I had an interesting day in Brussels yesterday, providing input for the Commission’s revision of the 1995 Data Protection Directive. Invitations had been sent to those who responded to the consultation last year, so a wide variety of organisations were present, including banking, marketing, medical, consumer rights, content industries and telecommunications operators.
There was general agreement that technology has progressed since the original Directive to the extent that many of its provisions are close to becoming both unenforceable and ineffective in protecting privacy. In particular there was widespread agreement with my view that the simple divide between “personal” and “non-personal” data is obsolete and that these are now separated by a large category of “potentially identifying information“. This intermediate category is developing at both ends – technology now means there is much less need to use identifiers (such as name or e-mail addresses) that directly identify a person, but statistical and other techniques are also revealing that a lot of information previously considered “anonymous” can actually be linked back to an individual. For these types of information the only practical way to protect privacy is a risk-based approach to the Directive’s requirements on security, international transfers and subject access. It seems a perverse result if satisfying a subject access request requires a data controller to strip away an individual’s near anonymity! A risk-based approach would also provide an incentive to improve privacy protection by data minimisation, privacy by design approaches and privacy enhancing technologies. This seems a more future-proof approach than writing particular methodologies or technologies into law.
Given some of the problems we’ve tripped over in trying to expand federated access management internationally it was good to hear recognition that different national definitions and implementations are acting as a significant handicap to the free movement of personal data within Europe. Indeed from some of the examples given I feel we have got off rather lightly! There was also a warning against trying to isolate Europe in terms of data flow: many of the most promising technical developments are taking place elsewhere in the world and it could significantly damage business and consumer opportunities if they law were to prohibit access to these. A better approach to international transfers of information is needed.
There were also some interesting observations on privacy notices. Informing individuals what will be done with their data is currently a legal requirement, and it was suggested that this leads to privacy notices being written in highly legalistic terms. A study by Carnegie-Mellon University estimated that the cost in customer time of reading these is significantly greater than companies’ total advertising budgets! There are some promising examples of more human-friendly notices, often presented as layers from simple to more detailed (see for example the Information Commissioner’s recent guidance), but making these a legal requirement doesn’t seem the right way to go.
Finally there was some discussion around how individuals might have more control of their personal data, though noting that some storage and processing is required for society’s benefit – a “right to forget” that a drug trial had been unsuccessful, or that an individual had a history of bankruptcy, could be dangerous. Again, this is an area where balance rather than absolute rules seems necessary.
The Commission are due to report their conclusions later in the year.
