Thursday 1 December 2011

Commissioners commenting at the IAPP Congress

European Commissioner Viviane Reding made a great impression on the delegates at the International Association of Privacy Professionals' European congress in Paris on Tuesday. She swept into the conference room just a few minutes before her carefully prepared speech to Europe’s data protection elite was billed to start. She majestically read it, and then glided away, protected by a posse of flunkies, well before any members of the awkward squad in the audience could ask her any questions.

What did she say?

Well, were promised a late Christmas present. It is to be a simpler way of legitimising global data flows, and it is to be delivered in the form of an easier way for Binding Corporate Rules to be approved by regulators in all Member States. Oh, we’ll also get consistent enforcement across Europe, and some innovation. This, apparently, will increase levels of confidence, as it is evidently confidence which is what lacks today in the digital world.

And that was about it. Introduced as "the most important person in Data Protection in Europe today" this really was about all she had to say to an audience that included Jacob Kohnstamm (Chairman of the Article 29 Working Party), Peter Hustinx (European Data Protection Supervisor), Peter Scharr (Federal Commissioner for Data Protection & Freedom of Information Germany, Richard Thomas (former UK Information Commissioner), Peter Fleisher (he of Google), and Richard Allen (of Facebook fame). Some late Christmas present we’ve got to look forward to. But, let’s give Viviane her due. She is the most important woman in Data Protection in Europe today, and she did very kindly agree to speak.

The audience were left a little bemused, but there were lots of really important issues that were discussed last Tuesday and Wednesday. There was the inevitable speculation about what else might be in the Commission's proposals for a new legal framework. The Commission is either keeping its proposals a very closely guarded secret, or it hasn't yet got much to unveil. There were murmurs of an announcement about the framework during "data protection week" next year. Excuse me. Data Protection Day is quite enough for me, thanks. There's only so much fun a data protector can have. This fun can be squeezed into a day, but I think it would be really hard to stretch it to cover a whole week.

The announcement from the platform (just before Viviane Reding swept into the building) was that the new legal instrument would take the form of a Regulation, not a Directive. But I'm not sure I believe that announcer (so I won't identify her, to save potential blushes later). Peter Hustinx pointed out that there can be various kinds of Regulations, and that Directives can also take different forms, too. It left the audience little the wiser as to what was really likely to happen.

I managed to raise a laugh among delegates when I asked Peter Scharr a question. It was related to his support for rules which had Community-wide application. He had commented, in his keynote speech, that Data Protection authorities need to think on a global basis, yet they were organised and were obliged to react locally. I pointed out that, recently, on economic matters, the Germans had been really helpful to the Greeks and others who were facing local economic difficulties, in order to strengthen confidence in the Euro. I asked Peter if he thought that the Germans might be so kind as to consider lowering their own current data protection standards, if this would result in the prize of the possibility of common data protection rules applying across the European Community, in order to strengthen confidence in data protection.

Significantly, Peter did not rule this out. He accepted that everyone needed to adopt a flexible approach, if common standards were to apply across a wider geographic area. You heard it here, first! No-one laughed at Peter's response - and many were mightily relieved.

It was left for Richard Allen to make the really significant point that in future, data protection regulation is only likely to be effective if the applicable law is to focus on where the data controller is based, not where the data (or copies of the data) is being processed. After all, the data, thanks to the wonders of cloud computing and the internet, is likely to be all over the globe and constantly on the move. Everyone appeared to supported this suggestion. These Facebook chaps talk a lot of common sense.

The full text of Viviane Reding’s speech can be found at