In the background to the current discussions, of course, we have lurking the behemoth of the draft Regulation that is very likely to replace the current Directive that governs privacy in the EU. The Regulation itself is currently subject to a “trilog” – a three-way negotiation among the European Commission, Parliament and Council of Ministers. (The Parliament’s plenary vote on March 12, 2014, ensured that the Parliament cannot changes its position on the Regulation even after the round of Parliamentary elections this June.) Speakers at the IAPP conference projected that the Regulation will be finalized and passed as law sometime towards the end of 2014, or possibly 2015.
In the meantime, privacy advocates and commentators from academia, industry and government focused on the following themes, many of which outstrip the thinking in the draft Regulation:
Anonymization: Is it robust anonymization ever possible? (See the comments of a leading international data security expert, Ross Anderson, casting doubt on that.) Can any data set lead us to a given individual if the data queries are structured cleverly enough? Should we instead think of data as only ever “de-identified” and focus on educating data generators and users on the most effective means of de-identification and security, with penalties for intentional re-identification? Or should we stop distinguishing altogether between personal data (which is always within the scope of European privacy laws) and anonymized data (which is outside of the scope of European privacy laws)? The answers to these questions could have huge implications across a range of industries, from marketing research organizations (whose bread-and-butter work involves analyzing massive consumer data sets) to drug development companies (clinical trial data aren’t immune to the current debate).
Notice and Consent: Is the notion of notice and consent worth keeping, given the reality that consumers click to consent without reading the pages of privacy notices that are typically presented to them on their way to the desired app or information? Or should we abandon consent and re-focus regulation on reasonable use restrictions? Is it paternalistic to abandon consent as a basis for processing data? Or just realistic, particularly as we move towards the “Internet of Things” where our homes, cars and personal devices constantly generate and transmit data? To give one example of industry thinking, see Microsoft’s position papers and videos on evolving privacy models.
Give up on shared premises; focus on shared rules? Conference chatter sometimes contains the seed of an important idea. Here’s one: It’s possible that the EU and the US will never see completely eye-to-eye on the underlying reasons for valuing privacy. (Even within the EU, is there agreement on the precise parameters of the “fundamental rights and freedoms of the data subject”?) But can we make international progress by ignoring the underlying premises and simply agree on shared rules?
Privacy probably has never had more public and government attention focused on it than this past year. Some very good ideas are evolving, but whether they make it into the Regulation is doubtful, given the realities of the political process. Of course, actual regulation rarely matches the pace of developments in legal and policy thinking, so the ideas sketched out above are ones to keep in mind for the next round.
The IAPP has made the European Data Protection Intensive 2014 conference presentations available here.