“The
free flow of personal data is not a fundamental right. Privacy is a fundamental
right.”
So
said the ICO’s David Smith at a data protection KnowledgeNet event in London today.
It's
a phrase that will be mulled over for some time. But when can data controllers assert
rights that are equivalent to those of individuals? What rights do data
controllers have (who, after all, also benefit from human rights legislation)?
When is it that their right to exercise freedom of expression can be quashed by
someone who tries to exercise a right to forget?
And
how can the person who wants others to forget actually achieve that aim? What
practical steps are really effective? Perhaps the courts will, in the fullness
of time, clarify what obligations search engines have to identify and then
remove all hyperlinks to data that is considered (by some) to be unacceptable
to remain in the public domain.
These
are some of the really interesting challenges that are facing those who are
brave enough to stick their heads above the policy parapet and propose
potential solutions.
And
who is it that ought to be leading the discussions on this issue? Should
privacy regulators assume that they must take the lead? Are privacy regulators
sufficiently dispassionate about the issue, or are they so heavily focused on
privacy that their mindset is against the competing rights that others
exercise, in the name of self expression?
We’re
back to that awful word “balance.” Somehow, the regulators will need to balance
fundamental privacy rights with other rights, such as the right of self
expression. Fortunately, help was on hand today. Anya Proops of 11 Kings Bench
Walk was able to explain to the audience what data protection rights were in
the ascendant, and what issues still needed to be addressed by the Courts. My,
she’s good. In the fullness of time, she’s going to be on the bench, opining on
whatever issues are left to address.
The
second half of the event focused more narrowly on the General Data Protection
Regulation, and featured Bruno Gencarelli from the European Commission and
Wojciech Wiewiorowsk, the Assistant European Data Protection Supervisor.
Bruno
will be leading for the Commission as the informal triologue discussions on the
GDPR get underway, and it was useful to hear his defence of “the perfect, as
always, proposal of the Commission”.
Quite how he and his team will find the time to discuss and find a
common approach with the other stakeholders to all of the issues that need to
be negotiated and agreed, to meet the Commission’s self imposed deadline of
completing the task by the end of the year, is beyond me.
It
emerged that the compromise ceiling for financial sanctions against Google
& Facebook transgressors could be 3% or 3.5% of global turnover. But
then again, I might have been dreaming those figures. Bruno did speak for quite
some time.
Wojciech
knows how to charm an audience. He started his presentation by emphasizing how
the EDPS was not a super supervisor, but simply one privacy supervisor, among
many others. Yes, the EPDS had a role to play by offering opinions on a range
of proposals published by the European Commission, but he left the delegates in
no doubt that it was the role of the EDPS to facilitate the work of the Article
29 Working Party (and possibly subsequently the European Data Protection
Board), rather to automatically assume that it would lead it.
Wojciech
also paid tribute to the incredible influence that UK courts had on the
development of data protection law throughout Europe. We may think that, in
other areas, the Brits are widely ignored, but certainly in terms of privacy
law, the Europeans do sit up and take notice. The main reason for this is that
we operate in a language that is easy to use – so reports of British cases
travel further much than, say, cases decided in the Czech, Hungarian, Polish or
Estonian languages.
The
packed audience was left with plenty to think about. Actually, it makes a
change to attend a privacy event and leave with so much to think about. Lots of
breaking news – about the Bulgarians trialing an automated pre-PIA tool, and
what some companies were doing to undermine data protection professionals
within those organisations. But I won't be blogging on those subjects – at least,
not yet.
.
Posts
