Part of the argument for a new instrument – at least as summarized in reports on the speech – is that the existing ones are too old and were crafted before the Internet really took off. The OECD Guidelines date from 1980 and the EU data protection directive from 1995, so they’re said to be out of date. Fleischer is said to argue for new rules based on the APEC privacy framework, and says Google is in favour of individuals’ privacy. The trouble is the ‘past their sell by date’ argument doesn’t hold up, and the APEC principles are a weak model to anyone who cares about privacy.
The OECD guidelines might have been created in 1980, but they have been reviewed since then in the light of new communications technologies. Already in 1998, an OECD ministerial worked on applying the guidelines to an online environment, and the relevant OECD working party continues to work on the guidelines’ applicability to this day. The EU directive had its scheduled review in 2003, and was found to be coping quite well. It also had a follow-up review of its work programme this year that found the directive to be substantively appropriate and technologically neutral. The main issue identified was that not all the member states had implemented it or had done so properly. A 1997 data protection directive for telecoms (97/66/EC) was revised and re-issued as a new directive in 2002 (2002/58/EC), and then supplemented by a mandatory traffic data retention measure in 2006. The 2002 directive is being reviewed again along with the telecoms package it was originally part of. The 2001 Council of Europe Convention on Cybercrime also has some relevant provisions on communications traffic data and law enforcement access to data. And then there are the APEC principles, created in 2004. So the issue is not that comparable legal instruments are out of date, nor is there a lack of them.
The APEC principles are a ‘framework’ for member countries to follow because APEC’s job is to produce non-binding instruments and let its members figure out what to do with them. The drive to create the privacy principles came not from a serious desire to harmonise privacy practices in the Asia Pacific, but from Australia and the US wanting a countervailing force to the EU Directive. The development of the guidelines was dominated by intense lobbying by US and international business interests, many of whom owed their seat at the table to membership of government delegations. While the APEC principles are said to be ‘consistent’ with the OECD guidelines, they are widely accepted as having watered down key provisions such as having a defined purpose for data collection and use, and access by data subjects. And because they’re an APEC instrument, the principles come with no requirement for implementation nor any mechanism for review of their use. So while an appeal to APEC-like international privacy rules may sound impressive, in reality it’s an empty promise that smacks of a policy wonk’s branding exercise.
But Fleischer identifies a real problem. The nature of communications technologies means personal data travels through several countries in minutes. It is truly bewildering for companies acting in good faith to figure out which law they should apply and when. There are also many companies set up in one jurisdiction which market their services to consumers in another, unaware of or ignoring the privacy laws in the second country. The Internet severs the tie between individuals and their national laws, thrusting them out into a no man’s land of contested jurisdiction and applicable law. But it also leaves global companies like Google vulnerable to being rapped by data protection authorities for running their business in ways that may or may not be wrong, depending on who owns the data flying around, where they came from, what rules applied when they were collected, and endless overlapping variables that make a lawyer’s head spin.
On the face of it, Fleischer’s call for a new international instrument on Internet privacy is consistent with business’ desire to simply know which rules to follow. Having worked for several years in the business lobby on data protection, I can tell you the clarion call of international businesses was always for more legal certainty. But the second part of the argument is the important one. Business wants certainty, but only as long as it means harmonization to the lowest possible level of privacy protection, and ideally none at all. Because, after all, businesses know best what their customers really want. And a competitive market will provide just that…
Any new international privacy instrument would be created by a process involving intense lobbying by international business interests to weaken privacy protections. The US could be expected to exert significant pressure to dilute privacy to homeopathic levels. So realistically, given the players’ incentives and their demonstrable history, we could expect the new instrument to offer less privacy protection to individuals than any of the existing ones. Nobody with any experience in this area would expect anything else. And that’s just if you look at this from the business point of view.
Of course the wider context of any negotiations on Internet privacy must include other actors; most importantly, the law enforcement community. Privacy has been on a losing streak since 2001; many people believe justifiably so. In Europe, Parliament lost its nerve on the communications data protection directive (2002/58 mentioned above) and weakened privacy protections in response to pressure from justice and home affairs interests. A couple of years ago, the chronically under-resourced data protection unit was removed from DG Internal Market – where its focus was on harmonization of laws antithetical to the internal market – and put in DG Justice Freedom and Security, on the premise that data protection is more akin to rights than to commercial data flows. DG InfoSo (Information Society) didn’t have enough clout to secure the unit to itself, which indicates that the future direction of data protection has very little to do with compatibility with Internet technologies, and everything to do with standard justice ministry concerns.
It can’t be controversial to infer from all this that in the current climate, any changes to data protection will focus more on accommodating business and law enforcement concerns than privacy ones. Opening up data protection negotiations anywhere – in the EU, at the OECD or at some UN forum to be imagined – can only have the effect of weakening existing protections. And of course if the UN were to get involved – there is a weak case for opening discussions under the auspices of the ICCPR – you can only imagine how the input of countries like China and Russia would shape privacy rules. And rules developed anywhere except the EU would almost certainly be non-binding to countries or companies. So any new rules would likely be damaging to privacy and unenforceable anyway. Which would seem to be a lot of work to create very little benefit.
So, interesting and all as Fleischer’s call for new international rules is, it can only result in a) no change, or b) less privacy for individuals and the same uncertainty for business. Is this just a political branding exercise by Google, or is there more to it? Without seeing the text of the speech, I can’t say. But the reports indicate more smoke than fire. If Eric Schmidt is to take up this cause, as some reports say he will, then I hope it has some real substance to it.