Monday, 5 July 2010

Fortress Europe? The egos are landing

Call me old fashioned, but I always thought that one of the main purposes of the European Data Protection Directive was to facilitate the free flow of personal information within the borders of the European Union (and the EEA). Others have obviously thought that a principal purpose was to make it pretty hard to allow personal information out of the European Union (and the EEA) unless it was pretty clear that it would be protected to at least as careful an extent as if it were to remain within the European Union (or the EEA).

What becomes ever clearer to the legal wonks, as we try to understand how to pull the social and legal levers in each EU Member State is that it can often be quite difficult to get the stuff out of one member state and into the servers of another. Or, when an institution has the misfortune to suffer a data breach, how differently it may be treated by the regulators, depending on which country the institution was located.

This issue was briefly discussed this afternoon by a group of experts at the Privacy Laws & Business Data Protection Conference, which is taking place at St John’s College in Cambridge. The audience were treated to a fascinating explanation of the different ways that the same breach would be likely to be considered by regulators in Canada, Denmark, France, Germany, and the UK. And the issues were remarkably similar to those expressed by Peter Fleisher who, earlier in the day, had spoken about the different ways that the Google Street View service had been reviewed by various Data Protection Agencies within the EU.

Google’s Street View was first launched in the USA in 2007. The first imagery in Europe was launched the following year, and the imagery is currently available in 21 countries on 5 continents. It is very popular with users – over 100 million images are viewed each day, and additionally a large number of business applications use the images, too. Can 100 million daily viewers be wrong? Well, I wouldn’t have thought so – but of course it’s not for me to say. Just why the service is not available in all of the EU countries yet is one of life’s many mysteries. I gather it’s not necessarily much to do with the collection of the images. I suspect that many of them were collected some time ago. I sense the problem may be more to do with the fact that not all of the EU’s Data Protection Commissioners have completely satisfied themselves that the Street View service meets the cultural expectations of the citizens of that particular state. Why I can use it in the UK, France, Holland, Belgium, and Austria - but not yet Germany- remains a mystery. Will the German citizens rise up and demand views of their (and their neighbour’s) streets any time soon? We’ll see.

This afternoon’s discussion about the different remedies available to regulators on data breaches brought a wide smile to my face. When life gets as complicated as this, I get a job for life. I don’t think there’s any special reason why the rules need to be so complicated (or so nuanced), but complicated life must be. Until reality sets in anyway – the reality that soon the data controllers will start rising up and demanding simplicity and a greater sense of uniformity. When we’ve blown our legal budgets, seeking advice on just why we have to be everso slightly different in the countries where we use the same processing systems. But until that fateful day I’ll carry on marvelling at the way every regulator tries just a little bit too hard to be just a little bit different from the rest of their regulatory friends.