Surveillance & Privacy

Ten Years of Observation on EU Data Protection

Paul Rosenzweig
Tuesday, May 31, 2016, 8:53 AM

Published by The Lawfare Institute
in Cooperation With
Brookings

I have a close friend who used to work in government and is now out in the private world. S/he (I will use "he" henceforth, but without a gender indication to be inferred from its use) has ten years of experience dealing with the EU Data Protection authorities, both inside government and outside. Given his current position, he can't speak to the issue in his own name, but over the many years I have found his insights and thoughts useful in understanding issues relating to privacy and Europe. Recently he had some particularly interesting things to say, and I asked him to put them down on paper, with my promise to keep his identity confidential. Here are his thoughts:

Dear Paul,

After more than ten years of working with our EU friends on privacy, I've observed a trend. The EU privacy community seems to be moving toward ever-greater isolation of data protection. EU Privacy has been quarantined from other fundamental rights and values, as well as national security, law enforcement, international law and commerce and the day-to-day world of practitioners. I've seen this from various perspectives following EU-US joint reviews, EU-US negotiations, and diplomatic outreach and in the private sector. With the French CNIL's extraterritorial enforcement of the Right to be Forgotten, the ECJ's invalidation of Safe Harbor and the EU's General Data Protection Regulation, the EU seems to be moving toward ever greater isolation of privacy from other norms and values. I have a few thoughts as to what this might mean.

1. An Overly Complex Framework.

a. Resources. If the gold standard for privacy regulation becomes so complex and overly prescriptive that only global 500 companies with the people and financial resources can comply with the framework, what will happen with others? Small and medium companies will not have the resources to meet these requirements. Is this a barrier to entry? For example, the recent EU General Data Protection Regulation is 88 pages long with dozens of provisions still waiting for further interpretation. It has been estimated that organizations will need to hire at least 28,000 data protection officers in the next two years.[1]

b. Prohibition Effect? In the 1920s, America attempted to outlaw the manufacture and sale of alcohol without devoting the financial or personnel resources to carry out effective enforcement. Ultimately, only a small percentage of liquor distributors found themselves and juries were often reluctant to find the defendants guilty; only about 60 percent of cases ended with a conviction. The persistent problems with poor enforcement caused Americans not only to ignore Prohibition, but also to repeal it. Are EU regulators prepared to handle the amount of enforcement required to oversee the extensive provisions of the EU Regulations? Will they have the resources to apply it fairly? Given the amount of regulation and the amount of data flowing throughout the world, will regulation be effective? If there is poor enforcement, will this create an undercurrent among some business to accept the risks of being "mostly compliant" or even ignore many of the rules, similar to Prohibition?

2. EU - the World's Regulator?

a. Conflict of Laws. Following the ECJ's 2014 "Right to be Forgotten Ruling" against Google, French data protection regulators have demanded that Google apply the legal decision to all of its search domains worldwide, including Google.com. Can one country regulate the Internet for the rest of the world? There are 196 countries in the world. If country X says you must do action A on the Internet and it applies worldwide and country Y says you must NOT do action A on the Internet and it applies worldwide, how would that work? What if all 196 countries adopted the principle of the French data protection regulator and asserted worldwide jurisdiction over the Internet? How would organizations comply in a world that would be filled with conflicted legal obligations? Have the EU data protection authorities reached outside of their silos to seek out experts or practitioners in the areas of international law and commerce to understand the implications of asserting worldwide jurisdiction?

b. Philosopher Kings? Under the EU Data Protection Regulation, if a country wishes to achieve adequacy, Article 45 of the Regulation requires the European Commission to conduct a review of a country's systems for law, human rights, fundamental freedoms, public security, national defense, criminal law, public authorities, data protection, onward transfers of data, judicial redress, independent supervisory authorities and international agreements. Such a review is far beyond the world of privacy and includes a country's entire legal, political, national security, criminal law and foreign policy framework. Does any entity in the world have the competency, resources and knowledge to collect, analyze and pass judgment on the various government structures across the globe and do it on an ongoing basis? Is such a scheme practical? Further, the Regulation requires that all this be monitored on an ongoing basis and at a minimum reviewed every four years. Such a competency would require the wisdom of Plato's mythological philosopher-kings. The doyen of EU privacy scholars recently concluded, "[the EU] must discard illusions, such as the idea that DPAs and national courts can perform meaningful assessments of the adequacy of non-EU data protection systems."[2]

c. Fair and Equal? Even if it were accepted that one country or regional economic area could be the global regulator on privacy, could the regulations be applied equally and fairly? The EU's Article 29 Working Party has considered recommending suspension of data flows to the US and not to other trading partners like Russia, China or other nations that clearly deny human rights violations of the EU Charter. Further, would the regulator apply the same standard to itself? From a U.S. perspective, the EU has turned a blind eye toward Member State surveillance while holding the U.S. to a standard that the EU itself cannot meet.

3. “It’s all very well in practice but how is it in theory?” This is an old punch line to a joke that has been applied to the current debate between the US and EU over privacy. Is it possible to renew an effort to connect privacy principles and privacy practice? How long can we operate in a world where the two are disconnected? Turning again to one of the foremost scholars on EU data protection, "the EU must move beyond formalistic and political measures and legal fictions to implement actual protection in practice."[3]

4. National Security and Intelligence. Can we acknowledge that national security and intelligence services exist as an accepted activity of governments that are responsible for the safety and security of their citizens? Data protection law cannot by itself resolve issues related to surveillance for national security or intelligence gathering purposes. Data protection must be considered together with a country's national security framework.

5. Return to the Long-Standing Practice of Mutual Recognition. Long before electronic commerce came along, international law and commerce relied upon the principle of Mutual Recognition to connect the world of different legal systems in a practical manner.[4] Can a worldwide privacy framework operate without abiding by a basic foundation of mutual recognition? Data protection authorities and EU courts should look to the long-standing practice of this concept instead of acting in isolation. Mutual recognition might also help to resolve the one-sidedness of the EU standard around national security.

Sincerely,

Your former government colleague and friend


[2] Chris Kuner, Reality and Illusion in the EU Data Transfer Regulation Post Schrems, University of Cambridge, Paper No. 14/2016 (March 2016). http://papers.ssrn.com/sol3/Papers.cfm?abstract_id=2732346

[3] Kuner, p. 38.

[4] In simplified terms, Mutual Recognition is the principle of sovereign states recognizing the validity of different legal systems. For example, the U.S. and various EU member states have agreements that establish mutual recognition in the areas of customs, financial oversight, and taxation.


Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.