By design, the newly released Privacy Bridges paper dominated conversation here at the 37th International Privacy Conference in Amsterdam. Day one of the open session featured a panel presenting the findings and then three hours of open discussion amongst attendees. Day two featured a panel summing up those three hours of discussions.
Further, both invited keynotes on day two—EU Commissioner Vera Jourova and Dutch Minister for Security and Justice Ard van der Steur—mentioned the bridges specifically.
And yet 33 global non-governmental organizations have banded together to release a statement here expressing “concern about the conference this year in Amsterdam” because of the focus on the Privacy Bridges report.
“We were surprised and disappointed,” they write, “that the conference organizers this year focused on a report recommending actions that would do little to change the business or government behavior that threatens privacy and data protection. The report recommends no substantive changes in law. Particularly after the Safe Harbor decision, the ‘Bridges report’ is remarkably out of touch with the current legal reality and what we need to do to address it.”
And while many representatives of civil society and these NGOs were vocal in the breakout discussions (the report was “fundamentally flawed and un-interesting”), they also complained that there was no opportunity for questions and responses in the plenary session of the conference.
“We look forward,” they wrote, “to conferences that actively support and encourage discourse with civil society about the future of privacy and data protection.”
Jacob Kohnstamm, head of the Dutch DPA and the man who convened the Bridges project, called these criticisms “legitimate,” but also had some rejoinders. Yes, he agreed, the way that Europe makes privacy a fundamental right is the regime he prefers, and he would be happy if the United States similarly passed an omnibus law, but “their position is you need to choose between fighting for better legislation or the practical stuff the Bridges project has proposed, that you can’t do them both. I must admit that in my political career, I’ve learned that you can very well do both.”
Do the Privacy Bridges project's 10 proposals distract from legislative efforts? Danny Weitzner, head of MIT’s CSAIL and one of the co-chairs of the Bridges project, doesn’t think so. “I don’t think this is an either-or,” he argued. “I don’t think there’s anyone in the Bridges project who has ever said, either publicly or privately, that this is a substitute for the legislative process.”
In fact, he said, “many of us have worked very hard on encouraging progressive privacy legislation in the United States, and will continue to do that. But we were looking at a different question: Given the current and possibly future state of EU and U.S. law, how do we bridge the gap?”
Kohnstamm made a point to say, as well, that many of the European civil society groups would only participate if they were allowed a formal seat at the table, rather than simply providing information through one of the five listening sessions the Bridges group held. When that wasn’t offered to them, they decided to wait to criticize the result, Kohnstamm said.
“My experience is that if you want to go out walking in a wood,” he said, “it’s better to join someone who will sometimes get lost than to go with someone who doesn’t want to walk at all.”
So, is there a future for any of these Bridges? Are they, as some Twitter users have hashtagged, a #bridgetonowhere?
The first bridge, calling for a memorandum of understanding between the Federal Trade Commission and the Article 29 Working Party, was perhaps a “bridge too far,” Kohnstamm admitted, as that kind of legal document might be more formal of an instrument than the relationship needs. However, the FTC and A29WP announced here at the conference an intention to co-present workshops in 2016.
“The FTC has stakeholder workshops where industry, academia, civil society and other stakeholders come together and discuss the same issue from different angles,” Kohnstamm noted. “That doesn’t happen in Europe. I’ve never seen such a meeting … So it may seem odd to you, but it’s a cultural shock to see the Europeans and Americans do that together. We never did it.”
FTC Chairwoman Edith Ramirez even announced that a staffer of the French DPA, the CNIL, would be working at the FTC for a period of months in the near future.
In another concrete step, the W3C publicly acknowledged the Privacy Bridges work, which pointed to W3C’s work on Do Not Track, and Kohnstamm said he has assurances that the independent group would do more work on user controls, as called for in bridge two.
Bridges seven and nine have some oomph behind them as well. Van der Steur announced that data breach notification (seven) and drone regulation (mentioned as part of the effort toward inter-government cooperation on regulation in nine) would both be high on his agenda as the Dutch presidency takes over in the first half of 2016. “I’ll do my best to initiate a discussion” on the use of drones with lawmakers around the world, he promised.
There are also no shortage of proponents of bridge eight, which promotes the use of accountability. Kohnstamm said Bojana Bellamy and the Center for Information Policy Leadership she runs have committed to working to move accountability forward as a transatlantic and global standard for privacy compliance. She will likely have plenty of help from the likes of the International Accountability Foundation and Nymity, both of whom held side events here on accountability.
Similarly, the Future of Privacy Forum had already taken up discussion of bridge six, a call for a standardization effort for de-identification practices, with a follow-up workshop directly after the conference ended on Thursday afternoon.
And there are researchers already lining up to figure out a way to effect 10, which calls for better ways to fund transatlantic privacy research efforts.
Clearly, there is momentum.
“Overall,” said Weitzner, “I think that the coincidence in timing of this with the Schrems decision really emphasized what I think is the core need for bridging activities. We have to aim for a higher level of collaboration. I’ve said it publicly that the Safe Harbor really suffered from a lack of trust and actual collaboration, so that when it came down to it the Commission was unprepared to defend it … Safe Harbor served a very important purpose, and had an impact, but these things atrophy if they’re not used and cared for. To me, that really underscores the importance of all of these bridging activities.”
If you want to comment on this post, you need to login.