Why privacy commissioners are betraying human rights

Privacy bridges logo

By Simon Davies

I want to briefly describe a small but messy footnote to history that just unfurled this week. This tale may explain why a big chunk of the privacy world is falling to pieces through neglect and betrayal by some privacy authorities.

Many readers will be familiar with the role of privacy and data protection authorities. These officials are mandated to protect the rights of citizens by enforcing provincial or national privacy legislation.

Sadly however, most authorities across the world are a waste of time. Some are insular, politically timid, ethically compromised and arrogant.

Well, that’s the theory at least. There are some authorities that do outstanding work. They are forward-looking, tenacious and innovative. Those regulators care about the issues in their domain, and they seek out the best advice on how to protect the fragile right of privacy. They engage, they motivate and they provoke change.

Some elements of Germany, France, Slovenia, Norway and Canada, for example, display such outstanding leadership. Berlin has been an inspiration on complex technology issues. Schleswig Holstein consistently confronts the social media giants. The British Columbia and Alberta privacy authorities took the lead on holding a gun to the US over data transfers from Canada.

There are other regulators (mainly in Europe) that do great work in specific topic areas. Sadly however, most authorities across the world are becoming a waste of time. Some are insular, politically timid, ethically compromised and arrogant. Others simply tread water and take a “lowest common denominator” approach to their work.

This is a tragic situation. At a time in history when we need privacy regulators with tenacity and commitment, the field appears to be increasingly dominated by self-serving cowards. Still, that fact does not detract from the exceptional work being done a few maverick regulators.

These are important considerations. The connection between ‘theoretical’ privacy rights and the enforcement of those rights is fragile and unstable. The Netherlands Authority, for example, simply doesn’t accept direct complaints from victims. The UK and Ireland do accept complaints, but then almost always dismissed them as irrelevant, unsustainable or frivolous (yes, the Irish Authority regarded Max Schrems’ complaint as frivolous). The Australian regulator is largely toothless while authorities such as those of Hungary were historically compromised by their political masters. The list goes on.

Let’s be brutally clear for a moment. Privacy and data protection authorities have a lot of fence-mending to do. Following a string of recent European Court decisions, most have egg on their face, having remained silent for years about data retention or Safe Harbour. They knew all the time that these instruments were simply illegal, but chose to do nothing about it. 

Privacy and data protection authorities have a lot of fence-mending to do. Following a string of recent European Court decisions, most have egg on their face, having remained silent for years about data retention or Safe Harbour.

There has never been a moment in history when the privacy regulator community needs to do more to restore trust and relevance. Instead, this week signals a new low in that trust.

Here’s the background. Each year the world’s privacy and data protection authorities get together at an international conference to discuss important topics and to seek some level of international understanding. To this end the conference involves both open and closed sessions – the latter of which has become a sort of informal management board for the global regulatory community. This year, the Netherlands is the host country.

For every commissioner attending these events, there are around eight registered corporate and legal types – often lobbyists or DP officers – plus a handful of academics and NGO’s. The result is a conglomeration of up to a thousand professionals, occasionally including some of the sleaziest and most disreputable information users on earth.

To gain voting membership of this club of regulators, a country must have both a data protection or privacy law and an independent oversight authority. 65 countries now have such an accredited infrastructure, and can thus participate as full members of the “Plenary”.

It used to be that the conferences were centred on Europe – the true home of data protection. These events focused on key issues that went to the heart of privacy. They embraced civil society, welcomed open debate and sought some degree of evolution.

As the number of members of the regulator community exploded in recent years, this ethic started to decompose. Countries such as Senegal, with a poor record on human rights, have been accredited – and even achieved host status to organise the annual conferences (Morocco, for example, which does not even enjoy DP adequacy status with the EU, will host the 2016 event, prompting one media outlet to describe the decision as “privacy’s FIFA moment”).

This, however, is not the issue that this week galvanised the ire of civil society toward the conference. Instead it is the matter of slippage of human rights values. A substantial coalition of human rights organisation has signed a petition to the privacy conference condemning the commissioners’  decision to centre the entire event on a project called ‘Privacy Bridges’, which is a voluntary trans-Atlantic initiative designed to find solutions to key privacy challenges.  The petition reads, in part:

We  were  surprised  and  disappointed  that  the conference  organizers  this   year  focused  on  a  report  recommending actions  that  would  do  little  to  change   the  business  or  government behavior that  threatens  privacy  and  data protection.  The report recommends no substantive changes in law. Particularly  after  the  Safe  Harbor  decision,  the “Bridges  report”  is  remarkably  out  of  touch  with the  current  legal  reality  and  what  we  need  to  do to address  it.

The failure  of  the  Amsterdam   conference  to  engage  with  the  many  new challenges,  from  “Big  Data”  to  drone  surveillance,  is  also  a  lost  opportunity.  The  practical consequence  of  focusing  instead  on  failed  policies, such  as  self-­‐regulation,  will  be  to  make  more difficult the  work  of  the privacy  experts  around  the world  who  could  have  otherwise benefitted  from  a meaningful  discussion  about  how to move  forward on  legislation,  aggressive  enforcement,  and  other steps  that  are  long  overdue.  Yes,  they  are  difficult; all  the  more  reason why we need  to  act  now.

This development is bad news for international privacy. There has never been such a blatant attack by civil society against the conference. In the past, constructive tension has always resulted in some positive outcome at a practical level at these events. This week, NGO’s complain that they have never felt so isolated from the annual conference – nor so troubled by its focus.

I won’t comment any further. I’ve argued with the key players – without success – about both the membership arrangements for privacy authorities and about this week’s Bridges focus. I am sick and tired of this charade and won’t sign any further letters or petitions. What I will do, however, is warn privacy authorities reading this blog that they had better engage these issues as a matter of urgency. This is the moment to prove you can step up to the plate and take constructive and forward-looking decisions that provide true leadership for the privacy sector.