The hour was late. Past 5 p.m., Thursday, on the last day of a conference that saw attendees passionately talking shop for what seemed like 48 hours straight. Yet the conversation continued at the Data Protection Intensive in London. Hands remained raised for questions. Global CPOs sat forward in their seats and whispered commentary amongst themselves.
In front of them, Dutch DPA Jacob Kohnstamm, Sidley Austin Partner and former U.S. Commerce Department General Counsel Cam Kerry and Unilever CPO Steven Wright were simply discussing a topic too important to abandon: Will we ever see a global marketplace with data-transfer interoperability?
“The EU view,” Kerry prodded Kohnstamm with a smile, “is if you’d just do it our way, everything would be fine.” Of course, a fundamental reimagining of the U.S. legal framework is unlikely. Just as it is unlikely the EU will rewrite the Treaty of Lisbon.
So what does interoperability mean in practical terms as a goal to work toward?
“Interoperability means, in my mind,” said Kerry, “maintaining data flows that are essential to the broader economic relationship in ways that respect the differences” between the EU, U.S. and any other jurisdiction. “That means some accommodation on both sides. I don’t think U.S. companies can just say, ‘all that bureaucracy is getting in the way of innovation.’”
Clearly, Kohnstamm said, progress can be made. For example, even as focus is on the European Commission’s 13 necessary fixes for Safe Harbor, he suggested that perhaps the huge progress on Safe Harbor’s efficacy is being lost in the shuffle.
“Looking back at the start of Safe Harbor,” he said, “it was absolutely meaningless. There was one guy in the Department of Commerce who looked after it. I don’t think the FTC did anything or could have done anything and it was just a nonsense face-saving operation on adequacy. But that changed enormously.”
Kohnstamm praised the FTC’s enforcement actions around Safe Harbor and the Commerce Department’s work on building infrastructure around the program.
And yet many would argue that Safe Harbor’s future is tenuous at best, given the Schrems case before the European Court of Justice and the unlikelihood that the U.S. will give much ground on its national security programs. Further, programs like BCRs or APEC’s CBPRs seem practical only for the largest of global firms. If they’re practical at all.
“I keep bringing ‘interoperability’ back to the terminology,” said Wright, whose firm has not gone through the BCR or CBPR process and uses mostly model clauses. “It means something quite different for me. If I look from a tech perspective, it’s the ability to plug and play, so it doesn’t become a constraint. It was the buzzword in tech 20 years ago, but that was about making ICP and TCP could talk to each other.
“I think for me this feels very much the same,” he continued. “We need to be respective of differences culturally and politically, but if we can get to a plug-and-play global framework, my plea would be to please remember that whatever you come up with, we have to live with it. We have to take it and apply it and live with it in the real world.”
Wright worries that instruments like Safe Harbor or BCRs or privacy seals become organizational crutches, “and that’s principally from my experience working with regimes that try to put controls in place with the right intentions but the wrong emphasis by the end of it. And so it’s another sales tick. Another seal that doesn’t mean anything.”
“No mechanism,” he argued, “should be the means to an end. It should be about operationalizing privacy and data protection and baking it in.”
Are you doing the work of privacy so that you can get a seal? Or are you doing the work of privacy because it’s important to your business and you want to have good faith with your customers?
Those are two highly different organizational goals. And perhaps it’s a strained analogy, but a USB device doesn’t work because it has a little seal on the outside identifying it as USB-compliant. The USB device works because it actually works when you plug it in. No logo on the outside of a cord can make a person with a nonworking phone charger happy.
And no privacy seal is going to make customers happy when they find their data has been used for a purpose for which they didn’t consent and there is no one to turn to for redress. While the U.S. debates whether foreign citizens should be protected by the Privacy Act, or whether they should have a right of redress in U.S. courts, the rest of the world is reluctant to simply bide their time.
“We have this tremendous global network,” Kerry observed, “and it’s threatened by data localization. It’s threatened by the erosion of trust. When I was at Commerce, the notion of maintaining trust in the ecology of this network was at the center of our work on privacy and cyber.”
In the fallout from the Snowden revelations, there’s been an enormous erosion of trust. Could that trust be rebuilt through an appeal to ethics that goes beyond policy and law, something similar to the medical profession?
“How do we promote stewardship like that?” Kerry wondered.
“I think we’re all in agreement,” said Kohnstamm, “that trust and transparency go hand in hand. Trust is essential for the global economy.”
His efforts in the short term, however, are focused more practically than that. Programs like his Privacy Bridge project, which will consume virtually the entirety of the 37th Annual Data Protection and Privacy Commissioners Conference in Amsterdam this fall, need to start with the bare essentials.
Is it really not possible to create some kind of standard for privacy notices that can be used globally to simply tell consumers how their data is being collected and used? Is the acquisition of meaningful consent really such a white whale? Can’t we decide on a useful way of knowing whether data is truly anonymized?
Maybe, Kohnstamm said, “this more moral and ethical approach to privacy will be helped by some of these bridges we can build,” bridges that can help to reestablish trust and allow for innovation.
“Permission and innovation are a difficult combination,” he said, ”but I think user control or explicit consent is essential in our democracies anyway. I’m not sure how we can see ethical codes be accepted and talked about and know what steps should be taken unless user control is essential for business models that are trying to be as innovative as possible.”
For some, that might be even harder to see come to pass than interoperability.
If you want to comment on this post, you need to login.