« Forcing functions | Main | PRISM break »

Flow, sweet data, flow

It's very difficult to gauge the progress of the EU's attempt to reform the data protection directive, whose text is due to be agreed by the end of this year. Basically, it comes down to the difficulty of understanding what is going on in EU government at any given time. There seems to be more than 4,000 amendments (not exaggerating), an endless succession of committee votes, and little way to understand their order of precedence. Couple that general confusion over the EU's legislative process with the fact that a Mad Man trying his hardest could not have come with a term that sounded less engaging, and you have a subject that fights to get mainstream press attention.

At the beginning of the process, which will take until 2014 to complete, it hardly seemed to matter. A bunch of European regulators put forward plans to update the existing directive. The claim that reform was necessary seemed logical enough, since the directive was passed in 1995, when the Internet had only just been opened to commercial traffic, the Web was still a bunch of text pages listing links to other text pages, and the founder of Facebook was 11 years old. Yet what's opened up in the months since is the possibility that instead of a few tweaks and update we will get the substantial weakening of a law that offers European citizens some redress of the balance of power between themselves and the large organizations they transact with, often perforce.

The 1995 data protection principles have held up remarkably well, in large part because they *are* principles and not restrictions on specific technologies. Talk about robots and algorithm-driven decision making, for example, to a data protection expert and they're likely to see little difficulty in applying the principles to constrain potential damage to consumers and allocate liability. In that sense, the big change since 1995 isn't the advent of large, data-driven companies but global interconnection. In a world in which a public company the size of Netflix is built on Amazon's cloud services and, as Frances Cairncross predicted in 1997, distance is dead, the data you entrust to your local solicitor may be stored just about anywhere. How and where data may flow is one of the most contentious issues in the debates over reform, along with requirements for data breach notification.

Member states were required to transpose the directive into national law by October 1998 (the year Google was founded. By early 1999, as I see from my February 1999 piece for Scientific American (TXT)Simon Davies, then the executive director of Privacy International, went so far as to predict a trade war when US companies found themselves blocked.

"They fail to understand that what has happened in Europe is a legal, constitutional thing, and they can no more cut a deal with the Europeans than the Europeans can cut a deal with your First Amendment," he told me at the time.

Ah, yes, well, that was then. The EU and the US went on to negotiate a safe harbour agreement, and when the US wanted Passenger Name Record data the EU caved. Critical reports, such as this one from 2008 pop up in a search, and despite EU law, the US's big data data companies are demonstrating accelerating growth in the EU as elsewhere.

The EU law has been widely emulated. In 2000, Canada passed its equivalent law, PIPEDA. Meanwhile, the 2000s trend toward outsourcing means gave countries like India and the Philippines powerful motivation to copy the EU's data protection principles so they can sell call centers and other services to the EU. The US remains the outlier, stuck on its 15-year-old insistence on a free market approach - only now it has much bigger companies to finance lobbying efforts.

And there has been plenty of lobbying, both traditional and copy and paste. The latest, as the European Digital Rights Initiative documents, is questionable evidence built on assumptions that have no quantifiable basis.

It's a curious dissonance I wish someone would study in a PhD dissertation that data protection law has spread alongside increasing surveillance. Last week, Slate, under the influence of former Microsoft European privacy chief Caspar Bowden, argued that some amendments to the data protection directive have been written with US surveillance powers specifically in mind. Slate cites a report Bowden co-authored in January (PDF) studying the issues relating to cloud computing in the EU. Among the concerns raised by the report is the potential for the loss of control over the data stored in the cloud, as well as the fact that US companies offering cloud services are subject to the PATRIOT (2001) and the Foreign Intelligence Surveillance Amendments (2008) Acts. In other words, the US claims surveillance rights over EU citizens.

In other words: this dull-sounding labyrinthine process could cost EU citizens rights currently thought to be indelible. We'd better pay attention.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Stories about the border wars between cyberspace and real life are posted throughout the week at the net.wars Pinboard - or follow on Twitter.


TrackBack URL for this entry:

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)