Computers, Privacy & the Constitution

Assessing a Regulatory Approach to Data Protection: the EU Directive

-- By MislavMataija - 01 May 2009

Can the collection of personal data be regulated by the market? Some people have suggested models in which consumers could negotiate with companies interested in their data, to everyone's benefit; others argue for industry self-regulation through common privacy policies. The implication of having a workable model of this sort is that there is little need for government regulation. Instead of supposedly inefficient regulations, the market could decide what happens to the data, as well as police violations.

The opposite perspective is broad-ranging regulation. The EU Data Protection Directive, which limits the collection and use of data, at least provides a minimum standard and some sort of predictability for the person whose data is used, unlike the US system of piecemeal or "self"-regulation. But how well does the Directive do its job? The verdict is not good.

First of all, its power to protect individual rights is compromised by the market-building approach that lies at its core. As a harmonizing measure, it is meant to achieve a common market in data. While this may not necessarily be a bad thing, it means that privacy protection is not its center of gravity and is always tainted by the desire to facilitate cross-border trade and services. Evidence of this is that, unlike even the US situation, Member States are not allowed to provide for higher levels of data protection within the scope of the Directive.

Doing too much and doing too little

Some of its broadly applicable obligations may seem tough. But even if in some ideal world they were really effective in regulating business practices, they would also be able of imposing unnecessarily obstacles to harmless conduct and chilling free expression. Thus, in Lindqvist, the Directive was applied to a church volunteer who posted a list of people working for her parish on a website, along with phone numbers and some "mildly humorous" information on their jobs and hobbies. Under that standard, having a list of students and their e-mails available on a public wiki would definitely be suspect.

Elevating privacy to the level of a fundamental right does not help either, because many other interests merit that lofty status in the case law of the European Court of Justice. A case in point is Telefonica, where a recording industry group demanded the names and addresses of a Spanish ISP's clients. The case was governed, said the Court, by three fundamental rights: right to property, right to an effective remedy, and the right to respect for private life. Which of these will win? The judgment does not really say - all we are left with is a hodge-podge of fundamental rights, from which national courts are supposed to derive a solution through "fair balancing". One can only imagine what the outcomes are in the 27 Member States.

How effective is it?

Finally, all of these doubts to one side, the Directive is not effective in practice. The more specific problems are: people don't know about it, companies don't follow it and national regulators are not really functional.

In an EU-wide survey, 48% of companies said that they received less than 10 requests for access to personal data in the previous year, and 25% said they have received none. A third of surveyed individuals had never heard of their most important rights under the Directive - access, correction and erasure of data. While this may be explained by general apathy regarding privacy matters, it certainly does not serve as a glowing recommendation for the Directive.

As for the companies subject to legislation, the consensus so far seems to be that compliance is not a top priority because of low detection risk and weak enforcement. The Directive also tries to encourage the adoption and clearance of industry-wide privacy policies, but only one has been adopted so far.

Data protection agencies

One way to improve the situation might be by raising awareness and scrutinizing individual companies more aggressively. Explaining in more accessible language, perhaps by way of real-life examples, what "data processing incompatible with the purpose for which the data were initially collected" means, would be a good start. This should be the job of the national data protection agencies.

The problem is, however, that less than a third of Europeans are aware of the existence of those agencies. Looking at some of their "guides for the citizens", maybe that is for the better. As a random example, the Irish guide is 20 pages of trite text more or less repeating the Directive, with some pep talk sprinkled around ("Who is a data subject? We are all data subjects!"). A survey from 2009 shows that the agencies are largely reactive, do not engage with other agencies or NGOs, and have no mechanisms in place to measure the effectiveness of their "promotional activities". Elsewhere they have been described as "characterised by excessive legalism and procedures" (Y. Poullet).

Finally, national legislation is not close to being fully harmonized, even now. Poullet's report indicates that some national rules diverge even over the most fundamental concepts, such as what "personal data" means, how data processing can be justified and the scope of the right of access to personal data. This has actually led to companies pleading for an EU-level regulation leaving no implementation powers to the Member States.

All of this is still not an argument against regulation, and definitely not an argument for "self-regulation". But if the world's most ambitious piece of data protection legislation has achieved so little to protect privacy, there is a problem. Progress might come if European and national regulators start to cooperate more effectively in developing a "privacy culture". Perhaps they can influence policymakers and regulators in other fields to make privacy a central concern; perhaps some of that will lead to better industry practices in specific sectors. So far, however, none of that seems to be happening.

Word count: 992

[Old version removed! Mislav]

Mislav, if you have come across any great papers discussing how well the EU Data Protection Directive has (or has not worked), I would appreciate it if you could pass those on to me as they would be of great interest to me. Thanks. -- KateVershov - 09 Mar 2009

  • I don't think I understand either the technical or economic arguments of the essay. It's hard to have a functioning market in valueless data. The "behavioral marketing from clickstream" scam is just stupid, as I've mentioned elsewhere, so we don't have to wonder why there isn't a market in the dreck Phorm can capture. But because I don't know how to evaluate the arguments that seem to me to depend on unestablished technical or economic propositions, I don't really know how to take the "We should talk about what turns out to be a thoroughly unrealistic idea" structure of this paper. Is it a deliberate send-up? A satire whose point I miss? It can't be serious but it doesn't seem to be fooling.

Navigation

Webs Webs

r4 - 06 May 2009 - 03:50:35 - MislavMataija
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM