What a 21st Century Privacy Law Could—and Should—Achieve

It’s no secret that the EU’s proposed General Data Protection Regulation (GDPR) hangs in the balance. Some have even declared it dead (see here), though, to paraphrase Mark Twain, those reports are somewhat exaggerated. Nevertheless, 2014 will prove a pivotal year for privacy in the European Union: Either we’ll see some variant of the proposed regulation adopted in one form or another, or we’ll be heading back to the drawing board.

So much has already been said and written about what will happen if the GDPR is not adopted by May that it does not need repeating here. Though, for my part, I’d be quite happy to return to the drawing board: Better, I think, to start again and design a good law than to adopt legislation for the sake of it—no matter how ill-suited it is to modern-day data processing standards.

With that in mind, I thought I’d reflect on what I think a fighting-fit 21st century data protection law ought to achieve, keeping in mind the ultimate aims of protecting citizens’ rights, promoting technological innovation and fostering economic growth:

1. A modern data privacy law should be simple, objectives-focused and achievable. The GDPR is, quite simply, a lawyer’s playground, a lengthy document of breathtaking complexity that places far more emphasis on process than on outcome. It cannot possibly hope to be understood by the very stakeholders it aims to protect: European citizens. A modern data privacy law should be understandable by all—and especially by the very stakeholders whose interests it is intended to protect. Further, a modern privacy law needs to focus on outcomes. Ultimately, its success will be judged by whether it arrived at its destination (did it keep data private and secure?) not the journey by which it got there (how much paper did it create?).

2. A modern privacy law should recognize and reflect the role of the middleman. Whether you’re a user of mobile services, the consumer Internet or cloud-based services, access to your data will in some way be controlled by an intermediary third party: the iOS, Android or Windows mobile platforms whose APIs control access to your device data, the web browser that blocks or accepts third-party tracking technologies by default or the cloud platform that provides the environment for remotely hosted data processing services. Yet these “middlemen”—for want of a better term—simply aren’t adequately reflected in either current or proposed EU privacy law, which instead prefers an outmoded binary world of “controllers” and “processors.” This means that, to date, we have largely relied on the goodwill of platform providers—Are they controllers? Are they processors?—to build controls and default settings into their platforms that prevent unwarranted access to our data by the applications we use. A modern data privacy law would recognize and formalize the important role played by these middlemen, requiring them to step up to the challenge of protecting our data.

3. A modern data privacy law would categorize sensitive data by reference to the data we REALLY care about. Europe’s definition of sensitive—or “special”—personal data has long been a mystery to me. Do we really still expect information about an individual’s trade union membership or political beliefs to be categorized as sensitive when their bank account details and data about their children are not treated as sensitive in Europe—unlike the U.S.? A modern data privacy law would impose a less rigid concept of sensitive personal data, one that takes a greater account of context and treats as sensitive the information that people really care about—and not the information they don’t.

4. A modern privacy law would encourage anonymization and pseudonymization. Sure, we all know that true anonymization is virtually impossible, that if you have a large enough dataset of anonymized data and compare it with data from this source and that source, eventually you might be able to actually identify someone. But is that really a good enough reason to expect organizations to treat anonymized and pseudonymized data as though they are still “personal” data, with all the regulatory consequences that entails? From a policy perspective, this just disincentivises anonymization and pseudonymization—why bother, if it doesn’t reduce regulatory burden? That’s plainly the wrong result. A modern data privacy law would recognize that not all data is created equal, and that appropriately anonymized and pseudonymized data deserve lesser restrictions as to their use—or reuse—and disclosure. Without this, we cannot hope to realize the full benefits of Big Data and the societal advances it promises to deliver.

5. A modern privacy law would not impose unrealistic restrictions on global movements of data. The Internet has happened; get over it. Data will forevermore move internationally, left, right, up and down across borders, and no amount of regulation and red tape is going to stop that. Nor will Europe’s bizarre obsession with model clauses. And when it comes to surveillance, law enforcement will always do what law enforcement will do: Whilst reining in excessive government surveillance is undoubtedly crucial, that ultimately is an issue to be resolved at a political level, not at the business regulatory level. A modern data privacy law should concern itself not with where data is processed but why it is processed and how it is protected. So long as data is kept secure and processed in accordance with the controller’s legal obligations and in keeping with its data subjects’ reasonable expectations, it should be free to process that data wherever in the world it likes. Maintaining unrealistic restrictions on international data exports at best achieves little—organizations will do it anyway using check-box solutions like model clauses—and, at worst, will adversely impact critical technology developments like the cloud.

6. A modern privacy law would recognize that consent is NOT the best way to protect people’s privacy. I’ve argued this before, but consent does not deliver the level of protection that many think it does. Instead, it drives lazy, check-box compliance models—“he/she ticked the box, so now I can do whatever I like with their data.” A modern law would acknowledge that, while consent will always be an important weapon in the privacy arsenal, it should not be the weapon of choice. There must always be other ways of legitimizing data processing and, perhaps, other than in the context of sensitive personal information, these should be prioritized over consent. At the same time, if consent is to play a lesser role in legitimizing processing at the outset, then the rights given to individuals to object to processing of their data once it has begun must be bolstered—without this, you place too much responsibility in the hands of controllers to decide when and why to process data with no ability for individuals to restrain unwanted intrusions into their privacy. There’s a delicate balance to be struck, but a modern data privacy law would not shy away from finding this balance. Indeed, given the emergence of the Internet of Things, finding this balance is now more important than ever.

There’s so much more that could be said, and the above proposals represent just a handful of suggestions that any country looking to adopt new privacy laws—or reform existing ones—would be well-advised to consider. You can form your own views as to whether the EU’s proposed GDPR—or indeed any privacy law anywhere in the world—achieves these recommendations. If they don’t now, then they really should; otherwise, we’ll just be applying 20th-century thinking to a 21st-century world.

Written By

Phil Lee, CIPM, CIPP/E
