There is no new thing under the sun
Photo: Like it’s namesake, the European Data Protection Directive (“DPD”), this Mercedes is old, German-designed, clunky and noisy – yet effective. [Photo: Omer Tene]
Old habits die hard. Policymakers on both sides of the Atlantic are engaged in a Herculean effort to reform their respective privacy frameworks. While progress has been and will continue to be made for the next year or so, there is cause for concern that at the end of the day, in the words of the prophet, “there is no new thing under the sun” (Ecclesiastes 1:9).
The United States: Self Regulation
The United States legal framework has traditionally been a quiltwork of legislative patches covering specific sectors, such as health, financial, and children’s data. Significantly, information about individuals’ shopping habits and, more importantly, online and mobile browsing, location and social activities, has remained largely unregulated (see overview in my article with Jules Polonetsky, To Track or “Do Not Track”: Advancing Transparency and Individual Control in Online Behavioral Advertising). While increasingly crafty and proactive in its role as a privacy enforcer, the FTC has had to rely on the slimmest of legislative mandates, Section 5 of the FTC Act, which prohibits ‘‘unfair or deceptive acts or practices”.
To be sure, the FTC has had impressive achievements; reaching consent decrees with Google and Facebook, both of which include 20-year privacy audits; launching a serious discussion of a “do-not-track” mechanism; establishing a global network of enforcement agencies; and more. However, there is a limit as to the mileage that the FTC can squeeze out of its opaque legislative mandate. Protecting consumers against “deceptive acts or practices” does not amount to protecting privacy: companies remain at liberty to explicitly state they will do anything and everything with individuals’ data (and thus do not “deceive” anyone when they act on their promise). And prohibiting ‘‘unfair acts or practices” is as vague a legal standard as can be; in fact, in some legal systems it might be considered anathema to fundamental principles of jurisprudence (nullum crimen sine lege). While some have heralded an emerging “common law of FTC consent decrees”, such “common law” leaves much to be desired as it is based on non-transparent negotiations behind closed doors, resulting in short, terse orders.
This is why legislating the fundamental privacy principles, better known as the FIPPs (fair information practice principles), remains crucial. Without them, the FTC cannot do much more than enforce promises made in corporate privacy policies, which are largely acknowledged to be vacuous. Indeed, in its March 2012 “blueprint” for privacy protection, the White House called for legislation codifying the FIPPs (referred to by the White House as a “consumer privacy bill of rights”). Yet Washington insiders warn that the prospects of the FIPPs becoming law are slim, not only in an election year, but also after the elections, without major personnel changes in Congress.
This leaves us with the “multistakeholder process”, conjured by the White House in its report and recently initiated in practice. Yet many doubt the potential for significant progress in a multistakeholder setting; where incentives are strong for grandstanding, thinly disguised industry turf wars, and policy laundering. These critics point to the repeated failures of industry self regulation. Some question the legal authority or even competence of fora such as the W3C tracking protection working group to decide on policy issues such as the definition of “tracking” or legitimate exemptions from consent requirements.
Europe: More Regulation
Across the ocean, in Europe, the European Commission submitted in January 2012 a proposal to reform the highly influential yet outdated 1995 Data Protection Directive (“DPD”) (see photo above). There is broad consensus, from Palo Alto to Brussels, that while a boon for lawyers and privacy professionals, the DPD has brought little effective protection to individuals. Does anyone really think European citizens have more privacy than individuals in the U.S.? The DPD mandated companies to engage in bizarre rituals such as signing multiple (i.e., hundreds or even thousands of) copies of “standard contractual clauses”, which were immediately filed in dusty cabinets never to be looked at again. It set forth individuals rights, such as access, rectification, and freedom from automated decisions, which were seldom understood – much less pursued or enforced by individuals. It set up a network of national enforcement agencies, which often lacked resources or legal tools to enforce.
One important goal of the reform was to reduce red tape and focus on substance over form. The result, however, was a 119-page document indecipherable to all but the most devout fans and experts. While doing away with some bureaucratic burdens, the draft Regulation introduces new ones such as a requirement to conduct and file with regulators “privacy impact assessments” and an obligation to report security breaches within 24 hours. Google’s CPO Peter Fleischer, typically understated, called it “the biggest increase in paperwork and compliance process obligations in the history of privacy law anywhere on the planet.” Moreover, the draft Regulation aspires to introduce newly minted privacy rights such as a “right to be forgotten” and a right of “data portability”. While reflecting commendable aspirations, such rights, at best, look like a nightmare to operationalize. Worse, they represent a dangerous shift in the delicate balance between freedom and regulation on the Internet. Indeed, Jeffrey Rosen wrote that the right to be forgotten “represents the biggest threat to free speech on the Internet in the coming decade.” (While I do not personally subscribe to this point of view, I do agree that the right to be forgotten may look better in the books than on the ground). Finally, the draft Regulation greatly expands the geographical application of Europe’s data protection law, causing potential conflicts or even retaliation by trading partners.
When assessing the provisions of the draft Regulation, European policymakers should keep in mind the desired balance between innovation, economic progress and regulation. They should make sure that the draft Regulation does not become another symptom of an overregulated economy, which has unfortunately ground to a screeching halt. Why is it, after all, that Europe, with no less great minds, top-notch research institutions, and capital than the U.S, has not been able to produce more than a handful of global tech leaders? (If that; Nokia is teetering and on the verge of being taken over by Microsoft). Embarrassingly, this week’s special by the Economist about European entrepreneurs is titled “Les Miserables”. Of course it is not all privacy regulation; Silicon Valley thrives on a rare combination of tax laws, hostility towards non-compete covenants, and more. But Brussels needs to facilitate innovation by being innovative in its tech regulation; not by resorting to mechanisms which have been discredited for more than a decade.