Response to Question 2
In your views, does the current legal framework meet these challenges?
No. The regulatory system may have to carry some responsibility for this parlous situation.
- The very language of ‘data protection’ conceals two significant obstacles to effective privacy protection. The language of ‘data protection’ is obsolete. Few understand the link between ‘privacy’ and ‘data protection’. A better choice of terminology would be the ‘protection of information privacy’. Also, the protection of privacy is greater than the strict adherence to the language of ‘data protection’. As the divergent opinions from regulators regarding the deployment of public surveillance cameras have shown recently, the definition of ‘personal data’ has caused much confusion.
- The Directive cannot adequately address the challenge of identity construction of ‘data shadows’. Data may exist without clear linkages to individuals but when mined and processed can disclose vast amounts of information about people. Recent research has also shown that it is indeed possible to de-anonymize data, and through combining data sets to identify individuals across multiple platforms.
- In our focus on the regulatory system as a technical application of principles, we have often forgotten that the protection of privacy is our primary goal. At the very foundation of the Directive is the quest to protect human rights across Europe, not merely to monitor adherence to the articles of the Directive.
In turn, the public’s awareness of their rights under ‘data protection’ is remarkably low. This is perhaps a reflection of the legalistic approach that has been taken too many times, and the lack of public education campaigns by the European Commission and national regulators across Europe. It also reflects how data protection law is considered: a matter for compliance rather than empowerment. That is, if regulators required clear communication from organisations that processed personal information, and ensured that individuals could be presented regularly with their personal information under their rights of subject access, we believe a greater awareness of privacy would follow. Instead the issue has become arcane and the debates are insular, never able to compete with other interests such as public safety.
In our experience of having filed complaints in a number of Member States, sometimes simultaneously, we have found that there is an utter absence of harmonization. The Directive has been poorly transposed, and the Commission has been remiss at enforcing a harmonized regulatory system. We are astonished by the failure of the Commission to publish documents regarding Member States’ weaknesses in implementing the Directive.
- Definitions of ‘personal data’ are not harmonized, leading to a diversity of opinions from regulators and courts. The failure to define personal data rigorously is a major reason why the Directive has not been effective for data protection on the Internet.
- The powers of regulators vary widely. They are not held to account when they fail to uphold the highest standards, and yet are insufficiently heeded when they express concerns. We cannot imagine another domain of public policy where the regulators’ powers and effectiveness are so weak as to call into question the very integrity of the law.
- Regulators have inadequate experience and knowledge of technology and innovation. In our experience they are not properly equipped to understand the implications of new techniques, to apply the law to innovations, or to provide guidance to technologists and innovators on privacy issues.
- Regulators should be given the ability to oversee management practices. While Privacy Impact Assessments have been useful in identifying the risks to new policies and technologies, more transparent and publicly available techniques are required. There is a vast gulf between identifying risk and taking action to eliminate that risk. Regulators should be promoters of privacy and transparency in processing but should also be more active in prosecuting cases where privacy is violated.
In our opinion, one of the greatest challenges is that the Directive has come to be seen as a ‘foreign’ interference with public policy and business practices, as few are willing to stand up and defend it. Governments across Europe and around the world often implement data protection law because of the Directive, and this is indeed something we celebrate; but the mere existence of a law does not mean that a comprehensive regime is in place. Every Member State needs to promote a national discussion and educational campaign on personal information protection. Privacy law must be embraced by countries and citizens, and not merely implemented because of international standards or requirements.