Tuesday 24 January 2012

Was this the Commissioner's protocol statement?

Perhaps we now know what is meant when we are told that a Commissioner will make a “protocol statement”. Commissioner Reding spoke in Munich last Sunday. Unlike my suggestion on 18 January, what she had to say was not an explanation of the behaviours that are to be exhibited when meeting a Commissioner. It’s more of an announcement of things to come. In this case, the things to come are to come “this week”. Yes, I know it was delivered last Sunday. But it’s not Data Protection Day, yet.

On the other hand, she might well be saying something tomorrow, too. Who knows? There's really no stopping her, once she puts her speaking shoes on. I am aware of arrangements for a press conference which will announce "something" tomorrow, but I wonder who will be at that conference, and what will be said ...

I was intrigued to find a few similarities between the draft I had prepared for Commissioner Reding on 12 January, and the text of Sunday's speech. They both start the same way (with the phrase “Check against delivery”). They both acknowledge that this is not the occasion on which the drafts are formally revealed. And they both contain a number of questionable statements.

First, let’s look on the bright side of life. I share her hope that the new rules achieve their purpose of creating legal certainty, in a simplified regulatory environment which provides for clear rules for international data transfers. And if they achieve this, then I will be among the first of many who will laud her to the skies and take to the streets to demand that she be appointed “Queen of the European Commission”, before she graces the UN as its next Secretary General.

On the other hand, the measures have to work fairly and proportionately, taking into account the legitimate rights of data controllers, as well as individuals. Will red tape be cut, as is hoped, or will the existing red tape simply be replaced with reams of other types of tape? I really hope that it will not be the latter – but I’m not yet persuaded. Will savings from the scrapping of a general notification rule simply be swallowed by hugely increased compliance expenditure in other areas, without commensurate protections being given to individuals? I fear this may be the case.

Will individuals actually be able to exercise many of the new rights that appear to be bequeathed to them? Commissioner Reding makes some play of the principle that individuals will be able to exercise greater control of their information by exercising their right to consent to the processing of that information. What she fails to point out is that the natural result of this power to withdraw consent will, in many cases, simply lead to a flight from consent – as prudent data controllers will increasingly use the legitimate interests condition as a basis for legitimising their data processing, rather than rely on creaky notions of consent that could easily be withdrawn.

The Commissioner skated over many of the details of the proposal (presumably so that she did not then need to refer to the manner in which other Directorates-General had expressed their own reservations). She made the general commitment to extending the breach notification provisions to all data controllers, with notification as a general rule within 24 hours, even though the evidence that the current rules are workable or effective, or have brought about any measurable behavioural change among data controllers, is questionable (if it actually exists, that is). Still, it’s a great headline, and we can enjoy many months of discussions fleshing out the details, as we first work out what we are trying to stop, and then assess whether the proposed measures actually achieve that aim.

But I should not be too cranky. Individuals deserve great protections whenever they go on line, and they’ll get the best protections that the state can afford to give them. Whether they will actually enjoy similar levels of protections wherever they are in the European Union, well, that’s another matter. European citizens don’t actually enjoy similar levels of healthcare, public housing, social security provision, taxation or education wherever they are just yet, so it is a brave Commissioner who commits themselves to ensuring that: “all data protection authorities in whichever EU country will have the same adequate tools and powers to enforce EU law.” I’ll believe that when I see it. And I’ll celebrate, when I see it, too. But I won’t hold my breath.

One casual, almost throwaway remark that did take my breath away was her last statement. Then again, it may well have been designed to leave the audience in a state of shocked excitement as she left the stage and departed for Davos.

It was about freedom of information and copyright: “The protection of creators must never be used as a pretext to intervene in the freedom of the internet. That is why, for Europe, blocking the internet is not an option”.

Well said. What she didn’t say was that “blocking access to parts of the internet is not an option”.

Because we do block access to parts of the internet, and for very good reasons. Hold your horses, you civil libertarians, please hear me out. We block access to illegal content on the internet. We don’t want the on-line experience of minors or the easily led to be harmed by their ability to access information that might corrupt or deprave them.

So, we need an internet censor, or at least someone who cares passionately about the safety of internet users. And I’m happy to be that censor - or at least to be appointed as a person who cares passionately about the safety of the internet users of whichever service provider is employing me.

So, well done, Commissioner. Enjoy your trip to Davos. Then return refreshed, and ready to work with the rest of the passionate squad to develop a set of legal instruments that are truly fit for purpose.

Speech 12/26 to the Innovation Conference Digital, Life, Design, “The EU Data Protection Reform 2012: Making Europe the Standard Setter for Modern Data Protection Rules in the Digital Age”, Munich, 22 January 2012