The Commission have been running a consultation for several months to inform a possible revision of the Data Protection Directive (95/46/EC), which is now fifteen years old and starting to creak under the strain of new ways of doing business. I’ve sent in a JANET(UK) response raising issues we’ve tripped over in developing the UK Access Management Federation and, particularly, in trying to do international authentication and authorisation in a privacy-protecting way. Unfortunately the current law (developed long before there was public awareness of the Internet) at best treats such technologies the same as old-fashioned (and privacy-invasive) individually named accounts, and at worst raises sufficient legal uncertainty that organisations wanting an easy compliance life might actually be put off using them.
In the past I’ve tried to extract good practice for federated access management from the current law for the UK federation and for TERENA, but in both those documents there remain significant legal uncertainties. The three issues I’ve highlighted to the Commission actually have much wider application than just federated access management. Search engines, behavioural advertising and cloud computing all raise the same questions:
- Is something like an IP address or pseudonymous label personal data just because you can recognise me when I return, or only if you can link it to my real-world identity? (I’m trying to refer to this as recognition versus identification, and to point out that there are different answers within the same EC guidance document!);
- If a label is personal data in my hands (e.g. an IP address held by an ISP that issued it to a particular customer), then is it doomed to be personal data forever, or can someone who has the label but not the linking information treat it as non-personal data? (UK law says the latter, but EC appears to say the former. And two courts in Berlin and Munich chose differently when asked this question!);
- Can compliance be based on risk, rather than the current binary choices of “personal data/non-personal data” and “compliant country/non-compliant country”? (This could make working with the US a lot easier and no less safe.)
There are significant differences in what laws and guidance have to say about these questions even between different European countries, which rather makes my point that greater clarity is needed in the Directive that they all claim to be implementing. The good news is that the UK Information Commissioner has recognised the problems and is suggesting a pragmatic approach in his recent draft guide to personal data online (that consultation is open till March 5th, so please contribute), though he is obviously constrained by the letter of current legislation. It would be nice to think that one day the Directive and UK law might catch up and support the right ways of doing things.