Saturday, 5 December 2009

How can we ditch EU data protection standards in favour of global standards?

It looks as though more and more people are asking this question, and it’s possible that quite a bit of background work has already been done.

And the more I think about it, the more sympathy I feel for the regulators, who are charged with creating solutions to problems that are extremely hard to resolve. These people must know that the more complicated they make the solution, the greater the likelihood that it will fail. All of us dread solutions that are so convoluted you need a brain like Albert Einstein’s to understand them. And we all know that we’re basically doomed unless we can develop an approach that even Homer Simpson can grasp.

So I was really surprised recently to come across a document that actually managed to spell out, in simple language, a set of principles which might well have global application. They were developed by stakeholders from some 50 countries, and first saw the light of day at the recent international privacy conference in Madrid. For those who want to have a close look at them, try the following link - https://www.agpd.es/portalweb/canaldocumentacion/common/estandares_resolucion_madrid_en.pdf

The text uses reasonably plain language and tries to avoid the trap that the EU dug itself into, by focussing on ensuring transparency and fairness, rather than convoluted procedures that so few of us really understood in the first place. Could it result in the demise of the ridiculously complicated contracts that were created to “regulate” international data flows? I have a feeling they might.

The problem, though, will be that there will be countries that pride themselves on high internal data protection standards, either for local cultural reasons (say, to protect people from what is perceived to be a pressing harm in that country) or for purely protectionist reasons: they are frightened of the globalisation of trade and hope their initiatives will prove more effective than King Canute’s gesture in turning back the tide (which occurred almost exactly one thousand years ago).

Will these countries give up their gold plating, or will they finally acknowledge that they need to live in the real world? I’m sure that some will try to hang onto their gold plating for as long as they can, while many of the companies operating inside them will find it ever harder to develop commercially attractive propositions for their customers. Thanks to the globalisation of the internet, if customers don’t like local rules they can simply download a service from a country that operates under more favourable rules. It’s just like the climate change debate – these carbon particles don’t respect political boundaries any more. And neither do the acquirers of electronic services. If it’s hard to download from Germany, you might as well get it from Sweden.

An interesting emerging principle is one of accountability. The Madrid Resolution requires “the responsible person” to make available verifiable evidence that they have actually taken the measures necessary to meet their obligations – and this evidence should be made available both to regulators and individuals. It’s a neat idea – as it now places a greater onus on the company to establish it is behaving responsibly, rather than await an allegation that it had not behaved responsibly.

And this new “accountability principle” might well give the Data Protection Officers the stick they need to remind their companies that, in the event of transgressions, there will be fewer places to hide. And it might also give them an opportunity to point out to regulators that mistakes sometimes happen in spite of the efforts that the companies make to behave properly.