in Europe




Who's in charge in Europe?  That's a common conundrum for those of us who work in the privacy field in Europe.  When I was at a Berlin privacy conference, dopey picture attached, everyone was talking about it.

Privacy regulators play the key role in enforcing privacy laws.  Most companies (certainly all Internet companies) operate globally.  So, it's a natural question to ask which regulator(s) will or should have jurisdiction to enforce privacy laws.  For many years, I have advocated for the concept of a "lead regulator" in Europe.  It makes a lot of sense for one country's regulator to take the lead on behalf of all of Europe.  It encourages consistency across Europe, it provides for a deeper regulatory relationship, and it saves taxpayer money, since numerous regulators are not all re-inventing the regulatory wheel.  This is exactly what the European Commission is proposing in its re-write of privacy laws for Europe.  

Take the example of Facebook, whose European operations are headquartered (in legal terms, "established") in Ireland.  Normally, the Irish data protection authority would therefore be the lead regulator of Facebook, on behalf of Europe.  And indeed, it has been acting accordingly, conducting a company-wide audit of Facebook's privacy practices.  

The key to making all this work is clear:  the concept of "lead regulator" simply cannot work unless other regulators defer to their sister regulator.  That's why this story caught my eye:  German privacy regulators re-open their investigation into Facebook's face recognition software, notwithstanding the fact that the Irish are currently investigating the same thing, and notwithstanding having previously said that they would defer to the Irish audit before proceeding.  

The German regulatory world is a microcosm of the European regulatory world.  Each "Land" in Germany has its own independent data protection authority.  In theory, each is entirely independent, and is free to investigate or regulate separately, or in addition to, or even differently than one of its sister-German-DPAs.  But in practice, the German DPAs have developed a custom (not based in law, but based in deference and mutual respect) that they would defer to the "lead German DPA".  In the example of Facebook, the DPA of Hamburg is leading on behalf of its sister-German DPAs, because Facebook's German headquarters are based in Hamburg.  That's why Hamburg, rather than, say, Munich, is investigating Facebook.  

So, the question is simple:  German DPAs have developed the concept of "lead regulator" amongst themselves.  But are they willing to respect the same concept, and show the same necessary regulatory deference, at a European level, e.g., vis-a-vis the Irish DPA? 

If the European Commission proposal becomes law, then the concept of "lead regulator" will be cemented into law.  I often critique other aspects of the Commission's proposal, but on "lead regulator", I applaud their efforts. The issue is contentious, and the French authority, the CNIL, to take one example, is very publicly attacking the concept of a "lead regulator", precisely because they don't want to defer to a non-French lead regulator.  

In the meantime, it's hard to know who's in charge.  I'm someone who believes that regulatory enforcement is more effective when it's absolutely clear who's in charge.  


Wednesday, August 15, 2012

Rainbows in Ravello: Technocracy or Democracy?



As the European elite has for centuries, I love summertime in Ravello.  Civilization has flourished on these ravishing hills for millennia.  Democracy has ruled here for only very brief interludes.  Indeed, modern Italy has given up on having an elected Prime Minister, and instead appointed a (well-respected) technocrat as their leader. The "democracy deficit" in Europe is well-documented.  When things get tough in Europe, well, do we turn our backs on democracy?  Virtually all European-level legislation is drafted by un-elected Brussels-based European Commission technocrats.  (I have the greatest respect for the intelligence and professionalism of the Commission staff, so my comments are institutional, rather than individual.)  What's true for virtually all EU legislation is also true for data protection.  The current EU proposal for revising EU Data Protection is a technocratic tour-de-force. 

The Commission has chosen the approach of a Regulation (directly applicable law), rather than the approach of a Directive (prior law was a Directive, which included scope for national parliaments to make adjustments).  There are pros and cons to the Regulation approach.  The biggest advantage is that it would result in fully harmonized, consistent privacy laws across Europe.  That's why businesses love it: it's easier to comply with one set of rules, rather than with dozens of (slightly) different rules.  The biggest disadvantage is that a Regulation leaves no scope for national parliaments to bring their own democratic choices and legitimacy to privacy laws in Europe.

Privacy is the product of culture and history, and naturally, attitudes to privacy vary widely across Europe, given the wildly different cultural and historical experiences.  Even neighboring countries, like Germany and Denmark, have very different views on privacy, given their different histories and cultures.  Given Germany's history, we expect Germans to be particularly sensitive to privacy issues.  But should German views on privacy, based on Germany's traumatic history, or French views on State-dirigisme, based on centuries of an all-powerful centralized State, dictate privacy laws in a country like Britain that has been a stable parliamentary democracy for centuries?  Half of European Member States are first-generation democracies.  Does one size fit all?

The toughest choices in privacy laws are deeply political.  For example, how much cost are we willing to impose on businesses to improve privacy compliance?  This is a clear political trade-off:  how much bureaucracy, like privacy impact assessments, mandatory appointments of Data Protection Officers, etc. is enough, before the costs become too burdensome for European businesses, in particular, SMEs?  Where do you draw the line between freedom of expression and the "right to be forgotten"?  Where do you draw the line between citizens' privacy and government surveillance?  How much flexibility should the laws include to reflect the cultural and regulatory differences amongst countries in Europe?  Is a Regulation the right instrument in the interest of harmonization, or is the flexibility of a Directive more democratic?  How high should fines be set for data handling compliance mistakes (high enough to punish/deter, but not so high as to freeze European innovation and risk-taking)?  All these are deeply political issues.  I have my views, and the unelected Commission has its views, and unelected data protection authorities have their views, but what do European elected officials think? 

There has been very little political debate in Europe about how privacy laws should be up-dated for the modern world.  The European Commission technocrats have had their say, and they are naturally wary of seeing their careful package of privacy-compromises re-opened in a messy democratic debate in the European Parliament, and elsewhere.   Democracy is indeed messy, but, as the saying goes...the alternative is worse.  

"Privacy" is a deeply political and democratic issue.  It is too precious to leave all difficult privacy law decisions to technocrats.  Privacy needs and deserves a political and democratic debate.  Perhaps this is all part of a much bigger democracy deficit in Europe.  We're on a path to "solve" the Euro crisis by transferring even more power from elected national leaders to unelected Brussels technocrats.  Nonetheless, I hope we see a vibrant debate in the European Parliament on data protection.  Privacy laws need democratic legitimacy.  Anyway, that's what we, the European elite, are debating, sipping Campari over the Amalfi coast.  


Wednesday, August 8, 2012

A travel blog post, about data centers



Sometimes I think I should write a travel blog instead of a privacy blog.  I'm the kind of guy who likes to be outdoors and physically active, and I'm just back from hiking in Spain.  Galicia has a pristine coast like Brittany, but with fewer tourists.  And it's relaxing to have a few days to enjoy privacy, instead of worrying about it.  If I don't feel safe hiking in a place, I sure wouldn't recommend putting a data center there. 

Data centers are now big business.  They're part of the fundamental infrastructure of the Web.  And people naturally want to know that the data that they choose to store in the cloud will be safe.  The location of data centers is one factor in ensuring that data will be safe.  

Some countries have proven successful at fostering a data center industry:  a few come to mind immediately, ranging from the US, UK, Ireland, Belgium, The Netherlands, Norway, Finland, Hong Kong, Singapore, Taiwan, Japan (of course there are others, but these were top of mind for me).  All these countries strike me as welcoming jurisdictions, and they are succeeding in convincing international investors to put their money and host data there. Nowadays, data centers can be large investments, involving hundreds of millions of euros, creation of hi-skilled jobs, and spurring a virtuous cycle of hi-tech clustering.  It's no surprise that many countries are competing to attract them.  

I think there are two big factors in picking locations for data centers, namely, physical-infrastructure stuff and law.  

Physical infrastructure includes:  1) cheap, reliable and renewable energy sources,  2) a cool climate to reduce electricity running costs,  3)  lots of bandwidth.  

But law is just as important.  What's the legal/regulatory environment in each country, with regards to:  
  • the rule of law?  
  • censorship?  
  • fair legal process to validate/challenge government and law enforcement requests for user data?  
  • holding intermediaries liable for third-party content in the cloud?  
Many countries around the world fail all of these tests.  Some of them only fail one or two of them.  There is no commonly-accepted "black list" of countries where international companies should avoid placing a data center.  That's an interesting challenge, and perhaps deserves some public discussion.  Maybe someone should do a study to rank countries according to these criteria, just as countries are regularly ranked for competitiveness.  For example, companies also need to worry about opening a data center in a country where its employees could be held personally liable for third-party content hosted there.  (friends, how's that for understatement?) 

Maybe the safest place to put data centers, in terms of protecting users' data from government surveillance, would be on boats floating in international waters, powered by waves, cooled by sea water, and safely beyond the jurisdictional reaches of most governments.  Ok, not really, but then again, try coming up with your own list of countries.   And if you're having trouble concentrating, would you run the risk of landing in jail for a risky bet?


Tuesday, August 7, 2012

Mud-slinging, Anonymously



As a privacy-sensitive guy, I have always had a soft spot for anonymity.  But I wonder if things have just gone too far.  Sometimes, I hold my nose and try to read the "comments" on un-moderated platforms that allow "anonymous" to post comments.  Frankly, these comments often sound like monkeys throwing their feces at each other.  And all of this happens, because, well, it's anonymous.  Anonymity has become the shield of the ignorant, the inhumane, and the uncivil.  

I'm all for freedom of speech.  And in some contexts, anonymity is an essential foundation for freedom of speech.  Without anonymity, there would be a far more impoverished freedom of speech for political dissidents, or whistle-blowers, or other types of speech that are socially desirable, but which put the speaker at personal risk.  Nonetheless, the real question is whether the social benefits of certain categories of anonymous speech outweigh the tsunami of garbage that is being un-leashed behind the veil of anonymity on Internet platforms today.  

It's a hard challenge: can we figure out how to enable the socially-desirable forms of anonymous speech, while filtering out the anonymous slime, without turning into censorship engines?  

On this blog, I do not allow unmoderated comments.  In other words, I welcome your comments, but I review all comments before they are posted here.  I am not censoring the critical comments posted anonymously (you need only take a look at them to verify this).  But I do delete the many comments that are spam, or blatantly ignorant or hate-speech.  Really, a picture of myself hiking without a shirt should hardly prompt an outpouring of homophobic rants, but well, sadly, it did.  

As I grow older, I think more and more sites should reconsider the idealism of the early web, when many of us believed the world would be a better place, and privacy would flourish, by enabling people to express themselves anonymously.  Forcing people to use their real names on many sites might stop much of the grotesque defamation, hate-speech, cyber-bullying, ignorance and incivility that we are all enduring today, under some out-dated (and algorithmically ordered) view that "anonymous" should be free to say anything.

It's not easy for an Internet platform to figure out how to balance the benefits of anonymity against the lack of accountability that goes with it.  By the way, I use my real name for this blog.  Here's a picture of myself, vulnerable and unclothed, covered in mud on the Dead Sea.  If you want to comment with a homophobic or anti-Semitic rant, would you dare to use your real name?  I'm not writing a blog to give "anonymous" a platform for bile.  

I predict the Web tide is going to start ebbing away from anonymity, with a sea-shift back to real-world identity.

Friday, May 25, 2012

A torrent of bureaucracy



As Europe slips into recession and economic decline, how is privacy law being changed in Europe?  Sadly, privacy debates here, like the other big political debates in Europe, are not about how to foster the digital economy, but rather about how to regulate it.  Tax and regulate:  is that Europe's plan to build its digital economy?

While policymakers around the world are frantically nurturing their digital economies, what's happening here in Europe?  Lots, lots more red tape is coming.  Politicians are furiously running around giving media interviews about how this will rein in Facebook or Google, as though all of Europe's privacy laws should be written for one or two companies.  Indeed, wags have started to call Europe's new proposed privacy laws "Lex Google" or "Lex Facebook".  But trying to write a privacy law to "rein in" Google or Facebook is a sure recipe for writing a bad privacy law that would apply to all companies in Europe.

Very few people have actually looked at how Europe is planning to change fundamental privacy laws.  While politicians are posturing that this is a reduction of red tape, the reality is that it is on track to become the biggest increase in paperwork and compliance process obligations in the history of privacy law anywhere on the planet.  Moreover, here's an assessment that would surprise some people:  I think Facebook and similar big companies could cope just fine with the new proposals, one way or another.  But there is absolutely no way Small and Medium-size Enterprises in Europe could cope.  SME's are already an embattled group in Europe, facing the highest regulatory and employment tax burdens in the world.  Data protection officers at large corporations generally have lots of resources, and they can manage bureaucracy and paperwork, even if it costs a few more million euros.  For big companies, it's not a big deal if the data protection "compliance tax" increases by a few million "new pesetas" or "new lira".  Frankly, I wonder how an SME could possibly deal with this paperwork and process torrent, and how they're supposed to pay for it.

Consider the details of this regulatory torrent, and ask yourself how new legal obligations like those below would impact an SME:
  • 1)  Breathtaking fines for routine paperwork data protection lapses.  Large fines are proposed for data protection violations, some of which are really nothing more than paperwork lapses or documentation foot-faults.  Does anyone really think European SME's are set up to be able to report a data breach in less than 24 hours?  It baffles me how policymakers can propose to impose fines of 1 or 2% of a company's global turnover for not "adequately" filling out paperwork, such as "privacy impact assessments" or "documentation of data processing", especially since there is not even any agreement on what such paperwork is even supposed to look like.  
  • 2)  Mandatory Data Protection Officers.  What happens if we obligate all enterprises with over 250 employees to appoint a Data Protection Officer?  Practically, where are all these people going to come from, since only a handful exist today?  Can SMEs afford the cost of these new employees, or of outsourcing this function to expensive law firms?  Or over-burden others on their staff, e.g., a Human Resources person, to try to play this role too?  And needless to say, some companies with 250 employees (like Internet or health companies) have vastly different privacy impacts than others (like construction companies), so laws with arbitrary fixed rules are rarely well-adapted to the different realities of the real world. 
  • 3)  Mandatory privacy impact assessments.  What will SMEs have to do, if they are obligated to carry out privacy impact assessments on all new projects?  While I think such privacy impact assessments can be a useful privacy compliance tool for some projects, I also know that they are burdensome and time-consuming.  Can SMEs handle this additional burden?  While "privacy impact assessments" are still undefined, I estimate doing one would cost roughly 10,000 to 100,000 euros.  I imagine most SMEs would have several, and larger companies would have many projects requiring such privacy impact assessments.  
  • 4)  Mandatory data processing documentation.  Documenting such data handling processes is time-consuming and difficult.  How much will it cost SMEs to document their data processing practices?  I would roughly assume that the burden to comply with this requirement would be comparable to the time/money spent complying with tax laws.  No one knows what it means to "adequately" document data processing, but nonetheless, these confused proposed privacy laws would threaten massive fines for failing to comply with an undefined standard.  
I hope SMEs will have their voices heard in the up-coming political process.  As long as the laws are passed to "rein in" Google and Facebook, you can be sure the SMEs will be ensnared in rules that make no sense for them.  But I wonder if politicians can limit SME-killing regulatory over-load.  I am worried about the impact of excessive regulation on Europe's digital economy, which is surely the world's most promising to create the jobs of the future.  All successful technology companies start as SME's.  Europe is committing a crime against its youth, when 50% of young people in many countries here are out of work.  SMEs create jobs, especially for young people.  Although politicians can run around and get media headlines about how these new proposed fines would rein in Facebook and similar companies, the reality is that a law applies to all companies, including SMEs.  Surely, we can figure out how to apply data protection paperwork obligations in a more sensible fashion, more adapted to the sensitivity and scale of data processing, than what is contained in the current proposed law.  Let's not suffocate European SMEs, as the unfortunate collateral damage of trying to "get" the big American Internet companies.

Europe is about to threaten companies with fines so large that they will throw them into bankruptcy for bureaucracy and paperwork foot-faults?   As countries around the world begin the competitive race to build their digital economies, we in Europe are starting the race by shooting ourselves in the foot?   It's possible to be deeply committed to privacy, without drowning in a torrent of privacy bureaucracy.

Monday, March 19, 2012

The Safe Harbor


Periodically, and again today, there’s a conference to discuss trans-Atlantic privacy issues, and take stock of the Safe Harbor framework. As an American who works in this field in Paris, I have long cared more than most people about trans-Atlantic privacy issues.

Why is the Safe Harbor framework still relevant? Here’s a reminder: the Safe Harbor framework was created because of a quirk in European law dating from 1995 that divided the countries of the world into so-called "adequate" and not-"adequate", in terms of having European style data protection. Countries like the US and Japan are not currently deemed to have "adequate" protections under EU law, but other countries like Argentina and Mexico and Israel are. It's a fair question whether the criteria to assess "adequacy" are themselves realistic or out-dated. Essentially, the criteria are formalistic: e.g., does a country have a European-style “independent data protection authority” and European-style “comprehensive” privacy legislation? So, countries that do not, like Japan and the US, are not deemed to have “adequate” data protection, but countries like Mexico, Argentina or Israel are. The Safe Harbor framework constitutes an “adequacy” regime for the US-based companies that comply with it. Therefore, the Safe Harbor framework is a partial solution to a bigger “adequacy” problem.

Rather than debating the Safe Harbor framework, we should be debating the “adequacy” regime. In the real world, no one would believe for a minute that data is less protected in Japan or the US than in Mexico, Argentina or Israel. But this bureaucratic fiction has very real-world consequences, if it makes “illegal” the transfer of personal data from Europe to these non-“adequate” countries. Surely, such routine global data transfers from Europe to Japan, to take just one example amongst many in the cloud, can’t all be “illegal”?

Why does Europe fight so hard to maintain these rather reality-divorced rules, and why is Europe choosing not to modernize them as part of its comprehensive data protection law review? There is a simple reason, and it has very little to do with the reality of privacy protections. The so-called “adequacy” test is a powerful tool used by European policymakers to cajole other countries into adopting European style data protection laws and regulations. In 2011 alone, 6 countries in Latin America adopted European-style data protection laws. The motivation for these countries is often unabashedly trade-based, namely, the unhindered transfer of personal data from Europe to these countries, which hope to build information-based out-sourcing industries. Europe holds out a significant carrot to countries, saying essentially, “if you copy my privacy legal structure, we’ll reward you with information-based trade.” This, in a nutshell, is why Europe is winning the global competition to influence privacy laws in countries around the world.

I have long been an advocate of the vision of global privacy standards. Instead, what the world is getting is the globalization of European privacy standards.

Tuesday, March 13, 2012

"I didn't have time to write a short letter, so I wrote a long one instead". Mark Twain

I recently spent a few days grappling with government regulations written for the public. Together with my Dad, who is in his 80's, we tried to get some answers to simple Medicare questions about prescription drugs. I almost gave up when I realized that I still had no clue, after spending hours trying to read the government's guidance. I'm a Harvard-trained lawyer, and I couldn't understand them. I looked at my Dad, and I wondered what seniors are supposed to do who are often old and sick, and might not have a Harvard-lawyer around the house to help them.

Thankfully, there's a very worthwhile initiative, to get the US Federal government to use Plain English. Indeed, I think it's worthwhile to simply quote from the government's site directly:

President Obama signed the Plain Writing Act of 2010 on October 13, 2010. The law requires that federal agencies use "clear Government communication that the public can understand and use." On January 18, 2011, he issued a new Executive Order, "E.O. 13563 - Improving Regulation and Regulatory Review." It states that "[our regulatory system] must ensure that regulations are accessible, consistent, written in plain language, and easy to understand."

And to bring it back to my blog's topic, namely, privacy, I'd encourage you to take a look at how plainlanguage.gov has drafted its own site's privacy policy. It's here.

Many government regulations aren't really drafted for normal citizens. They're drafted by and for lawyers, lobbyists, specialists, and regulators. The same is often true of privacy policies. I'm in the school that thinks that privacy policies should be drafted for the general public, and that they should look something like plainlanguage.gov's privacy policy. Even the IRS, which is not an agency generally celebrated for the brevity of its prose, managed to publish a privacy policy that is exactly 7 sentences long.

Friday, March 9, 2012

Data Protection Officers, required by law in Europe




Europe has long led the world in creating privacy rules. Soon, Europe will likely make it a requirement for all companies with over 250 employees to appoint a Data Protection Officer (DPO). Here are a few practical thoughts about DPOs in the modern corporation.

1) We need to train up more DPOs. The universe of privacy professionals is still quite small, today. There simply aren't enough experienced DPOs to fill the imminent legal requirements. Soon, many thousands of companies operating in Europe will be looking to appoint DPOs to meet legal obligations, and since there is no available pool of such people, companies need to start thinking now about how to recruit, train and resource a DPO, and/or an entire DPO team, for the large companies.

2) Companies should decide if their data processing is simple or complicated, and staff their DPO accordingly. Depending on what kind of company you are, you could legitimately take three different approaches:

a) DPO role is added to an existing function: Some companies may have data processing operations that are quite simple and unproblematic. For them, it may make perfect sense to ask someone in the Human Resources or Marketing departments to train up and play this role too.

b) DPO role is out-sourced: Some companies may decide to outsource the role to DPO-consultants who might provide similar services for many clients. Note to entrepreneurial privacy professionals: creating such shared-DPO-consultant services is likely to be a booming business opportunity in the future. Realistically, I think DPO-out-sourcing is only really an option for companies with simple data processing operations, but there are still legions of those.

c) DPO heavy-weights needed: Some companies have complicated and sensitive data processing operations. They will want their DPOs to be strategic data-stewards, guiding their companies to use and protect data in responsible ways, navigating through the thickets of regulatory rules, and representing them before regulatory bodies and courts. I think large and complicated companies should be expected to have senior and experienced DPOs, or in the cases of big companies, indeed, teams of them. But today, rather shockingly, some of the world's largest data processing companies, with mega-databases of trillions of pieces of personal data, do not have a single heavy-weight DPO on staff.


3) Companies need to give their DPOs adequate resources and authority. It's pretty obvious to me, as a long-time insider, that privacy will be well-served by a growing profession of DPOs in companies. To succeed, DPOs will need two things, which are essential to getting things done in large organizations: namely, resources and authority. It takes significant resources to monitor/advise/document the data processing operations of a large corporation (as will likely be required under the new EU laws) and it takes people with real authority to implement the goals of the role of the DPO, as the laws envision it. As for authority, I don't think authority always flows from corporate reporting lines (let's get over this simplistic thinking that every DPO should report to the CEO). I believe authority is derived from substantive knowledge of privacy law and business goals, judgment, persuasiveness, credibility, and perhaps most important of all, the backbone to defend the precious goal of privacy. The European legal proposals go even further in trying to protect the DPO's independence, by providing the DPO with some legal protections against unfair dismissal.

Europe, once again, leads the world in creating privacy rules. Europe proposes many daft rules (e.g., mandatory security breach notifications sent to consumers within 24 hours, as is currently proposed: get real!). But, Europe sometimes leads the world in creating rules that meaningfully improve privacy protections. In the decade ahead, let's work together to strengthen and spread the role of the Data Protection Officer.

Wednesday, February 15, 2012

Hey, Mom and Dad, look, I'm the most powerful censor on the planet



Not really. But I could be.

Europe's proposals to create a "right to be forgotten" are suggesting that people should be able to request Google/Yahoo!/Bing to delete any third-party content from the search engines that they don't like, if it violates their sense of "privacy". If such a law were to be passed, then it would mean that employees at Google and similar companies would become censors-in-chief of the world's web content. Whenever someone finds something on the web that they found unflattering about themselves, they could demand that the search engines delete it. The Google/Yahoo!/Bing global censors would then be obligated to delete the content, regardless of whether it was true or fair or legal, regardless of who published it, and regardless of the fact that the search companies had nothing to do with the content.

Hmmm, the prospect of becoming the world's most powerful censor makes me giddy. Eat your hearts out, you Iranian web censors, now I've got the sort of power you've only dreamt of. History, truth, memory, knowledge, it's all mine, mine, to decide what gets to survive. And a word of "merci" to the French, who put all this power into the hands of American employees like me. Now I can make Mom and Dad proud.

Sunday, January 29, 2012

The right to be forgotten, or how to edit your history




The "Right to be Forgotten" is a very successful political slogan. Like all successful political slogans, it is like a Rorschach test. People can see in it what they want. The debate would sound quite different if the slogan were actually something more descriptive, for example, the "right to delete". The European Commission has now proposed to make the "right to be forgotten" into a law. It's a big step to turn a vague political slogan into a law. The time for vague slogans must now give way to a more practical discussion of how the "right to be forgotten" could actually work.

What is the "right to be forgotten"? There is a spectrum of views. On one end of the spectrum, the "right to be forgotten" is simply viewed as a re-branding of long-standing data protection principles, in particular: the rights to access and rectify one's own personal data, the right to oppose processing of one's personal data in the absence of legitimate purposes, the principle of data minimization. On this end of the spectrum, people think that the "right to be forgotten" is nothing new; at most, it is simply an attempt to apply long-standing data protection principles to the new worlds of the Internet and modern technologies. I'm firmly in this school of thought.

On the other end of the spectrum, the "right to be forgotten" is viewed more sweepingly as a new right to delete information about oneself, even if published by a third-party, even if the publication was legitimate and the content was true. This school of thought believes that people should have the right to force third-parties to delete content about them (photos, blogs, anything) that violates their sense of privacy, which in practice usually means their online reputations. Common examples of things people want to remove are compromising photos, references to past criminal matters, negative comments, etc. While I strongly believe that people should have the right to complain to third-party websites about information that is published there about them, I am deeply skeptical that the laws should obligate such third-parties to delete information on request of data subjects. This raises troubling questions of freedom of expression.

There is an even more extreme end of the "right to be forgotten" spectrum, which holds that this deletion right can be exercised not just against the publisher of the content (e.g., a newspaper website), but even against hosting platforms and other intermediaries like search engines that merely host or link to this third-party content. This view is being litigated in Spain, as the Spanish Data Protection Authority is suing Google to delete links to third-party content, like newspaper articles, that the DPA has acknowledged are legal. In other words, the DPA is attempting to apply this reading of the "right to be forgotten" to delete links to content in a search engine, despite the fact that the original content is legal and will remain on the Web. Cases like this will require judicial review, since they clearly posit a conflict of two fundamental rights: privacy and the "right to be forgotten" against freedom of expression. I expect this issue to be considered at the European Court of Justice.

As this debate unfolds, the lack of clarity is raising false expectations. As people read that there will soon be a legal "right to be forgotten", they are asking DPAs and search engines to delete third-party content about themselves or links to such content. I regularly hear requests from people to "remove all references to me, Mrs. X, from the Internet". No law can or should provide such a right, and politicians and DPAs should not mislead them to expect it.

We need more public debate about what the "right to be forgotten" should mean. We also need a debate about how it should be applied to hosting platforms and search engines. I think a balanced and reasonable and implementable approach is possible, based on a few principles: 1) people should have the rights to access, rectify, delete or move the data they publish online. 2) people should not have the automatic right to delete what other people publish about them, since privacy rights cannot be deemed to trump freedom of expression, recognizing that some mechanisms need to be streamlined to resolve these conflicts. 3) web intermediaries host or find content, but they don't create or review it, and intermediaries shouldn't be used as tools to censor the web. Stay tuned, and Happy Data Protection Day.

Monday, January 2, 2012

Harsher data protection sanctions are coming



When Apollo wanted to stop Laokoon from warning the Trojans that there were Greek soldiers in the famous Trojan Horse, he sent two giant snakes to kill Laokoon and his sons. Talk about sanctions! Have we considered using killer snakes to punish data protection violations and to discourage future bad practices?

Since 2012 has now begun, here's a prediction about the future: there are going to be a lot more privacy enforcement actions, brought by a lot of different government authorities, not just DPAs. And the sanctions/damages are going to go through the roof. Indeed, it's not easy to keep track of which government officials are in charge of data protection enforcement actions. There are a lot of them.

We all think of Data Protection Authorities, and similar bodies, like the Federal Trade Commission, as responsible for enforcing privacy laws. These bodies around the world have vastly different enforcement powers, investigative cultures, and sanctions traditions, even within Europe. Some, like the Spanish DPA, impose a lot of large fines. Others, like the French CNIL, imposed only 5 financial sanctions in an entire year. The largest fine the CNIL has issued in its entire history was 100,000 euros. And yet others, like the Belgian DPA, don't have the legal power to impose fines at all. Other DPAs hardly ever use sanctions at all, in the classic sense, other than press releases and "name and shame" tactics. Moreover, in recent years, the US Federal Trade Commission has been moving in a different direction, namely negotiating consent decrees that are forward-looking, 20-year commitments for particular companies to abide by certain privacy standards and be subject to regular audits.

But if the plethora of DPAs and their varied enforcement practices were not divergent enough, privacy enforcement is by no means limited to these specialist regulators. In the US, the individual State Attorneys General regularly bring privacy actions. There's also an entire industry of US privacy-based class actions which has sprung up in the last few years.

Moreover, in many countries, privacy laws have been inscribed into the penal codes. Consequently, any criminal prosecutor can bring such privacy penal actions. For example, my prosecution and conviction in Italy for a "privacy violation" was brought by a Milanese public prosecutor and imposed by a criminal judge.

In the future, the number of authorities who can bring privacy enforcement actions is likely to increase. First, more and more countries are creating data protection authorities, e.g., roughly a dozen new ones have been created across Latin America and Asia in the last year. And in Europe, where class actions generally don't exist and don't fit into the existing legal framework, there are now serious proposals to create mechanisms for "collective redress" of privacy claims. And of course, there have always been the normal judicial channels, where anyone can bring privacy claims against someone else if they feel their privacy has been violated. The number of such cases is also exploding around the world, especially as more and more data about people is collected, exchanged and published.

I regularly hear people claim that there's not enough legal enforcement of privacy. In some places, as a matter of practice, that may well be true. But there is no shortage of overlapping authorities with the power to bring or adjudicate privacy claims. Curiously, in privacy circles, most of the focus is on the enforcement actions of the DPAs. But in practice, the DPAs are just one of many different authorities who can and do bring privacy enforcement actions. And the trend is clearly going up, both in terms of the numbers of laws that can be violated, in terms of the severity of sanctions, in terms of the numbers of complaints that are brought, and in terms of the breadth of authorities who are involved in enforcing privacy.

The European Commission has proposed instituting new fines for data protection breaches ranging up to 5% of global turnover! To a global company, that's probably scarier than killer snakes.

Tuesday, December 20, 2011

Is that all that's left?




2011 has come and almost gone, and I've already forgotten most of it. It's always been that way. I can barely remember my own life. No one else will remember it either. Most of humanity has lived and died and left little more lasting traces of its existence than crickets in a summer field.

Despite our collective social fears of data deluge and "the age of big data", the reality is that we're probably the last generation in human history that will disappear with relatively little trace. As I troll the web today, I don't find much about myself: a few dozen YouTube video clips, a few hundred photos, my blog postings, a few thousand media quotes. Frankly, it really doesn't amount to all that much. It's barely a sliver of my life. In the future, digital archeologists will try to understand our generation, making sense of these digital fragments of our generation, the last lost generation.

The current privacy debates about particular technologies will seem oddly quaint in a few years. I remember a time only a few years ago when serious people thought a spam filter in email must be an invasion of privacy, since a machine was doing the filtering. Now we're debating whether users should click on a pop-up screen for cookies. A decade from now, we'll laugh, I think, about the current fears of digital over-exposure, based on today's trivia: posting a photo to the web, or tweeting, or blogging, or sharing location info with friends, or whatever. Of course, some things shouldn't be published or shared, because they are hurtful or embarrassing. But the scale of data and technology is changing so fundamentally that the importance of a particular piece of data today is almost unknowable.

I'm sure that more and more data will be shared and published, sometimes openly to the Web, and sometimes privately to a community of friends or family. But the trend is clear. Most of the sharing will be utterly boring: nope, I don't care what you had for breakfast today. But what is boring individually can be fascinating in crowd-sourcing terms, as big data analysis discovers ever more insights into human nature, health, and economics from mountains of seemingly banal data bits. We already know that some data sets hold vast information, but we've barely begun to know how to read them yet, like genomes. Data holds massive knowledge and value, even, perhaps especially, when we do not yet know how to read it. Maybe it's a mistake to try to minimize data generation and retention. Maybe the privacy community's shibboleth of data deletion is a crime against science, in ways that we don't even understand yet.

Assuming I live a normal lifespan, I will live to be able to upload my life memories to remote storage. I'll be able to start real-time recording of my experience of life, and to store it, share it, and edit it. My perceptions, thoughts, and memory, will be enhanced by machines guided by artificial intelligence. Perhaps it's human vanity, but I want to have the choice to store and share my life, before or after its biological limits are extinguished. I am already losing clear memories of my youth, and of places I've been, and people I've loved. What I've lost is lost forever. There was no back-up disk. That's not my idea of privacy, but privation. I suspect a future privacy debate will discuss whether "memory deletion" is a fundamental human right, or deeply anti-social.

I have no idea what this future will look like, or whether humans and society can adapt to it as quickly as the technology will enable it. But as the year draws to a close, I am grateful for a front row seat, hoping to live long enough to see a world of technologies that will stop me from just disappearing from the planet, without anything more than a few random photos and video clips, as part of the last human generation whose evanescent lives left almost no traces, disappearing from the earth like crickets at the end of summer.

Wednesday, November 23, 2011

Data Protection Officers: on solid ground?


I've worked in the field of privacy long enough to remember a time when almost no companies in the world had privacy officers. Now, almost all big companies do. And soon, Europe's privacy laws are likely to be amended in a way to mandate them, or at least to provide strong incentives to appoint them, which will lead to massive growth in this profession.

But what is a data protection officer? Or can we even agree on what to call them? "Data Protection Officer" or "DPO" is a euro-centric title, since Europe long ago invented the concept of "data protection" as an alternative (not synonym) for "privacy". Personally, I have long used the title "Global Privacy Counsel", since I think it's useful to express three things that define my job, namely, the topic (privacy), the geographic scope (global) and the functional perspective (namely, counsel, or lawyer). But privacy leaders are often not lawyers, and hence, use different monikers, ranging from Chief Privacy Officer to Director of Privacy Engineering, or Director of Privacy Compliance, or Chief Privacy Evangelist, in each case stressing a different functional perspective.

For very large companies, privacy needs to be a cross-functional effort, representing security, engineering, legal, compliance, policy and communications. Personally, I focus on the legal/regulatory/policy sides of privacy. For very large information-based Internet companies, literally hundreds of people work on privacy, across these different functions. For smaller companies, in my opinion, there should be at least one person who is accountable for privacy, in some sense, even if it's not a full-time job.

As Europe is on the verge of mandating "data protection officers", we need to understand what exactly these people will be accountable for. First, it's important to note that the European proposal will probably be modeled on the existing functions in France ("correspondent") and Germany ("Datenschutzbeauftragte"). In these countries, the DPO is responsible for supervising their companies' creation and use of databases of personal data, liaising with government privacy regulators, and providing good privacy advice and guidance. In practice, DPOs in Germany and France are sometimes focused on the legal side, and sometimes on the technical/security side.

In the US, there is a different vision of privacy leaders. At most US companies, lawyers play this role, just as I came to privacy through the legal profession. And we play this role in our capacity as lawyers, namely, providing privacy legal advice to our companies. As privacy lawyers, we provide advice, but are not empowered to make final decisions about whether or not our companies will follow our advice. The companies' executives are the decision-makers, ultimately, not the privacy lawyers. There are of course other models at some US companies, but they're still in the minority.

So, as Europe institutionalizes the role of DPO, it will be important to define what exactly these people will be accountable for, seen from inside and outside their companies. For multinationals, it will take some time to work out how to support their privacy leaders under these different legal regimes as they straddle jurisdictions. And as DPOs are held accountable for certain areas, they too may need protection and indemnification from their companies for personal liability, just like other professions, such as chief financial officers who are mandated by various laws with specific areas of accountability.

I welcome laws in Europe that will help strengthen the role of DPOs in their companies, and will help make DPOs more prevalent across industry. This will be a practical step forward for privacy. But at the same time, it will be important to define what we're accountable for, internally and externally, especially in a field where the very notion of "privacy" is highly subjective, and where the visions of what a privacy leader is supposed to do diverge dramatically, by country, by industry, and by function.

Thursday, September 8, 2011

My Italian Appeal

A lot of you have wondered about the status of the appeal of my Italian conviction. So, here's a short update, just on some logistical points.

There have been some changes to my legal defense team. First, I'd like to congratulate one of the defense team's members, Giuliano Pisapia, on his recent election as Mayor of Milan. Sadly for me, of course, he will be withdrawing from the legal team. But I'm delighted that Giulia Bongiorno and Carlo Blengino have joined my team. Giulia will be fully on board once her work in the Amanda Knox/ Raffaele Sollecito appeal winds down.

Preliminary appeal briefs have been filed with the Milan appeals court, but the appeal has not yet been assigned to individual appeals court judges. Once that happens, the judges will decide on a hearing schedule. So, realistically, I am not expecting the hearings to begin until later this fall. I have no insights into how many hearings will be held, nor when they might be held.

Wednesday, September 7, 2011

September 11

September 11, seen 10 years later, changed many things in the world, in geo-political terms. Some people also think it changed the nature of privacy too, since it gave rise to the Patriot Act.

I can't think of any topic in the field of privacy that has been more polemicized and politicized and distorted than discussions about the Patriot Act. Most discussions about it are simply factually and legally wrong. I respect Microsoft for blogging and explaining this. It takes courage to talk about this issue, since so many people around the world have passionate reasons to want to resist or restrict the power of (some, all, or just the US) governments to use valid legal process to access data.

Over and over again, I read about people and politicians around the world saying that they want their data to be stored in the cloud (i.e., in a data center) in their country/Continent, so that it's protected from American law enforcement under the Patriot Act. This is a common refrain, for example, in Europe and Canada. Indeed, it has given rise to an entire industry purporting to offer "euro-clouds".

Therefore, it's perhaps surprising for some people to learn that the location of storage of the data has no impact on this issue, with regards to US-headquartered companies. It has limited impact on this issue, with regards to non-US headquartered companies. I won't repeat the legal analysis, since Microsoft's blog did a good job in explaining it.

It's well-known that global cloud-service providers maintain data centers around the world, mostly to ensure that their services operate with efficiency, speed and reliability. But they don't, and can't, operate as tools to evade or circumvent valid US government access to information, whether under the Patriot Act or any of its related/predecessor laws, since the location of data within the cloud is simply not a relevant legal factor. I know that's controversial, but it's also a legal fact, so kudos to Microsoft for saying it publicly.

Monday, September 5, 2011

"The Right to be Forgotten", seen from Spain

I'd like to share some personal musings about an interesting series of court cases pending in Spain, pitting the "right to be forgotten" against the right to freedom of expression. The New York Times reported on this debate recently. In a nutshell, the cases ask the question whether people can demand that search engines delete content from their indexes, even if the content is true and the third-party site that published it clearly has the right to publish it (e.g., newspapers).

Virtually everyone uses search engines to find information on the web. There are way over a trillion pages on the web today. To help people find what they're looking for in the vastness of the web, search engines create giant indexes of the web. Search engines are intermediaries, since they don't create, select or edit the content on the web sites they index. Search engines try to match a user's search query with the search results most likely to be relevant, using complex algorithms to rank the likely relevance of a particular webpage. The vast majority of websites want to appear in search engine indexes, but if they don't want to be included in the index, they can use a simple tool, called robots.txt, to opt out of being indexed by all leading search engines.

Many websites publish information about people, and sometimes this information can be hurtful to a person's sense of privacy or reputation. For example, government websites or newspapers may publish information about criminal convictions or accusations of medical malpractice. People who feel that information about them was wrongly published by these web sites can always ask them to correct or delete it. But newspapers and government websites usually have published this information legally, or indeed may even be legally obligated to publish it, or may be exercising their rights of freedom of expression. As search engine intermediaries, Google and other search engines play no role in what these web sites publish, or in deciding whether they should revise or remove content based on someone's privacy claim against them.

That's why I think it's wrong that the Spanish Data Protection Authority has launched over a hundred different privacy suits against Google, demanding that Google delete web sites from its index, even though the original websites that published the information (including Spanish newspapers and Spanish official government journals) published that information legally and continue to offer it. The legal question is important: should search engines like Google be responsible for the content of the web sites that they index? Should Google be forced to remove links from its search index, in the name of privacy, even if the websites that published it want to be included in its search index and the content is legal? Should search engines be used to make information harder to find, even if the information is legally published?

I have great sympathy with people who feel their privacy has been invaded by a web site that publishes information about them. But search engines shouldn't be asked to delete links to legal content that is published by a third-party website. These cases have sometimes been referred to as about the "right to be forgotten". In fact, these cases are not about deleting or "forgetting" content, but just about making it harder to find content. These cases would make it impossible for users to use search engines to find content that otherwise continues to exist on the web.

It's not hard to imagine the negative consequences for freedom of expression, if search engines could be ordered to delete links to any website that publishes content about a person that is deemed to have invaded someone's privacy. The debate about privacy v freedom of expression is an important and timeless debate, which is becoming more urgent in the age of the Internet. But it's wrong to try to use search engines to make legal information harder to find. It's wrong to use search engines as an indirect tool of censorship, since European law rightly holds the publisher of material responsible for its content. Requiring intermediaries like search engines to censor material published by others would have a profound chilling effect on freedom of expression.

There are better ways to protect privacy online, by remembering that it should be the publisher of content who is responsible for it. Interestingly, the Spanish Data Protection Authority seems to be coming around to this conclusion itself. It recently issued a resolution ordering a website to use the robots.txt protocol to exclude some of its pages from search engine indexes. That's exactly the right approach. Now, the debate will turn to the websites that receive such orders: should they exclude some of their pages from search engine indexes, in the name of privacy, or should they refuse, in the name of freedom of expression? Newspapers worldwide, and in particular their online archives, will soon be in the middle of this debate. I believe that Spanish papers, like El Pais, are now respecting such orders. I would wager that The New York Times wouldn't, based on their reporting on "Two German Killers Demanding Anonymity Sue Wikipedia's Parent".
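As an added example (not part of the original post, and not code from any of the companies or authorities mentioned), here is what the robots.txt exclusion described above and in the earlier paragraph on search engines looks like in practice: a publisher that keeps its archive online but wants particular archive pages left out of crawler indexes, checked with the robots.txt parser in Python's standard library. The host name and archive paths are constructed for illustration.

```python
from urllib.robotparser import RobotFileParser

# Constructed sample site: a newspaper that keeps its archive online but
# has been asked to exclude specific archive pages from search-engine
# crawling. The host name and paths below are hypothetical.
SITE = "https://example-newspaper.test"


def build_robots_txt(excluded_paths, user_agent="*"):
    """Return a robots.txt body that disallows only the given path prefixes.

    A bare "Disallow:" line means nothing is disallowed, so a site with no
    exclusions still publishes a valid, fully permissive file.
    """
    lines = [f"User-agent: {user_agent}"]
    if excluded_paths:
        lines += [f"Disallow: {path}" for path in excluded_paths]
    else:
        lines.append("Disallow:")
    return "\n".join(lines) + "\n"


def crawl_allowed(robots_txt, url, user_agent="Googlebot"):
    """Evaluate a robots.txt body the way a compliant crawler would.

    RobotFileParser matches Disallow entries as path prefixes, so
    "/archive/2001/" covers every page under that directory.
    """
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(user_agent, url)


def check_exclusions(excluded_paths, urls, user_agent="Googlebot"):
    """Map each URL to True (may be crawled) or False (excluded)."""
    robots_txt = build_robots_txt(excluded_paths)
    return {url: crawl_allowed(robots_txt, url, user_agent) for url in urls}


if __name__ == "__main__":
    # Two exclusions: one single page, one whole archive directory.
    excluded = ["/archive/1998/03/bankruptcy-notice.html", "/archive/2001/"]
    urls = [
        SITE + "/archive/1998/03/bankruptcy-notice.html",   # excluded page
        SITE + "/archive/1998/03/other-story.html",         # same month, still crawlable
        SITE + "/archive/2001/12/some-story.html",          # excluded by directory prefix
        SITE + "/news/today.html",                          # crawlable
    ]
    print(build_robots_txt(excluded))
    for url, allowed in check_exclusions(excluded, urls).items():
        print(f"{'crawl' if allowed else 'EXCLUDED':8} {url}")
```

Two caveats a practitioner should keep in mind. robots.txt is a voluntary convention honored by the major crawlers, not an access control: a disallowed page stays on the web, can still be linked to directly, and the file itself is public, so it announces exactly which paths the publisher would rather not have found. And Python's parser implements plain prefix matching only; it does not understand the `*` and `$` pattern extensions that some crawlers accept, so a rule that relies on those should be checked against the crawler's own documentation rather than this script.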

This is a difficult debate, and I'm sure that different publishers will come to different conclusions about it. That's how it should be.

Tuesday, May 17, 2011

Trying to define “sensitive” data

Privacy laws need to ensure that there is a higher level of privacy protection for everyone’s sensitive personal data. There's universal consensus on that. So, it’s very important for laws to do a good job defining what should be considered “sensitive personal data”. It’s quite instructive to compare Europe’s definition (from 1995) with India’s (from 2011).

The European Data Protection Directive defines them as:

“personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.”

As I read this list, and having worked with its concepts for years, I find it quite unsatisfying. It is both far too broad, and far too narrow, at the same time. It’s far too broad, because it seems to extend exceptional privacy legal protection to banal and often public things, like “political opinions”, or “racial origin” when any photo of me will show I’m a white dude. And things like “trade union membership” or “racial origins” probably should not be protected by privacy laws, but rather by labor laws or anti-discrimination laws, as they generally already are. But it’s also far too narrow, because the European definition of sensitive personal data fails to include something as strikingly sensitive as, say, genetic data, or biometrics. Granted, the laws in some individual European countries got this right, like France, which already treats biometrics as sensitive. In my opinion, in the future, genetic/biometric data will become the most important category of what should be treated as sensitive, so laws that don’t include biometrics in the category of sensitive data have a big gap. Strangely, European law also does not include sensitive personal financial information in its list of “sensitive” categories.

Now, for comparison, here is India’s just revised categories of “sensitive” data:

"unless freely available in the public domain or otherwise available under law, SPDI under the Rules is personal information which consists of information relating to:

password,

financial information such as bank account, credit or debit card details as well as other payment instrument details,

physical, physiological and mental health condition,

sexual orientation,

medical records and history,

Biometric information (a defined term including fingerprints, eye retinas and irises, voice and facial patterns, hand measurements and DNA),

Any detail relating to the above when supplied for providing service, and

Any of the information described above received by an organization for processing, stored or processed under lawful contract or otherwise. “

When India drafted its privacy laws, it looked to Europe’s Directive, both for inspiration and to protect its out-sourcing industry. But Europe would do well to look to India for inspiration about how to modernize our data protection concepts. India's list of "sensitive personal data" strikes me as much more modern and relevant to privacy than the legacy of what we have in Europe.

Friday, March 11, 2011

France re-writes the rules of data retention

When Europe introduced a Data Retention Directive in 2006, it struck a very careful political and legal balance between the interests of privacy and the interests of law enforcement and government access to data. The core distinction of the law was to impose an obligation on service providers to retain and produce traffic data relating to communications, but to exclude the contents of communications. Notwithstanding this careful balance, the Directive has always been highly controversial. There has been a long debate about whether this Directive, and the balance it struck, is constitutional under national privacy laws, and indeed, last year its German implementation was held unconstitutional by the German Constitutional Court.

Surprisingly, very few people have noticed what just happened in France. The law (a decree, technically) adopted a few days ago in France upended the careful political and legal balance of the Directive by inserting one little word: "passwords". In other words, passwords are added to the list of "traffic data" that ISPs have to retain and produce to the French police on demand. Interestingly, the version of the law that had been circulating for discussion in France for the last two years, and which was reviewed by the French privacy authority, the CNIL, and by industry associations, did not contain that little word "password". The word "password" was inserted at the last minute, with no public or privacy review, as far as I can tell.

Stop to reflect for just a minute. Why would police want a password and what would they do with it? Well, obviously, they would use it to look at "content" of communications. In other words, a password would grant them access to all the things that the Directive explicitly chose not to subject to Data Retention in the interests of privacy.

All the years of work by privacy advocates have been chucked aside, in one little word. Well, three in French: "mot de passe".

I'm sure legal challenges to this French law will not be far behind. Curiously, only a few lone voices in the press or advocacy community seem to have noticed all this.