Yesterday’s excellent University of Cambridge conference on Internet Regulation After Google Spain suggested that data protection law will continue to affect a growing range of our activities, but that interpreting its requirements in novel circumstances will continue to be challenging. It was suggested that if the current (1995) European Directive was for the age of the mainframe then the (2012) proposed General Data Protection Regulation is for the age of Web 2.0. So in many areas of networked services it will already be out of date when it finally comes into force. That means it’s unlikely to be possible to guarantee compliance when processing information that may relate to individuals: whether or not the Regulation adopts the proposed risk-based approach, it seems clear that organisations will have to adopt one.
Although most of the headlines arising out of the Google Spain case (C-131/12) concerned the “right not to be found so easily” (as one data protection regulator described it), the conference ranged much more widely over the issues arising out of the case. In particular Orla Lynskey saw the case as confirming a trend – on the rare occasions when the European Court considers data protection law – for very broad definitions of both “personal data” and “processing”. Thus, as Eduardo Ustaran observed, even if Google processes all bytes in the same way, the fact that some of those bytes are the names of individuals makes it a data controller in the eyes of the law, with all the obligations imposed on such organisations. Exemptions – such as those for journalism and domestic purposes – will be narrowly interpreted. The cases of Lindqvist (C-101/01) and Rynes (C-212/13) indicate that individuals, too, may easily become data controllers in the eyes of the law, something that neither they nor data protection regulators seem prepared for. In all three cases it seems that the Court focussed on the specific facts before it, giving little weight to the broader impact of its decision either in practice (despite clear warnings from its own Advocate General in Google Spain) or in political terms.
David Erdos, who also organised the event, presented practical research that confirmed these trends, but also explained why their potential impact may not have been noticed. He invited Data Protection Authorities to comment on a number of Internet publishing scenarios, as well as asking about their actual practice in regulating these areas. The responses indicated that most regulators did take a similarly broad interpretation of the law, but that actual enforcement is both rare and sporadic. Hence Google Spain has only been perceived as affecting search engines when in fact everything from bloggers to social networks, and even smart TVs, could find its conclusions being applied to them if regulators choose to do so.
David Smith, Deputy Information Commissioner for the UK, confirmed the general feeling that pretty much any on-line activity needs to take account of data protection law. Anyone concerned that regulators “don’t understand technology” would have been pleasantly surprised by his awareness – correct, in my opinion – that an IPv6 address is more likely to be personal data than an IPv4 one. But the response to this by on-line service providers and users should be responsibility, not panic. For example we (all) need to get away from the idea that “consent is the answer to everything” – something I’ve been suggesting, and trying to build into Janet services, for a long time (e.g. access management and learning analytics). The law provides five other justifications for processing personal data, each with its own requirements which may well provide better protection for on-line service providers and users than straining the definition of “free, informed consent” to the point where it, and the protection it is supposed to provide, become meaningless. David was also realistic about what legislation and regulation can achieve: only international political agreements, not national laws, can stop spies from spying.
Given all these challenges, the conference was perhaps surprisingly positive. Certainly there seems to be plenty in the field to keep academic lawyers busy for years. But there was a positive attitude to future internet developments, too. Service providers and developers who want to respect data protection are unlikely to ever find a simple instruction manual; but there do seem to be sufficient legal tools, and a willingness to find pragmatic ways to use them, to support responsible service provision and use.