Tuesday 5 May 2015

Privacy trumps the free flow of personal data

“The free flow of personal data is not a fundamental right. Privacy is a fundamental right.”

So said the ICO’s David Smith at a data protection KnowledgeNet event in London today.

It's a phrase that will be mulled over for some time. But when can data controllers assert rights that are equivalent to those of individuals? What rights do data controllers have (who, after all, also benefit from human rights legislation)? When is it that their right to exercise freedom of expression can be quashed by someone who tries to exercise a right to forget?

And how can the person who wants others to forget actually achieve that aim? What practical steps are really effective? Perhaps the courts will, in the fullness of time, clarify what obligations search engines have to identify and then remove all hyperlinks to data that is considered (by some) to be unacceptable to remain in the public domain.

These are some of the really interesting challenges that are facing those who are brave enough to stick their heads above the policy parapet and propose potential solutions.

And who is it that ought to be leading the discussions on this issue? Should privacy regulators assume that they must take the lead? Are privacy regulators sufficiently dispassionate about the issue, or are they so heavily focused on privacy that their mindset is against the competing rights that others exercise, in the name of self expression?

We’re back to that awful word “balance.” Somehow, the regulators will need to balance fundamental privacy rights with other rights, such as the right of self expression. Fortunately, help was on hand today. Anya Proops of 11 Kings Bench Walk was able to explain to the audience what data protection rights were in the ascendant, and what issues still needed to be addressed by the Courts. My, she’s good. In the fullness of time, she’s going to be on the bench, opining on whatever issues are left to address.

The second half of the event focused more narrowly on the General Data Protection Regulation, and featured Bruno Gencarelli from the European Commission and Wojciech Wiewiorowsk, the Assistant European Data Protection Supervisor.

Bruno will be leading for the Commission as the informal triologue discussions on the GDPR get underway, and it was useful to hear his defence of “the perfect, as always, proposal of the Commission”.  Quite how he and his team will find the time to discuss and find a common approach with the other stakeholders to all of the issues that need to be negotiated and agreed, to meet the Commission’s self imposed deadline of completing the task by the end of the year, is beyond me.

It emerged that the compromise ceiling for financial sanctions against Google & Facebook transgressors could be 3% or 3.5% of global turnover. But then again, I might have been dreaming those figures. Bruno did speak for quite some time.

Wojciech knows how to charm an audience. He started his presentation by emphasizing how the EDPS was not a super supervisor, but simply one privacy supervisor, among many others. Yes, the EPDS had a role to play by offering opinions on a range of proposals published by the European Commission, but he left the delegates in no doubt that it was the role of the EDPS to facilitate the work of the Article 29 Working Party (and possibly subsequently the European Data Protection Board), rather to automatically assume that it would lead it.

Wojciech also paid tribute to the incredible influence that UK courts had on the development of data protection law throughout Europe. We may think that, in other areas, the Brits are widely ignored, but certainly in terms of privacy law, the Europeans do sit up and take notice. The main reason for this is that we operate in a language that is easy to use – so reports of British cases travel further much than, say, cases decided in the Czech, Hungarian, Polish or Estonian languages.

The packed audience was left with plenty to think about. Actually, it makes a change to attend a privacy event and leave with so much to think about. Lots of breaking news – about the Bulgarians trialing an automated pre-PIA tool, and what some companies were doing to undermine data protection professionals within those organisations. But I won't be blogging on those subjects – at least, not yet.