By Simon Davies
I want to briefly describe a small but messy footnote to history that just unfurled this week. This tale may explain why a big chunk of the privacy world is falling to pieces through neglect and betrayal by some privacy authorities.
Many readers will be familiar with the role of privacy and data protection authorities. These officials are mandated to protect the rights of citizens by enforcing provincial or national privacy legislation.
Sadly however, most authorities across the world are a waste of time. Some are insular, politically timid, ethically compromised and arrogant.
Some elements of Germany, France, Slovenia, Norway and Canada, for example, display such outstanding leadership. Berlin has been an inspiration on complex technology issues. Schleswig Holstein consistently confronts the social media giants. The British Columbia and Alberta privacy authorities took the lead on holding a gun to the US over data transfers from Canada.
There are other regulators (mainly in Europe) that do great work in specific topic areas. Sadly however, most authorities across the world are becoming a waste of time. Some are insular, politically timid, ethically compromised and arrogant. Others simply tread water and take a “lowest common denominator” approach to their work.
This is a tragic situation. At a time in history when we need privacy regulators with tenacity and commitment, the field appears to be increasingly dominated by self-serving cowards. Still, that fact does not detract from the exceptional work being done a few maverick regulators.
These are important considerations. The connection between ‘theoretical’ privacy rights and the enforcement of those rights is fragile and unstable. The Netherlands Authority, for example, simply doesn’t accept direct complaints from victims. The UK and Ireland do accept complaints, but then almost always dismissed them as irrelevant, unsustainable or frivolous (yes, the Irish Authority regarded Max Schrems’ complaint as frivolous). The Australian regulator is largely toothless while authorities such as those of Hungary were historically compromised by their political masters. The list goes on.
Let’s be brutally clear for a moment. Privacy and data protection authorities have a lot of fence-mending to do. Following a string of recent European Court decisions, most have egg on their face, having remained silent for years about data retention or Safe Harbour. They knew all the time that these instruments were simply illegal, but chose to do nothing about it.
Privacy and data protection authorities have a lot of fence-mending to do. Following a string of recent European Court decisions, most have egg on their face, having remained silent for years about data retention or Safe Harbour.
There has never been a moment in history when the privacy regulator community needs to do more to restore trust and relevance. Instead, this week signals a new low in that trust.
Here’s the background. Each year the world’s privacy and data protection authorities get together at an international conference to discuss important topics and to seek some level of international understanding. To this end the conference involves both open and closed sessions – the latter of which has become a sort of informal management board for the global regulatory community. This year, the Netherlands is the host country.
For every commissioner attending these events, there are around eight registered corporate and legal types – often lobbyists or DP officers – plus a handful of academics and NGO’s. The result is a conglomeration of up to a thousand professionals, occasionally including some of the sleaziest and most disreputable information users on earth.
To gain voting membership of this club of regulators, a country must have both a data protection or privacy law and an independent oversight authority. 65 countries now have such an accredited infrastructure, and can thus participate as full members of the “Plenary”.
It used to be that the conferences were centred on Europe – the true home of data protection. These events focused on key issues that went to the heart of privacy. They embraced civil society, welcomed open debate and sought some degree of evolution.
As the number of members of the regulator community exploded in recent years, this ethic started to decompose. Countries such as Senegal, with a poor record on human rights, have been accredited – and even achieved host status to organise the annual conferences (Morocco, for example, which does not even enjoy DP adequacy status with the EU, will host the 2016 event, prompting one media outlet to describe the decision as “privacy’s FIFA moment”).
This, however, is not the issue that this week galvanised the ire of civil society toward the conference. Instead it is the matter of slippage of human rights values. A substantial coalition of human rights organisation has signed a petition to the privacy conference condemning the commissioners’ decision to centre the entire event on a project called ‘Privacy Bridges’, which is a voluntary trans-Atlantic initiative designed to find solutions to key privacy challenges. The petition reads, in part:
We were surprised and disappointed that the conference organizers this year focused on a report recommending actions that would do little to change the business or government behavior that threatens privacy and data protection. The report recommends no substantive changes in law. Particularly after the Safe Harbor decision, the “Bridges report” is remarkably out of touch with the current legal reality and what we need to do to address it.
The failure of the Amsterdam conference to engage with the many new challenges, from “Big Data” to drone surveillance, is also a lost opportunity. The practical consequence of focusing instead on failed policies, such as self-‐regulation, will be to make more difficult the work of the privacy experts around the world who could have otherwise benefitted from a meaningful discussion about how to move forward on legislation, aggressive enforcement, and other steps that are long overdue. Yes, they are difficult; all the more reason why we need to act now.
This development is bad news for international privacy. There has never been such a blatant attack by civil society against the conference. In the past, constructive tension has always resulted in some positive outcome at a practical level at these events. This week, NGO’s complain that they have never felt so isolated from the annual conference – nor so troubled by its focus.
I won’t comment any further. I’ve argued with the key players – without success – about both the membership arrangements for privacy authorities and about this week’s Bridges focus. I am sick and tired of this charade and won’t sign any further letters or petitions. What I will do, however, is warn privacy authorities reading this blog that they had better engage these issues as a matter of urgency. This is the moment to prove you can step up to the plate and take constructive and forward-looking decisions that provide true leadership for the privacy sector.