These fake investigations by data protection regulators have to stop

 By Simon Davies

On Thursday the Irish Data Protection Authority gave Apple and Facebook a clean bill of health over the transfer of PRISM data to the US National Security Agency. Apparently the practice is entirely legal, and those companies are free to ship the personal data of Europeans across to the spy agencies.

The Austrian-based campaign group Europe v. Facebook had last month brought a complaint alleging that the transfer of personal information to the US was unlawful. The subsequent Irish decision followed a process that the press variously described as a “probe”, an “investigation” and an “inquiry”.

Ireland's Data Protection regulator: helping companies with a pragmatic approach

One has to feel at least some pity for the Irish Data Protection office under these circumstances. This is a massively complex legal quagmire and the office is handicapped by an almost total absence of serious legal advice, resources or information. Add to that the complication that Facebook is a big employer in Ireland, so there is tacit pressure not to rock the boat – in the same way that Irish consumer regulators are encouraged to turn a blind eye to the criminal trading standards practices of Ryanair.

The end result is that there never was an investigation – let alone a “probe”. Europe v Facebook knows it, Apple knows it and every privacy regulator in Europe knows it.

There might have been a “poke”, but there’s no way that an office as small as the Irish Data Protection Authority could ever have resolved a legal issue as complex and far-reaching as this within a month. For one thing, the office didn’t even have the raw facts at its disposal. Apple and Facebook would have made sure that disclosure of any technical evidence took months – if it happened at all.

Based on my understanding of similar cases in the past, here’s what happened.

After receiving the complaint from Europe v. Facebook a couple of the staff at the office sat down with the Commissioner and had a grumble about the campaign group – which understandably they regard as an interfering troublemaker. After ten minutes everyone agreed on the outcome of the “probe” and the rest of the time was spent writing the appropriate two-page response. Maybe the office made a couple of telephone calls. End of story.

This summary isn’t meant to sound dramatic – it’s just the reality of how such matters play out. When Google’s unlawful mass-harvesting of WiFi data was uncovered a few years ago the UK Information Commissioner’s Office behaved much the same way over Privacy International’s (PI) complaint. The office had a collective moan about the campaigners, decided in advance that Google was off the hook – and then for cosmetic purposes sent a couple of untrained staff to Google’s London office so the advertising giant could confirm that it had acted lawfully.

In the case of the UK regulator’s “investigation” of Google, that office has more resources, so it was able to send a longer letter of response. However it all boiled down to the same position: “We asked the company, it said it was acting lawfully – and we have no reason to doubt its word”.

No-one’s best interest is served by such a process. Privacy protections are circumvented, consumers feel cheated and companies become resentful. Regulators might feel smug that they escaped having to conduct a proper investigation, but every time they pull such a stunt public trust in them – and in the law – takes another tumble.

The harsh reality is that most US companies despise European-style data protection law and they certainly have no intention of complying with either the letter or the spirit of an investigation. This applies in particular to Google, which quite blatantly believes those protections are archaic and unworkable (and also get in the way of maximising profit). Whenever a regulator “investigates” a complaint, such companies close ranks. Regulators learn almost nothing about the intricacies of data processing, business models, security techniques, monetisation practices, contractual arrangements, forecasting outcomes or future planning.

There has to be a better way. Even for those regulators who do conduct meaningful investigations (and there are a few) there’s probably an elastic limit to the traditional model of external investigations. As the world moves to the cloud and as information becomes ubiquitous and ambient it may be impossible within a decade for regulators to conduct any precise examination of data practices.

In the absence of any sign that regulators will be given adequate resources – or that the law itself will be substantially tightened – might it be possible to move the burden onto the companies themselves? Say, a culture shift to a higher expectation of transparency and clarity – and a legal requirement to publicly report findings that are more precise?

I’m guessing the response of many Privacy Surgeon readers will boil down to two positions. First: this is a crazy idea that relies on blind faith. If we can’t trust companies to do the right thing in response to official investigations, why should we imagine they’d do any better if left to their own devices? Second: the law is the law. These companies should be forced to respect official processes.

I agree that both positions have validity, but I do think in the circumstances it’s worth exploring some novel ideas even if they end up failing a reality check. Regulatory systems can easily fall into disrepute if they are not tested against alternative approaches, as witnessed by the systemic corrosion of the UK telecommunications regulator Ofcom in its failure to uphold consumer rights.

One alternative strategy to the collapsing regime of external investigations might be found through a clever species of teacher that some of us encountered at school.

Let’s imagine that a transgression has taken place at school – some unknown students attached a pair of rubber breasts to the headmaster’s car – or hacked into the school public address system so they could infiltrate assembly with AC/DC.

The traditional response of some teachers (regulators) would be to conduct an external investigation – dragging the usual suspects in for interrogation and setting up a battle of wills that would unite all students against the inquiry and which would ultimately lead nowhere.

Enter the smart teacher. The smart teacher knows that an “official” investigation will fail. The way to play the situation is to get students themselves to do the investigating. In doing so the dynamics of the terrain are inverted.

When students are requested to investigate themselves a few important factors are kicked into play. The resentment that is commonly focused on teachers is turned instead on non-compliant students. The pride that might have been achieved obstructing an official action often turns to pride in negotiating an intelligent – even a constructive – solution.

Of greater importance, the commonality of resistance is shattered. Without a united front and common cause it is less plausible to engineer a complete stonewalling.

You can witness such strategies at play in day-to-day life. In the 1990s, for example, at a time when consumer disdain for London’s Tube network had reached rock-bottom (constant strikes, line failures and inhumanely high temperatures on the trains themselves), London Underground turned the tables by launching a campaign asking the public to propose solutions. Within a week the resentment had cooled. Importantly, some great ideas were submitted.

So, in view of the failure of many external investigations of the private sector, why not turn the tables by demanding that the companies themselves come up with the facts and the solutions independently? If they fail to do so, the shame will be on them for engineering a breach of trust – rather than the shame being on the regulator for enabling it. Perhaps companies can be encouraged to show leadership in this way through their Corporate Social Responsibility framework.

I’m not saying this approach has an odds-on chance of succeeding, but I do believe it could trigger a culture shift in the corporate world. Right now many investigations in such countries as Ireland and the UK are meaningless. I can’t see how the situation will improve any time soon within the current regulatory framework.