Data protection: What will the new Directive look like?
Ryan Jendoubi argues that the new Data Protection Directive details will flow from European Policy
For the past two years the European Commission's Justice Directorate has been reviewing the 1995 Data Protection Directive and other legislation affecting EU citizens' right to have their personal data protected. An examination of the Justice Commission's Communication on the review, and of the speeches of Commissioner Viviane Reding, reveals a number of recurring themes, but it is difficult at this stage to predict accurately how they will be implemented in practice.
There have been strong hints that the activities of justice and security functions will fall under the new Directive. The likely impact of this is particularly hard to gauge. Reding has made positive reference to the current UK government's commitment to stop "storage of internet and email records without good reason". On the other hand, an attempt in 2008 to reach a similar goal at the European level was highly contested, with the final protections leaving domestically held police data completely unregulated. As ever, when it comes to security, it will be incumbent upon civil society to be vigilant against "emergency" or "exceptional" powers or exemptions which may over time creep into casual usage.
There have been mixed messages on the subject of notification to data breach victims that their privacy has been compromised. In one speech, Reding declared that, "I will introduce a mandatory data breach notification requirement – the same as I did for telecoms and Internet access when I was Telecoms Commissioner, but this time for all sectors: banking data, data collected by social networks or by providers of online video games." The Commission Communication on the review pledged that, "The Commission will examine the modalities for the introduction in the general legal framework of a general personal data breach notification, including the addressees of such notifications and the criteria for triggering the obligation to notify."
There is of course a danger that the Commission will not set a high enough standard. In another speech to a different audience, Reding made the following statement: "I understand that some in the banking sector are concerned that a mandatory notification requirement would be an additional administrative burden. However, I do believe that an obligation to notify incidents of serious data security breach is entirely proportionate" (emphasis mine). Care is due here for three reasons. First is the basic moral argument that people should be told whenever their privacy has been compromised by the party responsible for that breach. Second is the practical issue that the individual may be in a much better position than the data controller (the person in charge of managing their data) to assess the potential seriousness of a breach given their personal circumstances – who decides what is a "serious" breach and what is not? Finally, in answer to the "administrative burden" argument, we should remember that the burden is one of the purposes of any legislation, since it will incentivise data controllers to prevent breaches.
The definition of personal data is an area of ongoing dispute which will receive attention in the new Directive. The limited approach says that data is only 'personal' where it contains enough information in and of itself, or combined only with other information which the data controller already has, to be linked to a particular person. In practice, this leads some to argue that IP addresses are not personal data because the owners of websites visited cannot link an IP address to a person without more information.
On the other hand, a more realistic approach acknowledges that part of the purpose of data protection is to guard the privacy of individuals against the misuse of their data by people other than the data controller, who may well have malicious intent. It follows then that any data which may be linked back to an individual through cross-referencing with other data should also be regarded as personal. Indeed, the wording used in the Data Protection Directive is oriented towards this interpretation. Article 29 (a working group made up of the data authorities from all EU countries) have been clear that in their view this latter approach is the correct interpretation of the law. The UK however differs from many other European countries, having a lower standard not explicitly including the idea of 'indirect' identification (Munir and Teh, 2008). Any additional clarification in the new Directive requiring the UK to raise its standards is likely to be met with political opposition, fuelled by the complaints of data controllers likely to have their workloads increased.
Consent is another area where subtle but significant disagreement is found. Ambiguity arises where data controllers claim 'implicit' consent, which is for example the source of the controversy surrounding the new 'cookie law'. The Regulation changes the standard of consent from opt-out ("opportunity to refuse") to opt-in ("given his or her consent"), but goes on to allow consent to be "signified by a subscriber who amends or sets controls on the internet browser [...] or by using another application or programme". Some see this as a get-out clause, whereby a user who fails to modify their browser settings will be interpreted as giving blanket consent to website owners. This would clearly circumvent the kind of user control the regulation exists to institute. Article 29 have already adopted an opinion on the proper definition of consent, calling for greater clarification of the meaning of "unambiguous" consent in the new Directive. Again, getting this basic point wrong would deprive the law of much of its protective purpose, but data controllers continue to want consent to remain as 'passive' as possible. Some justify this by talking about preserving a 'smooth user experience', while others are quite frank about the risk of informed users refusing to be tracked, which would put a serious dent in many sites' advertising-based business models.
The right to be forgotten is a tricky concept, but less because it is contentious than because it is prone to being misunderstood. First, since people obviously cannot be forced to forget information, 'forgotten' must necessarily be understood to mean 'forgotten by organisations'. Secondly, being 'forgotten' in this way is actually already the result of other data protection principles, most notably the principle of data minimisation (controllers should collect only the bare minimum information they need) and the principle of keeping data no longer than necessary.
It is difficult to see how the idea can extend beyond these existing requirements, yet the "right to be forgotten" was explicitly mentioned in the Justice Commission's Communication on the review of data protection, as well as in several speeches by Commissioner Reding. As the phrase becomes popularised it is very important that we guard against getting carried away with the concept, because there are legal, ethical and technical limitations to any erasure of data. For that reason, talking about a "right" in this context is misleading and risks raising unrealistic expectations, an argument which can then be used against a legitimate and necessary tightening of data minimisation and timely deletion rules (Justice Secretary Ken Clarke has already criticised the concept). Another danger is that, if misunderstood and taken literally, a "right to be forgotten" could have massive ripple effects on the internet, with people trying to enforce their 'right' against indexing and caching services: one could imagine the extreme difficulties which could be created for the likes of the Internet Archive. Thus, though it might make a good soundbite, the "right to be forgotten" is a misleading and potentially dangerous broken metaphor which should be excluded from the ongoing debate.
Everyone's keen to talk about how new technological developments require the law to be brought up to date, and that privacy enhancing technologies should be included in new regulations. Predictably though, outside of academic papers there's little detail on what any of that means or what to do about it. There is concern both about the increasing generation of new types of very personal data (location, biological, medical) and about how that data, and the ability to process it, is becoming more accessible (cloud storage, cheaper processors). It's good that things like the treatment of NHS patient records have made more people tune in to data protection as an issue, but making different provisions for specific types of data could create trouble, as all personal data should be accorded the same degree of respect and protection.
On the positive side, it seems that 'privacy enhancing technologies' might be more than a buzzword. For example, the work of the Kantara Initiative makes it possible to conceive of, e.g., user A logging on to service B, which receives A's identity information via identity provider C; the beauty being that C will not know that the identity request related to A, and B will not be able to request any information which A has not authorised. These "serious" privacy protocols do not yet seem to be on the radar of policy makers in the Justice Commission, but the possibilities are exciting. See this episode of Security Now for more information (on the audio file skip to 42:40).
Lastly come a bunch of interrelated issues regarding the management of personal data by large companies. For starters there is discussion of streamlining the 'registration requirement' for data controllers, which would reduce or remove the requirement for them to register their activities with the national data authority. Commissioner Viviane Reding has stated that the current notification regime has proved to be 'unnecessary and ineffective', and the streamlining policy is likely to be a hit with the business community. The UK's Ministry of Justice has expressed concern that the registration fees paid by businesses are 'an important part of the arrangements for the ICO's independence from the UK Government'. However, in ORG's experience the independence of the ICO is already somewhat strained, and given that its present funding levels are far below those enjoyed by similar regulatory bodies, an opportunity to rethink its funding may not go amiss.
Another possible way of streamlining business procedures would be EU-wide registration, whereby a company would only have to register its activities once within the EU. There is a related proposal that approval of contractual undertakings and binding corporate rules (two methods of guaranteeing citizens' data rights in data transfers outside the European Economic Area) should likewise be valid across the whole of Europe, instead of requiring approval in every country. While this will certainly cut the administrative burden on companies, there is an obvious danger where the data authority of one state might take a less stringent view of what is an appropriate level of protection, in which case pan-European approvals might be seen to lower protection standards across the board. To avoid this, a greater level of prescription and tighter definitions from the Commission would be necessary, yet in the European policy process tighter centralised regulation is just what many governments, including the UK, seek to avoid.
While it's possible to have a pretty good idea of which parts of the new Directive will be most interesting, for practical protection of individuals' data and privacy the devil will be in the detail. I heard it said recently that "It's easy to write a patch, but it's not so easy to write a law." The seeming remoteness and obscurity of the European legislative process is frustrating to many, but many of the rights, freedoms and protections which we enjoy in Britain flow to us from the continent. It's important that as individuals and organisations we continue to engage with European policy formation at every opportunity.