Monday 2 August 2010

Can we have a data protection passport?

I’ve recently had a really thought-provoking email from David, who has read some of my postings and decided to contact me as he has similar views to mine. He’s also passionate about data protection, and equally keen, as a businessman, to be both at the “bleeding edge” of data protection practice – but also to be on the right side of that edge.

Here’s an edited version of what he had to say:

“I rather tend to agree with you about how EU data protection law has become so complex that it can’t really be observed properly, and that it needs to be ignored when unfair or impractical. But for all that this is very tempting, especially for people like me who are designing IT solutions that will stretch data protection (although not, I stress, to the detriment of the data subjects), it’s also a very dangerous message to preach, simply because the penalties for non-compliance are steadily becoming more painful for data controllers.

You write in your ‘Chester Hangman’ piece about the desirability of DPAs having an ex officio right of appearance in court cases about data protection, and I think you’re right; but I think it’s equally important that technologists and entrepreneurs in data-intensive businesses should have the right of access to DPAs to get pre-rulings on what they are planning to build, so that they don’t get involved in unnecessary and expensive court cases. Equally, I think it is very important that data protection practices in the EU and elsewhere should follow the example of financial industry regulation, so that DPAs would be able to give a ‘regulated by the Ruritanian DPA’ status to data-rich companies that could then be ‘passported’ to other jurisdictions.”

I agree with David that it’s a dangerous message to preach that one should ignore laws when they are impractical – especially when the penalties for non-compliance are becoming more painful for data controllers. But I would argue that the fault here lies in the hands of the regulators. Data controllers have human rights too, and they have the right to know what the rules are – and to be told that the rules are in terms that are accessible and comprehensible. It would be thoroughly reprehensible for a regulator to hide behind a complex web of rules and regulations, and then lash out at a data controller simply because they had not taken the precautionary measure of seeking (expensive) expert advice on an arcane and unwieldy set of rules. I think we would all welcome higher penalties for non compliance - so long as the penalties were proportionate to the offence committed, and it was easy to understand whether non compliance had occurred in the first place.

David’s core point is that technologists and entrepreneurs in data-intensive businesses should have the right of access to DPAs to get pre-rulings on what they are planning to build, so that they don’t get involved in unnecessary and expensive court cases. What a great idea. Why is it that, in some cases, this relatively simple “ask” results in either different answers or, in the case of some Member States, an apparent refusal even to deal with the question. I’m glad I’m not the product manager for Google’s Steetview application, spending months dealing with separate Data Protection regulators, and getting different answers from lots of them. (And no answer at all from at least one of them.)

If the members of the Article 29 Working Party were permitted by law to have sufficient confidence in each other, they should always accept each other’s passports. But European law does not yet permit this.

How long have passports been in existence? According to, one of the first passport holders was Nehemiah around 450BC. He was an official in the court of King Ataxerxes of ancient Persia. Nehemiah, who rebuilt Jerusalem asked permission to travel to Judah. Ataxerxes agreed and gave Nehemiah a letter "to the governors of the province beyond the river" requesting safe passage for him as he travelled through their lands.

So, if passports have permitted human beings to cross borders with integrity for almost 2,500 years, then they really ought to allow concepts to cross borders with the same degree of respect in the not too distant future. A start is being made with the mutual recognition of binding corporate rules. Well, at least among some of the members of the Article 29 Working Party. Small steps. But in the right direction.

I read recently that the UK has recently let another huge section of its domestic telephone betting infrastructure to slip through its fingers, as the tax laws in Gibraltar are much more attractive than the tax laws in Glasgow. But does it mean that the Glaswegian punters, in real terms, have suffered a corresponding decrease in consumer protection?

I think not.

I’m sure that individuals in one jurisdiction are unlikely to suffer real damage simply because the service to which they have become linked has been approved by someone who lives in another country.

And I’m equally sure that the forces of data protection conservatism will prevent member states from taking that bold step of trusting each other in the same way that the financial services industry have managed to reach out and spread their bit of common sense.

But I may be wrong – so come and join the passport campaign – and campaign for the mutual recognition of the learned views of the righteous!